A Honeypot for home: Raspberry Pi

Published: 2014-07-31
Last Updated: 2014-07-31 14:20:07 UTC
by Chris Mohan (Version: 1)

In numerous previous Diaries, my fellow Internet Storm Center Handlers have talked about honeypots, the value of full packet capture and the value of sharing any attack data. In this Diary I'm going to highlight a fairly simple and cost-effective way of rolling those together.

If you have an always-on internet connection, having a honeypot listening to what is being sent your way is never a bad idea. There are plenty of ways to set up a honeypot, but an inexpensive way to set one up at home is with a Raspberry Pi [1]. The Raspberry Pi is a credit-card sized computer that can easily be hidden away out of sight, has very low power consumption and is silent, and it works very well as a home honeypot.

There are plenty of install guides for the OS (I like using Raspbian); install it, secure it, then drop your pick, or mix, of honeypots such as Kippo [2], Glastopf [3] or Dionaea [4] on it. Again, guides on how to set these up litter the intertubes, so take your pick. As an additional step, I like to install tcpdump, plug a Linux-formatted 4 GB USB drive into the Pi and then do full packet capture of any traffic directed at the Pi's interface, writing it to the USB drive. Apart from the fact that who doesn't like sifting through packet captures during downtime, there are times when capturing the full stream provides insights and additional options (like running it through your IDS of choice) on the connections being made to you.

Once you have it all set up, secured, tested and running, don't forget to share the data with us, especially if you install Kippo [5].

From my observations, don't expect a massive amount of interaction with your home honeypot, but you will see plenty of scanning activity. It's a fairly interesting insight, especially if you pick a number of ports to forward from your router/modem to the honeypot. One side effect of setting up tcpdump to capture all traffic hitting the Raspberry Pi's network interface (if you haven't set up a firewall to drop all non-specified traffic) is that it'll also pick up any chatty, confused or possibly malicious connections from within your home network, if devices are broadcasting or scanning the subnet (on a switched network the Pi only sees broadcasts and what is addressed to it, which is exactly what a subnet sweep does). With the Internet of Things being plugged into home networks now, it's always handy to have a little bit of notification if your fridge starts port scanning every device on your network...
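Here is an added example of the kind of check that "little bit of notification" implies; it is my own illustration for this Diary, not code from the original post or from any of the honeypot projects mentioned. It reads a classic tcpdump pcap file (the format tcpdump writes by default), keeps only IPv4/TCP connection attempts (SYN without ACK) and reports any source that tried to reach many distinct host:port targets, which is what a device sweeping the subnet, or an internet host walking your forwarded ports, looks like in the capture. The sample capture, the addresses (192.168.1.x for the home LAN, 203.0.113.5 from the documentation range) and the threshold of 20 targets are all constructed for the example.

```python
"""Find scan-like sources in a tcpdump capture taken on a home honeypot.

Added example for this Diary, not code from the original post. It reads a
classic (non-pcapng) pcap byte string, keeps IPv4/TCP connection attempts
(SYN without ACK) and reports sources that hit many distinct host:port
targets. The capture, addresses and threshold below are all constructed.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10
ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_TCP = 6


def parse_pcap(data):
    """Yield (src_ip, dst_ip, dst_port) for every IPv4/TCP SYN in a classic pcap."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"                     # little-endian capture (what tcpdump on a Pi writes)
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    # global header after the magic: ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 or frame[12:14] != ETHERTYPE_IPV4:
            continue                                  # ARP, IPv6, etc. are ignored here
        ip = frame[14:]
        if len(ip) < 20:
            continue
        ihl = (ip[0] & 0x0F) * 4                      # IP header length, options included
        if ip[9] != PROTO_TCP or len(ip) < ihl + 14:
            continue                                  # need at least the TCP flags byte
        tcp = ip[ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        flags = tcp[13]
        if flags & SYN and not flags & ACK:           # a new connection attempt, not a reply
            src = ".".join(str(b) for b in ip[12:16])
            dst = ".".join(str(b) for b in ip[16:20])
            yield src, dst, dport


def find_scanners(events, fanout_threshold=20):
    """Map each source to its number of distinct (dst, port) targets, keeping only
    sources at or above the threshold. A normal client reuses a handful of targets;
    a sweep of the subnet produces dozens."""
    targets = defaultdict(set)
    for src, dst, dport in events:
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= fanout_threshold}


def analyze(pcap_bytes, fanout_threshold=20):
    """Convenience wrapper: pcap bytes in, {source_ip: distinct_targets} out."""
    return find_scanners(parse_pcap(pcap_bytes), fanout_threshold)


# --- constructed sample capture (no real traffic; same pcap layout the parser reads) ---

def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_pcap(packets):
    """Build a little-endian classic pcap from (src, dst, dport, tcp_flags) tuples."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, (src, dst, dport, flags) in enumerate(packets):
        eth = b"\x00" * 12 + ETHERTYPE_IPV4            # MAC addresses are irrelevant to the parser
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0, _ip(src), _ip(dst))
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
        frame = eth + ip + tcp
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def _sample_capture():
    pkts = []
    # the hypothetical "fridge" at 192.168.1.50 sweeps SSH on 30 neighbours
    pkts += [("192.168.1.50", f"192.168.1.{h}", 22, SYN) for h in range(1, 31)]
    # a laptop talking to the router on 443 three times, plus the SYN/ACK replies
    for _ in range(3):
        pkts.append(("192.168.1.10", "192.168.1.1", 443, SYN))
        pkts.append(("192.168.1.1", "192.168.1.10", 40000, SYN | ACK))
    # an internet host (203.0.113.5, documentation range) probing the forwarded ports
    pkts += [("203.0.113.5", "192.168.1.200", p, SYN) for p in (22, 23, 80)]
    return build_pcap(pkts)


SAMPLE_CAPTURE = _sample_capture()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for src, n in sorted(analyze(data).items(), key=lambda kv: -kv[1]):
        print(f"{src} attempted connections to {n} distinct host:port targets")
```

On the sample capture only the fridge is reported at the default threshold (30 targets); lowering it to 3 also surfaces the internet host walking the forwarded ports, while the router's SYN/ACK replies never count as attempts. For real input, the capture would come from something like tcpdump -i eth0 -n -s 0 -C 100 -W 50 -w /mnt/usb/pi.pcap run as root on the Pi (a ring of 50 files of 100 MB each on the USB drive; the path and sizes are my assumptions), and the script is pointed at one of the numbered files tcpdump writes. It deliberately reads only classic pcap: if a file has been saved from Wireshark as pcapng, convert it first with editcap -F pcap.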

As one of my fellow Handlers, Mark Hofman, sagely mentioned:

"if you are going to set one up, make sure you fully understand what you are about to do. You are placing a deliberately vulnerable device on the internet. Depending on your location you may be held liable for stuff that happens (IANAL). If it gets compromised, make sure it is somewhere where it can't hurt you or others."

So keep an eye on your Pi!

Happy honeypotting!


[1] http://www.raspberrypi.org/
[2] https://github.com/desaster/kippo
[3] http://glastopf.org/
[4] http://dionaea.carnivore.it/
[5] https://isc.sans.edu/diary/New+Feature%3A+%22Live%22+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433


Chris Mohan --- Internet Storm Center Handler on Duty

Keywords: honeypot