Implementing Deception and Active Defense
Implementing Deception and Active Defense
Deploy honeypots to waste attackers' time and gather intelligence about their tooling and methods: a fake SSH service that looks vulnerable but records every credential, command and payload it receives. A honeypot is internet-exposed code, so run it on an isolated host or network segment under its own unprivileged account, and ship its logs somewhere the attacker cannot reach — the evidence it collects is the whole point.
Configure SSH honeypot with logging:
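# Install and configure the Cowrie SSH honeypot.
#
# Run this as root: the user, sshd and iptables steps need it. Cowrie itself
# refuses to start as root, so it gets a dedicated unprivileged account and the
# Python environment and daemon run as that account.
# Prefer an isolated VM/segment over a production host: everything the attacker
# does is logged, but this is still internet-exposed code on your system.
set -euo pipefail

# Dedicated system account that owns and runs the honeypot.
# (nologin lives in /sbin on RHEL-family systems.)
id cowrie >/dev/null 2>&1 || useradd --system --create-home --home-dir /home/cowrie --shell /usr/sbin/nologin cowrie

cd /opt
git clone https://github.com/cowrie/cowrie.git
cd cowrie
# Supply-chain hygiene: do not expose whatever is on the default branch today.
# List tags with `git tag` and check out a release you have reviewed before
# going further.
chown -R cowrie:cowrie /opt/cowrie

# Build the virtualenv as the cowrie user so the whole tree stays owned by it.
sudo -u cowrie -H bash -c '
  set -euo pipefail
  cd /opt/cowrie
  python3 -m venv cowrie-env
  source cowrie-env/bin/activate
  pip install --upgrade pip
  pip install -r requirements.txt
'

# Cowrie reads etc/cowrie.cfg.dist (defaults) and then etc/cowrie.cfg
# (overrides), so cowrie.cfg holds only what differs from the defaults.
# Copying the .dist file and appending to it would duplicate every section.
cat > etc/cowrie.cfg <<'EOF'
[honeypot]
# Hostname shown in the fake shell prompt; pick something plausible for your estate.
hostname = server
log_path = var/log/cowrie
download_path = var/lib/cowrie/downloads
contents_path = honeyfs
txtcmds_path = txtcmds

[ssh]
enabled = true
# Unprivileged port; the iptables REDIRECT below maps 22 onto it.
listen_endpoints = tcp:2222:interface=0.0.0.0
EOF

# Accepted credentials are NOT a cowrie.cfg section; they live in
# etc/userdb.txt, one "user:x:password" entry per line (see etc/userdb.txt.dist).
# Commonly sprayed passwords make the service look worth attacking.
cat > etc/userdb.txt <<'EOF'
root:x:admin
root:x:password
root:x:123456
admin:x:admin
admin:x:password
admin:x:123456
EOF
chown cowrie:cowrie etc/cowrie.cfg etc/userdb.txt

# Move the real sshd to 22222 BEFORE anything touches port 22; otherwise the
# REDIRECT below sends your own admin sessions into the honeypot.
sed -i -E 's/^#?Port 22$/Port 22222/' /etc/ssh/sshd_config
grep -q '^Port 22222$' /etc/ssh/sshd_config || echo 'Port 22222' >> /etc/ssh/sshd_config
sshd -t   # refuse to reload on a broken config
# The unit is "sshd" on RHEL-family and "ssh" on Debian/Ubuntu.
systemctl reload sshd 2>/dev/null || systemctl reload ssh
# Let 22222 through the host firewall (and 2222, the post-REDIRECT port, if the
# INPUT policy is DROP). Keep this session open and confirm a NEW login on
# 22222 works from another terminal before continuing.
iptables -C INPUT -p tcp --dport 22222 -j ACCEPT 2>/dev/null \
  || iptables -I INPUT -p tcp --dport 22222 -j ACCEPT

# Now steer inbound port 22 to the honeypot. nat/PREROUTING only sees traffic
# arriving from the network, and the rule is not persistent: add it to
# iptables-persistent / nftables / firewalld so it survives a reboot.
iptables -t nat -C PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222 2>/dev/null \
  || iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

# Start the honeypot as its own user, inside its virtualenv.
sudo -u cowrie -H bash -c 'cd /opt/cowrie && source cowrie-env/bin/activate && ./bin/cowrie start'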
Create active response system:
#!/bin/bash
# active-ssh-defense.sh
# Active response to detected attacks
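#######################################
# Apply one active-defense response to an attacking IPv4 address.
# Arguments:
#   $1 - attacker IPv4 address. It comes from log data, so it is validated
#        here before it is spliced into any iptables/ip command line.
#   $2 - attack type: credential_stuffing | scanner | persistent
# Outputs: diagnostics to stderr
# Returns: 2 on a malformed address or unknown type, otherwise the status of
#          the last iptables/ip/report command
# Notes:
#   - Rules are inserted at the top of the chain (-I) and only if absent
#     (-C). Appending (-A) lands behind any earlier ACCEPT and may never
#     match, and repeated calls for the same address would stack duplicates.
#   - nat/PREROUTING runs before filter/INPUT, so once a "scanner" redirect
#     exists for an address, a later "credential_stuffing" TARPIT on
#     --dport 22 no longer matches it (the port is already rewritten to 2222).
#   - TARPIT comes from xtables-addons (xt_TARPIT), not stock iptables; its
#     modes are --tarpit (default), --honeypot and --reset.
#   - Nothing here expires. Pair this with a scheduled cleanup or
#     fail2ban-style timeouts so a shared NAT address is not blocked forever.
#   - report_to_threatintel is expected to be defined elsewhere in the script.
#######################################
respond_to_attack() {
  local attacker_ip=$1
  local attack_type=$2
  local octet rule

  # Accept only a well-formed dotted quad with in-range octets.
  if [[ ! $attacker_ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    printf 'respond_to_attack: not an IPv4 address: %q\n' "$attacker_ip" >&2
    return 2
  fi
  for octet in ${attacker_ip//./ }; do
    if (( 10#$octet > 255 )); then
      printf 'respond_to_attack: not an IPv4 address: %q\n' "$attacker_ip" >&2
      return 2
    fi
  done

  case $attack_type in
    credential_stuffing)
      # Slow the attacker down: hold each TCP connection open without data.
      rule=(INPUT -s "$attacker_ip" -p tcp --dport 22 -j TARPIT --tarpit)
      iptables -C "${rule[@]}" 2>/dev/null || iptables -I "${rule[@]}"
      ;;
    scanner)
      # Steer the scanner into the Cowrie honeypot listening on 2222.
      rule=(PREROUTING -s "$attacker_ip" -p tcp --dport 22 -j REDIRECT --to-port 2222)
      iptables -t nat -C "${rule[@]}" 2>/dev/null || iptables -t nat -I "${rule[@]}"
      ;;
    persistent)
      # Null-route the address: no reply can be routed back to it, so no
      # connection completes. "replace" is idempotent; "add" fails with
      # "File exists" on the second call.
      ip route replace blackhole "${attacker_ip}/32"
      ;;
    *)
      printf 'respond_to_attack: unknown attack type: %q\n' "$attack_type" >&2
      return 2
      ;;
  esac

  # Share the sighting with whatever threat-intel sink the deployment wires up.
  report_to_threatintel "$attacker_ip" "$attack_type"
}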
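#######################################
# Follow the sshd auth log and hand repeat brute-forcers to respond_to_attack.
# Globals (read):
#   SSH_DEFENSE_THRESHOLD - failed logins from one address before responding
#                           (default 5; set 1 to react to the first failure)
#   SSH_DEFENSE_ALLOWLIST - space-separated IPv4 addresses never acted on;
#                           put bastion/management addresses here so one typo
#                           by an admin cannot tarpit them
# Arguments:
#   $1 - log file to follow (default /var/log/auth.log; journald-only hosts
#        need a different source, e.g. journalctl -f -u ssh -o cat)
# Returns: does not return unless tail exits
# Notes:
#   - Only "Failed password for [invalid user ]<admin|root|test> from <IPv4>"
#     lines count; other usernames and IPv6 peers are ignored. Keep the
#     username group anchored inside the phrase: a bare alternation such as
#     "Failed password.*admin\|root\|test" matches any line containing
#     "root" or "test", including successful logins.
#   - Each address is responded to once; counts live for this process only.
#   - Nothing here is invoked automatically; the script must call
#     monitor_attacks (e.g. as its last line) to start watching.
#######################################
monitor_attacks() {
  local log_file=${1:-/var/log/auth.log}
  local threshold=${SSH_DEFENSE_THRESHOLD:-5}
  local allowlist=${SSH_DEFENSE_ALLOWLIST:-}
  local -A failures=() responded=()
  local line ip
  # Anchor the address between "from " and " port" so the first number on the
  # line (PID, timestamp) is never mistaken for the peer.
  local re='Failed password for (invalid user )?(admin|root|test) from ([0-9]{1,3}(\.[0-9]{1,3}){3}) port'

  # Process substitution keeps the loop in this shell so the counters persist
  # (a "tail | while" pipeline would run the loop in a subshell).
  while IFS= read -r line; do
    [[ $line =~ $re ]] || continue
    ip=${BASH_REMATCH[3]}
    case " $allowlist " in
      *" $ip "*) continue ;;
    esac
    failures[$ip]=$(( ${failures[$ip]:-0} + 1 ))
    (( failures[$ip] >= threshold )) || continue
    [[ -z ${responded[$ip]:-} ]] || continue
    responded[$ip]=1
    respond_to_attack "$ip" "credential_stuffing"
  done < <(tail -F -- "$log_file")
}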