My team at CZ.NIC finally introduces a stable version of HaaS, Honeypot as a Service. Who knows Czech can read it in an official blog post (edit: English version). For non-Czech readers, CZ.NIC is mainly known for the Czech domain registry, but does much more. For example secure router called Turris, which had honeypot included a long time ago. We decided to provide honeypot for anybody, not just Turris owners.

What is a honeypot, exactly? The honeypot is a specialized application simulating an operating system and allows a potential attacker to log in (we support SSH only now) and do any command or download malware. It’s not easy to install such an application for ordinary users, and mostly it’s not very secure. We decided to do it for you. :-)

Unfortunately, still, it’s not super easy to join the project. At least now, you need to install only a tiny proxy. The proxy has to be there to know small but essential details: IP address of potential attackers. Without a proxy, we would know only the IP of our user, which is useless.

The collected data are used by our CSIRT.CZ team to inform owners of infected servers and computers by some botnet about the issue. Currently, the biggest source of the attacks to our users is coming from China, so we share our data with the security team in Taiwan. We plan to share data with other CERT/CSIRT teams as well.

If you want to join the project, you can do that on the page haas.nic.cz. Register a new account and install proxy (available as deb/rpm package, on PyPI or as simple tar). In case of interest in the analysis, we provide data on page with global statistics. Well, except passwords, because we experienced more than one oversight where the user logged into the honeypot…