Glastopf is a web application honeypot. It collects information about web application-based attacks like remote and local file inclusion and SQL injections. This article will show how to run the honeypot inside a Docker container.
It is highly recommended to set up a Docker host before reading any further.
The easiest way to get started is to use the file called Dockerfile from the glastopf git repository.
$ mkdir -p /tmp/glastopf
$ cd /tmp/glastopf
$ wget https://raw.githubusercontent.com/glastopf/glastopf/master/Dockerfile
After downloading the Dockerfile successfully, the docker build command can be used to build an image file for the honeypot container. It may take some time until the build process has finished.
$ sudo docker build --rm --tag glastopf .
If the build was successful, create a new data directory on the Docker host to hold all the files from the honeypot.
$ sudo mkdir -p /opt/honeypot/glastopf1
Now it's time to launch the honeypot for the first time.
$ sudo docker run --rm --publish 80:80 --volume /opt/honeypot/glastopf1:/opt/myhoneypot glastopf
2015-02-16 20:45:12,097 (glastopf.glastopf) Initializing Glastopf 3.1.3-dev using "/opt/myhoneypot" as work directory.
2015-02-16 20:45:12,151 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2015-02-16 20:45:12,164 (glastopf.modules.handlers.emulators.dork_list.dork_page_generator) Bootstrapping dork database.
2015-02-16 20:45:14,296 (glastopf.modules.handlers.emulators.dork_list.database_sqla) Done with insert of 5096 dorks into the database.
2015-02-16 20:45:14,297 (glastopf.glastopf) Generating initial dork pages - this can take a while.
2015-02-16 20:45:14,352 (pyhpfeeds) connecting to hpfriends.honeycloud.net:20000
2015-02-16 20:45:14,356 (glastopf.glastopf) Glastopf started and privileges dropped.
It should be possible to access the Glastopf web server at http://localhost/. To stop the honeypot, press Ctrl + C.
After the first run, and before you play with your new honeypot, have a look at the config file at /opt/honeypot/glastopf1/glastopf.cfg. I would recommend disabling remote logging if you just want to play around and run some tests. In production, however, it might be a good idea to share your results with the community.
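One way to check which loggers in the config file report off-host and to switch them off for a test run. This is an added example, not code from the original article or from the Glastopf project; the section and key names in the sample (`[hpfeed]`, `enabled`, `host`, `port`) are assumptions about the INI layout and should be checked against your own glastopf.cfg.

```python
import configparser
import io

# Constructed sample in the INI style of glastopf.cfg. Section and key names
# are assumptions for illustration; the endpoints are the ones in the log above.
SAMPLE_CFG = """\
[webserver]
host = 0.0.0.0
port = 80

[hpfeed]
enabled = True
host = hpfriends.honeycloud.net
port = 20000

[main-database]
enabled = True
connection_string = sqlite:///db/glastopf.db
"""

REMOTE_KEYS = ("host", "server", "url")  # keys that suggest a network destination

def remote_loggers(cfg):
    """Return {section: destination} for enabled sections that point off-host."""
    found = {}
    for name in cfg.sections():
        sec = cfg[name]
        # Sections without an "enabled" switch (e.g. the web server) are skipped.
        if not sec.getboolean("enabled", fallback=False):
            continue
        for key in REMOTE_KEYS:
            if key in sec:
                port = sec.get("port", fallback="")
                found[name] = sec[key] + (":" + port if port else "")
                break
    return found

def disable_remote(text):
    """Switch off every remote logger; return (what was changed, new config text)."""
    cfg = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cfg.read_string(text)
    changed = remote_loggers(cfg)
    for name in changed:
        cfg[name]["enabled"] = "False"
    out = io.StringIO()
    cfg.write(out)
    return changed, out.getvalue()

if __name__ == "__main__":
    print(disable_remote(SAMPLE_CFG)[0])  # sections switched off and their targets
```

configparser drops comments when it writes a file, so write the result to a copy and compare it with the original before replacing glastopf.cfg.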
Links
- Website: glastopf at GitHub (English)
- Website: Docker Docs (English)