Configuring HoneyDB Agent
There are two configuration files for HoneyDB Agent. The default location for both files is /etc/honeydb. The main configuration file is agent.conf, and the services configuration file is services.conf.
Agent Configuration
In the agent.conf file, the main configuration section is the [agent] section and actually only has one option to configure.
Name | Description |
---|---|
nodename | Name for this agent node to be displayed in tweets (if Twitter is configured). |
logging | Yes or no, to enable agent logging. Default is No. |
ip_address | remote or local, the method the agent uses to determine its IP address. When the agent is behind a NAT gateway, using remote will apply the gateway's public-facing IP instead of the agent host's internal private IP. |
Note
The logging option above relates to the honeydb-agent's operational activity, not events collected from honeypot interaction.
Loggers
Loggers tell the honeydb-agent where to send honeypot interaction events and are configured within the agent.conf file. There are three loggers available.
HoneyDB
To log data back to HoneyDB you will need a HoneyDB API ID and HoneyDB Agent Sensor API key. These keys can be generated by creating an account on the HoneyDB website. Once you have keys, edit the [honeydb] section in the agent.conf file, see example below:
[honeydb]
enabled = Yes
api_id = abcd1234
api_key = 4321dcba
Local
To log data locally on the system, edit the [local] section in the agent.conf file, see example below:
[local]
enabled = Yes
log_dir = /your/custom/path/honeydb
Twitter
The honeydb-agent can be configured to tweet connection events (not all events are tweeted). To enable the Twitter logger you will need Twitter API credentials, see https://dev.twitter.com/oauth/application-only. Edit the [twitter] section in the agent.conf file, see example below:
[twitter]
enabled = Yes
consumerkey = abcdefg
consumersecret = 123456
oauthtoken = gfedcba
oauthsecret = 654321
Service Configuration
The services.conf file tells HoneyDB Agent which services to launch. The service configuration file is used to define service names, ports, and plugins to run on your honeypot. Each service defined in the file has an enabled option. This option can be set to Yes or No to determine which services run when the honeydb-agent is started.
Example service definition:
[FTP]
plugin = FTP_tcp
low_port = tcp:21
port = tcp:21
description = FTP service.
enabled = Yes
Explanation of service definition:
[FTP]
- The service name. You can set your own service name, however service names must not contain spaces.
plugin = FTP_tcp
- The service plugin. The plugin specified determines what protocol emulation to implement.
low_port = tcp:21
- This value is used as a reference in scenarios where port forwarding with iptables is required. The protocol (TCP or UDP) and port the host will listen on for this service.
port = tcp:21
- The protocol (TCP or UDP) and port number to use when starting the service.
Note
If you are not implementing port forwarding with iptables, low_port and port should have the same values.
description = FTP service.
- The description of the service.
enabled = Yes
- Yes or No, tells honeydb-agent if the service should run or not.
Note
The default services.conf file comes with all services pre-configured. Review this file to see what plugins are available.
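The rules described above for a service definition (no spaces in the service name, a protocol:port value for low_port and port, Yes or No for enabled, and matching low_port and port unless iptables forwarding is in use) can be checked before starting the agent. The linter below is an added example, not part of HoneyDB Agent; it assumes the file parses as standard INI, and the [FTP Alt] service and the lint_services function are hypothetical names made up for illustration.

```python
import configparser
import re

PORT_RE = re.compile(r"^(tcp|udp):(\d{1,5})$", re.IGNORECASE)

# Constructed sample input, not a real deployment's services.conf.
SAMPLE = """\
[FTP]
plugin = FTP_tcp
low_port = tcp:21
port = tcp:21
enabled = Yes

[FTP Alt]
plugin = FTP_tcp
low_port = tcp:2121
port = tcp:12121
enabled = maybe
"""

def lint_services(text):
    """Return (service, message) findings for a services.conf body."""
    # Assumption: INI syntax with '=' as the only key/value delimiter.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if re.search(r"\s", name):
            findings.append((name, "service name contains spaces"))
        if not sec.get("plugin", "").strip():
            findings.append((name, "missing plugin"))
        ports = {}
        for key in ("low_port", "port"):
            m = PORT_RE.match(sec.get(key, "").strip())
            if m and 1 <= int(m.group(2)) <= 65535:
                ports[key] = (m.group(1).lower(), int(m.group(2)))
            else:
                findings.append((name, f"{key} is not tcp:<port> or udp:<port>"))
        if len(ports) == 2 and ports["low_port"] != ports["port"]:
            findings.append((name, "low_port differs from port: iptables forwarding expected"))
        if sec.get("enabled", "").strip().lower() not in ("yes", "no"):
            findings.append((name, "enabled must be Yes or No"))
    return findings

if __name__ == "__main__":
    for service, message in lint_services(SAMPLE):
        print(f"[{service}] {message}")
```

A low_port/port mismatch is reported as a reminder rather than an error, since it is valid when an iptables forwarding rule exists on the host.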