Host Setup/Management

1. You must have root access on an Ubuntu server to host a honeypot.

STINGAR only supports Ubuntu as a platform for hosting honeypots, so you'll need root access to an Ubuntu server that can be dedicated to hosting a honeypot. (Currently, if you deploy a honeypot to a server that's already hosting a honeypot, ensure that the honeypots do not use the same port numbers, or the new deployment will replace the existing honeypot.)

To register this server as a STINGAR honeypot host, you will need to know:

  • The IP address or domain name
  • The Ubuntu username you use to access this server. This user must have root access (i.e., the user can successfully run commands with sudo).
  • A non-standard port number to use for ssh communication to the server. This port serves 2 purposes: 1) STINGAR uses it to install honeypots & 2) the honeypot will listen on this port for access attempts. We often use 2222 for the ssh port. (We will explain how to configure this port for ssh communication later on.)

2. Log in to STINGAR to register your Ubuntu server as a host.

Log in to your STINGAR instance to register your Ubuntu server as a honeypot host. If you haven't yet installed STINGAR, refer to this site. If you don't know how to get logged in, check this link.

Once logged in, click Manage Hosts in the left sidebar.

To create a host, you'll first need an authentication key to assign to the host, so we'll start with creating an authentication key.

Create Authentication Key

STINGAR needs an ssh authentication key to securely communicate with your honeypot host machines. The key includes 2 parts: 1) a public key that you'll need to copy to the honeypot host and 2) a private key that only STINGAR knows and keeps hidden. Whenever STINGAR needs to access the host (for example, to install a honeypot), it authenticates with the private key, and the host checks this against the public key you installed. If they match, ssh allows access.

At the top of the Manage Hosts page is a section for adding/removing authentication keys.

Click anywhere in this section to expand it.

Click [+ Add Auth Key] to open a dialog box that will let you name a new authentication key.

Enter any name that will help you identify this authentication key. If you name it 'default', STINGAR will treat it as the default key, assume you usually want to use it, and assign it automatically whenever you create a new host. (You can always override this default and assign any auth key you want to a host.)

Press [Submit] and STINGAR will create a public/private key pair and assign it this name. The public key starts with the string 'ssh-rsa' followed by a series of random characters. You'll need to copy this public key to your honeypot host machine (STINGAR provides buttons to copy/paste the public key to your clipboard.)

The new authentication key entry will then appear in the auth key list.

Register your Honeypot Host

Now that you know the address/domain name, username and ssh port number of your honeypot host and have an authentication key to use, you're ready to set up this host in STINGAR. On the 'Manage Hosts' page, press the blue [ + Add New Host] button.

Enter information about your host. The screenshot below shows an example of registering host vcm-15556.vm.duke.edu for username vcm, and assigns the 'default' auth key to communication on port 2222.

Add New Host

When you press [Add New Host], the new host will appear in the host list.

Since you'll need this host information (particularly the authentication key) to set up the actual host machine, click on the host row to open a page that displays the host information.

Setup Your Host Machine

You need to do four things on your honeypot host:

  1. Verify the user has ssh set up in their home directory. (If not, set it up.)
  2. Add the ssh public key to ~/.ssh/authorized_keys.
  3. Set up a non-standard ssh port.
  4. Allow password-less sudo for the honeypot user.

To accomplish these four things, you need to open a terminal session and log on to your host machine as the user you identified when registering this host with STINGAR. The command below is what we entered to log on to our example host server as the user we identified:

 ssh vcm@vcm-15556.vm.duke.edu

1. Verify the user has ssh set up in their home directory.

To see if .ssh already exists for this user, list the contents of their home directory.

 ls -la

Does .ssh directory exist?

If .ssh doesn't appear in the list as it does in the image above, you'll need to start by creating this directory and the authorized_keys file with correct permissions. (If it's already set up, skip the following 4 commands.)

mkdir ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

2. Add the STINGAR-generated public key to ~/.ssh/authorized_keys.

Now that the .ssh/authorized_keys file exists, open it and prepare to paste in the authentication key you had STINGAR create earlier. Open the file with an editor (we assume vi). Go to the last line of the file and press i to get into vi's 'insert mode'.

vi ~/.ssh/authorized_keys

Back to the STINGAR 'Show Host' page... press the [Copy Public Key] button.

This will save the public key part of your authentication key to your clipboard. Return to the authorized_keys file you have open in the vi editor and press [Ctrl]-v to paste it into the file. Save the file and quit by entering: ZZ

Note: It's important that you use the public key you assigned to the host registered in STINGAR. If, for example, you copy the 'default' public key to the host machine's authorized_keys file, then later change the name of the auth key assigned to the host registered in STINGAR, STINGAR will be confused and won't be able to access the machine, so it won't be able to manage the honeypot.


3. Set up a non-standard ssh port.

You need to tell your honeypot host which port you've identified for ssh communications. To do this, uncomment the 'Port' line in the file /etc/ssh/sshd_config and assign it the port number you defined in STINGAR; this requires root access, so prefix the command with sudo.

sudo vi /etc/ssh/sshd_config

The /etc/ssh/sshd_config file:

Before edit: [screenshot: /etc/ssh/sshd_config before the edit]

After edit (assuming you've defined the ssh port to be 2222): [screenshot: /etc/ssh/sshd_config after the edit]

Once this file is updated, restart ssh on the server:

sudo systemctl restart ssh

At this point, your host machine should be ready for STINGAR to deploy & manage a honeypot. You may logout of the server by entering 'exit' at the command prompt.

4. Allow password-less sudo for the honeypot user.

Set up the honeypot user so they can run sudo commands without entering a password:

sudo visudo

This should open a file that contains a line of the form: rapid ALL=(ALL) NOPASSWD:ALL where the first field ('rapid' in this example) is the {username}. Replace the {username} value with the name of your honeypot user.

You can now log out of the host server; it should now be ready to host a honeypot.
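
A pre-flight check for the four host steps above, as an added example that is not part of STINGAR or of the original page. The function names (`check_host`, `check_sudo`, `sshd_ports`, `mode_of`) are hypothetical, the key file path in the usage comment is a placeholder, and the script assumes GNU stat (as on Ubuntu) and reads only the main sshd_config file.

```bash
#!/usr/bin/env bash
# Added example (not STINGAR code): verify host steps 1-4 before logging out.
# Function names are hypothetical; paths and the key are passed in by the caller.

# Octal permission bits of a path (GNU stat, as shipped with Ubuntu).
mode_of() { stat -c '%a' "$1" 2>/dev/null; }

# Print each active Port value in an sshd_config-style file, one per line.
# "#Port 22" is a comment and is ignored; "Port 2222" is active.
# sshd listens on 22 when no Port line is active. Include/Match are not followed.
sshd_ports() {
  local ports
  ports=$(awk 'tolower($1) == "port" { print $2 }' "$1" 2>/dev/null)
  echo "${ports:-22}"
}

# check_host HOME_DIR PUBKEY SSHD_CONFIG PORT
# Prints one FAIL line per problem; returns 0 only if steps 1-3 are in place.
check_host() {
  local home="$1" pubkey="$2" config="$3" port="$4" rc=0
  local keys="$home/.ssh/authorized_keys"
  # Step 1: the directory and file modes given on this page (700 and 600).
  { [ -d "$home/.ssh" ] && [ "$(mode_of "$home/.ssh")" = "700" ]; } ||
    { echo "FAIL: $home/.ssh must be a directory with mode 700"; rc=1; }
  [ "$(mode_of "$keys")" = "600" ] ||
    { echo "FAIL: $keys must exist with mode 600"; rc=1; }
  # Step 2: the key must be present as one complete, unbroken line.
  grep -qxF -- "$pubkey" "$keys" 2>/dev/null ||
    { echo "FAIL: public key is not a complete line in $keys"; rc=1; }
  # Step 3: the port registered in STINGAR must be an active Port value.
  sshd_ports "$config" | grep -qxF -- "$port" ||
    { echo "FAIL: $config does not set Port $port"; rc=1; }
  return "$rc"
}

# Step 4: succeeds only if sudo works without prompting (-n = non-interactive).
check_sudo() { sudo -n true 2>/dev/null; }

# Typical call on the host; the key file path is a placeholder:
#   check_host "$HOME" "$(cat /path/to/stingar_key.pub)" /etc/ssh/sshd_config 2222 \
#     && check_sudo && echo "host ready"
```

Run it from the session you already have open after restarting ssh, so that a mistyped Port line or a key pasted across two lines is caught while you can still fix it.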