Skip to content

GUIDE

Deploy Modern Honey Network (MHN)

modern honey network

This tutorial will cover how to install the Modern Honey Network on an AWS instance.  Although not widely uses honeypots are extremely useful and essential to the modern network security ecosystem.  Companies can have the best perimeter security, antivirus, application, and network security but at some point, a bad actor or internal employee will attempt an attack.  Honeypots are the added layer of security that gives you a “digital tripwire” if someone is starting to probe or access sensitive data or areas of your network.

The Modern Honey Network (MHN) is open source and FREE!  The honeypots deployed and managed by MHN are open source and FREE!

 
 

Step 1 – Initial Server Setup

I am using an Ubuntu 18.04 t2.medium server with 40GB of attached storage on Amazon AWS.    This meets the hardware recommendations for a small/medium size deployment.  Although I am deploying this server in AWS, this tutorial should work on any platform running Ubuntu 18.04 (or any Debian-based Linux).  

Once the Ubuntu instance is ready, login and start doing some updates:

sudo apt-get update & sudo apt-get upgrade -y

ubuntu 18.02

Optional (but highly recommended):  Make sure you have a public domain name.  This is mandatory if you want to use SSL.

Step 2  – Install git

Since we are pulling Modern Honey Network (MHN) from GitHub, we need to install git.

sudo apt-get install git -y

install git

Luckily it looks like git is already installed.

Step 3 – Clone MHN

Now, all we have to do is clone MHN into the /opt directory.

cd /opt
git clone https://github.com/pwnlandia/mhn.git

git clone mhn

Step 4 – Install MHN

This is where the magic happens!  All we have to do is run the setup script, which will install and configure everything for MHN.

cd /opt/mhn/
sudo ./install.sh

Note:  This part will take a little bit to complete

At the end of the script it will ask you a few questions:

Do you wish to run in Debug mode?: y/n n
Superuser email: your email address
Superuser password: enter a good complex password
Superuser password: (again): repeat a good complex password
Server base url ["http://IPAddress"]: https://mhn.subproject9.com/ (or use IP)
Honeymap url ["https://domain:3000"]: https://mhn.subproject9.com:3000 (or use IP)
Mail server address ["localhost"]:
Mail Server port [25]:
Use TLS for email?: y/n
Use SSL for email?: y/n
Mail server username ['']:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log]:

Note:  I am using HTTPS in my settings; this is optional but highly recommended.  I am not setting my server up to send emails and leaving the default configuration.

Next, we wait for the database’s initialization and import of SNORT rules.  This will take a long time.

snort rules are loading

After all the rules load, the install will ask if you want to install Graylog, ELK, and add rules to UFW.  In this tutorial, I will not be installing Graylog or ELK.  I plan to eventually integrate the alerts/logs into a pre-existing ELK server, but that is for another tutorial.

For this tutorial, I am not allowing the MHN install script to enable and configure the server UFW firewall.  If you install MHN for a production environment, ensure you secure your server.

splunk ELK UFW Configuration

Step 5 – Get SSL Certs using Certbot

First, lets install Certbot:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx -y

Now we have to edit the default site configuration in NGINX:

sudo nano /etc/nginx/site-available/default

Change the line ‘server_name _;” to your server DNS name ‘server_name mhn.subproject9.com;’

edit nginx configuration

(CTL-O to save, CTL-X to exit)

Verify there are no NGINX errors

sudo nginx -t

If there are no errors, restart NGINX

sudo systemctl restart nginx

test and restart nginx

Now let’s get our SSL cert:

sudo certbot --nginx -d mhn.subproject9.com

If everything goes well, you should see something like this:

install certbot certificate

Now, let’s test the interface to make sure everything is working:

Open a browser to your

SUCCESS!

Login MHN

Step 7 – Deploying Honeypots

Deploying honeypots with MHN is extremely easy!

Log into the web interface and select “Deploy” on the top menu:

Deploy a honeypot

 

Select the honeypot you would like to deploy:

Select a honeypot to deploy

 

Now, all you have to do is copy the command and drop it a clean install of Ubuntu, Centos 7 or a Raspberry Pi.

deploy Suricata

 

Note:  You must install as root and the target server for install must not have any other services deployed.

 

Book Recommendation

The book does a great job at covering the different uses of deception as a detection mechanism, from honey services to honey credentials, and gives you food for thought with anecdotes and real-life examples. Some clever ideas made me smile, such as how a standard DHCP server can be used as an unauthorized devices detection mechanism. After these you’ll start getting your own ideas which will help raise the bar of cybersecurity.

  • If you think honeypots are not for you, read this book
  • If you think your company is not ready for honeypots, read this book
  • If you want to effectively and simply detect if adversaries are dwelling in your network (and have fun with it), read this book.