Build your own! How to develop and integrate your own CROWSI honeypot decoy

Honeypots offer numerous advantages for your cybersecurity framework, enhancing cyber threat intelligence and deceptive security measures. They provide early warnings of malicious activity, offer invaluable insights into threat behavior and protect critical assets by diverting attackers, while tying up their resources. For a deeper dive into these benefits, check out our earlier blog post.

But the effectiveness of a honeypot—especially its ability to mislead and occupy attackers—depends on how convincingly it mimics a real, high-value target. To maximize this impact, security professionals must design high-interaction honeypots tailored to their specific ecosystems.

At CROWSI, we strive to make this process simpler with our honeypot platform. It lets you deploy containerized honeypot applications with ease, so you can build decoys that fit your unique environment.

In this article, we’ll guide you through creating a decoy using CROWSI’s default honeypot decoy, httpCatcherDecoy. You’ll learn how it’s built and integrated into the CROWSI platform, providing you with a foundation for developing honeypot decoys tailored to your system.

Prerequisite: A basic understanding of container technologies and their use in Kubernetes is required to follow along with this article. If you need further support on your CROWSI journey, please reach out to us!

The Application

When building your own decoy, the first step is to decide what your honeypot should mimic to attract and bind attackers. For the httpCatcherDecoy, we aimed to create a simple HTTP REST interface that:

  1. Accepts all incoming requests.
  2. Logs request details to stdout.
  3. Returns a default error response.

The idea is that this design encourages attackers to explore different request paths in search of an actually supported request, while giving the security team valuable insight into the services, paths, and request methods being targeted. To be fair, because every request path receives the same default response, this will hold an attacker's interest only for a short time, which makes the httpCatcherDecoy a typical low-interaction decoy.

Code Overview

We chose Python as the programming language and Flask as the web service framework. This decision was purely out of personal preference. The full code is available on GitHub, but here’s the key code snippet:

from flask import Flask

# The Flask application object the route decorators below attach to
app = Flask(__name__)

# Create a simple response for each incoming request:
# the first route catches the bare root path, the second every other path
@app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE'])
@app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE'])
def default(path):
    return 'Bad Request', 400

# Start server and listen on port 8000 on all interfaces
if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8000)

This code configures the app to listen on port 8000 for all incoming requests. For every request path and method, it returns the HTTP status code 400 with the default message “Bad Request.”

With this setup, we have a low-interaction honeypot that allows attackers to interact in various ways, helping you gather intelligence on their behavior.

By adding further supported paths and methods to the httpCatcherDecoy's code, you can build on this basic setup to create your own high-interaction decoy, or start from scratch with your own idea.
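As an added example (not the httpCatcherDecoy's own code, which lives on GitHub), here is a stand-alone catch-all decoy that implements the three design goals listed above: it accepts every path and method, writes one JSON line per request to stdout, and answers 400. It uses Python's standard-library http.server in place of Flask so it runs without any dependencies; the "nginx" banner and the `probe` helper, which runs a throwaway instance on a loopback port for local testing, are constructed for this example.

```python
import json
import threading
from datetime import datetime, timezone
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Methods the decoy answers; every one of them is logged and rejected the same way.
METHODS = ("GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS")
# Cap on how much request body is read, so an oversized upload cannot exhaust memory.
MAX_BODY = 64 * 1024


def build_record(method, path, headers, body, client_ip):
    """Assemble the structured log record (one JSON object) for a single request."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": client_ip,
        "method": method,
        "path": path,
        "headers": {k: v for k, v in headers},
        "body_len": len(body),
        "body": body.decode("utf-8", errors="replace"),
    }


class CatchAllHandler(BaseHTTPRequestHandler):
    """Accept any path and method, log it to stdout, answer 400 'Bad Request'."""

    def version_string(self):
        # Constructed banner; a real decoy advertises whatever it is meant to mimic.
        return "nginx"

    def log_message(self, fmt, *args):
        # Silence the default access log; the JSON record below replaces it.
        pass

    def _handle(self):
        try:
            declared = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            declared = 0  # malformed length header: log the request, read no body
        body = self.rfile.read(min(declared, MAX_BODY)) if declared > 0 else b""
        record = build_record(self.command, self.path, self.headers.items(),
                              body, self.client_address[0])
        print(json.dumps(record), flush=True)  # one line per request, stdout -> log pipeline
        payload = b"Bad Request"
        self.send_response(400)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(payload)


# BaseHTTPRequestHandler dispatches on do_<METHOD>; point them all at the same handler.
for _method in METHODS:
    setattr(CatchAllHandler, "do_" + _method, CatchAllHandler._handle)


def probe(method, path, body=None, headers=None):
    """Run a decoy on an ephemeral loopback port, send one request, return (status, body)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CatchAllHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Same listener as the post's snippet: all interfaces, port 8000.
    ThreadingHTTPServer(("0.0.0.0", 8000), CatchAllHandler).serve_forever()
```

Because each request becomes a single JSON line on stdout, the container runtime's log driver can ship the records straight to your log pipeline or SIEM; source IP, method, path, headers and body are exactly the fields the security team needs to see which services and paths are being probed.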

The Container

To integrate our decoy into the CROWSI platform, we need to package it as a Docker container. For that we need a Dockerfile that defines the structure of our container image. The Dockerfile for the httpCatcherDecoy contains the following key elements:

  1. Base Image: We use an Alpine-based Python image.
  2. Dependencies: Install necessary Python libraries.
  3. Application: Add the Python application file.
  4. Server Setup: Configure the container to launch a Gunicorn server running our app.
  5. Port Exposure: Publicly expose port 8000.

The complete Dockerfile can also be found on GitHub.

Once the Dockerfile is ready, use Docker commands to build the container and push it to a container registry accessible to your CROWSI platform’s Kubernetes deployment (e.g., Docker Hub).

The Integration

With the steps so far, you have already developed your own honeypot decoy. Great! The last step is to add your new decoy to your CROWSI deployment via the respective Kubernetes manifests. These include at least the definitions for the Deployment, the Service, and the Traefik IngressRoute. Let’s review the most important aspects:

Deployment

The Deployment specification references the container and ensures the correct port is exposed:

spec:
  containers:
  - name: defaultapi
    image: crowsi/httpcatcherdecoy:1.1.2
    ports:
    - containerPort: 8000

Service

To make the container accessible within the Kubernetes network, define the Service and map the ports consistently:

ports:
  - protocol: TCP
    port: 8000
    targetPort: 8000

IngressRoute

Finally, configure the Traefik ingress controller to route external incoming requests to the decoy. The IngressRoute configuration looks like this:

spec:
  entryPoints:
    - websecure

  routes:
  - match: PathPrefix(`/`)
    priority: 1
    kind: Rule
    services:
    - name: defaultapi-service
      port: 8000

The most important statements here are “match” and “priority”. The match statement instructs Traefik to route any request whose path starts with “/” to our decoy.

Since this matches essentially every request, it would cause a lot of trouble as soon as you want to integrate your own decoy; this is where the priority becomes important. For the httpCatcherDecoy, which is the default route in the CROWSI platform for all requests that don’t match any other decoy, we set the priority to “1”. This tells Traefik to evaluate this routing rule only if no other IngressRoute with a higher priority has matched.

So when integrating your own decoy, make sure to choose the “priority” wisely for your overall set-up, and in any case greater than “1”.
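The port chain from the Deployment and Service sections and the priority rule just described can be checked before anything is applied to the cluster. The following is an added example, not part of the CROWSI platform: it encodes the manifests shown above as Python dicts (the shape PyYAML's safe_load would return, so the check runs without extra dependencies), adds a hypothetical second decoy `mydecoy` with its own priority and ports (constructed for this example), and flags a custom decoy whose priority does not exceed the catch-all's, a missing explicit priority, and a Service or IngressRoute whose ports do not line up.

```python
from typing import Dict, List, Optional

# The manifests from the post, written as Python dicts (the shape PyYAML's
# safe_load would return) so this check runs without extra dependencies.
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "defaultapi"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "defaultapi",
        "image": "crowsi/httpcatcherdecoy:1.1.2",
        "ports": [{"containerPort": 8000}],
    }]}}},
}
SERVICE = {
    "kind": "Service",
    "metadata": {"name": "defaultapi-service"},
    "spec": {"ports": [{"protocol": "TCP", "port": 8000, "targetPort": 8000}]},
}

CATCH_ALL_MATCH = "PathPrefix(`/`)"


def ingress_route(name: str, match: str, priority: Optional[int], service: str, port: int) -> Dict:
    """Build a minimal Traefik IngressRoute with a single rule."""
    return {
        "kind": "IngressRoute",
        "metadata": {"name": name},
        "spec": {
            "entryPoints": ["websecure"],
            "routes": [{"match": match, "priority": priority, "kind": "Rule",
                        "services": [{"name": service, "port": port}]}],
        },
    }


# The post's default route, plus a hypothetical custom decoy (constructed, not from CROWSI).
DEFAULT_ROUTE = ingress_route("defaultapi", CATCH_ALL_MATCH, 1, "defaultapi-service", 8000)
CUSTOM_ROUTE = ingress_route("mydecoy", "PathPrefix(`/api`)", 10, "mydecoy-service", 8080)


def check_routes(routes: List[Dict]) -> List[str]:
    """Return routing problems; an empty list means every decoy outranks the catch-all."""
    problems: List[str] = []
    catch_alls = []
    by_priority: Dict[int, List[str]] = {}
    for ir in routes:
        name = ir["metadata"]["name"]
        for rule in ir["spec"]["routes"]:
            prio = rule.get("priority")
            if prio is None:
                problems.append(f"{name}: no explicit priority (Traefik would derive one from the rule length)")
                continue
            if rule["match"] == CATCH_ALL_MATCH:
                catch_alls.append((name, prio))
            by_priority.setdefault(prio, []).append(name)
    if len(catch_alls) != 1:
        problems.append(f"expected exactly one catch-all route, found {len(catch_alls)}")
    else:
        default_name, default_prio = catch_alls[0]
        for prio, names in by_priority.items():
            for name in names:
                if name != default_name and prio <= default_prio:
                    problems.append(f"{name}: priority {prio} does not exceed the catch-all's {default_prio}; "
                                    "its traffic would be swallowed by the default decoy")
    for prio, names in by_priority.items():
        if len(names) > 1:
            problems.append(f"priority {prio} is shared by {sorted(names)}; order between them is not explicit")
    return problems


def check_ports(deployment: Dict, service: Dict, route: Dict) -> List[str]:
    """Verify containerPort -> Service targetPort/port -> IngressRoute port line up."""
    problems: List[str] = []
    containers = deployment["spec"]["template"]["spec"]["containers"]
    container_ports = {p["containerPort"] for c in containers for p in c.get("ports", [])}
    for sp in service["spec"]["ports"]:
        if sp["targetPort"] not in container_ports:
            problems.append(f"Service targetPort {sp['targetPort']} is not a containerPort {sorted(container_ports)}")
    service_ports = {sp["port"] for sp in service["spec"]["ports"]}
    for rule in route["spec"]["routes"]:
        for svc in rule["services"]:
            if svc["name"] != service["metadata"]["name"]:
                problems.append(f"IngressRoute targets Service {svc['name']!r}, not {service['metadata']['name']!r}")
            elif svc["port"] not in service_ports:
                problems.append(f"IngressRoute port {svc['port']} is not exposed by the Service {sorted(service_ports)}")
    return problems


if __name__ == "__main__":
    for issue in check_routes([DEFAULT_ROUTE, CUSTOM_ROUTE]) + check_ports(DEPLOYMENT, SERVICE, DEFAULT_ROUTE):
        print("PROBLEM:", issue)
```

Run it over every decoy's manifests together, not one decoy at a time: the priority rule is a property of the whole routing set, and a decoy that is fine on its own becomes unreachable the moment another route with the same priority or a lower-priority catch-all is added.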

Wrapping Up

After applying these manifests, your containerized honeypot application will be operational within your CROWSI deployment, enhancing real-time threat detection and the cybersecurity of your overall ecosystem. Congratulations!

If you need further assistance at any step of your CROWSI journey, or if you are interested in our premium decoys, which might already fit your needs, feel free to reach out.

We would love to hear from you. Let’s trick your attackers together!