0x00 Introduction to the MHN honeypot
MHN (Modern Honey Network) is an open-source honeypot management platform that simplifies honeypot deployment and makes it easy to collect and aggregate honeypot data. It is developed by ThreatStream, stores its data in MongoDB, and deploys sensors with the intrusion detection system Snort and the honeypots Kippo, Conpot and Dionaea installed. The collected data is displayed through a web interface. According to the official documentation, the systems tested for running the MHN server are Ubuntu 14.04, Ubuntu 16.04 and CentOS 6.9.
GitHub: (https://github.com/threatstream/mh)
0x01 Supported honeypot types
- Snort
- Suricata
- Dionaea
- Conpot
- Kippo
- Amun
- Glastopf
- WordPot
- ShockPot
- P0f
0x02 MHN architecture
0x03 Installing and using MHN
1. Installing the MHN management server on Ubuntu
# OS: Ubuntu 16.04; update the system and run the automated install script
sudo apt update
sudo apt upgrade -y
sudo apt-get install git -y
cd /opt
sudo git clone https://github.com/threatstream/mhn.git
cd mhn/
sudo ./install.sh
# Configure the server; the email and password entered here are the login for the web backend once installation finishes
Do you wish to run in Debug mode?: y/n n
Superuser email: root@backlion.org
Superuser password: (again):
Server base url ["http://155.138.147.248"]:
Honeymap url [":3000"]: http://155.138.147.248:3000
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:
Would you like to integrate with Splunk? (y/n)n
Would you like to install ELK? (y/n)n
# Splunk and ELK integration; I chose not to configure them here
2. MHN configuration
2.1 Deploying honeypots with the agent
In the Deploy menu, select the honeypot type to deploy and copy the deployment script to install it.
For example, to deploy the conpot honeypot, run the following on the target system:
wget "http://155.138.147.248/api/script/?text=true&script_id=15" -O deploy.sh && sudo bash deploy.sh http://155.138.147.248 lfDWqAN
2.2 Integrating Splunk and ArcSight
Splunk
cd /opt/mhn/scripts/
sudo ./install_hpfeeds-logger-splunk.sh
sudo ./install_splunk_universalforwarder.sh
tail -f /var/log/mhn/mhn-splunk.log
This logs events as key/value records to /var/log/mhn/mhn-splunk.log (the file the tail command above follows); the Splunk Universal Forwarder should monitor this log.
ArcSight
cd /opt/mhn/scripts/
sudo ./install_hpfeeds-logger-arcsight.sh
tail -f /var/log/mhn/mhn-arcsight.log
2.3 Disabling data reporting
By default the MHN server reports analysis data to Anomali. To disable this, run:
cd /opt/mhn/scripts/
sudo ./disable_collector.sh
3. Deploying honeypots with MHN
SSH honeypot test
# Honeypot host: 155.138.151.176
# Honeypot deployed: dionaea
wget "http://155.138.147.248/api/script/?text=true&script_id=4" -O deploy.sh && sudo bash deploy.sh http://155.138.147.248 lfDWqANT
# Brute-force attempt against the honeypot
hydra -l root -P password.txt mssql://155.138.151.176
4. Web interface overview
1. The screen below shows the attack report details: the attacker's source IP address, destination port, protocol, honeypot type and so on.
2. The screen below lists the attack payload report (sensor, source IP address, destination port, etc.).
3. The screen below lists the installed agent sensors.
4. The screens below show the top usernames and passwords tried by attackers.
5. Opening the following address shows the real-time attack map (honeymap).
0x05 Troubleshooting and security settings
1. Checking service status
root@mhn:/opt/mhn/scripts# sudo /etc/init.d/nginx status # check nginx status
* nginx is running
root@mhn:/opt/mhn/scripts# sudo /etc/init.d/supervisor status # check supervisor status
is running
root@mhn:/opt/mhn/scripts# sudo supervisorctl status # check the status of all honeypot system components
geoloc RUNNING pid 31443, uptime 0:00:12
honeymap RUNNING pid 30826, uptime 0:08:54
hpfeeds-broker RUNNING pid 10089, uptime 0:36:42
mhn-celery-beat RUNNING pid 29909, uptime 0:18:41
mhn-celery-worker RUNNING pid 29910, uptime 0:18:41
mhn-collector RUNNING pid 7872, uptime 0:18:41
mhn-uwsgi RUNNING pid 29911, uptime 0:18:41
mnemosyne RUNNING pid 28173, uptime 0:30:08
root@mhn:/opt/mhn/scripts# sudo supervisorctl restart all # restart all honeypot system components
Under normal conditions the services look like this:
geoloc RUNNING pid 31443, uptime 0:00:12
honeymap RUNNING pid 30826, uptime 0:08:54
hpfeeds-broker RUNNING pid 10089, uptime 0:36:42
mhn-celery-beat RUNNING pid 29909, uptime 0:18:41
mhn-celery-worker RUNNING pid 29910, uptime 0:18:41
mhn-collector RUNNING pid 7872, uptime 0:18:41
mhn-uwsgi RUNNING pid 29911, uptime 0:18:41
mnemosyne RUNNING pid 28173, uptime 0:30:08
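A small health check over the listing above, written as an added example (it is not part of the original post or of the MHN project): it parses `supervisorctl status` output and reports every expected MHN component that is missing or not in the RUNNING state, which is exactly the condition the honeymap and mhn-celery-worker fixes in the next two subsections deal with. The component list is taken from the listing above; the sample input is constructed, with two lines changed to FATAL.

```python
"""Health check over `supervisorctl status` output for the MHN components."""
import re
from typing import Dict, List

# Components an MHN server runs under supervisor (taken from the listing above).
EXPECTED_COMPONENTS = {
    "geoloc", "honeymap", "hpfeeds-broker", "mhn-celery-beat",
    "mhn-celery-worker", "mhn-collector", "mhn-uwsgi", "mnemosyne",
}

# Constructed sample: the healthy listing with honeymap and the celery worker in FATAL.
SAMPLE_STATUS = """\
geoloc                           RUNNING   pid 31443, uptime 0:00:12
honeymap                         FATAL     Exited too quickly (process log may have details)
hpfeeds-broker                   RUNNING   pid 10089, uptime 0:36:42
mhn-celery-beat                  RUNNING   pid 29909, uptime 0:18:41
mhn-celery-worker                FATAL     Exited too quickly (process log may have details)
mhn-collector                    RUNNING   pid 7872, uptime 0:18:41
mhn-uwsgi                        RUNNING   pid 29911, uptime 0:18:41
mnemosyne                        RUNNING   pid 28173, uptime 0:30:08
"""

# <program name> <STATE> <free text>; supervisor states are upper case (RUNNING, FATAL, BACKOFF, ...)
_LINE = re.compile(r"^(\S+)\s+([A-Z_]+)\s*(.*)$")


def parse_status(text: str) -> Dict[str, str]:
    """Map each supervisor program name to its reported state."""
    states = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            states[m.group(1)] = m.group(2)
    return states


def unhealthy(states: Dict[str, str]) -> List[str]:
    """Expected components that are absent from the listing or not RUNNING, sorted by name."""
    problems = []
    for name in sorted(EXPECTED_COMPONENTS):
        state = states.get(name, "MISSING")
        if state != "RUNNING":
            problems.append(f"{name}: {state}")
    return problems


if __name__ == "__main__":
    # On a real server, feed it the output of: sudo supervisorctl status
    for problem in unhealthy(parse_status(SAMPLE_STATUS)):
        print(problem)
```

Run it against the live output of `sudo supervisorctl status` from a cron job and you have a one-line alert whenever a component drops out of RUNNING, instead of noticing only when the attack map stops updating.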
2. Fixing honeymap in the FATAL state
First remove the old golang:
sudo rm -rf /usr/bin/go
sudo apt-get remove golang-go
sudo apt-get remove --auto-remove golang-go
Install golang. Installing it with apt-get install golang fails later because the packaged version is too old, so download the prebuilt package directly:
wget https://storage.googleapis.com/golang/go1.9.linux-amd64.tar.gz
Extract it, then configure it as follows:
sudo tar -xzf go1.9.linux-amd64.tar.gz -C /usr/local/ # adjust the archive name to match the one you downloaded
Export the environment variables:
export GOROOT=/usr/local/go
export GOARCH=amd64
export GOOS=linux
export GOBIN=$GOROOT/bin/
export GOTOOLS=$GOROOT/pkg/tool/
export PATH=$GOBIN:$GOTOOLS:$PATH
Install the net dependency and restart all honeypot system components:
cd /opt/honeymap/server
export GOPATH=/opt/honeymap/server
mkdir -p $GOPATH/src/golang.org/x/
cd $GOPATH/src/golang.org/x/
git clone https://github.com/golang/net.git net
go install net
sudo supervisorctl restart all
3. Fixing mhn-celery-worker in the FATAL state
cd /var/log/mhn/
sudo chmod 777 mhn.log
sudo supervisorctl start mhn-celery-worker
If that still does not work:
cd /var/log/mhn/ # check the celery-worker error log
tail -f mhn-celery-worker.err
The error reported is:
worker.err supervisor: couldn't chdir to /root/mhn/server: EACCES supervisor: child process was not spawned)
The error means the supervisor-managed process cannot enter /root/mhn/server, so change the permissions on root's home directory:
chmod 777 -R /root # adjust the permissions
4. Manual password reset
If the email-based password reset does not work for you, here is an alternative.
# cd /opt/mhn/server/server/
# apt install sqlite3
# sqlite3 mhn.db
SQLite version 3.7.9 2011-11-01 00:52:41
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from user;
1|USERNAME@SITE.com|sklfdjhkasdlfhklsadhfklasdhfkldsahklsd|1|
sqlite>.quit
$ cd /opt/mhn/server/
$ source env/bin/activate
$ cd server
$ python manual_password_reset.py
Enter email address: YOUR_USER@YOUR_SITE.com
Enter new password:
Enter new password (again):
user found, updating password
5. Network troubleshooting
$ sudo netstat -luntp # list the open network ports
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 561/sshd
tcp6 0 0 :::21 :::* LISTEN 3763/dionaea
tcp6 0 0 :::22 :::* LISTEN 561/sshd
tcp6 0 0 :::1433 :::* LISTEN 3763/dionaea
tcp6 0 0 :::443 :::* LISTEN 3763/dionaea
tcp6 0 0 :::445 :::* LISTEN 3763/dionaea
tcp6 0 0 :::5060 :::* LISTEN 3763/dionaea
tcp6 0 0 :::5061 :::* LISTEN 3763/dionaea
tcp6 0 0 :::135 :::* LISTEN 3763/dionaea
tcp6 0 0 :::3306 :::* LISTEN 3763/dionaea
tcp6 0 0 :::42 :::* LISTEN 3763/dionaea
tcp6 0 0 :::80 :::* LISTEN 3763/dionaea
udp 0 0 0.0.0.0:68 0.0.0.0:* 464/dhclient3
udp 0 0 0.0.0.0:40077 0.0.0.0:* 3763/dionaea
udp6 0 0 :::5060 :::* 3763/dionaea
udp6 0 0 :::69 :::* 3763/dionaea
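An audit of the listing above, added here as an example that is not from the original post or from the MHN or dionaea projects: it parses `netstat -luntp` output and flags any listening socket owned by a program other than the ones we expect on a dionaea sensor, so a leftover service or an unexpected listener stands out among the honeypot's many ports. The expected-program set (dionaea, sshd, dhclient3) is an assumption drawn from the listing above; the sample input is constructed from that listing plus one extra listener on port 10000 to show what a flagged entry looks like.

```python
"""Audit `netstat -luntp` output on a honeypot sensor for unexpected listeners."""
import re
from typing import List, NamedTuple

# Programs expected to listen on the dionaea sensor shown above (assumption):
# sshd for management, dhclient3 for DHCP, dionaea for the honeypot itself.
EXPECTED_PROGRAMS = {"dionaea", "sshd", "dhclient3"}


class Listener(NamedTuple):
    proto: str
    port: int
    pid: int
    program: str


# Constructed sample: lines from the listing above plus one extra listener on 10000.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      561/sshd
tcp6       0      0 :::21                   :::*                    LISTEN      3763/dionaea
tcp6       0      0 :::445                  :::*                    LISTEN      3763/dionaea
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      980/python
udp        0      0 0.0.0.0:68              0.0.0.0:*                           464/dhclient3
udp6       0      0 :::69                   :::*                                3763/dionaea
"""

_PID_PROG = re.compile(r"^(\d+)/(\S+)$")


def parse_netstat(text: str) -> List[Listener]:
    """Extract (proto, port, pid, program) from each tcp/udp socket line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or blank line
        # Local Address is field 3; the port follows the last ':' (handles ':::21' too)
        port = int(fields[3].rsplit(":", 1)[1])
        m = _PID_PROG.match(fields[-1])
        if not m:
            continue  # PID/Program is '-' when netstat is not run as root
        listeners.append(Listener(fields[0], port, int(m.group(1)), m.group(2)))
    return listeners


def unexpected_listeners(listeners: List[Listener]) -> List[Listener]:
    """Sockets owned by a program outside the expected set."""
    return [l for l in listeners if l.program not in EXPECTED_PROGRAMS]


def honeypot_ports(listeners: List[Listener], program: str = "dionaea") -> List[int]:
    """Sorted distinct ports exposed by the honeypot process, for comparison with the firewall allow-list."""
    return sorted({l.port for l in listeners if l.program == program})


if __name__ == "__main__":
    # On a real sensor, feed it the output of: sudo netstat -luntp
    found = parse_netstat(SAMPLE_NETSTAT)
    print("honeypot ports:", honeypot_ports(found))
    for l in unexpected_listeners(found):
        print(f"unexpected: {l.proto} port {l.port} pid {l.pid} ({l.program})")
```

The honeypot port list is the useful by-product: it is what the firewall allow-list on the sensor should contain, and a diff between the two after each redeploy catches both a honeypot module that silently failed to bind and a port that was left open by mistake.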
$ sudo iptables -L # show the firewall rules
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ sudo tcpdump -nnNN tcp port 10000 # capture the traffic on TCP port 10000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:46:14.009646 IP 1.2.3.4.42873 > 5.6.6.8.10000: Flags [P.], seq 1180349317:1180349611, ack 2474834734, win 913, options [nop,nop,TS val 85084174 ecr 169636000], length 294
16:46:14.012967 IP 5.6.6.8.10000 > 1.2.3.4.42873: Flags [.], ack 294, win 162, options [nop,nop,TS val 169661444 ecr 85084174], length 0
# netstat -luntp | grep 10000 # check the state of port 10000
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 980/python
$ sudo tail -f hpfeeds-broker.err # check the hpfeeds-broker error log
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by cb5a36e8-55e8-11e9-a746-560001faa574.
INFO:root:Auth success by cb5a36e8-55e8-11e9-a746-560001faa574.
INFO:root:Auth success by mnemosyne.
INFO:root:Auth success by mnemosyne.
$sudo mongo hpfeeds
MongoDB shell version v3.4.20
connecting to: mongodb://127.0.0.1:27017/hpfeeds
MongoDB server version: 3.4.20
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
Server has startup warnings:
2019-04-03T07:28:15.543+0000 I STORAGE [initandlisten]
2019-04-03T07:28:15.543+0000 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2019-04-03T07:28:15.543+0000 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2019-04-03T07:28:15.579+0000 I CONTROL [initandlisten]
2019-04-03T07:28:15.579+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-04-03T07:28:15.579+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2019-04-03T07:28:15.579+0000 I CONTROL [initandlisten]
2019-04-03T07:28:15.579+0000 I CONTROL [initandlisten]
2019-04-03T07:28:15.579+0000 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2019-04-03T07:28:15.579+0000 I CONTROL [initandlisten] **
6. Accessing MHN over HTTPS and restricting open ports
Copy the generated SSL key files to /etc/ssl/private/
Copy the following configuration into /etc/nginx/sites-enabled/
/etc/nginx/sites-enabled/mhn-https
server {
listen 80;
listen 443 ssl;
server_name _;
ssl_certificate /etc/ssl/private/mhn.pem;
ssl_certificate_key /etc/ssl/private/mhn-priv.key;
if ($ssl_protocol = "") {
rewrite ^ https://$host$request_uri? permanent;
}
location / {
try_files $uri @mhnserver;
}
root /opt/www;
location @mhnserver {
include uwsgi_params;
uwsgi_pass unix:/tmp/uwsgi.sock;
}
location /static {
alias /opt/mhn/server/mhn/static;
}
}
/etc/nginx/sites-enabled/honeymap-https
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 8443 ssl;
ssl_certificate /etc/ssl/private/mhn.pem;
ssl_certificate_key /etc/ssl/private/mhn-priv.key;
root /opt/honeymap/client;
index index.html index.htm;
server_name _;
location / {
try_files $uri $uri/ /index.html;
}
location /data/ {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
/etc/nginx/sites-available/splunk-https
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 8001 ssl;
ssl_certificate /etc/ssl/private/mhn.pem;
ssl_certificate_key /etc/ssl/private/mhn-priv.key;
root /tmp;
index index.html index.htm;
server_name _;
location / {
proxy_pass http://localhost:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
The following ports must be open and allowed by the firewall rules on the MHN server; all other ports can be blocked.
TCP:443 TCP:3000
7. Backing up data
Back up the data on the MHN server:
sudo su -
supervisorctl stop all
mongodump --db hpfeeds
mongodump --db mnemosyne
tar zcvf mhn-backup.tar.gz dump /opt/mhn/server/mhn.db
supervisorctl start all
Copy mhn-backup.tar.gz to a safe location.
8. Restoring data
Install MHN with install.sh, then copy mhn-backup.tar.gz to /tmp/ and run the following commands:
sudo su -
supervisorctl stop all
cd /tmp
tar zxvf mhn-backup.tar.gz
cp /tmp/opt/mhn/server/mhn.db /opt/mhn/server/mhn.db # tar strips the leading '/', so the archive unpacks under /tmp/opt/...
service mongod start
dump.sh script:
for FILE in dump/mnemosyne/*.bson;
do
mongorestore --drop --db mnemosyne "$FILE"
done
for FILE in dump/hpfeeds/*.bson;
do
mongorestore --drop --db hpfeeds "$FILE"
done
supervisorctl start all
0x06 Summary
Usage
- Honeypots can be used in many kinds of environments (server rooms, internal networks, cloud);
- Honeypots should be considered after firewalls and intrusion detection; they are a supplementary product for raising an organisation's security level;
- Honeypots are mainly deployed on the corporate intranet, providing early warning and insight into intrusions, e.g. detecting an infected employee PC attacking the intranet, diverting the attacker's attention, and so on;
- A honeypot should be neither too simple nor too complex;
Advantages
- Integrates a large number of honeypot systems out of the box and offers one-click honeypot deployment;
- Supports visualising honeypot attack data and integrates well with ArcSight or Splunk;
Disadvantages
- Deployment takes a long time (arguably not a drawback; with a fast connection this is not an issue);
- No support for centralised management of the honeypots;
0x07 参考资料
Build Your Own Honeypot Network In Under An Hour
https://www.cnblogs.com/Eleven-Liu/p/9284417.html