I’m trying a new Modern Honey Network (MHN) setup utilizing DigitalOcean droplets. I like this approach because the droplets are inexpensive ($5/month) and you can configure the droplets to be connected to a private network as well. The private network will be for configuring anything you would prefer not be routed through the internet facing IP addresses. We want to configure Splunk for example to capture events using the private network.
The layout is pretty straightforward. Configure a droplet with Ubuntu (MHN is primarily built for Ubuntu at this point) and then configure this initial server to run the MHN server. This will be the place you go to log into the console and see the data being collected from your honeypots. The MHN server will also be where you get the various deployment scripts (Kippo, Dionaea, etc.) for use in setting up your honeypots. The MHN server will also be where data is sent to from each honeypot.
Once you get the MHN server configured, it’s just a matter of configuring droplets for use with the different honeypots available in MHN. Setting up a honeypot or sensor is as simple as copying and pasting a deployment script which is available in the MHN server console. You will simply need to paste that deployment script into the command line of your honeypot droplet and that should install everything you need.
Once you have your honeypots configured you should start seeing attacks show up right away. For example when I set up the Kippo honeypot which is for capturing SSH login attempts, it was a matter of mere minutes before attacks started showing up.
Now one other thing you can do once you have your MHN server and sensors configured is to set up a droplet for Splunk. Setting up the free version (Splunk Light) is as simple as running the installer and you are up and running. You will need to configure rsyslog to fire the events at the Splunk server but that’s simple enough. *Remember to configure rsyslog to use the private networking address of the Splunk server instead of the internet facing IP address.
So for Splunk there are a couple things we are doing, we are collecting logs for the server OS itself but we will also be collecting logs for some of the honeypots as well. For example Kippo has a log file that we can add to rsyslog and have rsyslog fire that at Splunk for collection. This way you can simply perform a search in Splunk for the userid/password combinations being attempted by attackers.
Once you have the MHN server and Splunk configured, you should be able to add and delete honeypots as needed. Just remember you will need to configure rsyslog on each new droplet in order to get those events into Splunk but that should really be no more than a copy and paste exercise from already configured rsyslog configuration files.