MHN best practices


Marvin De Haas

Jan 20, 2017, 8:49:13 PM
to jason...@threatstream.com, modern-hon...@googlegroups.com

Hi Jason,

I am very interested in integrating your MHN network within our Cyber Defense Center (CDC), and I personally am planning to do a pilot using the MHN server together with a Dionaea honeypot installed on a Raspberry Pi in our customer environment. The idea is that all our customers with managed security services have one installed in their own perimeter and that all malicious IP information is gathered using a SIEM solution, for example HP ArcSight. Eventually the idea is to publish that information to a website from within our CDC so that our customers with network solutions (think about firewalls) can use that feed list to automatically block those IPs, just like having an IP blacklist. This way we deliver a far more proactive and dynamic protection to our customers.

So the idea is very nice and neat; now to put it into practice. I am very new to this, so it would be nice to have some quick-start recommendations on how to install the MHN server. Actually I tried it before, but the MHN server's services never started correctly; maybe I did not use the right operating system. I see on the website that there is an updated installer available that supports Ubuntu 16.04.1? But on the website I also see that it has only been tested with Ubuntu 12.0.4.3 and CentOS 6.7? So what exactly is the recommended OS to run the MHN server on? What are your recommendations on using a Raspberry Pi with the Dionaea honeypot?

https://github.com/threatstream/mhn

Could you please provide me some best practices to be able to install the MHN network? I think we can do great business together if we can make it work properly :)

PS: For your information, we are a security company in South America.

Hope to hear from you soon.

Best regards,


Marvin de Haas
IT Security Architect
+51 1 2084800 / +51 1 981522932
mdehaas@neosecure.com
Av. El Pinar 152 Oficina 804, Chacarilla, Surco


Jason Trost

Jan 22, 2017, 3:23:53 PM
to Marvin De Haas, jason...@threatstream.com, modern-hon...@googlegroups.com
Hey Marvin,

This sounds like an awesome use of MHN.  For this sort of setup, here is my recommendation:

1. MHN Server - I recommend using Ubuntu 16 now that MHN supports this.  This is what I am running MHN on and it is working for me (on Digital Ocean, Ubuntu 16.04.1 x64).  I recommend at least 2GB RAM, but preferably 8GB+ if you have lots of honeypots.  We have deployed MHN to AWS and Digital with great success so that is what I would recommend as well if you can.

2. Raspberry Pi's - I just tested this install on a new Raspberry Pi that I have and it worked great.  I would recommend installing cowrie as well.  




Marvin De Haas

Feb 10, 2017, 3:44:48 PM
to Jason Trost, jason...@threatstream.com, modern-hon...@googlegroups.com

Hi Jason,

I was working on the installation of MHN using the Ubuntu 16.04.1 x64 version you recommended.

I used the procedure as stated on the following page:

https://github.com/threatstream/mhn

After running sudo ./install.sh it gets stuck on the mongodb installation. Do you have any ideas? What is the correct procedure for the installation?

Best regards,

Marvin


Kyle Howson

Feb 11, 2017, 12:07:52 AM
to Modern Honey Network, jason...@gmail.com, jason...@threatstream.com, mde...@neosecure.com
Hi Marvin,

Try hitting q to exit that screen and continue the install.


Marvin De Haas

Feb 13, 2017, 10:32:39 AM
to Kyle Howson, Modern Honey Network, jason...@gmail.com, jason...@threatstream.com

Hi Jason,

Good, I just finished the installation.

I noticed that one service, Mnemosyne, has not been started yet. What should I do now?

Best regards,

Marvin


Marvin De Haas

Feb 13, 2017, 10:38:59 AM
to Kyle Howson, Modern Honey Network, jason...@gmail.com, jason...@threatstream.com

Perhaps it has to do with the Python version, looking at this post?

http://mibmithoney.blogspot.pe/2016/09/mhn-mnemosyne-fatal-status.html

The current Python version is 2.7.12.

Please let me know how to proceed, thanks!!

Jason Trost

Feb 13, 2017, 11:38:38 AM
to Marvin De Haas, Kyle Howson, Modern Honey Network, jason...@threatstream.com
I recommend looking at the mnemosyne logs in /var/log/mhn/.  If you see errors from gevent and SSL then I would bet that it relates to this PR: https://github.com/threatstream/mnemosyne/pull/28 that needs to be merged.

If it is the above issue, the fix is this:

sudo su -
cd /opt/mnemosyne
source env/bin/activate
pip install -U gevent==1.0.2
supervisorctl restart mnemosyne





Marvin De Haas

Feb 13, 2017, 4:35:34 PM
to Jason Trost, Kyle Howson, Modern Honey Network, jason...@threatstream.com

Hi Jason.

Little by little we get this pilot working :)

Yes, you are right, I saw these errors:

I followed your procedure and now it contains the following error while starting the service:

Another thing that happened today is that there was a power outage and the server shut down unexpectedly. Because of that the running services are:

So, two things: how am I able to solve the Mnemosyne issue, and how do I ensure that all services will start correctly after a reboot? Is it recommended to reinstall because of the power outage? Looking at the other logfiles:

It seems that all issues are related to proper rights, “connection refused”. Seems like a database-related issue with MongoDB?

Again, your help is very welcome, thank you.

Best regards,

Marvin


Jason Trost

Feb 13, 2017, 5:06:55 PM
to Marvin De Haas, Kyle Howson, Modern Honey Network, jason...@threatstream.com
It looks like MongoDB is not running. Try restarting it like this:

sudo restart mongo
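The two diagnoses in this thread (gevent/SSL errors in the mnemosyne log, and MongoDB not running after the power outage) can be checked from one script after a reboot. This is an added example, not code from the MHN project or from Jason; it assumes the MHN services run under supervisor with the names shown in the constructed sample, that each service logs to /var/log/mhn/<service>.log, and that the two log excerpts below are constructed illustrations of the symptoms.

```shell
#!/bin/sh
# Added example (not MHN project code): post-reboot health check for an MHN
# server, following the diagnosis in this thread. Service names and log
# paths are assumptions; check yours with `supervisorctl status`.

# Constructed sample of `supervisorctl status` output with mnemosyne down.
SAMPLE_STATUS='honeymap            RUNNING   pid 1201, uptime 0:10:02
hpfeeds-broker      RUNNING   pid 1202, uptime 0:10:02
mhn-celery-worker   RUNNING   pid 1203, uptime 0:10:01
mhn-uwsgi           RUNNING   pid 1204, uptime 0:10:01
mnemosyne           FATAL     Exited too quickly (process log may have details)'

# Constructed sample of a mnemosyne log showing both symptoms from the thread.
SAMPLE_LOG='Traceback (most recent call last):
  File "/opt/mnemosyne/env/lib/python2.7/site-packages/gevent/ssl.py", line 1
ImportError: cannot import name SSLContext
pymongo.errors.ConnectionFailure: [Errno 111] Connection refused'

# not_running: read supervisorctl status lines on stdin and print the name of
# every service whose state is anything other than RUNNING (FATAL, BACKOFF,
# STOPPED, STARTING ...).
not_running() {
    awk '$2 != "RUNNING" { print $1 }'
}

# log_hints: read a service log on stdin and print one remediation hint per
# symptom discussed in the thread: gevent+SSL tracebacks (pin gevent) and
# "connection refused" (MongoDB down). Prints a fallback line if neither.
log_hints() {
    awk '
        /gevent/ && /[Ss][Ss][Ll]/ { g = 1 }
        /[Cc]onnection refused/    { c = 1 }
        END {
            if (g) print "gevent/SSL error: in /opt/mnemosyne run: source env/bin/activate && pip install -U gevent==1.0.2, then supervisorctl restart mnemosyne"
            if (c) print "connection refused: MongoDB is probably down; restart it (sudo restart mongo), then supervisorctl restart mnemosyne"
            if (!g && !c) print "no known symptom found; read the full log"
        }'
}

# check_mhn: live check on a real MHN server (run as root, supervisorctl needs
# it). Returns 0 when every supervised service is RUNNING, 1 otherwise, and
# prints hints from each failed service's log.
check_mhn() {
    down="$(supervisorctl status | not_running)"
    if [ -z "$down" ]; then
        echo "all supervised MHN services are RUNNING"
        return 0
    fi
    echo "not running: $down"
    for svc in $down; do
        log="/var/log/mhn/$svc.log"   # assumed log location
        [ -r "$log" ] && log_hints < "$log"
    done
    return 1
}
```

Call `check_mhn` from cron or a boot script to catch services that did not come back after an unexpected shutdown.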

Marvin De Haas

Feb 13, 2017, 5:30:02 PM
to Jason Trost, Kyle Howson, Modern Honey Network, jason...@threatstream.com

Hi Jason,

Great!

Now I will continue to build a Dionaea honeypot on Ubuntu, and will also use the Splunk integration to export the attack data. At the end I will do the same with a Raspberry Pi.

Is there a recommended version for Dionaea? Is Ubuntu 16 OK?

What Raspberry Pi do you recommend for the Dionaea honeypot?

Thanks!

Jason Trost

Feb 17, 2017, 3:59:07 PM
to Marvin De Haas, Kyle Howson, Modern Honey Network, jason...@threatstream.com
I think Ubuntu 16 is the recommended version now.

Re Raspberry Pi, I just got a Raspberry Pi 3 (this specific package https://www.amazon.com/gp/product/B01DMFQZXK/ref=od_aui_detailpages00?ie=UTF8&psc=1) and it worked fine for dionaea.  I used the latest version of Raspbian as well.


Marvin De Haas

Jul 13, 2017, 12:57:06 PM
to Jason Trost, Kyle Howson, Modern Honey Network, jason...@threatstream.com, Alberto Gomez

 

Hi Jason,

I found some spare time to proceed with the MHN project. At this moment I am trying to deploy the Dionaea honeypot on a separate server with Ubuntu 16.

10.16.1.233 -> MHN server
10.16.1.234 -> Honeypot (to be deployed)

I use the webpage of the MHN server to deploy the Dionaea honeypot and it provides me the following script:

wget "http://10.16.1.233/api/script/?text=true&script_id=4" -O deploy.sh && sudo bash deploy.sh http://10.16.1.233 0XSrb4zY

The installation ends with some errors. Is this the right way to deploy the Dionaea honeypot? Isn't it necessary to provide the IP address of the destination server where I want to deploy it, in this case 10.16.1.234?

Thanks,

Marvin


Kyle Kurdziolek

Jul 14, 2017, 11:19:43 AM
to Modern Honey Network, jason...@gmail.com, thn...@gmail.com, jason...@threatstream.com, ago...@neosecure.com, mde...@neosecure.com
Hey Marvin,

Is your IP public or privately facing right now? I know when I was playing with my MHN in the baby stages to get my feet wet, I would exchange the actual IP with "localhost" and it would download the honeypots needed. Working on fixing it at the moment, but it's an idea for now.

wget "http://localhost/api/script/?text=true&script_id=4" -O deploy.sh && sudo bash deploy.sh http://localhost 0XSrb4zY


Marvin De Haas

Jul 14, 2017, 12:56:04 PM
to Kyle Kurdziolek, Modern Honey Network, jason...@gmail.com, thn...@gmail.com, jason...@threatstream.com, Alberto Gomez

Hi Kyle,

Only accessible on the private network right now.

To make things clear: I should execute the command on the MHN server, right? But how does it know the IP of the honeypot server to deploy to?

wget "http://localhost/api/script/?text=true&script_id=4" -O deploy.sh && sudo bash deploy.sh http://localhost 0XSrb4zY

Best regards,

Marvin


Marvin De Haas

Jul 14, 2017, 2:49:42 PM
to Kyle Kurdziolek, Modern Honey Network, jason...@gmail.com, thn...@gmail.com, jason...@threatstream.com, Alberto Gomez

Hi Kyle,

I ran the command as you indicated on the MHN server and it ends with the same error. It is unable to retrieve the URL; the content is not available on the ubuntu.com website, so something has changed there. Perhaps the content has been moved to another directory. If that is the case we'll have to alter the installation script, because it refers to locations on the internet that do not exist (404 not found).


Marvin De Haas

Jul 14, 2017, 3:03:09 PM
to Kyle Kurdziolek, Modern Honey Network, jason...@gmail.com, thn...@gmail.com, jason...@threatstream.com, Alberto Gomez

I was reading on the internet, and someone was trying the same with Ubuntu 16.04 with MHN and the Dionaea honeypot; he says that this version is not supported and he fixed it using version 14.04.

https://groups.google.com/forum/#!topic/modern-honey-network/TonxQ7K40kE

Could you please confirm if I should continue with version 16 or 14?

Thanks,

Marvin


Marvin De Haas

Jul 14, 2017, 6:24:05 PM
to Kyle Kurdziolek, Modern Honey Network, jason...@gmail.com, thn...@gmail.com, jason...@threatstream.com, Alberto Gomez

Got it already to work with Ubuntu 14!

prof...@hotmail.com

Jul 14, 2017, 6:35:48 PM
to Modern Honey Network, jason...@threatstream.com, mde...@neosecure.com
I am using Ubuntu 14.04 LTS and have not encountered any issues. As for best practices, there are a couple I can recommend. First, do not publish the honeypot IP. Threat actors will find it fast enough. Secondly, before you expose the honeypot to the masses, I would recommend you scan the honeypot with the same open source tools that the average threat actor will use. Some of the honeypots will be identified. You should make modifications to the honeypot so they will not be identified.

  • Dionaea is one that needs modification since nmap can detect it.
  • WordPot uses a standard webpage - change it. Also change the wordpot.conf file.
  • Kippo and Cowrie are two that will need modification. Although I have read where some users have used weak passwords in order for the honeypot to be compromised, I would recommend not to. I have several Cowrie honeypots running. The ones with the strongest passwords are constantly under attack. The one with a weak password encountered a large number of attacks until the password was "discovered". Since the discovery, the traffic to that honeypot is down to a trickle. I also changed the responses stored in /opt/{name}/honeyfs/etc and /opt/{name}/honeyfs/proc to give the honeypot a more realistic look and feel.
  • Glastopf: I changed the content of base.html

Hope this helps.

Marvin De Haas

Jul 14, 2017, 6:39:50 PM
to prof...@hotmail.com, Modern Honey Network, jason...@threatstream.com

Hi, thanks for your recommendation. Yes, for sure the idea is that the honeypot is not detectable by attackers.

In this case I use Dionaea; what should I change so it would not be identified by Nmap?

Marvin


Marvin De Haas

Jul 19, 2017, 9:30:41 AM
to prof...@hotmail.com, Modern Honey Network, jason...@threatstream.com, Alberto Gomez

Dear all,

Back again, and now working on the integration with the HP ArcSight logger.

I have installed the hpfeeds logger for ArcSight and it is logging locally on the MHN server to /var/log/mhn/mhn-arcsight.log, all OK.

Is there a way to write the logs directly to an external HP ArcSight logger? Is there an hpfeeds config file where I can define the IP address, port number, username and password for sending it directly?

Thanks for your recommendations!

Best regards,

Marvin


Marvin De Haas

Jul 26, 2017, 1:20:04 PM
to prof...@hotmail.com, Modern Honey Network, jason...@threatstream.com, Alberto Gomez, Gabriel Robalino

Dear all,

Does anyone have an idea how to publish a customized new URL within the MHN server web interface? What I am looking for is to publish an IP blacklist.

I found the home directory of the Nginx web server, but the content is not recognized yet. Is there a specific config file I have to modify for the content to be visible on the webpage?

Thanks for your help, I'll appreciate it.
