Using a Raspberry Pi honeypot to contribute data to DShield/ISC
We have been working for a while now on a honeypot based on a Raspberry Pi. Thanks to our volunteers, we now have a version of the honeypot that provides us not just with the firewall data that we usually collect, but also with data about telnet/ssh and web attacks. Traditionally, we have focused on firewall logs, and we will, of course, continue to collect them. But it has become more difficult to collect logs from many consumer level firewalls. The Raspberry Pi based system will allow us to maintain one code base that will make it easier to collect rich logs beyond firewall logs.
To participate, you will need a Raspberry Pi that is exposed to internet traffic. You can do so by either connecting it directly to your cable/DSL modem or by exposing it to Internet traffic via your firewall. But it is important that the device will receive more or less unfiltered traffic (it is ok if a couple of ports are blocked or used by other services). The Raspberry Pi should be dedicated to the task as a honeypot.
We have tested the system with a Raspberry 2 and 3. It works best if you use the wired network interface, but a WiFi connection should work as well.
To install the honeypot, it is best to follow the instructions in our GitHub repository for the project: https://github.com/DShield-ISC/dshield .
The short version of the instructions:
- Setup an account here to submit your reports
- Install the base Raspian OS (the Lite version will do)
- Install "git" (sudo apt install git)
- clone the repository (git clone https://github.com/DShield-ISC/dshield.git)
- run the install script.
But please see the full instructions for additional details.
What do you get out of it?
First of all, you are contributing to an awesome project that measures the internet's "background radiation" for about 16 years now. Our data is regularly used by researchers to improve defensive recommendations and to validate and observe trends in attack patterns. All of our data is made available for free under a creative commons license.
Secondly, you will be able to review summaries of your data via this site. Your data will be linked to IP address reports and summaries of data submitted by others.
In talking to people interested in submitting in the past, I often hear the following arguments against it, which I call my "top myths not to submit data":
- My data isn't all that interesting
Absolutely right. Your data, by itself, isn't all that interesting. But it becomes interesting once we can correlate it with data from other users. What we are looking for is "average home users," small businesses and just about anybody connected to the internet. We are not trying to find the next APT. Instead, we are looking for the next worm or bot scanning the internet for a new vulnerability, which may not even be a zero day. - My employer will not allow me to submit data
No need to submit data from work. Your home connection will work just fine (see above) - It is hard to submit data
I hope we make this easier using this Raspberry Pi honeypot. It shouldn't take much "care and feeding." Maybe an update once a month with new software.
We try our best to make this honeypot secure. We do use software like Cowrie and some additional python scripts to emulate services. We rather allow the honeypot to be fingerprinted as a honeypot then having it exploited.
If you do however find any bugs (security or functional), then please submit a report via GitHub ( https://github.com/DShield-ISC/dshield/issues ).
We are in the process of making the same code work in an Ubuntu virtual machine. For some that already have a local virtual machine setup, this may be an easier method to deploy these honeypots.
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Aug 3rd 2017
7 years ago
So more a stupid issue with the logging script that needs to be fixed at some point.
Anonymous
Aug 3rd 2017
7 years ago
Anonymous
Aug 3rd 2017
7 years ago
- What to do when it becomes infected?
- Do I get notified if it becomes infected?
- What period of time to wipe and reload to mitigate the risk of infection?
Anonymous
Aug 3rd 2017
7 years ago
The Hygiene questions:
The honeypot should not get infected. This is not a full interaction honeypot. Instead, we picked low/medium interaction honeypot software that simulate vulnerable systems, but are not actually vulnerable.
If it ever becomes infected (for example due to a bug in out software), then just wipe it and reinstall from scratch.
Anonymous
Aug 3rd 2017
7 years ago
If you get infected, simply power down the Pi, remove old SD card, put in new SD card, and power-up again...Much easier to abuse a 35 dollar piece of h/w rather than a full blown computer/server or frankenputer
Anonymous
Aug 3rd 2017
7 years ago
I would like to find a way to have my firewall forward all ports that are not associated with an SPI established connection. (Save for a few ports like SSH.)
This would mean that the vast majority of traffic would be routed to the honeypot, but that it could miss some traffic that might otherwise go to it.
Anonymous
Aug 4th 2017
7 years ago
It might be a good idea to set up an organized web forum/blog for this initiative, if one doesn't exist already.
Someplace where people who will engage in this program can ask questions and share notes.
I know that the bug reporting is in github, but should that be used for other Q&A and collaboration activity as well?
BTW - I think this initiative is an exceptional idea. A non-government owned "collective sensor" for internet activity monitoring totally trips my trigger. Looking forward to joining that kind of a collective whole heartedly.
Anonymous
Aug 4th 2017
7 years ago
I just started using a Raspberry Pi 1 Model B as a DShield honeypot - it seems to work like a charm.
Let's see how it performs over time.
Regards
Thomas
Anonymous
Aug 5th 2017
7 years ago
Anonymous
Aug 6th 2017
7 years ago