Setup a honeypot

lhmerino edited this page Sep 29, 2019 · 37 revisions

What we will utilize:

  • A public IP address (globally routable)
  • The "UMD Network" Network Switch
  • The Proxmox Host VM
  • A private IP address
  • A high port (1024 - 65535) for the MITM

How everything is interconnected:

  • The "UMD Network" will provide the public IP address
  • The "Proxmox Host VM" has a network interface connected to the "UMD Network"
  • The private IP address must be within the range of the Proxmox Host VM's bridge network

Instructions (on the Proxmox Host VM):

  • Follow the instructions here before you get started
  • pveam update
    • Updates the list of container templates from proxmox
  • pveam available
    • Shows all of the possible container templates
  • pveam download local <template>
    • Downloads the container OS template that you specify
  • pct create 101 /var/lib/vz/template/cache/<template> --storage local-lvm --net0 name=eth0,ip=<private ip>/<netmask>,bridge=vmbr0,gw=<bridge ip address> --cores 1 --memory 4096 --swap 0
    • The arguments presented are the bare minimum for honeypot use
    • If you previously had the honeypots built, it is preferable to destroy them and re-create them to make sure no issues show up.
    • By default, the private network is 172.20.0.0/16. You must use an assignable IP address within this range: this address will be considered the "private ip"
    • By default, the "bridge ip address" is 172.20.0.1 which can be determined by executing ifconfig vmbr0
    • By changing the argument for cores, you can allocate more or less CPU units to a container
    • By changing the argument for memory, you can allocate more or less RAM to a container
    • You may want to look into --hostname. See more info here
    • You may not change the argument for swap
  • pct start 101
    • Starts the container 101
  • iptables -t nat -A PREROUTING -d <public ip> -j DNAT --to-destination <private ip>
    • Rewrites all incoming packets that have the destination IP as the "public ip" to the "private ip"
  • iptables -t nat -A POSTROUTING -s <private ip> -j SNAT --to-source <public ip>
    • Rewrites all the outgoing packets that have the source IP as the "private ip" to the "public ip"
  • If you are not using the MITM, then you are done at this step; your honeypot is directly accessible from the Internet. If you are using the MITM, then please continue.
  • iptables -t nat -I PREROUTING 1 -d <public ip> -p tcp --dport 22 -j DNAT --to-destination <bridge ip address>:<high port>
    • The high port must be the port that the MITM will be listening on
  • See the MITM documentation to execute the MITM
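The NAT steps above, as an added example (not part of this wiki, nor of the project's own scripts): a small bash script that builds the three iptables commands from one set of variables, checks that the private IP lies in the default 172.20.0.0/16 bridge network and that the MITM port is a high port, and verifies from `iptables -t nat -L PREROUTING -n` output that the port-22 redirect sits before the catch-all DNAT. The public IP, private IP and port values are constructed placeholders; the sample rule listing is constructed as well.

```bash
#!/usr/bin/env bash
# Added example: generate and sanity-check the honeypot NAT rules before applying them.
PUBLIC_IP="203.0.113.10"   # constructed placeholder for the public (UMD Network) address
PRIVATE_IP="172.20.0.50"   # constructed; must be inside the default bridge net 172.20.0.0/16
BRIDGE_IP="172.20.0.1"     # default vmbr0 address given on the page
HIGH_PORT="2222"           # constructed; the port the MITM listens on (1024-65535)

# Constructed sample of 'iptables -t nat -L PREROUTING -n' after the rules are applied.
SAMPLE_NAT='DNAT  tcp  --  0.0.0.0/0  203.0.113.10  tcp dpt:22 to:172.20.0.1:2222
DNAT  all  --  0.0.0.0/0  203.0.113.10  to:172.20.0.50'

# 0 if the address is inside 172.20.0.0/16 (the default Proxmox bridge network).
in_bridge_net() {
    case "$1" in
        172.20.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the port is a usable high port for the MITM listener.
is_high_port() {
    [ "$1" -ge 1024 ] 2>/dev/null && [ "$1" -le 65535 ]
}

# Prints the three iptables commands from the page, in the order the page gives them.
# The port-22 rule uses '-I PREROUTING 1' so it is matched before the catch-all DNAT.
nat_rules() {
    in_bridge_net "$PRIVATE_IP" || { echo "private ip not in 172.20.0.0/16" >&2; return 1; }
    is_high_port "$HIGH_PORT" || { echo "high port must be 1024-65535" >&2; return 1; }
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -d $PUBLIC_IP -j DNAT --to-destination $PRIVATE_IP" \
      "iptables -t nat -A POSTROUTING -s $PRIVATE_IP -j SNAT --to-source $PUBLIC_IP" \
      "iptables -t nat -I PREROUTING 1 -d $PUBLIC_IP -p tcp --dport 22 -j DNAT --to-destination $BRIDGE_IP:$HIGH_PORT"
}

# Reads PREROUTING listing on stdin; 0 only if the dpt:22 redirect for PUBLIC_IP is
# listed before the catch-all DNAT for PUBLIC_IP (otherwise SSH bypasses the MITM).
mitm_rule_first() {
    awk -v pub="$PUBLIC_IP" '
        /DNAT/ && $0 ~ pub && /dpt:22/ { if (!seen_all) ok = 1 }
        /DNAT/ && $0 ~ pub && !/dpt:22/ { seen_all = 1 }
        END { exit ok ? 0 : 1 }'
}

# Stand-alone demonstration: print the rules and check the constructed listing.
nat_rules
printf '%s\n' "$SAMPLE_NAT" | mitm_rule_first && echo "MITM rule precedes catch-all DNAT"
```

Run the real check on the host with `iptables -t nat -L PREROUTING -n | bash -c '. ./honeypot_nat.sh; mitm_rule_first'` only after the rules have been applied.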

Testing:

  • From outside the Proxmox Host VM, use ping <public ip> to make sure the public IP reaches the Proxmox Host VM.
  • Use ip addr to look at the public IP addresses that are attached to the UMD Network interface
  • Use iptables -t nat -L -n -v to see the current firewall NAT (Network Address Translation) rules