
SANS ISC: Dockerized DShield SSH Honeypot - SANS Internet Storm Center SANS ISC InfoSec Forums

Dockerized DShield SSH Honeypot

One month ago, Johannes released a beta version of a DShield sensor for the Raspberry Pi. The Pi is a cool computer for running this kind of tool, but you must have a spare one and it requires extra cables and power (OK, not so much). Building and maintaining a virtual machine for an application with low CPU, memory and bandwidth requirements is a bit overkill. Why not use a container?
I reused Johannes’s installation script and restricted the installation to the bare minimum. The goal is just to run a cowrie instance and enable the DShield output module. To report collected data to DShield, you need an account.
Building the container is very easy:
# git clone
# cd dshield-docker
# docker build -t dshield/honeypot .
The container performs a check of your DShield credentials at boot time. You can pass them to the container using a text file (keep it in a safe place!):
# cat <<_END_ >env.txt
# docker run -d -p 2222:2222 --env-file=env.txt --restart=always --name dshield dshield/honeypot
Interested? More information and sources are available here. Happy hunting!

Xavier Mertens
ISC Handler - Freelance Security Consultant
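
The post says to keep the credentials file in a safe place. As an added example (not part of the original post or of the dshield-docker sources), these shell functions create the file with owner-only permissions and vet it before it is handed to `docker run --env-file`. The function names and the strict VAR=value policy are assumptions of this example; the check for quotes is there because Docker reads env-file values literally.

```shell
#!/bin/sh
# Added example: vet a credentials file before `docker run --env-file`.
# Function names and the VAR=value-only policy are assumptions of this example.

# Write stdin to a file that only the owner can read.
write_env_file() {
    ( umask 077; cat > "$1" && chmod 600 "$1" )
}

# Return 0 if the file is safe to pass to --env-file, 1 otherwise.
# Error messages name the variable only, never its value.
check_env_file() {
    f=$1
    # Reject symlinks and anything that is not a regular file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: accessible beyond the owner ($perms); chmod 600 it" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
            *=*) ;;
            *) echo "$f: a line has no '=' (expected VAR=value)" >&2; return 1 ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case $name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "$f: invalid variable name: $name" >&2; return 1 ;;
        esac
        # docker reads the value literally, so surrounding quotes would
        # be sent as part of the credential.
        case $value in
            '') echo "$f: $name is empty" >&2; return 1 ;;
            \"*|\'*) echo "$f: $name is quoted; remove the quotes" >&2; return 1 ;;
        esac
    done < "$f"
    return 0
}

# Usage: check_env_file env.txt && docker run ... --env-file=env.txt ...
```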


There is a dot (.) missing in the docker build command.
Does one need a specific model of the Raspberry Pi to use this system?

