honeydany/README.md
2026-04-16 06:01:31 +01:00


# Honeypot app
### 1. **Container Deployment (MANDATORY)**
```bash
# Build and deploy with Docker
docker-compose up -d
# Monitor logs
docker-compose logs -f honeypot
```
### 2. **Network Isolation**
```bash
# Create isolated network
docker network create --driver bridge \
  --subnet=172.30.0.0/16 \
  --ip-range=172.30.240.0/20 \
  honeypot-isolated
# Update docker-compose.yml to use isolated network
```
### 3. **Firewall Configuration**
```bash
# Allow only necessary ports
ufw default deny incoming
ufw default allow outgoing
# Honeypot services
ufw allow 2121/tcp # FTP
ufw allow 2222/tcp # SSH
ufw allow 2323/tcp # Telnet
ufw allow 2525/tcp # SMTP
ufw allow 3306/tcp # MySQL
ufw allow 3399/tcp # RDP
ufw allow 4450/tcp # SMB
ufw allow 5060/tcp # SIP
ufw allow 5432/tcp # PostgreSQL
ufw allow 8080/tcp # HTTP
ufw allow 8443/tcp # HTTPS
ufw allow 27017/tcp # MongoDB
ufw allow 1143/tcp # IMAP
# Dashboard (RESTRICT TO ADMIN IPs ONLY)
ufw allow from YOUR_ADMIN_IP to any port 6333
ufw enable
```
### 4. **Dashboard Access Control**
```bash
# Create admin IP whitelist
export ADMIN_IPS="192.168.1.100,10.0.0.50"
# Or use VPN/bastion host for dashboard access
# NEVER expose dashboard to public internet
```
### 5. **SSL/TLS Configuration**
```bash
# Generate proper SSL certificates
openssl req -x509 -newkey rsa:4096 -keyout tls_key.pem -out tls_cert.pem -days 365 -nodes
# Or use Let's Encrypt for public-facing deployments
certbot certonly --standalone -d your-honeypot-domain.com
```
## 📊 Threat Intelligence Export
### Available Formats
1. **Plain Text** (for simple blocklists)
```
GET /api/export/blocklist/txt?min_score=70&max_age=7d
```
2. **JSON** (for programmatic consumption)
```
GET /api/export/blocklist/json?min_score=60&include_unblocked=false
```
3. **Suricata Rules** (for IDS/IPS)
```
GET /api/export/blocklist/suricata?min_score=80
```
4. **iptables Script** (for Linux firewalls)
```
GET /api/export/blocklist/iptables?min_score=70
```
### Automated Blocklist Updates
```bash
# Crontab entry (add with `crontab -e`), not a shell script: refresh the blocklist every hour.
# -f makes curl fail on HTTP errors so an error page never overwrites the list, and -o writes
# the file only on success. iptables-restore does not read a plain address list, so
# /etc/iptables-blocklist.rules has to be built from /etc/blocklist.txt before it is restored.
0 * * * * curl -sf "http://your-honeypot:6333/api/export/blocklist/txt?min_score=70" -o /etc/blocklist.txt && iptables-restore < /etc/iptables-blocklist.rules
```
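The cron line above only restores a rules file; this added example (not part of the honeydany project) builds that file from the plain-text export, keeping only well-formed IPv4 entries so a malformed or poisoned feed cannot slip rule text or junk into the firewall. The chain name `HONEYPOT_BLOCK`, the output path and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example (not honeydany project code): convert the plain-text blocklist
# export into an iptables-restore fragment, keeping only well-formed IPv4
# addresses (optional /CIDR) so a corrupted or spoofed feed cannot inject
# arbitrary rules or garbage into the firewall.
set -eu

# Pass through only lines that are a valid dotted-quad IPv4 address, optionally
# with a /0-/32 prefix length; everything else (comments, junk, rule text) is dropped.
filter_ipv4() {
    grep -E '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$' || true
}

# Read addresses on stdin, write an iptables-restore fragment on stdout that
# drops traffic from each one in a dedicated chain (hook it once with
# `iptables -I INPUT -j HONEYPOT_BLOCK`; the chain name is an assumption).
build_rules() {
    echo '*filter'
    echo ':HONEYPOT_BLOCK - [0:0]'
    filter_ipv4 | sort -u | while read -r ip; do
        echo "-A HONEYPOT_BLOCK -s $ip -j DROP"
    done
    echo 'COMMIT'
}

# Number of DROP rules in a rules file, for a sanity check before loading it.
count_drops() {
    grep -c -- '-j DROP' "$1" || true
}

# Constructed sample of a blocklist export: two good entries, a feed comment,
# an out-of-range octet, a duplicate and an attempted rule injection.
SAMPLE='203.0.113.5
# comment line from feed
198.51.100.0/24
999.1.1.1
203.0.113.5
-A INPUT -j ACCEPT'

RULES_FILE="${TMPDIR:-/tmp}/iptables-blocklist.rules"
printf '%s\n' "$SAMPLE" | build_rules > "$RULES_FILE.tmp"
mv "$RULES_FILE.tmp" "$RULES_FILE"   # atomic replace: a half-written file is never loaded
echo "wrote $(count_drops "$RULES_FILE") DROP rules to $RULES_FILE"
# Load as root with: iptables-restore --noflush < "$RULES_FILE"
```

In the hourly cron job, run this against `/etc/blocklist.txt` and only call `iptables-restore` when the DROP count is non-zero, so an empty or broken download never wipes the block chain.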
## 🛡️ Security Monitoring
### 1. **Log Monitoring**
```bash
# Monitor for suspicious activity
tail -f /var/log/honeypot/honeypot.log | grep -E "(brute_force|port_scan|high_threat)"
# Dry-run the log rotation config: -d only prints what would happen, drop it to rotate for real
logrotate -d /etc/logrotate.d/honeypot
```
### 2. **Resource Monitoring**
```bash
# Monitor container resources
docker stats honeydany
# Set up alerts for high CPU/memory usage
```
### 3. **Database Backup**
```bash
# Backup threat intelligence database
sqlite3 app.db ".backup /backup/honeypot-$(date +%Y%m%d).db"
# Automated daily backups (crontab entry, runs at 02:00)
0 2 * * * /usr/local/bin/backup-honeypot.sh
```
## 🔧 Configuration Hardening
### 1. **Disable Unnecessary Services**
Disable `ftp` and `smtp` if they are not needed; `telnet`, `smb` and `rdp` are high risk and should stay disabled where possible.
```json
{
  "services": {
    "http": true,
    "https": true,
    "ssh": true,
    "ftp": false,
    "smtp": false,
    "mysql": true,
    "postgresql": false,
    "mongodb": true,
    "telnet": false,
    "imap": false,
    "smb": false,
    "rdp": false,
    "sip": false,
    "vnc": false
  }
}
```
### 2. **Rate Limiting**
```json
{
  "security": {
    "max_connections_per_ip": 5,
    "connection_timeout": "2m",
    "rate_limit_window": "1m",
    "max_auth_attempts": 3
  }
}
```
## 🚨 Incident Response
### 1. **High-Threat Detection**
```bash
# Immediate blocking of high-threat IPs
curl -X POST "http://localhost:6333/api/threat/block" \
  -H "Content-Type: application/json" \
  -d '{"ip": "THREAT_IP", "reason": "automated_high_threat"}'
```
### 2. **Emergency Shutdown**
```bash
# Emergency stop all services
docker-compose down
# Or stop specific services
docker-compose stop honeypot
```
## 📈 Performance Optimization
### 1. **Database Optimization**
```sql
-- Regular database maintenance
VACUUM;
ANALYZE;
-- Index optimization
CREATE INDEX IF NOT EXISTS idx_threat_events_ip_time ON threat_events(ip, last_seen);
CREATE INDEX IF NOT EXISTS idx_ip_analysis_score ON ip_analysis(threat_score);
```
### 2. **Log Rotation**
```bash
# Configure log rotation
cat > /etc/logrotate.d/honeypot << EOF
/app/logs/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 644 honeypot honeypot
}
EOF
```
## 🔍 Threat Intelligence Integration
### 1. **External Threat Feeds**
```bash
# Integrate with external threat intelligence
curl -s "https://reputation-api.com/threats" | jq -r '.ips[]' >> external_threats.txt
```
### 2. **Sharing Threat Intelligence**
```bash
# Share your blocklist with community
curl -X POST "https://threat-sharing-platform.com/api/submit" \
  -H "Content-Type: application/json" \
  -d @honeypot_blocklist.json
```
## **CRITICAL WARNINGS**
1. **NEVER run honeypot on production systems**
2. **ALWAYS use dedicated, isolated infrastructure**
3. **NEVER expose dashboard to public internet**
4. **ALWAYS use strong authentication**
5. **REGULARLY update and patch the system**
6. **MONITOR for compromise indicators**
7. **BACKUP threat intelligence data regularly**