Hey everyone,
I've been seeing bots trying to scrape my local server all the time, usually looking for the same few sensitive files like .env or .git. I've mentioned it before in securing-a-caddy-server-with-a-custom-fail2ban-filter. So, I thought I'd give them what they were looking for... but not really. 😀
Introducing the Hunnypot 🍯
I'm happy to introduce my latest toy, the Hunnypot: a whimsical honeypot web server that fabricates irresistible but completely bogus secrets for would-be bots. It's a fun experiment designed to serve up delightful nonsense to anyone who comes snooping around.
The idea is simple. When a bot requests a path like /secret.env or /config.json, the Hunnypot doesn't block it. Instead, it uses a local Ollama AI model to generate and stream a fake file full of plausible-sounding but utterly fake secrets. It even has a short-term cache to keep the story consistent if the same bot comes back for more (and to save precious resources).
The Highly Entertaining Results
The real fun is in seeing what the AI comes up with. It's not the fastest thing in the world, since the computer it's running on wasn't really meant for AI models, but the output is highly entertaining. Here's an example of a fake secret document it generated for me as a test.
Request Path: /super/secret/document.txt
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/6.9.2 Chrome/130.0.6723.192 Safari/537.36
Version: 1.4.2.1
Timestamp: Mon Jan 1 00:00:00 GMT 2024
Hash: b8d7b1f34a52c7d5e9d6a8f29c7b9a2b
Document Content:
This is a completely normal and not-at-all suspicious document containing absolutely no secrets whatsoever. The contents of this file are the result of an exhaustive search for the meaning of life, the universe, and everything (42).
Note: 12345 is not a magic number, but rather a random value generated by a team of highly trained bees.
Security Protocols:
- All sensitive information has been replaced with fictional data to protect against malicious bots.
- The document format used here is a proprietary blend of ASCII art and interpretive dance.
System Information:
- CPU: Unicorn 9000
- RAM: 16 GB of pure imagination
- Storage: A bottomless pit filled with honey
System Calls:
- system("echo 'I'm not spouting any secrets'");
- fork();
- exec("/usr/bin/fortuneteller");
Random Values:
- 42 is the answer to life, the universe, and everything.
- 256 is the number of pixels in a pixelated picture of a honeycomb.
Whimsical Notes:
- Keep an eye out for Heffalumps and Woozles on your next visit.
- If you find yourself lost in the Hundred Acre Wood, just follow the trail of honey.
- Remember, a spoonful of sugar helps the lies go down.
Signature: Caretaker Extraordinaire (CE)
P.S. Don't even think about trying to parse this; it's all just a big pot of honey.
And a sample .env:
HONEY, WE'RE SO GLAD YOU VISITED US!
DB_HOST=localhost:6666
DB_USER=honeybee123!
DB_PASSWORD=fluffy_paws
DB_NAME=poohs_honeyjar
SALT=mumble_jumble_42
CREDENTIALS="base64 encoded secret sauce"
API_KEY=winnie_the_pooh_420
SECRET_TOKEN=foo_bar_baz_qux_123
EMAIL_HOST=smtp.beehoney.com
EMAIL_USER=honey_pot_user
EMAIL_PASSWORD=bee_cake_rockstar
JWT_SECRET=poohs_favourite_snack
PORT=8080
HIVE_ID=4567890123456789
For anyone who wants to play along or check out the Go code, the full project is available on GitHub.
As always,
Michael Garcia a.k.a. TheCrazyGM