I love honeypots. They are so much fun. I haven’t run one in a very long time: the reason is that a while back (almost a decade now,) I had a high-interaction honeypot that was compromised, and what I saw was scary. Not that the attacks were all that interesting, but what else they had compromised made me worried. Enough said.
But recently, I have been putting a lot of time and thought into production honeypots—low interaction systems with minimal attack surface that can act as early warning of a real attack. Research-honeypots are fun, but allowing actual compromises, keeping them contained, and doing forensics is a lot of work. My interest at this point is more tactical than academic. There are a lot of really cool honeypot systems out there, but I wanted to get practice building custom web application honeypots. The premise is to create a static mirror of a website, and either introduce simulated, or previously well-known vulnerabilities. Then knowing exactly what vulnerabilities exist, monitor for only those, and automate whatever measures are appropriate, like D-Natting the attacker to a shadow-network away from valuable targets. It’s not a new idea—I wrote a paper on what I called then “bait and switch honeypots” in 1999.
SLowDeATH: Realistic Web-Application Honeypots with only static HTML and NGinX Rewrite Rules
As part of this, I have released a few of the “generic” applications I have created simulations of and have made them available as a project called SLowDeATH (Static Low-interaction Deceptive Attack Target Honeypots) on GitHub.
Right now I have only released two example configurations: Umbraco 4.7 and Tomcat 5.5, and (at the time of writing this at least,) there is a live system you can look at on the Internet: Umbraco Honeypot and Tomcat Honeypot.
Here’s the project’s README from GitHubRead full post →