alikallel/RAMAPOT
Multi-honeypot deployment platform with centralized logging - Deploy Cowrie SSH, Elasticpot, and Redis honeypots on Kubernetes with Elastic Stack monitoring
RAMAPOT
Multi-Honeypot Deployment with Centralized Logging on Kubernetes
RAMAPOT is a honeypot deployment solution that orchestrates multiple honeypots (Cowrie SSH, Elasticpot, and Redis) with centralized logging using the Elastic Stack on a k3d Kubernetes cluster.
Features
- Multi-Honeypot Architecture: Deploy SSH, Elasticsearch, and Redis honeypots simultaneously
- Centralized Logging: Unified log collection and analysis with Elasticsearch and Kibana
- Kubernetes: Containerized deployment with k3d
- Real-time Monitoring: Live dashboards and alerting capabilities
- Scalable Design: Easy to extend with additional honeypots
Prerequisites
Before starting, ensure you have the following tools installed:
- Docker
- k3d
- kubectl
- Helm
- curl (for testing Elasticpot)
- redis-cli or any Redis client (for testing Redis honeypot)
Installation
Step 1: Build Docker Images
Build Elasticpot Image
cd elasticpot
docker build -t elasticpot .
Build Redis Honeypot Image
cd redis-honeypot
docker build -t redishoneypot .
Step 2: Create k3d Cluster
Create a k3d cluster with proper port forwarding:
k3d cluster create mycluster \
  -p "30022:30022@server:0" \
  -p "6379:6379@server:0" \
  -p "9200:9200@server:0" \
  -p "5601:5601@server:0" \
  --agents 2
Port Mapping:
- 30022 → Cowrie SSH service
- 9200 → Elasticpot HTTP service
- 6379 → Redis honeypot
- 5601 → Kibana dashboard
Step 3: Import Docker Images
k3d image import elasticpot -c mycluster
k3d image import redishoneypot -c mycluster
Step 4: Create Namespace
kubectl create namespace honeypot
Deployment
Deploy Cowrie Components
kubectl apply -f cowrie-pvc.yaml -n honeypot
kubectl apply -f cowrie-configmap.yaml -n honeypot
kubectl apply -f cowrie-deployment.yaml -n honeypot
kubectl apply -f cowrie-service.yaml -n honeypot
Deploy Elasticpot Components
kubectl apply -f elasticpot-pvc.yaml -n honeypot
kubectl apply -f elasticpot-configmap.yaml -n honeypot
kubectl apply -f elasticpot-deployment.yaml -n honeypot
kubectl apply -f elasticpot-service.yaml -n honeypot
Deploy Redis Honeypot Components
kubectl apply -f redishoneypot-pvc.yaml -n honeypot
kubectl apply -f redishoneypot-deployment.yaml -n honeypot
kubectl apply -f redishoneypot-service.yaml -n honeypot
Elastic Stack Setup
Install Elasticsearch
helm repo add elastic https://helm.elastic.co
helm repo update
helm install elasticsearch elastic/elasticsearch -n honeypot
Wait for Elasticsearch to be ready:
kubectl get pods -n honeypot -w
Retrieve Elasticsearch Password:
kubectl get secrets --namespace=honeypot elasticsearch-master-credentials -o jsonpath='{.data.password}' | base64 -d
⚠️ Important: Update the retrieved password in all Filebeat configuration files.
Install Kibana
helm install kibana elastic/kibana -n honeypot -f kibana-values.yaml
Wait for Kibana to be ready:
kubectl get pods -n honeypot -w
Deploy Filebeat Instances
Filebeat for Cowrie
kubectl apply -f filebeat-cowrie-configmap.yaml -n honeypot
kubectl apply -f filebeat-cowrie-deployment.yaml -n honeypot
Filebeat for Elasticpot
kubectl apply -f filebeat-elasticpot-configmap.yaml -n honeypot
kubectl apply -f filebeat-elasticpot-deployment.yaml -n honeypot
Filebeat for Redis
kubectl apply -f filebeat-redis-configmap.yaml -n honeypot
kubectl apply -f filebeat-redis-deployment.yaml -n honeypot
Verification
Check All Pods Status
kubectl get pods -n honeypot
All pods should be in Running state.
Testing Honeypots
Test Cowrie (SSH Honeypot)
ssh -p 30022 root@localhost
Test Elasticpot (Elasticsearch Honeypot)
curl -XGET http://localhost:9200/
curl -XGET http://localhost:9200/_cluster/health
Test Redis Honeypot
redis-cli -h 127.0.0.1 -p 6379
# Try commands: INFO, GET test, SET test value, FLUSHALL, etc.
Kibana Configuration
Access Kibana Dashboard
Navigate to: http://localhost:5601
Login Credentials:
- Username: elastic
- Password: (use the password retrieved in Elastic Stack Setup)
Configure Data Views
- Go to Stack Management → Data Views
- Click Create data view
- Create the following data views:
Cowrie Logs
- Index pattern: honeypot-cowrie-*
- Time field: @timestamp
Elasticpot Logs
- Index pattern: honeypot-elasticpot-*
- Time field: @timestamp
Redis Logs
- Index pattern: honeypot-redis-*
- Time field: @timestamp
- Filter: event.dataset: "redis.honeypot"
Create Dashboards
Build visualizations for comprehensive monitoring:
- Time-based Charts: Line charts and bar charts for temporal analysis
- Data Tables: Top IPs, usernames, and executed commands
- Pie Charts: Success/failure ratios and attack distribution
- Metrics: Total events count and connection statistics
Security Monitoring
Create Detection Rules
- Go to Security → Manage → Rules
- Click Create rule
- Configure detection rules based on security requirements
Example Alert Types:
- Brute Force Detection: Multiple failed authentication attempts
- Successful Honeypot Logins: Authentication attempts the honeypot accepted (no legitimate user should ever log in to a honeypot)
View generated alerts in Security → Alerts
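As an added example (not code from the RAMAPOT repository), the two alert types above implemented as plain detection logic over constructed log lines in Cowrie's JSON format; eventid, src_ip, username, password and timestamp are Cowrie's real field names, while the addresses and timestamps are made up. This is the same logic a threshold rule on the honeypot-cowrie-* index encodes, including a time window so that failures spread thinly over time do not count as brute force.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Cowrie's JSON log format; not real traffic.
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_COWRIE_LOG = """
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "123456", "timestamp": "2024-05-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "admin", "timestamp": "2024-05-01T10:00:02.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "admin", "password": "admin", "timestamp": "2024-05-01T10:00:04.000000Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "username": "root", "password": "toor", "timestamp": "2024-05-01T10:00:06.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry", "timestamp": "2024-05-01T10:05:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry", "timestamp": "2024-05-01T10:20:00.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry", "timestamp": "2024-05-01T10:35:00.000000Z"}
this line is not JSON and must be skipped
"""

def parse_events(text):
    """Parse newline-delimited Cowrie JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Cowrie timestamps are UTC with microseconds and a trailing Z
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed logins inside one window (the
    'Brute Force Detection' rule). Returns {src_ip: total_failures}."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev.get("eventid") == "cowrie.login.failed":
            per_ip[ev["src_ip"]].append(ev["_ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                hits[ip] = len(times)
                break
    return hits

def successful_logins(events):
    """Every accepted login is an alert: nobody should legitimately authenticate to a honeypot."""
    return [(ev["src_ip"], ev["username"]) for ev in events if ev.get("eventid") == "cowrie.login.success"]
```

With threshold 3, 203.0.113.10 is flagged (three failures in four seconds) while 198.51.100.7 is not, because its three failures span thirty minutes.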
Troubleshooting
Check Pod Status
kubectl get pods -n honeypot
kubectl describe pod <pod-name> -n honeypot
kubectl logs <pod-name> -n honeypot
Check Services
kubectl get services -n honeypot
Common Issues
- Pod Not Starting: Check resource limits and image availability
- Connection Refused: Verify port forwarding and service configuration
- Log Ingestion Issues: Ensure Filebeat configuration matches Elasticsearch credentials
Cleanup
To remove the entire RAMAPOT deployment:
k3d cluster delete mycluster
Contributing
Contributions are welcome! Please feel free to submit pull requests or open issues for bugs and feature requests.
Feel free to fork this repository and adapt it to your specific needs.
License
This project is licensed under the MIT License - see the LICENSE file for details.
RAMAPOT - Comprehensive Honeypot Deployment Solution