tnich/honssh

Working with multiple honeypots behind honssh


Hi, 

This is not a problem, just a request for advice.
What would be my best option to work with multiple honeypots behind one honssh 
gateway? Can I enter several IP addresses in the honssh config file?

Thank you.


Original issue reported on code.google.com by sivan...@umn.edu on 4 Nov 2014 at 11:35

Hi,

Currently HonSSH only supports one honeypot behind it.
In theory it could support multiple honeypots, but I would need to figure out 
how I'd implement it. 
One of the difficulties would be, if someone logs in via one IP, then logs in 
again via a different IP, ideally I would want them to go to the same honeypot. 

You could have multiple instances of HonSSH running on different ports on one 
box, but then you would need something to proxy requests to the different ports 
etc.

What sort of deployment scenario were you thinking of?

Cheers,
Tom

Original comment by tnn...@googlemail.com on 4 Nov 2014 at 12:44

Thanks for the quick reply Tom.
I was thinking about running honssh as my gateway in front of an openVZ server 
with multiple honeypot instances. In my scenario, I would like attackers who 
choose different IPs to be able to login to different honeypots. Can honssh 
listen on multiple addresses? I would then create the logic on the openVZ side 
to create a machine according to the targeted IP address from the attack. How 
does that sound?

Original comment by sivan...@umn.edu on 4 Nov 2014 at 1:06

Sounds like an interesting project.

Yes, honssh can listen on all interfaces using 0.0.0.0/0 - Just make sure you 
have a firewall rule preventing an attacker from sshing back into honssh from 
inside a honeypot, or you will get some strange ssh connection loops!

Feel free to email directly to my email if you have any further queries about 
this project - I'd definitely be interested in seeing the setup and results.

Cheers,
Tom

Original comment by tnn...@googlemail.com on 4 Nov 2014 at 1:17
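The dispatch logic the two of you are describing (target IP picks the honeypot, a returning attacker is pinned to the honeypot it first hit, and a connection originating from inside the honeypot network is refused rather than proxied into a loop) as an added illustration; this is not HonSSH code, and the address table, container names and honeypot subnet are constructed placeholders:

```python
import ipaddress

# Constructed example topology: public IPs the gateway listens on, mapped to
# honeypot containers (hypothetical IDs; HonSSH itself keeps no such table).
TARGET_TO_HONEYPOT = {
    "203.0.113.10": "ctid-101",
    "203.0.113.11": "ctid-102",
    "203.0.113.12": "ctid-103",
}

# Range the honeypot containers live in (assumed). A connection arriving from
# it means something inside a honeypot is SSHing back to the gateway, the loop
# the maintainer warns about, so it is refused instead of being proxied.
HONEYPOT_NET = ipaddress.ip_network("10.0.0.0/24")


class HoneypotDispatcher:
    """Choose a honeypot for an inbound SSH connection.

    Policy from the thread: the targeted IP selects the honeypot, but a
    source address that has been seen before is pinned to the honeypot it
    first reached, so an attacker returning via a different gateway IP
    lands on the same box.
    """

    def __init__(self, target_map, honeypot_net):
        self._targets = target_map
        self._net = honeypot_net
        self._pinned = {}  # src_ip -> honeypot id

    def dispatch(self, src_ip, dst_ip):
        # Loop guard: never proxy a session that comes from a honeypot.
        if ipaddress.ip_address(src_ip) in self._net:
            raise ConnectionRefusedError(
                f"{src_ip} is inside the honeypot network; refusing loop")
        # Stickiness: a known source keeps its original honeypot.
        if src_ip in self._pinned:
            return self._pinned[src_ip]
        if dst_ip not in self._targets:
            raise LookupError(f"no honeypot configured for target {dst_ip}")
        honeypot = self._targets[dst_ip]
        self._pinned[src_ip] = honeypot
        return honeypot
```

In a real deployment the pin table would need an expiry and persistence across gateway restarts; both are left out here.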

Thank you Tom. It is very nice of you to provide assistance and your personal 
email for future queries. I will go ahead and send a test email to make sure 
the email route works between us.

Some additional questions:
1. Just to verify, while honssh can listen on all interfaces, it can only open 
one ssh session to a honeypot per instance right? In other words, I cannot use 
some NAT tricks to make honssh open multiple sessions to multiple honeypots and 
trace all that happens in those sessions. Am I right?

2. What do you think will be the HD space & RAM requirements for a honssh 
gateway that sits in front of 500 honeypots and has the capability of accepting 
multiple sessions per honeypot?

Thanks again, 
Ido.

Original comment by sivan...@umn.edu on 4 Nov 2014 at 2:11

Hi Ido,

1) Correct - maybe in the distant future I will implement it :)

2) Not too sure. The number of honeypots is not really the factor as more 
honeypots does not always mean more attacks. I think an average machine should 
be able to support it though. I have a friend who is actively deploying HonSSH, 
so I can CC him on our emails if needed.

Original comment by tnn...@googlemail.com on 4 Nov 2014 at 3:13

Hi,
Have you solved this problem? How can I write a pre-auth-script file, please?