Creating SSH honeypots with a real Linux backend is inherently dangerous. Any local privilege escalation could lead to the attacker taking over your host system. While this tutorial represents the best practices in building a honeypot, the responsibility of securing your installation ultimately rests upon you. Please do not attempt this unless you are intimately familiar with securing container environments. Docker has really good documentation on this topic.

In order to set up a honeypot securely you will need at least two hosts: one to run ContainerSSH and the second to run the container infrastructure the attacker is dropped into. We'll call the first host the gateway VM and the second one the sacrificial VM. Ideally, the sacrificial VM should run on its own dedicated physical hardware to prevent leakage of secrets due to CPU bugs. Furthermore, you will need an S3-compatible object storage to upload audit logs and a Prometheus installation for monitoring. Both VMs need sufficient disk space to hold audit logs and containers.

We strongly recommend automating the setup with a tool like Terraform to rapidly apply security updates.

You should set up the gateway host in such a way that it is visible from the Internet. You will need the following firewall rules:

- Port 22 should be open to the Internet.
- Ports 91 should be open from your Prometheus instance. These will be used by the Prometheus node exporter and the ContainerSSH metrics server respectively.
- Outbound rules to your S3-compatible object storage.

Step 3: Firewalling the sacrificial host

The sacrificial host should not have any public Internet connectivity; instead it should only be connected to the gateway host. In order to keep this host up to date, a prebuilt VM image with Docker installed should be used. The update process of this VM image can be automated using tools like Packer. On the firewall side, the sacrificial host should not allow any outbound connections and only allow inbound connections on TCP port 2376 from the gateway host.

Step 4: Creating certificates for authentication on the sacrificial host
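The Step 3 firewall policy for the sacrificial host (no outbound connections, inbound only on TCP 2376 from the gateway) written as an nftables ruleset. This is an added example, not part of the original tutorial or the ContainerSSH project; the gateway address 192.0.2.10 and the table name are placeholders you replace with your own.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Placeholder: the gateway VM's address on the private link to this host
define GATEWAY = 192.0.2.10

table inet sacrificial {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        # Docker TLS endpoint: new connections only from the gateway host
        ip saddr $GATEWAY tcp dport 2376 ct state new accept
        # Anything else hitting the host is dropped and logged for detection
        log prefix "sacrificial-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Attacker containers must not reach anything beyond this host
        log prefix "sacrificial-forward-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        # Only replies on connections the gateway opened are allowed out
        ct state established,related accept
        log prefix "sacrificial-output-drop: " drop
    }
}
```

Docker installs its own iptables/nftables rules for container networking; these base chains are evaluated alongside them at the same hooks, so a packet must be accepted by both sets to pass, and the dropped-and-logged entries give you a detection signal if the host ever tries to make an outbound connection.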