---
board: shield, mox, omnia, 1.x
---

# HaaS – Honeypot as a Service

A honeypot is special software that simulates an operating system and allows an
attacker to log in via SSH or telnet and execute commands or download malware.
The commands are recorded and used to analyze the attacker's behavior. Downloaded
malware can be analyzed as well.

HaaS lets you use a moderately interactive SSH honeypot in a way that keeps the
attacker logged in as long as possible, believing that he is attacking a real
device rather than a honeypot.

## How it works

After you install the
[HaaS proxy application](https://haas.nic.cz/proxy/), your router forwards
traffic arriving on WAN port 22 (commonly used for SSH) to the HaaS
server (owned by CZ.NIC association) located in one of our datacenters.

The HaaS server, powered by Cowrie, is a full-fledged honeypot. It records the
user/password combination (like [Minipots](intro.md#minipot) do) and, in
addition, it simulates a real device and records the executed commands.

A big advantage is that your router stays safe all the time because all
communications are redirected to our server and nothing is done on the router
itself.

HaaS provides the following information:

- The IP address from which the attacker logged in
- The credentials he used to log in
- The attacker's behavior
- The scripts which the attacker ran in the honeypot

## How to set up HaaS

To activate HaaS, you need a PC or server with Linux (or another supported
device, such as Turris) and a public IPv4 address. You may have to redirect port
22 from your router to your PC if you use a router with NAT. In the case of
Turris, all firewall changes are done automatically.

## Registration

In order to use HaaS, you have to register at its website and obtain **HaaS
tokens** for your devices. If you already have a token, you can skip this
section.

### 1. Register on the [HaaS website](https://haas.nic.cz/)

   ![Registration](registration.png)

### 2. Get the token

Proceed to the section *My Honeypot* and click on *Add new device*. After naming
it, you will get a token.

   ![Add new device](add-new-device.png)

   ![Create new device](create-new-device.png)

   ![Device token](device-token.png)

### 3. Use the token

After obtaining the tokens, you can use them in your device configuration.
In the case of Turris, follow [Sentinel HaaS setup](setup.md#haas).

## Move the SSH server to a port for remote administration

If you use SSH for remote access to your router, you need to move it from port
22 to a different port; otherwise you will be connected to the honeypot.
Changing the SSH port can also be a simple protection against intrusion attempts.
Don't forget to use a strong password or a public key for logging in.

You just need to add a port forwarding rule with the following settings:

- **Name**: SSH redirect
- **External port**: number from 1 to 65535
- **Internal port**: 22

For obvious reasons, choose a port number that is not already in use.

!!! warning
    If you don't specify the port when you connect over SSH, the default port
    (which is 22) will be used and you will be connected to the honeypot,
    which could record your password! For this reason it is better to log in
    with a public key.
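
One way to check a client profile against the warning above, as an added example that is not part of the Turris documentation: the function reads the output of `ssh -G <host>` (the effective OpenSSH client settings) and fails when the connection would go to port 22 or could offer a password. The host name `router.example.net`, the port 2222, the `turris` alias and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example. Usage on a real profile:  ssh -G turris | audit_ssh_profile
#
# A matching ~/.ssh/config stanza (alias, host name and port are placeholders):
#   Host turris
#       HostName router.example.net
#       Port 2222
#       PasswordAuthentication no
#       KbdInteractiveAuthentication no

# Reads `ssh -G` output on stdin; returns non-zero if the profile could
# send a password to the honeypot listening on port 22.
audit_ssh_profile() {
    awk '
        $1 == "port"                         { port = $2 }
        $1 == "passwordauthentication"       { pw = $2 }
        $1 == "kbdinteractiveauthentication" { kbd = $2 }
        END {
            bad = 0
            # A missing port line is treated like the default, port 22.
            if (port == "" || port == 22) { print "FAIL: port 22 is the honeypot"; bad = 1 }
            if (pw != "no")  { print "FAIL: password authentication is enabled"; bad = 1 }
            if (kbd != "no") { print "FAIL: keyboard-interactive authentication is enabled"; bad = 1 }
            if (!bad) print "OK: port " port ", key-only login"
            exit bad
        }'
}

# Constructed sample: default client settings, no port given.
RISKY='hostname router.example.net
port 22
passwordauthentication yes
kbdinteractiveauthentication yes'

# Constructed sample: the profile from the stanza above.
SAFE='hostname router.example.net
port 2222
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$RISKY" | audit_ssh_profile || true
printf '%s\n' "$SAFE"  | audit_ssh_profile
```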