Building and testing an HFish honeypot
2022-07-24 01:40:00 【Goodric】
HFish honeypot: building and testing
HFish is a free, community honeypot focused on enterprise security scenarios. Starting from three scenarios (intranet compromise detection, external threat awareness, and threat intelligence production), it provides users with independent and practical functions. Through secure, agile and reliable low- and medium-interaction honeypots, it strengthens users' capabilities in compromise detection and threat intelligence.
Honeypot technology is essentially a technique for deceiving the attacker. Hosts, network services or information are placed as decoys to induce an attacker to attack them, so that the attack behaviour can be captured and analysed, the tools and methods the attacker uses can be understood, and the intent and motive of the attack can be inferred. This gives the defenders a clear picture of the security threats they face, so that they can strengthen the protection of the real systems through technical and management means.
Here we build and test an HFish honeypot.
Build
Search for the image with docker.
docker search hfish

Pull the image
docker pull imdevops/hfish

List the local images
docker images

Master node deployment
docker run -d --name hfish \
  -p 21:21 -p 22:22 -p 23:23 -p 69:69 \
  -p 3306:3306 -p 5900:5900 -p 6379:6379 \
  -p 8080:8080 -p 8081:8081 -p 8989:8989 \
  -p 9000:9000 -p 9001:9001 -p 9200:9200 -p 11211:11211 \
  --restart=always imdevops/hfish:latest
The published ports are:
21: FTP port
22: SSH port
23: Telnet port
3306: MySQL port
6379: Redis port
8080: dark web port
8989: plugin port
9000: Web monitor port
9001: system management console port
11211: Memcache port
69: TFTP port
5900: VNC port
8081: HTTP proxy pool port
9200: Elasticsearch port
An error occurred during deployment.
Use docker ps to view the status of the running containers.
If the container name is already in use, delete the old container:
docker rm id
The error message was:
Error response from daemon: driver failed programming external connectivity on endpoint hfish (f971c0aa59bf806b22a1777bea4c23871f432dd9cb50c54c7d2482d3341980ff): Error starting userland proxy: listen tcp4 0.0.0.0:3306: bind: address already in use.
The first half:
Error response from daemon: driver failed programming external connectivity on endpoint hfish
Restarting the Docker service resolves this problem:
systemctl restart docker
The second half:
Error starting userland proxy: listen tcp4 0.0.0.0:3306: bind: address already in use.
This shows that port 3306 is already in use.
ps -ef | grep 3306
The PID (process number) will change.
Stop the mysql service:
service mysql stop
Then run the deployment command again.
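A pre-flight check for the "address already in use" failure above, as an added example that is not part of the original post: it parses `ss -ltnH` output and reports which of the ports published by the docker run command already have a TCP listener. The helper name busy_ports and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find which ports of the
# HFish "docker run" mapping are already bound on the host.

# Host ports published by the docker run command above.
HFISH_PORTS="21 22 23 69 3306 5900 6379 8080 8081 8989 9000 9001 9200 11211"

# Constructed sample of `ss -ltnH` output (listening TCP sockets, numeric,
# no header). Column 4 is "Local Address:Port".
SAMPLE_SS='LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*'

# busy_ports (hypothetical helper): reads ss lines on stdin and prints the
# HFish ports that already have a listener, sorted and space separated.
busy_ports() {
    awk -v want="$HFISH_PORTS" '
        BEGIN { n = split(want, p, " "); for (i = 1; i <= n; i++) w[p[i]] = 1 }
        {
            port = $4
            sub(/.*:/, "", port)          # keep only the port (IPv4 and [::])
            if ((port in w) && !(port in seen)) { seen[port] = 1; print port }
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Run against the constructed sample; on a real host use: ss -ltnH | busy_ports
busy=$(printf '%s\n' "$SAMPLE_SS" | busy_ports)
if [ -n "$busy" ]; then
    echo "ports already in use, docker run would fail to bind: $busy"
else
    echo "all HFish ports are free"
fi
```

On a host with a running sshd, port 22 shows up here as well as 3306, so the real SSH service has to move to another port before the honeypot can publish 22.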
From the attacker machine, look at the open ports.
Test
Visit port 9001 and log in to the management interface successfully.
admin/admin
Visit the web honeypot on port 9000.
Back in the management console on port 9001, the hooked (captured) information is visible.
From the attacker machine, test ssh.
From the attacker machine, test ftp.
From the attacker machine, test mysql.
The HFish console then shows the records of the honeypot being triggered.