Many articles in my blog are dedicated to malware analysis. All of them involve downloading the malware from collections such as any.run or hybrid-analysis.com, or a friend providing me a malware sample. In this article, I describe my procedure to set up a honeypot using the Modern Honeypot Network (MHN) Framework and the Dionaea honeypot on Amazon AWS. I will also go on to show how Dionaea logs can be integrated with Splunk.
Prerequisites: At least a free-tier account on AWS.
Setting Up MHN Server
The MHN server will be an EC2 instance on Amazon AWS. After it is fully operational, it will have the following ports open:
- 80: MHN dashboard (my IP only)
- 22: SSH for administration (my IP only)
- 3000: MHN attack map (my IP only)
- 10000: Dionaea honeypot traffic (Dionaea honeypot IP only)
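As an added example (not part of the original post), here is a small check for the rule set just described, meant to be run from the admin workstation: it reads port/CIDR pairs for the MHN server's security group and reports any rule that is wider than the policy (22, 80 and 3000 from my IP only, 10000 from the honeypot only, nothing else). The two addresses are placeholders from documentation ranges and the function names are mine; the pairs can be produced from the output of aws ec2 describe-security-groups --group-ids (taking FromPort and each IpRanges[].CidrIp of every IpPermissions entry).

```shell
#!/bin/sh
# Added example, not part of the original post: checks a list of inbound rules on the
# MHN server's security group against the port policy above. The two addresses are
# placeholders (documentation ranges); replace them with your own.
MY_IP="${MY_IP:-203.0.113.10}"             # admin workstation
HONEYPOT_IP="${HONEYPOT_IP:-198.51.100.20}" # Dionaea instance

# Reads "<port> <cidr>" pairs from stdin (one per rule and source range), prints one
# line per rule that is wider than the policy allows, and returns 1 if any were found.
check_mhn_ingress() {
  violations=0
  while read -r port cidr; do
    [ -n "$port" ] || continue
    case "$port" in
      22|80|3000)
        [ "$cidr" = "$MY_IP/32" ] || { echo "port $port open to $cidr, expected $MY_IP/32"; violations=1; } ;;
      10000)
        [ "$cidr" = "$HONEYPOT_IP/32" ] || { echo "port $port open to $cidr, expected $HONEYPOT_IP/32"; violations=1; } ;;
      *)
        echo "unexpected port $port open to $cidr"; violations=1 ;;
    esac
  done
  return "$violations"
}

# Constructed sample rule set: the attack map port was left open to the whole Internet.
sample_rules() {
  cat <<EOF
22 $MY_IP/32
80 $MY_IP/32
3000 0.0.0.0/0
10000 $HONEYPOT_IP/32
EOF
}

# Run the constructed sample when executed directly with --demo.
if [ "${1:-}" = "--demo" ]; then sample_rules | check_mhn_ingress; fi
```

Running it with --demo prints the one offending rule (port 3000 open to 0.0.0.0/0) and exits non-zero, which makes it usable as a periodic check after any change to the security group.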
EC2 Instance
At this point of the setup process, I'll open SSH port 22 accessible from my IP only. This will allow me to log in and execute scripts to install MHN on this instance.

In order to SSH into the server, I'll create a public/private key pair and download the private key.

SSH into EC2 Instance
The downloaded private key has a file format of .pem, which is incompatible with PuTTY, which uses the .ppk file format. So, I used PuTTYgen to convert the .pem private key into an RSA .ppk file and saved it without any passphrase.

In PuTTY, I set the above private key to be used for authentication and the IPv4 address of the MHN server (refer to the instance dashboard in AWS). By default, the login username is ubuntu.



Installing MHN on EC2 Instance
After SSH'ing into the server, I ran the following command to ensure all packages are updated on the server:
sudo apt update && sudo apt upgrade -y


The following commands start the installation of MHN on the server:
cd /opt
sudo git clone https://github.com/pwnlandia/mhn.git
cd mhn
sudo ./install.sh
The installation will ask for specific administrative parameters. Fill them in according to your needs.

Since I sit behind my University's proxy, I was unable to set up a forwarder on the MHN server to transmit logs to the Splunk instance running on my laptop. So, I will not be integrating MHN with Splunk and ELK. Adding rules to UFW is not needed at this point.

I executed the following commands to ensure all MHN related services were up and running:
sudo /etc/init.d/nginx status
sudo /etc/init.d/supervisor status
sudo supervisorctl status


Setting Up Dionaea Honeypot
The command to deploy the Dionaea honeypot is available on the MHN server's dashboard. To log in to the dashboard, I had to add a rule to the MHN server's network configuration to allow HTTP port 80 traffic from my IP.

On the dashboard login portal, I logged in with the same credentials that I used during the MHN server's installation.


Dionaea Deploy Command
On the MHN server's dashboard, click on the Deploy tab and select Ubuntu/Raspberry Pi - Dionaea on the resulting page. Also, notice that there are many honeypot types to choose from besides Dionaea.

The above deploy command installs the Dionaea honeypot, so it must be run on a new EC2 server. (The steps to create the new EC2 server are the same as before.) Before executing the above deploy command, an HTTP rule needs to be added to the MHN server's network configuration. It must allow the Dionaea honeypot IP to connect to it.

If the IP address of the Dionaea honeypot changes for whatever reason, Dionaea must be uninstalled from the server and the deploy command must be executed again. Also, the network configuration rule for port 10000 on the MHN server needs to be modified accordingly to allow traffic from Dionaea.
Logging Control
To decrease the amount of logging, I implemented the following measures:
- only error level logs.
- log rotation and time-based log compression/deletion for bistreams.
Error Level Logging
This modification is made in the file /opt/dionaea/etc/dionaea/dionaea.cfg.
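The post does not show the setting itself, so as an added example (not code from the post or from the dionaea project) here is a small shell helper that changes one key=value line in dionaea.cfg and keeps a backup. The key names default.levels (the logging level list) and download.dir (the binaries directory mentioned later in the post) are my assumption about the dionaea.cfg layout; check them against your installed file before relying on them.

```shell
#!/bin/sh
# Added example, not from the original post: change one setting in dionaea.cfg from a
# shell session. The key names used in the sample (default.levels, download.dir) are my
# assumption about the dionaea.cfg layout; verify them against the installed file.

# set_cfg_value <cfg-file> <key> <value>: rewrite "key=..." in place, keeping a .bak copy.
# dionaea.cfg keys are dotted and unique across the file, so a line-based replace is safe.
set_cfg_value() {
  cfg="$1"; key="$2"; val="$3"
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape the dots for the regex
  cp -p "$cfg" "$cfg.bak"
  sed "s|^$esc=.*|$key=$val|" "$cfg.bak" > "$cfg"
}

# get_cfg_value <cfg-file> <key>: print the current value (empty if the key is absent).
get_cfg_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s|^$esc=||p" "$1"
}

# Constructed minimal config (not a copy of the real file) for a dry run on a temp file.
write_sample_cfg() {
  cat > "$1" <<'EOF'
[dionaea]
download.dir=/opt/dionaea/var/lib/dionaea/binaries/

[logging]
default.levels=all
default.domains=*
EOF
}
```

On the honeypot, source the file and run set_cfg_value /opt/dionaea/etc/dionaea/dionaea.cfg default.levels error as root, then restart dionaea (the post uses service dionaea restart) for the change to take effect. The .bak copy makes it easy to compare or roll back.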

Bistreams Log Rotation
I created the file /etc/logrotate.d/dionaea and copied the following code into it. The code is also available in the Dionaea documentation. Logs are rotated every 7 days.
/opt/dionaea/var/dionaea/dionaea*.log {
notifempty
missingok
rotate 7
daily
delaycompress
compress
create 660 root root
dateext
postrotate
service dionaea restart
endscript
}
Time-based Bistreams Log Compression/Deletion
I installed the following code as a script, bistreamZipDel, in a cron job that runs every hour, every day. It compresses bistreams logs which are more than one hour old and deletes those which are more than six hours old. Note that the cron job is installed for the root user to take care of permissions issues.
#!/bin/bash
# Bistreams for the current day live in a directory named YYYY-MM-DD
bistreamsDir=$(date +%Y-%m-%d)
zipDir=/home/ubuntu/bistreamsZip
# Name the archive once per run, so zip -u adds every file of this run to the same archive
zipFile=$zipDir/$bistreamsDir-$(date +%M-%S).zip
mkdir -p "$zipDir"   # zip cannot create the destination directory itself
function zipFiles() {
  while read -r line1; do
    zip -u "$zipFile" "$line1"
  done
}
# Compress bistream files older than 1 hour
find /opt/dionaea/var/lib/dionaea/bistreams/$bistreamsDir/ -type f -mmin +60 | zipFiles
# Clear bistream logs from dionaea every 6 hours
find /opt/dionaea/var/lib/dionaea/bistreams/$bistreamsDir/ -type f -mmin +360 -exec rm {} \;
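The script above only looks at today's YYYY-MM-DD directory, so a stream written shortly before midnight is never compressed or removed once the date rolls over. As an added example (not the post's script), the following housekeeping walks every per-day directory under bistreams/, gzips streams older than an hour into one archive directory per day (skipping streams already archived by an earlier run), deletes raw streams older than six hours and removes day directories left empty. The default paths and ages follow the post; BISTREAMS_DIR, ARCHIVE_DIR, the two *_MIN variables and the function names are mine, and install_cron assumes the script is saved under a path containing bistreamZipDel.

```shell
#!/bin/sh
# Added example (not the post's script): same housekeeping idea, but it walks every
# per-day directory under bistreams/ instead of only today's, so files left over from
# the previous day are still compressed and removed. Defaults follow the post; the
# variable and function names are my own.
BISTREAMS_DIR="${BISTREAMS_DIR:-/opt/dionaea/var/lib/dionaea/bistreams}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/home/ubuntu/bistreamsZip}"
COMPRESS_AFTER_MIN="${COMPRESS_AFTER_MIN:-60}"   # gzip raw streams older than 1 hour
DELETE_AFTER_MIN="${DELETE_AFTER_MIN:-360}"      # delete raw streams older than 6 hours

# gzip each raw stream older than COMPRESS_AFTER_MIN into ARCHIVE_DIR/<day>/,
# skipping streams that an earlier run already archived.
archive_old_streams() {
  find "$BISTREAMS_DIR" -mindepth 2 -type f -mmin +"$COMPRESS_AFTER_MIN" | while read -r f; do
    day=$(basename "$(dirname "$f")")
    mkdir -p "$ARCHIVE_DIR/$day"
    target="$ARCHIVE_DIR/$day/$(basename "$f").gz"
    [ -e "$target" ] || gzip -c "$f" > "$target"
  done
}

# Remove raw streams older than DELETE_AFTER_MIN, then any per-day directory left empty.
delete_old_streams() {
  find "$BISTREAMS_DIR" -mindepth 2 -type f -mmin +"$DELETE_AFTER_MIN" -delete
  find "$BISTREAMS_DIR" -mindepth 1 -maxdepth 1 -type d -empty -delete
}

housekeep_bistreams() { archive_old_streams && delete_old_streams; }

# Install <script-path> as an hourly job in root's crontab (run as root, as the post does);
# assumes the script path contains "bistreamZipDel" so a previous entry is replaced.
install_cron() {
  ( crontab -l 2>/dev/null | grep -v bistreamZipDel; echo "0 * * * * $1" ) | crontab -
}

# Run the housekeeping when executed directly with --run.
if [ "${1:-}" = "--run" ]; then housekeep_bistreams; fi
```

The archive keeps growing on its own schedule, so retention for ARCHIVE_DIR (for example a second find -mtime over it) still has to be decided separately; the point here is that the raw-stream directories no longer depend on the day the script happens to run.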

Open Dionaea to the World
Dionaea sends TCP data to port 10000 on the MHN server, so that port needs to be accessible from the Dionaea honeypot IP. Also, the attack map is available on port 3000, but that is only for admin use, so I'll open that port to be accessible only from my IP.

Now that Dionaea is fully set up, the last step is to open all ports for attackers to discover and attack it. Or, if you are looking to monitor only specific ports, then only those ports can be opened.

Almost instantly, Dionaea is discovered and poked at.

Malware Collection
My primary motivation to set up a honeypot was to collect fresh malware binaries. The Dionaea honeypot collects any dropped malware binaries in the directory /opt/dionaea/var/lib/dionaea/binaries. This path can be configured in /opt/dionaea/etc/dionaea/dionaea.cfg.

Splunk and MHN
Since I wasn't able to set up a forwarder on the MHN server, I decided to manually load data into Splunk. The MHN server is capable of generating logs that can be easily read by Splunk. These are stored in the file /var/log/mhn/mhn-splunk.log. This feature can be enabled by executing the following commands:
cd /opt/mhn/scripts
sudo ./install_hpfeeds-logger-splunk.sh


Like the Dionaea logs, Splunk logs more than 2 days old will be deleted using the following code in a script run as a cron job.
# Clear splunk logs every 48 hours
# -mmin tests the modification time, so this matches (and removes the whole file)
# only once nothing has been written to mhn-splunk.log for 48 hours
find /var/log/mhn/mhn-splunk.log -type f -mmin +2880 -exec rm {} \;
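The cron entry above removes mhn-splunk.log as a whole once its modification time is 48 hours old. As an added example that is not part of the post, here is a copy-then-truncate rotation for that file: it keeps the last KEEP_DAYS daily copies and leaves the live file in place for the hpfeeds logger that writes it. A long-running writer keeps its log file open, so removing the file with rm frees no space until the process is restarted and later events end up in an unlinked inode; that is standard Unix behaviour rather than something the post states. The path and the two-day retention follow the post; the variable and function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: age-based retention for mhn-splunk.log that keeps the
# live file's inode. The logger holds the file open, so "rm" would free no space and later
# events would be written to an unlinked file; copying then truncating avoids both.
LOG_FILE="${LOG_FILE:-/var/log/mhn/mhn-splunk.log}"
KEEP_DAYS="${KEEP_DAYS:-2}"

# rotate_mhn_log <log-file> <keep>: shift <log>.N up by one, copy the live log to <log>.1,
# truncate the live log in place, and drop the copy that aged out beyond <keep>.
rotate_mhn_log() {
  log="$1"; keep="$2"
  [ -s "$log" ] || return 0            # nothing to rotate
  i=$keep
  while [ "$i" -ge 1 ]; do             # .2 -> .3, .1 -> .2, ...
    [ -f "$log.$i" ] && mv "$log.$i" "$log.$((i+1))"
    i=$((i-1))
  done
  cp -p "$log" "$log.1"                # copy the current contents...
  : > "$log"                           # ...then truncate in place; the writer's fd stays valid
  rm -f "$log.$((keep+1))"             # the copy older than <keep> days is gone
}

# Run once a day from root's crontab, e.g. "0 0 * * * /path/to/this-script --run".
if [ "${1:-}" = "--run" ]; then rotate_mhn_log "$LOG_FILE" "$KEEP_DAYS"; fi
```

The same effect is available from logrotate with the copytruncate directive, which is the better choice on a production box; the function above is small enough to read in full and shows why the in-place truncation matters.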

MHN Splunk App
Splunk has an app which intrinsically contains analytics that support data from MHN. It can be downloaded here. After installing the app, I manually copy-pasted data from /var/log/mhn/mhn-server.log on the MHN server to a file, mhn-server.log, on my local machine. I then imported the file into the Splunk Modern Honey Network app.


Once the file was imported into the Modern Honey Network app, I navigated to the app's dashboard. I modified the time filters of all searches to All time and a wealth of analytics presented itself.

Thanks for reading!
In this article, I described my procedure to set up a honeypot using the MHN Framework and the Dionaea honeypot on AWS. On being attacked, Dionaea collected information about the attacker and stored any dropped malware binaries, which was my primary motivation to set up a honeypot. I also used the Modern Honey Network Splunk app to ingest honeypot data for future data analytics.
Thank you for reading! If you have any questions, leave them in the comments section below and I'll get back to you as soon as I can!