SANS Internet Storm Center

Beta Testers Wanted: Use a Raspberry Pi as a DShield Sensor
I am currently working on an easy way to turn a Raspberry Pi into a DShield sensor. If you would like to, you can try the current "beta version" of the software. Feedback is very much appreciated. To get started: Install Raspbian Jessie on your Pi https://www.raspberrypi.org/downloads/raspbian/ change the default password (VERY IMPORTANT!!!) claim the entire SD card for Raspbian (by default, you only use 4GB, and space may be tight). the easiest way to do this is to run sudo raspi-config and select "expand roofs" you will need the e-mail address, the numeric userid and the "authkey" for your ISC/DShield account. You can retrieve it here: https://isc.sans.edu/myaccount.html Download the software from github: git clone https://github.com/DShield-ISC/dshield.git run the install script sudo dshield/bin/install.sh enjoy (hopefully... and please let me know what works/doesn't work, if possible by entering an "issue" with github https://github.com/DShield-ISC/dshield/issues ) . Important: The install script will move the SSH server to port 12222. So the next time you connect after a reboot, you will need to connect to that port (ssh -p 12222 pi@[your pi IP]) . The reason we do this is to keep port 22 free for an ssh honeypot. In order to make the Raspberry Pi a useful sensor, you need to expose it to network traffic. For example, you could use your router's "DMZ" feature to expose the system. Other Raspbian versions may work, and if you do have one, by all means test it and let me know how it goes. --- Johannes B. Ullrich, Ph.D. STI\|Twitter\|LinkedIn I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022	Johannes 4346 Posts ISC Handler Feb 10th 2016
Thread locked Subscribe	Feb 10th 2016 5 years ago
I was going to planet mod_security into my WP/LAMP Pi this weekend, but now you got me hooked. Will let you know.	Krypt0ni8 21 Posts
Quote	Feb 10th 2016 5 years ago
Agreed, this sounds like a great weekend project. I'm in.	Jack G. 6 Posts
Quote	Feb 10th 2016 5 years ago
Great idea! Just ordered a 2nd Pi - other one is already in use. Is this just an SSH honeypot or something more? Does it only need public internet exposure, or visibility to traffic in & out of my main network? I ask because I have additional public IP's, so if all we want is internet exposure, I'll put it outside of my local network with a public IP. Thanks!	ScottChapman 4 Posts
Quote	Feb 11th 2016 5 years ago
Please include me, assuming home connections are valuable.	Juice 12 Posts
Quote	Feb 11th 2016 5 years ago
I've had a Raspberry pi sitting around for ages, this might be a good way to give it something interesting to do.	Endorean 3 Posts
Quote	Feb 11th 2016 5 years ago
I haven't played with it yet but am assuming it's some sort of Kippo equivalent SSH server with fake file system. So if you don't have port 22 NATed inbound you should be good to go. @Chapman	Krypt0ni8 21 Posts
Quote	Feb 12th 2016 5 years ago
Dshield sensor is up and running with 22-->12222 NATed and tested. Couple of questions is this suppose to log username and passwords only? I haven't seen any legit users database or fake file system script. The other thing I wanted to ask you about is how do we verify that are pi's logs are being submitted to ISC Dshield? is there some sort of portal that we have access to?	Krypt0ni8 21 Posts
Quote	Feb 13th 2016 5 years ago
Up & running also! I'll look forward to hearing what is next or how to know if it's doing anything.	ScottChapman 4 Posts
Quote	Feb 13th 2016 5 years ago
Quoting Krypt0ni8:Dshield sensor is up and running with 22-->12222 NATed and tested. Couple of questions is this suppose to log username and passwords only? I haven't seen any legit users database or fake file system script. The other thing I wanted to ask you about is how do we verify that are pi's logs are being submitted to ISC Dshield? is there some sort of portal that we have access to? If you login you should have access through My Account > My SSH reports? I want to jump aboard too! :)	dotBATman 70 Posts
Quote	Feb 15th 2016 5 years ago
No raw data under my SSH reports for the past three days, although I tried test/test couple of times thru my cellular LTE.	Krypt0ni8 21 Posts
Quote	Feb 15th 2016 5 years ago
Wow, that didn't take long. After installing today's updates, /var/log/dshield.log had over 10 different source IP's in just a few minutes. It'll be fun to see the aggregate totals once they start uploading! Great job, Johannes.	ScottChapman 4 Posts
Quote	Feb 15th 2016 5 years ago
I'm not sure you are supposed to forward your outside connection to 12222; I thought that was for the management on the pi. Dr. Ullrich has not setup the honeypot ssh according to this TODO list above. Unless I'm mistaken.	RyDogg 2 Posts
Quote	Feb 16th 2016 5 years ago
It looks like the management sshd port is listening on all interfaces: pi@raspberrypi:~ $ netstat -an\| grep 2222 tcp 0 0 0.0.0.0:12222 0.0.0.0:* LISTEN tcp 0 0 192.168.1.20:12222 192.168.1.147:56176 ESTABLISHED tcp6 0 0 :::12222 :::* LISTEN If the management port is to be 12222 then it needs to be bound in the sshd_config. The ListenAddress is not set on a fresh install of Jessie; so not sure if it needs to be preset before the script changes the ssh port. # What ports, IPs and protocols we listen for Port 12222 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0	RyDogg 2 Posts
Quote	Feb 16th 2016 5 years ago
Quoting ScottChapman:Great idea! Just ordered a 2nd Pi - other one is already in use. Is this just an SSH honeypot or something more? Does it only need public internet exposure, or visibility to traffic in & out of my main network? I ask because I have additional public IP's, so if all we want is internet exposure, I'll put it outside of my local network with a public IP. Thanks! The sensor is only interested in inbound traffic from the Internet.	Alex Stanford 136 Posts
Quote	Feb 16th 2016 5 years ago
You're right. for some reason I though it's an SSH honeypot. @RyDogg	Krypt0ni8 21 Posts
Quote	Feb 16th 2016 5 years ago
Heard the announcement for this on your podcast - a great way to keep informed. I was wondering what to do with a spare / older PI v1 and now up and running as a dshield sensor - reporting in straight away. Installation - almost a dream, very slow on a RPIv1 though - perhaps some feedback/progress indications during the installation script would stop impatient people like me thinking it has failed and pressing <Ctrl>c ..... Will submit to Git as a suggestion Awesome work - thank you !	DaveT 2 Posts
Quote	Feb 20th 2016 5 years ago
Just curious, I've run through the instructions and install the DShield onto the Pi and opened it up to the Internet. Is that it? Is there something else I should be doing? How can I know if it's working or not?	Endorean 3 Posts
Quote	Feb 22nd 2016 5 years ago
I have "+sans" in my email address for filtering purposes. The registration step in the shell script installer keeps balking at my ID and AuthKey, I'm guessing this is the reason. Anyone else have issues?	Endorean 1 Posts
Quote	Feb 22nd 2016 5 years ago
I think my Pi may be old and malfunctioning ... ERROR: ld.so: object 'h▒▒*"▒▒^S▒M▒Q▒J5wזW▒▒▒Q▒▒▒X▒B▒v▒&6' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. I get weird errors to stdout like that,, mysqql didnt couldnt update its passwd that i gave it,, ill pick up a new Pi , see how it goes...	TuggDougins 37 Posts
Quote	Feb 28th 2016 5 years ago
you should see data in reports https://www.dshield.org/myreports.html	TuggDougins 37 Posts
Quote	Feb 28th 2016 5 years ago