
🔒 Secure Honeypot Deployment Guide

🚨 Critical Security Measures

1. Container Deployment (MANDATORY)

# Build the images and start the whole stack in the background
docker-compose up --detach

# Follow the honeypot service's log stream (Ctrl-C stops following, not the service)
docker-compose logs --follow honeypot

2. Network Isolation

# Create a dedicated bridge network so the honeypot containers never share a
# segment with anything else on this host. The subnet is RFC 1918 space; pick
# one that does not collide with networks the host can already reach.
# NOTE(review): a plain bridge still has unrestricted egress through the host.
# `--internal` would remove egress but also breaks published (inbound) ports,
# which a honeypot needs, so egress has to be controlled at the host firewall.
docker network create \
  --driver=bridge \
  --subnet 172.30.0.0/16 \
  --ip-range 172.30.240.0/20 \
  honeypot-isolated

# Point the services in docker-compose.yml at the `honeypot-isolated` network

3. Firewall Configuration

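# Allow only necessary ports
ufw default deny incoming
# NOTE(review): for a honeypot host consider restricting egress as well, so a
# compromised listener cannot be used as a pivot. Container traffic traverses
# the host's FORWARD chain rather than OUTPUT, so `ufw default deny outgoing`
# alone does not cover it -- verify what actually applies with `iptables -S FORWARD`.
ufw default allow outgoing

# Honeypot services (the listener ports used by this deployment)
ufw allow 2121/tcp  # FTP
ufw allow 2222/tcp  # SSH
ufw allow 2323/tcp  # Telnet
ufw allow 2525/tcp  # SMTP
ufw allow 3306/tcp  # MySQL
ufw allow 3399/tcp  # RDP
ufw allow 4450/tcp  # SMB
ufw allow 5060/tcp  # SIP
ufw allow 5432/tcp  # PostgreSQL
ufw allow 8080/tcp  # HTTP
ufw allow 8443/tcp  # HTTPS
ufw allow 27017/tcp # MongoDB
ufw allow 1143/tcp  # IMAP

# Dashboard (RESTRICT TO ADMIN IPs ONLY) -- TCP only; repeat per admin address
ufw allow proto tcp from YOUR_ADMIN_IP to any port 6333

# WARNING: Docker publishes container ports by inserting its own iptables rules
# (DOCKER / DOCKER-USER chains in FORWARD) ahead of ufw's, so any port listed
# under `ports:` in docker-compose.yml is reachable from anywhere regardless of
# the rules above. Treat these rules as a host-level backstop, not the control:
# publish the dashboard only on loopback in docker-compose.yml
# (e.g. "127.0.0.1:6333:6333") and reach it over SSH/VPN, or run Docker with
# iptables management disabled and write the forwarding rules yourself.
ufw enable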

4. Dashboard Access Control

# Admin IP allowlist (comma-separated), read by the dashboard
export ADMIN_IPS='192.168.1.100,10.0.0.50'

# Alternatively put the dashboard behind a VPN or a bastion host.
# NEVER expose the dashboard to the public internet.

5. SSL/TLS Configuration

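# Generate a self-signed certificate for the honeypot listeners.
# -nodes leaves the private key unencrypted, so file permissions are the only
# thing protecting it: tighten the umask before the key is written.
umask 077
openssl req -x509 -newkey rsa:4096 -keyout tls_key.pem -out tls_cert.pem -days 365 -nodes
chmod 600 tls_key.pem
chmod 644 tls_cert.pem

# Or use Let's Encrypt for public-facing deployments.
# --standalone answers the HTTP-01 challenge on port 80, which the firewall
# section above does not open: allow 80/tcp for the duration of the run, or
# use the webroot / DNS challenge instead.
certbot certonly --standalone -d your-honeypot-domain.com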

📊 Threat Intelligence Export

Available Formats (all served by the dashboard on port 6333, so the dashboard's access restrictions apply to these endpoints as well)

  1. Plain Text (for simple blocklists)

    GET /api/export/blocklist/txt?min_score=70&max_age=7d
    
  2. JSON (for programmatic consumption)

    GET /api/export/blocklist/json?min_score=60&include_unblocked=false
    
  3. Suricata Rules (for IDS/IPS)

    GET /api/export/blocklist/suricata?min_score=80
    
  4. iptables Script (for Linux firewalls)

    GET /api/export/blocklist/iptables?min_score=70
    

Automated Blocklist Updates

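#!/usr/bin/env bash
# Pull the honeypot's plain-text blocklist and load it into a dedicated
# iptables chain. Run hourly from cron, e.g.:
#   0 * * * * /usr/local/bin/update-blocklist.sh
#
# What this adds over a bare `curl ... > /etc/blocklist.txt`:
#   - HTTPS and --fail: an HTTP error page or a tampered response is not applied
#   - validation: only IPv4 addresses/CIDRs are accepted -- the honeypot is the
#     most exposed host you own and its output is attacker-influenced
#   - atomic replace: a failed or empty download never truncates the old list
#   - the rules are rebuilt from the downloaded list; the previous cron line ran
#     iptables-restore on /etc/iptables-blocklist.rules, a file it never regenerated
set -euo pipefail

readonly BLOCKLIST_URL='https://your-honeypot:6333/api/export/blocklist/txt?min_score=70'
readonly BLOCKLIST='/etc/blocklist.txt'
readonly CHAIN='HONEYPOT_BLOCK'
# Addresses that must never be blocked even if they appear in the export
# (admin IPs, monitoring, the honeypot's own upstream) -- one per line.
readonly ALLOWLIST='/etc/blocklist-allow.txt'

tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp" "$tmp.filtered"' EXIT

# The dashboard is meant to be authenticated (see the warnings section);
# add the deployment's token / cookie / client-certificate option to this call.
curl --silent --show-error --fail --max-time 30 \
  --output "$tmp" -- "$BLOCKLIST_URL"
sed -i 's/\r$//' -- "$tmp"

if [[ ! -s "$tmp" ]]; then
  printf 'blocklist: empty response, keeping previous list\n' >&2
  exit 0
fi

# Refuse anything that is not a bare IPv4 address or CIDR (blank lines allowed).
if grep -Evq '^([0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?)?$' -- "$tmp"; then
  printf 'blocklist: unexpected content, refusing to apply\n' >&2
  exit 1
fi

# Drop allowlisted entries, then replace the on-disk list atomically.
if [[ -r "$ALLOWLIST" ]]; then
  grep -vxF -f "$ALLOWLIST" -- "$tmp" > "$tmp.filtered" || true
  mv -f -- "$tmp.filtered" "$tmp"
fi
install -m 0644 -- "$tmp" "$BLOCKLIST"

# Rebuild the chain: create it on first run, flush it otherwise, make sure INPUT
# jumps to it, then append one DROP per entry. --noflush leaves the rest of the
# filter table (ufw's rules included) untouched.
iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -I INPUT 1 -j "$CHAIN"
{
  printf '*filter\n'
  grep -E '^[0-9]' -- "$BLOCKLIST" | while IFS= read -r ip; do
    printf -- '-A %s -s %s -j DROP\n' "$CHAIN" "$ip"
  done || true
  printf 'COMMIT\n'
} | iptables-restore --noflush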

🛡️ Security Monitoring

1. Log Monitoring

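# Monitor for suspicious activity.
# -F (not -f) keeps following after logrotate renames the file; with -f the
# tail silently goes quiet after the first rotation.
tail -F /var/log/honeypot/honeypot.log | grep -E "(brute_force|port_scan|high_threat)"

# Validate the log rotation config. `-d` is a DEBUG / dry run: it prints what
# would happen and changes nothing, so on its own it does not set up rotation.
# Once the dry run looks right, run it for real (or let the daily cron job do it).
logrotate -d /etc/logrotate.d/honeypot
logrotate /etc/logrotate.d/honeypot
# NOTE(review): this path is /var/log/honeypot/... while the logrotate config
# later in this guide rotates /app/logs/*.log -- presumably the host and
# container views of one bind mount; confirm they are the same files.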

2. Resource Monitoring

# Live CPU / memory / network / block-I/O counters for the honeypot container
docker stats honeydany

# Feed the same counters into your alerting so sustained high CPU or memory
# pages someone -- on a honeypot that is as likely to be abuse of a
# compromised listener as a legitimate load spike

3. Database Backup

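# Backup the threat-intelligence database.
# `.backup` uses SQLite's online-backup API, so it is safe while the honeypot is
# writing; a plain `cp` of a live SQLite file is not.
# The backup holds attacker-supplied data (and possibly captured credentials),
# so keep the directory readable by root only.
install -d -m 0700 /backup
sqlite3 app.db ".backup '/backup/honeypot-$(date +%Y%m%d).db'"
# NOTE(review): `app.db` is relative to the current directory -- inside the
# container that is presumably the app root; from the host run this through
# `docker-compose exec honeypot ...` or point it at the bind-mounted path.

# Automated daily backups (crontab entry; the script should run the lines above)
0 2 * * * /usr/local/bin/backup-honeypot.sh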

🔧 Configuration Hardening

1. Disable Unnecessary Services

{
  "services": {
    "http": true,
    "https": true,
    "ssh": true,
    "ftp": false,     // Disable if not needed
    "smtp": false,    // Disable if not needed
    "mysql": true,
    "postgresql": false,
    "mongodb": true,
    "telnet": false,  // High risk - disable if possible
    "imap": false,
    "smb": false,     // High risk - disable if possible
    "rdp": false,     // High risk - disable if possible
    "sip": false,
    "vnc": false
  }
}

2. Rate Limiting

{
  "security": {
    "max_connections_per_ip": 5,
    "connection_timeout": "2m",
    "rate_limit_window": "1m",
    "max_auth_attempts": 3
  }
}

🚨 Incident Response

1. High-Threat Detection

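# Immediate blocking of a high-threat IP. Take the address from $1 and let jq
# build the JSON so a malformed or attacker-chosen value cannot break out of
# the payload; --fail makes a rejected request visible instead of silent.
threat_ip=$1
curl --fail --silent --show-error -X POST "http://localhost:6333/api/threat/block" \
  -H "Content-Type: application/json" \
  -d "$(jq -nc --arg ip "$threat_ip" '{ip: $ip, reason: "automated_high_threat"}')"
# Before automating this, check the address against your admin / monitoring
# ranges: acting on the honeypot's own verdict is a self-DoS vector if an
# attacker can make traffic appear to come from an address you rely on.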

2. Emergency Shutdown

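# Emergency stop. `stop` halts the service but keeps the container, which is
# what you want first during an incident: the filesystem of a possibly
# compromised container is evidence.
docker-compose stop honeypot

# Capture the logs before anything is removed
docker-compose logs --no-color honeypot > "honeypot-incident-$(date +%Y%m%dT%H%M%S).log"

# `down` removes the containers (named volumes survive unless -v is given);
# use it only once the evidence above has been collected.
docker-compose down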

📈 Performance Optimization

1. Database Optimization

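-- Regular database maintenance (SQLite).
-- Create the indexes first so ANALYZE collects statistics for them; ANALYZE
-- run before CREATE INDEX leaves the planner without stats for the new indexes.
CREATE INDEX IF NOT EXISTS idx_threat_events_ip_time ON threat_events(ip, last_seen);
CREATE INDEX IF NOT EXISTS idx_ip_analysis_score ON ip_analysis(threat_score);

-- VACUUM rewrites the whole file: it needs roughly twice the database size in
-- free space and takes an exclusive lock, so schedule it off-peak.
VACUUM;
ANALYZE;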

2. Log Rotation

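# Configure log rotation. Quoted heredoc delimiter so nothing in the config can
# be expanded by the shell that writes it.
cat > /etc/logrotate.d/honeypot << 'EOF'
/app/logs/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    # Logs contain attacker-supplied payloads and captured credentials:
    # not world-readable.
    create 0640 honeypot honeypot
}
EOF
# NOTE(review): after a rename-style rotation a process keeps writing to the
# old inode unless told to reopen. Verify the honeypot reopens its log, or add
# a postrotate hook that signals it, or use `copytruncate` (which makes the
# `create` line a no-op because the original file stays in place).
# Also confirm /app/logs is the same directory the monitoring section greps
# as /var/log/honeypot (e.g. via a bind mount).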

🔍 Threat Intelligence Integration

1. External Threat Feeds

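# Integrate with external threat intelligence.
# --fail stops an error page from being parsed as a feed; the jq output is then
# filtered to IPv4-looking lines so a feed cannot inject arbitrary text into
# your blocklist; sort -u merges into the existing file instead of appending
# duplicates forever (GNU sort reads all input before writing the -o file).
touch external_threats.txt
curl --silent --show-error --fail --max-time 60 "https://reputation-api.com/threats" \
  | jq -r '.ips[]' \
  | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
  | sort -u - external_threats.txt -o external_threats.txt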

2. Sharing Threat Intelligence

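# Share your blocklist with the community.
# --fail surfaces a rejected submission instead of a silent no-op. If the
# platform needs an API key, pass it from a file or the environment
# (e.g. `-H @/etc/honeypot/sharing-auth-header`) rather than on the command
# line, where it shows up in `ps` and shell history.
# Before sharing, check the export for addresses you must not publish (your
# own ranges, partner / admin IPs) and for any legal constraints on publishing
# observed source addresses.
curl --fail --silent --show-error -X POST "https://threat-sharing-platform.com/api/submit" \
  -H "Content-Type: application/json" \
  -d @honeypot_blocklist.json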

⚠️ CRITICAL WARNINGS

  1. NEVER run honeypot on production systems
  2. ALWAYS use dedicated, isolated infrastructure
  3. NEVER expose dashboard to public internet
  4. ALWAYS use strong authentication on the dashboard and export API (port 6333); the curl examples in this guide send no credentials, so add whatever token, cookie or client certificate the deployment uses
  5. REGULARLY update and patch the system
  6. MONITOR for compromise indicators
  7. BACKUP threat intelligence data regularly

📞 Emergency Contacts