tnich/honssh

Presenting a clean honeypot

robputt opened this issue · 2 comments

Hi,

I have had a HonSSH honeypot running for a while with some interesting results; however, I am a bit concerned that when an intruder epically screws up the honeypot backend it often requires manual intervention to put it right. Can we add a feature to enable spinning up and retirement of the backend host using a docker container? This way the attacker gets a clean docker container to interact with each time he attempts the hack. I am happy to help implement this, let me know your thoughts.

Best Regards,

Rob

This is an interesting idea, but I'm not sure it's within the scope of HonSSH. Maybe it could be added as a type of optional module?
What do you think, @tnich?

tnich commented

Hi Rob,

Thanks for your comment.

I added in the "pre_auth_script" config option to help with things like this.
The idea being that when an attacker connects, HonSSH calls a script of your choosing and passes it the attacker IP etc.
Then the script returns the IP of the honeypot that you want HonSSH to forward the attacker to.

I thought the external script could spin up docker/LXC etc and keep track of attacker IPs to container mappings, that way they could log back into the same pot, but other attackers would get a new clean install.

I want to eventually add a post_auth_script to forward attackers based on the username/password combination, but that's a way off currently.

Cheers,
Tom
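
Added example, not part of the thread or of HonSSH's code: a sketch of the kind of external script described in the last comment, which keeps an attacker-IP-to-container mapping so a returning attacker lands in the same pot and a new one gets a clean container. The thread does not give the exact arguments HonSSH passes or the output it expects, so the command-line glue (attacker IP as the first argument, backend IP printed on stdout), the image name and the state-file path are assumptions.

```python
import fcntl, ipaddress, json, os, subprocess, sys, tempfile

STATE_FILE = os.path.join(tempfile.gettempdir(), "honssh_pots.json")  # hypothetical path
IMAGE = "honeypot-base:latest"  # hypothetical image name

def docker_launch(attacker_ip):
    """Start a fresh container for this attacker; return (container_id, container_ip)."""
    cid = subprocess.check_output(
        ["docker", "run", "-d", "--label", "attacker=" + attacker_ip, IMAGE],
        text=True).strip()
    fmt = "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}"
    ip = subprocess.check_output(["docker", "inspect", "-f", fmt, cid], text=True).strip()
    return cid, ip

def load_state(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}  # no mapping yet, or a corrupt file: start clean

def save_state(path, state):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)  # atomic swap so a reader never sees a half-written file

def assign_backend(attacker_ip, state_path=STATE_FILE, launch=docker_launch):
    """Return the backend IP for attacker_ip, launching a container only on first contact."""
    ipaddress.ip_address(attacker_ip)  # reject anything that is not an IP (raises ValueError)
    # Serialise concurrent invocations so two connections cannot both launch a pot.
    with open(state_path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        state = load_state(state_path)
        entry = state.get(attacker_ip)
        if entry is None:
            cid, pot_ip = launch(attacker_ip)
            entry = {"container": cid, "ip": pot_ip}
            state[attacker_ip] = entry
            save_state(state_path, state)
        return entry["ip"]

if __name__ == "__main__":
    # Assumed calling convention: attacker IP in argv[1], backend IP on stdout.
    print(assign_backend(sys.argv[1]))
```

Retiring a wrecked container then amounts to removing it and deleting its entry from the state file, after which the next connection from that address gets a fresh one.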