
How to create and deploy honeypots in Kubernetes

2025-03-13 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to create and deploy honeypots in Kubernetes.

A brief introduction to honeypots

A honeypot is a network security mechanism used to detect and counter hacker attacks. It is a decoy placed inside the network, disguised as a sensitive asset or a network vulnerability. When an attacker tries to access this bogus confidential data, the honeypot records the activity and sends a notification. Honeypots also collect and analyze data about hacker attacks.

There are two types of honeypot configurations:

1. Production honeypots are mainly used by companies. They improve the security of enterprise systems and protect only the data that hackers are most likely to access. Production honeypots are easier to deploy and maintain because they are mainly used to distract attackers.

2. Research honeypots are mainly used by cyber security researchers, government and military organizations. The goal of a research honeypot is not to stop hackers, but to study new threats and attack patterns.

We can also divide honeypots into:

Low-interaction honeypots, which replicate only the most commonly attacked services.

High-interaction honeypots, which replicate all system services.

Pure honeypots, which are a complete copy of the production system and do not contain any sensitive data.

Before deploying the honeypot, let's review the Kubernetes elements we need to use in this tutorial.

Basic Kubernetes elements

Kubernetes is an open source system for managing containerized applications across multiple hosts in a cloud platform. In a previous article, we studied and discussed its architecture and functionality in detail. It contains a large number of built-in tools. In this tutorial, we will use only the following four components:

Pod - the basic Kubernetes unit, which models a host for containers and creates the environment in which the containers run.

Cluster - a set of nodes that run containerized applications.

ReplicaSet - a replica controller that ensures that the required number of containers is running at any given time. The ReplicaSet definition has several fields that describe the type and number of Pods this controller should maintain, as well as the template used to create new Pods.

Deployment - the controller responsible for declarative updates to Pods and ReplicaSets. You describe the desired state in the Deployment, and the controller maintains it for these two entities.

Despite its rich feature set, Kubernetes is simple to use. It allows you to work with high-level entities (such as Deployments and StatefulSets) without having to interact directly with Pods.

Kubernetes clusters are managed using the dashboard or the command-line tool kubectl. In this article, we use kubectl to deploy the honeypot system in a Kubernetes cluster and collect data about the current state of the infrastructure.

Deploying honeypots in Kubernetes

Having learned the basics of honeypots and Kubernetes, let's start creating honeypot systems in the Kubernetes cluster.

Define protected boundaries:

Let's start building honeypots by defining the resources we want to protect. The Kubernetes documentation contains examples of WordPress and MySQL deployments. We can use the application and deployment files in this example. Suppose our Kubernetes network contains sensitive data that we want to protect.

Create a MySQL honeypot:

We need to choose a way to protect the sensitive data. The best way is to create a decoy MySQL service.

To do this, we need a MySQL honeypot. In our tutorial, we will use this low-interaction honeypot example, but you can use any other template you like.

Before we begin, we must make sure that the sample honeypot works properly. Let's download the repository:

> git clone https://github.com/skyformat99/mysql-honeypotd ./honeypot

Then we need to install the dependencies described in the documentation:

> apt-get install libev-dev

Compile the project:

> make

If the build does not return any errors, we can start the project:

> ./mysql-honeypotd -s 5.6 -n mysql-replica

After the command is executed, the MySQL honeypot will start and run. Now we need to connect to it using the following command:

> mysql -u root -h [host-IP]

ERROR 1045 (28000): Access denied for user 'user'@'ip'

The honeypot responded to our request, which means that the honeypot is ready. Let's take a look at its log:

mysql-replica: New connection from IP:PORT to host-IP
mysql-replica: Access denied for user 'user' from IP:PORT to host-IP:3306
mysql-replica: Closing connection for IP:PORT

The record indicates that everything is fine with our honeypot. The next step is to add the honeypot to the Kubernetes cluster.

Create a honeypot Docker image:

Before starting our honeypot in the Kubernetes cluster, we need to create a Docker image. We will use it later to start the Pod.

You can create a Docker image by following four simple steps:

1. Select a base image (in our example, we will use Ubuntu 14.04).

2. Set up a working directory and copy the honeypot to that directory.

3. Install the dependencies.

4. Set the entry point.

All of these steps need to be written in the Dockerfile:

FROM ubuntu:14.04
WORKDIR /tmp/honeymsql
COPY . ./
RUN apt-get update
RUN apt-get install -y libev-dev
ENTRYPOINT ["./mysql-honeypotd"]

Now we need to create a Docker image:

> docker build -f ./Dockerfile -t mysql-honeypot:1 .

After the build is complete, our local Docker image is ready to use. To create a Pod, we must upload the Docker image to Docker Hub:

> docker push dockerID/repositoryName

At this point, we have created a MySQL honeypot in Pod.

Add the honeypot to Kubernetes:

The desired state of the Pod is maintained by the Deployment object we discussed earlier. Before we can start the deployment, we need to create a YAML file. Based on this file, the Deployment automatically controls the state of the Pod. If necessary, we can run multiple honeypots using a ReplicaSet.

To write the YAML file, you can refer to the Kubernetes documentation. The manifest for our project is as follows:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mysql-replica
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mysql-replica
    spec:
      containers:
      - name: mysql-replica
        image: dockerID/repo:tag
        imagePullPolicy: Always
        args: ["-s 5.6"]
        securityContext:
          privileged: true

Note two lines in this manifest:

image: dockerID/repo:tag

This line refers to the Docker image we created earlier, which is used to build the Pod. Note that if you use a private repository, you need to create an additional Secret object that stores the access token for the image repository.

args: ["-s 5.6"]

This line defines the parameters of the application we start. We could define them in the entry point when we create the Docker image. However, that method does not allow the parameters to be changed without rebuilding the image.

Declaring parameters when creating a Pod makes the process of setting up the application more flexible.
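A pre-deployment check for the manifest above, as an added example that is not part of the original article: it reads a Deployment manifest as JSON (which kubectl accepts alongside YAML) and reports settings that matter for a Pod that is meant to be attacked, such as privileged: true. The function name audit_deployment and the choice of checks are assumptions of this example; the embedded manifest is the article's own, re-expressed as JSON.

```python
import json

# Constructed input: the article's Deployment manifest expressed as JSON
# (kubectl accepts JSON manifests as well as YAML).
ARTICLE_MANIFEST = json.loads("""
{"apiVersion": "extensions/v1beta1", "kind": "Deployment",
 "metadata": {"name": "mysql-replica"},
 "spec": {"replicas": 1, "template": {
   "metadata": {"labels": {"app": "mysql-replica"}},
   "spec": {"containers": [{
     "name": "mysql-replica", "image": "dockerID/repo:tag",
     "imagePullPolicy": "Always", "args": ["-s 5.6"],
     "securityContext": {"privileged": true}}]}}}}
""")

def audit_deployment(manifest):
    """Return a list of (location, finding) tuples for a Deployment manifest."""
    findings = []
    if manifest.get("apiVersion") != "apps/v1":
        findings.append(("apiVersion", "not apps/v1; older Deployment API "
                         "groups are not served by Kubernetes 1.16+"))
    spec = manifest.get("spec", {})
    if "selector" not in spec:
        findings.append(("spec.selector", "missing; apps/v1 requires it"))
    pod = spec.get("template", {}).get("spec", {})
    if pod.get("hostNetwork") or pod.get("hostPID"):
        findings.append(("pod", "shares the host network or PID namespace"))
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        where = "container/" + c.get("name", "?")
        if sc.get("privileged"):
            findings.append((where, "privileged: true removes most isolation "
                             "between the container and the node"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((where, "allowPrivilegeEscalation is not false"))
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append((where, "capabilities are not dropped"))
    return findings

if __name__ == "__main__":
    for where, finding in audit_deployment(ARTICLE_MANIFEST):
        print(f"{where}: {finding}")
```

Port 3306 is not a privileged port, so listening on it does not by itself require a privileged container; whether the honeypot binary runs with every finding cleared is an assumption to verify in a test cluster.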

Let's save the file and create a Deployment resource:

> kubectl create -f honeypot-deployment.yaml

Now, we need to check the status of the Pod:

> kubectl get pods

mysql-replica-5895cb77dd-9ltrr   1/1   Running   0   2m

Use the following command to see if the honeypot is working as expected:

> mysql -u root -h [POD-IP]

ERROR 1045 (28000): Access denied for user 'user'@'ip'

Finally, let's take a look at the honeypot log:

> kubectl logs mysql-replica-5895cb77dd-9ltrr

mysql-honeypotd[1]: New connection from IP:PORT to [POD-IP]:3306
mysql-honeypotd[1]: Access denied for user 'user' from IP:PORT to POD-IP:3306
mysql-honeypotd[1]: Closing connection for IP:PORT
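One way to turn the honeypot log shown above into per-source alerts, as an added example that is not part of the original article or of the mysql-honeypotd project: it parses the three message types from the log excerpts and grades each source address. The function name summarize, the threshold and the severity labels are assumptions of this example, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Message formats taken from the article's log excerpts. The syslog-style
# prefix is ignored and IPv4 sources are assumed.
IP = r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
CONNECT = re.compile(rf"New connection from {IP}:\d+ to ")
DENIED = re.compile(rf"Access denied for user '(?P<user>[^']*)' from {IP}:\d+ to ")

# Constructed sample in the article's format (documentation address ranges).
SAMPLE = """\
mysql-honeypotd[1]: New connection from 198.51.100.7:40112 to 10.1.0.9:3306
mysql-honeypotd[1]: Access denied for user 'root' from 198.51.100.7:40112 to 10.1.0.9:3306
mysql-honeypotd[1]: Closing connection for 198.51.100.7:40112
mysql-honeypotd[1]: New connection from 198.51.100.7:40113 to 10.1.0.9:3306
mysql-honeypotd[1]: Access denied for user 'admin' from 198.51.100.7:40113 to 10.1.0.9:3306
mysql-honeypotd[1]: Closing connection for 198.51.100.7:40113
mysql-replica: New connection from 192.0.2.44:51000 to 10.1.0.9
mysql-replica: Closing connection for 192.0.2.44:51000
"""

def summarize(lines, threshold=3):
    """Group honeypot events by source IP and grade each source."""
    stats = defaultdict(lambda: {"connections": 0, "denied": 0, "users": set()})
    for line in lines:
        if m := CONNECT.search(line):
            stats[m["src"]]["connections"] += 1
        elif m := DENIED.search(line):
            stats[m["src"]]["denied"] += 1
            stats[m["src"]]["users"].add(m["user"])
    report = {}
    for src, e in stats.items():
        # Any contact with a decoy is worth an alert. Repeated failures or
        # several usernames from one source indicate password guessing,
        # not a single connection probe.
        guessing = e["denied"] >= threshold or len(e["users"]) > 1
        report[src] = {**e, "users": sorted(e["users"]),
                       "severity": "guessing" if guessing else "probe"}
    return report

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE.splitlines()).items():
        print(src, entry)
```

On a cluster, the input would be the lines returned by kubectl logs for the honeypot Pod.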
