Overview
Honeypots can be a great tool to use within your environment to gain visibility into active threats or curious insiders that could introduce risk to an environment. By placing honeypots at various locations around your environment (e.g., your workstation and server subnets), you can quickly determine whether a threat is poking at hosts to find new avenues for access.
About the Blumira honeypot
The current version of the Blumira honeypot deploys a fake NAS DiskStation into a container on your sensor. This provides enough functionality to catch most attackers other than the more advanced ones, and it is especially useful against insiders who might be probing internally. It listens on ports 8080, 21, and sometimes 8022, although the first two ports are the main focus.
Procedure
To deploy a Blumira honeypot:
- In the Blumira app, in the menu, click Settings.
- Click Sensors.
- Click the sensor on which you want to deploy a honeypot.
- Under Logging Devices, click Add New Module.
- In the window that appears, type honeypot, and then select the newest Sensor Honeypot Module version that appears in the Module list.
- Click Install.
Testing the honeypot
After you install a honeypot module, you can test it to verify that it is functioning.
To test a honeypot deployment:
- In your browser URL bar, type http:// followed by the IP address of the sensor on which you deployed the honeypot, then the port :8080.
  Example: http://192.168.1.82:8080
- The honeypot's DiskStation page should appear.
- Attempt to log in to the DiskStation using any credentials (none are valid). An authentication failure alert appears, and Blumira automatically sends you a finding.
- Attempt an FTP connection to the honeypot using the sensor's IP address over port 21 or port 8022. Blumira automatically sends you a finding.
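The reachability part of this test can also be scripted and repeated from each subnet that should be able to see the honeypot. The following is an added example, not Blumira code: the script name and function names are hypothetical, and it only checks that the ports listed above answer. Because it connects to the honeypot, it may generate findings just as the manual test does.

```python
import socket
import sys

# Ports named on this page: 8080 (DiskStation web page), 21 and 8022 (FTP).
HONEYPOT_PORTS = {8080: "http", 21: "ftp", 8022: "ftp"}

def probe(host, port, kind, timeout=3.0):
    """Connect once and return (reachable, first line the service sent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                if kind == "http":  # HTTP answers only after a request
                    s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                data = s.recv(256)  # FTP sends its banner unprompted
            except OSError:         # connected, but silent or reset
                data = b""
    except OSError:                 # refused, filtered, or unroutable
        return False, ""
    line = data.split(b"\n", 1)[0].decode("latin-1").strip()
    return True, line

def check_honeypot(host, ports=None, timeout=3.0):
    """Probe every port and return {port: {kind, reachable, first_line}}."""
    results = {}
    for port, kind in (ports or HONEYPOT_PORTS).items():
        reachable, line = probe(host, port, kind, timeout)
        results[port] = {"kind": kind, "reachable": reachable, "first_line": line}
    return results

def deployment_ok(results, required=(8080, 21)):
    """8080 and 21 are the main ports; 8022 is only sometimes open."""
    return all(results.get(p, {}).get("reachable", False) for p in required)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: check_honeypot.py <sensor-ip>")
    else:
        res = check_honeypot(sys.argv[1])
        for port, r in sorted(res.items()):
            state = "open" if r["reachable"] else "closed"
            print(f"{port:>5} {r['kind']:<4} {state:<6} {r['first_line']}")
        sys.exit(0 if deployment_ok(res) else 1)
```

A non-zero exit status means port 8080 or 21 did not answer from where the script was run, which usually points to the module not being installed or to filtering between that subnet and the sensor.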