Monitor a Honeypot with Azure App Insights

Richard P
7 min readNov 30, 2020
Photo by Boba Jaglicic on Unsplash

Have you ever wanted to watch foreign malicious actors attack a virtual machine in real time? In this article, we will do just that with a python honeypot and Azure Monitor.

First, I need to give a shout-out to the Microsoft docs for setting up Application Insights. This explains in greater detail some things that I gloss over.

Also check out my GitHub repo with python honeypot.

Outline

This article has 3parts:

  1. Create a honeypot — set up a virtual machine that will run a python script to expose a port to public connections. The script will reject attempts to connect by foreign actors and close the connection.
  2. Send the hackers’ IP address information to Application Insights on Azure.
  3. Analyze log data using Kustos Query Language in the Application Insights Logs dashboard.

Part 1. Create a honeypot

Rather than setting up the honeypot on your personal machine, I recommend setting up an Linux Azure virtual machine and creating a Resource Group. The Resource Group can house both the virtual machine and the Application Insights resource.

When you set up your virtual machine, you can remote into it via either RDP or ssh. I recommend adding the VM ssh public key to your known hosts file and accessing the VM through VS Code. Also don’t forget to run apt-get update from a termin on the VM, and install python 3.

Virtual Machine networking

For your python application to listen on a port, you will need to open that port up on the virtual machine. If you are working on an Azure virtual machine, you can open the port up from Networking tab. Add Inbound port rule with a Destination Port Range of the port your app will listen on. I used port 1025.

Also, the python socket function requires an IP address to listen on. You must use the internal IP address given by the…

--

--