Using a Raspberry Pi as a network honeypot
Fly Catcher
Adding a honeypot to your network will slow down attackers and warn you that intruders are on the wire.
Honeypots are traps that attract invaders on the network and reveal information about their approaches. A server that is part of the normal departmental network is always an attractive target. A honeypot pretends to be a real server, responding to queries and commands from the intruder and tracking the intruder's actions, alerting network authorities that an attack is taking place. This article describes some options for implementing a honeypot on a tiny $35 Raspberry Pi computer.
The easiest form of a honeypot is the low-interaction honeypot – a comparatively simple piece of software that offers a tasty target for attackers. High-interaction honeypots are more complex because they simulate one or more complete computer systems; a pure honeypot presents a modified version of a normal production server that is additionally equipped with forensic tools. Thanks to falling hardware costs, you can easily equip even smaller networks with honeypots, especially if you have access to cheap hardware like a Raspberry Pi.
Installing the Software
Attackers follow the "low-hanging fruit" principle: After analyzing the network, they usually settle on the target that looks most vulnerable. Glastopf [1] is a server written in Python that has a number of simulated vulnerabilities. According to the project website, Glastopf "… emulates thousands of vulnerabilities to gather data from attacks targeting web applications." A computer equipped with Glastopf magically attracts attackers. The comparatively frugal hardware requirements – Glastopf can do without virtualization and complex services – make the system ideally suited for single-board computers.
Installing Glastopf can take a while. The first step en route to creating a working honeypot is to download the packages required to run the software (Listing 1).
Listing 1
Download Packages
Then, you need to download a couple of helpers. In addition to the BFR (Better Function Replacer) sandbox, you also need to install LibInjection (Listing 2).
Listing 2
Install Helpers
BFR shows that the install was successful by outputting the installation path. This path is important for configuring Glastopf downstream.
If you have a Raspberry Pi configured per the defaults, the output will be:
Installing shared extensions: /usr/lib/php5/20100525+lfs/
PyLibInjection can be installed using the pip package manager for Python tools. The list of instructions on the Internet that run a commit against Git are out of date – they will fail because of a change in the configuration files located in the repositories. Luckily, the following command line is all you need to fix this problem:
sudo pip install pylibinjection
Next, add:
zend_extension = /usr/lib/php5/20100525+lfs/bfr.so
to the PHP configuration file that resides below /etc/php5/cli/php.ini
.
Starting Glastopf
After completing preparations, you can then proceed to download Glastopf and make it executable. Downloading the various support files with pip will take a while due to the low-powered processor in the Raspberry Pi:
sudo pip install glastopf cd /opt sudo mkdir myglastopf cd myglastopf sudo pip install greenlet==dev sudo glastopf-runner
Starting Glastopf takes well over five minutes. An error occurring on requesting the configurations – referred to as "dorks" – is normal. When it outputs the Glastopf started and privileges dropped string (Figure 1), the server is ready for action – any actions performed by attackers will appear at the command line.
You can configure Glastopf using several settings. All of these settings end up in the glastopf.conf
file, which is created in the current working directory. In the log directory, you will find a file named glastopf.log
that contains all of the commands run by attackers. If so desired, you can import the command log into an SQL database; administrators with SQL experience can then use familiar tools for their forensic analysis.
If you run Glastopf on a Raspberry Pi that also runs Apache, you will need to stop the web server before starting the honeypot; Glastopf creates a socket, which is bound to port 80. This process fails if the port is already occupied by Apache.
SSH Trap with Kippo
Kippo is a honeypot tool that specializes in SSH. Kippo can log brute force attacks and capture the intruder's entire interaction with the shell. Inexperienced hackers will often start with a port scan and then connect with any services that are addressable from the outside. Kippo [2] exploits this behavior by emulating a Debian system that is accessible using SSH. The files uploaded there allow you to analyze the behavior of uninvited guests. If you have copies of all the tools used in the attack, this can usually facilitate your data forensics work.
When you install Kippo, it makes sense to add a couple of tools for data visualization. A meaningful basic installation includes the packages in Listing 3.
Listing 3
Packages for Kippo
You can use SVN to download the program, which is written in Python. Then, change to the desired directory and enter:
svn checkout http://kippo.googlecode.com/svn/trunk/kippo-read-only
The program is basically ready for action after processing these commands, but it still cannot access the database. Log in by typing
mysql -h localhost -u root -p
at the MySQL console; then run:
create database kippo; GRANT ALL ON kippo.* TO 'kippo'@' localhost' IDENTIFIED BY' Kippo-DB-pass'; exit
The developers provide their honeypot with a predefined data schema. Change to the kippo-read-only/doc/sql
directory and open the MySQL console again.
Next, load the content of the schema into the database:
mysql -u kippo -p use kippo; source mysql.sql;
Before running the program, you need to provide a configuration file. Rename the file named kippo.cfg.dist
in the directory /kippo-read-only
to kippo.cfg
. Then, modify the following sections to connect your honeypot with the database:
[database_mysql] host = localhost database = kippo username = kippo password = Kippo-DB-pass
After you finish the configuration, redirect the SSH server running on your Raspberry Pi to a different port if you deploy Kippo on port 22 [3]. Start the service with sudo ./start.sh
. From this point on, the honeypot accepts command switches stored in a logfile.
Acquired information can be transferred to a web interface for easy evaluation. To do this, first extract the statistics package [4] in the /var/www
directory and modify the config.php
file; then, open /kippo-graph/index.php
and enjoy the prebuilt back end.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.