So, we’ve set up a kali-lookalike Cowrie honeypot, and added some iptables rules to detect nmap scans. It would be nice, though, if we had some way to see what was going on other than opening a couple of shells and running tail -f /var/log/syslog | grep “<IPT>”.
So, let’s get our data somewhere useful.
I’m using Splunk in my home lab because it’s pretty powerful, and a single-host instance is relatively easy to set up compared to something like Graylog or an ELK stack.
Continue reading “Kalipot – Part 3: Monitoring The Data”
In part 1 of this series, I showed you how to set up and customize a Cowrie honeypot on a Raspberry Pi. In this part, I’ll show how to use iptables to detect nmap scans and attempts to connect to ports other than the honeypot running on port 22.
IPTables is a common Linux firewall tool installed by default on ubuntu and other Debian-based distributions, including Raspbian. It’s available for both ipv4 and ipv6 and is easy to manage via the command line.
Continue reading “Kalipot – Part 2: Detecting Nmap Scans With IPTables”