Putting aside this repositories root privilege requirements and lack of documentation on locking down the honeypot, I cannot stress how bad an idea running a honeypot inside a container is.
Containers are an isolation mechanism, not a security mechanism. Honeypots should be run at minimum on a virtual machine, ideally hardware, in a separate network segment.
To be fair to it, it does describe itself as "A shitty attempt at a honeypot/sandbox that uses docker" and contains a fairly large & up front "WARNING WARNING WARNING" section :p
Well this gives me an idea to make a meta-honeypot. A honeypot network running in containers, running in VMs, running on hardware.
They'll say "Oh! This is the Docker container thing I read on HN! I'll just use (X_BUG) that will allow me to gain root on the real system" and instead they pull themselves into root on a VM.
4 comments
[ 2.6 ms ] story [ 15.8 ms ] threadContainers are an isolation mechanism, not a security mechanism. Honeypots should be run at minimum on a virtual machine, ideally hardware, in a separate network segment.
Think of it as more of a brainstorming exercise than a real-world, production ready app.
EDIT Also I would note that in the true sense of open source, PRs are always accepted.
They'll say "Oh! This is the Docker container thing I read on HN! I'll just use (X_BUG) that will allow me to gain root on the real system" and instead they pull themselves into root on a VM.