Honeypot as a Service beta testing since 1st October!

Hello!

Let me introduce you to a research project: Honeypot as a Service (HaaS), powered by CZ.NIC

What is a honeypot?

It’s software that simulates an operating system and allows attackers to log in and execute commands (for example: downloading malware through tftp/wget, removing some files and so on).
Each attack is recorded and we can analyse his/her behaviour and also the downloaded malware.

Analysing the behaviour of the attackers will be used for further innovation of the SSH honeypot and for the [CSIRT.CZ](https://csirt.cz/) (Cyber Security Response Team operated in the Czech Republic).

How does it work?

Volunteers (including an organization or company) will install and run the HaaS proxy application, which will forward incoming traffic from port 22 (which is commonly used for SSH) to the HaaS server.

How can I get involved?

It’s very simple.
Sign up, add a device then download and run the HaaS proxy application. :slight_smile:

What will you get?

  1. A good feeling that you will contribute to the improvement of cyber security and preparedness for cyber attacks in the Czech Republic.

  2. Interesting information about the attacks on your device, on the HaaS website after login:

     - From which IP address the attacker logged in
     - Credentials he used to log in
     - Attacker behavior
     - The scripts which the attacker ran in the honeypot

Thank you for any cooperation!

HaaS should be in the next major TurrisOS version. In the meantime you can use the SSH honeypot.

More details can be found here: Honeypot as a Service - Join the fight against malware!

4 Likes

Thanks for the service.

Will there be a systemd or init.d script for launching haas_proxy? Launching it and possibly killing it isn’t easy. I need to search for the command in history every time… The main issue is that I need to type the command after every reboot (not a big issue, but I can forget…)

1 Like

I often see this in my logs:

    2017-10-19T21:02:30+0200 [SSHService b'ssh-connection' on SSHServerTransport,4,XXX.XXX.XXX.XXX] got channel b'direct-tcpip' request
    2017-10-19T21:02:30+0200 [SSHService b'ssh-connection' on SSHServerTransport,4,XXX.XXX.XXX.XXX] channel open failed
        Traceback (most recent call last):
          File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 118, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 81, in callWithContext
            return func(*args,**kw)
          File "/usr/lib/python3/dist-packages/twisted/conch/ssh/service.py", line 45, in packetReceived
            return f(packet)
          File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 151, in ssh_CHANNEL_OPEN
            log.err(e, 'channel open failed')
        --- <exception caught here> ---
          File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 138, in ssh_CHANNEL_OPEN
            packet)
          File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 546, in getChannel
            data)
          File "/usr/lib/python3/dist-packages/twisted/conch/avatar.py", line 23, in lookupChannel
            raise ConchError(OPEN_UNKNOWN_CHANNEL_TYPE, "unknown channel")
        twisted.conch.error.ConchError: (3, 'unknown channel')

What does that mean and what is causing that error?

No idea about the error and no idea whether it is ready for general public, but I have my package with service file: https://build.opensuse.org/package/show/home:-miska-:arm/mitmproxy

1 Like

The website clearly claims public beta-testing since the beginning of this month.

2 Likes

Given that AFAIK it wasn’t announced anywhere, could be just a placeholder till they decide on the correct date :wink:

1 Like

Insider information: it’s not so and the public beta testing is real.

1 Like

Yesterday a new version was released. If it still doesn’t work for you, would you please be so kind as to contact the guys responsible for Honeypot as a Service at this email: haas@nic.cz? :slight_smile:

AFAIK it means that some client is trying to do port forwarding and the server refuses it. It’s quite unfortunate that the error which is expected (you don’t want the honeypot to do the port forwarding) is logged so verbosely…

I’ve reported this with an explanation of how to reproduce: https://gitlab.labs.nic.cz/haas/proxy/issues/2

1 Like
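An added example, not part of the thread or of the HaaS project's code: one way to collapse the verbose tracebacks discussed above into a count of refused channel-open requests per source and channel type. The log layout is taken from the lines quoted in the thread; the function name `summarize` and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Header of a proxy log line as quoted in the thread:
# <timestamp> [SSHService b'ssh-connection' on SSHServerTransport,<n>,<peer>] <message>
LINE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[+-]\d{4}) "
    r"\[SSHService b'ssh-connection' on SSHServerTransport,"
    r"(?P<conn>\d+),(?P<peer>[^\]]+)\] (?P<msg>.*)$"
)
REQUEST = re.compile(r"got channel b'(?P<kind>[^']+)' request")

# Constructed sample input (not real traffic).
SAMPLE = """\
2017-10-19T21:02:30+0200 [SSHService b'ssh-connection' on SSHServerTransport,4,203.0.113.7] got channel b'direct-tcpip' request
2017-10-19T21:02:30+0200 [SSHService b'ssh-connection' on SSHServerTransport,4,203.0.113.7] channel open failed
\tTraceback (most recent call last):
\ttwisted.conch.error.ConchError: (3, 'unknown channel')
2017-10-19T21:02:31+0200 [SSHService b'ssh-connection' on SSHServerTransport,4,203.0.113.7] got channel b'direct-tcpip' request
2017-10-19T21:02:31+0200 [SSHService b'ssh-connection' on SSHServerTransport,4,203.0.113.7] channel open failed
2017-10-19T21:03:02+0200 [SSHService b'ssh-connection' on SSHServerTransport,5,198.51.100.23] got channel b'session' request
""".splitlines()


def summarize(lines):
    """Count refused channel-open requests per (peer, channel type)."""
    pending = {}          # (conn, peer) -> channel type awaiting an outcome
    refused = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue      # traceback body or unrelated output: no header
        key = (m["conn"], m["peer"])
        req = REQUEST.search(m["msg"])
        if req:
            pending[key] = req["kind"]
        elif m["msg"].startswith("channel open failed") and key in pending:
            # Refusal logged right after the request on the same transport.
            refused[(m["peer"], pending.pop(key))] += 1
        else:
            pending.pop(key, None)   # anything else ends the pairing
    return refused


if __name__ == "__main__":
    for (peer, kind), n in summarize(SAMPLE).most_common():
        print(f"{peer}\t{kind}\t{n} refused")
```
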

And if you need to use SSH through Turris Omnia to your local network? Can you use both?

Hello,
of course. You can use both.

In your LAN you don’t need to change anything and you are able to connect directly to your router, while from the WAN, bots and anyone else who tries to connect to your SSH will be redirected to the honeypot.

If you want to remotely access your router via SSH, please see our documentation, where it is explained what you need to do.

Also, you can use HaaS on your desktop/server or wherever you want, but it requires a public IPv4 address.

1 Like