Setting SSH Honeypot Detection

A honeypot deployed within a customer enterprise network can be used to detect network activity generated by malware attempting to infect or attack other machines on a local area network. SSH login-attempt honeypots supplement detection of lateral-spread events. A honeypot can be deployed on a customer Traffic Collector, from which event information is sent to the Juniper ATP Appliance Core for processing. Customers can place a honeypot on any local network they choose.

A malicious actor attempting brute-force SSH entry, or targeted SSH access to the “root” account, is also detected by the Juniper ATP Appliance SSH Honeypot feature. Because no legitimate user has a reason to log in to a honeypot, any SSH login attempt against it is itself a signal.

Results of SSH Honeypot detections are displayed on the Central Manager Web UI Incidents page, and included in generated Reports.

Data sent to the Juniper ATP Appliance GSS for honeypot detection events includes the “Threat Target” and a detailed record of all attempted “SSH sessions” (including the username and password tried) with timestamps.
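The following is an added example, not code from the Juniper ATP Appliance or its documentation. It shows how the session data described above (source, username, password, timestamp) can be turned into the two detection outcomes the page names: a brute-force burst from one source and a targeted attempt against the “root” account. The record format, field names, the 10-attempts-in-5-minutes threshold and the sample log lines are all constructed assumptions for illustration; the appliance’s real export format and thresholds are not documented on this page.

```python
"""Classify SSH honeypot login attempts into incident types.

Added illustration only. The "ts|src|user|password" record layout, the
thresholds and the sample data below are assumptions, not the Juniper
ATP Appliance export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample honeypot records (not real captured traffic).
# Passwords are captured because they reveal which credential lists
# the attacker is working from; treat them as sensitive when storing.
SAMPLE_LOG = """\
2024-03-01T10:00:01|10.1.5.23|admin|admin
2024-03-01T10:00:02|10.1.5.23|admin|password
2024-03-01T10:00:03|10.1.5.23|admin|123456
2024-03-01T10:00:04|10.1.5.23|admin|admin123
2024-03-01T10:00:05|10.1.5.23|admin|letmein
2024-03-01T10:00:06|10.1.5.23|admin|qwerty
2024-03-01T10:00:07|10.1.5.23|admin|welcome
2024-03-01T10:00:08|10.1.5.23|admin|changeme
2024-03-01T10:00:09|10.1.5.23|admin|toor
2024-03-01T10:00:10|10.1.5.23|admin|P@ssw0rd
2024-03-01T10:15:00|10.1.7.88|root|Summer2024!
2024-03-01T11:30:00|10.1.9.4|backup|backup
"""

# Assumed tuning: N attempts from one source inside the window = brute force.
BRUTE_FORCE_THRESHOLD = 10
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
HONEYPOT_ADDRESS = "10.1.5.250"  # assumed address of the honeypot (the threat target)


def parse_log(text):
    """Parse 'ts|src|user|password' lines into dicts; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, password = line.split("|", 3)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "user": user,
            "password": password,
        })
    return records


def is_burst(times, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """True if any `threshold` consecutive timestamps fall within `window`."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False


def classify(records, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Group attempts by source and label each group.

    Labels: "brute_force" (burst of attempts), "targeted_root" (any attempt
    on the root account), or "login_attempt" (anything else; still suspect,
    since nobody should be logging in to a honeypot).
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    incidents = []
    for src, attempts in sorted(by_src.items()):
        attempts.sort(key=lambda r: r["ts"])
        kinds = []
        if is_burst([r["ts"] for r in attempts], threshold, window):
            kinds.append("brute_force")
        if any(r["user"] == "root" for r in attempts):
            kinds.append("targeted_root")
        if not kinds:
            kinds.append("login_attempt")
        incidents.append({
            "threat_target": HONEYPOT_ADDRESS,
            "source": src,
            "kinds": kinds,
            "attempts": len(attempts),
            "first_seen": attempts[0]["ts"],
            "last_seen": attempts[-1]["ts"],
            "credentials": [(r["user"], r["password"]) for r in attempts],
        })
    return incidents


if __name__ == "__main__":
    for inc in classify(parse_log(SAMPLE_LOG)):
        print(inc["source"], inc["kinds"], inc["attempts"],
              inc["first_seen"].isoformat(), inc["last_seen"].isoformat())
```

The burst check is a sliding window over sorted timestamps rather than a simple per-hour count, so a slow, spread-out credential probe does not get labelled brute force while ten tries in nine seconds does; the root check is independent of volume, because a single well-informed attempt at the root account is the case the page calls out separately.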

Note:

A Juniper ATP Appliance Enterprise License is required for SSH Honeypot Lateral Detection configurations.

A honeypot can operate on a Juniper ATP Appliance All-in-One system or on a Traffic Collector-only device, as long as the host has enough physical interfaces. Each honeypot uses two interfaces: one externally-facing interface for internet/intranet traffic and one for internal host-to-guest communication. Each honeypot uses the eth3 interface for all outbound traffic.

Tip:

Note that eth3 is not necessarily the fourth interface on a device. On a Collector-only device with three interfaces, the interfaces are named eth0, eth1, and eth3. A collector with four interfaces uses eth0, eth1, eth2, and eth3 naming. If a Collector has fewer than three interfaces, the honeypot feature cannot be enabled. An All-in-One device requires at least four interfaces for the honeypot feature, because the third interface is already reserved as the analysis exhaust interface.

SSH Honeypot is configured from the Juniper ATP Appliance device CLI. There are two parameters that can be set for a honeypot:

  • Enable/disable the honeypot

  • Assign the externally-facing (publicly addressable) interface either a static IP (address, mask, and gateway) or DHCP

Note:

The static IP configuration does not require configuring DNS; at this time, honeypots do not require a DNS server.

For more information:

  • Refer to the CLI Command Reference for usage of the SSH Honeypot commands.

  • Refer to the Operator’s Guide for information about honeypots and lateral detections.