
How to realize the homemade Honeypot based on docker

2025-04-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to build a homemade honeypot on top of Docker. Many people run into the same difficulties in practice, so follow along with the editor to see how to handle them; read carefully and you should get something out of it!

Repository of the captured samples:

https://github.com/yingshang/Legacy-of-intrusion.git

Repository of the honeypot itself:

https://github.com/yingshang/honeypot.git

I found that using Docker to build a honeypot is a good choice; compared with low-interaction and medium-interaction honeypot systems it is simply unbeatable. First of all, at least the security can be guaranteed: if someone manages to escape the container, that would itself be a CVE on the spot.

Let me talk about the architecture of the honeypot. Generally speaking, there are a huge number of scanners across the Internet: some brute-force services, some fire exploits at known vulnerabilities. So the first thing to consider is the payoff: I want attackers to compromise my honeypot quickly and leave traces of the attack, so that I can analyse them, trace the source, and then build an attack model.

So I chose ssh and mysql, set weak passwords, and let attackers brute-force their way in. A month ago I deployed the honeypot in several different regions, and to my surprise I caught the same attack sample in each of them on the same day. The pattern of attacks from the Internet is: brute-force with a tool, then after a successful login upload samples (mining programs, DDoS malware, self-replicating worms, and so on).

When I installed ssh, I made some changes to the source code so that the passwords tried by attackers are recorded:

Mar 29 10:57:09 85740b4003de sshd[120]: Username: root, Password: 123123
Mar 29 10:57:09 85740b4003de sshd[120]: Failed password for root from 174.138.56.93 port 45482 ssh3
Mar 29 10:57:09 85740b4003de sshd[120]: error: Received disconnect from 174.138.56.93: 11: Normal Shutdown Thank you for playing
Mar 29 10:57:23 85740b4003de sshd[121]: error: Received disconnect from 223.111.139.211: 11:
Mar 29 10:57:58 85740b4003de sshd[122]: error: Received disconnect from 222.186.30.71: 11:
Mar 29 10:58:49 85740b4003de sshd[123]: Invalid user ubuntu from 159.89.116.97
Mar 29 10:58:49 85740b4003de sshd[123]: input_userauth_request: invalid user ubuntu
Mar 29 10:58:49 85740b4003de sshd[123]: Username: ubuntu Password: ubuntu123
Mar 29 10:58:49 85740b4003de sshd[123]: error: Could not get shadow information for NOUSER
Mar 29 10:58:49 85740b4003de sshd[123]: Failed password for invalid user ubuntu from 159.89.116.97 port 57664 ssh3
Mar 29 10:58:49 85740b4003de sshd[123]: error: Received disconnect from 159.89.116.97: 11: Normal Shutdown Thank you for playing
Mar 29 11:02:07 85740b4003de sshd[124]: Invalid user oracle from 46.105.30.20
Mar 29 11:02:07 85740b4003de sshd[124]: input_userauth_request: invalid user oracle
Mar 29 11:02:07 85740b4003de sshd[124]: Username: oracle Password: qwe@123
Mar 29 11:02:07 85740b4003de sshd[124]: error: Could not get shadow information for NOUSER
Mar 29 11:02:07 85740b4003de sshd[124]: Failed password for invalid user oracle from 46.105.30.20 port 42954 ssh3
Mar 29 11:02:08 85740b4003de sshd[124]: error: Received disconnect from 46.105.30.20: 11: Normal Shutdown Thank you for playing
Mar 29 11:03:46 85740b4003de sshd[125]: Invalid user support from 103.120.226.12
Mar 29 11:03:46 85740b4003de sshd[125]: input_userauth_request: invalid user support
Mar 29 11:03:46 85740b4003de sshd[125]: Username: support Password: password
Mar 29 11:03:46 85740b4003de sshd[125]: error: Could not get shadow information for NOUSER
Mar 29 11:03:46 85740b4003de sshd[125]: Failed password for invalid user support from 103.120.226.12 port 48932 ssh3
Mar 29 11:03:46 85740b4003de sshd[125]: error: Received disconnect from 103.120.226.12: 11: Normal Shutdown, Thank you for playing
Mar 29 11:05:17 85740b4003de sshd[126]: error: Received disconnect from 36.156.24.94: 11:
Mar 29 11:06:15 85740b4003de sshd[127]: Username: root Password: uClinux
Mar 29 11:06:15 85740b4003de sshd[127]: Failed password for root from 95.189.253.93 port 59721 ssh3
Mar 29 11:06:16 85740b4003de sshd[127]: Username: root, Password: root
Mar 29 11:06:16 85740b4003de sshd[127]: Failed password for root from 95.189.253.93 port 59721 ssh3
Mar 29 11:06:16 85740b4003de sshd[127]: Username: root Password: system
Mar 29 11:06:16 85740b4003de sshd[127]: Failed password for root from 95.189.253.93 port 59721 ssh3
Mar 29 11:06:16 85740b4003de sshd[127]: Username: root, Password: 123456
Mar 29 11:06:16 85740b4003de sshd[127]: Accepted password for root from 95.1
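As an added example (not code from the original article or its repositories), here is a small parser for the patched sshd log format shown above. It pairs each recorded Username/Password line with the Accepted/Failed verdict that follows for the same sshd pid, then summarises attempts per source address, which is the first step toward the attack model the article is after. The sample lines are constructed for this example and use documentation-range IPs; the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed lines in the format of the patched sshd log above (documentation-range IPs).
SAMPLE_LOG = """\
Mar 29 10:57:09 85740b4003de sshd[120]: Username: root, Password: 123123
Mar 29 10:57:09 85740b4003de sshd[120]: Failed password for root from 198.51.100.7 port 45482 ssh2
Mar 29 10:58:49 85740b4003de sshd[123]: Invalid user ubuntu from 203.0.113.9
Mar 29 10:58:49 85740b4003de sshd[123]: Username: ubuntu Password: ubuntu123
Mar 29 10:58:49 85740b4003de sshd[123]: Failed password for invalid user ubuntu from 203.0.113.9 port 57664 ssh2
Mar 29 11:06:15 85740b4003de sshd[127]: Username: root Password: uClinux
Mar 29 11:06:15 85740b4003de sshd[127]: Failed password for root from 192.0.2.44 port 59721 ssh2
Mar 29 11:06:16 85740b4003de sshd[127]: Username: root, Password: 123456
Mar 29 11:06:16 85740b4003de sshd[127]: Accepted password for root from 192.0.2.44 port 59721 ssh2
"""

# The patched sshd writes "Username: X, Password: Y" (comma optional) before the verdict line.
CRED_RE = re.compile(r"sshd\[(\d+)\]: Username: (\S+?),? Password: (.*)$")
RESULT_RE = re.compile(
    r"sshd\[(\d+)\]: (Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+) port (\d+)")


def parse_attempts(text):
    """Pair each Username/Password line with the Accepted/Failed verdict that follows
    for the same sshd pid. Returns one dict per login attempt."""
    pending = {}   # pid -> (user, password) waiting for its verdict line
    attempts = []
    for line in text.splitlines():
        m = CRED_RE.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3).strip())
            continue
        m = RESULT_RE.search(line)
        if m:
            pid, verdict, user, ip, port = m.groups()
            recorded_user, password = pending.pop(pid, (user, None))
            attempts.append({"pid": pid, "ip": ip, "port": int(port), "user": recorded_user,
                             "password": password, "success": verdict == "Accepted"})
    return attempts


def summarize_by_ip(attempts):
    """Per source IP: number of attempts, usernames tried, and the credential that worked (if any)."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "success": None})
    for a in attempts:
        entry = summary[a["ip"]]
        entry["attempts"] += 1
        entry["users"].add(a["user"])
        if a["success"]:
            entry["success"] = (a["user"], a["password"])
    return dict(summary)


def top_passwords(attempts, n=3):
    """Most-tried passwords across all sources, i.e. the list to test your own exposed accounts against."""
    return Counter(a["password"] for a in attempts if a["password"] is not None).most_common(n)


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    for ip, s in summarize_by_ip(found).items():
        print(ip, s["attempts"], sorted(s["users"]), s["success"])
    print(top_passwords(found))
```

Running it over a real honeypot log gives, per source, how many guesses were needed before the weak password was hit, which is exactly the signal the article wants to feed into its attack model.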

I also planted a hook on the shell history, so that every login writes its command history to a file named by user, source IP and login time:

# Shell history trap: meant to run at login (e.g. from the shell profile) and point the
# history file at a directory named after the user and the source IP of the session.
PS1="`whoami`@`hostname`:"'[$PWD]'
history
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
if [ ! -d /usr/operation ]
then
mkdir /usr/operation
chmod 777 /usr/operation
fi
if [ ! -d /usr/operation/${LOGNAME} ]
then
mkdir /usr/operation/${LOGNAME}
chmod 300 /usr/operation/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date "+%Y-%m-%d_%H:%M:%S"`
if [ ! -d /usr/operation/${LOGNAME}/${USER_IP} ]
then
mkdir /usr/operation/${LOGNAME}/${USER_IP}
chmod 300 /usr/operation/${LOGNAME}/${USER_IP}
fi
# one history file per login, named by the login timestamp
export HISTFILE="/usr/operation/${LOGNAME}/${USER_IP}/$DT"
chmod 600 /usr/operation/${LOGNAME}/${USER_IP}/* 2>/dev/null

Operation log (the commands an attacker ran, as recorded by the hook):

root@85740b4003de:/# cd /usr/operation/root/185.234.217.217/
root@85740b4003de:/usr/operation/root/185.234.217.217# ls
2019-03-29_11:06:19
root@85740b4003de:/usr/operation/root/185.234.217.217# cat 2019-03-29_11\:06\:19
/gisdfoewrsfdf
sudo /bin/sh
root@85740b4003de:/usr/operation/root/185.234.217.217#

Then in the Dockerfile I set the passwords for ssh and mysql to 123456. I did not turn on mysql logging, mainly out of laziness; I will get to it when I have time.

In fact, at the beginning that was all there was, because the attacker's commands would be recorded through the shell history. But I later found I had been too naive: an attacker who comes in over ssh with a script, rather than an interactive shell, leaves no history at all. So I improved it by simply monitoring file-system changes globally. I thought about using OSSEC, but found it too cumbersome, so I wrote a monitoring script in Python to watch the attacker's behaviour and save the attack samples.

import os
import datetime
import pyinotify
import logging
import shutil
import random
import hashlib
import string
import sys

# directory that receives the captured samples (must exist; it is the bind-mounted record volume)
path = "/usr/share/record/file/"


def mylog():
    # create a logger
    log = logging.getLogger("test_logger")
    log.setLevel(logging.INFO)
    # create a log handler; the path and file name must be spelled out correctly,
    # they are joined into a string from which the log file is created
    logHandler = logging.FileHandler(filename="/usr/share/record/error.log")
    # set the log level
    logHandler.setLevel(logging.INFO)
    # create a log formatter
    formats = logging.Formatter('%(asctime)s %(levelname)s: %(message)s',
                                datefmt='[%Y/%m/%d %I:%M:%S]')
    # add the formatter to the handler
    logHandler.setFormatter(formats)
    # add the handler to the logger
    log.addHandler(logHandler)
    return log


def GetFileMd5(filename):
    # MD5 of a file, read in chunks; None if the path is not a regular file
    if not os.path.isfile(filename):
        return
    myhash = hashlib.md5()
    f = open(filename, 'rb')
    while True:
        b = f.read(8096)
        if not b:
            break
        myhash.update(b)
    f.close()
    return myhash.hexdigest()


def filecp(source, name, type):
    # copy the touched file into path/<YYYYmmdd>/<HH>/ unless an identical copy is already archived
    day_name = path + datetime.datetime.now().strftime('%Y%m%d')
    hour_name = day_name + '/' + datetime.datetime.now().strftime('%H')
    if not os.path.exists(day_name):
        os.mkdir(day_name)
    if not os.path.exists(hour_name):
        os.mkdir(hour_name)
    try:
        source_md5 = GetFileMd5(source)
        status = 0
        # deduplicate by walking everything archived so far and comparing digests
        for root, dirs, files in os.walk(path, topdown=False):
            for i in files:
                file_md5 = GetFileMd5(os.path.join(root, i))
                if file_md5 == source_md5:
                    status = 1
        if status == 0:
            fsize = int(os.path.getsize(source))
            if fsize != 0:
                now = datetime.datetime.now().strftime("%M%S")
                token = ''.join(random.sample(string.ascii_letters + string.digits, 8))
                shutil.copy(source, hour_name + '/' + name + "_" + token + "_" + now + "_" + type)
    except FileNotFoundError:
        # the attacker removed the file before we could copy it
        pass
    except OSError:
        pass


class MyEventHandler(pyinotify.ProcessEvent):
    logging.basicConfig(level=logging.INFO, filename='/usr/share/record/monitor.log')
    logging.info("Starting monitor...")

    def process_IN_ACCESS(self, event):
        print("ACCESS event:", event.pathname)
        logging.info("ACCESS event: %s %s" % (os.path.join(event.path, event.name), datetime.datetime.now()))

    def process_IN_ATTRIB(self, event):
        print("ATTRIB event:", event.pathname)
        logging.info("IN_ATTRIB event: %s %s" % (os.path.join(event.path, event.name), datetime.datetime.now()))
        # filecp(source=os.path.join(event.path, event.name), name=event.name, type="ATTRIB")

    # def process_IN_CLOSE_NOWRITE(self, event):
    #     print("CLOSE_NOWRITE event:", event.pathname)
    #     logging.info("CLOSE_NOWRITE event: %s %s" % (os.path.join(event.path, event.name), datetime.datetime.now()))

    # def process_IN_CLOSE_WRITE(self, event):
    #     print("CLOSE_WRITE event:", event.pathname)
    #     logging.info("CLOSE_WRITE event: %s %s" % (os.path.join(event.path, event.name), datetime.datetime.now()))
    #     filecp(source=os.path.join(event.path, event.name), name=event.name, type="CLOSE_WRITE")

    def process_IN_CREATE(self, event):
        print("CREATE event:", event.pathname)
        logging.info("CREATE event: %s %s" % (os.path.join(event.path, event.name), datetime.datetime.now()))
        filecp(source=os.path.join(event.path, event.name), name=event.name, type="CREATE")

    def process_IN_DELETE(self, event):
        print("DELETE event:", event.pathname)
        logging.info("DELETE event: %s %s" % (os.path.join(event.path, event.name), datetime.datetime.now()))
        # filecp(source=os.path.join(event.path, event.name), name=event.name, type="DELETE")

    def process_IN_MODIFY(self, event):
        print("MODIFY event:", event.pathname)
        logging.info("MODIFY event: %s %s" % (os.path.join(event.path, event.name), datetime.datetime.now()))
        if event.name != "null":
            filecp(source=os.path.join(event.path, event.name), name=event.name, type="MODIFY")

    def process_IN_OPEN(self, event):
        print("OPEN event:", event.pathname)
        logging.info("OPEN event: %s %s" % (os.path.join(event.path, event.name), datetime.datetime.now()))


def main():
    # watch manager: recursive watch on /tmp, excluding our own record directory and /var/log
    excl_list = ['/usr/share/record', '/var/log', ]
    excl = pyinotify.ExcludeFilter(excl_list)
    wm = pyinotify.WatchManager()
    wm.add_watch('/tmp', pyinotify.ALL_EVENTS, rec=True, exclude_filter=excl)
    eh = MyEventHandler()
    # notifier
    logger = mylog()
    try:
        notifier = pyinotify.Notifier(wm, eh)
        notifier.loop()
    except Exception:
        logger.exception(sys.exc_info())
        logger.info("Error in log")


if __name__ == '__main__':
    main()
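The script above re-hashes every archived file on each event and hashes the source before copying it, so a dropper that the attacker rewrites or unlinks right after running it can be lost, or archived under a digest that no longer matches its content. As an added example (my own code, not the article's or the repository's), here is an alternative capture routine with an in-memory hash index that copies first and hashes the copy. `SampleStore`, `run_demo` and the archive naming scheme are hypothetical names chosen for this example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime


class SampleStore:
    """Archive of files dropped on the watched path: one copy per distinct content.
    (Hypothetical replacement for the article's filecp(); the names are my own.)"""

    def __init__(self, archive_dir):
        self.archive_dir = archive_dir
        os.makedirs(archive_dir, exist_ok=True)
        self.index = {}  # sha256 hex digest -> archived path
        # Rebuild the index from an existing archive so a restart does not re-copy old samples.
        for root, _dirs, files in os.walk(archive_dir):
            for name in files:
                if name.startswith(".partial_"):
                    continue
                full = os.path.join(root, name)
                self.index.setdefault(self._sha256(full), full)

    @staticmethod
    def _sha256(path):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        return digest.hexdigest()

    def capture(self, source, event_type):
        """Copy `source` into the archive. Returns the archived path, or None when the
        file vanished before it could be read, is empty, or duplicates an archived sample."""
        now = datetime.now()
        hour_dir = os.path.join(self.archive_dir, now.strftime("%Y%m%d"), now.strftime("%H"))
        os.makedirs(hour_dir, exist_ok=True)
        # Copy first and hash the copy: the attacker may rewrite or unlink the source at any
        # moment, and hashing the source first would leave an archived file that does not
        # match the digest it was deduplicated on.
        fd, partial = tempfile.mkstemp(dir=hour_dir, prefix=".partial_")
        os.close(fd)
        try:
            shutil.copyfile(source, partial)
        except OSError:            # FileNotFoundError, PermissionError, ...: the race was lost
            os.unlink(partial)
            return None
        if os.path.getsize(partial) == 0:
            os.unlink(partial)
            return None
        digest = self._sha256(partial)
        if digest in self.index:
            os.unlink(partial)
            return None
        final = os.path.join(hour_dir, "%s_%s_%s_%s" % (
            os.path.basename(source), digest[:12], now.strftime("%H%M%S"), event_type))
        os.replace(partial, final)
        self.index[digest] = final
        return final


def run_demo():
    """Exercise the store on constructed files in a temporary directory; returns outcome flags."""
    work = tempfile.mkdtemp()
    archive = os.path.join(work, "archive")
    store = SampleStore(archive)
    dropper = os.path.join(work, "knrm")           # constructed stand-in for a dropped file
    with open(dropper, "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed sample\n")
    first = store.capture(dropper, "CREATE")
    second = store.capture(dropper, "MODIFY")      # same bytes -> deduplicated
    empty = os.path.join(work, "empty")
    open(empty, "wb").close()
    restarted = SampleStore(archive)               # index rebuilt from what is on disk
    return {
        "archived": first is not None and os.path.isfile(first),
        "duplicate_skipped": second is None,
        "empty_skipped": store.capture(empty, "CREATE") is None,
        "vanished_skipped": store.capture(os.path.join(work, "gone"), "CREATE") is None,
        "survives_restart": restarted.capture(dropper, "CREATE") is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Hooking `SampleStore.capture` into the CREATE and MODIFY handlers above is a one-line change per handler; the index makes each event O(1) instead of a walk over the whole archive, and the copy-then-hash order is what keeps the archived sample and its digest consistent when the attacker is deleting files under you.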

The following is the monitor's log:

INFO:root:OPEN event: /tmp/hsperfdata_root 2019-03-25 06:27:05.780024
INFO:root:ACCESS event: /tmp/hsperfdata_root 2019-03-25 06:27:05.780818
INFO:root:CREATE event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:45.775160
INFO:root:OPEN event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:45.935427
INFO:root:MODIFY event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:46.179364
INFO:root:OPEN event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:46.357906
INFO:root:ACCESS event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:46.358347
INFO:root:OPEN event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:46.358630
INFO:root:ACCESS event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:46.358835
INFO:root:OPEN event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:47.577594
INFO:root:ACCESS event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:47.578082
INFO:root:ACCESS event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:47.578376
INFO:root:DELETE event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:48.699488
INFO:root:CREATE event: /tmp/knrm 2019-03-25 12:07:50.316929
INFO:root:OPEN event: /tmp/knrm 2019-03-25 12:07:50.317885
INFO:root:OPEN event: /tmp/knrm 2019-03-25 12:07:50.318216
INFO:root:MODIFY event: /tmp/knrm 2019-03-25 12:07:51.220061
INFO:root:OPEN event: /tmp/knrm 2019-03-25 12:07:51.221799
INFO:root:ACCESS event: /tmp/knrm 2019-03-25 12:07:51.221942
INFO:root:OPEN event: /tmp/knrm 2019-03-25 12:07:51.222171
INFO:root:ACCESS event: /tmp/knrm 2019-03-25 12:07:51.222359
INFO:root:MODIFY event: /tmp/knrm 2019-03-25 12:07:51.446485
INFO:root:OPEN event: /tmp/knrm 2019-03-25 12:07:51.448138
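To show what this inotify log actually tells you, here is an added analysis script (my own, not part of the article) that rebuilds each file's lifetime from CREATE to DELETE. The embedded excerpt is taken from the log above; the function names are mine. It shows the first dropped file lived for under three seconds before being removed, which is why the monitor copies on CREATE and MODIFY rather than on a later sweep of /tmp.

```python
import re
from datetime import datetime

# Excerpt of the monitor log shown above (a subset of the lines, copied verbatim).
MONITOR_LOG = """\
INFO:root:CREATE event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:45.775160
INFO:root:OPEN event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:45.935427
INFO:root:MODIFY event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:46.179364
INFO:root:OPEN event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:47.577594
INFO:root:DELETE event: /tmp/2tk8gg28p1pkzsc4i088gdu4zl 2019-03-25 12:07:48.699488
INFO:root:CREATE event: /tmp/knrm 2019-03-25 12:07:50.316929
INFO:root:MODIFY event: /tmp/knrm 2019-03-25 12:07:51.220061
INFO:root:OPEN event: /tmp/knrm 2019-03-25 12:07:51.448138
"""

# One line per inotify event: "<KIND> event: <path> <timestamp with microseconds>"
LINE_RE = re.compile(r"^INFO:root:(\w+) event: (\S+) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)$")


def parse_monitor_log(text):
    """Return a list of (kind, path, datetime) tuples in log order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, path, ts = m.groups()
        events.append((kind, path, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")))
    return events


def file_lifetimes(events):
    """Per path: creation time, deletion time (None if still present), seconds alive and
    the ordered event sequence. A file seen before its CREATE counts from its first event."""
    info = {}
    for kind, path, ts in events:
        rec = info.setdefault(path, {"created": ts, "deleted": None, "sequence": []})
        rec["sequence"].append(kind)
        if kind == "CREATE":
            rec["created"] = ts
        elif kind == "DELETE":
            rec["deleted"] = ts
    for rec in info.values():
        end = rec["deleted"]
        rec["lifetime_s"] = (end - rec["created"]).total_seconds() if end else None
    return info


def short_lived(info, max_seconds=5.0):
    """Paths removed within max_seconds of creation: the signature of a stager that is run and unlinked."""
    return sorted(p for p, r in info.items()
                  if r["lifetime_s"] is not None and r["lifetime_s"] <= max_seconds)


if __name__ == "__main__":
    lifetimes = file_lifetimes(parse_monitor_log(MONITOR_LOG))
    for path, rec in lifetimes.items():
        print(path, rec["lifetime_s"], " -> ".join(rec["sequence"]))
    print("short-lived:", short_lived(lifetimes))
```

The same routine over a day of monitor logs gives a list of paths that were written and removed within seconds; if any of those is missing from the sample archive, the capture path lost the race and needs to be made cheaper, as the MD5 walk in the script above is the obvious cost.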

Next, build the image:

docker build -t hon .

Run the honeypot (the record directory is bind-mounted so captured logs and samples land on the host):

docker run -d -v /record:/usr/share/record -p 22:22 hon

Then wait for attackers to come; generally a 512 MB VPS is enough to run it.

There are a few ideas I have not implemented yet and will write up when I have time. One is to ship the honeypot logs to the physical host in real time and send an email alert if they are deleted or changed in any way. The other is to monitor traffic: one of my VPSes I did not keep an eye on, and the malware simply burned through all of my traffic quota.

This concludes "how to realize the homemade honeypot based on docker". Thank you for reading. If you want to learn more about the industry, follow the website; the editor will keep publishing high-quality practical articles for you!
