OK, so I am just getting started with this, so I’m not pretending to be an expert. I have no doubt some of you are going to say, “Hey stupid, it’s easier if you…” and I’m fine with that. I’m doing this as a learning experience and to keep from getting (too) rusty on the tech side. Besides, it’s fascinating.
What is it?
MHN stands for Modern Honey Network. It’s a pretty cool way to deploy and track many different types of honeypots. The software and description are located HERE
Well, it’s not horribly tough actually. You need a Linux/Unix machine or VM and some time. According to the Git page, Ubuntu 220.127.116.11 x86_64 and Centos 6.7 are supported. I am running it on an Ubuntu 14 LTS x64 and it seems fine so far.
I’m not going to get in to the how-to install as that is already documented on the Git site, but I will share some tips and observations so far.
Number 1: You need a “server”. This will run the MHN server side. Overhead seems pretty low, so you don’t need a beast. Keep in mind that if you are putting sensors outside of your network, you will need to have ports 80 and 10000 open between the server and sensor(s). Port 80 can be closed when you are not doing installs, but will need to be open to the server during deployments as they use a WGET function from the server to dl the packages. Port 10000 needs to be open all the time to get reports from the honeypots. I have a NAT rule set up for port 80 in Pfsense that I enable when I’m deploying and disable when I’m not. So far so good.
Number 2: You need hardware or VM sensors. My first sensors were just VMs. I made a secondary network (192.168.2.x) and locked down almost all comms to my .1.x network to reduce the chance of things getting in the door on my real network. Only port 10000 can pass traffic between the .1 and .2 subnets. It still feels weird inviting in the bad guys, but I feel pretty safe. These sensors run Kippo and WordPot. My 3rd sensor was just deployed on a cheap server I got from CloudAtCost.com. It was a $17.50 fee and I own it forever, nothing recurring. It’s low power (1 CPU, 512MB RAM, 10GB SSD), but it seems fine for what it’s doing. (If you sign up for one of these, please contact me and I’ll give you my email address and I can get another server free). This one started getting traffic almost immediately. I installed Dionaea and Snort on this one, and it’s been lighting up pretty good.
Number 3: Deploy the software. It’s pretty easy, you go to the “Deploy” tab in MHN and it gives you a script to run on the sensor (an OS must be installed already). Make sure the IPs look good (should be the IP your sensor will use to hit the MHN server) and let it rip. One thing I found is, if it fails, make sure you run ‘apt-get update’ and try again. Once this is done, it should show up in the sensors section of the MHN webpage and it should start reporting shortly.
I’ll keep reporting progress as I play around
Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere.