One of the ways to ensure the security of network resources is to set up specially prepared honeypots ("barrels of honey") that are easy to break into, so that threats can be detected, the corresponding signatures identified and analyzed, and intruders blocked in time. This article describes building such honeypots on the Internet using software from MikroTik.
Philosophical digression and background
Surfing the Internet has become associated with government regulation, expressed in providers having to restrict access to various sites. Paranoid people add to the picture the fact that the DNS protocol is not encrypted and can be manipulated by third parties. Good old HTTP is still found on the web. And for dessert, analytics of our interests from search engines, mail services, instant messengers, social networks and assorted services. As a result, most people know of / have heard of / use VPN technologies to resist the real globalization of modern life and protect their digital privacy. We do not even count the dark side of the force here and have nothing to do with them.
As IT specialists, we have no moral right to use ready-made solutions from companies unknown to us of the "push the button and you're on a VPN" kind. We need our own CA and the whole public key infrastructure. Your own VPN server, full root, full control, absolute flexibility and security. Most of us will take a Linux server and do everything by the book. The layer of network engineers who specialize in MikroTik hardware would happily prefer RouterOS deployed somewhere on a VPS, for a number of reasons:
Ease of integration into existing infrastructure based on RouterOS.
The presence of a convenient management interface, including a graphical one.
Easy deployment of various networking technologies for switching, routing, L7, etc.
Security and stability of the applied solution.
VPN (openvpn, l2tp, sstp, gre, pptp).
Installing RouterOS (Cloud Hosted Router) from MikroTik on a VPS running Debian: the CHR image is written straight to the disk and the machine is rebooted:
mount -t tmpfs tmpfs /tmp/
cd /tmp
wget https://download.mikrotik.com/routeros/6.47.9/chr-6.47.9.img.zip
apt install zip
unzip chr-6.47.9.img.zip
dd if=chr-6.47.9.img of=/dev/vda bs=4M oflag=sync
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
After the reboot, through the VPS console (VNC), assign the address and the default route:
/ip address add interface=ether1 address=_ip
/ip route add dst-address=0.0.0.0/0 gateway=gw__
Just as on a Linux server, ssh brute-force attempts show up in the log almost immediately:
... system,error,critical login failure for user root from 104.211.164.221 via ssh
... system,error,critical login failure for user yu from 119.29.113.149 via ssh
... system,error,critical login failure for user laboratory from 1.245.61.144 via ssh
... system,error,critical login failure for user username from 36.133.162.171 via ssh
... system,error,critical login failure for user test from 49.232.214.91 via ssh
Hence the idea of a honeypot built on Cloud Hosted Router from MikroTik. "Fools your enemy with Mikrotik".
honeypot
, RouterOS:
, , , , , 7 (stable at the time: 6.48.1). "By upgrading to RouterOS v7 you will get more details in this command output" (/system history print detail). Logging is therefore sent to a remote server:
/system logging action set 3 remote=ip__
/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=hotspot
add action=remote topics=warning
The logs are received on the VPN server. rsyslog does the receiving; in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerAddress ip__
$UDPServerRun 514
systemctl enable rsyslog
systemctl restart rsyslog
Do not forget to allow incoming 514/UDP on the VPN server. The log then looks like this:
2021-03-24T20:46:02.608642+06:00 ip_ system,error,critical login failure for user root from 45.124.86.155 via ssh
2021-03-24T20:51:46.427403+06:00 ip_ system,error,critical login failure for user root from 193.112.24.94 via ssh
2021-03-24T20:52:48.378138+06:00 ip_ system,error,critical login failure for user ts3srv from 107.173.209.238 via ssh
2021-03-24T20:53:02.692985+06:00 ip_ system,error,critical login failure for user root from 61.7.147.29 via ssh
2021-03-24T20:53:15.616354+06:00 ip_ system,error,critical login failure for user user14 from 68.183.84.215 via ssh
2021-03-24T20:53:54.436415+06:00 ip_ system,error,critical login failure for user root from 52.172.165.176 via ssh
2021-03-24T20:53:56.684200+06:00 ip_ system,error,critical login failure for user php from 189.8.95.30 via ssh
On the honeypot VPS the ftp service is restricted to the address of the VPN server (/ip service set ftp address=ip__). The MikroTik configuration is exported with /export compact file=file. A script on the VPN server then collects the export over ftp:
#!/bin/sh
HOST=ip_
USER=admin
PASSWD=___
FILE=file.rsc
# size of the export while the configuration is untouched
SIZE=2091c
while true; do
# one file per fetch, named by timestamp
OUTPUTNAME=`date +%F-%H-%M-%S`.rsc
curl -u $USER:$PASSWD ftp://$HOST/$FILE > /root/exports/$OUTPUTNAME
# drop failed (empty) fetches and exports that have not changed
find /root/exports/ -type 'f' -size 0 -delete
find /root/exports/ -type 'f' -size $SIZE -delete
sleep 5;
done
SIZE is the size of the honeypot's export while the configuration is untouched; such files, and empty ones, are deleted, so only changed configurations remain in /root/exports. So that the constant ftp polling does not clutter the log, rsyslog filters it out (in /etc/rsyslog.conf):
if $fromhost-ip contains 'ip__' then {
if $msg contains 'ftp' then /dev/null
else /var/log/mikrotik.log
}
Traffic is of interest too. Net-flow could be used, but packet-sniffer is used here instead:
/tool sniffer
set filter-interface=ether1 filter-port=!ssh,!winbox,!ftp,!___vpn \
filter-stream=yes memory-scroll=no streaming-enabled=yes \
streaming-server=ip__
VPN, ssh, winbox and ftp are excluded from the capture. The stream is sent over UDP as Tazmen Sniffer Protocol (TZSP) and can be captured with tcpdump-style tools or with Trafr from MikroTik.
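To see what the sniffer actually sends, here is an added example (mine, not part of the article or of Trafr) of a small TZSP receiver: it parses the 4-byte TZSP header, walks the tag list to the end tag, and summarizes the encapsulated Ethernet/IPv4 frame. The sample datagram is constructed in code, not a real capture; UDP port 37008 is the default RouterOS streaming port as far as I know, and is an assumption.

```python
import socket
import struct

# TZSP constants. Port 37008 is assumed to be the RouterOS/Trafr default.
TZSP_PORT = 37008
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0       # "received tag list": a captured packet follows the tags
TZSP_ENCAP_ETHERNET = 1
TAG_PADDING = 0x00           # single byte, no length field
TAG_END = 0x01               # single byte, terminates the tag list
TAG_RX_FRAME_LENGTH = 0x29   # example tag carrying a 2-byte value


def parse_tzsp(datagram):
    """Split a TZSP datagram into header fields, tags and the encapsulated frame.
    Malformed input raises ValueError rather than being silently truncated."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError("unsupported TZSP version %d" % version)
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag %#x" % tag)
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated tag %#x" % tag)
        tags[tag] = value
        pos += length
    return {"type": ptype, "encapsulation": encap, "tags": tags, "frame": datagram[pos:]}


def summarize_ethernet_ipv4(frame):
    """Addresses, protocol, ports and TCP flags of an Ethernet II + IPv4 (+TCP/UDP) frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated IPv4 header")
    proto = ip[9]
    info = {"ethertype": ethertype, "src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]), "proto": proto}
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        info["tcp_flags"] = l4[13]
    return info


def build_sample_datagram():
    """Constructed test datagram: TZSP header, one tag, Ethernet/IPv4/TCP SYN to port 23."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                       socket.inet_aton("203.0.113.5"), socket.inet_aton("198.51.100.10"))
    eth = bytes.fromhex("0c1234567890") + bytes.fromhex("0caabbccddee") + struct.pack("!H", 0x0800)
    tags = (bytes([TAG_PADDING, TAG_RX_FRAME_LENGTH, 2])
            + struct.pack("!H", 14 + total_len) + bytes([TAG_END]))
    return struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, TZSP_ENCAP_ETHERNET) + tags + eth + ipv4 + tcp


def serve(bind_ip="0.0.0.0", port=TZSP_PORT):
    """Receive TZSP datagrams from the router and print one summary line per packet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        try:
            pkt = parse_tzsp(data)
            print(peer, summarize_ethernet_ipv4(pkt["frame"]))
        except ValueError as exc:
            print(peer, "malformed:", exc)


if __name__ == "__main__":
    print(summarize_ethernet_ipv4(parse_tzsp(build_sample_datagram())["frame"]))
```

Point streaming-server at the host running serve() to watch the honeypot's traffic live; the parser deliberately rejects a datagram whose tag list is cut short instead of treating the remainder as a frame.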
Now the bait itself. On the honeypot RouterOS a user root with the password qwerty is created (a successful login appears in the log as "user root logged in"). A script watches the log for this message; when it finds it, it starts the sniffer if it is not already running, waits 10 minutes and then shuts the router down:
# seconds to keep capturing before the router is shut down
:local DELAY 600;
:local USER root;
:local STRING "user $USER logged in";
# one iteration per matching log entry
:foreach line in=[/log find message~$STRING] do={
:if ([/tool sniffer get running] = no) do={
/tool sniffer start;
}
:delay $DELAY;
/system shutdown;
}
/console clear-history
The honeypot can also notify about the event, for example by email. Once the session has been captured, the root user on the honeypot is disabled from the VPN server (the password is passed with sshpass):
sshpass -p ___ ssh admin@ip_ /user disable root
PS At the end of 2020 we carried out a project to provide public Internet access for the international company "Coffee Cup": 5 of their own "coffee to go" bars in different cities, plus dealers across Russia and the CIS countries (we have not got round to the last ones yet). Not surprisingly, among the clients of the Hotspot networks there are people with unclean hands trying to get access to the routers. It is interesting, so to speak, to get to know them "by sight"...