Because the Hugo project is tied to sending events to the Warden system, you must apply for registration of a client in that system. There is a separate website where you can find all the details.
Our virtual machine images include software that registers the client into the Warden system automatically. After the first start of the virtual machine, just answer a few questions; a request to register the honeypot into the system is then sent to us. If the honeypot is approved, the virtual machine is set up within an hour: the Warden client certificate for data transmission is downloaded, and the honeypot begins capturing attacks and sending events. In case of any doubt, we will contact you.
Each virtual machine should have its own Warden client.
You may start by downloading the VM package – in that case, you will need a hypervisor into which you can import this machine.
Minimum requirements for running the VM:
The second option is to install the honeypots yourselves and then use just our logging plugins. They output IDEA events, which you then send to Warden servers - you may use Warden Filer for this purpose. The files are available in the Downloads section.
A honeypot can be operated either with a public IP address directly assigned to the system, or in private IP address space with port forwarding (Destination NAT) from the public IP to your private IP address.
If you use private IP addresses, then correct detection of the public IPv4 address is essential for the information in your events to be accurate. If you decide to anonymize the IP address of your honeypots, you do not need to worry about this.
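The target-address handling described above, as an added example that is not code from the Hugo project or its logging plugins: a honeypot VM behind Destination NAT sees only its private interface address, so the event must carry the configured public IPv4 (or no address at all when the operator chose to anonymize). The IDEA field layout is assumed from the IDEA0 specification, and all addresses are constructed samples from the TEST-NET ranges.

```python
"""Build an IDEA0 event for an SSH login attempt, fixing the target address
for a honeypot that sits behind Destination NAT."""
import ipaddress
import uuid
from datetime import datetime, timezone

# Constructed sample: the public IPv4 that is DNAT-forwarded to this honeypot.
PUBLIC_IPV4 = "203.0.113.10"
# Operator choice: when True, events carry no target IP at all.
ANONYMIZE_TARGET = False


def target_address(local_ip, public_ip=PUBLIC_IPV4, anonymize=ANONYMIZE_TARGET):
    """Return the IP4 list for the event's Target, or [] when anonymized.

    Behind DNAT the honeypot only knows its private address; substitute the
    configured public address so the event reports what the attacker hit.
    A private address with no configured public one is a misconfiguration.
    """
    if anonymize:
        return []
    if ipaddress.ip_address(local_ip).is_private:
        if public_ip is None:
            raise ValueError("private honeypot address but no public IPv4 configured")
        return [public_ip]
    return [local_ip]


def build_event(src_ip, src_port, local_ip, username, detect_time=None):
    """Assemble a minimal IDEA0 event (assumed layout) for one login attempt."""
    detect_time = detect_time or datetime.now(timezone.utc)
    event = {
        "Format": "IDEA0",
        "ID": str(uuid.uuid4()),
        "DetectTime": detect_time.isoformat(timespec="seconds").replace("+00:00", "Z"),
        "Category": ["Attempt.Login"],
        "Description": "SSH login attempt on honeypot",
        "Note": f"username attempted: {username}",
        "Source": [{"IP4": [src_ip], "Port": [src_port], "Proto": ["tcp", "ssh"]}],
        "Target": [{"Port": [22], "Proto": ["tcp", "ssh"], "Anonymised": ANONYMIZE_TARGET}],
        # Node name is a hypothetical placeholder; use the name assigned at registration.
        "Node": [{"Name": "org.example.honeypot.cowrie", "SW": ["Cowrie"], "Type": ["Honeypot"]}],
    }
    ips = target_address(local_ip)
    if ips:  # anonymized events simply omit the target IP4 key
        event["Target"][0]["IP4"] = ips
    return event
```

Warden Filer picks up such events as JSON files dropped into its incoming directory; the dictionary above serializes with `json.dumps` as is.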
Here follows the list of ports that our virtual machines open and that you should allow on your firewall.
Ports open:
| Honeypot | Port | Direction | Description |
|---|---|---|---|
| Cowrie | 22 (TCP) | incoming | SSH |
| Dionaea | 22 (TCP) | incoming | SSH (for VM management from your local network) |
| Dionaea | 21 (TCP) | incoming | FTP, control channel |
| Dionaea | random (TCP) | incoming | FTP, control channel for passive connections |
| Dionaea | 1433 (TCP) | incoming | MS SQL |
| Dionaea | 3306 (TCP) | incoming | MySQL |
| Dionaea | 69 (UDP) | incoming | TFTP |
Outgoing connections:
Our VMs make the following connections, which are necessary for their operation. Most of the hostnames mentioned resolve to a static IP.
The following connections can be seen only during registration and activation:
The Cowrie honeypot allows outgoing HTTP/HTTPS connections via its simulated wget and curl commands. To gather additional data such as malware samples, these connections should be enabled, with appropriate restrictions to limit abuse. Although the Cowrie code does not allow connections to private networks (that is, it refuses the address ranges defined in iana-ipv4-special-registry and iana-ipv6-special-registry), we strongly advise always limiting outgoing access from the honeypot to your internal networks, either with ACLs or appropriate firewall rules.