The cloud honeypot feature deploys honeypots (decoys) in your virtual private clouds (VPCs) and servers to detect attacks originating inside and outside the cloud. When attackers interact with a honeypot instead of a real asset, Security Center records their activity and generates alerts you can act on.
This topic walks you through the four-step setup: creating a management node, optionally creating a honeypot template, creating a honeypot, and deploying a probe.
Prerequisites
Before you begin, ensure that you have:
Enabled the cloud honeypot feature. For more information, see Purchase the cloud honeypot feature.
(For data center servers without a public IP address) A proxy server configured in your data center. See Build a proxy server in a data center below.
Build a proxy server in a data center
Skip this section if your servers have public IP addresses.
Honeypots communicate over HTTPS, so the proxy must relay the encrypted TCP stream at Layer 4 rather than terminate HTTP at Layer 7 (a Layer 7 proxy will not work). NGINX 1.9.0 provides this through its stream module, enabled with the --with-stream parameter at compile time.
Requirements: GNU Compiler Collection (GCC) and zlib-devel must be installed on the proxy server.
Step 1: Download and compile NGINX
Compile and install NGINX with stream module support:
```bash
tar -xvf nginx-1.9.0.tar.gz
cd nginx-1.9.0
./configure --without-http_rewrite_module --with-stream
make
make install
```
Step 2: Update the NGINX configuration
Edit /usr/local/nginx/conf/nginx.conf and replace the contents with the following. Substitute <management-node-ip> with the IP address shown in the IP address of management node column on the Management Node tab (navigate to Risk Governance > Cloud Honeypot > Configuration Management in the Security Center console).
```nginx
#user nobody;
worker_processes auto;

error_log logs/error.log;
#error_log logs/error.log notice;
error_log logs/error.log info;

pid logs/nginx.pid;

events {
    use epoll;
    worker_connections 60000;
}

stream {
    server {
        listen 1337;
        proxy_timeout 10m;
        proxy_connect_timeout 60s;
        proxy_pass proxy1337;
    }
    upstream proxy1337 {
        server <management-node-ip>:1337;
    }
    server {
        listen 1338;
        proxy_timeout 10m;
        proxy_connect_timeout 60s;
        proxy_pass proxy1338;
    }
    upstream proxy1338 {
        server <management-node-ip>:1338;
    }
}
```
Step 3: Start NGINX
```bash
/usr/local/nginx/sbin/nginx
```
How it works
The setup involves three components working together:
Management node — the central controller. Honeypots run on management nodes, and probes forward captured traffic to them.
Honeypot — the decoy application (web server, database, etc.) that lures attackers.
Probe — the traffic redirector deployed on a host or VPC. A host probe intercepts traffic on specified ports. A VPC probe intercepts traffic destined for non-existent internal IP addresses and transparently routes it to a honeypot.
Deploy in this order: management node → honeypot (and optionally a template) → probe.
Make sure the host server running a newly added host probe can reach its associated management node before proceeding.
Step 1: Create a management node
Log on to the Security Center console. In the top navigation bar, select the region of the asset: China or Outside China.
In the left-side navigation pane, choose Risk Governance > Cloud Honeypot > Configuration Management.
On the Management Node tab, click Create Management Node.
In the panel that appears, configure the following parameters and click OK.
| Parameter | Description | Example |
|---|---|---|
| Management node name | A name for the management node. | honeypot-node-prod |
| Assigned probes | The number of probes to allocate. Valid values: 20–100. Values above 100 are automatically capped at 100. For coverage, deploy 2–3 host probes per CIDR block and one VPC probe per VPC. | 30 |
| CIDR block allowed | The egress CIDR block(s) from which host probes can connect to this management node. Accepts up to 100 CIDR blocks. The probe's egress IP addresses must fall within these ranges. | 10.0.0.0/8 |
| Allow honeypot access internet | Whether honeypots in this management node can access the internet. Turn this off for internal network deployments — it limits the node to attack detection only and reduces the risk of an attacker pivoting out of the honeypot. | Off |
After creation, the management node status shows Preparing for approximately 5 minutes, then changes to Normal. Wait for Normal before continuing.
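As an added pre-flight check (example code, not part of Security Center or this guide), the script below verifies the two conditions this step and the How it works section place on a host probe before it is added: the probe host's egress IP must fall inside one of the node's allowed CIDR blocks (at most 100 of them), and the host must be able to open TCP connections to its management node, or to the data center proxy when one is used, on the 1337/1338 ports the NGINX configuration above relays. The management node and egress IP addresses are constructed sample values.

```python
# Added pre-flight check for a new host probe (example, not Security Center tooling).
import ipaddress
import socket

MGMT_PORTS = (1337, 1338)   # the two ports the Layer 4 proxy config above relays
MAX_CIDR_BLOCKS = 100       # console limit for the "CIDR block allowed" parameter


def parse_allowed_cidrs(cidrs):
    """Validate the allowed-CIDR list the way the console constrains it."""
    if not 0 < len(cidrs) <= MAX_CIDR_BLOCKS:
        raise ValueError(f"expected 1..{MAX_CIDR_BLOCKS} CIDR blocks, got {len(cidrs)}")
    # strict=False tolerates host bits set in a block, e.g. 10.1.2.3/8 -> 10.0.0.0/8
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def egress_allowed(egress_ip, cidrs):
    """True if the probe host's egress IP is covered by at least one allowed block."""
    ip = ipaddress.ip_address(egress_ip)
    return any(ip in net for net in parse_allowed_cidrs(cidrs))


def reachable(target_ip, ports=MGMT_PORTS, timeout=3.0):
    """Plain TCP connect to each relayed port; returns {port: reachable?}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((target_ip, port), timeout=timeout):
                results[port] = True
        except OSError:          # refused, timed out, unroutable, or bad address
            results[port] = False
    return results


def preflight(egress_ip, allowed_cidrs, mgmt_node_ip, proxy_ip=None):
    """Both checks; a probe behind a data center proxy connects to the proxy instead."""
    target = proxy_ip or mgmt_node_ip
    return {
        "egress_in_allowed_cidr": egress_allowed(egress_ip, allowed_cidrs),
        "target": target,
        "ports": reachable(target),
    }


if __name__ == "__main__":
    # Constructed sample values: the node allows 10.0.0.0/8, the probe host egresses
    # from 10.20.30.40 and sits behind the 192.168.1.10 proxy from the table above.
    MGMT_NODE_IP = "203.0.113.10"  # placeholder; use the console's management node IP
    print(preflight("10.20.30.40", ["10.0.0.0/8"], MGMT_NODE_IP, proxy_ip="192.168.1.10"))
```

Run it on the host that will carry the probe; a False port result from the proxy path usually means the stream listener on the proxy is not running or a firewall sits between the host and port 1337/1338.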
Step 2: (Optional) Create a honeypot template
Honeypot templates let you pre-configure custom attributes — such as website titles, office automation (OA) background images, and web page data — so honeypots better simulate your real applications. Create a template when you want to reuse the same custom configuration across multiple honeypots.
On the Honeypot Template tab of the Configuration Management page, select a honeypot type on the left and click Create Template.
In the Create Template panel, configure the parameters and click OK.
| Parameter | Description | Example |
|---|---|---|
| Template name | A name for the template. | web-app-decoy-template |
| Management node | The management node to deploy the honeypot on. Select the node created in Step 1. | honeypot-node-prod |
Available parameters vary by honeypot type. For additional customization options, submit a ticket to contact technical support.
Step 3: Create a honeypot
A honeypot is the individual decoy instance. The system provides built-in honeypot images for each supported type.
On the Honeypot Management tab of the Configuration Management page, click Create Honeypot.
In the Create Honeypot panel, configure the following parameters and click OK.
| Parameter | Description | Example |
|---|---|---|
| Name | A name for the honeypot. | web-honeypot-01 |
| Management node | The management node to deploy the honeypot on. Select the node created in Step 1. | honeypot-node-prod |
| Honeypot type | The type of decoy application. Options: Web, Advanced, Special Defect, System Service, Database. | Web |
| Honeypot custom configurations | Select this checkbox to configure custom attributes based on the honeypot type. To reuse a template, click Import Template for Configuration and select the template created in Step 2. For details on custom honeypots and templates, submit a ticket to contact technical support. | — |
Step 4: Create a probe
A probe redirects unusual traffic from hosts or networks to a honeypot. Two probe types are available:
Host probe — installs a client on the host and forwards traffic on specified ports to the honeypot cluster.
VPC probe — when an IP address (IP_A) in the VPC tries to reach a non-existent internal IP address (IP_B), the VPC probe intercepts the traffic and transparently routes IP_A to the honeypot (IP_C).
VPC probes can only be deployed in VPCs (not other network types), and each VPC supports only one VPC probe. Check the Limits page for supported regions before creating a VPC probe.
On the Probe Management tab of the Configuration Management page, click Add Probe, then click Host Probe or VPC Probe.
Configure the parameters for your probe type and click OK.
Host probe parameters
| Parameter | Description | Example |
|---|---|---|
| Probe name | A name for the probe. | host-probe-web-01 |
| Management node | The management node to associate with this probe. Select the node created in Step 1. | honeypot-node-prod |
| Proxy IP address | The IP address of the proxy server. Required only if deploying via a data center proxy server. Leave blank otherwise. | 192.168.1.10 |
| Host for probe deployment | The server on which to deploy the probe. | — |
| Configure service | The honeypot name and listener port. The listener port is a port on the host (such as an ECS instance) that the probe uses to redirect traffic to the honeypot. Reserve this port exclusively for the probe — no other services should use it. | Port 8080 → honeypot web-honeypot-01 |
VPC probe parameters
| Parameter | Description | Example |
|---|---|---|
| Probe name | A name for the probe. | vpc-probe-prod-01 |
| Management node | The management node to associate with this probe. Select the node created in Step 1. | honeypot-node-prod |
| Deployed VPC | The VPC in which to deploy the probe. | — |
| Configure service | The honeypot name and listener port for traffic forwarding. | — |
What's next
After the probe is deployed, the honeypot diverts attacks away from your real servers. Attackers interact with the decoy, and Security Center records their activity and generates alerts.
To review and respond to these alerts, see View and handle alert events.