Conpot is a low interactive honeypot. It can simulate industrial control systems and capture attack information. This article will show you how to run the honeypot inside a Docker container.
It is highly recommended to setup a Docker host before reading any further.
The easiest way to get started is to use a file called Dockerfile but at the time of writing the developers don't provide such a file. Thats why we have to create our own. You can find it below or you can download it.
FROM ubuntu:14.04.1
ENV DEBIAN_FRONTEND noninteractive
# Prepare source.list
RUN sed -i '1ideb mirror://mirrors.ubuntu.com/mirrors.txt trusty main universe multiverse' /etc/apt/sources.list && \
sed -i '1ideb mirror://mirrors.ubuntu.com/mirrors.txt trusty-updates main universe multiverse' /etc/apt/sources.list && \
sed -i '1ideb mirror://mirrors.ubuntu.com/mirrors.txt trusty-backports main universe multiverse' /etc/apt/sources.list && \
sed -i '1ideb mirror://mirrors.ubuntu.com/mirrors.txt trusty-security main universe multiverse' /etc/apt/sources.list
# Install dependencies
RUN apt-get update && apt-get install -y \
git \
libmysqlclient-dev \
libsmi2ldbl \
libxslt1-dev \
python \
python-dev \
snmp-mibs-downloader && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# Clone git repo and build the honeypot
RUN cd /opt/ && \
git clone https://github.com/glastopf/conpot.git && \
cd conpot/ && \
python setup.py install && \
rm -rf /opt/conpot /tmp/* /var/tmp/*
## Create directories
RUN mkdir -p /opt/myhoneypot/var
WORKDIR /opt/myhoneypot
VOLUME /opt/myhoneypot
EXPOSE 80 102 161/udp 502
CMD ["/usr/local/bin/conpot", "--template", "default", "--logfile", "/opt/myhoneypot/var/conpot.log"]
To build the image for the Docker container download the Dockerfile.
$ mkdir -p /tmp/conpot
$ cd /tmp/conpot
$ wget https://www.dinotools.de/file/article/2015/02/19/run-conpot-inside-a-docker-container/Dockerfile
After downloading the Dockerfile successfully the
docker buildcommand can be used to build an image file for the honeypot container. It may take some time until the build process has finished.
$ sudo docker build --rm --tag conpot .
If the build was successful create a new data directory on the Docker host to hold all the files created and used by the honeypot.
$ sudo mkdir -p /opt/honeypot/conpot1
Now it's time to launch the honeypot for the first time.
$ sudo docker run --rm --publish 80:80 --publish 102:102 --publish 161:161/udp --publish 502:502 --volume /opt/honeypot/conpot1:/opt/myhoneypot/var conpot
2015-02-18 18:27:45,595 Starting Conpot using template: /usr/local/lib/python2.7/dist-packages/Conpot-0.4.0-py2.7.egg/conpot/templates/default
2015-02-18 18:27:45,595 Starting Conpot using configuration found in: /usr/local/lib/python2.7/dist-packages/Conpot-0.4.0-py2.7.egg/conpot/conpot.cfg
2015-02-18 18:27:45,795 Fetched 89.16.154.168 as external ip.
2015-02-18 18:27:45,797 Conpot modbus initialized
2015-02-18 18:27:45,798 Found and enabled ('modbus', <class conpot.protocols.modbus.modbus_server.ModbusServer at 0x7fbde415f530>) protocol.
2015-02-18 18:27:45,799 Conpot S7Comm initialized
2015-02-18 18:27:45,799 Found and enabled ('s7comm', <class 'conpot.protocols.s7comm.s7_server.S7Server'>) protocol.
2015-02-18 18:27:45,800 Found and enabled ('http', <class 'conpot.protocols.http.web_server.HTTPServer'>) protocol.
2015-02-18 18:27:45,801 Found and enabled ('snmp', <class 'conpot.protocols.snmp.snmp_server.SNMPServer'>) protocol.
2015-02-18 18:27:45,802 No proxy template found. Service will remain unconfigured/stopped.
2015-02-18 18:27:45,802 Modbus server started on: ('0.0.0.0', 502)
2015-02-18 18:27:45,802 S7Comm server started on: ('0.0.0.0', 102)
2015-02-18 18:27:45,802 HTTP server started on: ('0.0.0.0', 80)
2015-02-18 18:27:45,911 SNMP server started on: ('0.0.0.0', 161)
2015-02-18 18:27:50,967 Privileges dropped, running as nobody/nogroup.
As you can see from the logs there are three services listening on the TCP ports 80, 102 and 502 and one service listening on port 161 UDP.
To stop the honeypot press Ctrl. + C.
Links
- Website: conpot (English)
- Website: conpot auf GitHub (English)
- Website: Docker Dokumentation (English)