You can use the cloud honeypot feature to deploy honeypots (decoys) in your virtual private clouds (VPCs) and servers and detect attacks that are initiated within and outside the cloud on your servers. You can use honeypots to trace attacks and use the tracing information to defend against attackers. The cloud honeypot feature improves security awareness and prevents attacks. This topic describes how to configure a honeypot.
Prerequisites
The cloud honeypot feature is enabled. For more information, see Purchase the cloud honeypot feature.
If you want to deploy a honeypot in a server that does not have a public IP address in a data center, you must build a proxy server in the data center and configure a proxy IP address for the server when you create a probe in the Security Center console. This way, you can deploy the honeypot in the server in proxy mode.
Procedure overview
When you configure a honeypot, make sure that the host server with the newly added host probe can access its associated management node.
Step 1: Create a management node
A management node is the core and basic component for delivering deception-based protection capabilities. You can configure honeypots in a management node and use probes to forward traffic to the honeypots.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, go to the Configuration Management page. On the Management Node tab, click Create Management Node. In the panel that appears, configure the parameters and click OK. The following table describes the parameters.
Management Node Name: Specify a name for the management node.
Assigned Probes: Specify the number of probes that you want to allocate to the management node. Valid values: 20 to 100. If you specify a value greater than 100, the system automatically sets this parameter to 100. We recommend that you install two to three host probes for each CIDR block and one VPC probe for each VPC.
Note: A probe is used for traffic redirection. Cloud honeypot supports host probes and VPC probes.
Host probe: A host probe installs a client on the host and forwards the traffic of the configured ports to the backend honeypot cluster.
VPC probe: When an IP address (IP_A) in the VPC attempts to access a non-existent internal IP address (IP_B), the traffic is redirected to the VPC probe. Based on the configured honeypot mapping rules, the VPC probe establishes a normal connection between IP_A and the honeypot IP_C. This operation remains transparent to IP_A.
In short, host probes are installed on hosts and forward port traffic to honeypots, and VPC probes are deployed in VPCs and forward traffic that is destined for non-existent internal IP addresses to honeypots.
CIDR Block Allowed: Specify the egress CIDR blocks of the host probes that are allowed to access the management node. The default value is 0.0.0.0/0. You can specify up to 100 CIDR blocks. To provide deception-based protection, a probe must communicate with the management node, so make sure that the egress IP addresses of every probe fall within the specified CIDR blocks.
Allow Honeypot Access Internet: Specify whether the management node allows a honeypot to access the Internet.
Important: If you turn on the switch, security risks may occur. Attackers can intrude into the honeypot and launch severe attacks. If you turn off the switch, only attack detection is supported, which is suitable for internal networks.
You can view the management node that you created in the management node list. The value of the Management Node Status parameter for the created management node is Preparing. The node stays in this state for approximately 5 minutes. Please wait until the Management Node Status changes to Normal.
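The CIDR Block Allowed parameter only works if every probe's egress address falls inside one of the listed blocks, and the default 0.0.0.0/0 admits any source. The following pre-flight check, added here as an example and not part of the Security Center product, validates a planned allowlist against a constructed set of probe egress IPs (the probe names and addresses are made up):

```python
import ipaddress

# Constructed sample: blocks entered in "CIDR Block Allowed" and the egress
# IP of each host probe that must register with the management node.
ALLOWED_CIDRS = ["10.0.0.0/8", "192.168.10.0/24"]
PROBE_EGRESS_IPS = {
    "probe-web-01": "10.12.3.4",
    "probe-db-01": "192.168.10.77",
    "probe-dc-01": "203.0.113.9",  # data-center host behind a proxy; not covered
}


def parse_cidrs(cidrs):
    """Parse the allowlist, enforcing the 100-block limit stated on this page
    and rejecting malformed entries early (ip_network raises ValueError)."""
    if len(cidrs) > 100:
        raise ValueError("at most 100 CIDR blocks are allowed")
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def check_probe_egress(cidrs, probe_ips):
    """Map each probe name to the first allowed block that contains its egress
    IP, or None when no block matches (such a probe cannot reach the node)."""
    nets = parse_cidrs(cidrs)
    result = {}
    for name, ip in probe_ips.items():
        addr = ipaddress.ip_address(ip)
        result[name] = next((str(n) for n in nets if addr in n), None)
    return result


def is_wide_open(cidrs):
    """True when a zero-length prefix (0.0.0.0/0 or ::/0) is still present,
    meaning any source address may talk to the management node."""
    return any(n.prefixlen == 0 for n in parse_cidrs(cidrs))


if __name__ == "__main__":
    for probe, block in check_probe_egress(ALLOWED_CIDRS, PROBE_EGRESS_IPS).items():
        print(f"{probe}: {'allowed by ' + block if block else 'NOT covered'}")
    print("allowlist wide open:", is_wide_open(ALLOWED_CIDRS))
```

Uncovered probes should be fixed by tightening the blocks to the probes' real egress ranges rather than by reverting to 0.0.0.0/0.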
Step 2: (Optional) Create a honeypot template
Honeypot templates allow you to configure custom attributes based on honeypot types. You can use honeypot templates to create honeypots that are suitable for various business scenarios and better simulate real-world applications. You can configure custom attributes, such as the titles of websites, background images of office automation (OA), and data of web pages. You can create a honeypot template based on your business requirements.
On the left side of the Honeypot Template tab of the Configuration Management page, select a honeypot type and click Create Template.
In the Create Template panel, configure the parameters and click OK. The following table describes the parameters.
Template Name: Specify a name for the honeypot template.
Management Node: Specify the management node to which you want to deploy the honeypot. In this example, select the management node that you created in Step 1.
Note: The parameters in the Create Template panel vary based on the honeypot type. If you have more requirements, you can submit a ticket to contact technical support.
Step 3: Create a honeypot
A honeypot is the basic unit for delivering deception-based protection capabilities. The system provides various built-in honeypot images. You can create honeypots based on the honeypot images.
On the Honeypot Management tab of the Configuration Management page, click Create Honeypot.
In the Create Honeypot panel, configure the parameters and click OK. The following table describes the parameters.
Name: Specify a name for the honeypot.
Management Node: Specify the management node to which you want to deploy the honeypot. In this example, select the management node that you created in Step 1.
Honeypot Type: Specify the type of the honeypot. Valid values: Web, Advanced, Special Defect, System Service, and Database.
Honeypot Custom Configurations: Specify the custom attributes of the honeypot. After you select the check box, you can configure custom attributes based on the honeypot type. This way, you can create honeypots that are suitable for various business scenarios and better simulate real-world applications. You can configure custom attributes such as the titles of websites, background images of OA, and data of web pages.
You can also create a honeypot template on the Honeypot Template tab in advance and click Import Template for Configuration to import custom attributes from the template.
For more information about how to configure custom honeypots and honeypot templates, submit a ticket to contact technical support.
Step 4: Create a probe
A probe is a tool that is used to redirect traffic and forward unusual traffic from hosts and networks to a honeypot. VPC probes and host probes are supported.
On the Probe Management tab of the Configuration Management page, click Add Probe. Then, click Host Probe or VPC Probe.
In the Add Host Probe or Add VPC Probe panel, configure the parameters and click OK.
The following table describes the parameters in the Add Host Probe panel.
Probe Name: Specify a name for the probe.
Management Node: Specify the management node of the server to which you want to deploy the probe. In this example, select the management node that you created in Step 1.
Proxy IP Address: If your honeypot is deployed in a server in a data center by using a proxy server, enter the IP address of the proxy server. Otherwise, you do not need to configure this parameter.
Host for Probe Deployment: Specify the server to which you want to deploy the probe.
Configure Service: Specify the name and listener port of the honeypot to which the probe forwards traffic.
Note: The listener port is a port on the host (such as an ECS instance) that the probe uses to redirect traffic to the honeypot. Make sure that this port is reserved exclusively for the probe and that no other service uses it.
The following table describes the parameters in the Add VPC Probe panel.
Important: You can create honeypots only in VPCs. You cannot create honeypots in other types of networks. You can create only one honeypot in a VPC. You can deploy the VPC probe only in supported regions. For more information, see Limits.
Probe Name: Specify a name for the probe.
Management Node: Specify the management node of the server to which you want to deploy the probe. In this example, select the management node that you created in Step 1.
Deployed VPC: Specify the VPC to which you want to deploy the probe.
Configure Service: Specify the name and listener port of the honeypot to which the probe forwards traffic.
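The Configure Service note requires that each listener port be reserved for the probe alone, and a port that a real service already binds would silently break the redirection. The following check, added here as an example rather than any code from the Security Center product, parses constructed `ss -lnt` output from the target host and flags planned listener ports that collide with existing listeners or with each other (the honeypot names and ports are made up):

```python
# Constructed sample of `ss -lnt` output captured on the host that will
# receive the probe. Column 4 is "Local Address:Port".
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       4096    127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""

# Planned "Configure Service" entries: honeypot name -> listener port on the host.
PLANNED_SERVICES = {"mysql-decoy": 3306, "ssh-decoy": 2222, "web-decoy": 8080}


def listening_ports(ss_text):
    """Return the set of TCP ports already in LISTEN state on the host."""
    ports = set()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rsplit handles both "0.0.0.0:22" and bracketed IPv6 "[::]:22".
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def find_port_conflicts(planned, ss_text):
    """Map each planned honeypot to the problem with its listener port:
    'in use' when a real service already listens there, 'duplicate' when
    another planned honeypot on this host claims the same port, or
    'out of range' when the port is not a valid TCP port."""
    used = listening_ports(ss_text)
    seen = {}
    problems = {}
    for name, port in planned.items():
        if not 1 <= port <= 65535:
            problems[name] = "out of range"
        elif port in used:
            problems[name] = "in use"
        elif port in seen:
            problems[name] = "duplicate"
        seen.setdefault(port, name)
    return problems


if __name__ == "__main__":
    print(find_port_conflicts(PLANNED_SERVICES, SS_OUTPUT) or "no conflicts")
```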
What to do next
After you configure the honeypot, the honeypot diverts attacks from targets. This way, attackers attack the decoy application in the honeypot, and the honeypot records the information about the attacks and generates alerts. You can view and handle the alerts to enhance the security of your servers and VPCs. For more information, see View and handle alert events.