Skip to content

ModSecBox Honeypot Setup


As a learning opportunity I decided to set up another honeypot. What's the difference between this one and the previous iteration?

It was a chance to review my notes from last time and I added a WAF component using ModSecurity running OWASP’s Core Rule Set. This is the OG defacto Web Access Firewall (WAF) that many firewalls (and appliances) are based on today.

I also built in on nginx because it is different from Apache HTTP Server which is what I’m very familiar with.

To tie it all together the goal was to set up new dashboards and dive deeper into Splunk which is also the gold standard for visualizing data in an enterprise envirnonment.

There is some overlap with the setup of the previous honeypot. While this walkthrough covers cowrie also, it is a bit more complete.

Stand up nginx

  1. Install nginx
    sudo apt update
    sudo apt install nginx
  2. Configure nginx site-specific config files are kept in /etc/nginx/sites-available and symlinked into /etc/nginx/sites-enabled/
    sudo unlink /etc/nginx/sites-enabled/default
    sudo ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/
  3. Test nginx
    sudo nginx -t
    sudo nginx -s reload
  4. Start/Stop
    sudo service nginx start
    sudo service nginx stop
    sudo service nginx restart

Build ModSecurity

  1. install dependencies
    sudo apt install bison build-essential ca-certificates curl dh-autoreconf doxygen \
      flex gawk git iputils-ping libcurl4-gnutls-dev libexpat1-dev libgeoip-dev liblmdb-dev \
      libpcre3-dev libpcre++-dev libssl-dev libtool libxml2 libxml2-dev libyajl-dev locales \
      pkg-config wget zlib1g-dev libgd-dev git
  2. Clone repo and cd
    cd /opt && sudo git clone
    cd ModSecurity
  3. Initialize and update submodule
    sudo git submodule init
    sudo git submodule update
  4. Compile
    $ ./
    $ ./configure
    $ make
    $ sudo make install

Get ModSecurity-Nginx

cd /opt && sudo git clone --depth 1

Building the ModSecurity Module For Nginx

  1. Enumerate the version of Nginx

    nginx -v
    nginx version: nginx/1.22.0 (Ubuntu)

  2. Download the exact version of Nginx running on your system into the /opt directory

    cd /opt && sudo wget

  3. Extract the tarball

    tar -zxvf nginx-1.22.0.tar.gz

  4. Change to new directory

    cd nginx-1.22.0

  5. Display the configure arguments used for your version of Nginx

    nginx -V
    nginx version: nginx/1.22.0 (Ubuntu)
    built with OpenSSL 3.0.5 5 Jul 2022
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-NEw8AJ/nginx-1.22.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --add-dynamic-module=/build/nginx-NEw8AJ/nginx-1.22.0/debian/modules/http-geoip2 --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module

  6. The next step is to compile in Modsecurity module (apparently this is how it's done?). You are supposed to copy all of the arguments following configure arguments: from your output of the above command and paste them in place of in the following command. However it didn’t like the geoip2 module that came with it, so I compiled in a new one. Here is the configure command I used (includes modsec and geoip2):

    ./configure --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../ngx_http_geoip2_module --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-NEw8AJ/nginx-1.22.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module

  7. Build the modules with the following command:

    sudo make modules

  8. Create a directory for the Modsecurity module in your system's Nginx configuration folder:
    sudo mkdir /etc/nginx/modules
  9. Copy the compiled Modsecurity module into your Nginx configuration folder:
    sudo cp objs/ objs/ /etc/nginx/modules
  10. Test config

    nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

  11. Edit /etc/nginx/ngix.conf and insert:

    load_module /etc/nginx/modules/;

Set up CRS

  1. Clone repo
    sudo git clone /usr/local/modsecurity-crs
  2. Rename the crs-setup.conf.example to crs-setup.conf:
    sudo mv /usr/local/modsecurity-crs/crs-setup.conf.example /usr/local/modsecurity-crs/crs-setup.conf
  3. Rename the default request exclusion rule file:
    sudo mv /usr/local/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/local/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

Configure Modsecurity

  1. Create ModSecurity directory
    sudo mkdir -p /etc/nginx/modsec
  2. Copy over the unicode mapping file and the ModSecurity configuration file from your cloned ModSecurity GitHub repository:
    sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec
    sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
  3. Edit /etc/nginx/modsec/modsecurity.conf and change the value for SecRuleEngine to On
  4. Create main.conf in /etc/nginx/modsec with the following lines
    Include /etc/nginx/modsec/modsecurity.conf
    Include /usr/local/modsecurity-crs/crs-setup.conf
    Include /usr/local/modsecurity-crs/rules/*.conf

Configure nginx

  1. Edit /etc/nginx/sites-available/default to add:
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

Set up Splunk

  1. Get Splunk (Free trial is good enough)
    wget -O splunk- ""
  2. Install Splunk
    cd /opt
    tar -zxvf splunk-7.2...
    cd /opt/splunk/bin/
  3. Secure Splunk
  4. Set SPLUNK_BINDIP= in $splunk_home/etc/splunk-launch.conf so it will only bind to localhost.
  5. Connect via SSH port forwarding and open Splunk in a browser by going to
    ssh -L 8000: root@serverIP
  6. Start Splunk
    cd /opt && ./splunk start
  7. Create collector
  8. Settings -> Add Data -> Monitor -> Files and Directories
    Input Type      Directory Monitor
    Source Path     /var/log/nginx
    Includelist     N/A
    Excludelist     N/A
    Source Type     Automatic
    App Context     search
    Host            modsecbox
    Index           default
  9. Create new index
  10. Settings -> Data -> Indexes
  11. Confirm index is working
  12. New search with index=* will show that your index is being collected

Installing cowrie

See Cowrie Honeypot Setup.