Modern Honey Network (Not Pot) Project in Azure
This project will give you hands-on experience with Azure and security analysis. It uses the Modern Honey Network (MHN), a centralized server for managing honeypots and collecting their data. MHN lets you deploy sensors quickly and start collecting data immediately, viewable from a neat web interface. Its honeypot deploy scripts cover several common honeypot technologies, including Snort, Cowrie, Dionaea, and Glastopf, among others.
We will be deploying Dionaea honeypot and analyzing it using the 5-step SOC Analyst Method.
Creating the Virtual Machine
Go to Azure and sign up for your $200 in free credits if you haven’t already. This project shouldn’t cost more than a few bucks, depending on how long you collect data.
Once logged in, choose “Virtual machine” and then “Create”.
Create a resource group called “mhn-rg”
Virtual Machine name is “mhn-server” and region is “East US”
Security type is “Standard”. Under “See all images”, type “18.04”; the image you want should be the first result: “Ubuntu 18.04 — x64 Gen 1”.
Size is “Standard_A2m_v2” (2 vCPUs, 16 GiB memory).
Choose “Password” authentication, username “azureuser”, and a password of your choosing.
Click “Next: Disks”
Select a 128 GiB (E10) disk size and Standard SSD.
Click “Review + Create” and then “Create” at the bottom.
Once it’s completely deployed, select “mhn-server-nsg” from the resources listed at the top.
Select “Inbound security rules” from the left and click “add”
Create an inbound security rule with destination ports “*” (all ports) and priority 310, and set its action to Allow. This exposes every port on the VM to the internet, which is what the honeypot needs; the trade-off is discussed in the firewall notes further down.
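As an added example (not part of the original guide), the same VM build as the portal clicks above, scripted with the Azure CLI so it is repeatable and the allow-all NSG rule can be reviewed before it is applied. It assumes `az login` has already been done; resource names, region, size and disk follow the guide, while the image URN and the rule name are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: the same VM build as the
# portal clicks above, scripted with the Azure CLI so it is repeatable.
# Assumes `az login` has been done. Resource names, region, size and disk
# follow the guide; the image URN and the rule name are my assumptions.
set -eu

RG=mhn-rg
VM=mhn-server
LOCATION=eastus
NSG=mhn-server-nsg          # same name the portal gave the NSG in the guide
ADMIN_USER=azureuser
ADMIN_PASS="${ADMIN_PASS:-REPLACE_WITH_A_STRONG_PASSWORD}"   # placeholder

# The rule from the guide's last step: every destination port, priority 310,
# Allow. Returned as a string so it can be reviewed before it is applied;
# this is the rule that makes the honeypot reachable on every port.
nsg_allow_all_cmd() {
  printf '%s %s %s' \
    "az network nsg rule create --resource-group $RG --nsg-name $NSG" \
    "--name AllowAllInbound --priority 310 --direction Inbound --access Allow" \
    "--protocol '*' --source-address-prefixes '*' --destination-port-ranges '*'"
}

create_mhn_vm() {
  az group create --name "$RG" --location "$LOCATION"
  az vm create --resource-group "$RG" --name "$VM" --location "$LOCATION" \
    --image Canonical:UbuntuServer:18.04-LTS:latest \
    --size Standard_A2m_v2 \
    --authentication-type password \
    --admin-username "$ADMIN_USER" --admin-password "$ADMIN_PASS" \
    --os-disk-size-gb 128 --storage-sku StandardSSD_LRS \
    --nsg "$NSG" --public-ip-sku Standard
  eval "$(nsg_allow_all_cmd)"
  # Print the public IP you will SSH to in the next section.
  az vm show -d --resource-group "$RG" --name "$VM" --query publicIps -o tsv
}

# Nothing is deployed unless explicitly requested, so the file is safe to source.
if [ "${MHN_DEPLOY:-0}" = "1" ]; then
  create_mhn_vm
fi
```

Run it with `MHN_DEPLOY=1 ADMIN_PASS='...' sh deploy-mhn.sh`; the printed address is the IP used in the SSH step below.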
Configuring the MHN Server
Go to “mhn-server”
Copy Public IP Address
SSH into the VM
ssh azureuser@<mhn-server IP>
Password: *******
Execute
sudo apt install git -y
Execute
cd /opt/
The install that follows contains a broken download. MaxMind’s GeoLite2 is the GeoIP database; you can get through the installation without it, but none of the cool maps will work. MaxMind switched to a paid, registration-gated license, so the fix is to fetch a mirrored copy first by executing this:
sudo wget https://github.com/pwnlandia/geolite2/raw/master/GeoLite2-City.tar.gz -O GeoLite2-City.tar.gz
Execute
sudo git clone https://github.com/pwnlandia/mhn.git
cd mhn
sudo ./install.sh
MHN Configuration
Do you wish to run in Debug mode?: y/n n
Superuser email: YOUR_EMAIL@YOURSITE.COM
Superuser password: Yourpassword.
Server base url ["http://1.2.3.4"]:
Honeymap url ["http://1.2.3.4:3000"]:
Mail server address [“localhost”]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [“”]:
Mail server password [“”]:
Mail default sender [“”]:
Path for log file [“mhn.log”]:
Would you like to integrate with Splunk (y/n) n
Would you like to install ELK (y/n) n
Would you like to add MHN rules to UFW? (y/n) n
Exploring the Honeypot
The first thing you want to do is make sure the web interface is up: open a browser, go to the server’s IP address, and you will be prompted to log in. The credentials are the ones from the install script, the superuser email you entered plus your password. You arrive at this page…
There aren’t any attacks yet because we haven’t installed any sensors. We will be installing a sensor on the same server as the MHN server, although that is not recommended (see the firewall notes further down).
In the past when I have deployed this project I have done really cool things like deploy sensors on a VPS in Russia, and one on a VPS in DC during a midterm election to see if I could notice any variations in attacks. I published an article on Tripwire State of Security about it and had journalists calling me.
So, after you complete this project, use this guide again and set up a secondary (and tertiary, etc.) server in Azure for your sensor(s). You can install sensors in multiple geographic regions and they will all report back to this server.
In this guide, we will be deploying a Dionaea honeypot to capture attacks and analyze them.
So let’s get started.
Click on “Deploy”, then “New script”, and select “Ubuntu/Raspberry Pi — Dionaea”.
Copy the deploy command, go back to the terminal on your MHN server, and paste it in, prepending “sudo” to the command first.
When it’s finished, go back to the MHN web UI, open Sensors > View Sensors, and make sure the sensor shows up.
There are two firewalls, so to speak, in play here. One is the Network Security Group in Azure, for which you had to create a rule allowing all traffic in; it sits as a networking appliance in front of your host. The other is on the host itself, the Ubuntu firewall (UFW), which we turned off in an earlier step.
So the gates to this host are now wide open, both at the network level and at the host firewall level: anything can contact it. This is why it isn’t recommended to run the MHN server on the same host as the honeypot: the honeypot requires all ports to be open, while you typically want tighter security on your MHN server. Since this is a very temporary project, it should be fine. If you run this project again, split the honeypot and the MHN server onto separate hosts.
Exploring MHN
Now we have the MHN server and a honeypot configured. Let’s check out the map: click the “Map” button at the top. Years ago this map was teeming with activity; people can configure their MHN instance to send its data to this map. Now go walk away and take a break. When you return in a few minutes you should be able to see some activity… we hope. It might take some time for attacks to reach your honeypots, too.
Now browse over to the “Attacks” page; this is where you will see the attacks that happened on your honeypots.
If you have trouble with the honeypot, try this command:
sudo supervisorctl restart all
Now apply the 5-step SOC Analyst Method and conduct a security analysis on the attacks. This is the one thing SOC analysts need to know how to do every day.
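As an added example (not from the original guide), a first triage pass over attack records like the ones the “Attacks” page lists: busiest sources, most-targeted ports with the service Dionaea emulates there, and sources that scanned many ports. It uses only awk and sort so it runs on the MHN host itself; the CSV is constructed sample data, and the column order and the port-to-service list are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: triage of honeypot attack
# records of the kind the MHN "Attacks" page lists. Only awk/sort are used,
# so it runs on the MHN host. The records below are constructed sample data
# (TEST-NET addresses); the column order is my assumption.
# Columns: timestamp,sensor,country,src_ip,dst_port,protocol,honeypot

sample_attacks() {
  cat <<'EOF'
2024-06-01T10:00:01,mhn-server,RU,198.51.100.7,445,tcp,dionaea
2024-06-01T10:00:03,mhn-server,RU,198.51.100.7,445,tcp,dionaea
2024-06-01T10:00:09,mhn-server,CN,203.0.113.9,21,tcp,dionaea
2024-06-01T10:01:12,mhn-server,CN,203.0.113.9,445,tcp,dionaea
2024-06-01T10:01:15,mhn-server,CN,203.0.113.9,1433,tcp,dionaea
2024-06-01T10:01:20,mhn-server,CN,203.0.113.9,3306,tcp,dionaea
2024-06-01T10:02:40,mhn-server,US,192.0.2.44,445,tcp,dionaea
2024-06-01T10:03:05,mhn-server,RU,198.51.100.7,445,tcp,dionaea
EOF
}

# Busiest source IPs, one "count ip" line each, busiest first.
top_sources() {
  awk -F, '{c[$4]++} END {for (ip in c) print c[ip], ip}' | sort -rn
}

# Most-targeted ports, labelled with the service Dionaea emulates there
# (assumed list of the common ones; anything else is "other").
top_ports() {
  awk -F, 'BEGIN {svc[21]="ftp"; svc[80]="http"; svc[445]="smb";
                  svc[1433]="mssql"; svc[3306]="mysql"; svc[5060]="sip"}
           {c[$5]++}
           END {for (p in c) print c[p], p, ((p in svc) ? svc[p] : "other")}' |
    sort -rn
}

# Sources that touched at least N distinct ports (default 3): broad scanning
# rather than a single-service campaign, so correlate these first.
scanners() {
  min="${1:-3}"
  awk -F, -v min="$min" '
    !seen[$4 FS $5]++ { ports[$4]++ }
    END { for (ip in ports) if (ports[ip] >= min) print ip, ports[ip] }' | sort
}
```

Each function reads records on stdin, so with a real export you would run `top_sources < attacks.csv` and `scanners 3 < attacks.csv`.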
Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University, and also CISSP, CCSK, CFSR, CEH, Sec+, Net+, A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, four online courses, and regularly holds webinars for new cybersecurity talent.
You can connect with him on LinkedIn.
Get 20% off all courses in our On-Demand catalog with coupon code “Welcome20”
Download the Azure Security Labs eBook from the Secure Style Store. It walks you through several fun hands-on labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork and start your cybersecurity freelancing.
Also available in the Secure Style Store, download the Job Hunting Application Tracker for FREE to keep track of all your job applications.
Check out my latest book Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.