Web honeypots > tomcat-manager-honeypot

= Tomcat manager honeypot

== Introduction

Honeypot that mimics Tomcat manager endpoints, but when called it logs requests and saves attacker's WAR file for later study. + This is a standalone (runnable jar) application, so you will not going to need any webcontainer to run it. + Created in Java using Spring Boot.

== Compilation

You can compile using Maven:

[source,bash] mvn clean install

== Usage

Default properties are defined under src/main/resources/default_configuration.properties file, but you can override any properties by creating a file in /etc/tomcat-manager-honeypot/configuration.properties. Alternatively this location can be changed by appending -DCONFIG_LOCATION=/some/path/config.properties flag when starting the application. + The most important property to override is honeypot.save.directory=/tmp, that changes where the uploaded (WAR) files are saved. By default they are saved to /tmp directory.

By default log files are generated in currentDirectory/tomcat-manager-honeypot/general.log but you can override this by supplying -DLOG_LOCATION=/var/log/tomcat-manager-honeypot when starting the application. + By default logs are not shown on the console, but you can turn them on, by running the application with dev profile. You can do this, by appending -Dspring.profiles.active=dev

Running the application can be done via Java:

[source,bash] java -jar [Optional flags] application.jar

This will block the terminal, if you want to run as daemon, run with & at the end, you can also disown the application, so if you close the session, it will still run:

[source,bash] java -jar [Optional -D flags] tomcat-manager-honeypot-{version}.jar & disown -a

For security reasons, it is usually the best to run it as a separate user

[source,bash] sudo useradd -m telnetsnake sudo passwd telnetsnake # enter some super secret password

Also for security reasons don't run the the honeypot at an admin port, so you will need to create a redirect from HTTP/HTTPS port:

[source,bash] iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8081

== Testing

Endpoints are separated to two major category, REST and HTML endpoint. + Basic authentication is required for all endpoints (except static resources), by default userName=tomcat and password=tomcat is used (can be overridden via properties file).

REST Endpoints are those listen on the Tomcat page: https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Deploy_a_Directory_or_WAR_by_URL These can be accessed via GET and POST calls, you can call this via a rest caller (like Postman).

HTML endpoint root is /manager/html, you can go visit it via a regular browser: http://localhost:8081/manager/html

== Troubleshooting

Check the log files (see above section about the location). If you cannot see log file, you can force logging to console by appending -Dspring.profiles.active=dev to application when starting.

On compilation failure check Java version (should be at least 8) and check Maven version (+3.5.0 should be able to compile it).

If you are not able to find the problem, please create a GitHub issue with as many details, as you can add.

== Integration with other programs

On Linux integration with the following tools are recommended:

=== Fail2Ban

Fail2ban can be used to automatically add IPs to your firewall to stop user, who once used the service. + Under environment/fail2ban folder I have defined a filter to ban user for an hour, who have uploaded a war file. + Append the content of jail.conf at the end of you fail2ban's jail.conf. + Don't forget to change the log location in the rule, if you have changed that.

=== Nginx

You can use an Nginx frontcontroller, so only /manager/* URLs get routed to this honeypot, while the rest can be routed to a real service. This would also allow this honeypot to be usable via HTTP, HTTPS.

You can apply this to you nginx.conf server to proxy manager traffic to this honeypot:

[source] location /manager { proxy_pass http://localhost:8081; proxy_http_version 1.1; }