Simple Python Honeypot

I've been thinking about honeypots for the last few weeks and, as I've been playing around with the various products, I wondered what it would take to write something up in Python. Initially, I had these grand ideas, but then it sort of dawned on me that a lot of what I'd been conjuring up would be a reinvention of the wheel.

With a honeypot, what do we really need? If we're building a web server, we need to answer HTTP requests, we need some sort of logging, and we need some method to alert. I could build something from scratch or I could leverage some existing tools. Rather than alerting, I'm going with an IP ban by using Fail2Ban, but it can also trigger emails, which is something I might add later.

My script is hosted under /opt and this is the structure:

The script is pretty simple:

We're defining the working directory: ./web
We're subclassing the request handler so every GET is served and logged.
We're setting up the server.
And we're writing our log file.

    import SimpleHTTPServer
    import SocketServer
    import os
    import sys

    PORT = 8000

    # Serve the decoy site from ./web next to this script, whatever the cwd is
    web_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'web')
    os.chdir(web_dir)

    class GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
        def do_GET(self):
            # Serve the file; the base class writes one Apache-style line per
            # request to sys.stderr, which is the log Fail2Ban will watch
            SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)

    Handler = GetHandler
    # Let the honeypot restart without waiting for the old socket to time out
    SocketServer.TCPServer.allow_reuse_address = True
    httpd = SocketServer.TCPServer(("", PORT), Handler)

    print "serving at port", PORT
    # Send the request log to web/http.log, unbuffered (buffer size 0) so each
    # hit reaches Fail2Ban as soon as it happens; append so restarts keep history
    sys.stderr = open('http.log', 'a', 0)
    httpd.serve_forever()

Assuming you don't have Fail2Ban running already, we have to set up a few things:

    sudo apt-get install iptables-persistent
    Answer Y
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
    sudo iptables -A INPUT -j DROP
    sudo su (the redirect on the next line runs as your own user, so without a root shell it will fail)
    sudo iptables-save > /etc/iptables/rules.v4

    sudo apt-get install fail2ban
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    sudo nano /etc/fail2ban/jail.local

At the bottom, add the following:

In the above, we define our new jail, point it at the log file, and set maxretry (the number of matching hits in the log file before a ban) and bantime (how long the IP stays banned, in seconds).

    sudo nano /etc/fail2ban/filter.d/framework-PyServ.conf

That file doesn't exist yet, so we create it with the following:

In the above, we're parsing the log file for a GET request. If we see one, we trigger the ban.

If you look back at the directory structure, there's an index.html file in /web. I thought it would be fun to make it look like a broken WordPress site:

One GET request is all it takes. When we look in /web/http.log, we see the following:

If we run:

    sudo iptables -S

We see...

Setting an action in jail.local would be all that is required to send off an email alert when an IP was banned.

If you wanted to give someone the benefit of the doubt, you could change the failregex to:

    ^<HOST> - - \[.*\] "GET \/wp-admin.*$
    ^<HOST> - - \[.*\] "GET \/wp-login.php.*$

This way, if someone hits the server, they have to take an extra step to get banned. Personally, in my head, this is running on its own and it only has one purpose. One touch -- you get banned.
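Before trusting a failregex, it helps to replay some log lines through it. The following Python 3 script is an added example, not code from the original post: it feeds constructed http.log lines in the format SimpleHTTPRequestHandler writes ('client - - [date] "request line" status size') through both the one-touch "any GET" rule described for the filter and the two WordPress-only rules above, then applies the jail's maxretry to show which clients would be banned. The `HOST_PATTERN` stand-in for Fail2Ban's `<HOST>` substitution, the exact one-touch pattern and the sample addresses are my assumptions.

```python
import re

# Stand-in for Fail2Ban's <HOST> substitution (an assumption for this example):
# accepts an IPv4 address or a hostname, which is what the handler's
# address_string() may log.
HOST_PATTERN = r'(?P<host>[\w\-.]+)'

# The one-touch rule: any GET request bans the client (assumed form of the
# filter described in the post).
ONE_TOUCH = [r'^<HOST> - - \[.*\] "GET .*$']

# The "benefit of the doubt" rules from the post: only WordPress probes count.
WORDPRESS_ONLY = [
    r'^<HOST> - - \[.*\] "GET \/wp-admin.*$',
    r'^<HOST> - - \[.*\] "GET \/wp-login.php.*$',
]


def compile_failregex(patterns):
    """Turn Fail2Ban-style failregex lines into compiled Python regexes."""
    return [re.compile(p.replace('<HOST>', HOST_PATTERN)) for p in patterns]


def matching_hosts(log_text, compiled):
    """Host from every log line that matches any failregex, in log order.

    This mirrors what the filter hands to the jail: one failure per line.
    """
    hits = []
    for line in log_text.splitlines():
        for regex in compiled:
            match = regex.match(line)
            if match:
                hits.append(match.group('host'))
                break
    return hits


def banned_hosts(hits, maxretry):
    """Apply the jail's maxretry: a host is banned when it reaches maxretry hits."""
    counts = {}
    banned = []
    for host in hits:
        counts[host] = counts.get(host, 0) + 1
        if counts[host] == maxretry:
            banned.append(host)
    return banned


# Constructed sample of the lines SimpleHTTPRequestHandler writes to http.log
# (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Mar/2020 10:15:32] "GET / HTTP/1.1" 200 -
192.0.2.10 - - [21/Mar/2020 10:15:33] "GET /wp-login.php HTTP/1.1" 404 -
198.51.100.7 - - [21/Mar/2020 10:16:01] "GET /robots.txt HTTP/1.1" 404 -
203.0.113.5 - - [21/Mar/2020 10:17:45] "GET /wp-admin/ HTTP/1.1" 404 -
203.0.113.5 - - [21/Mar/2020 10:17:46] "POST /wp-login.php HTTP/1.1" 501 -
"""

if __name__ == '__main__':
    for name, rules in (('one-touch', ONE_TOUCH), ('wordpress-only', WORDPRESS_ONLY)):
        hits = matching_hosts(SAMPLE_LOG, compile_failregex(rules))
        print(name, 'hits:', hits)
        print(name, 'banned with maxretry=1:', banned_hosts(hits, 1))
```

With maxretry=1 the one-touch rule bans all three sample clients on their first GET, while the WordPress-only rules ban just the two that probed wp-login.php or wp-admin; the POST line matches neither. One caveat when you test against a real log: under Python 2 the handler's address_string() runs socket.getfqdn() on the client, so a line may begin with a reverse-DNS name rather than the IP, and the pattern above accepts either. On the honeypot itself, fail2ban-regex http.log /etc/fail2ban/filter.d/framework-PyServ.conf performs the same check against the real filter file.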

© 2020