Best low-end VPS Providers for deploying honey-sites to learn Bot Behaviour
I'm working on a personal project inspired by some security research (like the honeypot techniques) to set up 5-10 low-interaction honeysites. The goal is to attract and analyse bot traffic and classify "good" bots (search engine crawlers) vs. "bad" ones (malicious scanners or exploit probers) without any real human traffic. I'll be running simple web apps like WordPress, Joomla, etc., via Docker on these sites, with Nginx/Apache for logging, and some fingerprinting tools (JA3 for TLS, Fingerprintjs2 for browsers).
I plan to run the same for a few months initially. The setup involves deploying these on separate VMs to mimic isolated sites, and I need to keep costs low since this is for learning/experimentation. Based on my initial plan, each VM should handle:
Basic specs:
1. Something like 1-2 vCPUs, 2-4GB RAM, 10-20GB SSD (similar to AWS t3.small or medium, but I'm open to cheaper alternatives).
2. HTTP/HTTPS traffic (ports 80/443), plus SSH (22).
3. Preferably spread across different regions/datacenters for diversity (EU, US, Asia) to observe geo-varied bot behaviour.
Which low-end/free VPS providers would you recommend for this? Appreciate any advice, provider recommendations, or even config tips if you've dabbled in this. Thanks in advance.
Comments
"Hey guys so I'm here to poison the well so can you go ahead and tell me where it is?"
Even with the greatest intentions, nobody's going to want you as a client for that purpose. I know that Google and Oracle have had a couple of free tiers available after you validate your account.
My pronouns are like/subscribe.
Hey, don't be mean. He is not going to poison the well. He is just going to release some bait into shark-infested water.
Never make the same mistake twice. There are so many new ones to make.
It’s OK if you disagree with me. I can’t force you to be right.
Yeah chum the waters man!!! Chum them!! This will turn out great!!
Unless he's putting something dodgy on the site or taking some active action (blackhat SEO) to attract bot traffic, this should just get the same traffic as any other site? i.e. normal background noise.
Maybe I'm missing something, but just passive analysis of traffic seems no more risky to the provider than a blog about your grandma's cookie recipe.
To clarify, I’m setting up passive low-interaction honeypots to log and analyse standard bot traffic (crawlers and scanners). Now once I get a corpus of these data I can effectively classify good vs bad bots. It’s low-risk, similar to typical website traffic, as @havoc pointed out, with no active baiting or questionable activities.
@WSS, haha, no well-poisoning here, I promise. But yeah, it is a fair point, I don't disagree. That is actually what I am seeking advice on here: what to do. These are just passive low-interaction honeypots to log standard bot traffic for analysis, nothing that’ll make providers nervous, just normal background scans any site gets. I think this happens to every website.
@Not_Oles will you take them?
The all seeing eye sees everything...
You know one of the first ways to tell when someone is lying is that they have far too much information and they talk too much?
I'm not making that claim here - but I don't want a noisy neighbor even if it's to classify bad actors. I gave up running my own damn MX because it became a daily fight due to noisy neighbors.
My pronouns are like/subscribe.
Maybe. It would depend on various factors.
I hope everyone gets the servers they want!
With all due respect @WSS, the project is inspired by research published as an IEEE paper on honeypot-based cyber deception, which focuses on passive, low-interaction honeypots to study bot behaviour. This is purely for academic analysis, similar to observing background noise, as @havoc mentioned. I’ll ensure the setup complies with provider ToS and keeps resource usage minimal.
I think for honeypotting, big cloud like AWS is a favourable choice due to their network being really popular, the ability to rotate IP addresses and the unwillingness of scanners to exclude them from their scans.
Taking this a step back, despite me disagreeing with @WSS's line of reasoning... the suggestions he landed on may be a good fit anyway for OP.
Oracle free tier in particular will let you spin up 6 VMs for free. Don't recall how many IPv4... but at least 4 for sure (tested that myself). Wild guess says the other 2 as well but not sure. So you could probably run 6 unique IP honeypots in parallel for free.
Just pull the data logs frequently. Oracle is known to randomly delete free tiers. Also their FW stuff is a bit of a pain, so don't be surprised if just getting basic HTTP working takes time.
Oh wow, thank you. Oracle’s free tier is generous. Services marked “Always Free” stay free within their limits, so we won’t be charged. I’ll deploy Docker containers. Bots, both benign and malicious, generally scan IP ranges for open ports (80, 443, 22). Once our VM is online, it is likely to be discovered and probed, giving us traffic to log, observe, and classify.
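A first pass at the good-vs-bad classification discussed in this thread, as an added example that is not code from any poster: it parses Nginx "combined" access-log lines, checks any client claiming to be a search crawler with forward-confirmed reverse DNS, and flags requests for paths an empty site never links to. The function and table names, the probe-path list and the sample log lines are assumptions constructed for illustration.

```python
import re
import socket

# Nginx "combined" access-log format
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Crawler UA token -> hostname suffixes the operator documents for verification
CRAWLER_DOMAINS = {"googlebot": (".googlebot.com", ".google.com"),
                   "bingbot": (".search.msn.com",)}
# Paths an empty honeysite never links to (illustrative, not exhaustive)
PROBE_RE = re.compile(r"/\.env|/\.git/|/wp-login\.php|/xmlrpc\.php|\.\./", re.I)

def dns_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dns_forward(host):  # IPv4 only
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def classify(line, reverse=dns_reverse, forward=dns_forward):
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    ip, path, ua = m["ip"], m["path"], m["ua"].lower()
    for token, suffixes in CRAWLER_DOMAINS.items():
        if token in ua:
            host = reverse(ip)
            # Forward-confirmed reverse DNS: PTR in operator's domain AND resolves back
            if host and host.endswith(suffixes) and ip in forward(host):
                return "verified-crawler"
            return "spoofed-crawler"
    return "probe" if PROBE_RE.search(path) else "unclassified"

# Constructed sample data (documentation IP ranges) so the example runs offline
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com"}
FAKE_A = {host: {ip} for ip, host in FAKE_PTR.items()}
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:00:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [01/Jan/2025:00:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Googlebot/2.1"',
    '203.0.113.5 - - [01/Jan/2025:00:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31.0"',
]

def classify_sample():
    return [classify(l, FAKE_PTR.get, lambda h: FAKE_A.get(h, set())) for l in SAMPLE]
```

Against real logs, call `classify(line)` with the default resolvers and cache the DNS results per IP, since a honeysite sees the same sources repeatedly.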
If you are comfortable enough with using IPv6 and possible v4 proxying through a CDN or other v4 solutions, we can help, that's an interesting study.
We have the EU servers and are currently on a pre-sale for the North America one - our EU servers will meet your low-cost pricing target easily, the North America one is a little higher (the processor is much more powerful as well, and it's 10 Gbps).
I can do some arrangements though, to lower your final cost at around 50% of the 2GB package with some concessions (e.g. 1 Gbps instead of the 10) and help with that study.
Send a DM if you're interested.
Tiago
wow TIL
I tried creating a free account in Oracle Cloud. Seems like they have strict rules in registration. I selected the wrong card type and the registration got denied. Further, no registration was allowed from my side. I will try mailing them.
Yeah, it's very hit & miss. Some people have had an account for years, others can't make it past sign up, others have one for a bit then it gets deleted. Pattern wise, best as I can tell, they don't like prepaid cards, and they don't like users from ahem less prosperous countries.
Makes sense