HaaS: Honeypot as a Service

My team at CZ.NIC finally introduces a stable version of HaaS, Honeypot as a Service. Who knows Czech can read it in an official blog post (edit: English version). For non Czech readers, CZ.NIC is mainly known for Czech domain registry, but does much more. For example secure router called Turris which had honeypot included a long time ago. We decided to provide honeypot for anybody, not just Turris owners.

What is honeypot, exactly? The honeypot is special application simulating operating system and allows potential attacker to log in (we support SSH only now) and do any command or download malware. It's not easy to install such application for ordinary users and mostly it's not very secure. We decided to do it for you. :-)

Unfortunately, still, it's not super easy to join the project. At least now you need to install only very small proxy. The proxy has to be there so we can know small but important detail: IP address of potential attackers. Without proxy we would know only the IP of our user, which is useless.

The collected data are used by our CSIRT.CZ team to inform owners of infected servers and computers by some botnet about the issue. Currently the biggest source of the attacks to our users is coming from China so we share our data with the security team in Taiwan. We plan to share data with other CERT/CSIRT teams as well.

If you want to join the project, you can do that on the page haas.nic.cz. Register new account and install proxy (available as deb/rpm package, on PyPI or as simple tar). In case of interest into analysis, we provide data on page with global statistics. Well, except passwords, because we experienced more than one oversight where the user logged into the honeypot…