Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: A Honeypot for home: Raspberry Pi - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Honeypot for home: Raspberry Pi

In numerous previous Diaries, my fellow Internet Storm Center Handlers have talk on honeypots, the values of full packet capture and value of sharing any attack data. In this Diary I'm going to highlight a fairly simple and cost effective way of rolling those together. 

If you have an always on internet connection, having a honeypot listening to what is being sent your way is never bad idea. There's plenty of ways to set up a honeypot, but a inexpensive way is to set up one up at home is with a Raspberry Pi [1]. The Raspberry Pi is a credit-card sized computer, which can be hidden away out of sight easily, has a very low power consumption and is silent but works very well for a home honeypot.  

These are plenty of install guides to install the OS (I like using Raspbian), secure it then, drop your pick, or mix, of honeypot such as Kippo [2], Glastopf [3] or Dionaea [4] on it. Again, guides on how to set these up litter the intertubes, so take your pick. As additional step, I like to install tcpdump and plug in a Linux formatted 4Gb USB drive in to the Pi and then do full packet capture of any traffic that is directed to the Pi's interface to the USB drive. Other than who doesn't like to sifted through packet captures during downtime, there are times capturing the full stream provides insights and additional options (like running it through your IDS of choice) on the connections being made to you.

Once you have it all set up, secured, tested and running don't forget to share the data with us, especially if you install Kippo [5]

From my observations, don't expect a massive amount of interaction with your home honeypot, but you will see plenty of scanning activity. It's a fairly interesting insight, especially if you pick a number of ports to forward on from your router/modem for the honeypot to listen on. If you do set up tcpdump to capture any traffic hitting the Raspberry Pi network interface (and haven't set up a firewall to drop all non-specified traffic) is that it'll pick up any chatty, confused or possibly malicious connections within your home network if they are broadcasting or scanning the subnet as well. With the Internet of Things being plugged in to home networks now, it's always handy to have a little bit of notification if your fridge starts port scanning every device on your network...

As one of my fellow Handler, Mark Hofman, sagely mentioned:

"if you are going to set one up, make sure you fully understand what you are about to do.  You are placing a deliberately vulnerable device on the internet.  Depending on your location you may be held liable for stuff that happens (IANAL).  It it gets compromised, make sure it is somewhere where it can't hurt you or others."

So keep an eye on your Pi!

Happy honeypotting!

 

[1] http://www.raspberrypi.org/
[2] https://github.com/desaster/kippo
[3] http://glastopf.org/
[4] http://dionaea.carnivore.it/
[5] https://isc.sans.edu/diary/New+Feature%3A+%22Live%22+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433

 

Chris Mohan --- Internet Storm Center Handler on Duty

Chris

105 Posts
ISC Handler
My DSL Extreme account allows me to have up to four devices connected to the Internet, each with its own IP address. Those who have shopped around for ISPs that support this feature could easily install the honeypot fully exposed to the Internet that way - safely.

{^_^}
JD

5 Posts Posts
THIS JUST IN . . . "Security chap writes recipe for Raspberry Pi honeypot network
Cunning security plan: dangle £28 ARM boxes and watch crooks take the bait" (theRegister)
http://www.theregister.co.uk/2014/08/01/bust_comment_crew_with_this_armada_of_raspberry_pi_honeypots/
Anonymous

Posts
I've been running Kippo on a Raspberry Pi for over a year -- it's a continual source of amusement.
k6rtm

3 Posts Posts
I've been running Kippo on a Raspberry Pi for over a year -- it's a continual source of amusement.
k6rtm

3 Posts Posts
I've run Kippo on my Raz Pi and had good success with it. I currently have one instance of Kippo running on it, while I'm also running Conpot (ICS honeypot) on my BeagleBone Black. Honeypot's are a great way to learn and using these cheap computers, anyone can do it at minimal cost. I may start running tcpdump, as you mentioned, as well.
KPryor

7 Posts Posts
An update package for the Honeeepi Project was posted 1/25/2015.
The package includes many of the 'pots' mentioned in Chris's and others' posts.

http://sourceforge.net/projects/honeeepi/

Features
Conpot (Industrial control Honeypot)
Dionaea honeypot (catch bug)
Glastopf honeypot (Web Application Honeypot)
Kippo honeypot (SSH Honeypot)
Snort
ntop
Remote Packet Capture (rpcap)
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!