This blog post was authored by Veronica Valeros (@verovaleros) on May 3, 2022
In this blog we will describe how to install Glutton [1] honeypot in a cloud server instance. This blog is divided in three parts: (i) how to create a new Digital Ocean instance, (ii) how to install Glutton on it, and (iii) a walkthrough to some of the data captured by Glutton.
Creating a new Digital Ocean Droplet
In this occasion, we chose the cloud provider Digital Ocean [2], which offers a variety of cloud instances or droplets in eight different regions. We love Digital Ocean, and it’s one of the most affordable and reliable hosting providers in our experience.
Step one is to log in or create a new account in Digital Ocean. If you use our [referral code], you will be supporting our research and we appreciate it very much!
Step two is to create a new droplet. A droplet is how Digital Ocean refers to a new cloud server:
Step 2: Select the option to create a new droplet
Step three is to select the base image that will be used to create this new cloud sever. This time we will use as a base an Ubuntu image, specifically Ubuntu 20.04 LTS x64.
Step 3: Selecting the base image for the honeypot
Step four is to select the plan and the specs of our new server. For this honeypot, we will choose the most basic configuration: shared CPU, 1GB RAM, 1 CPU, 25GB storage and 1000 GB of data transfer. This is a simple setup for testing things out; if you are deploying this honeypot for long term data capture, we recommend picking better specs on the server and increasing the storage.
Step 4: Selecting the server specs (memory, CPU, storage, etc)
Step five is to select the region of the server. This will depend on where you are located and the reason behind running the honeypot in the first place. If it is just for fun, we recommend selecting the country closer to home; this will ensure your connection to the server will be the fastest.
Step 5: Selecting the region of the cloud server
Step six is to select a form of authentication. There are two options, adding a SSH Key or a password. In this case, we will write down a long and secure password (it can be reset later from Digital Ocean web interface).
Step 6: Select the authentication method: SSH Key or Password.
Step seven is where we choose how many droplets or instances we are going to create, and chose a hostname for our droplet.
Step 7: Select the number of droplets to create and a hostname for the droplet.
Once our configurations are ready, we click on Create Droplet and wait.
Step 8: Select create droplet to start instantiating the new cloud server
Once the droplet is created, you should see it listed in your project or droplets section. Copy the IP address of the droplet and log-in using SSH: ssh root@xxx.xxx.xxx.xxx
Step 9: Login to the newly created cloud server using SSH using the information provided in the previous steps and the assigned IP address visible from the account dashboard.
If everything went well, you logged in to your new server and you are ready to install Glutton!
Step 10: Successful login into the new cloud server
Installing Glutton: the “all eating honeypot”
Glutton is a low interaction honeypot written in GO created around 2017 by Lukas Rist (@glaslos) and The Honeynet Project (@ProjectHoneynet). Glutton listens in all ports for incoming connections. Every connection is matched against a list of predefined rules which act as handlers, indicating what to do with the incoming traffic. If a rule is matched it can be drop, proxied to a different service, or processed by Glutton. Thanks to Glutton’s design, it can be combined with other honeypots: all incoming SSH traffic in Glutton can be forwarded to a Cowrie honeypot which can do a more complex handling of the SSH sessions.
The installation of Glutton in our new cloud server can be done in a few steps: i. Installing dependencies, ii. Configuring the system, iii. cloning the Glutton GitHub repository, iv. building and running Glutton. There is an interesting article, covering some more specific areas of Glutton in [3], be sure to check it out.
Installing dependencies
There are a few dependencies we need to install in the system before being able to compile and run Glutton.
This is a fresh Ubuntu installation, so we need to start by updating the package sources. As we mentioned before Glutton is written in GO, so we need to install GO. We also need to install the dependencies for Glutton as mentioned in their GitHub repository [1]. The following commands should install all it is needed in this step:
apt update
apt install -y make gcc jq
apt install -y libnetfilter-queue-dev libpcap-dev iptables lsofThe next step is to install GO 1.17. This time we will install it from source:
wget https://dl.google.com/go/go1.17.7.linux-amd64.tar.gz
tar -xvf go1.17.7.linux-amd64.tar.gz
mv go /usr/local
export GOROOT=/usr/local/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATHIf everything went well, you should see ‘go1.17’ in the output of ‘go version’:
Configuring the System
Our cloud instance uses the default (and most interesting) port for SSH (22/TCP). However, we want to capture these attacks in Glutton. So the next step is to change the default port in our SSH server to a different one, e.g.: 5001.
Following the guide from Glutton, this can be done in two steps:
sed -i 's/[# ]*Port .*/Port 5001/g' /etc/ssh/sshd_config
service ssh restartThis means that next time we login to the server we need to use the new port:
ssh root@<server-ip> -p 5001Cloning the Glutton GitHub Repository
We are ready to clone the Glutton Git repository [1]:
git clone https://github.com/mushorg/glutton.gitBUILDING and running Glutton
Now that we have Glutton’s code and all dependencies installed, it is time to build and run it! Following the guide from Glutton’s repository [1], we first build it:
cd glutton
make buildTo run Glutton simply run the following command (from /root/glutton) and you should be able to see the honeypot in action :
bin/serverGlutton Data
Congratulations! You have Glutton running!
The data captured by Glutton is shown in the terminal when running the service. To store the results, we need to run the service specifying where to store these logs. For this, we will stop (CTRL+C) and start the server again with the following parameters:
bin/server -l /var/log/gluttonAfter leaving Glutton running for a little bit, you can see and work with the output logs. Each line in the log is an event in JSON format which can easily be ingested in some SIEM for further processing. Here is an example of one event line:
{
"level": "info",
"ts": 1651590315.6039968,
"msg": "login attempt: 52.83.131.72:59644, user root password: 1QAZ2wsx",
"sensorID": "2424c9e2-3cc0-4ced-9e5a-19a5e7c0ea60",
"handler": "ssh proxy",
"src_ip": "52.83.131.72",
"src_port": "59644",
"user": "root",
"password": "1QAZ2wsx"
}Let’s look at some interesting data we can obtain from Glutton.
Known Scanners
One of the first things that came to my attention was the known scanners. These are entities that are constantly scanning the Internet. Within minutes of running the honeypot, we already have probes from censys and shadowserver!
Find all the IPs from known scanners with:
grep "IP from a known scanner" /var/log/glutton | less -SFind all the scanners with the number of events observed:
grep "IP from a known scanner" /var/log/glutton| jq .scanner | sort | uniq -c | sortHTTP GET Requests
There were quite a few HTTP GET requests received during the first minutes of running Glutton. Here is an example of one of the outputs generated by Glutton:
{
"level": "info",
"ts": 1651590187.0254521,
"msg": "HTTP GET request handled: /rb/getip.php",
"sensorID": "2424c9e2-3cc0-4ced-9e5a-19a5e7c0ea60",
"handler": "http",
"dest_port": "3128",
"src_ip": "141.101.196.233",
"src_port": "28196",
"path": "/rb/getip.php",
"method": "GET",
"query": "Z79124357572Q1="
}We can get very quickly a list of resources targeted with:
grep "HTTP GET request handled" /var/log/glutton | jq .path | sort | uniq -c | sort
And a list of source IPs making HTTP GET queries with:
grep "HTTP GET request handled" /var/log/glutton | jq .src_ip | sort | uniq -c | sort
Conclusion
Glutton is a very easy to install and to use honeypot, flexible enough to tweak and play with. Definitely a good choice for those interested in a wide reach and low interaction honeypot to have some visibility on the incoming attacks. Be sure to check it out, test it and have fun!
References
[1] Glutton, the all eating honeypot, https://github.com/mushorg/glutton. Accessed on 03/05/2022.
[2] Digital Ocean cloud provider, https://cloud.digitalocean.com/. Accessed on 03/05/2022.
[3] An analysis of Glutton — All Eating honeypot, https://cstayyab.medium.com/an-analysis-of-glutton-all-eating-honeypot-625adf70a33b. Accessed on 03/05/2022.