ravenscott-blog/markdown/P2P Honeypot Security Network.md
2024-09-16 10:35:44 -04:00

415 lines
16 KiB
Markdown

<!-- lead -->
Building a Robust Peer-to-Peer Security Network
In today's interconnected world, cyber threats are more prevalent and sophisticated than ever. Traditional centralized security solutions often fall short in providing comprehensive protection across all networked devices. Enter the **Peer-to-Peer (P2P) Security Network**, a decentralized approach that empowers every participant (or "peer") to contribute to the collective defense against malicious activities. This article explores a cutting-edge P2P security network implemented using Node.js, delving into its architecture, components, and the technical intricacies that make it a formidable shield for all connected peers.
# Source
## https://git.ssh.surf/snxraven/honeypeer
## Introduction
The P2P security network described herein is designed to create a decentralized system where each peer actively participates in detecting, reporting, and mitigating cyber threats. By leveraging the collective intelligence and resources of all connected peers, the network ensures robust and dynamic protection against a wide array of attacks.
## Architecture Overview
At its core, the P2P security network comprises two primary entities:
1. **Server**: Acts as the central hub for managing client registrations and disseminating attack information.
2. **Client**: Represents individual peers that deploy various honeypots to detect malicious activities and report them to the server.
The communication between the server and clients is secured using cryptographic key pairs, ensuring that only authenticated peers can interact within the network.
## Key Components
### Hyper-IPC-Secure
**Hyper-IPC-Secure** is a secure inter-process communication (IPC) library that facilitates encrypted and authenticated communication between peers in the network. It leverages public-key cryptography to ensure that messages exchanged between the server and clients are both confidential and tamper-proof.
### Hypercore-Crypto
**Hypercore-Crypto** provides cryptographic utilities essential for generating and managing key pairs. These key pairs are pivotal for authenticating peers and securing the communication channels within the network.
## Server Implementation
The server serves as the central authority in the P2P security network, managing client registrations and orchestrating the distribution of attack reports to all connected clients for proactive defense measures.
### Key Management
#### Generating and Storing Key Pairs
Upon initialization, the server checks for the existence of a key pair file (`kp.json`). If absent, it generates a new key pair using `hypercore-crypto` and stores both the public and secret keys in hexadecimal format.
```javascript
const crypto = require('hypercore-crypto');
const fs = require('fs');
// Generate key pair and save to file if it doesn't exist
if (!fs.existsSync('kp.json')) {
const kp = crypto.keyPair();
fs.writeFileSync('kp.json', JSON.stringify({
publicKey: kp.publicKey.toString('hex'),
secretKey: kp.secretKey.toString('hex')
}));
}
// Read key pair from file
const kp = JSON.parse(fs.readFileSync('kp.json'));
kp.publicKey = Buffer.from(kp.publicKey, 'hex');
kp.secretKey = Buffer.from(kp.secretKey, 'hex');
```
This mechanism ensures that the server maintains a consistent identity across restarts, vital for establishing trust with clients.
### Client Registration
Clients must register with the server to participate in the network. The registration process involves the client sending its public key to the server, which the server then stores for future communications.
```javascript
node.serve(kp, 'register.client', async (args) => {
try {
console.log('Received register client request:', args);
const clientPublicKey = Buffer.from(args.publicKey, 'hex');
clients.push(clientPublicKey);
console.log(`Client registered: ${args.publicKey}`);
return { status: 'registered' };
} catch (e) {
console.error('Failed to register client:', e.message);
return { status: 'error', message: e.message };
}
});
```
- **Endpoint**: `register.client`
- **Functionality**: Receives the client's public key and adds it to the `clients` array.
- **Security**: Ensures that only clients with valid key pairs can register, preventing unauthorized entities from joining the network.
### Attack Reporting and Propagation
When a client detects an attack, it reports the details to the server. The server then disseminates a ban command to all registered clients, instructing them to block the attacker's IP address.
```javascript
node.serve(kp, 'report.attack', async (args) => {
const attackDetails = args.details;
console.log(`Received attack report from client. Details: ${JSON.stringify(attackDetails, null, 2)}`);
// Extract and use IPv4 address
const attackerIP = extractIPv4(attackDetails.ip);
for (const client of clients) {
try {
await node.run(client, 'ban.ip', { ip: attackerIP });
console.log(`Sent ban command to client for IP: ${attackerIP}`);
} catch (e) {
console.error(`Failed to send ban command to client: ${e.message}`);
}
}
return { status: 'ban commands sent' };
});
```
- **Endpoint**: `report.attack`
- **Functionality**: Processes attack reports and triggers the propagation of ban commands.
- **Process**:
1. Receives attack details from a client.
2. Extracts the attacker's IPv4 address.
3. Iterates through all registered clients, sending a `ban.ip` command to each.
4. Logs the success or failure of each ban command dispatch.
This decentralized approach ensures that once an attack is detected by any client, all peers in the network take immediate action to mitigate the threat.
## Client Implementation
Clients are the frontline defenders in the P2P security network, deploying various honeypots to detect and report malicious activities.
### Key Management and Registration
Similar to the server, each client generates and manages its own key pair. Upon startup, the client attempts to register with the server using its public key.
```javascript
const crypto = require('hypercore-crypto');
const fs = require('fs');
// Generate key pair and save to file if it doesn't exist
if (!fs.existsSync('kp.json')) {
const kp = crypto.keyPair();
fs.writeFileSync('kp.json', JSON.stringify({
publicKey: kp.publicKey.toString('hex'),
secretKey: kp.secretKey.toString('hex')
}));
}
const kp = JSON.parse(fs.readFileSync('kp.json'));
kp.publicKey = Buffer.from(kp.publicKey, 'hex');
kp.secretKey = Buffer.from(kp.secretKey, 'hex');
// Server public key (should be securely shared or known)
const serverPublicKey = '7c5b0b674e1af93a4df37a86ebc2cd58666c45fb46a78bbd02f198bbcf345f4c'; // Ensure this matches the server public key
```
#### Registration Process
```javascript
async function registerClient() {
try {
console.log('Attempting to register client...');
console.log(`Server public key: ${serverPublicKey}`);
console.log(`Client public key: ${kp.publicKey.toString('hex')}`);
const result = await node.run(Buffer.from(serverPublicKey, 'hex'), 'register.client', { publicKey: kp.publicKey.toString('hex') });
console.log('Client registered with the server');
console.log(result);
} catch (e) {
console.error('Failed to register client:', e.message);
}
}
```
- **Process**:
1. Logs the server and client public keys for transparency.
2. Sends a `register.client` request to the server with the client's public key.
3. Handles the server's response, logging success or failure.
### Honeypot Setup
Clients deploy multiple honeypots to simulate vulnerable services, attracting and detecting malicious activities. Each honeypot listens on standard ports and logs any unauthorized access attempts.
#### SSH Honeypot
```javascript
const net = require('net');
const sshServer = net.createServer((socket) => {
const attackerIP = socket.remoteAddress;
const timestamp = new Date();
console.log(`SSH attack detected from IP: ${attackerIP}`);
reportAttack({
service: 'SSH',
ip: attackerIP,
timestamp,
data: 'SSH connection attempt'
});
socket.end();
}).listen(2222, () => console.log('SSH Honeypot running on port 2222'));
```
- **Port**: `2222` (non-standard to avoid interfering with legitimate SSH services)
- **Functionality**: Logs and reports any connection attempts.
#### HTTP Honeypot
```javascript
const http = require('http');
const httpServer = http.createServer((req, res) => {
const attackerIP = req.connection.remoteAddress;
const timestamp = new Date();
console.log(`HTTP attack detected from IP: ${attackerIP}`);
reportAttack({
service: 'HTTP',
ip: attackerIP,
timestamp,
data: `HTTP request: ${req.method} ${req.url}`
});
res.end('Honeypot');
}).listen(88, () => console.log('HTTP Honeypot running on port 88'));
```
- **Port**: `88` (non-standard)
- **Functionality**: Captures HTTP requests, logs them, and responds with a generic message.
#### FTP Honeypot
```javascript
const ftpd = require('ftpd');
const ftpServer = new ftpd.FtpServer('0.0.0.0', {
getInitialCwd: () => '/',
getRoot: () => '/'
});
ftpServer.on('client:connected', (connection) => {
const attackerIP = connection.socket.remoteAddress;
const timestamp = new Date();
console.log(`FTP attack detected from IP: ${attackerIP}`);
reportAttack({
service: 'FTP',
ip: attackerIP,
timestamp,
data: 'FTP connection attempt'
});
});
ftpServer.listen(21);
console.log('FTP Honeypot running on port 21');
```
- **Port**: `21`
- **Functionality**: Detects FTP connection attempts and reports them.
#### Telnet Honeypot
```javascript
const TelnetServer = require('telnet');
const telnetServer = new TelnetServer({ shellPrompt: '/ # ' });
telnetServer.on('client', (client) => {
const attackerIP = client.socket.remoteAddress;
const timestamp = new Date();
console.log(`Telnet attack detected from IP: ${attackerIP}`);
reportAttack({
service: 'Telnet',
ip: attackerIP,
timestamp,
data: 'Telnet connection attempt'
});
client.on('data', (data) => {
console.log(`Received Telnet data: ${data.toString()}`);
reportAttack({
service: 'Telnet',
ip: attackerIP,
timestamp: new Date(),
data: `Telnet data: ${data.toString()}`
});
});
client.end();
});
telnetServer.listen(23);
console.log('Telnet Honeypot running on port 23');
```
- **Port**: `23`
- **Functionality**: Captures Telnet connection attempts and any data exchanged.
#### SMTP Honeypot
```javascript
const smtpServer = require('smtp-server').SMTPServer;
const smtp = new smtpServer({
onData(stream, session, callback) {
let emailData = '';
stream.on('data', (chunk) => {
emailData += chunk;
});
stream.on('end', () => {
const attackerIP = session.remoteAddress;
const timestamp = new Date();
console.log(`SMTP attack detected from IP: ${attackerIP}`);
reportAttack({
service: 'SMTP',
ip: attackerIP,
timestamp,
data: `SMTP data: ${emailData}`
});
callback();
});
}
});
smtp.listen(25, () => console.log('SMTP Honeypot running on port 25'));
```
- **Port**: `25`
- **Functionality**: Logs SMTP session data, useful for analyzing spamming or phishing attempts.
#### DNS Honeypot
```javascript
const dns = require('native-dns');
const dnsServer = dns.createServer();
dnsServer.on('request', (request, response) => {
const attackerIP = request.address.address;
const timestamp = new Date();
console.log(`DNS attack detected from IP: ${attackerIP}`);
reportAttack({
service: 'DNS',
ip: attackerIP,
timestamp,
data: `DNS request: ${request.question[0].name}`
});
response.answer.push(dns.A({
name: request.question[0].name,
address: '127.0.0.1',
ttl: 600,
}));
response.send();
});
dnsServer.serve(53);
console.log('DNS Honeypot running on port 53');
```
- **Port**: `53`
- **Functionality**: Captures DNS queries, potentially identifying reconnaissance or exploitation attempts.
### Attack Reporting Mechanism
Each honeypot, upon detecting an attack, invokes the `reportAttack` function to notify the server.
```javascript
async function reportAttack(details) {
try {
console.log(`Reporting attack: ${JSON.stringify(details)}`);
const result = await node.run(Buffer.from(serverPublicKey, 'hex'), 'report.attack', { details });
console.log('Reported attack to server:', result);
} catch (e) {
console.error('Failed to report attack:', e.message);
}
}
```
- **Functionality**:
1. Logs the attack details locally for audit and analysis.
2. Sends the attack details to the server using the `report.attack` service.
3. Handles any errors that occur during the reporting process.
This mechanism ensures that the server is kept up-to-date with real-time attack information, enabling swift collective defense actions.
### IP Banning Service
Clients listen for `ban.ip` commands from the server and execute system-level commands to block malicious IP addresses.
```javascript
node.serve(kp, 'ban.ip', async (args) => {
const ipToBan = args.ip;
console.log(`Received ban command for IP: ${ipToBan}`);
exec(`csf -d ${ipToBan}`, (error, stdout, stderr) => {
if (error) {
console.error(`Error executing ban command: ${error.message}`);
return;
}
if (stderr) {
console.error(`Command stderr: ${stderr}`);
return;
}
console.log(`Ban command executed: ${stdout}`);
});
return { status: 'banned', ip: ipToBan };
});
```
- **Endpoint**: `ban.ip`
- **Functionality**: Executes the `csf -d` command to ban the specified IP address using ConfigServer Security & Firewall (CSF).
- **Security**: Ensures that only authenticated ban commands from the server are executed, preventing unauthorized IP blocking.
## Security Considerations
Implementing a P2P security network introduces several security challenges that must be meticulously addressed:
1. **Authentication and Authorization**: Ensuring that only legitimate peers can register and communicate within the network is paramount. This is achieved through the use of cryptographic key pairs, where each peer possesses a unique public and secret key.
2. **Data Integrity**: All messages exchanged between peers are signed and encrypted, safeguarding against tampering and eavesdropping.
3. **Secure Key Storage**: Both server and clients store their key pairs securely (`kp.json`). It's crucial to protect these files from unauthorized access to prevent key compromise.
4. **Defense Against Malicious Peers**: While the network is designed for cooperative defense, it's essential to implement mechanisms to detect and mitigate any malicious peers attempting to disrupt operations or inject false attack reports.
5. **Command Execution Safety**: The `ban.ip` service executes system-level commands (`csf -d`). It's vital to validate and sanitize all inputs to prevent command injection vulnerabilities.
## Scalability and Resilience
The decentralized nature of the P2P security network offers inherent scalability and resilience:
- **Scalability**: As more clients join the network, the collective defense capability increases. The server efficiently manages client registrations and disseminates attack information, ensuring that all peers stay informed without becoming a bottleneck.
- **Resilience**: The network's distributed architecture ensures that the failure or compromise of a single client doesn't jeopardize the entire system. Additionally, the use of multiple honeypots across various services enhances the network's ability to detect diverse attack vectors.
## My Thoughts
The P2P security network presented here embodies a modern approach to collective cyber defense. By harnessing the power of decentralized architecture, cryptographic security, and collaborative intelligence, it offers robust protection against a myriad of cyber threats. Each client, equipped with multiple honeypots, not only safeguards its own resources but also contributes to the broader network's security posture. As cyber threats continue to evolve, such innovative solutions are indispensable in maintaining a secure and resilient digital ecosystem.