So, we’ve set up a kali-lookalike Cowrie honeypot, and added some iptables rules to detect nmap scans. It would be nice, though, if we had some way to see what was going on other than opening a couple of shells and running tail -f /var/log/syslog | grep “<IPT>”.
So, let’s get our data somewhere useful.
I’m using Splunk in my home lab because it’s pretty powerful, and a single-host instance is relatively easy to set up compared to something like Graylog or an ELK stack.
In part 1 of this series, I showed you how to set up and customize a Cowrie honeypot on a Raspberry Pi. In this part, I’ll show how to use iptables to detect nmap scans and attempts to connect to ports other than the honeypot running on port 22.
IPTables is a common Linux firewall tool installed by default on ubuntu and other Debian-based distributions, including Raspbian. It’s available for both ipv4 and ipv6 and is easy to manage via the command line.
Continue reading “Kalipot – Part 2: Detecting Nmap Scans With IPTables”
For the past year, I’ve been setting up honeypots and network sensors on the wifi network at local security conferences, watching to see what other people are doing on the network. For the most part, the answer has been ‘not much’. But I wanted to write this up to capture the howto knowledge.
The Cowrie honeypot is a python application that simulates a ssh or telnet server, and will serve up a fake shell environment which can be tailored to resemble any kind of Linux distribution you like, with a fake directory tree and hosted files an attacker could examine or pillage. It supports logging in several formats, including syslog-like logs, JSON, Cuckoo, ELK and several different SQL databases.
Continue reading “Kalipot – Part 1: Hardening SSH and Setting Up Cowrie”
Off-Kilter Security 