How to Run a Honeypot

I decided to run a honeypot for fun, to see what interesting things I would see. Maybe at some point I’ll share the details in a list and perhaps build some automation fun around the data gathered.

Recommendations:

I would recommend setting up a dedicated VPS for something like this – one that is not connected to any sensitive networks and does not store any sensitive data on it.

I’m going with a $5/month server with Vultr running Arch Linux and then I’ll be using Docker to run heralding. Heralding is a simple honeypot written in Python that spoofs a range of common services and logs the credentials used when an attacker attempts to brute-force a service.

I’d recommend changing the port for SSH to a different port than 22 and then restricting access to that port to only be available to trusted IP addresses.

Installation:

First, install Docker on your Honeypot host.

Let’s create a directory for logs to go:

mkdir -p /opt/honeypot/logs

And let’s create empty files to mount in the container as log files:

touch /opt/honeypot/logs/{log_session.json,log_session.csv,log_auth.csv}

Once Docker is running, run the following command to deploy the heralding container on all the ports it has services for:

docker run -d --restart=unless-stopped \ 
	--name=heralding \
	-v /opt/honeypot/logs/log_session.json:/log_session.json \
	-v /opt/honeypot/logs/log_session.csv:/log_session.csv \
	-v /opt/honeypot/logs/log_auth.csv:/log_auth.csv \
	-p 21:21 \
	-p 22:22 \
	-p 23:23 \
	-p 25:25 \
	-p 80:80 \
	-p 110:110 \
	-p 143:143 \
	-p 443:443 \
	-p 465:465 \
	-p 993:993 \
	-p 995:995 \
	-p 1080:1080 \
	-p 2222:2222 \
	-p 3306:3306 \
	-p 3389:3389 \
	-p 5432:5432 \
	-p 5900:5900 \ 
	heywoodlh/heralding:latest

Now when any brute force attempts are made on your server they will be stored in the logs in /opt/honeypots/logs on your server!

Written on January 31, 2022