HONEYPOT ATTACK MONITORING

CATCH HACKERS IN THE ACT

Deploy a honeypot to monitor and analyze malicious activity on your network.

HOW IT WORKS

HONEYPOT SECURITY IN 3 STEPS

Our honeypot solution attracts and monitors attackers while keeping your real systems safe.

1. DEPLOY HONEYPOT

Set up a decoy system that mimics real services to attract attackers.

2. MONITOR ACTIVITY

Collect data on attack methods, sources, and techniques used by intruders.

3. ANALYZE ATTACKS

Gain insights to improve your real security defenses and threat intelligence.

ATTACK DASHBOARD

Real-time monitoring of honeypot activity and attack analytics.

TOTAL ATTACKS

1,248

+12% from last week

ACTIVE THREATS

24

5 critical right now

TOP ATTACK TYPE

SSH Brute Force

42% of all attacks

TOP SOURCE COUNTRY

China

38% of traffic

[Charts: Attacks Over Time, Attack Types, Top Source Countries, Severity Distribution]

SECURITY MONITORING

RECENT ATTACKS

Detailed view of recent malicious activity captured by your honeypot.

TIMESTAMP | ATTACK TYPE | SOURCE IP | COUNTRY | SEVERITY | ACTIONS

No attacks detected yet. It may take some time for attackers to find your honeypot.

GET STARTED

HONEYPOT SETUP GUIDE

Step-by-step instructions to deploy your own honeypot.

CHOOSE YOUR HONEYPOT TYPE

Low-Interaction

Simulates services with minimal risk. Best for beginners and monitoring common attacks.

RECOMMENDED

Medium-Interaction

More realistic emulation with some service functionality. Requires more resources.

High-Interaction

Real systems with extensive logging. Advanced users only - higher security risk.

LOW-INTERACTION HONEYPOT SETUP

1. Install Docker

Docker will allow us to quickly deploy honeypot containers. Install Docker on your system:

# For Ubuntu/Debian
sudo apt update
sudo apt install docker.io docker-compose
sudo systemctl enable --now docker

2. Deploy T-Pot

T-Pot is a popular multi-honeypot platform with various services. Deploy it with:

git clone https://github.com/telekom-security/tpotce
cd tpotce/iso/installer/
sudo ./install.sh --type=user

Follow the installer prompts. Choose a strong password for the web interface.

3. Configure Firewall

Allow traffic to honeypot ports while protecting your real services:

# Example UFW rules
sudo ufw allow 64294/tcp  # T-Pot web interface
sudo ufw allow 22/tcp     # SSH honeypot
sudo ufw allow 80/tcp     # HTTP honeypot
sudo ufw enable

Adjust ports based on which honeypot services you enable in T-Pot.

4. Access Dashboard

Once installed, access the T-Pot web interface:

https://your-server-ip:64294

Use the credentials you set during installation. You'll see attacks appear as they happen.
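
Once the honeypot is collecting data, the same events can be analyzed outside the dashboard. The following is an added example, not part of the original guide or of T-Pot: it assumes JSON-lines events in the style of the Cowrie SSH honeypot that T-Pot bundles (fields eventid, src_ip, password, timestamp), and the function names, thresholds and sample lines are constructed here for illustration. It flags sources whose failed logins cluster inside a short time window, which separates brute forcing from slow, scattered attempts.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real captures); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","password":"123456","timestamp":"2024-01-01T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","password":"admin","timestamp":"2024-01-01T10:00:05.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","password":"123456","timestamp":"2024-01-01T10:00:09.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","password":"123456","timestamp":"2024-01-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","password":"password","timestamp":"2024-01-01T10:02:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","password":"toor","timestamp":"2024-01-01T10:04:00.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.50","timestamp":"2024-01-01T10:06:00.000000Z"}
this line is truncated {"eventid":
"""

def parse_events(text):
    """Yield decoded events, skipping blank or corrupt lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "eventid" in event and "src_ip" in event:
            yield event

def find_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Map src_ip -> peak failed logins inside any sliding window, if >= threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["eventid"] == "cowrie.login.failed":
            ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
            failures[e["src_ip"]].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def top_passwords(events, n=3):
    """Most common passwords tried in failed logins."""
    fails = (e for e in events if e["eventid"] == "cowrie.login.failed")
    return Counter(e.get("password") for e in fails).most_common(n)
```

With the sample data, only 203.0.113.7 is flagged at the default 60-second window; widening the window to five minutes also catches the slower source.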

SECURITY BEST PRACTICES

Isolation

Always isolate honeypots from your production network. Use separate VLANs or physical networks.

Monitoring

Implement comprehensive logging. Assume your honeypot will be compromised and plan accordingly.

Maintenance

Regularly update and reset your honeypots. Automated deployment scripts help with this.

Legal Considerations

Check local laws before deploying honeypots. Some jurisdictions restrict certain types of monitoring.

NEED HELP?

FREQUENTLY ASKED QUESTIONS