Honeypots are security devices whose value lie in being probed and compromised. Traditional honeypots are servers (or devices that expose server services) that wait passively to be attacked. Client Honeypots are active security devices in search of malicious servers that attack clients. The client honeypot poses as a client and interacts with the server to examine whether an attack has occurred.
Clientpot is a kind a client honeypot for the linux systems, which crawls the potentially malicious web servers and log all the suspicious activity occured on the client side. Based on the changes occured in linux file system and linux process tree, logging server decides if the web server is malicous or not.
-
Make your system conatiners workable.
sudo apt-get install lxc lxc-templates
-
create a lxc guest machine name it ub1
sudo lxc-create -n ub1 -t ubuntu
Create a lxc machine for ubuntu named ub1
The name must be ub1 as it is hardcoded in the system
Make sure the ip allocated to lxcbr0 is from the NAT 10.0.3.0/24 else we need to change the system service files -
install necessary utils in lxc_guest
sudo lxc-start -n ub1 && sudo lxc-console -n ub1
login-ubuntu
passwrod-ubuntusudo apt-get install less gcc g++ make zip tar wget curl lynx
-
Copy ./server in current machine on which lxc-host runs(This is our logging Server).
build the server cd ./server make cd build ./server $PORT_NUMBER
For setting up log location, change the value of variable LOG_LOCATION in server.h before make,Make sure that folder exist. you should start logging_server with the default port 8080 else need to change the system service file a bit Server need to be started before the request is sent from the cralwer.
-
Copy the servcices in the service folder to lxc_guest ub1
filemonitor.service
If the defualt of port of logging server is different than 8080, change in the argument given in EXECSTART of this service Default watches are addded to /tmp/ and / directory, that can be added with more watches by specifying in EXECSTART:syntax : [directory_name]/,[PERMISSIONS_FOR_WATCH],[PERMISSIONS_FOR_WATCH], ...
PERMISSIONS_FOR_WATCH includes : ACCESS CREATE DELETE MODIFY ISDIR OPEN If server(lxc host belongs to different NAT) change the server IP relapce it with 10.0.3.1
forkmonitor.service
If Applicable : Apply changes to server IP and PORT in EXECSTARTcrawler.service
Invokes crawler service that runs default on port 7070, dont change thismake sure to give all permissions to service files after copying
-
stop the lxc_guest ub1
sudo lxc-stop -n ub1
This will be treated as the safe copy, that will be restored after every request
-
In the Host machine. Goto lxc-scripts folder and run
sudo python3 lxc_server.py 7070 *<URL_TO_CRAWL>*
remember 7070 is harcoded default port for web_crawler service
-
logs will be created to the log location specified.
Analyse the logs manually.