My next class:

Tech Tuesday Recap / Recordings: Part 2 (Installing the Honeypot) release.

Published: 2020-06-25. Last Updated: 2020-06-25 18:41:00 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

As mentioned during our "Tech Tuesday" session, the session itself was not recorded. Instead, I will be releasing three "stand alone" videos covering the major parts of the workshop.

The videos will be broken up into three parts:

- Introduction. What is DShield and the Internet Storm Center (to be released later today).

- Installing the honeypot. See blow for this video

- Using the DShield / Internet Storm Center Data (to be released tomorrow)

All videos will be available on our YouTube channel

The instructions from the hands-on exercises are available at https://isc.sans.edu/techtuesday .

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

3 comment(s)
My next class:

Comments

Hi Johannes,
So I have the honeypot all setup and running from my LAN interface. I do have a Ubiquity USG, so I setup the LAN2 port on it and the honeypot is pulling an IP from the DHCP pool I configured. However, the status script is showing that it isn't being exposed to the Internet, and I can't ssh into it anymore. I created the firewall rule for all of this, but obviously I did something wrong. Since you specifically mention using a USG in the video, I assume that you have it working? If so, would you please share the firewall rules that you used so I can determine where I went wrong?

Sincerely,
Jon
I don't have a USG in front of me right now. But if I remember right, you configure two networks (e.g. 192.168.1.0/24 for LAN1 and 192.168.2.0/24 for LAN2). Next, you forward inbound traffic to the honeypot's IP via the Unifi admin interface's firewall setup. I found that interface to be a bit buggy at times. Best to log in to the USG via ssh and verify the firewall rules.

If you configured the honeypot in a different network: you need to run the install script again to adjust the honeypot firewall rules for the new network configuration.
Thank you for putting on this presentation. I had tried unsuccessfully to set up the honeypot a few times in the past but because of your class I was able to get it working. I'm proud to now be able to contribute to your valuable cause.

Diary Archives