UniFi UDM Honeypot Hits from C-3 and C-4 and C-7 Hubs

I recently upgraded my network to include a UDM Pro as my Controller / Firewall.

After activating the Honeypot feature I am now getting notifications of Honeypot Hits from my C-3 and C-4 Hubs (nothing from my C-7).

I am not super concerned about it, but I do not know of any reason that they should be doing this.

Any thoughts or ideas?

Thanks

Could simply be random scans looking for open ports. I don't use a DM (I use WatchGuard); I simply block all uninitiated traffic.

1 Like

It is coming from the IPs of the 2 Hubs, and only those IPs, so if it is a random scan it appears it is being performed by the hubs.

Oops, sorry I wasn't paying attention. Do you have hubmesh turned on? That will likely set it off.

Which ports/services is it hitting?
A couple of examples off the top of my head, hub mesh does discovery in the background and Wiz integration sends UDP packets looking for compatible devices.

3 Likes

I do have hub mesh turned on on the two hubs that hit the Honeypot, so that is a likely candidate. It is also turned on on the C-7 but it is functioning more as the receiver of the mesh, so maybe that is the difference. I will have to look at the Mesh setup and see if there is a difference there.
I do not have the Wiz integration installed.
I do not know what port it is using. I will try to catch it sooner next time it happens and see what my firewall logged. The Honeypot is on the UDM and I have an Untangle firewall between it and the hubs, so it should log the activity.

Interesting. The honeypot on my UXG-Pro has never flagged my C7 hub. But I don't have hub mesh turned on, so perhaps that's why.

I have not gotten hits from my C-7 either, which makes it even more odd to me.

Found a bit more info... Port 80

Honeypot Alert

Overview
Date: Dec 27 2022
Time: 10:59 AM
Source IP: 192.168.xx.xx
Service: HTTP
Port: 80

After the latest update (2.3.4.138) my C-7 hits the honeypot every few minutes.

I would guess that's how a hub searches for other Hubitat hubs on the network.

1 Like

Could be, but it must be a broad search since it is hitting the Honeypot on a different VLAN/Subnet.

Hi Everyone,

I'm on the C5 Hub, OS Version 2.3.4.139. My honeypot started getting hits two days ago, for about 4-5 hours, and again yesterday, for the same amount of time.

It was at two different time periods. First time, it started happening at around 12 AM, until about 5 AM, and second time, at around 4 PM, until about 9 PM.

I've had an integration with UniFi for Presence, and monitoring devices, which was removed. Another network application that was running, and was showing activity around the "hit" times was LG integration which was also removed. After finding this forum entry, I re-checked that Meshing is set to off (this C5 is my only hub anyway). Hub was rebooted after every major change.

Hub mesh is now using TCP instead of UDP (UDP has been eliminated) and apparently hub mesh scanning is setting off people's honeypots on the UniFi's.

We'll be moving hub mesh discovery to use mDNS. It's on the to do list.

4 Likes

When will this be done?

I updated from .134 to .148 last night before bed and woke up to over 100 hits, every 5-10 minutes getting multiple hits.
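An added example, not part of any post in this thread: one way to triage honeypot alerts like the ones described above, separating a known hub that touches one port at a steady interval from a source that deserves a closer look. The pipe-separated input format, the sample addresses, the `KNOWN_DEVICES` inventory and the `max_jitter` threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample alerts (not taken from the thread):
# timestamp|source IP|service|port
SAMPLE_ALERTS = """\
2022-12-27 10:59:00|192.168.10.21|HTTP|80
2022-12-27 11:04:00|192.168.10.21|HTTP|80
2022-12-27 11:09:02|192.168.10.21|HTTP|80
2022-12-27 11:14:00|192.168.10.21|HTTP|80
2022-12-27 12:00:01|192.168.30.77|SSH|22
2022-12-27 12:00:02|192.168.30.77|TELNET|23
2022-12-27 12:07:40|192.168.30.77|HTTP|80
"""

# Assumed inventory: addresses you have assigned to your own devices.
KNOWN_DEVICES = {"192.168.10.21": "hub-c3"}

def parse_alerts(text):
    """Return (timestamp, source_ip, port) tuples from pipe-separated lines."""
    alerts = []
    for line in text.strip().splitlines():
        ts, src, _service, port = line.split("|")
        alerts.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, int(port)))
    return alerts

def triage(alerts, known=KNOWN_DEVICES, max_jitter=0.25):
    """Summarize hits per source; the verdict is a heuristic hint, not proof."""
    by_src = defaultdict(list)
    for ts, src, port in alerts:
        by_src[src].append((ts, port))
    report = {}
    for src, hits in by_src.items():
        times = sorted(ts for ts, _ in hits)
        ports = sorted({port for _, port in hits})
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Periodic = at least 3 hits whose gaps vary by <= max_jitter (stdev/mean).
        periodic = len(gaps) >= 2 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter
        # Only a known device on a single port at a steady interval is set aside.
        benign = src in known and len(ports) == 1 and periodic
        report[src] = {"device": known.get(src, "UNKNOWN"), "hits": len(hits),
                       "ports": ports, "periodic": periodic,
                       "verdict": "likely-discovery" if benign else "investigate"}
    return report

if __name__ == "__main__":
    for src, row in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, row)
```

A "likely-discovery" verdict is still worth confirming against the firewall log between the hub and the honeypot, since the heuristic only looks at timing and port count.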