Deploying a Modern Honeynet (MHN) Server

Deploying a Modern Honeynet (MHN) Server

Watch real-time attacks with a Modern Honeynet (MHN) Server and MHN sensors

Honeypots are servers specifically designed to catch malicious traffic and users in action. Honeynets are networks for catching them.

The Modern Honeynet project's goal is to make honeynets accessible to anyone willing to give them a try.

Once you deploy a MHN server with the steps below, you can then deploy sensors and have them report their hits to the server.

MHN even provides you with a cool map of the hits once you have a sensor deployed:

MHN map image

Create a base build using the steps provided, but make sure you choose an Ubuntu 14.04.x server build. MHN's git page says to use 12.04, but I used 14.04.5 and it works.

Enable ufw, but allow ports 22, 80, 443, 3000, and 10000.

ufw allow ssh
ufw allow 80
ufw allow 443
ufw allow 3000
ufw allow 10000

ufw enable

ufw status

Output should look like this:

root@ubuntu-Test8888:/opt/mhn# ufw status
Status: active
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
3000                       ALLOW       Anywhere
10000                      ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
3000 (v6)                  ALLOW       Anywhere (v6)
10000 (v6)                 ALLOW       Anywhere (v6)

If you didn't type the IP address of your server during setup for the Honeymap url question, your map won't work until you do the following:

Edit the /opt/mhn/server/ file to update the HONEYMAP_URL server name.

cp /opt/mhn/server/ /opt/mhn/server/

vim /opt/mhn/serve/

Find the line HONEYMAP_URL

HONEYMAP_URL = ':3000'

Edit to read as follows

HONEYMAP_URL = 'http://<your server IP>:3000'

Replacing with the IP address of your server.

You can obtain this by typing
ifconfig | grep inet

and looking for the line with a public IP address.

After saving the edited file, restart the celery service.
sudo supervisorctl restart mhn-uwsgi

Once your server is deployed, log in to it by browsing to the IP address and entering the email address and password you entered during setup.

Check the status of your server

To see how the MHN related services are running, type supervisorctl status.

If you see mhn-celery-worker FATAL Exited too quickly (process log may have details), you may have to change ownership of the mhn.log file (I had to do this sometimes). chown www-data /var/log/mhn/mhn.log. The type supervisorctl start mhn-celery-worker. It should now start normally.

Remember, spinning up DigitalOcean servers costs you money. There's also some risk in taunting the bad guys. I recommend spinning up a sensor and collecting data for a few hours to a few days, then shutting it down and destroying it. You can quickly spin up a new one if you saved an image of your secure base build.

You can deploy sensors quickly and easily which is covered in my next post.

/* Adding copy button to code snippet in Ghost */