Using a Raspberry Pi as a network honeypot

Fly Catcher

© Lead Image © Richard Blaker, fotolia.com

© Lead Image © Richard Blaker, fotolia.com

Article from Issue 178/2015
Author(s):

Adding a honeypot to your network will slow down attackers and warn you that intruders are on the wire.

Honeypots are traps that attract invaders on the network and reveal information about their approaches. A server that is part of the normal departmental network is always an attractive target. A honeypot pretends to be a real server, responding to queries and commands from the intruder and tracking the intruder's actions, alerting network authorities that an attack is taking place. This article describes some options for implementing a honeypot on a tiny $35 Raspberry Pi computer.

The easiest form of a honeypot is the low-interaction honeypot – a comparatively simple piece of software that offers a tasty target for attackers. High-interaction honeypots are more complex because they simulate one or more complete computer systems; a pure honeypot presents a modified version of a normal production server that is additionally equipped with forensic tools. Thanks to falling hardware costs, you can easily equip even smaller networks with honeypots, especially if you have access to cheap hardware like a Raspberry Pi.

Installing the Software

Attackers follow the "low-hanging fruit" principle: After analyzing the network, they usually settle on the target that looks most vulnerable. Glastopf [1] is a server written in Python that has a number of simulated vulnerabilities. According to the project website, Glastopf "… emulates thousands of vulnerabilities to gather data from attacks targeting web applications." A computer equipped with Glastopf magically attracts attackers. The comparatively frugal hardware requirements – Glastopf can do without virtualization and complex services – make the system ideally suited for single-board computers.

Installing Glastopf can take a while. The first step en route to creating a working honeypot is to download the packages required to run the software (Listing 1).

Listing 1

Download Packages

 

Then, you need to download a couple of helpers. In addition to the BFR (Better Function Replacer) sandbox, you also need to install LibInjection (Listing 2).

Listing 2

Install Helpers

 

BFR shows that the install was successful by outputting the installation path. This path is important for configuring Glastopf downstream.

If you have a Raspberry Pi configured per the defaults, the output will be:

Installing shared extensions: /usr/lib/php5/20100525+lfs/

PyLibInjection can be installed using the pip package manager for Python tools. The list of instructions on the Internet that run a commit against Git are out of date – they will fail because of a change in the configuration files located in the repositories. Luckily, the following command line is all you need to fix this problem:

sudo pip install pylibinjection

Next, add:

zend_extension = /usr/lib/php5/20100525+lfs/bfr.so

to the PHP configuration file that resides below /etc/php5/cli/php.ini.

Starting Glastopf

After completing preparations, you can then proceed to download Glastopf and make it executable. Downloading the various support files with pip will take a while due to the low-powered processor in the Raspberry Pi:

sudo pip install glastopf
cd /opt
sudo mkdir myglastopf
cd myglastopf
sudo pip install greenlet==dev
sudo glastopf-runner

Starting Glastopf takes well over five minutes. An error occurring on requesting the configurations – referred to as "dorks" – is normal. When it outputs the Glastopf started and privileges dropped string (Figure 1), the server is ready for action – any actions performed by attackers will appear at the command line.

Figure 1: Glastopf gives the administrator a variety of information and tips when the program launches.

You can configure Glastopf using several settings. All of these settings end up in the glastopf.conf file, which is created in the current working directory. In the log directory, you will find a file named glastopf.log that contains all of the commands run by attackers. If so desired, you can import the command log into an SQL database; administrators with SQL experience can then use familiar tools for their forensic analysis.

If you run Glastopf on a Raspberry Pi that also runs Apache, you will need to stop the web server before starting the honeypot; Glastopf creates a socket, which is bound to port 80. This process fails if the port is already occupied by Apache.

SSH Trap with Kippo

Kippo is a honeypot tool that specializes in SSH. Kippo can log brute force attacks and capture the intruder's entire interaction with the shell. Inexperienced hackers will often start with a port scan and then connect with any services that are addressable from the outside. Kippo [2] exploits this behavior by emulating a Debian system that is accessible using SSH. The files uploaded there allow you to analyze the behavior of uninvited guests. If you have copies of all the tools used in the attack, this can usually facilitate your data forensics work.

When you install Kippo, it makes sense to add a couple of tools for data visualization. A meaningful basic installation includes the packages in Listing 3.

Listing 3

Packages for Kippo

 

You can use SVN to download the program, which is written in Python. Then, change to the desired directory and enter:

svn checkout http://kippo.googlecode.com/svn/trunk/kippo-read-only

The program is basically ready for action after processing these commands, but it still cannot access the database. Log in by typing

mysql -h localhost -u root -p

at the MySQL console; then run:

create database kippo;
GRANT ALL ON kippo.* TO 'kippo'@' localhost' IDENTIFIED BY' Kippo-DB-pass';
exit

The developers provide their honeypot with a predefined data schema. Change to the kippo-read-only/doc/sql directory and open the MySQL console again.

Next, load the content of the schema into the database:

mysql -u kippo -p
use kippo;
source mysql.sql;

Before running the program, you need to provide a configuration file. Rename the file named kippo.cfg.dist in the directory /kippo-read-only to kippo.cfg. Then, modify the following sections to connect your honeypot with the database:

[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass

After you finish the configuration, redirect the SSH server running on your Raspberry Pi to a different port if you deploy Kippo on port 22 [3]. Start the service with sudo ./start.sh. From this point on, the honeypot accepts command switches stored in a logfile.

Acquired information can be transferred to a web interface for easy evaluation. To do this, first extract the statistics package [4] in the /var/www directory and modify the config.php file; then, open /kippo-graph/index.php and enjoy the prebuilt back end.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column: Glastopf

    Good traps catch mice, and honeypots catch malicious scripts. Sys admin Charly resorts to a honeypot in this issue, which, although difficult to install, is easy to manage.

  • Honeypots

    Use Cowrie as a honeypot to capture attack data and learn more about your attacker's methods.

  • Honeynet

    Security-conscious admins can use a honeynet to monitor, log, and analyze intrusion techniques.

  • Tutorials – Intrusion Protection

    No computer security is perfect, so make sure you've got a second line of protection.

  • Tool Tips

    Tools tested: MenuMaker, CLOC, ddrescueview, Hiawatha, pam_honeycreds.so, and XDM.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News