This repository has been archived by the owner on Jan 2, 2023. It is now read-only.

Deployment Guide

tnich edited this page Mar 16, 2015 · 1 revision

Introduction

This document outlines the intended usage of HonSSH.

Details

HonSSH is intended to sit between the outside world and the honey pot.

  • When HonSSH is first run it will begin a connection to the honey pot, acquire the SSH server version of the honey pot, store it and then disconnect.
  • When an attacker connects to HonSSH, HonSSH will set up an SSH connection with the attacker, and a separate connection with the honey pot. Any data transferred after the key exchange is passed from the attacker to the honey pot and vice versa.
  • It is intended that the machine hosting HonSSH also provides NAT and firewall blocking.
  • HonSSH will not work if private keys are used, so it is recommended to disable Public Key Authentication on the honey pot SSH server.
  • It is suggested that HonSSH use the same encryption keys as the honey pot to fool the attacker further.
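
The first bullet describes reading the honey pot's SSH server version, and the last recommends making HonSSH look like the honey pot. The following is an added example, not HonSSH's own code: a check an operator could run to confirm both endpoints advertise the same identification string. The function names are hypothetical, and the banner value in the sample is constructed.

```python
import socket

def parse_ident(data: bytes) -> str:
    """Extract the SSH identification string (RFC 4253, section 4.2)."""
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # servers may send free-text lines before the banner
        if len(line) + 2 > 255:  # limit includes the CR LF
            raise ValueError("identification string too long")
        fields = line.split(b" ", 1)[0].split(b"-", 2)
        if len(fields) != 3 or fields[1] not in (b"2.0", b"1.99"):
            raise ValueError("malformed identification string")
        return line.decode("ascii")
    raise ValueError("no SSH identification string received")

def fetch_ident(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, read the banner, and disconnect without authenticating."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        while len(buf) < 4096:
            chunk = conn.recv(256)
            if not chunk:
                break
            buf += chunk
            complete = buf.split(b"\n")[:-1]  # lines already terminated
            if any(l.startswith(b"SSH-") for l in complete):
                break
    return parse_ident(buf)

def banners_match(proxy, honeypot) -> bool:
    """True when both (host, port) endpoints advertise the same banner."""
    return fetch_ident(*proxy) == fetch_ident(*honeypot)

if __name__ == "__main__":
    # Constructed sample input; no network access needed for this check.
    sample = b"pre-banner text\r\nSSH-2.0-OpenSSH_6.0p1 Debian-4\r\n"
    print(parse_ident(sample))
```

Call `banners_match` with the HonSSH listener and the honey pot as `(host, port)` tuples; a `False` result means the two banners differ and the proxy can be told apart from the honey pot.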

Operation

                 <-----SSH Connection------>          <-----SSH Connection------>
    
     |----------|        /----------\       |--------|                           |----------|
     | Attacker |--------| Internet |-------| HonSSH |---------------------------| HoneyPot |
     |----------|        \----------/       |--------|                           |----------|

Examples

The following presents two different deployments: one with double NAT, the other with single NAT.

In the honssh.cfg config file the addresses are as follows (the numbers correspond to the labels in the diagrams below):

  1. honey_addr - e.g. 192.168.1.10
  2. client_addr - e.g. 192.168.1.1
  3. ssh_addr & ssh_port

Scenario One

In this scenario HonSSH is sitting behind another NAT router. The NAT router will forward all traffic on port 22 to HonSSH, and HonSSH will then pass that traffic between itself and the Honey Pot.

                                           3)       2)       1)
                                           \        \        \
     /----------\       /------------\       |--------|       |----------|
     | Internet |-------| NAT Router |-------| HonSSH |-------| HoneyPot |
     \----------/       \------------/       |--------|       |----------|
                                                  \
                                                  NAT and Firewall

Scenario Two

This scenario is simpler as HonSSH is connected directly to the internet and therefore only single NAT is taking place.

                      3)       2)       1)
                       \        \        \
     /----------\       |--------|       |----------|
     | Internet |-------| HonSSH |-------| HoneyPot |
     \----------/       |--------|       |----------|
                             \
                              NAT and Firewall

Alternately, do not run NAT on HonSSH and give the attacker no internet access (confusing? :D)

My Setup

2 x Raspberry Pis
