Honeypot
Package name: intrudect-honeypot
Honeypot agent listens on the TCP or UDP ports specified in its configuration, records what clients send, and reports the activity to the central web as an alert. A TCP port can also emulate a service to capture what an attacker attempts.
Configuration
The initial example (not default) configuration for Honeypot can be created in the web UI under Agents > Add new honeypot. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-honeypot/etc/config.json. Once in place, Honeypot will request an updated configuration from the web UI every minute.
Listeners
A listener specifies an IP and the TCPPorts and UDPPorts to monitor. Each TCPPorts entry is an object with a Port and optional Protocol and Banner fields (see TCP port options); UDPPorts is a plain list of port numbers.
"Listeners": [
{
"IP": "192.168.1.2",
"TCPPorts": [
{ "Port": 25, "Protocol": "smtp" },
{ "Port": 110, "Protocol": "pop3", "Banner": "+OK mycorp POP3 ready\r\n" },
{ "Port": 143, "Protocol": "imap" }
],
"UDPPorts": [
123,
161
]
}
]
In this example TCP port 25 emulates SMTP with its default banner, port 110 emulates POP3 with a custom banner, and port 143 emulates IMAP; the UDP ports and any TCP port without a Protocol stay silent.
The IP field controls which local address the listener binds to:
- an IPv4 literal (
192.168.1.2) — that IPv4 address only - an IPv6 literal (
2001:db8::5) — that IPv6 address only ::or an empty string — all interfaces, both IPv4 and IPv60.0.0.0— all interfaces, IPv4 only
TCP port options
Each TCPPorts entry has a required Port and two optional fields:
Protocol— the service to emulate, one of the supported values. Omit it (or set"silent") for a silent port: it accepts the connection and records traffic without answering.Banner— the greeting sent on connect. When empty, a known protocol uses its default banner; when set, it is sent verbatim (use JSON escapes such as\r\n) and overrides the default.
"TCPPorts": [
{ "Port": 9000 },
{ "Port": 22, "Protocol": "ssh" },
{ "Port": 25, "Protocol": "smtp", "Banner": "220 mail.example.com ESMTP\r\n" }
]
| Entry | Behavior |
|---|---|
{ "Port": 9000 } |
silent — accept and record, send nothing |
{ "Port": 9000, "Banner": "..." } |
send the banner, then record |
{ "Port": 25, "Protocol": "smtp" } |
emulate SMTP with its default banner |
{ "Port": 25, "Protocol": "smtp", "Banner": "..." } |
emulate SMTP with a custom banner |
An unsupported Protocol is reported as an agent-health alert and the port stays silent (a custom Banner is still sent). These options apply to TCP ports only; UDPPorts is always a plain list.
Supported protocols
| Value | Behavior |
|---|---|
silent (or "") |
capture only; show Banner if provided |
smtp, pop3, imap, ftp |
emulate the login exchange and capture attempted credentials |
ssh |
complete an SSH handshake and capture attempted passwords, keyboard-interactive answers and public-key fingerprints |
telnet |
present a login prompt and capture username/password attempts |
redis |
answer RESP commands and capture the AUTH password and abuse commands (CONFIG SET, SLAVEOF, MODULE LOAD, …) |
http |
serve a blank page; capture the request line, path and User-Agent |
http-basic-auth |
answer 401 with a Basic challenge; capture submitted Authorization credentials |
http-login |
serve a fake HTML login form; capture credentials POSTed to it |
postgresql, mysql, mssql |
emulate the database login handshake and capture the attempted username and password |
ldap |
answer BindRequests and capture simple-bind credentials (username and cleartext password) |
vnc |
run the RFB authentication handshake and log the challenge/response pair for offline cracking |
smb |
present an SMB2 server and capture the NetNTLMv2 hash of any account that authenticates (crackable offline; reveals DOMAIN\user) |
rdp |
capture only, no emulation at this time |
Emulated login protocols capture the submitted username and password into the alert message where possible. For smb account's NetNTLMv2 response as a hashcat mode-5600 hash (for example SMB: NetNTLMv2 CORP\administrator administrator::CORP:1122334455667788:…), which identifies the account and can be cracked offline.
The http* protocols are request-driven and ignore Banner.
Sessions and alerting
A session is one connection for TCP, or a flow of datagrams from the same source IP:port for UDP. A session ends when:
- the client closes or resets the connection,
- the client stops sending (UDP, after
UDPIdleSeconds), - the capture size limit is reached (
MaxCaptureBytes), or - the session lifetime is reached (
MaxCaptureSeconds).
By default the agent sends one alert per session, emitted when the session ends. This alert carries the number of bytes received, the session duration, and — if SendPCAP is enabled — the captured packets. Set AlertOnConnect to true to additionally receive an immediate alert the moment a session starts, giving two alerts per session (a connect alert with no payload, and a session-end alert with the pcap).
Scan detection
The agent detects TCP SYN scans (half-open connection attempts) and reports them. Probes from the same source are aggregated into a single Honeypot TCP scan alert listing the ports touched, for example TCP SYN scan / half-open connection attempt to 3 port(s): 22, 23, 443. Established connections are reported through the normal per-session alert.
"Level": 30,
"AlertOnConnect": false,
"SendPCAP": true,
"SaveLocalPCAP": false,
"MaxCaptureBytes": 1048576,
"MaxCaptureSeconds": 120,
"UDPIdleSeconds": 30,
"DetectSYNScan": true,
"ExcludeSrcCIDR": ["192.168.1.10", "192.168.2.0/24"]
Level— severity assigned to honeypot alerts. Must be10(info),20(medium) or30(high); any other value defaults to30.AlertOnConnect— whentrue, send an immediate alert at session start in addition to the session-end alert. Defaultfalse(one alert per session).SendPCAP— attach the captured packets to the alert as a PCAP file (both directions, including the TCP handshake).SaveLocalPCAP— also write the packets to a local PCAP file at/opt/intrudect-honeypot/honeypot_<srcip>_<dstip>_<dstport>_<datetime>.pcap. Whenfalse, a PCAP written only for transmission is removed a couple of minutes after sending.MaxCaptureBytes— maximum payload and PCAP data collected per session, in bytes; the session is ended and reported when reached. Default1048576(1 MB).MaxCaptureSeconds— maximum session lifetime in seconds; the session is cut and reported when reached. Default120.UDPIdleSeconds— for UDP, the amount of silence after which a session is considered finished and reported. Default30.DetectSYNScan— report TCP SYN scans; see Scan detection. Defaulttrue. Set tofalseon internet-facing hosts where such scans are constant background traffic.ExcludeSrcCIDR— array of source ranges that are ignored by the honeypot. Each entry is a CIDR (10.0.0.0/8) or a bare IP; a bare IP is treated as/32for IPv4 or/128for IPv6. Traffic from a matching source is neither alerted on nor captured.