- Three different honeypots were set up using Google Cloud virtual machines: Dionaea, Cowrie and Elastichoney. A total of 9253 attacks were recorded from various countries.
- I spent 10 hours on this project.
- Dionaea is intended to trap malware by exposing a variety of network services, including SIP, FTP, MySQL and SMB. My Dionaea instance logged 9244 connection attempts from countries all over the world.
- I was unable to capture any malware samples. In fact, upon performing a Google search, a lot of users reported that the Dionaea honeypot does not capture any malware samples when used as part of the Modern Honeypot Network. Many users reported capturing malware when setting up instances of Dionaea separate from the Modern Honeypot Network. https://github.com/threatstream/mhn/issues/417
- I even tried attacking Dionaea myself using various nmap and Metasploit modules, but Dionaea did not record any binaries.
- Cowrie is a medium-interaction SSH and Telnet honeypot designed to log brute-force attacks and the shell interaction performed by the attacker. Cowrie includes a full fake filesystem.
- Unfortunately I did not catch any traffic attempting to brute-force Cowrie.
- Elasticsearch has become an extremely popular search and analytics engine over the last few years. I thought it would be really neat to set up a honeypot to catch attackers attempting to attack an Elasticsearch instance.
- Elastichoney takes requests on the /, /_search and /_nodes endpoints and returns a JSON response that is identical to that of a vulnerable Elasticsearch instance.
- I was only able to capture 9 instances of attempted connections to the honeypot (image below shows page 1).
- After several days of capturing traffic, my mhn-admin VM suddenly went offline. I kept getting a 504 Gateway Timeout and never got it to work again. Thankfully, I was able to make a snapshot of the original VM's persistent disk and deploy another mhn-admin VM.
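The Cowrie bullet above describes what the honeypot records (brute-force attempts and the attacker's shell session). The script below is an added example for this writeup, not Cowrie's own code: it shows the kind of report you would build from Cowrie's logs once traffic does arrive. It assumes Cowrie's JSON log format (one object per line with `eventid`, `src_ip`, `session`, `timestamp` and, for login events, `username` and `password`); the sample lines are constructed, not captured traffic, and one of them is deliberately corrupt to show that a bad line must not abort the report.

```python
"""Summarise brute-force activity from Cowrie-style JSON logs.

Added example for this writeup, not Cowrie's own code. It assumes Cowrie's
JSON log format: one object per line with "eventid", "src_ip", "session",
"timestamp" and, for login events, "username" and "password" fields. The
sample lines below are constructed, not captured traffic.
"""
import json
from collections import Counter, defaultdict

# Constructed sample in the assumed cowrie.json shape (one JSON object per line).
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "a1", "timestamp": "2017-03-01T10:00:00Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "a1", "username": "root", "password": "123456", "timestamp": "2017-03-01T10:00:01Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "session": "a1", "username": "root", "password": "admin", "timestamp": "2017-03-01T10:00:02Z"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.7", "session": "a1", "username": "root", "password": "password", "timestamp": "2017-03-01T10:00:03Z"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "session": "a1", "input": "uname -a", "timestamp": "2017-03-01T10:00:04Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.9", "session": "b2", "username": "admin", "password": "admin", "timestamp": "2017-03-01T11:00:00Z"}
this line is corrupt and must be skipped
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.9", "session": "b2", "username": "pi", "password": "raspberry", "timestamp": "2017-03-01T11:00:05Z"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole report
        if isinstance(obj, dict) and "eventid" in obj:
            events.append(obj)
    return events


def summarise(events):
    """Count failed logins per source, credentials tried, successes and shell input."""
    failed_by_ip = Counter()
    credentials = Counter()
    successes = []
    commands = defaultdict(list)
    for ev in events:
        eid = ev["eventid"]
        if eid == "cowrie.login.failed":
            failed_by_ip[ev["src_ip"]] += 1
            credentials[(ev.get("username", ""), ev.get("password", ""))] += 1
        elif eid == "cowrie.login.success":
            successes.append((ev["src_ip"], ev.get("username", ""), ev.get("password", "")))
        elif eid == "cowrie.command.input":
            commands[ev["session"]].append(ev.get("input", ""))
    return {
        "failed_by_ip": failed_by_ip,
        "credentials": credentials,
        "successes": successes,
        "commands": dict(commands),
    }


def brute_forcers(events, min_failures=2):
    """Source IPs with at least `min_failures` failed logins (the threshold is a tuning choice)."""
    counts = summarise(events)["failed_by_ip"]
    return {ip for ip, n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    report = summarise(evts)
    print("failed logins by source:", dict(report["failed_by_ip"]))
    print("most tried credentials:", report["credentials"].most_common(3))
    print("successful logins:", report["successes"])
    print("commands per session:", report["commands"])
    print("brute-force sources:", sorted(brute_forcers(evts)))
```

Point it at a real `cowrie.json` by replacing `SAMPLE_LOG` with the file contents; the per-session command list is usually the most interesting output, since it shows what an attacker does after a "successful" login into the fake filesystem.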
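The Elastichoney bullet above says the honeypot answers `/`, `/_search` and `/_nodes` with JSON that looks like a vulnerable Elasticsearch node. The code below is an added example for this writeup, not Elastichoney's own code: a minimal honeypot of the same design built on Python's standard library, which returns JSON in the general shape of Elasticsearch's replies and records every request it receives. The node name, cluster name, build hash and version number are constructed placeholders. One detail worth noting is the `send_response` override: the default handler adds a `Server: BaseHTTP/... Python/...` header, which would immediately fingerprint the decoy.

```python
"""Minimal Elasticsearch-shaped HTTP honeypot with request logging.

Added example for this writeup, not Elastichoney's own code. It answers /,
/_search and /_nodes with JSON in the general shape Elasticsearch uses and
records every request it receives. FAKE_VERSION, FAKE_NODE, FAKE_CLUSTER and
the build hash are constructed placeholders.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

FAKE_VERSION = "1.4.2"          # constructed placeholder
FAKE_NODE = "node-1"            # constructed placeholder
FAKE_CLUSTER = "elasticsearch"  # constructed placeholder

# In-memory record of every request; a real deployment would ship these to a SIEM.
REQUEST_LOG = []


def fake_response(path):
    """Map a request path (query string already stripped) to (status, JSON body)."""
    if path == "/":
        return 200, {
            "status": 200,
            "name": FAKE_NODE,
            "cluster_name": FAKE_CLUSTER,
            "version": {"number": FAKE_VERSION, "build_hash": "0" * 40},
            "tagline": "You Know, for Search",
        }
    if path.startswith("/_search"):
        return 200, {
            "took": 2,
            "timed_out": False,
            "_shards": {"total": 5, "successful": 5, "failed": 0},
            "hits": {"total": 0, "max_score": None, "hits": []},
        }
    if path.startswith("/_nodes"):
        return 200, {
            "cluster_name": FAKE_CLUSTER,
            "nodes": {FAKE_NODE: {"name": FAKE_NODE, "version": FAKE_VERSION}},
        }
    # Anything else gets an ES-style error object instead of the default HTML 404 page.
    return 404, {"error": "IndexMissingException[[%s] missing]" % path.strip("/"), "status": 404}


class HoneyHandler(BaseHTTPRequestHandler):
    def send_response(self, code, message=None):
        # The default implementation adds "Server: BaseHTTP/... Python/..." which
        # would fingerprint the honeypot; Elasticsearch sends no Server header at all.
        self.send_response_only(code, message)

    def log_message(self, fmt, *args):
        pass  # keep stderr quiet; everything goes to REQUEST_LOG instead

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode("utf-8", "replace") if length else ""
        REQUEST_LOG.append({
            "src": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "user_agent": self.headers.get("User-Agent", ""),
            "body": body,
        })
        status, payload = fake_response(self.path.split("?", 1)[0])
        data = json.dumps(payload).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json; charset=UTF-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _handle


def start_honeypot(host="127.0.0.1", port=0):
    """Serve in a daemon thread; port 0 picks a free port (see server.server_address)."""
    server = HTTPServer((host, port), HoneyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url, data=None):
    """Small client for local testing: returns (status, decoded JSON)."""
    try:
        with urlopen(url, data=data, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8"))


if __name__ == "__main__":
    srv = start_honeypot()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    print(probe(base + "/"))
    print(probe(base + "/_search?pretty", data=b'{"query": {"match_all": {}}}'))
    print(probe(base + "/not-an-endpoint"))
    for entry in REQUEST_LOG:
        print(json.dumps(entry))
    srv.shutdown()
```

Running the file starts the decoy on a free local port, sends itself three requests and prints the resulting log entries; to expose it the way the writeup's Elastichoney instance was exposed, bind to `0.0.0.0` on port 9200 and persist `REQUEST_LOG` instead of keeping it in memory.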
Copyright [2017] [Milan Bhatia]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.