Honeypots can be a great tool to use within your environment to gain visibility into active threats or curious insiders that could introduce risk to an environment.
By placing honeypots at various locations around your environment, e.g., your workstation and server subnets, you can quickly determine if a threat is poking at hosts to find new avenues for access.
The current version of the Blumira honeypot deploys a fake NAS DiskStation into a container on your sensor. This provides enough functionality to catch most attackers short of the highly advanced, and it is especially useful against insiders who might be probing internally. It listens on ports 8080, 21, and sometimes 8022, although the first two ports are the main focus.
To deploy a Blumira honeypot:
Note: The Short name will show up as the hostname, so make it something enticing to an attacker!
At this point, your honeypot has been set up and the host should be listening on the honeypot ports identified above: 8080, 21 and, at times, 8022, with the first two the main focus. These ports were chosen so that they do not conflict with host access (port 22) or Syslog collection (port 514).
While the initial version of the Blumira Honeypot is limited, it presents enough functionality to catch most attackers short of the highly advanced, and especially insiders who are poking around.
Below is the fake port 8080 DiskStation login page that is deployed with the current Blumira Honeypot. This is, of course, a fake site that cannot actually be authenticated into or used to take data from.
When a user attempts to authenticate and fails, they are presented with the normal DiskStation alert that the authentication failed. At the same time, a log entry is created and passed through the logging module and up to the Blumira platform for threat validation.
In an effort to catch users who are scanning and attempting to authenticate to weak protocols, the Blumira Honeypot exposes an FTP service that presents itself to the network as ProFTPD.
When an authentication attempt or a scan occurs, the honeypot captures the event and passes the event log to the logging module and then to the Blumira platform for threat validation.
Once you have the Honeypot module successfully installed, you may want to test it to verify that it is functioning. The easiest way to do this is to browse to the sensor IP over HTTP on port 8080 (for example, http://192.168.1.82:8080). You should be presented with the DiskStation login page as shown in the screenshot above.
From there, you can test logging into the login page, which should trigger a Blumira finding automatically. This is a fake login, so no valid credentials exist for this “DiskStation”.
Note: Detections must be deployed before testing will trigger an alert. This is an automated process but there is a delay (1-4 hours) from when new log types are received to when detections for those log types are deployed.
Additionally, you can attempt an FTP connection to the honeypot using the sensor IP over port 21 or 8022. A login attempt will also trigger a Blumira finding.
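As an added example (not part of Blumira's documentation or sensor code), the Python health check below automates the verification steps above: it connects to the documented ports, reads the FTP greeting and fetches the port 8080 page, and never submits credentials. The "DiskStation" marker text in the page body is an assumption, and the default sensor address is the 192.168.1.82 example used above.

```python
import socket
import http.client

# Ports the page documents: 8080 (HTTP login page), 21 (FTP shown as ProFTPD), at times 8022 (FTP).
HONEYPOT_PORTS = {8080: "http", 21: "ftp", 8022: "ftp"}
OPTIONAL_PORTS = {8022}   # not always listening, so it never fails the check on its own

def ftp_banner_ok(banner: str) -> bool:
    """True if the greeting is an FTP 220 banner that identifies itself as ProFTPD."""
    return banner.startswith("220") and "ProFTPD" in banner

def http_page_ok(status: int, body: str) -> bool:
    """True if the page was served and mentions DiskStation (assumed marker text)."""
    return status == 200 and "diskstation" in body.lower()

def probe_ftp(host: str, port: int):
    """Connect, read the greeting only, disconnect. No USER/PASS is ever sent."""
    with socket.create_connection((host, port), timeout=5) as sock:
        banner = sock.recv(1024).decode("ascii", errors="replace").strip()
    return ftp_banner_ok(banner), banner

def probe_http(host: str, port: int):
    """Fetch the login page with a plain GET; nothing is submitted to the form."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return http_page_ok(resp.status, body), f"HTTP {resp.status}"
    finally:
        conn.close()

def check_honeypot(host: str) -> dict:
    """Map each documented port to (ok, detail); connection errors are reported, not raised."""
    results = {}
    for port, service in HONEYPOT_PORTS.items():
        probe = probe_http if service == "http" else probe_ftp
        try:
            results[port] = probe(host, port)
        except OSError as exc:          # refused, timed out, unreachable
            results[port] = (False, f"no answer ({exc})")
    return results

def all_required_up(results: dict) -> bool:
    """Healthy when every non-optional port answered with the expected service."""
    return all(ok for port, (ok, _) in results.items() if port not in OPTIONAL_PORTS)

if __name__ == "__main__":
    for port, (ok, detail) in sorted(check_honeypot("192.168.1.82").items()):  # sensor IP from the example above
        print(port, "OK " if ok else "BAD", detail)
```

Since the honeypot also captures scans, expect this probe itself to produce a finding; run it from a known administrative host so that alert is recognisable as your own test.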