[5 Mins Docker] Deploy a free, simple and safe honeypot with Own Domain - HFISH - NETSEC


Cybersecurity Memo

Saturday, July 20, 2024


HFish is a free community honeypot focused on enterprise security scenarios. It gives users independently deployable, practical capabilities in three scenarios: intranet compromise detection, internet threat awareness, and threat intelligence production. Through a secure, agile and reliable medium- and low-interaction honeypot it strengthens users' ability to detect compromise and produce threat intelligence.

HFish ships more than 40 honeypot services, a free cloud honeynet, highly customizable honey-bait (decoy) capability, one-click deployment, cross-platform multi-architecture support (including Chinese domestic operating systems and CPUs), very low resource requirements, and alerting via email, syslog, webhook, WeChat Work, DingTalk and Feishu (Lark). Together these help users reduce operation and maintenance cost and improve operational efficiency.



 


Architecture

HFish is widely used to detect lateral movement by compromised hosts in office intranets, production environments, cloud intranets and similar environments, as well as leaked employee accounts, scanning and probing behaviour and private intelligence production, and even for internal drills and security awareness training. Its various alert outputs can be combined with situational-awareness, NDR, XDR or log platforms to greatly widen detection coverage.

HFish uses a browser/server (B/S) architecture; the system consists of a management end and node ends. The management end generates and manages the node ends and receives, analyzes and displays the data they return. A node end is controlled by the management end and is responsible for running the honeypot services.



System Requirements (CPU cores / memory / disk):

             Management                      Node
Suggested    2 cores / 4 GB RAM / 200 GB     1 core / 2 GB RAM / 50 GB
Minimum      1 core / 2 GB RAM / 100 GB      1 core / 1 GB RAM / 50 GB


Self Hosted Docker Installation Pre-requirements

Free resources you might need to complete this docker project:


Pre-installed services:

  • Docker
    • apt update
    • apt install docker.io
    • apt install docker-compose
    • apt upgrade docker.io
    • mkdir /root/data/docker_data/<docker_name>
  • Docker Compose (using Ubuntu for the commands)
    • docker-compose down
    • Optional: back up your Docker data with the following command first. Change the folder name to match your Docker configuration.
      • cp -r /root/data/docker_data/<docker_name> /root/data/docker_data_backup/<docker_name>
    • docker-compose pull
    • docker-compose up -d
    • docker image prune
  • Portainer (optional)
    • docker volume create portainer_data
    • docker run -d -p 9000:9000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
  • Install some applications (optional): apt install wget curl sudo vim git
  • aaPanel with Nginx (optional)
  • Nginx Proxy Manager (optional)
  • Install screen (optional)
    • Install screen (it may already be pre-installed, depending on the Linux distribution): yum install screen
    • Start a screen session: screen, or screen -S <screen name> <command to execute>
    • Detach from the screen: "CTRL+A, D" (not "CTRL+A+D")
    • List all running screens: screen -ls
    • Reattach to a screen: screen -r <session number> or screen -r <screen name>
    • Kill a specific screen: screen -X -S <screen name> quit
    • Kill all screens: pkill screen

Monitoring Usage

  • docker stats
  • ncdu
    • apt install ncdu

Remove Docker and Related folders

  • docker stop <Docker Name>  # stop the container but do not remove anything
  • docker rm -f <Docker Name>  # remove the specific container; mapped volumes are not deleted
  • rm -rf /root/data/docker_data/<Docker Mapped Volumes>  # remove all mapped volumes

Restrict Journal Log File Size:

  • journalctl --vacuum-size=100M
  • Limit it to 25M:
nano /etc/systemd/journald.conf
SystemMaxUse=25M
systemctl restart systemd-journald.service

or

sudo bash -c 'echo "SystemMaxUse=100M" >> /etc/systemd/journald.conf'
sudo systemctl restart systemd-journald



Enable IPv6 and Limit Log File Size (Ubuntu)

Special command that clears all container logs without stopping the containers:

  • sudo sh -c 'truncate -s 0 /var/lib/docker/containers/*/*-json.log'

Add a custom IPv6 address range to enable the containers' IPv6 function, and limit the log file size and count so that logs cannot fill the whole disk.

cat > /etc/docker/daemon.json << EOF
{
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "20m",
        "max-file": "3"
    },
    "ipv6": true,
    "fixed-cidr-v6": "fd00:dead:beef:c0::/80",
    "experimental": true,
    "ip6tables": true
}
EOF

If you get an error, or the IPv6 part does not work on your platform, change it to the following instead:


cat <<EOF > /etc/docker/daemon.json
{
  "live-restore": true,
  "storage-driver": "overlay2",
  "log-opts": {
    "max-size": "10m"
  }
}
EOF


Restart Docker service:

systemctl restart docker

Limit number of log files:

cat /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

You can change 4 to some other value, such as 1, so that only one file is stored.


Docker Installation Steps

https://hfish.net/#/2-1-docker

1 Pre-requisites verification

Check the installed Docker version (docker version).


2 Docker run command:

Note that --network host and --privileged=true give the container the host's network stack and unrestricted device access, so run the honeypot on a dedicated host rather than a shared one.

docker run -itd --name hfish \
-v /usr/share/hfish:/usr/share/hfish \
--network host \
--privileged=true \
threatbook/hfish-server:latest

3 Docker run command with auto-upgrade (Watchtower):

docker run -d \
  --name watchtower \
  --restart unless-stopped \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --label=com.centurylinklabs.watchtower.enable=false \
  --privileged=true \
  containrrr/watchtower \
  --cleanup \
  hfish \
  --interval 3600


4 Log in

Make sure the firewall allows TCP port 4433 to the management UI. If you have already opened all ports to the Internet for your honeypot, you can ignore this 4433 port.

Web Address:https://[server]:4433/web/ Username:admin Password:HFish2021


Screenshots

Dashboard



About


Threat Monitor

In 30 minutes, I got 11 attacks and 538 scans.

Node info:


After a couple of days, the screen shows much more information:



Linux / Windows Installation Commands

For Linux:  
https://hfish.net/#/2-2-linux


For Windows: 
https://hfish.net/#/2-3-windows


Web Address:https://[server]:4433/web/ Username:admin Password:HFish2021




Use Your Own Domain to Access It

Cloudflare:
  • add an A record pointing to the NPM server
NPM (Nginx Proxy Manager)
  • Add a Proxy Host with https
With the NPM configuration above, you will find that you need to append /web to your subdomain to get it working. To make the following domain format work without the sub-folder, you need the extra NPM configuration shown below.

Demo site:
  • https://hfish.51sec.eu.org/


If you want to redirect to the web sub-folder, add this to the NPM advanced configuration; it redirects your subdomain to ip:port/web (the forward URL), so it is still only partially working:

location = /{return 301 $scheme://$server:$port/web/;}

A couple of other variables you can try:
  • $host
  • $http_host
  • $server

Note: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/104

Finally, I got https://hfish.51sec.eu.org/ working without entering the web folder at the end of the subdomain URL, with this advanced configuration:
  • location = /{return 301 $scheme://$http_host/web/;}



Clean DB data

Since we are using SQLite as the DB, you might want to clean up data regularly.
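An added maintenance script for this step (not part of HFish or this post): it prunes rows older than N days from an SQLite file and then vacuums it so the file actually shrinks. HFish's real table and column names are not given on this page, so they are parameters here; the demo uses a constructed table attack_log with an epoch column create_time, both assumed names.

```python
import os
import shutil
import sqlite3
import tempfile
import time


def prune_old_rows(db_path, table, ts_column, keep_days):
    """Delete rows whose epoch timestamp in ts_column is older than keep_days,
    then VACUUM so the file really shrinks. Returns the number of rows deleted.
    A .bak copy is taken first; stop HFish before running this on a live DB."""
    # Identifiers cannot be bound as SQL parameters, so allow plain names only.
    for name in (table, ts_column):
        if not name.isidentifier():
            raise ValueError(f"unsafe identifier: {name!r}")
    shutil.copy2(db_path, db_path + ".bak")
    cutoff = int(time.time()) - keep_days * 86400
    conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit mode
    try:
        cur = conn.execute(f'DELETE FROM "{table}" WHERE "{ts_column}" < ?', (cutoff,))
        deleted = cur.rowcount
        conn.execute("VACUUM")  # VACUUM must run outside a transaction
    finally:
        conn.close()
    return deleted


def demo(keep_days=30):
    """Constructed data: rows 40, 35 and 5 days old in a table attack_log with
    epoch column create_time (assumed names). Returns (deleted, remaining)."""
    tmp = tempfile.mkdtemp()
    db = os.path.join(tmp, "hfish.db")
    now = int(time.time())
    conn = sqlite3.connect(db)
    with conn:
        conn.execute("CREATE TABLE attack_log (id INTEGER PRIMARY KEY, "
                     "src_ip TEXT, create_time INTEGER)")
        conn.executemany(
            "INSERT INTO attack_log (src_ip, create_time) VALUES (?, ?)",
            [("203.0.113.5", now - 40 * 86400), ("203.0.113.6", now - 35 * 86400),
             ("198.51.100.7", now - 5 * 86400)])
    conn.close()
    deleted = prune_old_rows(db, "attack_log", "create_time", keep_days)
    conn = sqlite3.connect(db)
    remaining = conn.execute("SELECT COUNT(*) FROM attack_log").fetchone()[0]
    conn.close()
    shutil.rmtree(tmp)
    return deleted, remaining
```

For the real file, point prune_old_rows at the SQLite database under the mapped /usr/share/hfish volume with the table and timestamp column you find there, after stopping the container.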




Videos

 
HFish Honeypot Project- Easiest To Deploy in 5 Minutes(Docker) - 2020


Easily Create A Free But Safe Honeypot - HFISH



References

Docker Hub: 

  • https://hub.docker.com/r/threatbook/hfish-server

Github:
  • https://github.com/hacklcx/HFish-English/
  • https://github.com/hacklcx/HFish
Doc:
  • https://hfish.net/#/docs

Others:
  • https://a8dog.com/da-jian-yi-ge-hfish-mi-guan-jie-shou-quan-wang-gong-ji


2 comments:

  1. Because some parts of the HFish honeypot use Chinese language and characters, when running Docker the first time I added some environment variables to the HFish honeypot, so here is the script:

    docker run -itd --name hfish \
    -v /usr/share/hfish:/usr/share/hfish \
    --network host \
    --privileged=true \
    -e LANG=en_US.UTF-8 \
    -e LANGUAGE=en_US:en \
    -e LC_ALL=en_US.UTF-8 \
    --restart unless-stopped \
    threatbook/hfish-server:latest

    # docker options (-e, --restart) must come before the image name;
    # anything after containrrr/watchtower is passed to watchtower itself
    docker run -d \
    --name watchtower \
    --restart unless-stopped \
    -v /var/run/docker.sock:/var/run/docker.sock \
    --label=com.centurylinklabs.watchtower.enable=false \
    --privileged=true \
    -e LANG=en_US.UTF-8 \
    -e LANGUAGE=en_US:en \
    -e LC_ALL=en_US.UTF-8 \
    containrrr/watchtower \
    --cleanup \
    hfish \
    --interval 3600
    reference : https:// stackoverflow.com /questions/28405902/how-to-set-the-locale-inside-a-debian-ubuntu-docker-container (remove the space between it)

  2. There are still Chinese words with Crafty Kiddos' command:
    Here I have a better solution with docker compose (helped by AI Copilot)
    -------------- START Dockerfile -------------
    FROM alpine:latest

    # Install necessary packages
    RUN apk add --no-cache \
        bash \
        curl \
        tzdata \
        && rm -rf /var/cache/apk/*

    # Set environment variables (locale)
    ENV LANG=en_US.UTF-8
    ENV LANGUAGE=en_US:en
    ENV LC_ALL=en_US.UTF-8

    # Set the working directory
    WORKDIR /usr/share/hfish

    # Copy application files
    COPY . /usr/share/hfish

    ------------------------ END Dockerfile -------------------------

    ---------------------- START docker-compose.yml ------------------

    version: '3.9'

    services:
      hfish:
        image: threatbook/hfish-server:latest
        container_name: hfish
        volumes:
          - /usr/share/hfish:/usr/share/hfish
        network_mode: host
        privileged: true
        environment:
          - LANG=en_US.UTF-8
          - LANGUAGE=en_US:en
          - LC_ALL=en_US.UTF-8
        restart: unless-stopped

      mysql:
        image: mysql:8.0.26
        container_name: mysql
        volumes:
          - mysql_data:/var/lib/mysql
        environment:
          MYSQL_ROOT_PASSWORD: yourpassword
          MYSQL_DATABASE: hfishdb
          MYSQL_USER: hfishuser
          MYSQL_PASSWORD: yourpassword
        ports:
          - "3307:3306"
        restart: unless-stopped

      watchtower:
        image: containrrr/watchtower:latest
        container_name: watchtower
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        environment:
          - WATCHTOWER_CLEANUP=true
          - WATCHTOWER_POLL_INTERVAL=3600 # Check for updates every hour
        restart: unless-stopped

    volumes:
      mysql_data:
    ---------------------- END docker-compose.yml ------------------
