Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/helospark/tomcat-manager-honeypot

Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study
https://github.com/helospark/tomcat-manager-honeypot

honeypot spring-boot tomcat

Last synced: 2 months ago
JSON representation

Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study

Host: GitHub
URL: https://github.com/helospark/tomcat-manager-honeypot
Owner: helospark
License: mit
Created: 2017-08-12T19:48:38.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2017-08-27T09:48:01.000Z (over 7 years ago)
Last Synced: 2024-08-01T17:30:48.502Z (5 months ago)
Topics: honeypot, spring-boot, tomcat
Language: Java
Size: 106 KB
Stars: 10
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.adoc
- License: LICENSE

Awesome Lists containing this project

awesome-honeypots - tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study (Honeypots)
awesome-honeypots - tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study. (Honeypots)
fucking-awesome-honeypots - tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study. (Honeypots)
awesome-honeypot - **3**星

README

= Tomcat manager honeypot

== Introduction

Honeypot that mimics Tomcat manager endpoints, but when called it logs requests and saves attacker's WAR file for later study. +
This is a standalone (runnable jar) application, so you will not going to need any webcontainer to run it. +
Created in Java using Spring Boot.

== Compilation

You can compile using Maven:

[source,bash]
mvn clean install

== Usage

Default properties are defined under `src/main/resources/default_configuration.properties` file, but you can override any properties by creating a file in `/etc/tomcat-manager-honeypot/configuration.properties`. Alternatively this location can be changed by appending `-DCONFIG_LOCATION=/some/path/config.properties` flag when starting the application. +
The most important property to override is `honeypot.save.directory=/tmp`, that changes where the uploaded (WAR) files are saved. By default they are saved to /tmp directory.

By default log files are generated in `currentDirectory/tomcat-manager-honeypot/general.log` but you can override this by supplying `-DLOG_LOCATION=/var/log/tomcat-manager-honeypot` when starting the application. +
By default logs are not shown on the console, but you can turn them on, by running the application with dev profile. You can do this, by appending `-Dspring.profiles.active=dev`

Running the application can be done via Java:

[source,bash]
java -jar [Optional flags] application.jar

This will block the terminal, if you want to run as daemon, run with `&` at the end, you can also disown the application, so if you close the session, it will still run:

[source,bash]
java -jar [Optional -D flags] tomcat-manager-honeypot-{version}.jar &
disown -a

For security reasons, it is usually the best to run it as a separate user

[source,bash]
sudo useradd -m telnetsnake
sudo passwd telnetsnake
# enter some super secret password

Also for security reasons don't run the the honeypot at an admin port, so you will need to create a redirect from HTTP/HTTPS port:

[source,bash]
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8081

== Testing

Endpoints are separated to two major category, REST and HTML endpoint. +
Basic authentication is required for all endpoints (except static resources), by default userName=tomcat and password=tomcat is used (can be overridden via properties file).

REST Endpoints are those listen on the Tomcat page: https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Deploy_a_Directory_or_WAR_by_URL
These can be accessed via GET and POST calls, you can call this via a rest caller (like Postman).

HTML endpoint root is /manager/html, you can go visit it via a regular browser:
http://localhost:8081/manager/html

== Troubleshooting

Check the log files (see above section about the location). If you cannot see log file, you can force logging to console by appending `-Dspring.profiles.active=dev` to application when starting.

On compilation failure check Java version (should be at least 8) and check Maven version (+3.5.0 should be able to compile it).

If you are not able to find the problem, please create a GitHub issue with as many details, as you can add.

== Integration with other programs

On Linux integration with the following tools are recommended:

=== Fail2Ban

Fail2ban can be used to automatically add IPs to your firewall to stop user, who once used the service. +
Under environment/fail2ban folder I have defined a filter to ban user for an hour, who have uploaded a war file. +
Append the content of jail.conf at the end of you fail2ban's jail.conf. +
Don't forget to change the log location in the rule, if you have changed that.

=== Nginx

You can use an Nginx frontcontroller, so only `/manager/*` URLs get routed to this honeypot, while the rest can be routed to a real service. This would also allow this honeypot to be usable via HTTP, HTTPS.

You can apply this to you nginx.conf server to proxy manager traffic to this honeypot:

[source]
location /manager {
proxy_pass http://localhost:8081;
proxy_http_version 1.1;
}