Here you can find the necessary docs and guides to set up and get started with virtual Kilpi honeypots.
The Kilpi Virtual Honeypot is available as both physical and virtual instances. This document describes how to set up a Kilpi virtual honeypot on ESXi.
You need to have an active Kilpi account and subscription to be able to create new honeypots.
The honeypot currently works only with DHCP. If your deployment requires a static IP, contact support@kilpi.tech.
It requires that DHCP provides a DNS server, and it will use that DNS server.
For the honeypot to be effective, it needs to be reachable. The recommendation is to allow any connection to it, but this is at the customer's discretion. There is little benefit from allowing totally unrelated networks to access it unless there are other accessible services nearby, which let the honeypot hide among the legitimate services.
It does not generally need the ability to initiate connections outwards inside the network.
The exception is profiles where the goal is that the honeypot announces itself to the network so that it is visible to other clients, for example Windows File Sharing. Also, if the honeypot is connected to common services such as Active Directory, it requires the relevant access.
The honeypot requires internet connectivity, and it needs to be able to reach d1.kilpi.tech / 51.158.163.5 over TCP 443 and UDP 4242.
Temporary NTP to ANY
Currently the honeypots use the Ubuntu NTP pool, so they require outgoing NTP (UDP 123) to any destination.
This will be fixed in the next release, and from then on UDP 123 will need to be allowed to:
time.mikes.fi / 194.100.49.139
sth4.ntp.se / 194.58.207.148
The honeypot does not require any inbound access from the internet, and the recommendation is that it should not be accessible from the outside internet.
These instructions are for VMware products. The steps and screenshots are for VMware ESXi 6.5, but the workflow should be similar for other VMware products.
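The network requirements above can be checked against a firewall policy before deployment. The following Python sketch is an added example, not Kilpi's own tooling; the rule format, the sample policies and the honeypot address 10.20.30.40 are constructed for illustration.

```python
import ipaddress

# Egress the page requires in the current release: (proto, destination, port).
REQUIRED_EGRESS = [
    ("tcp", "51.158.163.5/32", 443),   # d1.kilpi.tech
    ("udp", "51.158.163.5/32", 4242),  # d1.kilpi.tech
    ("udp", "0.0.0.0/0", 123),         # Ubuntu NTP pool, so any destination
]

def decide(rules, direction, proto, dst, port):
    """First-match evaluation of (dir, proto, dst, port, action) rules, default deny."""
    flow = ipaddress.ip_network(dst)
    for r_dir, r_proto, r_dst, r_port, action in rules:
        if r_dir != direction or r_proto not in (proto, "any") or r_port not in (port, "any"):
            continue
        # A rule decides the flow only if it spans the whole destination range.
        if flow.subnet_of(ipaddress.ip_network(r_dst)):
            return action
    return "deny"

def audit(rules, honeypot_ip):
    """Return findings; an empty list means the policy matches the requirements."""
    findings = []
    for proto, dst, port in REQUIRED_EGRESS:
        if decide(rules, "egress", proto, dst, port) != "allow":
            findings.append(f"egress {proto}/{port} to {dst} is not allowed")
    hp = ipaddress.ip_network(honeypot_ip)
    # Conservative: any internet-facing allow covering the honeypot is reported,
    # even if an earlier rule would shadow it.
    for r_dir, r_proto, r_dst, r_port, action in rules:
        if (r_dir == "ingress_internet" and action == "allow"
                and hp.subnet_of(ipaddress.ip_network(r_dst))):
            findings.append(f"honeypot reachable from internet on {r_proto}/{r_port}")
    return findings

# Constructed sample data (hypothetical address and policies).
HONEYPOT_IP = "10.20.30.40"
GOOD_POLICY = [
    ("egress", "tcp", "51.158.163.5/32", 443, "allow"),
    ("egress", "udp", "51.158.163.5/32", 4242, "allow"),
    ("egress", "udp", "0.0.0.0/0", 123, "allow"),
    ("ingress_internet", "any", "0.0.0.0/0", "any", "deny"),
]
BAD_POLICY = [
    ("egress", "tcp", "51.158.163.5/32", 443, "allow"),
    ("egress", "udp", "194.100.49.139/32", 123, "allow"),  # NTP pinned too early
    ("ingress_internet", "tcp", "10.20.30.0/24", 445, "allow"),
]
```

Calling audit(BAD_POLICY, HONEYPOT_IP) reports the missing UDP 4242 rule, the NTP rule that is too narrow for the current release, and the internet-facing allow that covers the honeypot.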
Click "Virtual honeypot"
Download both available images and set up the VM in a new window while leaving this page open.
Click Create / Register VM
Select "Deploy a virtual machine from an OVF or OVA file."
Drag in the vmdk and ovf files. Give the instance a suitable name so you remember what it does.
Select suitable storage for your environment.
Select a suitable network configuration for your environment. The instance can run with thin disk provisioning.
Click Finish and wait for the image to be uploaded and the instance to be started.
You should now see a screen like this. Save the honeypot ID so you can activate it in the Kilpi console.
Select the type of service you want the honeypot to appear as.
Add the saved honeypot ID to connect to the newly created VM instance and finish the honeypot configuration.
Go back to doing whatever you were doing before, knowing that if you ever have someone doing reconnaissance in your network, they will find and trigger the honeypot.
If you have any issues during these steps, contact us at support@kilpi.tech.