HFish - Configuring a Super Cool Honeypot to Discover Attackers' Weaknesses
Introduction
A honeypot is a deception technology: hosts, network services, or data are set up as bait so that attackers attack them instead of real assets. Their activity can then be captured and analyzed to learn the tools and methods they use and to infer their intentions and motives. This gives defenders a clear picture of the threats they face and a basis for strengthening the protection of production systems through technical and management controls.
HFish is a free, simple, and secure honeypot product that helps security teams raise threat awareness in daily operations, discover attackers' weaknesses, and respond accordingly. Typical uses include detecting lateral movement by compromised hosts in office intranets, production environments, and cloud intranets; detecting leaked employee credentials; detecting scanning and probing; producing private threat intelligence; and running internal drills and security awareness training. Its alert outputs can be fed to situational awareness, NDR, XDR, or log platforms, which greatly widens detection coverage.
HFish uses a B/S (browser/server) architecture with two parts: a management end and node ends. The management end creates and manages nodes, and receives, analyzes, and displays the data that nodes send back. Nodes accept control from the management end, run the honeypot services, and absorb the attacks. In a normal deployment the management end only analyzes and displays data, while the nodes do the decoy work. You can also install just the management end and use its built-in node to try out the honeypot services directly.
Environment Requirements:
Honeypot deployed on the intranet:
  Management end, recommended: 2 cores, 4 GB RAM, 200 GB disk
  Management end, minimum: 1 core, 2 GB RAM, 100 GB disk
  Node end, recommended: 1 core, 2 GB RAM, 50 GB disk
  Node end, minimum: 1 core, 1 GB RAM, 50 GB disk
Honeypot deployed on the Internet:
  Management end, recommended (up to 5 nodes): 4 cores, 8 GB RAM, 200 GB disk
  Management end, minimum: 2 cores, 4 GB RAM, 100 GB disk
  Node end, recommended: 1 core, 2 GB RAM, 50 GB disk
  Node end, minimum: 1 core, 1 GB RAM, 50 GB disk
Note: the disk space taken by logs depends heavily on the volume of attacks; 200 GB or more is recommended for the management end.
Deployment Method One: Install from Source Code
CentOS is the recommended operating system for this setup.
Step One: Open the firewall ports (if other ports are needed later for honeypot services, open them with the same command)
firewall-cmd --add-port=4433/tcp --permanent # web interface
firewall-cmd --add-port=4434/tcp --permanent # node-to-management communication
firewall-cmd --reload
Step Two: Run the following command (it downloads the official install script and executes it; if your change policy requires it, download the script to a file and review it before running it)
bash <(curl -sS -L https://hfish.net/webinstall.sh)
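The two steps above open 4433 and 4434 to every source, which is acceptable on a trusted intranet but not when the management end sits on the Internet. The following added example (not part of the original post or the HFish project) shows that open-to-all form beside a hardened one that uses firewalld rich rules to accept 4433 only from an admin range and 4434 only from the range nodes call back from, and fetches the installer to a file for review instead of piping it into bash. The CIDRs 10.0.0.0/24 and 10.0.1.0/24 and the variable HFISH_APPLY are placeholders of this example; the honeypot service ports on the node end are deliberately left unrestricted, since attackers are supposed to reach them.

```shell
#!/bin/sh
# Added example; not from the original post or the HFish project.
# Assumptions: CentOS with firewalld (as in the post), a POSIX sh, and two
# placeholder ranges: the admin CIDR, the only network that should reach the
# web UI on 4433, and the node CIDR, the only network from which remote nodes
# call back on 4434. Honeypot service ports on the node end are NOT
# restricted here; those are meant to be reachable by attackers.

# The post's form: opens both management ports to every source. Fine on a
# trusted intranet, risky when the management end sits on the Internet.
hfish_fw_open_all() {
    printf '%s\n' \
        'firewall-cmd --permanent --add-port=4433/tcp' \
        'firewall-cmd --permanent --add-port=4434/tcp' \
        'firewall-cmd --reload'
}

# Hardened form: firewalld rich rules that accept 4433 only from the admin
# range and 4434 only from the node range. Prints the commands so they can
# be reviewed; hfish_fw_apply runs them.
hfish_fw_restricted() {
    admin_cidr="$1"
    node_cidr="$2"
    printf "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=%s port port=4433 protocol=tcp accept'\n" "$admin_cidr"
    printf "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=%s port port=4434 protocol=tcp accept'\n" "$node_cidr"
    printf 'firewall-cmd --reload\n'
}

# Dry run by default; set HFISH_APPLY=1 to execute the printed commands.
hfish_fw_apply() {
    if [ "${HFISH_APPLY:-0}" = 1 ]; then
        hfish_fw_restricted "$@" | sh -e
    else
        echo 'dry run (set HFISH_APPLY=1 to execute):' >&2
        hfish_fw_restricted "$@"
    fi
}

# Fetch the one-click installer to a file for review instead of piping it
# straight from curl into bash. The post gives no checksum, so the review is
# manual: read the script, then run it by hand.
hfish_fetch_installer() {
    curl -sS -L -o webinstall.sh https://hfish.net/webinstall.sh || return 1
    sha256sum webinstall.sh       # record the hash with the change record
    echo 'review webinstall.sh, then run: bash webinstall.sh' >&2
}

# Usage:
#   hfish_fw_apply 10.0.0.0/24 10.0.1.0/24            # dry run, prints rules
#   HFISH_APPLY=1 hfish_fw_apply 10.0.0.0/24 10.0.1.0/24
#   hfish_fetch_installer
```

If nodes are spread across cloud providers with no fixed source range, restrict 4433 only and leave 4434 open, or put the node traffic on a VPN so that a single range can be used.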
After deployment, open https://<your-ip>:4433/web/ in a browser to reach HFish.
Default username: admin
Default password: HFish2021
Change this password right after the first login; it is published in the documentation, and the web interface is exactly what an attacker who finds port 4433 will try first.
HFish automatically creates a built-in node on the management end; after logging in you can see it in the "Node Management" list.
This node enables several services by default: FTP, SSH, Telnet, Zabbix monitoring, Nginx, MySQL, Redis, HTTP proxy and ElasticSearch honeypots, and generic TCP port listening. Note: the built-in node cannot be deleted, but it can be paused.
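A quick way to confirm that the built-in node's services actually came up is to compare the expected honeypot ports with what is listening on the host. The following added example (not part of the original post or the HFish project) parses `ss -ltn` output and reports any expected port with no listener; the default port list in it is an assumption about the built-in node, so read the real ports from the "Node Management" page and pass them in.

```shell
#!/bin/sh
# Added example; not from the original post or the HFish project.
# Assumptions: iproute2's `ss` is available on the management host, and the
# default port list (21 FTP, 22 SSH, 23 Telnet, 3306 MySQL, 6379 Redis,
# 9200 ElasticSearch) is a guess at the built-in node's defaults; read the
# real ports from the "Node Management" page and pass them in instead.

# hfish_missing_ports "PORT PORT ..."  < ss-output
# Reads `ss -ltn` lines on stdin (a header line is tolerated), extracts the
# port from the Local Address:Port column (handles 0.0.0.0:22, [::]:22 and
# *:22), and prints every expected port that has no listener, one per line.
hfish_missing_ports() {
    listening=$(awk '{ n = split($4, a, ":"); print a[n] }' | sort -u)
    for p in $1; do
        printf '%s\n' "$listening" | grep -qx "$p" || echo "$p"
    done
}

# Run on the management host after install. Returns 1 if anything expected
# is not listening, so it can gate a deployment pipeline.
hfish_check_node() {
    ports="${1:-21 22 23 3306 6379 9200}"
    missing=$(ss -ltn | hfish_missing_ports "$ports")
    if [ -n "$missing" ]; then
        echo "honeypot ports not listening: $(echo $missing)" >&2
        return 1
    fi
    echo "all expected honeypot ports are listening"
}

# Usage:
#   hfish_check_node                 # default (assumed) port list
#   hfish_check_node "21 22 8080"    # ports taken from Node Management
```

A listener on the host only proves the service is up; reachability from the network segment you want to monitor should be confirmed with a probe from another machine, and that probe will itself show up as an alert in HFish, which is a useful end-to-end check of the alert path.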
Add Node
- Go to the "Node Management" page and click "Add Node".
- Choose the installation package and the callback address (the management end address the node reports to) that match the node's device type.
- Run the generated command or installation package on the node machine; the node is then deployed and appears in the list.
Related Links:
Official Website: https://hfish.net
Original link: http://enblog.fuyiran.link/Technology/23.html
Copyright: All posts on this blog, unless otherwise stated, are published under the CC BY-NC-SA 4.0 license. Please credit the source when reprinting: Fu Speaking (enblog.fuyiran.link)