Preparation

A server with at least 1 CPU core and 2 GB of RAM
Server OS: Ubuntu 14.04/16.04/12.02 or CentOS 6.9. The steps below were performed on Ubuntu 16.04 LTS Server.
If the server is located in mainland China, make sure to connect through a proxy, or switch the package source to the Tencent Cloud mirror or to the addresses below:

deb http://us-east-2.ec2.archive.ubuntu.com/ubuntu/ xenial main restricted
deb http://us-east-2.ec2.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
deb http://us-east-2.ec2.archive.ubuntu.com/ubuntu/ xenial universe
deb http://us-east-2.ec2.archive.ubuntu.com/ubuntu/ xenial-updates universe
deb http://us-east-2.ec2.archive.ubuntu.com/ubuntu/ xenial multiverse
deb http://us-east-2.ec2.archive.ubuntu.com/ubuntu/ xenial-updates multiverse

Deployment

cd /opt/
sudo git clone https://github.com/threatstream/mhn.git
cd mhn/
sudo ./install.sh

If cloning from GitHub is slow, you can use the domestic mirror repository https://git.code.tencent.com/MengXin/mhn.git
Keep the network connection stable throughout; make sure your current network can reach the sources above and GitHub, so that failed package downloads do not force a second install. If the installation goes smoothly you will reach the configuration step in about 3 minutes.

Configuring the management backend

1. Do not run in debug mode
2. Enter the email address for the admin account; it does not have to be your real one
3. Set your backend password
4. Repeat the password
5. Address of the management backend; if port 80 is open on your server you can press Space to move straight to the next item
6. Address of the attack map; open port 3000 on your server, or set a different port yourself
7. Mail settings: press Space to skip
8. Answer n to both TLS and SSL
9. Do not install Splunk or ELK
After the installation completes (once the settings above are done), run supervisorctl status to check the service state.
Most likely mhn-celery-worker will have failed to start. Run chmod 777 -R /var/log/mhn/mhn.log and then restart the services with supervisorctl restart all. When everything is correct, all services are in the RUNNING state, and visiting the server IP takes you to the management backend.

About errors

Apart from honeymap, any service that failed to start can be retried with supervisorctl start <service name>.
When honeymap fails to start it is most likely a network problem; switch to a better proxy and re-run install.sh. A manual-fix guide is given here, but when I tried to install Go I was still blocked or got errors.
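An added example, not from the original post or the MHN project, that automates the supervisorctl status check described above: it reports services that are not RUNNING or are missing from the listing, using a constructed sample modelled on the status output shown in the README below.

```shell
# Added example; not from the original post or the MHN project. Checks
# `supervisorctl status` output for MHN services that are not RUNNING, which is
# the manual post-install check the post describes.

# Services MHN registers with supervisor, taken from the status listing in the README.
MHN_SERVICES="geoloc honeymap hpfeeds-broker mhn-celery-beat mhn-celery-worker mhn-collector mhn-uwsgi mnemosyne"

# Read `supervisorctl status` lines on stdin; print the name of every service
# whose state column (second field) is not RUNNING, e.g. FATAL, STOPPED, BACKOFF.
failed_services() {
    awk 'NF >= 2 && $2 != "RUNNING" { print $1 }'
}

# Print every expected MHN service that does not appear in the status output at all.
missing_services() {
    local output="$1" svc
    for svc in $MHN_SERVICES; do
        printf '%s\n' "$output" | grep -q "^${svc}[[:space:]]" || printf '%s\n' "$svc"
    done
}

# Return 0 when every expected service is present and RUNNING, 1 otherwise.
# A hint is printed per failed service so the operator can read the process log
# (`supervisorctl tail <name> stderr`) before restarting anything.
check_mhn_services() {
    local output="$1" failed missing svc rc=0
    failed=$(printf '%s\n' "$output" | failed_services)
    missing=$(missing_services "$output")
    for svc in $failed; do
        echo "NOT RUNNING: $svc  (inspect: supervisorctl tail $svc stderr)"
        rc=1
    done
    for svc in $missing; do
        echo "MISSING:     $svc  (not registered with supervisor)"
        rc=1
    done
    return $rc
}

# Constructed sample output modelled on the README listing: one failed service
# (the one the post says usually fails), and mnemosyne absent altogether.
SAMPLE_STATUS='geoloc                           RUNNING    pid 31443, uptime 0:00:12
honeymap                         RUNNING    pid 30826, uptime 0:08:54
hpfeeds-broker                   RUNNING    pid 10089, uptime 0:36:42
mhn-celery-beat                  RUNNING    pid 29909, uptime 0:18:41
mhn-celery-worker                FATAL      Exited too quickly (process log may have details)
mhn-collector                    RUNNING    pid 7872,  uptime 0:18:41
mhn-uwsgi                        RUNNING    pid 29911, uptime 0:18:41'

# On a live server: check_mhn_services "$(sudo supervisorctl status)"
```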

Original configuration (upstream README)

Installation

  • The MHN server is supported on Ubuntu 18.04, Ubuntu 16.04, and Centos 6.9.
  • Other versions of Linux may work but are generally not tested or supported.

Note: if you run into trouble during the install, please check out the troubleshooting guide on the wiki. If you only want to experiment with MHN on some virtual machines, please check out the Getting up and Running with Vagrant guide on the wiki.

Install Git

# on Debian or Ubuntu
$ sudo apt install git -y

Install MHN

$ cd /opt/
$ sudo git clone https://github.com/pwnlandia/mhn.git
$ cd mhn/

Run the following script to complete the installation. While this script runs,
you will be prompted for some configuration options. See below for how this
looks.

$ sudo ./install.sh

Configuration

===========================================================
MHN Configuration
===========================================================
Do you wish to run in Debug mode?: y/n n
Superuser email: YOUR_EMAIL@YOURSITE.COM
Superuser password: 
Server base url ["http://1.2.3.4"]: 
Honeymap url ["http://1.2.3.4:3000"]:
Mail server address ["localhost"]: 
Mail server port [25]: 
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]: 
Mail server password [""]: 
Mail default sender [""]: 
Path for log file ["mhn.log"]: 

Running

If the installation scripts ran successfully, you should have a number of
services running on your MHN server. See below for checking these.

user@precise64:/opt/mhn/scripts$ sudo /etc/init.d/nginx status
 * nginx is running
user@precise64:/opt/mhn/scripts$ sudo /etc/init.d/supervisor status
 is running
user@precise64:/opt/mhn/scripts$ sudo supervisorctl status
geoloc                           RUNNING    pid 31443, uptime 0:00:12
honeymap                         RUNNING    pid 30826, uptime 0:08:54
hpfeeds-broker                   RUNNING    pid 10089, uptime 0:36:42
mhn-celery-beat                  RUNNING    pid 29909, uptime 0:18:41
mhn-celery-worker                RUNNING    pid 29910, uptime 0:18:41
mhn-collector                    RUNNING    pid 7872,  uptime 0:18:41
mhn-uwsgi                        RUNNING    pid 29911, uptime 0:18:41
mnemosyne                        RUNNING    pid 28173, uptime 0:30:08

Running MHN Behind a Proxy

For directions on running MHN behind a web proxy, follow the directions in the
wiki.

Running MHN Over HTTPS

By default MHN runs without HTTPS; directions for configuring your installation to use SSL
certificates can be found in the wiki.

Running MHN with Docker

Running MHN in docker is not officially supported, but it works.
The container takes a few minutes to start at the first launch to initialize.
Splunk, ArcSight and ELK are not yet supported in Docker.

Build it

$ docker build -t mhn .

Run it

$ docker run -d -p 10000:10000 -p 80:80 -p 3000:3000 -p 8089:8089 \
    --restart unless-stopped \
    --name mhn \
    -e SUPERUSER_EMAIL=root@localhost \
    -e SUPERUSER_PASSWORD=password \
    -e SERVER_BASE_URL="http://mhn" \
    -e HONEYMAP_URL="http://mhn:3000" \
    mhn

Environment variables

SUPERUSER_EMAIL
SUPERUSER_PASSWORD
SERVER_BASE_URL
HONEYMAP_URL
DEBUG_MODE
SMTP_HOST
SMTP_PORT
SMTP_TLS
SMTP_SSL
SMTP_USERNAME
SMTP_PASSWORD
SMTP_SENDER
MHN_LOG

Deploying honeypots with MHN

MHN was designed to make scalable deployment of honeypots easier. Here are the
steps for deploying a honeypot with MHN:

  1. Login to your MHN server web app.
  2. Click the “Deploy” link in the upper left hand corner.
  3. Select a type of honeypot from the drop down menu (e.g. “Ubuntu Dionaea”).
  4. Copy the deployment command.
  5. Login to a honeypot server and run this command as root.

If the deploy script successfully completes you should see the new sensor listed
under your deployed sensor list. For a full list of supported sensors, check the list here: List of Supported Sensors

Integration with Splunk and ArcSight

hpfeeds-logger can be used to integrate MHN with Splunk and ArcSight.

Splunk

cd /opt/mhn/scripts/
sudo ./install_hpfeeds-logger-splunk.sh

This will log the events as key/value pairs to /var/log/mhn-splunk.log. This
log should be monitored by the SplunkUniversalForwarder.

Arcsight

cd /opt/mhn/scripts/
sudo ./install_hpfeeds-logger-arcsight.sh

This will log the events as CEF to /var/log/mhn-arcsight.log.


A curious person