Installation and use of the HFish honeypot
2022-07-20 07:29:00 【sec0nd_】
Preface
I had the opportunity to try installing and using a honeypot.
HFish is a free community honeypot focused on enterprise security scenarios. Starting from three scenarios (intranet compromise detection, external threat awareness, and threat intelligence production), it provides users with independent and practical functions. Through secure, agile and reliable medium- and low-interaction honeypots, it increases users' capability in compromise awareness and threat intelligence.
HFish has more than 40 honeypot environments, a free cloud honeynet, highly customizable honey bait capability, one-click deployment, cross-platform and multi-architecture support, support for domestic operating systems and CPUs, very low performance requirements, and alerting via email / syslog / webhook / Enterprise WeChat / DingTalk / Feishu, among other features. These help users reduce operation and maintenance costs and improve operational efficiency.
Install
Configuration instructions
HFish consists of a management end and node ends (the management end itself can also act as a node end). The management end is used to generate and manage the node ends, and to receive, analyze and display the data returned by the nodes. A node end accepts control from the management end and is responsible for building the honeypot services.
The management end and the node end have different configuration requirements; see Chapter 2 of the HFish user manual: https://hfish.net/#/2-0-deploy
Setup script
I use an Alibaba Cloud CentOS 8.2 server.
First, open ports 4433 and 4434 in the firewall:
firewall-cmd --add-port=4433/tcp --permanent # (used to serve the web interface)
firewall-cmd --add-port=4434/tcp --permanent # (used for communication between the nodes and the management end)
firewall-cmd --reload
If the machine has Internet access, run the following command as root:
bash <(curl -sS -L https://hfish.net/webinstall.sh)
If the machine has no Internet access, download the installation package first: https://hfish.cn-bj.ufileos.com/hfish-3.0.1-linux-amd64.tgz (Linux, x86 architecture, 64-bit system)
Then decompress it and run the installation file:
sudo ./install.sh
After installation, you can log in.
Login link: https://[ip]:4433/web/
Account: admin
Password: HFish2021
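The two --add-port commands above open 4433 and 4434 to every source, so on a public host the admin login page, with the default account shown above, is reachable from the whole Internet. As an added example (not part of the original post or of HFish's own tooling), this script prints firewalld rich rules that admit only a named admin address to 4433 and named node addresses to 4434; the function names and the sample addresses (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example: print firewalld commands that scope HFish's management ports
# by source address. Function names and sample addresses are assumptions.

# Accept only an IPv4 address or CIDR, so nothing else reaches a rule string.
valid_cidr() {
  case $1 in
    */*) vc_ip=${1%/*}; vc_len=${1#*/} ;;
    *)   vc_ip=$1; vc_len=32 ;;
  esac
  case $vc_len in ''|*[!0-9]*) return 1 ;; esac
  [ "$vc_len" -le 32 ] 2>/dev/null || return 1
  case $vc_ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  vc_ifs=$IFS; IFS=.; set -- $vc_ip; IFS=$vc_ifs
  [ $# -eq 4 ] || return 1
  for vc_o in "$@"; do [ "$vc_o" -le 255 ] 2>/dev/null || return 1; done
}

# Print one rich rule: $1 = port, $2 = allowed source.
hr_rule() {
  printf '%s\n' "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$2\" port port=\"$1\" protocol=\"tcp\" accept'"
}

# $1 = admin source for 4433 (web UI); remaining args = node sources for 4434.
hfish_rules() {
  [ $# -ge 1 ] || { echo "usage: hfish_rules ADMIN_SRC [NODE_SRC...]" >&2; return 1; }
  for hr_src in "$@"; do
    valid_cidr "$hr_src" || { echo "invalid source: $hr_src" >&2; return 1; }
  done
  hr_admin=$1; shift
  # Undo the open-to-all rules, then re-admit only the named sources.
  echo "firewall-cmd --permanent --remove-port=4433/tcp"
  echo "firewall-cmd --permanent --remove-port=4434/tcp"
  hr_rule 4433 "$hr_admin"
  for hr_src in "$@"; do hr_rule 4434 "$hr_src"; done
  echo "firewall-cmd --reload"
}

# Constructed sample run: prints the commands only, changes nothing.
hfish_rules 203.0.113.10 198.51.100.0/24
```

Review the printed commands, then run them as root on the management host. With no node sources given, 4434 is simply closed, which fits a setup that uses only the built-in node.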
Using the modules
Because my honeypot is on the public network, I already had two attack messages as soon as I logged in…
The following is a brief introduction to each module
Home page and screen
These show some overview information; they are a visualization of the data.
Attack list
This page displays, aggregates, searches, analyzes and exports the attack data captured by HFish honeypots.
The attack data displayed on this page includes:
- Name of the attacked honeypot
- Number of attacks
- Name of the attacked node
- Attack source IP and geographic location
- Threat Intelligence
- Last attack time
- Attack time
- Attack data length
- Attack details
Scan awareness
This page shows full-port scan probing of HFish honeypot nodes over the three protocols TCP, UDP and ICMP.
Compromise awareness
This uses honey bait to detect threats from compromised hosts. I don't understand it yet, so I'll skip it for now.
Attack sources
This page shows the IPs that tried to connect to and attack each node, along with each IP's past attack records.
Account assets
This page stores the account names and passwords that attackers entered in all HFish honeypot login interfaces.
Node management
HFish uses a B/S architecture. The system consists of a control end and node ends: the control end is used to generate and manage the node ends, and to receive, analyze and display the data returned by the nodes, while each node accepts control from the control end and is responsible for building the honeypot services.
By default, the management end is a built-in node. You can also add external nodes: after entering the node information, deploy the corresponding installation package on the node machine.
Service management
This page holds honeypot templates, which can be deployed on nodes.