Note that Docker is not a security technology (or not a secure technology?); one should not assume that an attacker cannot break out of a Docker container. This honeypot does assume the security of Docker containers; be extremely careful running it in production.
To me, Docker doesn't seem like a good choice of technology for a honeypot, as any kernel-level exploits could lead to potentially lead to complete system compromise or worse.
If they manage to find an exploit in the Kernel then we have something far more valuable on our hands than the run of the mill WordPress malware. Remember, anything inside the honeypot is being aggressively monitored, so we'll know where it came from and what it did.
Would a VM be better for this? Is a VM less likely to be broken out of than Docker in this case? I'm guessing bare metal is the most secure thing to run a honeypot in? My limited knowledge says... probably?
I have run various honeypots for years. I wouldn't feel comfortable with a "honeypot in a container". I'm not even that comfortable with a honeypot in a virtual machine, though I have done it for short periods of time.
My personal preference is always for bare-metal. There's always an old PC or server sitting around that can be put into service as a honeypot and if something happens to it -- e.g., hardware failure with no replacements -- well, it's not a big deal.
6 comments
[ 2.5 ms ] story [ 30.9 ms ] threadMy personal preference is always for bare-metal. There's always an old PC or server sitting around that can be put into service as a honeypot and if something happens to it -- e.g., hardware failure with no replacements -- well, it's not a big deal.