SANS ISC: DShield Honeypot

DShield Honeypot

The DShield Honeypot is a low-interaction honeypot that allows us to collect data for research purposes. By default, the honeypot runs the following:

  • Collecting SSH and Telnet usernames and passwords via Cowrie
  • An HTTP honeypot collecting full HTTP requests
  • We also collect firewall logs from the honeypot

The honeypot can be installed on a Raspberry Pi using Raspbian Lite, on Ubuntu 18.04 LTS, or on an AWS host running AMI Linux 2. For more details and up-to-date instructions, see our GitHub repository.

Complete Install Video via YouTube (long/thorough)

Honeypot FAQs

  • Will running a honeypot increase my risk of an attack?
    It should not. This is not an actual vulnerable system. Instead, we use scripts like Cowrie to simulate a vulnerable system.
  • Is it useful to DShield to have a honeypot on a residential DSL/Cable connection or do you need data from large networks?
    Absolutely. We need a large number of diverse participants to make this project useful. Even a normal home connection will likely see several attacks a day.
  • Can I run the honeypot on a free AWS instance (or other cloud service)?
    Yes. The honeypot uses few resources. It should work well on a minimum cloud instance. It needs only a little disk storage. Logs are sent to DShield every 30 minutes, and no longer-term log storage is needed.
  • Can the honeypot be hacked? Can it be used to attack others?
    We hope not. The honeypot uses scripts to simulate vulnerable services. This is not a vulnerable machine or "full interaction" honeypot.
  • How do I report a problem or ask for help?
    Report any problems as an "issue" via GitHub, which is the best way for us to track them, or use our Slack channel.