
Put a Honeypot in your life
I think that nowadays few people don't know what a honeypot is, or how useful it is to have one deployed in our infrastructure. The idea behind these gadgets, as we know, is to detect and alert on attacks or nosy people on the network; in this post we will also see how to integrate one with Centreon.
It had been a long time since I last played with a honeypot; recently, a post by the folks at The Hacker gave me some interesting ideas. It may be tempting to place them on the public side and detect the attacks our public IPs receive, but it is perhaps more interesting to deploy a lightweight honeypot in each network segment we have, with the idea of detecting nosy people, bots, or any scans going on inside our internal network.
The truth is that there are plenty of honeypots (which is why I mentioned The Hacker's post): most deploy in a flash and come with pretty interfaces. In my case I was looking for a light one, one that detects and responds on certain services, the most common ones found in a network (telnet, SMB, RDP, LDAP, HTTP...). In short: if someone tries to connect to a port on this machine, we will know, whether it is ransomware trying to move laterally, a port scan by some nosy colleague, or a bot trying to brute-force. The honeypot itself could alert me, but as you know, if I can centralise it in Centreon, know the honeypot's status and, when someone connects to it, have the alert delivered to me there, so much the better.
In short, we need nothing more than an Ubuntu 18.04 with 1 vCPU and 2 GB of RAM, and we will rely on this simple but effective honeypot called Chameleon. It comes with a pre-built dashboard in its own Grafana and consists of a pack of 19 customizable honeypots for these services: DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, SMTP, RDP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres, MySQL, MSSQL, Elastic and LDAP.
Before deploying anything (which will be painless thanks to Docker containers), we have to change the SSH port of our Ubuntu, since 22/tcp will be taken by a honeypot. So we edit '/etc/ssh/sshd_config', set a high port such as 2222/tcp (Port 2222), and restart the sshd daemon with 'sudo systemctl restart sshd'. Do this from a session you can afford to lose, and confirm the new port answers before closing it.
It is enough to clone the Chameleon repo and run one script; it takes care of everything, so it's just a matter of waiting.
git clone https://github.com/qeeqbox/chameleon.git
cd chameleon
sudo chmod +x ./run.sh
sudo ./run.sh deploy
sudo ./run.sh test
We have at least two options: (i) deploy, which brings up 3 containers, one with Grafana, another with Postgres and another with the honeypots; and (ii) test, which additionally deploys a syslog container and a container that simulates connections. I find this second option less interesting and heavier, and it is not what this post is about. Once the containers are created, everything is ready. We access Grafana on port 3000 with the default credentials (changeme457f6460cb287 / changemed23b8cc6a20e0). In my case I already have a Grafana on the network, so this container doesn't interest me: I export its dashboard and import it into the production Grafana. Access to the Postgres database is on port 9999/tcp with the credentials (changeme027a088931d22 / changeme0f40773877963). Bear in mind that these credentials are the public defaults shipped with the repo, so change them, and don't expose 3000 or 9999 beyond the network you control.
And now, to integrate it into Centreon and have Centreon generate the connection alerts, the best approach is to query the honeypot's own PostgreSQL database, with a Command such as:
perl /usr/lib/centreon/plugins/centreon-plugins/centreon_plugins.pl --plugin=database::postgres::plugin --mode=sql --host=HONEYPOT_IP --port=9999 --database=chameleon --username=changeme027a088931d22 --password=changeme0f40773877963 --sql-statement="$ARG1$" --warning=0 --critical=0
and the SQL statement is passed to it as the argument ($ARG1$); for example, for the HTTP service:
SELECT COUNT(*) FROM sniffer_table WHERE date >= (NOW() - INTERVAL '1 HOUR') AND data->>'dst_port' = '80' AND data->>'action' = 'tcpscan'
And this would be the result: with --warning=0 --critical=0, any event counted in the last hour flips the service to CRITICAL. Although it is true that you could configure alerts from the Grafana dashboard Chameleon ships, you know me as a good centralizer: everything goes through Centreon, which has to know about everything, from a single central point.
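The check above boils down to "count the events that hit a port in the last hour and alert if the count is above zero". The following Python is an added example, not code from the original post or from Chameleon: it reproduces that logic against constructed sample events in an in-memory SQLite database standing in for Chameleon's PostgreSQL, so you can see what the Centreon service does without deploying anything. The table layout (a date column plus a JSON data column with dst_port and action), the port-to-service mapping and the sample rows are assumptions; the query uses json_extract() where the PostgreSQL query above uses ->>.

```python
"""
Added example (not part of the original post or of Chameleon): the detection
logic behind the Centreon check, run against constructed sample events in an
in-memory SQLite database that stands in for Chameleon's PostgreSQL.
Assumed layout: sniffer_table(date, data) with `data` a JSON document carrying
`dst_port` and `action`, as in the post's query. All rows below are invented.
"""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed port-to-service labels (taken from the post's service list, not from
# Chameleon's configuration); used only to make the check output readable.
SERVICE_PORTS = {22: "ssh", 23: "telnet", 80: "http", 389: "ldap",
                 445: "smb", 3389: "rdp"}


def _ts(minutes_ago: int) -> str:
    """UTC timestamp in the 'YYYY-MM-DD HH:MM:SS' form SQLite's datetime() uses."""
    t = datetime.now(timezone.utc) - timedelta(minutes=minutes_ago)
    return t.strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db() -> sqlite3.Connection:
    """Create the table and load constructed events (not real honeypot data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sniffer_table (id INTEGER PRIMARY KEY, date TEXT, data TEXT)")
    events = [
        # (minutes ago, src_ip, dst_port, action)
        (5, "10.0.0.42", 80, "tcpscan"),     # recent probe of the HTTP honeypot
        (12, "10.0.0.42", 80, "tcpscan"),    # same scanner, second probe
        (20, "10.0.0.42", 445, "tcpscan"),   # lateral-movement style SMB probe
        (30, "10.0.0.7", 22, "connection"),  # full connection, not a tcpscan
        (180, "10.0.0.99", 80, "tcpscan"),   # three hours old: outside the window
    ]
    for minutes, src, port, action in events:
        # dst_port stored as text, matching the string comparison in the post's query
        data = json.dumps({"src_ip": src, "dst_port": str(port), "action": action})
        conn.execute("INSERT INTO sniffer_table (date, data) VALUES (?, ?)",
                     (_ts(minutes), data))
    conn.commit()
    return conn


def count_events(conn, dst_port: int, action: str = "tcpscan", hours: int = 1) -> int:
    """Same question as the post's SQL: how many <action> events hit <dst_port>
    in the last <hours>? json_extract() replaces PostgreSQL's ->> operator."""
    sql = """
        SELECT COUNT(*) FROM sniffer_table
        WHERE date >= datetime('now', ?)
          AND json_extract(data, '$.dst_port') = ?
          AND json_extract(data, '$.action') = ?
    """
    row = conn.execute(sql, (f"-{hours} hours", str(dst_port), action)).fetchone()
    return row[0]


def nagios_state(value: int, warning: int = 0, critical: int = 0):
    """Map a count to a Nagios/Centreon state the way --warning=0 --critical=0
    behaves: any count above the threshold is an alert (simplified to integer
    thresholds; full Nagios range syntax is not implemented here)."""
    if value > critical:
        return "CRITICAL", 2
    if value > warning:
        return "WARNING", 1
    return "OK", 0


def check_port(conn, dst_port: int, warning: int = 0, critical: int = 0) -> str:
    """Build the one-line status text a Centreon service would display, with perfdata."""
    n = count_events(conn, dst_port)
    state, _ = nagios_state(n, warning, critical)
    svc = SERVICE_PORTS.get(dst_port, str(dst_port))
    return (f"{state}: {n} tcpscan events on {svc}/{dst_port} in the last hour"
            f" | events={n};{warning};{critical}")


def scanned_ports(conn, hours: int = 1) -> dict:
    """Per-port tcpscan counts in the window: useful for a single 'anything at
    all touched the honeypot' service instead of one service per port."""
    sql = """
        SELECT json_extract(data, '$.dst_port') AS port, COUNT(*)
        FROM sniffer_table
        WHERE date >= datetime('now', ?) AND json_extract(data, '$.action') = 'tcpscan'
        GROUP BY port
    """
    return {int(p): c for p, c in conn.execute(sql, (f"-{hours} hours",))}


if __name__ == "__main__":
    db = build_sample_db()
    for port in (80, 445, 22):
        print(check_port(db, port))
    print(scanned_ports(db))
```

The 'connection' event on 22 is deliberately not counted by the tcpscan check: if you want full connections (a brute-force bot, say) to alert as well, either pass that action as a second Centreon service or drop the action filter from the statement.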
That's it; I hope you found it curious, but I think it's good to have a machine like this on our network: if they get in, better to be told than to have to wait until we find out ourselves. It is lightweight and consumes next to nothing...
PS: Be careful placing a public honeypot on the Internet. You will get astonishing data from the jungle out there: attacks, the most-targeted ports, the credentials bots try; but if they compromise the machine, they will be inside your network. Do your tests on an isolated network. A hug,