蜜罐搭建记录

tcppc蜜罐搭建记录

只是记录一下tcppc蜜罐的搭建步骤,不一定适合所有人

购买VPS主机：https://www.vultr.com/?ref=8391117-6G

QQ群：397745473

参考：https://www.freebuf.com/articles/network/240041.html

做少量修改才跑起来
不修改路径好像会有点问题。

apt-get update
apt-get upgrade
sed -i 's/#Port 22/Port 9922/g'  /etc/ssh/sshd_config && dd if=/dev/zero of=/var/swapfile bs=1M count=2048 && /sbin/mkswap /var/swapfile && /sbin/swapon /var/swapfile && chmod 0600 /var/swapfile && echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
apt install -y docker.io
apt-get install python3-pip
pip3 install docker-compose
service docker start

mkdir docker_test

vim Dockerfile

###使用golang作为基础镜像提供程序运行环境
FROM golang
#设置时区变量
ENV TZ=Asia/Shanghai
#调整时区,从github拉取相应源码，并编译
run ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
    go get github.com/md-irohas/tcppc-go
#跳转至生成的程序位置
WORKDIR /go/bin/
#执行命令
cmd ["./tcppc-go", "-T","86400","-w","log/tcppc-%Y%m%d.jsonl"]

docker build -t all_port:1.0 .

mkdir log
docker run -it  -d --restart=always  --net=host -v `pwd`/log:/go/bin/log/ all_port:1.0 /bin/bash
docker ps
【进入docker】docker exec -i -t 23e896b7fb20 /bin/bash

开启iptables日志

1. 在文件/etc/rsyslog.conf中添加一行内容，kern.info /var/log/iptables.log

2. 为了让日志和ssh日志一样回滚，将文件名/var/log/iptables.log加入文件/etc/logrotate.d/rsyslog中
参考:
/var/log/syslog
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
/var/log/iptables.log
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

service rsyslog restart

iptables日志规则

iptables -t nat -A PREROUTING -p tcp -i ens3 --dport 80:8000 -j LOG --log-level 6 --log-prefix "port_for"
iptables -t nat -A PREROUTING -p tcp -i ens3 --dport 80:8000 -j REDIRECT --to-ports 12345

参考: https://github.com/siberkuvvet/siberkuvvet-honeypot
【进入docker】docker exec -i -t 23e896b7fb20 /bin/bash
$ openssl genrsa 2048 > server.key
$ openssl req -new -key server.key > server.csr
$ openssl x509 -days 36500 -req -signkey server.key < server.csr > server.crt


cd /go/bin/;./tcppc-go -T 86400 -C server.crt -K server.key -w log/tcppc-%Y%m%d.json

HFish 搭建记录

HFish官网: https://github.com/hacklcx/HFish

apt-get update && apt-get upgrade -y

sed -i 's/#Port 22/Port 9922/g'  /etc/ssh/sshd_config && dd if=/dev/zero of=/var/swapfile bs=1M count=2048 && /sbin/mkswap /var/swapfile && /sbin/swapon /var/swapfile && chmod 0600 /var/swapfile && echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
sed -i 's/mouse=a/mouse-=a/g' /usr/share/vim/vim81/defaults.vim;
apt install -y docker.io
apt-get install -y python3-pip
pip3 install docker-compose
service docker start


git clone https://github.com/hacklcx/HFish.git
参考: https://www.v2ex.com/t/599168

# 下载镜像
docker pull hfishs/hub      # Docker Hub : https://hub.docker.com/r/hfishs/hub
# 创建配置
mkdir /opt/hfish 
vi /opt/hfish/demo.conf
# 启动
docker run -d -p 80:80 -v /opt/hfish:/home/server hfishs/hub /home/start
# 维护
docker exec -it fervent_swanson bash
# 方便调试 Nginx 配置，无需重启容器
docker exec -it 67c20c772c5a /home/reload  # 67c20c772c5a 为启动的进程 ID


wget http://hfish.cn-bj.ufileos.com/hfish-linux-amd64.tar.gz
mkdir hfish
tar -xzvf hfish-linux-amd64.tar.gz -C hfish
cd hfish
apt -y install tmux


tmux new -d -s mySession && tmux send-keys -t mySession.0 "./server" ENTER


通过浏览器访问 https://ip:4433/web/login 默认用户名密码：admin / HFish2021

节点搭建：
sh -c "$(curl -k https://202.182.102.133:4434/tmp/lzjiwpfwnyrj.sh)"
sh -c "$(curl -k https://202.182.102.133:4434/tmp/wxebamzfngju.sh)"

搭建webhoneypot 蜜罐

框架地址: https://gitlab.com/misc_heading

原文参考: 
https://medium.com/@misc_heading/building-a-real-world-web-honeypot-for-cve-2019-6340-rce-in-drupal-core-f4240f989c3f

尝试把nginx模块更换成openresty,对请求头部进行抓取
参考:
https://stackoverflow.com/questions/24380123/how-to-log-all-headers-in-nginx
https://www.hardill.me.uk/wordpress/2018/03/14/logging-requests-and-response-with-nginx/

下载安装

Webhoneypot 框架是使用Python 3编写的,需要docker和docker-compose才能运行。

apt-get update && apt-get upgrade -y

sed -i 's/#Port 22/Port 9922/g'  /etc/ssh/sshd_config && dd if=/dev/zero of=/var/swapfile bs=1M count=2048 && /sbin/mkswap /var/swapfile && /sbin/swapon /var/swapfile && chmod 0600 /var/swapfile && echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
sed -i 's/mouse=a/mouse-=a/g' /usr/share/vim/vim81/defaults.vim;

apt install -y docker.io
reboot

apt-get install -y python3-pip
pip3 install docker-compose
service docker start

cd ;git clone https://gitlab.com/SecurityBender/webhoneypot-framework.git
cd ;git clone https://gitlab.com/misc_heading/webhoneypot-wordpress.git && cd webhoneypot-wordpress/
mkdir -p nginx/logs
mkdir -p ./apache/html/

sed -i "s|nginx:latest|openresty/openresty:alpine|g" /root/webhoneypot-wordpress/nginx/Dockerfile

sed -i "s|version: '2'|version: '3'|g" /root/webhoneypot-wordpress/docker-compose.yml

/root/webhoneypot-framework/webhoneypot.py -c ./wordpress.json init

修改配置文件

vim /root/webhoneypot-wordpress/nginx/config/default.conf

log_format postlog '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" '				  
                  '"$request_body"';

server {
    listen 80;

    access_log /var/log/nginx/access.log postlog;
    error_log /var/log/nginx/error.log;

    location / {
#        auth_basic "This is not the website you're looking for!";
#        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://apache:80/;
    }
	
	
	
header_filter_by_lua_block {
local data_string = ngx.req.raw_header()
ngx.log(ngx.ERR, "Got header---------------------------- \n"..data_string.."\n")
}


}

WEB程序安装

正常安装一个wordpress,把容易受攻击的插件全安装上

wget https://wordpress.org/latest.tar.gz
wget https://files.phpmyadmin.net/phpMyAdmin/5.1.0/phpMyAdmin-5.1.0-all-languages.zip

查数据库IP: docker inspect webhoneypot-wordpress_mysql_1

修改phpmyadmin目录中libraries文件夹下的config.default.php文件
查找$cfg['Servers'][$i]['host'] ， 将其值设置为上面数据库的IP地址
用phpmyadmin 建立一个数据库和数据库的用户名密码

日常维护

快照功能,这个功能是快速把容器恢复为初始化状态, 数据库会被清空
$ cd ;cd webhoneypot-wordpress/
$ /root/webhoneypot-framework/webhoneypot.py -c ./wordpress.json reset

日志监控：
文件路径：/root/webhoneypot-wordpress/nginx/logs
tail -f webhoneypot-wordpress/nginx/logs/access.log

源码路径: /root/webhoneypot-wordpress/apache/html

【重启docker】docker restart webhoneypot-wordpress_nginx_1
【进入docker】docker exec -i -t webhoneypot-wordpress_mysql_1 /bin/bash

其他参考：
搭建wordpress监控参考:
https://medium.com/@misc_heading/how-i-capture-and-monitor-wordpress-attacks-ceda512b07

常见问题解决

装插件和主题提示需要FTP

在wp-config.php加入以下代码

define("FS_METHOD", "direct");
define("FS_CHMOD_DIR", 0775);
define("FS_CHMOD_FILE", 0775);

装插件和主题没有权限

chmod 755 wp-content/plugins/
chmod 777 wp-content

每天一个日志文件

vim /root/logs.sh

#!/bin/bash

logsPath="/root/webhoneypot-wordpress/nginx/logs"
log_path=$(date -d yesterday +"%Y%m")
day=$(date -d yesterday +"%Y%m%d")

mkdir -p "${logsPath}/${log_path}"
mv "$logsPath/access.log" "$logsPath/$log_path/access_$day.log"
mv "$logsPath/error.log" "$logsPath/$log_path/error_$day.log"
docker restart webhoneypot-wordpress_nginx_1

crontab -e

0 0 * * * /bin/bash /root/logs.sh

chmod 755 /root/logs.sh

用宝塔搭建蜜罐

其他也不叫什么搭建蜜罐吧。只是把日志记录得更加详细一点

环境准备

购买VPS主机：https://www.vultr.com/?ref=8391117-6G

apt-get update && apt-get upgrade -y

sed -i 's/#Port 22/Port 9922/g'  /etc/ssh/sshd_config && dd if=/dev/zero of=/var/swapfile bs=1M count=2048 && /sbin/mkswap /var/swapfile && /sbin/swapon /var/swapfile && chmod 0600 /var/swapfile && echo "/var/swapfile swap swap defaults 0 0" >>/etc/fstab
sed -i 's/mouse=a/mouse-=a/g' /usr/share/vim/vim81/defaults.vim;

apt install -y docker.io
reboot

apt-get install -y python3-pip
pip3 install docker-compose
service docker start

宝塔安装

参考宝塔官方github： https://github.com/ifui/baota

git clone https://github.com/ifui/baota.git
cd baota/ && cp .env-example .env
** 注意,可以用vim .env 把8080改成80
docker-compose up -d app
docker-compose logs app

docker exec -it baota_app_1 bash

# 去掉宝塔强制登陆
sed -i "s|if (bind_user == 'True') {|if (bind_user == 'REMOVED') {|g" /www/server/panel/BTPanel/static/js/index.js

# 还原宝塔强制登陆
sed -i "s|if (bind_user == 'REMOVED') {|if (bind_user == 'True') {|g" /www/server/panel/BTPanel/static/js/index.js

登陆宝塔后安装软件选择参考：
1. openresty 
2. mysql5.6 
3. 去掉FTP的选择
4. PHP7.0 
5. PHPmyadmin 
6. 编译安装

配置nginx服务

1. 网站–>添加站点–> default.com–>其他的保持默认,点确定
2. 网站–>默认站点–> 选择 default.com
3. 网站–>修改默认页–>把4个默认页的内容全部清空 (这步可以省略)
4. 软件商店–>Nginx 1.13.6.2–>设置–>配置修改 在倒数第一个“}” 前面加下以下代码

header_filter_by_lua_block {
function serialize(obj)
    local lua = ""  
    local t = type(obj)  
    if t == "number" then  
        lua = lua .. obj  
    elseif t == "boolean" then  
        lua = lua .. tostring(obj)  
    elseif t == "string" then  
        lua = lua .. string.format("%q", obj)  
    elseif t == "table" then  
        lua = lua .. "{"  
        for k, v in pairs(obj) do  
            lua = lua .. " " .. serialize(k) .. ":" .. serialize(v) .. ","  
        end  
        local metatable = getmetatable(obj)  
        if metatable ~= nil and type(metatable.__index) == "table" then  
            for k, v in pairs(metatable.__index) do  
                lua = lua .. " " .. serialize(k) .. ":" .. serialize(v) .. ","  
            end  
        end  
        lua = lua .. "}"  
    elseif t == "nil" then  
        return nil  
    else  
        error("can not serialize a " .. t .. " type.")  
    end  
    return lua  
end

function table2string(tablevalue)
    local stringtable = serialize(tablevalue)
    return stringtable
end

local data = ngx.req.get_headers()
local data_string = table2string(data)
ngx.log(ngx.ERR, "Got header---------------------------- \n"..data_string.."\n")
}

完整的nginx配置文件

user  www www;
worker_processes auto;
error_log  /www/wwwlogs/nginx_error.log  debug;
pid        /www/server/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;

events
    {
        use epoll;
        worker_connections 51200;
        multi_accept on;
    }

http
    {
        include       mime.types;
		#include luawaf.conf;

		include proxy.conf;

        default_type  application/octet-stream;

        server_names_hash_bucket_size 512;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;
        client_max_body_size 50m;

        sendfile   on;
        tcp_nopush on;

        keepalive_timeout 60;

        tcp_nodelay on;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 64k;
        fastcgi_buffers 4 64k;
        fastcgi_busy_buffers_size 128k;
        fastcgi_temp_file_write_size 256k;
		fastcgi_intercept_errors on;

        gzip on;
        gzip_min_length  1k;
        gzip_buffers     4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
        gzip_vary on;
        gzip_proxied   expired no-cache no-store private auth;
        gzip_disable   "MSIE [1-6]\.";

        limit_conn_zone $binary_remote_addr zone=perip:10m;
		limit_conn_zone $server_name zone=perserver:10m;

        server_tokens off;
        access_log on;
        
        log_format postlog '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" '				  
                  '"$request_body"';	

server
    {
        listen 888;
        server_name phpmyadmin;
        index index.html index.htm index.php;
        root  /www/server/phpmyadmin;

        #error_page   404   /404.html;
        include enable-php.conf;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /www/wwwlogs/access.log postlog;
    }
include /www/server/panel/vhost/nginx/*.conf;

header_filter_by_lua_block {
function serialize(obj)
    local lua = ""  
    local t = type(obj)  
    if t == "number" then  
        lua = lua .. obj  
    elseif t == "boolean" then  
        lua = lua .. tostring(obj)  
    elseif t == "string" then  
        lua = lua .. string.format("%q", obj)  
    elseif t == "table" then  
        lua = lua .. "{"  
        for k, v in pairs(obj) do  
            lua = lua .. " " .. serialize(k) .. ":" .. serialize(v) .. ","  
        end  
        local metatable = getmetatable(obj)  
        if metatable ~= nil and type(metatable.__index) == "table" then  
            for k, v in pairs(metatable.__index) do  
                lua = lua .. " " .. serialize(k) .. ":" .. serialize(v) .. ","  
            end  
        end  
        lua = lua .. "}"  
    elseif t == "nil" then  
        return nil  
    else  
        error("can not serialize a " .. t .. " type.")  
    end  
    return lua  
end

function table2string(tablevalue)
    local stringtable = serialize(tablevalue)
    return stringtable
end

local data = ngx.req.get_headers()
local data_string = table2string(data)
ngx.log(ngx.ERR, "Got header---------------------------- \n"..data_string.."\n")
}

}

配置方案二

header_filter_by_lua_block {
local data_string = ngx.req.raw_header()
ngx.log(ngx.ERR, "Got header---------------------------- \n"..data_string.."\n")
}

5. http部分加以下代码更改log的格式并记录请求体

   log_format postlog '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for" '				  
                     '"$request_body"';

   把所有access_log记录的后面都加上postlog就可以记录请求体了,
   例如: access_log  /www/wwwlogs/access.log postlog;

查看测试

1. 把 IP 输入到浏览器中.

   或者使用以下代码测试

   curl -i http://ip/index.php?a=1&b=2
   curl -i -d "c=3&d=5" http://ip/index.php?a=1&b=2

2. 安全 –> Web日志：/www/wwwlogs –>/www/wwwlogs的链接–>跳到文件目录中找到default.com.error.log–>双击打开 可以查看到详细请求参数和返回参数信息了

QQ群：397745473