You can use the cloud honeypot feature to deploy honeypots (decoys) in your virtual private clouds (VPCs) and on your servers to detect attacks on your servers that are initiated from inside or outside the cloud. You can use honeypots to trace attacks and use the tracing information to defend against attackers. The cloud honeypot feature improves your awareness of attacks and helps prevent them. This topic describes how to configure a honeypot.

Prerequisites

  • The cloud honeypot feature is enabled. For more information, see Purchase the cloud honeypot feature.
  • If you want to deploy a honeypot on a server in a data center that does not have a public IP address, you must build a proxy server in the data center and configure the proxy IP address for the server when you create a probe in the Security Center console. This way, the honeypot is deployed on the server in proxy mode. To build the proxy server, perform the following steps:
    1. Prepare at least one server that you can use as a proxy server. Make sure that GNU Compiler Collection (GCC) and zlib-devel are installed on the server.
    2. Download a version of NGINX that supports the stream module, which provides Layer 4 reverse proxying. The stream module is available in NGINX 1.9.0 and later, which is the version used in the following commands.
      Note: Honeypot traffic uses HTTPS connections. To deploy a honeypot in proxy mode, you must build a Layer 4 (TCP) proxy that forwards these HTTPS connections to the management node without terminating them. After you download NGINX, add the --with-stream parameter when you configure, compile, and install it:
      tar -xvf nginx-1.9.0.tar.gz
      cd nginx-1.9.0
      ./configure --without-http_rewrite_module --with-stream
      make
      make install
      
    3. In the /usr/local/nginx/conf/ directory of the NGINX application, modify the nginx.conf configuration file.
      #user nobody;
      worker_processes auto;
      
      #error_log logs/error.log notice;
      error_log logs/error.log info;
      pid logs/nginx.pid;
      
      events {
          use epoll;
          worker_connections 60000;
      }
      
      stream {
          server {
              listen 1337;
              proxy_timeout 10m;
              proxy_connect_timeout 60s;
              proxy_pass proxy1337;
          }
          upstream proxy1337 {
              # Replace <management-node-IP> with the IP address of the management node for the honeypot. You can view the IP address in the IP Address of Management Node column of the Management Node tab. To go to the tab, choose Risk Management > Cloud Honeypot > Configuration Management in the left-side navigation pane of the Security Center console.
              server <management-node-IP>:1337;
          }
      
          server {
              listen 1338;
              proxy_timeout 10m;
              proxy_connect_timeout 60s;
              proxy_pass proxy1338;
          }
          upstream proxy1338 {
              # Use the same management node IP address as in the proxy1337 upstream.
              server <management-node-IP>:1338;
          }
      }
    4. After you modify the configuration file, run the following command to start NGINX:
      /usr/local/nginx/sbin/nginx
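As an added example that is not part of this documentation, the following POSIX shell script renders the stream-proxy nginx.conf described above from the management node IP address, rejects an unreplaced placeholder or malformed address before anything is written, syntax-checks the result with nginx -t, and starts or reloads NGINX. It assumes NGINX was compiled with --with-stream and installed under /usr/local/nginx (override with NGINX_PREFIX).

```shell
# Added example, not from the Alibaba Cloud documentation: render the stream-proxy
# nginx.conf from the management node IP address, syntax-check it and (re)load NGINX.
# Assumption: NGINX was built with --with-stream and installed under /usr/local/nginx.
set -eu
NGINX_PREFIX="${NGINX_PREFIX:-/usr/local/nginx}"

# Accept only a dotted-quad IPv4 address, so an unreplaced placeholder is rejected.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# One listener/upstream pair: local port $2 forwarded to management node $1, same port.
stream_pair() {
  cat <<EOF
    server {
        listen $2;
        proxy_timeout 10m;
        proxy_connect_timeout 60s;
        proxy_pass proxy$2;
    }
    upstream proxy$2 { server $1:$2; }
EOF
}

# Render the full nginx.conf; fails instead of emitting a config with a bad address.
render_conf() {
  valid_ipv4 "$1" || { echo "invalid management node IP address: $1" >&2; return 1; }
  cat <<EOF
worker_processes auto;
error_log logs/error.log info;
pid logs/nginx.pid;
events { use epoll; worker_connections 60000; }
stream {
$(stream_pair "$1" 1337)
$(stream_pair "$1" 1338)
}
EOF
}

# Write the file, syntax-check it, then reload a running NGINX or start a new one.
install_conf() {
  render_conf "$1" > "$NGINX_PREFIX/conf/nginx.conf"
  "$NGINX_PREFIX/sbin/nginx" -t
  if [ -f "$NGINX_PREFIX/logs/nginx.pid" ]; then "$NGINX_PREFIX/sbin/nginx" -s reload
  else "$NGINX_PREFIX/sbin/nginx"; fi
}
```

Run it on the proxy server as `install_conf <management-node-IP>`; because nginx -t runs before the reload, a typo in the address or a missing stream module stops the script instead of leaving a broken proxy.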
      

Step 1: Create a management node

A management node is the core component that delivers deception-based protection. You configure honeypots on a management node and use probes to forward traffic to the honeypots.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Cloud Honeypot > Configuration Management.
  2. On the Management Node tab of the Config Manage page, click Create Management Node. In the panel that appears, configure the following parameters and click OK.
    Management Node Name: Specify a name for the management node.
    Assigned Probes: Specify the number of probes that you want to allocate to the management node. Valid values: 20 to 100. If you specify a value greater than 100, the system automatically sets this parameter to 100. We recommend that you install two to three host probes for each CIDR block and one VPC probe for each VPC.
    Note: A probe is used for traffic redirection. Cloud honeypot supports host probes and VPC probes. Host probes are installed on hosts and forward port traffic to honeypots. VPC probes are installed in VPCs and forward traffic that is destined for non-existent internal IP addresses to honeypots.
    CIDR Block Allowed: Specify the egress CIDR blocks of host probes that are allowed to access the management node. The default value is 0.0.0.0/0. You can specify up to 100 CIDR blocks. To provide deception-based protection, a probe must communicate with the management node, so make sure that the egress IP addresses of the probe fall within the specified CIDR blocks.
    Allow Honeypot Access Internet: Specify whether the management node allows honeypots to access the Internet.
    Notice: If you turn on the switch, security risks may occur, because attackers who intrude into the honeypot can launch further attacks from it. If you turn off the switch, only attack detection is supported, which is suitable for internal networks.
    You can view the management node that you created in the management node list. The Management Node Status of the newly created management node is Preparing. The node stays in this state for approximately 5 minutes.

Step 2: (Optional) Create a honeypot template

Honeypot templates allow you to configure custom attributes based on honeypot types. You can use honeypot templates to create honeypots that suit various business scenarios and better simulate real-world applications. Custom attributes include the titles of websites, the background image of an office automation (OA) system, and the data of web pages. Create a honeypot template based on your business requirements.

  1. On the left side of the Honeypot Template tab of the Config Manage page, select a honeypot type and click Create Template.
  2. In the Create Template panel, configure the following parameters and click OK.
    Template Name: Specify a name for the honeypot template.
    Management Node: Specify the management node on which you want to deploy the honeypot. In this example, select the management node that you created in Step 1.
    Note: The parameters in the Create Template panel vary based on the honeypot type. If you have more requirements, submit a ticket to contact Alibaba Cloud technical support.

Step 3: Create a honeypot

A honeypot is the basic unit for delivering deception-based protection capabilities. The system provides various built-in honeypot images. You can create honeypots based on the honeypot images.

  1. On the Honeypot Management tab of the Config Manage page, click Create Honeypot.
  2. In the Create Honeypot panel, configure the following parameters and click OK.
    Name: Specify a name for the honeypot.
    Management Node: Specify the management node on which you want to deploy the honeypot. In this example, select the management node that you created in Step 1.
    Honeypot Type: Specify the type of the honeypot. Valid values:
    • Web
    • Advanced
    • Special Defect
    • System service
    • Database
    Honeypot Custom Configurations: Specify the custom attributes of the honeypot. The available attributes depend on the honeypot type and include the titles of websites, the background image of an OA system, and the data of web pages. Custom attributes let you create honeypots that suit various business scenarios and better simulate real-world applications.

    You can also create a honeypot template on the Honeypot Template tab in advance and click Import Template for Configuration to import the custom attributes from the template.

    For more information about how to configure custom attributes and honeypot templates, submit a ticket to contact Alibaba Cloud technical support.

Step 4: Create a probe

A probe is a tool that redirects traffic: it forwards unusual traffic from hosts and networks to a honeypot. VPC probes and host probes are supported.

  1. On the Probe Management tab of the Config Manage page, click Add Probe. Then, click Host Probe or VPC Probe.
  2. In the Add Host Probe or Add VPC Probe panel, configure the parameters and click OK.
    • The following parameters are available in the Add Host Probe panel.
      Probe Name: Specify a name for the probe.
      Management Node: Specify the management node that hosts the honeypots to which the probe forwards traffic. In this example, select the management node that you created in Step 1.
      Proxy IP Address: If the honeypot is deployed on a server in a data center by using a proxy server, enter the IP address of the proxy server. Otherwise, leave this parameter empty.
      Host for Probe Deployment: Specify the server on which you want to deploy the probe.
      Configure Service: Specify the name and listener port of the honeypot to which the probe forwards traffic.
    • The following parameters are available in the Add VPC Probe panel.
      Notice: You can create honeypots only in VPCs, not in other types of networks. You can create only one honeypot in a VPC. You can deploy VPC probes only in supported regions. For more information, see Limits.
      Probe Name: Specify a name for the probe.
      Management Node: Specify the management node that hosts the honeypots to which the probe forwards traffic. In this example, select the management node that you created in Step 1.
      Deployed VPC: Specify the VPC in which you want to deploy the probe.
      Configure Service: Specify the name and listener port of the honeypot to which the probe forwards traffic.

What to do next

After you configure the honeypot, it diverts attacks away from your real assets: attackers attack the decoy application in the honeypot, and the honeypot records information about the attacks and generates alerts. You can view and handle the alerts to enhance the security of your servers and VPCs. For more information, see View and handle alerts.