Project Honeynet

I have been wanting to work on this project for some time now. I started mapping it out several months ago but never got around to actually sitting down and writing the code. I spent some time tonight updating my blog (switching themes) and it made me want to start working on this post for whatever reason. So I wanted to start actually writing out some of the code and seeing where I can go from here.

Project Honeynet

The idea behind this project started when I noticed a very large number of bots hitting several of my servers. I thought it would be a fun project to map the locations of the bots that are hitting my logins and plot them on a map. There are likely a number of projects that already do this that I could install and have running quickly. Where is the fun in that!?

There are several log files that can be hit when logins fail. One such log file is /var/log/messages. The main entry that I started looking for was "Authentication failed". When searching the log file for entries matching this phrase, potential hits could look like:

I removed the original IP addresses, just to be safe...

/var/log/messages host ftp: ([email protected]) [WARNING] Authentication failed for user [root]
/var/log/messages host ftp: ([email protected]) [WARNING] Authentication failed for user [admin]
/var/log/messages host ftp: ([email protected]) [WARNING] Authentication failed for user [admin]
/var/log/messages host ftp: ([email protected]) [WARNING] Authentication failed for user [administrator]
/var/log/messages host ftp: ([email protected]) [WARNING] Authentication failed for user [admin]
/var/log/messages host ftp: ([email protected]) [WARNING] Authentication failed for user [test]

With this result, I know that the entry is a bot trying to do bad things. As the owner of the server, there are several things that stand out to me.

  1. These users do not exist.
  2. I don't use FTP, I prefer to use rsync.
  3. There are duplicate attempts, and attempts on other usernames.

With the knowledge that I am not logging in as an FTP user, and that there are no other users on this server, I can devise a pattern to match any of these results. Using "Authentication failed" as the phrase to look for when reading the logs, I can use Python to pull out all of these entries. Once these entries have been pulled from the log file I can use a simple regex, \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}, to match the IP addresses of the bots. Once the IP addresses have been extracted I store them in a separate log file. This gives me an easier way to start plotting the IPs, since my logs rotate daily.

import re

importantMessages = []
messagesPhrases = ["Authentication failed"]
ipmatch = re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')


def extract_ips(messagesFile):
    # Walk the log once; keep every line containing one of the phrases
    with open(messagesFile) as f:
        for line in f:
            for phrase in messagesPhrases:
                if phrase in line:
                    importantMessages.append(line)
                    messagesList = ipmatch.search(line)
                    if messagesList is None:
                        # Matched the phrase but carries no dotted-quad address
                        break
                    print(messagesList.group())
                    # Append the address to its own file so it survives daily log rotation
                    with open('ip_log.log', 'a') as g:
                        print(messagesList.group(), file=g)
                    break
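The following is an added example, not code from the post itself, showing where the phrase-plus-regex approach above goes next: it parses a handful of constructed log lines (modelled on the entries shown earlier, with RFC 5737 test addresses), pulls out both the source IP and the attempted username, validates each address with the standard ipaddress module (the \d{1,3} pattern happily accepts "999.1.1.1"), counts attempts per source, and appends only addresses it has not seen before to the side log. The "(?@IP)" field inside the parentheses is an assumption about what the obfuscated "[email protected]" field looked like; the sample lines, the file name and all function names are my own.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines, modelled on the entries shown in the post.
# The "(?@IP)" field is an assumption; addresses come from RFC 5737 test ranges.
SAMPLE_LOG = """\
Mar  1 02:11:09 host ftp: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Mar  1 02:11:12 host ftp: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Mar  1 02:11:15 host ftp: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Mar  1 02:13:40 host ftp: (?@198.51.100.23) [WARNING] Authentication failed for user [administrator]
Mar  1 02:13:44 host ftp: (?@198.51.100.23) [WARNING] Authentication failed for user [test]
Mar  1 02:14:01 host ftp: (?@999.1.1.1) [WARNING] Authentication failed for user [admin]
Mar  1 02:15:00 host sshd[4242]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2
"""

PHRASES = ["Authentication failed"]
IP_RE = re.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')
USER_RE = re.compile(r'for user \[([^\]]*)\]')


def parse_failures(lines, phrases=PHRASES):
    """Yield (ip, user) for every line that contains one of the phrases.

    The \\d{1,3} regex alone also matches strings such as "999.1.1.1", so each
    candidate is checked with ipaddress before it is accepted.
    """
    for line in lines:
        if not any(phrase in line for phrase in phrases):
            continue
        m = IP_RE.search(line)
        if m is None:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # looks like a dotted quad but is not a valid address
        u = USER_RE.search(line)
        yield ip, (u.group(1) if u else None)


def summarize(lines):
    """Return (attempts per IP, set of usernames tried per IP)."""
    per_ip = Counter()
    users = {}
    for ip, user in parse_failures(lines):
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(user)
    return per_ip, users


def append_unique_ips(lines, path):
    """Append each not-yet-recorded IP to `path` once; return the newly added IPs.

    Keeping the side file free of duplicates means daily rotation of the
    main log never loses an address and the plotting step sees each source once.
    """
    per_ip, _ = summarize(lines)
    try:
        with open(path) as fh:
            known = {l.strip() for l in fh if l.strip()}
    except FileNotFoundError:
        known = set()
    new = sorted(ip for ip in per_ip if ip not in known)
    with open(path, 'a') as fh:
        for ip in new:
            fh.write(ip + '\n')
    return new


if __name__ == '__main__':
    counts, tried = summarize(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:16} {n:3} attempts  users={sorted(tried[ip])}")
```

Run against the constructed sample, the sshd line is skipped because it lacks the phrase, the "999.1.1.1" line is dropped by the ipaddress check, and the two real sources come out with 3 and 2 failed attempts respectively, each with the usernames it tried. Swapping SAMPLE_LOG.splitlines() for an open file handle on /var/log/messages gives the same result on a live box.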

The code is a bit messy at this stage and I could likely clean it up. But it has been fun to dive into so far. I have several other functions created and running. I plan to go back and update the code because I am not happy with some of my decisions, and I would like to make more use of reusable code instead of duplicating similar steps. I have not begun to write the map plotting functions yet. That is something that I will likely start working on this weekend. I was having a lot of fun writing this tonight and really wanted to get a post up talking about it. I should be revisiting this post again soon in a part two.
