Using a Raspberry Pi as a network honeypot
Fly Catcher
Adding a honeypot to your network will slow down attackers and warn you that intruders are on the wire.
Honeypots are traps that attract invaders on the network and reveal information about their approaches. A server that is part of the normal departmental network is always an attractive target. A honeypot pretends to be a real server, responding to queries and commands from the intruder and tracking the intruder's actions, alerting network authorities that an attack is taking place. This article describes some options for implementing a honeypot on a tiny $35 Raspberry Pi computer.
The easiest form of a honeypot is the low-interaction honeypot – a comparatively simple piece of software that offers a tasty target for attackers. High-interaction honeypots are more complex because they simulate one or more complete computer systems; a pure honeypot presents a modified version of a normal production server that is additionally equipped with forensic tools. Thanks to falling hardware costs, you can easily equip even smaller networks with honeypots, especially if you have access to cheap hardware like a Raspberry Pi.
Installing the Software
Attackers follow the "low-hanging fruit" principle: After analyzing the network, they usually settle on the target that looks most vulnerable. Glastopf [1] is a server written in Python that has a number of simulated vulnerabilities. According to the project website, Glastopf "… emulates thousands of vulnerabilities to gather data from attacks targeting web applications." A computer equipped with Glastopf magically attracts attackers. The comparatively frugal hardware requirements – Glastopf can do without virtualization and complex services – make the system ideally suited for single-board computers.
Installing Glastopf can take a while. The first step en route to creating a working honeypot is to download the packages required to run the software (Listing 1).
Listing 1
Download Packages
Then, you need to download a couple of helpers. In addition to the BFR (Better Function Replacer) sandbox, you also need to install LibInjection (Listing 2).
Listing 2
Install Helpers
BFR shows that the install was successful by outputting the installation path. This path is important for configuring Glastopf downstream.
If you have a Raspberry Pi configured per the defaults, the output will be:
Installing shared extensions: /usr/lib/php5/20100525+lfs/
PyLibInjection can be installed using the pip package manager for Python tools. Many of the instructions found on the Internet that check out a specific Git commit are out of date – they fail because of a change in the configuration files in the repositories. Luckily, the following command line is all you need to work around this problem:
sudo pip install pylibinjection
Next, add:
zend_extension = /usr/lib/php5/20100525+lfs/bfr.so
to the PHP configuration file at /etc/php5/cli/php.ini.
Starting Glastopf
After completing preparations, you can then proceed to download Glastopf and make it executable. Downloading the various support files with pip will take a while due to the low-powered processor in the Raspberry Pi:
sudo pip install glastopf
cd /opt
sudo mkdir myglastopf
cd myglastopf
sudo pip install greenlet==dev
sudo glastopf-runner
Starting Glastopf takes well over five minutes. An error occurring on requesting the configurations – referred to as "dorks" – is normal. When it outputs the string "Glastopf started and privileges dropped" (Figure 1), the server is ready for action – any actions performed by attackers will appear at the command line.
You can configure Glastopf using several settings. All of these settings end up in the glastopf.conf file, which is created in the current working directory. In the log directory, you will find a file named glastopf.log that contains all of the commands run by attackers. If so desired, you can import the command log into an SQL database; administrators with SQL experience can then use familiar tools for their forensic analysis.
If you run Glastopf on a Raspberry Pi that also runs Apache, you will need to stop the web server before starting the honeypot; Glastopf creates a socket, which is bound to port 80. This process fails if the port is already occupied by Apache.
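Because the bind on port 80 fails when another process already holds it, a quick pre-flight check saves a five-minute startup. The following shell functions are an added example (not from the article or the Glastopf project): they read the kernel socket table in /proc/net/tcp directly, so they work on a minimal Pi image without ss or netstat. The names port_in_use and glastopf_preflight are my own.

```shell
#!/bin/sh
# Added example: check whether a TCP port already has a listener before
# starting Glastopf on port 80. Reads /proc/net/tcp and /proc/net/tcp6
# (or the table files given as extra arguments, useful for testing).
# Usage: port_in_use PORT [TCP_TABLE ...]
# Exit status 0 = a listener is bound to PORT, 1 = the port is free.
port_in_use() {
    port=$1; shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    hexport=$(printf '%04X' "$port")
    # Column 2 is local_address as HEXIP:HEXPORT (the port is the last
    # colon-separated field); column 4 is the socket state, 0A = TCP_LISTEN.
    awk -v want="$hexport" '
        FNR > 1 {
            n = split($2, a, ":")
            if (a[n] == want && $4 == "0A") { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$@" 2>/dev/null
}

# The Glastopf case from the article: refuse to proceed while something
# (typically Apache) still holds port 80.
glastopf_preflight() {
    if port_in_use 80 "$@"; then
        echo "port 80 is already bound; stop the web server (sudo service apache2 stop) first" >&2
        return 1
    fi
    echo "port 80 is free; glastopf-runner can bind it"
}
```

Run `glastopf_preflight` as root on the Pi before `sudo glastopf-runner`; a non-zero exit tells you Apache (or something else) still owns the port.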
SSH Trap with Kippo
Kippo is a honeypot tool that specializes in SSH. Kippo can log brute force attacks and capture the intruder's entire interaction with the shell. Inexperienced hackers will often start with a port scan and then connect with any services that are addressable from the outside. Kippo [2] exploits this behavior by emulating a Debian system that is accessible using SSH. The files uploaded there allow you to analyze the behavior of uninvited guests. If you have copies of all the tools used in the attack, this can usually facilitate your data forensics work.
When you install Kippo, it makes sense to add a couple of tools for data visualization. A meaningful basic installation includes the packages in Listing 3.
Listing 3
Packages for Kippo
You can use SVN to download the program, which is written in Python. Then, change to the desired directory and enter:
svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-read-only
The program is basically ready for action after processing these commands, but it still cannot access the database. Log in by typing
mysql -h localhost -u root -p
at the MySQL console; then run:
create database kippo;
GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-DB-pass';
exit
The developers provide their honeypot with a predefined data schema. Change to the kippo-read-only/doc/sql directory and open the MySQL console again.
Next, load the content of the schema into the database:
mysql -u kippo -p
use kippo;
source mysql.sql;
Before running the program, you need to provide a configuration file. Rename the file kippo.cfg.dist in the kippo-read-only directory to kippo.cfg. Then, modify the following section to connect your honeypot with the database:
[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass
After you finish the configuration, redirect the SSH server running on your Raspberry Pi to a different port if you deploy Kippo on port 22 [3]. Start the service with sudo ./start.sh. From this point on, the honeypot accepts connections and stores the commands it receives in a logfile.
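Moving the real sshd off port 22 is the step most likely to lock you out of the Pi if done by hand, so here is an added shell example (not from the article or the Kippo project) that rewrites the Port directive in sshd_config idempotently and refuses port 22 or an invalid value. The function names relocate_sshd_port and sshd_port, and the example port 2222, are my own choices.

```shell
#!/bin/sh
# Added example: move the Pi's own sshd to another port so Kippo can take 22.
# Usage: relocate_sshd_port CONFIG_FILE NEW_PORT   (e.g. /etc/ssh/sshd_config 2222)
# Every existing "Port" line, commented or not, is replaced by a single
# "Port NEW_PORT"; one is appended if the file has none. Running it twice
# with the same port changes nothing, so it is safe in provisioning scripts.
relocate_sshd_port() {
    cfg=$1 newport=$2
    case $newport in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$newport" -lt 1 ] || [ "$newport" -gt 65535 ] || [ "$newport" -eq 22 ]; then
        echo "port must be 1-65535 and not 22 (reserved for the honeypot)" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v p="$newport" '
        /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/ {
            if (!done) { print "Port " p; done = 1 }   # keep only one Port line
            next
        }
        { print }
        END { if (!done) print "Port " p }' "$cfg" > "$tmp" &&
        cat "$tmp" > "$cfg"    # write in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Effective sshd port: the first active Port line, or 22 when none is set.
sshd_port() {
    p=$(awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; exit }' "$1")
    echo "${p:-22}"
}
```

After the rewrite, restart sshd from a session you keep open and confirm `ssh -p 2222` works before starting Kippo, and make sure any firewall on the Pi admits the new port.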
Acquired information can be transferred to a web interface for easy evaluation. To do this, first extract the statistics package [4] in the /var/www directory and modify the config.php file; then, open /kippo-graph/index.php and enjoy the prebuilt back end.