HFish is a community free honeypot that focuses on enterprise security scenarios. It provides users with independently operable and practical functions from three scenarios: intranet loss detection, internet threat awareness, and threat intelligence production. It increases users' capabilities in the field of loss awareness and threat intelligence through a secure, agile, and reliable middle and low level interactive honeypot.
HFish has more than 40 honeypot environments, free cloud honeynet, highly customizable honeybait capability, one click deployment, cross platform multi architecture, domestic operating system and CPU support, extremely low performance requirements, email/syslog/webhook/enterprise WeChat/nail/fly book alarm and other features to help users reduce operation and maintenance costs and improve operational efficiency.
Â
Architecture
HFish adopts B/S architecture, and the system consists of a management end and a node end. The management end is used to generate and manage the node end, and receive, analyze and display the data returned from the node end. The node end receives the control of the management end and is responsible for building the honeypot service.
System Requirements:
Management | Node | |
---|---|---|
Suggested | 2c4g200G | 1c2g50G |
Minimum | 1c2g100G | 1c1g50G |
Self Hosted Docker Installation Pre-requirements
Free resources you might need to complete this docker project:
- Server:Â Oracle Free VPS, Azure Free VPS, Google Cloud Free VPS, and others
- Create a Free Tier Windows/Linux Azure VPS VM
- [Free VPS] GCP (Google Cloud Platform) Tips and Tricks (Free 16G RAM, 4 vCPU VPS)
- System: Cloud Vendor Ubuntu, Debian, or DD an original version
- SWAP size increase: wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh
- Enable Password ssh login
- Enable BBR
- systemctl restart docker
- Domain: (Optional) EU.ORG to get a free one, free Cloudflare account to manage your domain
- Confirm port has not been used (you might need to install lsof using command :Â apt install lsof):
- lsof -i:8088
Pre-installed services:
- Docker,Â
- apt update
- apt install docker.io
- apt install docker-compose
- apt upgrade docker.io
- mkdir /root/data/docker_data/<docker_name>
- Docker-Compose (Using Ubuntu OS for the commands)
- Docker-compose down
- Optional command : use following command to backup your Docker data. You might need to change your folder name based on your docker configuraiton
- cp -r /root/data/docker_data/<docker_name> /root/data/docker_data_backup/<docker_name>
- docker-compose pull
- docker-compose up -d
- docker image prune
- Portainer (Optional)
- docker volume create portainer_data
- docker run -d -p 9000:9000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
- Install some applications: apt install wget curl sudo vim git (Optional)
- aapanel with Nginx (Optional)
- Nginx Proxy Manager (Optional)
- Install screen (Optional)
- Install screen (Depends on the Linux Distribution if it came pre installed or not) : yum install screen
- Initiate a Screen : screen or  screen -S <screen name> <command to execute>
- Detach from the screen : "CTRL+A,D" not "CTRL+A+D"
- List all the screen currently working :Â screen -ls
- Reattach to a screen : screen  -r  <session number> or screen -r <screen name>
- Kill specific screen:Â screen -X -S <screen name> quit
- Kill all screens :Â pkill screen
Monitoring Usage
- Docker stats
- ncdu
- apt install ncdu
Remove Docker and Related folders
- docker stop <Docker Name> # stop the docker but not remove anything.Â
- docker rm -f <Docker Name>  # remove speficic container, but will not delete mapped volumes
- rm -rf /root/data/docker_data/<Docker Mapped Volumns>Â # remove all mapped volumes
Restrick Journal Log File Size:
- journalctl --vacuum-size=100M
- Limit it to 25M:
SystemMaxUse=25M
systemctl restart systemd-journald.service
sudo bash -c 'echo "SystemMaxUse=100M" >> /etc/systemd/journald.conf'
sudo systemctl restart systemd-journald
Enable IPv6 and Limit Log File Size (Ubuntu)
sudo sh -c 'truncate -s 0 /var/lib/docker/containers/*/*-json.log'
cat > /etc/docker/daemon.json << EOF
{
"log-driver": "json-file",
"log-opts": {
"max-size": "20m",
"max-file": "3"
},
"ipv6": true,
"fixed-cidr-v6": "fd00:dead:beef:c0::/80",
"eixperimental":true,
"ip6tables":true
}
EOF
cat <<EOF > /etc/docker/daemon.json { "live-restore": true, "storage-driver": "overlay2", "log-opts": { "max-size": "10m" } } EOF
systemctl restart docker
Limit number of log files:
cat /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
You can change 4
 to some other value, such as 1
, so that only one file is stored.
Docker Installation Steps
1Â Pre-requisites verification
Docker version
2Â Â Docker Run command :
docker run -itd --name hfish \
-v /usr/share/hfish:/usr/share/hfish \
--network host \
--privileged=true \
threatbook/hfish-server:latest
3Â Docker Run command with auto-upgrade
docker run -d \
--name watchtower \
--restart unless-stopped \
-v /var/run/docker.sock:/var/run/docker.sock \
--label=com.centurylinklabs.watchtower.enable=false \
--privileged=true \
containrrr/watchtower \
--cleanup \
hfish \
--interval 3600
4Â Log in
Make sure firewall opened port 4433 tcp. But if you have opened all ports to Internet for your Honeypot, you can ignore this 4433 port.Â
Web Address:https://[server]:4433/web/ Username:admin Password:HFish2021
Screenshots
Threat Monitor
Linux / Windows Installation Commands
For Linux: ÂWeb Address:https://[server]:4433/web/ Username:admin Password:HFish2021
Use Own Domain Access it
Cloudflare:- add an A record to point to NPM server
- Add a Proxy Host with https
- https://hfish.51sec.eu.org/
- $host
- $http_host
- $server
Clean DB data
 Since we are using SQLite as DB, you might want to clean up data regularly.ÂVideos
ÂReferences
Docker Hub:Â
- https://hub.docker.com/r/threatbook/hfish-server
- https://github.com/hacklcx/HFish-English/
- https://github.com/hacklcx/HFish
- https://hfish.net/#/docs
- https://a8dog.com/da-jian-yi-ge-hfish-mi-guan-jie-shou-quan-wang-gong-ji
because some parts of Hfish honeypot use Chinese language and characters, so when running docker first time I added some environment commands in HFish Honeypot, so here the script :
ReplyDeletedocker run -itd --name hfish \
-v /usr/share/hfish:/usr/share/hfish \
--network host \
--privileged=true \
-e LANG=en_US.UTF-8 \
-e LANGUAGE=en_US:en \
-e LC_ALL=en_US.UTF-8 \
--restart unless-stopped \
threatbook/hfish-server:latest
docker run -d \
--name watchtower \
--restart unless-stopped \
-v /var/run/docker.sock:/var/run/docker.sock \
--label=com.centurylinklabs.watchtower.enable=false \
--privileged=true \
containrrr/watchtower \
-e LANG=en_US.UTF-8 \
-e LANGUAGE=en_US:en \
-e LC_ALL=en_US.UTF-8 \
--cleanup \
--restart unless-stopped \
hfish \
--interval 3600
refference : https:// stackoverflow.com /questions/28405902/how-to-set-the-locale-inside-a-debian-ubuntu-docker-container (remove the space between it)
There is still chinese word with Crafty Kiddos command :
ReplyDeletehere i have better solution with docker compose (helped with ai Copilot)
-------------- START Docker FILE -------------
FROM alpine:latest
# Install necessary packages
RUN apk add --no-cache \
bash \
curl \
tzdata \
&& rm -rf /var/cache/apk/*
# Set environment variables
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
# Set the working directory
WORKDIR /usr/share/hfish
# Copy application files
COPY . /usr/share/hfish
------------------------ END Dockerfile -------------------------
---------------------- START docker-compose.yml ------------------
version: '3.9'
services:
hfish:
image: threatbook/hfish-server:latest
container_name: hfish
volumes:
- /usr/share/hfish:/usr/share/hfish
network_mode: host
privileged: true
environment:
- LANG=en_US.UTF-8
- LANGUAGE=en_US:en
- LC_ALL=en_US.UTF-8
restart: unless-stopped
mysql:
image: mysql:8.0.26
container_name: mysql
volumes:
- mysql_data:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: yourpassword
MYSQL_DATABASE: hfishdb
MYSQL_USER: hfishuser
MYSQL_PASSWORD: yourpassword
ports:
- "3307:3306"
restart: unless-stopped
watchtower:
image: containrrr/watchtower:latest
container_name: watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WATCHTOWER_CLEANUP=true
- WATCHTOWER_POLL_INTERVAL=3600 # Check for updates every hour
restart: unless-stopped
volumes:
mysql_data:
---------------------- END docker-compose.yml ------------------