Part 1: Modern Honey Network (MHN) — Installing Server on EC2 Instance

Cybersecurity Stash
Oct 20, 2016

Today, I’m going to show you the steps on how to deploy Modern Honey Network (MHN). The Modern Honey Network project makes deploying and managing secure honeypots extremely simple. Honeypots offer a powerful and exciting way of learning about attackers’ presence and methods. They contribute towards a security program that incorporates deception. However, honeypots can be tricky to set up and oversee. The open-source tool Modern Honey Network (MHN) by Anomali Inc (formerly known as ThreatStream) drastically simplifies the tasks of installing and managing low-interaction honeypots. Armed with MHN and access to an inexpensive public cloud provider, anyone can start experimenting with and learning from honeypots.

Installing MHN Server on EC2 Instance

I’ve tested installing the MHN Server on an Ubuntu 14.04 image (t2.small instance type) with 40GB storage & 2GB memory. So far, it has been working well with no hiccups! Once you have SSHed into your fresh EC2 instance with your private key, run the following commands:

[mhn-server] sudo apt-get update && sudo apt-get upgrade
[mhn-server] sudo apt-get install git -y
[mhn-server] cd /opt/
[mhn-server] sudo git clone https://github.com/threatstream/mhn.git
[mhn-server] cd mhn/
[mhn-server] sudo ./install.sh

You’ll be prompted for a few configuration parameters, including the desired login email and password.

Do you wish to run in Debug mode?: y/n n
Superuser email: <this email address will be your login>
Superuser password:
Superuser password: (again):
Server base url ["http://xxx.xxx.xxx.xxx"]:
Honeymap url [":3000"]: http://xxx.xxx.xxx.xxx:3000
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:
Would you like to integrate with Splunk? (y/n)n
Would you like to install ELK? (y/n)n

To make sure everything is in order, issue these 3 commands and your output should be the same as below (all processes should be “RUNNING”):

[mhn-server] sudo /etc/init.d/nginx status
* nginx is running
[mhn-server] sudo /etc/init.d/supervisor status
is running
[mhn-server] sudo supervisorctl status
geoloc RUNNING pid 1210, uptime 1 day, 0:03:12
honeymap RUNNING pid 1214, uptime 1 day, 0:03:12
hpfeeds-broker RUNNING pid 1207, uptime 1 day, 0:03:12
hpfeeds-logger-splunk RUNNING pid 1518, uptime 23:57:00
mhn-celery-beat RUNNING pid 1204, uptime 1 day, 0:03:12
mhn-celery-worker RUNNING pid 1212, uptime 1 day, 0:03:12
mhn-collector RUNNING pid 2367, uptime 22:55:23
mhn-uwsgi RUNNING pid 1211, uptime 1 day, 0:03:12
mnemosyne RUNNING pid 1209, uptime 1 day, 0:03:12

Should the mhn-celery-worker process show as “FATAL”, fret not! Try this instead:

[mhn-server] cd /var/log/mhn/
[mhn-server] sudo chown www-data mhn.log
[mhn-server] sudo supervisorctl start mhn-celery-worker

By default, the MHN server sends anonymous attack data to ThreatStream. If you would like to disable this, run the following commands:

[mhn-server] cd /opt/mhn/scripts
[mhn-server] sudo ./disable_collector.sh

Note: Under your EC2 instance’s Security Groups, please ensure that ports 80, 22, 3000 and 10000 are open.

[mhn-server] netstat -tunlp
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::3000 :::* LISTEN -
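The two checks above (every supervisor process RUNNING, the four ports listening) can be scripted. The following is an added example, not part of the original post or the MHN project; the function names and sample output are constructed, and the comment mapping port 10000 to the hpfeeds broker is an assumption based on MHN defaults.

```shell
#!/bin/sh
# Added example: post-install health check for the MHN server.
# Ports the post says must be open: 80 web UI, 22 SSH, 3000 honeymap,
# 10000 (assumed here to be the hpfeeds broker).
EXPECTED_PORTS="80 22 3000 10000"

# stdin: `supervisorctl status` output.
# stdout: "name:STATE" for every program that is not RUNNING.
failed_procs() {
    awk 'NF >= 2 && $2 != "RUNNING" { print $1 ":" $2 }'
}

# stdin: `netstat -tunl` output.
# stdout: expected ports with no TCP listener on a non-loopback address
# (a service bound to 127.0.0.1 is unreachable even when the Security
# Group allows the port).
missing_ports() {
    listening=$(awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)
        addr = $4; sub(/:[0-9]+$/, "", addr)
        if (addr != "127.0.0.1" && addr != "::1") print port
    }')
    missing=""
    for port in $EXPECTED_PORTS; do
        printf '%s\n' "$listening" | grep -qx "$port" || missing="$missing $port"
    done
    echo "${missing# }"
}

# Constructed sample output: one FATAL worker, honeymap bound to loopback.
SAMPLE_SUPERVISOR='geoloc             RUNNING  pid 1210, uptime 1 day, 0:03:12
hpfeeds-broker     RUNNING  pid 1207, uptime 1 day, 0:03:12
mhn-celery-worker  FATAL    Exited too quickly (process log may have details)
mhn-uwsgi          RUNNING  pid 1211, uptime 1 day, 0:03:12'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp   0 0 0.0.0.0:10000   0.0.0.0:*  LISTEN
tcp   0 0 0.0.0.0:80      0.0.0.0:*  LISTEN
tcp   0 0 127.0.0.1:3000  0.0.0.0:*  LISTEN
tcp6  0 0 :::22           :::*       LISTEN
udp   0 0 0.0.0.0:68      0.0.0.0:*'

# On the server: sudo supervisorctl status | failed_procs
#                netstat -tunl | missing_ports
printf '%s\n' "$SAMPLE_SUPERVISOR" | failed_procs
printf '%s\n' "$SAMPLE_NETSTAT" | missing_ports
```

Empty output from both functions means the server matches the healthy state shown above.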

Once the installation completes, you can connect to MHN Server web interface by directing your browser to the server’s IP address or hostname, at which point you’ll have the opportunity to log in.

MHN Server Web Interface

Voila! Your MHN server is now running perfectly! Remember the superuser email and password you gave during the initial configuration? Use that for the login to your MHN server.

The next part that I’m going to share covers installing the MHN Sensor on a separate EC2 instance. Stay tuned! :)

For more Cybersecurity resources, check out my humble page — https://ceeso.co
