diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..947f6c6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,13 @@
+# Terraform
+.terraform/
+*.tfstate
+*.tfstate.*
+terraform.tfvars
+.terraform.lock.hcl
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Editor
+.vscode/
\ No newline at end of file
diff --git a/README.md b/README.md
index df453b1..0aeb34c 100644
--- a/README.md
+++ b/README.md
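Review bot: `.terraform.lock.hcl` should be committed, not ignored: the lock file is what pins the AWS provider to specific versions and hashes, and with it ignored — and `terraform/provider.tf` in this same commit declaring no `required_providers` constraint — every operator's `terraform init` resolves a fresh, unverified provider build. Drop that line from the ignore list and commit the lock file. The opposite applies to `ansible/inventory.ini`, which `scripts/deploy_honeypots.sh` regenerates on every run and which holds the live sensor addresses, so add `ansible/inventory.ini` here instead.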
@@ -1,2 +1,233 @@ -# honeynet -Develop a scalable, cloud-native honeypot deployment framework that leverages Terraform to provision and manage honeypot instances across multiple geographic regions. +# Honeynet + +Honeynet is a scalable, cloud-native framework for deploying and managing distributed honeypots across multiple geographic regions. It automates the provisioning, configuration, and monitoring of honeypot infrastructure using **Terraform** and **Ansible**. + +The goal of the project is to help security researchers and organizations collect threat intelligence, analyze attacker behavior, and improve defensive strategies by simulating realistic targets in cloud environments. + +[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE) + +--- + +# Table of Contents + +* Overview +* Architecture +* Key Features +* Repository Structure +* Getting Started +* Deployment +* Data Collection +* Development +* Contributing +* License + +--- + +# Overview + +Modern cyber threats originate from different regions across the globe. Understanding attacker behavior requires collecting data from distributed environments. + +Honeynet provides a framework that allows security teams to deploy honeypot systems across multiple cloud providers and geographic regions using Infrastructure-as-Code. + +``` +Controller Node + │ + ▼ +┌──────────────────────────────┐ +│ Infrastructure Automation │ +│ (Terraform) │ +└───────────┬──────────────────┘ + │ + Multi-Region Deployment + │ + ┌──────┴───────┐ + ▼ ▼ + Honeypot Node Honeypot Node + (Region A) (Region B) + │ │ + └──────┬───────┘ + ▼ + Attack Logs & Intelligence +``` + +--- + +# Architecture + +The system follows a distributed deployment architecture inspired by global scanning systems. 
+ +### Components + +**Controller Node** + +The central orchestration node responsible for: + +* provisioning infrastructure +* executing automation workflows +* collecting attack data + +**Terraform** + +Used for Infrastructure-as-Code deployment of: + +* virtual machines +* networking +* security groups +* cloud resources + +**Ansible** + +Responsible for configuring honeypot nodes: + +* installing honeypot software +* configuring services +* managing system dependencies + +**Honeypot Nodes** + +Deployed globally to simulate vulnerable services such as: + +* SSH +* web servers +* network services + +These nodes capture attacker interactions and generate logs. + +--- + +# Key Features + +| Feature | Description | +| ------------------------------ | --------------------------------------------------- | +| Distributed Deployment | Deploy honeypots across multiple geographic regions | +| Infrastructure as Code | Terraform-based infrastructure provisioning | +| Automated Configuration | Ansible playbooks for system setup | +| Threat Intelligence Collection | Capture and analyze attacker behavior | +| Multi-Cloud Support | Compatible with AWS, Azure, and GCP | + +--- + +# Repository Structure + +``` +honeynet/ + +terraform/ + main.tf + provider.tf + variables.tf + +ansible/ + playbooks/ + install_honeypot.yml + +scripts/ + deploy_honeypots.sh + +honeypots/ + cowrie/ + dionaea/ + +docs/ + architecture.md +``` + +--- + +# Getting Started + +## Prerequisites + +Ensure the following tools are installed: + +* Terraform +* Ansible +* Git +* Access to a cloud provider (AWS / Azure / GCP) + +--- + +# Deployment + +Clone the repository: + +```bash +git clone https://github.com/c2si0rg/honeynet.git +cd honeynet +``` + +Initialize Terraform: + +```bash +terraform init +``` + +Apply infrastructure configuration: + +```bash +terraform apply +``` + +Or use the deployment script: + +```bash +bash scripts/deploy_honeypots.sh +``` + +--- + +# Data Collection + +Honeypot nodes collect 
various types of attack data including:
+
+* login attempts
+* command execution attempts
+* malware uploads
+* network scanning behavior
+
+These logs can later be aggregated and analyzed to extract threat intelligence.
+
+---
+
+# Development
+
+To start development:
+
+```bash
+git clone https://github.com/c2si0rg/honeynet.git
+cd honeynet
+```
+
+Modify Terraform modules, Ansible playbooks, or scripts as needed.
+
+Future development will focus on:
+
+* improved multi-region deployment
+* centralized logging
+* analytics pipelines
+* integration with threat intelligence platforms
+
+---
+
+# Contributing
+
+Contributions are welcome.
+
+You can contribute by:
+
+* improving infrastructure modules
+* adding support for new honeypots
+* improving automation scripts
+* enhancing documentation
+
+Before submitting a pull request:
+
+* keep PRs focused and minimal
+* ensure code is properly formatted
+* include documentation when adding features
+
+---
+
+# License
+
+This project is licensed under the **Apache 2.0 License**. See the [LICENSE](LICENSE) file for details.
diff --git a/ansible/inventory.ini b/ansible/inventory.ini
new file mode 100644
index 0000000..960e211
--- /dev/null
+++ b/ansible/inventory.ini
@@ -0,0 +1,4 @@
+[honeynet]
+54.174.245.155 ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/honeynet_key
+54.154.83.253 ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/honeynet_key
+13.235.2.19 ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/honeynet_key
diff --git a/ansible/playbooks/install_honeypot.yml b/ansible/playbooks/install_honeypot.yml
new file mode 100644
index 0000000..5c191fe
--- /dev/null
+++ b/ansible/playbooks/install_honeypot.yml
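Review bot: `ansible/inventory.ini` commits three concrete public IPs of live honeypot hosts, yet `scripts/deploy_honeypots.sh` in this same commit overwrites the file from `terraform output` on every run, so the committed copy is stale after the first deploy and doubles as a public pointer to the real sensors that an attacker who finds the repository can avoid or deliberately poison. Remove the file from version control and add it to `.gitignore`; if an example is wanted, ship an `ansible/inventory.ini.example` with placeholder addresses and the same `ansible_user`/`ansible_ssh_private_key_file` keys.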
@@ -0,0 +1,94 @@
+- hosts: honeynet
+ become: yes
+
+ vars:
+ cowrie_dir: /home/ubuntu/cowrie
+
+ tasks:
+
+ - name: Update apt cache
+ apt:
+ update_cache: yes
+
+ - name: Install required packages
+ apt:
+ name:
+ - git
+ - python3
+ - python3-pip
+ - python3-venv
+ state: present
+
+ - name: Remove old Cowrie installation
+ file:
+ path: "{{ cowrie_dir }}"
+ state: absent
+
+ - name: Clone Cowrie repository
+ git:
+ repo: https://github.com/cowrie/cowrie.git
+ dest: "{{ cowrie_dir }}"
+
+ - name: Create Python virtual environment
+ command: python3 -m venv cowrie-env
+ args:
+ chdir: "{{ cowrie_dir }}"
+
+ - name: Install Cowrie dependencies
+ command: "{{ cowrie_dir }}/cowrie-env/bin/pip install -r requirements.txt"
+ args:
+ chdir: "{{ cowrie_dir }}"
+
+ - name: Install Cowrie in editable mode
+ command: "{{ cowrie_dir }}/cowrie-env/bin/python -m pip install -e ."
+ args:
+ chdir: "{{ cowrie_dir }}"
+
+ - name: Ensure correct ownership
+ file:
+ path: "{{ cowrie_dir }}"
+ owner: ubuntu
+ group: ubuntu
+ recurse: yes
+
+ - name: Copy Cowrie config
+ copy:
+ src: "{{ cowrie_dir }}/etc/cowrie.cfg.dist"
+ dest: "{{ cowrie_dir }}/etc/cowrie.cfg"
+ remote_src: yes
+
+ - name: Install Twisted
+ command: "{{ cowrie_dir }}/cowrie-env/bin/pip install twisted"
+
+ - name: Create Cowrie systemd service
+ copy:
+ dest: /etc/systemd/system/cowrie.service
+ content: |
+ [Unit]
+ Description=Cowrie SSH Honeypot
+ After=network.target
+
+ [Service]
+ Type=forking
+ User=ubuntu
+ WorkingDirectory=/home/ubuntu/cowrie
+
+ Environment="PATH=/home/ubuntu/cowrie/cowrie-env/bin:/usr/bin:/bin"
+
+ ExecStart=/home/ubuntu/cowrie/cowrie-env/bin/cowrie start
+ ExecStop=/home/ubuntu/cowrie/cowrie-env/bin/cowrie stop
+
+ Restart=always
+ RestartSec=5
+
+ [Install]
+ WantedBy=multi-user.target
+
+ - name: Reload systemd
+ command: systemctl daemon-reexec
+
+ - name: Enable Cowrie service
+ command: systemctl enable cowrie
+
+ - name: Start Cowrie service
+ command: systemctl start cowrie
\ No newline at end of file
diff --git a/docs/architecture.md b/docs/architecture.md
new file mode 100644
index 0000000..3e4747c
--- /dev/null
+++ b/docs/architecture.md
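Review bot: The `cowrie.service` unit runs the honeypot as `User=ubuntu`, the same account the inventory uses for administration (`ansible_user=ubuntu`) and, on stock Ubuntu AMIs, typically a passwordless-sudo login, so any escape from Cowrie or its dependencies lands the attacker on the node's admin identity rather than in a throwaway account. Create a dedicated unprivileged `cowrie` user, install the tree somewhere it can traverse (recent Ubuntu releases create `/home/ubuntu` as 0750, so `/home/ubuntu/cowrie` would not even be readable by another user), chown it, and point the unit at it. The `git` clone has no `version:` and `pip install twisted` runs unconstrained after `requirements.txt`, so each deploy pulls whatever the upstream default branch and PyPI serve that day — pin a tag or commit and let `requirements.txt` own the Twisted version. Minor: `systemctl daemon-reexec` should be `daemon-reload`, and the three `command: systemctl …` tasks can collapse into one idempotent `systemd` module call.
```yaml
  vars:
    cowrie_user: cowrie
    cowrie_dir: /opt/cowrie            # outside /home/ubuntu so the service user can reach it
    cowrie_version: "REPLACE_WITH_TAG_OR_SHA"   # pin; update deliberately

  tasks:
    - name: Create unprivileged service account for Cowrie
      user:
        name: "{{ cowrie_user }}"
        system: yes
        shell: /usr/sbin/nologin
        create_home: no

    # … unchanged: apt cache, packages, remove old install …

    - name: Clone Cowrie repository at a pinned revision
      git:
        repo: https://github.com/cowrie/cowrie.git
        dest: "{{ cowrie_dir }}"
        version: "{{ cowrie_version }}"

    # … unchanged: venv, requirements, editable install, config copy …

    - name: Ensure the tree is owned by the service user
      file:
        path: "{{ cowrie_dir }}"
        owner: "{{ cowrie_user }}"
        group: "{{ cowrie_user }}"
        recurse: yes

    - name: Create Cowrie systemd service
      copy:
        dest: /etc/systemd/system/cowrie.service
        content: |
          [Unit]
          Description=Cowrie SSH Honeypot
          After=network.target

          [Service]
          Type=forking
          User={{ cowrie_user }}
          WorkingDirectory={{ cowrie_dir }}
          Environment="PATH={{ cowrie_dir }}/cowrie-env/bin:/usr/bin:/bin"
          ExecStart={{ cowrie_dir }}/cowrie-env/bin/cowrie start
          ExecStop={{ cowrie_dir }}/cowrie-env/bin/cowrie stop
          Restart=always
          RestartSec=5

          [Install]
          WantedBy=multi-user.target

    - name: Reload systemd, enable and start Cowrie
      systemd:
        name: cowrie
        daemon_reload: yes
        enabled: yes
        state: started
```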
@@ -0,0 +1,155 @@ +# Honeynet Architecture + +## Overview + +Honeynet is designed as a distributed system for deploying and managing honeypot nodes across multiple geographic regions. The system automates infrastructure provisioning, configuration, and monitoring using Infrastructure-as-Code and configuration management tools. + +The architecture separates infrastructure provisioning, node configuration, and attack data collection into independent layers to ensure scalability and maintainability. + +--- + +## High-Level Architecture + +```id="qev0j3" +Controller Node + │ + │ Terraform + ▼ +Cloud Infrastructure (AWS / Azure / GCP) + │ + │ Ansible + ▼ +Honeypot Nodes + │ + ▼ +Attack Logs & Intelligence +``` + +--- + +## Components + +### Controller Node + +The controller node acts as the central orchestration point of the system. + +Responsibilities: + +* Execute Terraform to provision infrastructure +* Run Ansible playbooks to configure honeypot nodes +* Manage deployment scripts +* Collect or aggregate attack logs + +This node is typically operated by a researcher or security team. + +--- + +### Infrastructure Layer (Terraform) + +Terraform is used to provision infrastructure resources across multiple cloud providers. + +Typical resources include: + +* virtual machines +* networking configuration +* firewall rules +* SSH access + +Terraform modules allow infrastructure to be deployed across different geographic regions. + +Example regions: + +``` +North America +Europe +Asia-Pacific +``` + +This enables global deployment of honeypots to capture region-specific attack patterns. + +--- + +### Configuration Layer (Ansible) + +After infrastructure is provisioned, Ansible is used to configure each honeypot node. + +Tasks include: + +* installing system dependencies +* installing honeypot software +* configuring services +* enabling log collection + +Automation ensures consistent configuration across all deployed nodes. 
+ +--- + +### Honeypot Nodes + +Honeypot nodes simulate vulnerable services to attract malicious activity. + +Common honeypots may include: + +* **Cowrie** – SSH honeypot +* **Dionaea** – malware collection honeypot +* **Conpot** – industrial control system honeypot + +These services record attacker interactions such as: + +* login attempts +* command execution +* malware uploads +* network scanning behavior + +--- + +### Data Collection + +Logs generated by honeypot nodes contain valuable threat intelligence. + +Collected data may include: + +* attacker IP addresses +* attack commands +* authentication attempts +* malware samples + +This data can be stored and analyzed to identify attack patterns and emerging threats. + +Future improvements may integrate centralized logging or analytics systems. + +--- + +## Deployment Workflow + +Typical deployment workflow: + +1. Clone the repository and configure credentials. +2. Run Terraform to provision infrastructure. +3. Execute Ansible playbooks to configure honeypot nodes. +4. Honeypot nodes begin collecting attacker activity. +5. Logs are gathered for analysis. + +--- + +## Future Enhancements + +Potential improvements to the architecture include: + +* multi-cloud automated deployment +* centralized logging infrastructure +* attack data analytics pipelines +* automated threat intelligence generation +* dynamic scaling of honeypot nodes + +--- + +## Summary + +The Honeynet architecture focuses on three core principles: + +* **automation** – infrastructure and configuration managed through code +* **scalability** – distributed deployment across regions +* **observability** – capturing and analyzing attacker behavior + +This design enables researchers and security teams to deploy and operate honeypot infrastructure efficiently. diff --git a/scripts/deploy_honeypots.sh b/scripts/deploy_honeypots.sh new file mode 100644 index 0000000..cc7200f --- /dev/null +++ b/scripts/deploy_honeypots.sh 
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "Starting Honeynet deployment..."
+
+cd terraform
+
+terraform init
+terraform apply -auto-approve
+
+echo "Infrastructure deployed."
+
+IPS=$(terraform output -json honeypot_ips | jq -r '.[]')
+
+echo "Configuring honeypots with Ansible..."
+
+echo "[honeynet]" > ../ansible/inventory.ini
+
+for IP in $IPS; do
+ echo "$IP ansible_user=ubuntu ansible_ssh_private_key_file=~/.ssh/honeynet_key" >> ../ansible/inventory.ini
+done
+
+cd ..
+
+export ANSIBLE_HOST_KEY_CHECKING=False
+
+ansible-playbook -i ansible/inventory.ini ansible/playbooks/install_honeypot.yml
+
+echo "Deployment complete."
\ No newline at end of file
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..317cf1a
--- /dev/null
+++ b/terraform/main.tf
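Review bot: `export ANSIBLE_HOST_KEY_CHECKING=False` disables SSH host-key verification for the run that pushes root-level configuration (`become: yes`) to freshly created public addresses, so a reused EC2 IP or an on-path attacker would receive the playbook, and the controller's key-authenticated session, without any warning. Keep verification on and seed a dedicated known_hosts file from a trusted source — on AWS the instance's host-key fingerprints appear in its console output (`aws ec2 get-console-output`) — then pass it with `ansible_ssh_common_args='-o UserKnownHostsFile=…'`; `ssh-keyscan` is only trust-on-first-use and should be a conscious fallback, not the default. Two smaller points: `set -e` alone does not catch the `terraform output … | jq` pipeline failing (an empty `IPS` silently yields an empty inventory), so use `set -euo pipefail`, and nothing waits for sshd to come up on the new instances, so the first `ansible-playbook` right after `apply` is likely to fail.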
@@ -0,0 +1,184 @@
+resource "aws_key_pair" "honeynet_key_us" {
+ provider = aws.us
+ key_name = "honeynet-key"
+ public_key = file("/mnt/c/Users/harir/.ssh/honeynet_key.pub")
+}
+
+resource "aws_key_pair" "honeynet_key_eu" {
+ provider = aws.eu
+ key_name = "honeynet-key"
+ public_key = file("/mnt/c/Users/harir/.ssh/honeynet_key.pub")
+}
+
+resource "aws_key_pair" "honeynet_key_ap" {
+ provider = aws.ap
+ key_name = "honeynet-key"
+ public_key = file("/mnt/c/Users/harir/.ssh/honeynet_key.pub")
+}
+
+resource "aws_security_group" "honeynet_sg_us" {
+ provider = aws.us
+ name = "honeynet-sg"
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 2222
+ to_port = 2222
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_security_group" "honeynet_sg_eu" {
+ provider = aws.eu
+ name = "honeynet-sg"
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 2222
+ to_port = 2222
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_security_group" "honeynet_sg_ap" {
+ provider = aws.ap
+ name = "honeynet-sg"
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 2222
+ to_port = 2222
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+data "aws_ami" "ubuntu_us" {
+ provider = aws.us
+ most_recent = true
+
+ owners = ["099720109477"]
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ }
+}
+
+data "aws_ami" "ubuntu_eu" {
+ provider = aws.eu
+ most_recent = true
+
+ owners = ["099720109477"]
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ }
+}
+
+data "aws_ami" "ubuntu_ap" {
+ provider = aws.ap
+ most_recent = true
+
+ owners = ["099720109477"]
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ }
+}
+
+resource "aws_instance" "honeypot_us" {
+ provider = aws.us
+
+ ami = data.aws_ami.ubuntu_us.id
+ instance_type = "t3.micro"
+
+ key_name = aws_key_pair.honeynet_key_us.key_name
+
+ vpc_security_group_ids = [aws_security_group.honeynet_sg_us.id]
+
+ tags = {
+ Name = "honeynet-us-east"
+ }
+}
+
+resource "aws_instance" "honeypot_eu" {
+ provider = aws.eu
+
+ ami = data.aws_ami.ubuntu_eu.id
+ instance_type = "t3.micro"
+
+ key_name = aws_key_pair.honeynet_key_eu.key_name
+
+ vpc_security_group_ids = [aws_security_group.honeynet_sg_eu.id]
+
+ tags = {
+ Name = "honeynet-eu-west"
+ }
+}
+
+resource "aws_instance" "honeypot_ap" {
+ provider = aws.ap
+
+ ami = data.aws_ami.ubuntu_ap.id
+ instance_type = "t3.micro"
+
+ key_name = aws_key_pair.honeynet_key_ap.key_name
+
+ vpc_security_group_ids = [aws_security_group.honeynet_sg_ap.id]
+
+ tags = {
+ Name = "honeynet-ap-south"
+ }
+}
+
+output "honeypot_ips" {
+ value = [
+ aws_instance.honeypot_us.public_ip,
+ aws_instance.honeypot_eu.public_ip,
+ aws_instance.honeypot_ap.public_ip
+ ]
+}
\ No newline at end of file
diff --git a/terraform/provider.tf b/terraform/provider.tf
new file mode 100644
index 0000000..7dda925
--- /dev/null
+++ b/terraform/provider.tf
@@ -0,0 +1,14 @@
+provider "aws" {
+ alias = "us"
+ region = "us-east-1"
+}
+
+provider "aws" {
+ alias = "eu"
+ region = "eu-west-1"
+}
+
+provider "aws" {
+ alias = "ap"
+ region = "ap-south-1"
+}
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..e69de29
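Review bot: All three security groups open port 22 — the node's real management sshd, not the honeypot, which the playbook leaves on Cowrie's default 2222 — to `0.0.0.0/0`, so the same worldwide attackers the sensors invite can also brute-force or exploit the admin SSH on every node; only 2222 should be public and 22 should be limited to the controller's address through a variable (the committed `terraform/variables.tf` is empty). The key pairs also read the public key from `/mnt/c/Users/harir/.ssh/honeynet_key.pub`, one developer's WSL path, which should be `file(pathexpand(var.public_key_path))`. `most_recent = true` on the three AMI lookups means each `apply` may silently roll to a different image, defensible for a throwaway sensor but worth a comment; and `metadata_options { http_tokens = "required" }` on the instances is a cheap default so a compromised node cannot trivially read IMDS (no IAM role is attached today, so this is hardening rather than a live exposure).
```hcl
variable "admin_cidr" {
  description = "CIDR allowed to reach management SSH (port 22) on honeypot nodes"
  type        = string
}

variable "public_key_path" {
  description = "SSH public key installed on honeypot nodes"
  type        = string
  default     = "~/.ssh/honeynet_key.pub"
}

resource "aws_key_pair" "honeynet_key_us" {
  provider   = aws.us
  key_name   = "honeynet-key"
  public_key = file(pathexpand(var.public_key_path))
}
# … unchanged: eu/ap key pairs, same public_key change …

resource "aws_security_group" "honeynet_sg_us" {
  provider = aws.us
  name     = "honeynet-sg"

  # management SSH: controller only, never the whole internet
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  # Cowrie listener: intentionally world-reachable
  ingress {
    from_port   = 2222
    to_port     = 2222
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # … unchanged: egress; eu/ap groups get the same port-22 restriction …
}

resource "aws_instance" "honeypot_us" {
  # … unchanged: provider, ami, instance_type, key_name, security group, tags …
  metadata_options {
    http_tokens = "required"   # IMDSv2 only
  }
}
```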