2017, January 27 - ongoing

This repo is for a honeypot project, created with the aim of writing a white paper focusing on unsolicited internet traffic. This project is a joint effort between Holberton School staff, students, and mentors.
- Set up an Amazon AWS instance.
- Install tshark:

```sh
sudo apt-get install tshark
```

- Set up an SSH tunneling server, so we only have to filter one IP address and have a single SSH entry point into the Amazon AWS instance. We used a droplet from Digital Ocean.
- Filter out all traffic from our own IP address (the tunnel's address) while capturing:

```sh
sudo tshark -w log.pcap -s 0 -n -f 'not net <IP from ssh tunnel>'
```

- Record the activity for one day.
- Parse through the pcap and organize the traffic by number of requests per source IP, by type of request, or by number of requests per country.
- Decide on what kind of honeypot to set up, based on the top accessed protocols:
  - TELNET (port 23), specifically targeted at Mirai/Hajime
    - Cowrie, or a homegrown honeypot
  - SIP (ports 5060 and 5061)
    - Artemisa, Dionaea, or a homegrown honeypot
  - HTTP + MySQL (ports 80 and 3306), specifically WordPress and MySQL
    - Glastopf, or a homegrown honeypot
  - One other protocol
- Compare the pcap with auth.log from that day to determine which SSH traffic is brute forcing and which is not.

- Tim: Continue analyzing the Telnet protocol and the Mirai/Hajime botnets, and keep the project moving
- Ian C: Write the paper and organize / compile data
- Swati and Ian L-J: Research and deploy a SIP honeypot
- Richard: Set up and investigate possible honeypots / protocols to analyze. Currently deploying Glastopf
- Danton: Compare auth logs and SSH brute-force traffic to determine what is a normal SSH brute-force attempt and what could be anomalous. Simultaneously, decide on a final protocol to analyze.
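An added worked example (not code from this repo) covering the two analysis steps above, "parse through the pcap" and "compare the pcap with auth.log": it tallies a tshark field export by source IP and destination port, ranks the busiest ports against the shortlisted protocols, and labels each heavy port-22 source as brute force (auth.log records failed passwords from it) or anomalous (repeated SSH connections but no auth failures). The tshark export command in the docstring, the port-to-protocol table, the sample export lines and the auth.log lines are all constructed assumptions; per-country tallies would need a GeoIP database and are left out.

```python
"""Added example, not part of the project's repo: tally a tshark field export
by source IP and destination port, then cross-check heavy port-22 sources
against sshd failures in auth.log.

Assumed export command (run on the day's capture):
  tshark -r log.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
         -T fields -e ip.src -e tcp.dstport -E separator=, > syns.csv
which yields one "src_ip,dst_port" line per TCP SYN (connection attempt).
"""
import re
from collections import Counter

# Constructed sample of the export (src_ip,dst_port), one SYN per line,
# including one malformed line to show it is skipped.
SAMPLE_SYNS = """\
203.0.113.5,23
203.0.113.5,23
203.0.113.5,2323
198.51.100.7,22
198.51.100.7,22
198.51.100.7,22
198.51.100.7,22
192.0.2.9,22
192.0.2.9,22
192.0.2.9,22
192.0.2.9,22
192.0.2.9,22
192.0.2.10,5060
192.0.2.10,5060
192.0.2.11,80
malformed line
"""

# Constructed sample of sshd lines from /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Jan 27 03:12:01 honey sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 27 03:12:03 honey sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 27 03:12:05 honey sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jan 27 03:12:07 honey sshd[1205]: Failed password for invalid user pi from 198.51.100.7 port 51031 ssh2
Jan 27 03:15:40 honey sshd[1210]: Accepted publickey for holberton from 10.0.0.2 port 40000 ssh2
"""

# Ports the project shortlisted, used to label the ranking (assumed names).
PORT_NAMES = {22: "SSH", 23: "TELNET", 2323: "TELNET-alt", 80: "HTTP",
              3306: "MySQL", 5060: "SIP", 5061: "SIP-TLS"}

# Matches "Failed password for root from X" and
# "Failed password for invalid user admin from X".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def parse_syns(text):
    """Yield (src_ip, dst_port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 2 or not parts[0] or not parts[1].isdigit():
            continue
        yield parts[0], int(parts[1])


def tally_syns(text):
    """Return (per_ip, per_port) Counters of connection attempts."""
    per_ip, per_port = Counter(), Counter()
    for src, port in parse_syns(text):
        per_ip[src] += 1
        per_port[port] += 1
    return per_ip, per_port


def top_protocols(per_port, n=3):
    """Rank destination ports by attempts, naming the shortlisted ones."""
    return [(PORT_NAMES.get(p, str(p)), c) for p, c in per_port.most_common(n)]


def failed_logins(auth_log):
    """Count sshd 'Failed password' lines per source IP."""
    fails = Counter()
    for line in auth_log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            fails[m.group(1)] += 1
    return fails


def classify_ssh_sources(syn_text, auth_log, min_syns=3):
    """Label every IP with at least min_syns attempts on port 22.

    'bruteforce': auth.log records failed passwords from it (the normal case).
    'anomalous' : repeated SSH connections but no auth failures; worth a closer
                  look (banner grabbing, a client that never authenticates, or
                  a gap in the auth log itself).
    """
    ssh_syns = Counter(src for src, port in parse_syns(syn_text) if port == 22)
    fails = failed_logins(auth_log)  # Counter returns 0 for unseen IPs
    return {ip: ("bruteforce" if fails[ip] else "anomalous")
            for ip, n in ssh_syns.items() if n >= min_syns}


if __name__ == "__main__":
    per_ip, per_port = tally_syns(SAMPLE_SYNS)
    print("Top sources:", per_ip.most_common(3))
    print("Top ports:", top_protocols(per_port))
    print("SSH sources:", classify_ssh_sources(SAMPLE_SYNS, SAMPLE_AUTH_LOG))
```

Counting only SYNs without ACK keeps the tally at one entry per connection attempt rather than one per packet, so a single long Telnet session does not outweigh hundreds of short brute-force connections. The `min_syns` threshold is deliberately low for the constructed sample; on a day-long capture it should be raised to whatever separates scanners from single stray connections in the real data.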
- tshark
- docker
- cowrie
For a list of resources and commands used, refer to LINKS.md
For a list of Authors and contributors, refer to AUTHORS