DENDRITE code repository. This project has been realized for my MSc degree thesis in Cybersecurity at Politecnico di Torino, in partnership with SECURITY REPLY S.R.L.

eneagizzarelli/DENDRITE

DENDRITE: static equivalent of SYNAPSE


Table of Contents
  1. About the project
  2. Installation
  3. Usage
  4. License
  5. Contacts
  6. Other projects
  7. Acknowledgments

About the project

DENDRITE is a low-interaction, static server honeypot entirely written in Python. It currently implements two services:

  • SSH Server
  • MySQL Server

It works by leveraging Docker containers. Whenever a user connects to the machine, a container is run for that user. It essentially consists of a running instance of an Ubuntu image on which a MySQL server has been installed and populated and whose file system has been enriched with arbitrary content. This makes it possible to support multiple sessions for the same user: each IP address gets its own file system, which persists across its subsequent sessions, and different users never see modifications made by others.

DENDRITE has been implemented mainly with the aim of a comparative evaluation: it is the static equivalent of SYNAPSE, a dynamic honeypot leveraging generative AI.


Installation

  1. Clone this repository

    git clone https://github.com/eneagizzarelli/DENDRITE.git
  2. Enter the project folder and install requirements

    pip install -r requirements.txt

Note 1: in my configuration, the DENDRITE project folder has been cloned under the specific path /home/enea/DENDRITE. Every script/source file in this project refers to other scripts/source files using that absolute path as its base path. If you plan to use a different configuration, such as another location or user, remember to change the paths and to replace enea everywhere.

  3. Copy the configDENDRITE.sh script from the scripts/ folder to a location outside the DENDRITE directory and, after assigning the necessary permissions, run it

    chmod +x configDENDRITE.sh
    ./configDENDRITE.sh

    This completes the configuration of DENDRITE: it creates the necessary folders, downloads the GeoLite2 database and assigns ownership and permissions to user enea (or the one you specifically decided on).

  4. Modify your /etc/ssh/sshd_config file so that several SSH features the code does not handle are disabled whenever user enea (or the one you specifically decided on) connects to your machine using SSH:

    Match User enea
       X11Forwarding no
       AllowTcpForwarding no
       AllowAgentForwarding no
       PermitTunnel no
       PermitOpen none

Note 2: if you are hosting the code on a VM such as an AWS EC2 instance and you want to allow password authentication, remember to edit your /etc/ssh/sshd_config.d/50-cloud-init.conf file and set PasswordAuthentication yes (the file is 60-cloudimg-settings.conf on Oracle Cloud Infrastructure).

  5. Restart your SSH service

    systemctl restart sshd
  6. Install Docker

    apt install docker.io
  7. Add user enea (or the one you specifically decided on) to the docker group

    usermod -aG docker enea
  8. Enter the DENDRITE project folder and build the Dockerfile to create an image named dendrite-image

    docker build -t dendrite-image .

    The dot is the location of the Dockerfile.

  9. Modify your /home/enea/.profile file by appending the content of the config/profile file you can find in this project. Whenever user enea (or the one you specifically decided on) connects to your machine using SSH, this creates and runs the Docker container (if it does not exist yet) or restarts it (if it already exists), attaches the user to it, and extracts both the terminal and the MySQL logs from the container to the local machine. In this way the user cannot access your machine: their interactions with the terminal are constrained to the container file system.
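The following is an added example, not the project's own config/profile script, sketching the two pieces of the procedure above that a practitioner would want to verify: a check that the Match block actually took effect for the honeypot user (run against the output of `sshd -T -C user=enea`), and a per-IP session wrapper of the kind the .profile step describes. The project root /home/enea/DENDRITE and the image name dendrite-image come from this README; the container-internal log paths (/var/log/dendrite/terminal.log, /var/log/mysql/general.log), the use of util-linux `script` to record the terminal, the run options, and the DENDRITE_AUTORUN guard are assumptions made for this example only.

```shell
#!/bin/sh
# Added example (not part of the DENDRITE repository). Assumed names are marked below.

DENDRITE_HOME="${DENDRITE_HOME:-/home/enea/DENDRITE}"   # project root from the README
DENDRITE_IMAGE="${DENDRITE_IMAGE:-dendrite-image}"      # image built in step 8

# Derive the per-source-IP container name from SSH_CONNECTION, which sshd sets to
# "client_ip client_port server_ip server_port". Only a plain IPv4 dotted quad is
# accepted, so nothing but digits and dashes ever reaches docker arguments or
# on-disk log paths.
dendrite_container_name() {
    ip=$(printf '%s' "$1" | cut -d' ' -f1)
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;
    esac
    case "$ip" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    printf 'dendrite-%s\n' "$(printf '%s' "$ip" | tr '.' '-')"
}

# Verify that the Match block from step 4 is in force. Pass the effective
# configuration for the honeypot user (the output of `sshd -T -C user=enea`);
# the return value is the number of settings that differ from the README's block.
dendrite_check_sshd() {
    effective="$1"
    missing=0
    for want in "x11forwarding no" "allowtcpforwarding no" \
                "allowagentforwarding no" "permittunnel no" "permitopen none"; do
        if ! printf '%s\n' "$effective" | grep -qix "$want"; then
            echo "sshd: expected '$want' for the honeypot user" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run on SSH login of the honeypot user: start (or restart) the container tied to
# the client's IP, attach the user to it, then copy the terminal and MySQL logs out
# of the container before the SSH session ends. Log locations inside the container
# and the `script` recorder are assumptions of this example.
dendrite_session() {
    name=$(dendrite_container_name "$SSH_CONNECTION") || {
        echo "refusing session: unexpected SSH_CONNECTION value" >&2
        return 1
    }
    ip_dir="$DENDRITE_HOME/logs/${name#dendrite-}"
    mkdir -p "$ip_dir"
    if docker container inspect "$name" >/dev/null 2>&1; then
        # Same IP again: reuse its file system so earlier modifications persist
        docker start "$name" >/dev/null
    else
        # First visit from this IP: fresh container from the image, no host mounts;
        # the hardening options below are this example's choice, not the project's
        docker run -d --name "$name" --security-opt no-new-privileges --pids-limit 256 \
            "$DENDRITE_IMAGE" sleep infinity >/dev/null
    fi
    # Attach the user to a shell inside the container, recording the terminal
    docker exec -it "$name" script -q -a -c /bin/bash /var/log/dendrite/terminal.log
    # Pull the logs to the host; the container keeps running state for the next visit
    docker cp "$name:/var/log/dendrite/terminal.log" "$ip_dir/" 2>/dev/null || true
    docker cp "$name:/var/log/mysql/general.log" "$ip_dir/" 2>/dev/null || true
    docker stop "$name" >/dev/null
}

# In ~/.profile, source this file with DENDRITE_AUTORUN=1 so that an SSH login runs
# the session and then exits, never leaving the honeypot user at a host shell.
if [ -n "$SSH_CONNECTION" ] && [ "${DENDRITE_AUTORUN:-0}" = "1" ]; then
    dendrite_session
    exit
fi
```

The sshd check matters because sshd_config.d snippets and later Match blocks can override what you wrote; testing the effective configuration with `sshd -T -C user=enea` rather than reading the file is the reliable way to confirm that forwarding and tunnelling are really off for the honeypot user.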


Usage

With the configuration above, a DENDRITE container is run in place of the real file system whenever user enea (or the one you specifically decided on) connects to your SSH server.


License

Distributed under the MIT License. See LICENSE for more information.


Contacts

Enea Gizzarelli - eneagizzarelli2000@gmail.com

LinkedIn - https://linkedin.com/in/eneagizzarelli


Other projects

SYNAPSE: https://github.com/eneagizzarelli/SYNAPSE


Acknowledgments

