Honeypot Setup Notes

tcppc honeypot setup notes

Just a record of the steps I used to set up the tcppc honeypot; it may not suit everyone.

Buy a VPS: https://www.vultr.com/?ref=8391117-6G

QQ group: 397745473

Reference: https://www.freebuf.com/articles/network/240041.html

It only ran after a few small changes.
Without changing the path there seem to be some problems.
apt-get update
apt-get upgrade
sed -i 's/#Port 22/Port 9922/g' /etc/ssh/sshd_config && dd if=/dev/zero of=/var/swapfile bs=1M count=2048 && /sbin/mkswap /var/swapfile && /sbin/swapon /var/swapfile && chmod 0600 /var/swapfile && echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
apt install -y docker.io
apt-get install python3-pip
pip3 install docker-compose
service docker start

mkdir docker_test

vim Dockerfile

### Use the golang image as the base image providing the runtime environment
FROM golang
# Set the timezone variable
ENV TZ=Asia/Shanghai
# Adjust the timezone, fetch the source from GitHub and build it
# (on Go 1.18+ images `go get` no longer builds binaries; the replacement is
#  `go install github.com/md-irohas/tcppc-go@latest`)
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
    go get github.com/md-irohas/tcppc-go
# Change into the directory holding the built binary
WORKDIR /go/bin/
# Command to run
CMD ["./tcppc-go", "-T","86400","-w","log/tcppc-%Y%m%d.jsonl"]
docker build -t all_port:1.0 .

mkdir log
docker run -it -d --restart=always --net=host -v `pwd`/log:/go/bin/log/ all_port:1.0 /bin/bash
docker ps
[Enter the container] docker exec -i -t 23e896b7fb20 /bin/bash

Enable iptables logging

1. Add the following line to /etc/rsyslog.conf: kern.info /var/log/iptables.log

2. So that this log rotates the same way as the ssh log, add the filename /var/log/iptables.log to /etc/logrotate.d/rsyslog
Reference:
/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
/var/log/iptables.log
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
service rsyslog restart

iptables logging rules

iptables -t nat -A PREROUTING -p tcp -i ens3 --dport 80:8000 -j LOG --log-level 6 --log-prefix "port_for"
iptables -t nat -A PREROUTING -p tcp -i ens3 --dport 80:8000 -j REDIRECT --to-ports 12345
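Because REDIRECT rewrites the destination to 12345, tcppc only ever sees port 12345; the LOG rule's kernel log line (written to /var/log/iptables.log by the rsyslog rule above) is where the source address and the original destination port survive. The parser and per-port/per-source summary below is an added example, not part of the original post or of tcppc; its log lines are constructed in the shape rsyslog writes kernel LOG output, and the prefix "port_for" appears fused onto the first field because the rule gives it no trailing space.

```python
from collections import Counter

LOG_PREFIX = "port_for"  # --log-prefix from the iptables rule (no trailing space)

# Constructed sample lines (documentation-range addresses) in the shape rsyslog
# writes kernel LOG output to /var/log/iptables.log. Because the rule's prefix
# has no trailing space, it is fused onto the first field ("port_forIN=ens3").
SAMPLE_LINES = [
    "Mar 14 10:00:00 vps kernel: [1234.5] port_forIN=ens3 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 "
    "SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP "
    "SPT=51234 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 14 10:00:01 vps kernel: [1235.5] port_forIN=ens3 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 "
    "SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP "
    "SPT=51235 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 14 10:00:02 vps kernel: [1236.5] port_forIN=ens3 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 "
    "SRC=198.51.100.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP "
    "SPT=40000 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar 14 10:00:03 vps kernel: [1237.5] ens3: link becomes ready",  # unrelated kernel line
]

def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one LOG line plus its bare flags (SYN, DF, ...),
    or None when the line does not carry our prefix."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, []
    for token in line[idx + len(LOG_PREFIX):].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value        # e.g. SRC, DST, SPT, DPT, PROTO ("OUT=" -> "")
        else:
            flags.append(token)        # bare tokens such as DF or SYN
    fields["FLAGS"] = flags
    return fields

def summarize(lines):
    """Count connection attempts per original destination port and per source.
    The nat PREROUTING chain only sees the first packet of a connection, so each
    SYN line is one attempt against the redirected 80:8000 range."""
    by_port, by_src = Counter(), Counter()
    for line in lines:
        f = parse_iptables_line(line)
        if f and f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"]:
            by_port[int(f["DPT"])] += 1
            by_src[f["SRC"]] += 1
    return by_port, by_src

if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LINES)
    print("per port:", ports.most_common(), "per source:", sources.most_common())
```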
Reference: https://github.com/siberkuvvet/siberkuvvet-honeypot
[Enter the container] docker exec -i -t 23e896b7fb20 /bin/bash
$ openssl genrsa 2048 > server.key
$ openssl req -new -key server.key > server.csr
$ openssl x509 -days 36500 -req -signkey server.key < server.csr > server.crt


cd /go/bin/;./tcppc-go -T 86400 -C server.crt -K server.key -w log/tcppc-%Y%m%d.json

HFish setup notes

HFish project site: https://github.com/hacklcx/HFish
apt-get update && apt-get upgrade -y

sed -i 's/#Port 22/Port 9922/g' /etc/ssh/sshd_config && dd if=/dev/zero of=/var/swapfile bs=1M count=2048 && /sbin/mkswap /var/swapfile && /sbin/swapon /var/swapfile && chmod 0600 /var/swapfile && echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
sed -i 's/mouse=a/mouse-=a/g' /usr/share/vim/vim81/defaults.vim;
apt install -y docker.io
apt-get install -y python3-pip
pip3 install docker-compose
service docker start


git clone https://github.com/hacklcx/HFish.git
Reference: https://www.v2ex.com/t/599168

# Pull the image
docker pull hfishs/hub # Docker Hub : https://hub.docker.com/r/hfishs/hub
# Create the configuration
mkdir /opt/hfish
vi /opt/hfish/demo.conf
# Start
docker run -d -p 80:80 -v /opt/hfish:/home/server hfishs/hub /home/start
# Maintenance
docker exec -it fervent_swanson bash
# Handy for debugging the Nginx config without restarting the container
docker exec -it 67c20c772c5a /home/reload # 67c20c772c5a is the ID of the started container


wget http://hfish.cn-bj.ufileos.com/hfish-linux-amd64.tar.gz
mkdir hfish
tar -xzvf hfish-linux-amd64.tar.gz -C hfish
cd hfish
apt -y install tmux


tmux new -d -s mySession && tmux send-keys -t mySession.0 "./server" ENTER


Open https://ip:4433/web/login in a browser. Default username / password: admin / HFish2021

Node setup:
sh -c "$(curl -k https://202.182.102.133:4434/tmp/lzjiwpfwnyrj.sh)"
sh -c "$(curl -k https://202.182.102.133:4434/tmp/wxebamzfngju.sh)"

Setting up the webhoneypot honeypot

Framework: https://gitlab.com/misc_heading

Original article:
https://medium.com/@misc_heading/building-a-real-world-web-honeypot-for-cve-2019-6340-rce-in-drupal-core-f4240f989c3f

I tried swapping the nginx component for openresty so that request headers can be captured.
References:
https://stackoverflow.com/questions/24380123/how-to-log-all-headers-in-nginx
https://www.hardill.me.uk/wordpress/2018/03/14/logging-requests-and-response-with-nginx/

Download and install

The webhoneypot framework is written in Python 3 and needs docker and docker-compose to run.

apt-get update && apt-get upgrade -y

sed -i 's/#Port 22/Port 9922/g' /etc/ssh/sshd_config && dd if=/dev/zero of=/var/swapfile bs=1M count=2048 && /sbin/mkswap /var/swapfile && /sbin/swapon /var/swapfile && chmod 0600 /var/swapfile && echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
sed -i 's/mouse=a/mouse-=a/g' /usr/share/vim/vim81/defaults.vim;

apt install -y docker.io
reboot

apt-get install -y python3-pip
pip3 install docker-compose
service docker start

cd ;git clone https://gitlab.com/SecurityBender/webhoneypot-framework.git
cd ;git clone https://gitlab.com/misc_heading/webhoneypot-wordpress.git && cd webhoneypot-wordpress/
mkdir -p nginx/logs
mkdir -p ./apache/html/

sed -i "s|nginx:latest|openresty/openresty:alpine|g" /root/webhoneypot-wordpress/nginx/Dockerfile

sed -i "s|version: '2'|version: '3'|g" /root/webhoneypot-wordpress/docker-compose.yml

/root/webhoneypot-framework/webhoneypot.py -c ./wordpress.json init

Edit the configuration file

vim /root/webhoneypot-wordpress/nginx/config/default.conf

log_format postlog '$remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" "$http_x_forwarded_for" '
                   '"$request_body"';

server {
    listen 80;

    access_log /var/log/nginx/access.log postlog;
    error_log /var/log/nginx/error.log;

    location / {
        # auth_basic "This is not the website you're looking for!";
        # auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://apache:80/;
    }

    header_filter_by_lua_block {
        local data_string = ngx.req.raw_header()
        ngx.log(ngx.ERR, "Got header---------------------------- \n"..data_string.."\n")
    }
}

Web application installation

Install WordPress as usual and install all the vulnerable plugins.

wget https://wordpress.org/latest.tar.gz
wget https://files.phpmyadmin.net/phpMyAdmin/5.1.0/phpMyAdmin-5.1.0-all-languages.zip

Look up the database IP: docker inspect webhoneypot-wordpress_mysql_1

Edit config.default.php in the libraries folder of the phpmyadmin directory.
Find $cfg['Servers'][$i]['host'] and set its value to the database IP found above.
Use phpMyAdmin to create a database and a database username / password.

Routine maintenance

Snapshot function: this quickly restores the containers to their initial state; the database is wiped.
$ cd ;cd webhoneypot-wordpress/
$ /root/webhoneypot-framework/webhoneypot.py -c ./wordpress.json reset

Log monitoring:
File path: /root/webhoneypot-wordpress/nginx/logs
tail -f webhoneypot-wordpress/nginx/logs/access.log

Source path: /root/webhoneypot-wordpress/apache/html

[Restart the container] docker restart webhoneypot-wordpress_nginx_1
[Enter the container] docker exec -i -t webhoneypot-wordpress_mysql_1 /bin/bash
Other references:
WordPress monitoring reference:
https://medium.com/@misc_heading/how-i-capture-and-monitor-wordpress-attacks-ceda512b07

Common problems

Installing plugins and themes prompts for FTP

Add the following to wp-config.php

define("FS_METHOD", "direct");
define("FS_CHMOD_DIR", 0775);
define("FS_CHMOD_FILE", 0775);

No permission to install plugins and themes

chmod 755 wp-content/plugins/
chmod 777 wp-content

One log file per day

vim /root/logs.sh

#!/bin/bash
# Move yesterday's nginx logs into a per-month folder, named by date, then
# restart the nginx container so it reopens fresh access.log / error.log files.

logsPath="/root/webhoneypot-wordpress/nginx/logs"
log_path=$(date -d yesterday +"%Y%m")   # e.g. 202103 (the cron job runs at 00:00)
day=$(date -d yesterday +"%Y%m%d")      # e.g. 20210314

mkdir -p "${logsPath}/${log_path}"
mv "$logsPath/access.log" "$logsPath/$log_path/access_$day.log"
mv "$logsPath/error.log" "$logsPath/$log_path/error_$day.log"
docker restart webhoneypot-wordpress_nginx_1

crontab -e

0 0 * * * /bin/bash /root/logs.sh
chmod 755 /root/logs.sh

Setting up a honeypot with Baota (BT panel)

Calling this a honeypot is a stretch; it just makes the logging a bit more detailed.

Environment preparation

Buy a VPS: https://www.vultr.com/?ref=8391117-6G

apt-get update && apt-get upgrade -y

sed -i 's/#Port 22/Port 9922/g' /etc/ssh/sshd_config && dd if=/dev/zero of=/var/swapfile bs=1M count=2048 && /sbin/mkswap /var/swapfile && /sbin/swapon /var/swapfile && chmod 0600 /var/swapfile && echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
sed -i 's/mouse=a/mouse-=a/g' /usr/share/vim/vim81/defaults.vim;

apt install -y docker.io
reboot

apt-get install -y python3-pip
pip3 install docker-compose
service docker start

Installing Baota

Reference, Baota's official GitHub: https://github.com/ifui/baota

git clone https://github.com/ifui/baota.git
cd baota/ && cp .env-example .env
** Note: you can use vim .env to change 8080 to 80
docker-compose up -d app
docker-compose logs app

docker exec -it baota_app_1 bash

# Remove Baota's forced login
sed -i "s|if (bind_user == 'True') {|if (bind_user == 'REMOVED') {|g" /www/server/panel/BTPanel/static/js/index.js

# Restore Baota's forced login
sed -i "s|if (bind_user == 'REMOVED') {|if (bind_user == 'True') {|g" /www/server/panel/BTPanel/static/js/index.js

Suggested software selection after logging into Baota:
1. openresty
2. mysql5.6
3. Deselect FTP
4. PHP7.0
5. phpMyAdmin
6. Compile and install

Configuring the nginx service

  1. Websites –> Add site –> default.com –> leave everything else at the defaults and click OK
  2. Websites –> Default site –> choose default.com
  3. Websites –> Edit default page –> clear the contents of all 4 default pages (this step can be skipped)
  4. App Store –> Nginx 1.13.6.2 –> Settings –> Config –> add the following code just before the last "}"
header_filter_by_lua_block {
    function serialize(obj)
        local lua = ""
        local t = type(obj)
        if t == "number" then
            lua = lua .. obj
        elseif t == "boolean" then
            lua = lua .. tostring(obj)
        elseif t == "string" then
            lua = lua .. string.format("%q", obj)
        elseif t == "table" then
            lua = lua .. "{"
            for k, v in pairs(obj) do
                lua = lua .. " " .. serialize(k) .. ":" .. serialize(v) .. ","
            end
            local metatable = getmetatable(obj)
            if metatable ~= nil and type(metatable.__index) == "table" then
                for k, v in pairs(metatable.__index) do
                    lua = lua .. " " .. serialize(k) .. ":" .. serialize(v) .. ","
                end
            end
            lua = lua .. "}"
        elseif t == "nil" then
            return nil
        else
            error("can not serialize a " .. t .. " type.")
        end
        return lua
    end

    function table2string(tablevalue)
        local stringtable = serialize(tablevalue)
        return stringtable
    end

    local data = ngx.req.get_headers()
    local data_string = table2string(data)
    ngx.log(ngx.ERR, "Got header---------------------------- \n"..data_string.."\n")
}

Complete nginx configuration file

user  www www;
worker_processes auto;
error_log /www/wwwlogs/nginx_error.log debug;
pid /www/server/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;

events
{
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http
{
    include mime.types;
    #include luawaf.conf;

    include proxy.conf;

    default_type application/octet-stream;

    server_names_hash_bucket_size 512;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;

    sendfile on;
    tcp_nopush on;

    keepalive_timeout 60;

    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;

    server_tokens off;
    access_log on;

    log_format postlog '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for" '
                       '"$request_body"';

    server
    {
        listen 888;
        server_name phpmyadmin;
        index index.html index.htm index.php;
        root /www/server/phpmyadmin;

        #error_page 404 /404.html;
        include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires 30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires 12h;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log /www/wwwlogs/access.log postlog;
    }
    include /www/server/panel/vhost/nginx/*.conf;

    header_filter_by_lua_block {
        function serialize(obj)
            local lua = ""
            local t = type(obj)
            if t == "number" then
                lua = lua .. obj
            elseif t == "boolean" then
                lua = lua .. tostring(obj)
            elseif t == "string" then
                lua = lua .. string.format("%q", obj)
            elseif t == "table" then
                lua = lua .. "{"
                for k, v in pairs(obj) do
                    lua = lua .. " " .. serialize(k) .. ":" .. serialize(v) .. ","
                end
                local metatable = getmetatable(obj)
                if metatable ~= nil and type(metatable.__index) == "table" then
                    for k, v in pairs(metatable.__index) do
                        lua = lua .. " " .. serialize(k) .. ":" .. serialize(v) .. ","
                    end
                end
                lua = lua .. "}"
            elseif t == "nil" then
                return nil
            else
                error("can not serialize a " .. t .. " type.")
            end
            return lua
        end

        function table2string(tablevalue)
            local stringtable = serialize(tablevalue)
            return stringtable
        end

        local data = ngx.req.get_headers()
        local data_string = table2string(data)
        ngx.log(ngx.ERR, "Got header---------------------------- \n"..data_string.."\n")
    }

}

Configuration option 2

header_filter_by_lua_block {
    local data_string = ngx.req.raw_header()
    ngx.log(ngx.ERR, "Got header---------------------------- \n"..data_string.."\n")
}
  1. Add the following to the http section to change the log format and record the request body

    log_format postlog '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" '
    '"$request_body"';
    Append postlog to every access_log directive and the request body will be recorded,
    for example: access_log /www/wwwlogs/access.log postlog;
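The postlog format (used both in the webhoneypot default.conf earlier and in the Baota config here) puts $request_body last, and two details matter when reading it back: an absent body is written as "-", and nginx escapes any quote or backslash inside a logged variable as \x22 and \x5C, so a JSON body has to be unescaped before it is readable. The parser below is an added example, not part of the original post or of Baota/nginx; its log lines are constructed to match the curl tests in the next section, with documentation-range addresses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Regex for the custom "postlog" format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$request_body"
# Quotes inside a variable never appear raw (nginx writes them as \x22), so a
# [^"]* group per quoted field is safe.
POSTLOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)" "(?P<body>[^"]*)"$')

# Constructed sample lines (documentation-range addresses): a GET with no body,
# the POST with c=3&d=5 from the curl test, and a JSON body whose quotes nginx
# has escaped as \x22.
SAMPLE_LINES = [
    '203.0.113.5 - - [14/Mar/2021:10:00:00 +0800] "GET /index.php?a=1&b=2 HTTP/1.1" '
    '200 512 "-" "curl/7.68.0" "-" "-"',
    '203.0.113.5 - - [14/Mar/2021:10:00:01 +0800] "POST /index.php?a=1&b=2 HTTP/1.1" '
    '200 512 "-" "curl/7.68.0" "-" "c=3&d=5"',
    '198.51.100.9 - - [14/Mar/2021:10:00:02 +0800] "POST /api/login HTTP/1.1" '
    '404 162 "-" "Mozilla/5.0" "-" "{\\x22username\\x22:\\x22admin\\x22}"',
]

def nginx_unescape(value):
    """Undo nginx's default log escaping: \\xHH sequences back to the character."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)

def parse_postlog(line):
    """Parse one postlog line into a dict; '-' fields become None, the query
    string and a form-encoded body are decoded. Returns None if the line does not match."""
    m = POSTLOG_RE.match(line.strip())
    if not m:
        return None
    f = {k: (None if v == '-' else nginx_unescape(v)) for k, v in m.groupdict().items()}
    method, _, rest = (f['request'] or '').partition(' ')
    target, _, proto = rest.rpartition(' ')
    url = urlsplit(target)
    body = f['body']
    f.update(
        method=method or None, path=url.path or None, query=parse_qs(url.query),
        protocol=proto or None, status=int(f['status']), bytes=int(f['bytes']),
        form=parse_qs(body) if body and '=' in body and not body.startswith('{') else {})
    return f

def parse_postlog_lines(lines):
    """Parse many lines, skipping those that do not match the format."""
    return [p for p in (parse_postlog(l) for l in lines) if p]
```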

Checking and testing

  1. Enter the IP in a browser.

    Or test with the following commands

    # the URL must be quoted, otherwise the shell treats "&" as a background operator
    curl -i "http://ip/index.php?a=1&b=2"
    curl -i -d "c=3&d=5" "http://ip/index.php?a=1&b=2"
  2. Security –> Web logs: /www/wwwlogs –> the /www/wwwlogs link –> go into the file directory and find default.com.error.log –> double-click to open it; the detailed request parameters and response information can now be seen
