https://github.com/helospark/tomcat-manager-honeypot

Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study
https://github.com/helospark/tomcat-manager-honeypot

honeypot spring-boot tomcat

Last synced: 2 months ago
JSON representation

Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study

• Host: GitHub
• URL: https://github.com/helospark/tomcat-manager-honeypot
• Owner: helospark
• License: mit
• Created: 2017-08-12T19:48:38.000Z (almost 7 years ago)
• Default Branch: master
• Last Pushed: 2017-08-27T09:48:01.000Z (almost 7 years ago)
• Last Synced: 2024-01-23T21:43:08.640Z (5 months ago)
• Topics: honeypot, spring-boot, tomcat
• Language: Java
• Size: 106 KB
• Stars: 10
• Watchers: 2
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.adoc
  • License: LICENSE

Lists

• awesome-honeypots - tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study (Honeypots)
• awesome-honeypots - tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study (Honeypots)
• -awesome-honeypots- - tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study (Honeypots)
• awesome-honeypots - tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study. (Honeypots)
• fucking-awesome-honeypots - tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study. (Honeypots)
• awesome-honeypot - **3**星

README

        
= Tomcat manager honeypot

== Introduction

Honeypot that mimics Tomcat manager endpoints, but when called it logs requests and saves attacker's WAR file for later study. +

This is a standalone (runnable jar) application, so you will not going to need any webcontainer to run it. +

Created in Java using Spring Boot.

== Compilation

You can compile using Maven:

[source,bash]

mvn clean install

== Usage

Default properties are defined under `src/main/resources/default_configuration.properties` file, but you can override any properties by creating a file in `/etc/tomcat-manager-honeypot/configuration.properties`. Alternatively this location can be changed by appending `-DCONFIG_LOCATION=/some/path/config.properties` flag when starting the application. +

The most important property to override is `honeypot.save.directory=/tmp`, that changes where the uploaded (WAR) files are saved. By default they are saved to /tmp directory.

By default log files are generated in `currentDirectory/tomcat-manager-honeypot/general.log` but you can override this by supplying `-DLOG_LOCATION=/var/log/tomcat-manager-honeypot` when starting the application. +

By default logs are not shown on the console, but you can turn them on, by running the application with dev profile. You can do this, by appending `-Dspring.profiles.active=dev`

Running the application can be done via Java:

[source,bash]

	java -jar [Optional flags] application.jar

This will block the terminal, if you want to run as daemon, run with `&` at the end, you can also disown the application, so if you close the session, it will still run:

[source,bash]

	java -jar [Optional -D flags] tomcat-manager-honeypot-{version}.jar &

	disown -a

For security reasons, it is usually the best to run it as a separate user

[source,bash]

	sudo useradd -m telnetsnake

	sudo passwd telnetsnake

	# enter some super secret password

Also for security reasons don't run the the honeypot at an admin port, so you will need to create a redirect from HTTP/HTTPS port:

[source,bash]

	iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8081

== Testing

Endpoints are separated to two major category, REST and HTML endpoint. +

Basic authentication is required for all endpoints (except static resources), by default userName=tomcat and password=tomcat is used (can be overridden via properties file).

REST Endpoints are those listen on the Tomcat page: https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Deploy_a_Directory_or_WAR_by_URL

These can be accessed via GET and POST calls, you can call this via a rest caller (like Postman).

HTML endpoint root is /manager/html, you can go visit it via a regular browser:

http://localhost:8081/manager/html

== Troubleshooting

Check the log files (see above section about the location). If you cannot see log file, you can force logging to console by appending `-Dspring.profiles.active=dev` to application when starting.

On compilation failure check Java version (should be at least 8) and check Maven version (+3.5.0 should be able to compile it).

If you are not able to find the problem, please create a GitHub issue with as many details, as you can add.

== Integration with other programs

On Linux integration with the following tools are recommended:

=== Fail2Ban

Fail2ban can be used to automatically add IPs to your firewall to stop user, who once used the service. +

Under environment/fail2ban folder I have defined a filter to ban user for an hour, who have uploaded a war file.  +

Append the content of jail.conf at the end of you fail2ban's jail.conf. +

Don't forget to change the log location in the rule, if you have changed that.

=== Nginx

You can use an Nginx frontcontroller, so only `/manager/*` URLs get routed to this honeypot, while the rest can be routed to a real service. This would also allow this honeypot to be usable via HTTP, HTTPS.

You can apply this to you nginx.conf server to proxy manager traffic to this honeypot:

[source]

    location /manager {

        proxy_pass http://localhost:8081;

        proxy_http_version 1.1;

    }