Getting Started
What is ProxyPot?
ProxyPot is an advanced, proprietary honeypot technology developed by GCA, designed to elevate your network security by capturing and analyzing potentially malicious traffic in real-time. Its standout feature is the ability to proxy this traffic through to real devices, recording full, unencrypted PCAPs for in-depth analysis. ProxyPot performs high-level analysis of these PCAPs automatically, providing valuable data such as credentials, HTTP headers, shell commands, etc.
ProxyPot supports the following protocols:
- FTP
- FTPS
- HTTP
- HTTPS
- ICMP
- SFTP
- SMTP
- SMTPS
- SSH
- Telnet
In addition to proxying traffic to real devices, ProxyPot also provides fully configurable sandbox emulations. These emulations can be easily tailored via JSON or YAML, with a library of real-world templates included for quick deployment. For seamless integration, ProxyPot offers a fully documented REST API and a Go SDK, empowering you to automate and customize every aspect of your honeypot deployment.
Why deploy ProxyPot?
Deploying ProxyPots in your network offers a robust, complementary approach to network monitoring and security. ProxyPot's unique ability to proxy potentially malicious traffic to real devices, capturing full unencrypted PCAPs, allows for deep visibility into attack methods, credentials, and other critical data that can be used to fortify your defenses. By using ProxyPot's sandbox emulations and flexible configuration options, you can effectively mimic real-world environments, attracting and analyzing malicious behavior in a controlled manner.
System requirements
System requirements are heavily dependent on how many devices and IP addresses you intend to configure with ProxyPot. A typical deployment with 10 virtual device configurations (a virtual device configuration being 1 IP with 1 port bound) will operate just fine with minimal system resources:
- Any modern dual-core CPU (x86 or ARM)
- 1 GB RAM
- 32 GB storage
- 100 Mbps network
- Any modern OS with Docker installed (with root privileges for packet capture)
Deploying ProxyPot at the edge of your network, rather than behind a firewall, ensures it captures the full spectrum of incoming traffic, including threats that would otherwise be blocked. This placement allows ProxyPot to interact directly with potential attacks, providing rich, unfiltered data for comprehensive threat analysis and helping to strengthen your overall security posture.
There are no costs to host ProxyPot aside from the underlying machine needed. ProxyPot runs very well unmanned, and can be configured to send alerts in the event that an error (that requires investigation) occurs.
Installation
We provide a Docker image for ProxyPot, which makes deployment as simple as:
docker run --name=proxypot ghcr.io/globalcyberalliance/proxypot:latest
Cluster Deployment
ProxyPot also supports clustering many edge nodes together, feeding all data back to a single controller node. The system requirements for each of the nodes are largely the same as above; however, the Manager node acting as the controller requires considerably more storage, since it pools all of the data in one location.
What happens to the data?
You can view the data collected by ProxyPot via its intuitive web interface, which provides a high-level overview of your deployment (e.g. X number of devices, charts depicting attack trends, frequency of particular shell commands, etc.). If your installation is connected to AIDE, you’ll also be able to see our data on attacks potentially originating from your AS.
You can also connect your deployment to our global AIDE network, feeding data into our platform and providing you with greater visibility into how your deployment stacks up against the rest of the internet.