Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/MattCarothers/mhn-core-docker

Core elements of the Modern Honey Network implemented in Docker
https://github.com/MattCarothers/mhn-core-docker

Last synced: 2 months ago
JSON representation

Core elements of the Modern Honey Network implemented in Docker

Lists

README 

        
# mhn-core-docker



## What this is



1. It's a subset of the [Modern Honey Network project](https://github.com/threatstream/mhn) that's set up to run in docker.

2. The "broker" image runs an hpfeeds broker.  The broker allows clients to publish to channels or subscribe to channels.

3. The "cowrie" image runs the cowrie honeypot.  It connects to the broker and publishes events to it.

4. The "dionaea" image runs the dionaea honeypot.  It connects to the broker and publishes events to it, and it stores captured binaries.

5. In the broker container, an application called "geoloc" subscribes to the cowrie channel events and publishes a second channel with geolocation info added.

6. Also in the broker container, an application called "honeymap" subscribes to the geoloc channel and makes a pretty map.  It listens on port 3000.



![Data Flow Diagram](https://mattcarothers.github.io/mhn-core-docker/data-flow-diagram.png)



## Steps to make this work



Create a docker network so you can statically IP your containers:

```

docker network create --subnet 192.168.0.0/24 honeynet

```



Clone the repository, change to the broker directory, and build the docker image.

```

git clone https://github.com/MattCarothers/mhn-core-docker

cd broker

docker build -t broker .

```



Start the broker image.  Your host OS will now be listening on port 3000 for http requests into

honeymap.  If you prefer to forward ports with iptables or use a reverse proxy, leave out the

-p flag.  Events from hpfeeds will be written to /var/log/broker/mhn-json.log.

```

docker run --name broker -v /var/log/broker:/var/log/mhn -d \

	--restart unless-stopped \

	-p 3000:3000 \

	--net honeynet --ip 192.168.0.2 broker

```



Add an hpfeeds auth key for the cowrie honeypot by inserting it into the mongo

database.  You should edit this script and change the key.  Especially if you plan to expose

hpfeeds outside of your host.  You'll need to change it in cowrie/Dockerfile

too.

```

cd ..

./add_cowrie_user.sh

```



Optional: create a honeypot user on the host OS to own the cowrie log

directory.  Set the uid of the new user in cowrie/Dockerfile.



Create the honeypot image.

```

cd cowrie

docker build -t cowrie .

```



Create a log directory for the honeypot.  Change ownership to uid 1000 (default)

or whatever your honeypot user is if you created one.  Creating this directory

isn't strictly necessary, but it's helpful for troubleshooting.

```

mkdir /var/log/cowrie

chown 1000 /var/log/cowrie

```



Start the honeypot.  Your host will now be listening on 22 and 23.  If you're 

forwarding ports with iptables, leave out the -p flags.  NB: If your host has

ssh running on port 22 already, docker won't be able to bind to it.

```

docker run -d --name cowrie -v /var/log/cowrie:/opt/cowrie/log \

	--restart unless-stopped \

	--net honeynet --ip 192.168.0.3 --link broker \

	-p 22:22 -p 23:23 \

	cowrie

```



Add an hpfeeds auth key for the dionaea honeypot by inserting it into the

mongo database.  You should edit this script and change the key.  Especially if you plan to expose

hpfeeds outside of your host.  You'll need to change it in dionaea/Dockerfile

too.

```

cd ..

./add_dionaea_user.sh

```



Optional: edit the dionaea config file and set any options you want.

```

vi dionaea/dionaea.conf

```



Optional: create a honeypot user on the host OS to own the dionaea log

directory.  Set the uid of the new user in dionaea/Dockerfile.



Create the honeypot image.

```

cd dionaea

docker build -t dionaea .

```



Create a log directory for the honeypot.  Change ownership to uid 1000

(default) or whatever your honeypot user is if you created one.  You'll

want to map a directory on the host OS if you're storing binaries, sqllite

logs, or other stuff you want to access.  The default config stores binaries

and sends events via hpfeeds to the broker.

```

mkdir /var/log/dionaea

chown 1000 /var/log/dionaea

```



Start the honeypot.  Your host will now be listening on a bunch of ports.

If you're forwarding ports with iptables, leave out the -p flags.

```

docker run -d --name dionaea -v /var/log/dionaea:/opt/dionaea/var/dionaea \

	--net honeynet --ip 192.168.0.4 --link broker \

	--restart unless-stopped \

	-p 21:21 -p 42:42 -p 80:80 -p 135:135 -p 443:443 -p 445:445 -p 1433:1433 \

	-p 1723:1723 -p 1883:1883 -p 3306:3306 -p 5060:5060 -p 5061:5061 \

	-p 69:69/udp -p 1900:1900/udp -p 5060:5060/udp \

	dionaea

```



## iptables configuration



If you have a dark subnet routed to your host, you'll need to perform some additional configuration

in order to get packets to the honeypot.



```

# Clear existing rules

iptables -F

iptables -F -t nat



# Permit docker containers to NAT

iptables -A FORWARD -s 172.17.0.0/16 -j ACCEPT

iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT



# Permit specific hosts to reach exposed docker container ports (e.g.

# honeymap or hpfeeds)

iptables -A FORWARD -s YOUR_TRUSTED_SOURCE_IP -d 172.17.0.0/16 -j ACCEPT

iptables -A FORWARD -s YOUR_TRUSTED_SOURCE_IP -d 192.168.0.0/24 -j ACCEPT



# Permit locahost

iptables -A FORWARD -s 127.0.0.0/8 -j ACCEPT

iptables -A FORWARD -d 127.0.0.0/8 -j ACCEPT



# Allow traffic to honeypots on the ports they need

# Cowrie

iptables -A FORWARD -d 192.168.0.3 -p tcp --destination-port 22 -j ACCEPT

iptables -A FORWARD -d 192.168.0.3 -p tcp --destination-port 23 -j ACCEPT



# Dionaea

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 21 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 42 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 80 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 135 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 443 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 445 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 1433 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 1723 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 1883 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 3306 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 5060 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p tcp --destination-port 5061 -j ACCEPT



iptables -A FORWARD -d 192.168.0.4 -p udp --destination-port 69 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p udp --destination-port 1900 -j ACCEPT

iptables -A FORWARD -d 192.168.0.4 -p udp --destination-port 5060 -j ACCEPT



# Don't forward any other packets.  It's very important that you enable this rule before you

# turn on ip forwarding.  Otherwise you create a routing loop.

iptables -P FORWARD DROP



# Permit traffic to the host OS from approved sources

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -s YOUR_TRUSTED_SOURCE_IP -j ACCEPT



# Don't accept any other connections

iptables -P INPUT DROP



# NAT specific ports on specific destination IPs to docker containers

iptables -t nat -A PREROUTING -i eth0 -j DNAT -d YOUR_DARK_IP --to-destination 192.168.0.3

iptables -t nat -A PREROUTING -i eth0 -j DNAT -d YOUR_DARK_IP --to-destination 192.168.0.4



# In practice you'll probably want to script that:

HOSTS=`cat /etc/mhn/ssh-honeypots`

for host in $HOSTS; do

        echo $host '->' 192.168.0.3

        iptables -t nat -A PREROUTING -i eth0 -j DNAT -d $host --to-destination 192.168.0.3

done



HOSTS=`cat /etc/mhn/dionaea-honeypots`

for host in $HOSTS; do

        echo $host '->' 192.168.0.4

        iptables -t nat -A PREROUTING -i eth0 -j DNAT -d $host --to-destination 192.168.0.4

done



# And here's a script to clear out the honeypot nat rules:

RULES=`iptables -t nat -nL PREROUTING --line-numbers | grep '192.168.0.[3456789]' | awk '{print $1}' | sort -rn`



for rule in $RULES; do

        echo iptables -t nat -D PREROUTING $rule

        iptables -t nat -D PREROUTING $rule

done

```