How to Run a Honeypot
I decided to run a honeypot for fun, to see what interesting things I would see. Maybe at some point I’ll share the details in a list and perhaps build some automation fun around the data gathered.
I would recommend setting up a dedicated VPS for something like this – one that is not connected to any sensitive networks and does not store any sensitive data on it.
I’m going with a $5/month server with Vultr running Arch Linux and then I’ll be using Docker to run heralding. Heralding is a simple honeypot written in Python that spoofs a range of common services and logs the credentials used when an attacker attempts to brute-force a service.
I’d recommend moving the real SSH daemon to a port other than 22, since the honeypot will be listening on port 22, and then restricting access to that new port to trusted IP addresses only.
First, install Docker on your honeypot host.
Let’s create a directory for the logs:
mkdir -p /opt/honeypot/logs
And let’s create empty files to mount in the container as log files:
Once Docker is running, run the following command to deploy the heralding container on all the ports it has services for:
docker run -d --restart=unless-stopped \
  --name=heralding \
  -v /opt/honeypot/logs/log_session.json:/log_session.json \
  -v /opt/honeypot/logs/log_session.csv:/log_session.csv \
  -v /opt/honeypot/logs/log_auth.csv:/log_auth.csv \
  -p 21:21 \
  -p 22:22 \
  -p 23:23 \
  -p 25:25 \
  -p 80:80 \
  -p 110:110 \
  -p 143:143 \
  -p 443:443 \
  -p 465:465 \
  -p 993:993 \
  -p 995:995 \
  -p 1080:1080 \
  -p 2222:2222 \
  -p 3306:3306 \
  -p 3389:3389 \
  -p 5432:5432 \
  -p 5900:5900 \
  heywoodlh/heralding:latest
Now, whenever brute-force attempts are made against your server, they will be recorded in the log files in /opt/honeypot/logs on your server!
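As a starting point for the automation mentioned at the top, here is an added example (not part of the original post or of heralding itself) that summarizes log_auth.csv: the most-tried credential pairs, attempts per protocol, and source IPs that cycled through several usernames. It assumes the CSV has a header row with source_ip, protocol, username and password columns; the sample rows are constructed.

```python
import csv
import io
import sys
from collections import Counter, defaultdict

# Constructed sample rows (documentation IP ranges), not real honeypot data.
# Assumption: log_auth.csv has a header row with these column names.
SAMPLE_LOG = """\
timestamp,auth_id,session_id,source_ip,source_port,destination_port,protocol,username,password
2024-01-01 00:00:01,a1,s1,203.0.113.7,40112,22,ssh,root,123456
2024-01-01 00:00:02,a2,s1,203.0.113.7,40112,22,ssh,admin,admin
2024-01-01 00:00:03,a3,s1,203.0.113.7,40112,22,ssh,ubuntu,ubuntu
2024-01-01 00:00:04,a4,s2,198.51.100.23,51800,23,telnet,root,123456
2024-01-01 00:00:05,a5,s2,198.51.100.23,51800,23,telnet,root,root
2024-01-01 00:00:06,a6,s3,192.0.2.50,33060,3306,mysql,root,123456
2024-01-01 00:00:07,a7
"""

def summarize(csv_file, many_users=3):
    """Tally credential pairs and protocols; list sources trying many usernames."""
    creds, protocols = Counter(), Counter()
    users_by_ip = defaultdict(set)
    skipped = 0
    for row in csv.DictReader(csv_file):
        ip, proto = row.get("source_ip"), row.get("protocol")
        if not ip or not proto:
            skipped += 1  # truncated or malformed line
            continue
        user, password = row.get("username") or "", row.get("password") or ""
        creds[(user, password)] += 1
        protocols[proto] += 1
        users_by_ip[ip].add(user)
    noisy = sorted(ip for ip, u in users_by_ip.items() if len(u) >= many_users)
    return {"credentials": creds, "protocols": protocols,
            "noisy_sources": noisy, "skipped": skipped}

if __name__ == "__main__":
    # Pass /opt/honeypot/logs/log_auth.csv as the argument on the honeypot host.
    src = open(sys.argv[1], newline="") if len(sys.argv) > 1 else io.StringIO(SAMPLE_LOG)
    with src:
        report = summarize(src)
    for (user, password), n in report["credentials"].most_common(10):
        # repr() keeps attacker-supplied control characters out of the terminal
        print(f"{n:5d}  {user!r} / {password!r}")
    print("by protocol:", dict(report["protocols"]))
    print("many usernames from:", report["noisy_sources"])
    print("skipped rows:", report["skipped"])
```

Usernames and passwords in this log are attacker-controlled input, so anything that consumes the summary (a web dashboard, a shell script, a chat notification) should escape them the same way the print loop does.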