Let me introduce you to a research project: Honeypot as a Service (HaaS), powered by CZ.NIC.
What is a honeypot?
It’s software that simulates an operating system and allows attackers to log in and execute commands (for example: downloading malware through tftp/wget, removing some files and so on).
Each attack is recorded, and we can analyse the attacker’s behaviour and also the downloaded malware.
The analysis of the attackers’ behaviour will be used for further innovation of the SSH honeypot and for [CSIRT.CZ](https://csirt.cz/) (Cyber Security Response Team operated in the Czech Republic).
How does it work?
Volunteers (including an organization or company) will install and run the HaaS proxy application, which will forward incoming traffic from port 22 (which is commonly used for SSH) to the HaaS server.
How can I get involved?
It’s very simple.
Sign up, add a device, then download and run the HaaS proxy application.
What will you get?
- A good feeling that you will contribute to the improvement of cyber security and preparedness for cyber attacks in the Czech Republic.
- Interesting information about the attacks on your device, on the HaaS website after login:
  - From which IP address the attacker logged in
  - Credentials he used to log in
  - Attacker behavior
  - The scripts which the attacker ran in the honeypot
Thank you for any cooperation!
HaaS should be in the next major TurrisOS version. In the meantime you can use the SSH honeypot.
Will there be a systemd or init.d script for launching haas_proxy? Launching it and possibly killing it isn’t easy. I need to search for the command in history every time… The main issue is that I need to type the command after every reboot (not a big issue, but I can forget…)
Yesterday a new version was released. If it still doesn’t work for you, would you please be so kind as to contact the guys responsible for Honeypot as a Service at this email: haas@nic.cz?
AFAIK it means that some client is trying to do port forwarding and the server refuses it. It’s quite unfortunate that the error which is expected (you don’t want honeypot to do the port forwarding) is logged so verbosely…
In your LAN you don’t need to change anything, and you are able to connect directly to your router; from WAN, bots and anyone else who tries to connect to your SSH will be redirected to the honeypot.
If you want to remotely access your router via SSH, please see our documentation, where it is explained what you need to do.
Also, you can use HaaS on your desktop/server or wherever you want, but it requires a public IPv4 address.