Set Up Honeytokens to Detect Unauthorized Access

A honeytoken is a decoy file, database record, or credential that is intentionally placed in a system to detect unauthorized access. Honeytokens act as digital tripwires and help:

✅ Detect insider threats - Identifies employees or contractors accessing restricted data.
✅ Monitor unauthorized access - Triggers alerts when attackers or malware attempt to use fake credentials.
✅ Improve threat intelligence - Helps security teams understand how attackers navigate a system.
✅ Support compliance efforts - Provides evidence of unauthorized activity for security audits.

🔹 Honeytokens do not impact system operations but provide an early warning when accessed.

How to Implement Honeytokens on a Linux Server

1. Insert a Honeytoken in a Database

For databases, honeytokens are fake records that should never be accessed legitimately.

Step 1: Create a Fake Database Record

MySQL Example:

USE mydatabase;
INSERT INTO users (id, username, password, email) 
VALUES (9999, 'admin_test', 'FakePassword123', 'admin@secretmail.com');

🔹 No real user should ever log in with this account.

Step 2: Enable Logging for Unauthorized Access Attempts

Enable query logging to track access:

SET GLOBAL general_log = 'ON';

View log entries:

cat /var/log/mysql/mysql.log | grep 'admin_test'

🔹 Any access to this fake user is a security red flag.

2. Create a Fake API Key or SSH Credential

For cloud environments or Linux servers, place fake credentials in logs or config files.

Step 1: Generate a Honeytoken API Key

Save a fake AWS API key in a text file:

echo "AWS_SECRET_ACCESS_KEY=FAKE123456789EXAMPLEKEY" > /etc/secrets/api_keys.txt

Step 2: Monitor Access to the File

Use auditd to detect when this file is read:

auditctl -w /etc/secrets/api_keys.txt -p r -k honeytoken

Check logs for unauthorized access:

ausearch -k honeytoken --start today

🔹 If someone reads the file, it means they are snooping for credentials.

3. Monitor Honeytoken Access and Send Alerts

Use fail2ban, SIEM, or email alerts to track unauthorized activity.

A. Send an Email Alert When the Fake Database Entry is Accessed

Modify MySQL to trigger an email:

CREATE TRIGGER alert_access
BEFORE SELECT ON users
FOR EACH ROW
BEGIN
  IF NEW.username = 'admin_test' THEN
    INSERT INTO alert_logs (event, timestamp) 
    VALUES ('Unauthorized Honeytoken Access Detected', NOW());
  END IF;
END;

🔹 Whenever someone queries the "admin_test" account, an alert is logged.

B. Use a SIEM (Splunk, ELK, Wazuh) to Monitor Honeytoken Events

Log honeytoken access in syslog:

logger -t SECURITY "Honeytoken file accessed by $(whoami) from $(hostname -I)"

Forward this log entry to SIEM for further investigation.

4. Investigate Unauthorized Honeytoken Triggers

If a honeytoken is accessed, read, or modified, take immediate action:

✅ Check access logs - Identify the IP, user, and time of access.
✅ Verify process logs - Find out which script or user triggered the access.
✅ Isolate compromised accounts - Change passwords, disable suspicious accounts.
✅ Deploy forensic analysis - Review command history (~/.bash_history), open sessions, and network activity.

Example investigation command:

journalctl -u sshd | grep "$(whoami)"

Strengthen Your Linux Server Security

🔹 Cybersecurity is an ongoing process, not a one-time setup.
🔹 A layered defense (firewalls, encryption, RBAC, honeytokens) ensures stronger protection.
🔹 Regular audits, monitoring, and automation help detect and prevent attacks early.
🔹 Proactive security measures like honeytokens provide an early warning system for detecting breaches.

By implementing honeytokens, you gain valuable insights into unauthorized activity, helping you stay ahead of attackers and insider threats, ensuring your Linux environment remains secure and resilient.