Architecture
The Hugo project is based upon the development environment and tools for assembling virtual machines with conventional honeypots. Hugo uses Puppet (without a master node), Python, bash and GitLab CI to generate virtual machines with pre-installed honeypots, which can then be deployed in the network of a CESNET member. The operating system of the virtual machines is currently Debian version 11. The virtual machines are primarily generated using the Oracle VirtualBox virtualization platform. After modification, however, they can be operated under other platforms and hypervisors, e.g. VMware.
Honeypot
An administrator who wants to operate a honeypot can download our VM image and import it into their hypervisor. After the initial login, they set the parameters and registration data using a wizard implemented with the text utility dialog. Once the honeypot is set up, the registration data is sent to the Hugo central control site operated by CESNET. After the registration is approved, the new honeypot becomes a Warden client and starts sending events to the Warden server and other connected systems. These events can then be monitored using the Mentat system, the SIEM of the CESNET e-infrastructure network.
Our honeypots are also monitored by the Hugo control center. The honeypot will periodically report its status information back to us. The honeypot VM may also receive updates in the future, assuming the administrator has not disabled this. The annual renewal of the client certificate for access to Warden is also automated. Thus, once configured, the system is, in theory, unattended and does not normally require additional interventions by its administrator.
Centralized control
The Hugo control center allows the Hugo operators to register and monitor the honeypots registered with the system and, when required, to send them control commands. The operators can watch honeypot status in the summary table and, if needed, contact the administrator of the honeypot machine or take action themselves. As an example, a honeypot that is sending faulty data can be administratively switched to Test mode, and it is also possible to turn off the sending of events altogether.
Our system respects the right of the connected organization to disallow CESNET operators access to its machines (however limited that access is), and such management can be turned off by the honeypot administrator.
The Hugo control center is implemented in PHP with the Nette framework and uses a MariaDB database for data storage.