FOSDEM: watching hackers on your own honeypot server

At the open-source developer conference FOSDEM, Sanja Bonic and Janos Pasztor presented how their project ContainerSSH and the program asciinema can be used to show what attacking hackers actually do on a server. ContainerSSH makes it possible to create software containers dynamically when an SSH user logs on to a server; when the user logs off again, the container is discarded. This is suitable, for example, for web hosting or for learning environments in hands-on Linux courses. But it can also be used to build a honeypot.

A honeypot is a deliberately vulnerable server that is put on the internet for the purpose of attracting attackers. It can be used, for example, to study the latest attack techniques currently in use. But a honeypot is useful not only to security experts; it can also be useful to an admin. Pasztor gave the example of an admin who operates and secures SSH servers: from the login attempts against a honeypot, that admin can learn what he has to defend his real servers against.

Command-line recording with asciinema

Normally, such a honeypot would be monitored with conventional audit logs, and ContainerSSH has its own provisions for exactly this: it can ship these logs out of the container to other systems before the container is discarded when the SSH user logs off. Bonic and Pasztor, however, also presented another way to learn from such honeypots. With asciinema, you can create recordings of what a user (or attacker) does on a server. asciinema records all input and output on a command line and saves it in a text format. The recording can be replayed like a video and can also be converted into video files. Since, however, it contains only the text of the command-line input and output plus a timestamp for each event, the resulting files are much smaller than videos, and are therefore also suitable for the long-term monitoring of a server.

However, pure text recording of commands on a honeypot server quickly reaches its limits. Since most attackers are in reality bots, they do not use an interactive console but run commands directly over the SSH connection, and the recordings accordingly contain few or cryptic entries. Here it helps to switch ContainerSSH's recording from the asciinema format to binary data; then these directly executed commands become visible as well.
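To make the two points above concrete, here is an added example (not code from ContainerSSH, asciinema or the talk) in Python: it parses an asciicast v2 recording of the kind asciinema writes, replays the output stream into a plain transcript, pulls out the commands typed at a shell prompt, and reports the timing. It relies only on the documented asciicast v2 layout (one JSON header line, then one JSON array per event: elapsed seconds, event type, data, where type "o" is terminal output). The prompt pattern and the two sample recordings are constructed for the demonstration; the second sample shows the limitation just described, since a non-interactive exec session has no prompt and no echoed input, so only the command output is recorded.

```python
# Added example: reconstruct what a user typed from an asciinema (asciicast v2)
# recording. Not code from ContainerSSH, asciinema or the FOSDEM talk; the prompt
# pattern and the sample recordings are assumptions made for this demo.
import json
import re

# CSI escape sequences (colours, cursor movement) that would pollute the transcript
ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")
# Heuristic prompt pattern (assumption): up to 40 chars ending in '$ ' or '# '
PROMPT_LINE = re.compile(r"^.{0,40}?[$#] (?P<cmd>.*)$")


def parse_asciicast(text):
    """Split an asciicast v2 file into its header dict and its list of events."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = json.loads(lines[0])
    if header.get("version") != 2:
        raise ValueError("only asciicast v2 is handled")
    return header, [json.loads(line) for line in lines[1:]]


def render_output(events):
    """Replay the 'o' events into a plain-text transcript.

    Escape sequences are stripped, CR/LF becomes a newline, and the shell's echoed
    backspaces ('\\b \\b' or DEL) delete the previous character, so a typo the
    attacker corrected does not appear in the reconstructed command. Input ('i')
    events are ignored: in an interactive session the shell echo already puts the
    keystrokes into the output stream.
    """
    buf = []
    for _elapsed, kind, data in events:
        if kind != "o":
            continue
        data = ANSI_ESCAPE.sub("", data).replace("\r\n", "\n").replace("\r", "\n")
        for ch in data:
            if ch in ("\b", "\x7f"):
                if buf and buf[-1] != "\n":
                    buf.pop()
            else:
                buf.append(ch)
    return "".join(buf)


def extract_commands(transcript):
    """Return the text typed after each shell prompt found in the transcript."""
    commands = []
    for line in transcript.split("\n"):
        match = PROMPT_LINE.match(line)
        if match and match.group("cmd").strip():
            commands.append(match.group("cmd").strip())
    return commands


def analyse(text):
    """Parse, replay and summarise one recording."""
    _header, events = parse_asciicast(text)
    times = [event[0] for event in events]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    transcript = render_output(events)
    return {
        "duration_s": times[-1] if times else 0.0,
        "events": len(events),
        # long pauses between events hint at a human at the keyboard;
        # bots fire their commands without hesitation
        "max_gap_s": max(gaps) if gaps else 0.0,
        "commands": extract_commands(transcript),
        "transcript": transcript,
    }


# Constructed interactive session: the attacker mistypes 'uname', corrects it with
# backspaces, then looks for USB/serial modems (cf. the SMS example in the article).
SAMPLE_INTERACTIVE = "\n".join(json.dumps(e) for e in [
    {"version": 2, "width": 80, "height": 24, "timestamp": 1612000000},
    [0.5, "o", "root@honeypot:~# "],
    [2.1, "o", "unma"],
    [2.9, "o", "\b \b\b \bame -a\r\n"],
    [3.0, "o", "Linux honeypot 5.10.0-13-amd64 #1 SMP x86_64 GNU/Linux\r\n"],
    [3.0, "o", "root@honeypot:~# "],
    [9.4, "o", "ls /dev/ttyUSB* /dev/ttyACM*\r\n"],
    [9.5, "o", "ls: cannot access '/dev/ttyUSB*': No such file or directory\r\n"],
    [9.5, "o", "root@honeypot:~# "],
    [12.0, "o", "\x1b[32mexit\x1b[0m\r\n"],
])

# Constructed non-interactive session (ssh host 'uname -a; cat /proc/cpuinfo'):
# no PTY, no prompt, no echo, so only the command output ends up in the recording.
SAMPLE_EXEC = "\n".join(json.dumps(e) for e in [
    {"version": 2, "width": 80, "height": 24, "timestamp": 1612000100},
    [0.0, "o", "Linux honeypot 5.10.0-13-amd64 #1 SMP x86_64 GNU/Linux\n"],
    [0.02, "o", "processor\t: 0\nmodel name\t: Intel(R) Xeon(R) CPU\n"],
])

if __name__ == "__main__":
    for name, sample in (("interactive", SAMPLE_INTERACTIVE), ("exec", SAMPLE_EXEC)):
        result = analyse(sample)
        print(f"{name}: {result['events']} events over {result['duration_s']}s, "
              f"longest pause {result['max_gap_s']:.2f}s")
        print("  commands:", result["commands"] or "(none visible: no prompt, no echo)")
```

Run against a real asciicast file, `analyse(open(path).read())` gives the same summary; the prompt regex is the fragile part and should be adapted to the prompt the honeypot's shell actually prints. The exec sample illustrates why the talk recommends the binary recording for bot traffic: the asciinema-style stream has nothing to extract the command from.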

Looking over the shoulder of every login

And so you can have a lot of fun with a honeypot in a relatively safe way and watch what hackers do on a server after they have logged in. For example, Pasztor found that many attackers look for mobile network devices connected to the server. Many admins use these to send alerts even when the server itself has no internet connection. An attacker hijacks the devices and then sends spam SMS, which under some circumstances remains undetected if the admin has no insight into the billing data of the mobile connection, for example because a different department is responsible for it. ContainerSSH and asciinema are also suitable for recording the sessions of course participants who access training servers.

More details about this field of application of the two open-source programs can be found in the slides of the talk on the FOSDEM page. These also contain configuration examples and further links.