Installing DShield Honeypot on a Raspberry Pi
A lightweight honeypot that contributes threat intelligence data to SANS Internet Storm Center (ISC) for research purposes.
DShield Honeypot is a lightweight honeypot intended to mimic a vulnerable system to gather threat intelligence. This data is then sent to SANS ISC’s vast data repository for research purposes.
Honeypots are not intended to hold any valuable data that can be compromised. Instead, these systems are used to attract attackers to learn more about their techniques, patterns, and the way they operate.
In this article, we will walk through the steps to install and configure DShield Honeypot on a Raspberry Pi running Raspberry Pi OS Lite.
Prerequisites
- Raspberry Pi 2, 3, or 4 running Raspberry Pi OS Lite
- Internet Connection
Other versions of Raspberry Pi OS should work as well, but Lite has the smallest footprint.
1. SSH to your Raspberry Pi
You can use PuTTY or your favorite SSH client.
Type in your Raspberry Pi’s IP address and click Open.
The default username is “pi” and the default password is “raspberry”. You should update the password to something more secure.
2. Run the “date” command to check the time and date on your Raspberry Pi.
pi@raspberrypi:~ $ date
Mon 29 Jun 01:55:54 BST 2020
pi@raspberrypi:~ $
You can adjust your timezone by using the raspi-config command.
sudo raspi-config
Choose option 4 Localisation Options from the menu.
Select option I2 Change Time Zone from the menu.
Select your geographic area in which you live.
Select the city or region corresponding to your time zone.
Select Finish to apply your new time zone settings.
Your new time zone will now be displayed.
Current default time zone: 'America/Chicago'
Local time is now: Sun Jun 28 20:03:48 CDT 2020.
Universal Time is now: Mon Jun 29 01:03:48 UTC 2020.
pi@raspberrypi:~ $
3. Update Raspberry Pi
Run the following commands to update your Raspberry Pi.
Note: Times can vary on updates due to OS version, internet speed, and Raspberry Pi hardware specs.
pi@raspberrypi:~ $ sudo apt-get update
...
Fetched 13.5 MB in 11s (1,212 kB/s)
Reading package lists... Done
pi@raspberrypi:~ $ sudo apt-get -uy dist-upgrade
...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
4. Reboot Raspberry Pi
Run the following command to reboot your Raspberry Pi. SSH back in when the system is back up and running.
pi@raspberrypi:~ $ sudo reboot
5. Install Git
Git does not come installed by default on Raspberry Pi OS Lite. You’ll need to install it using the following command.
pi@raspberrypi:~ $ sudo apt-get install -y git
Reading package lists... Done
...
Setting up git (1:2.20.1-2+deb10u3) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10+rpi1) ...
pi@raspberrypi:~ $
You can ensure it’s been installed by running the following command.
pi@raspberrypi:~ $ which git
/usr/bin/git
6. Create Installation Directory
You’ll need to create a directory called install. This directory is where we will clone the Git repository. Run the following command to create it.
pi@raspberrypi:~ $ mkdir install
pi@raspberrypi:~ $ ls -l
total 4
drwxr-xr-x 2 pi pi 4096 Jun 28 20:24 install
pi@raspberrypi:~ $
Change into the directory using the following command.
pi@raspberrypi:~ $ cd install
pi@raspberrypi:~/install $ pwd
/home/pi/install
pi@raspberrypi:~/install $
7. Clone the DShield Git Repository
Run the following command to clone the dshield.git repository into the install folder.
pi@raspberrypi:~/install $ git clone https://github.com/DShield-ISC/dshield.git
Cloning into 'dshield'...
...
Receiving objects: 100% (2476/2476), 1.14 MiB | 9.00 MiB/s, done.
Resolving deltas: 100% (1480/1480), done.
pi@raspberrypi:~/install $
You can verify the dshield.git repository has been cloned into the install folder by running the following command.
pi@raspberrypi:~/install $ ls -l
total 4
drwxr-xr-x 8 pi pi 4096 Jun 28 20:27 dshield
pi@raspberrypi:~/install $
8. Run the Install Script
You’ll need to change into the dshield/bin directory using the following command.
pi@raspberrypi:~/install $ cd dshield/bin/
pi@raspberrypi:~/install/dshield/bin $
Run the following command to execute the install script in the bin folder.
pi@raspberrypi:~/install/dshield/bin $ sudo ./install.sh
The installation script will now begin to run.
You will be prompted with a WARNING message asking you to acknowledge you know that you are turning your Raspberry Pi into a honeypot.
Select Yes.
The next screen will ask if you’d like updates to be done automatically or manually. It’s recommended you choose automatic.
Select OK.
9. Create DShield Account
The next screen requires that you enter your E-Mail Address and API Key to move forward. You will need to create a DShield account to get this information.
Click the following link to create a DShield account https://dshield.org/login.html
Select Register as new user.
Enter in an E-Mail address and create a password. Select the checkbox after reading the content.
Click Register.
Check your E-Mail and click the link provided to validate your account.
You will need to enter your E-Mail address to complete the validation.
Type in your email address and click Submit Query.
Your account is now validated. Use the link provided to log into your account.
10. Get API Key
Now that you have an account you will need to get the API key.
Log into your DShield Account. You’ll be brought to your dashboard by default.
Click My Account in the top-right corner.
Your API key will be displayed.
This page also has the option to set up 2FA and a Recovery Phone. It is highly recommended you set these up.
11. Enter DShield Account Information
Type or copy/paste your E-Mail Address into the E-Mail Address field.
Copy/paste your API key into the API Key field.
Hit the enter key to Verify the information.
Your API Key will be verified and you’ll be allowed to move to the next step.
Select OK.
12. Select Default Interface
A wired Ethernet connection is preferred. The Raspberry Pi has one network interface. We will leave the default option selected.
Select OK.
13. Local Network and Access
The next step will configure admin access. By default, the SSH port will be changed from port 22 to 12222.
You will need to enter the local network range that should be allowed administrative access.
You can also enter in other trusted IPs and networks in the “Further IPs” field.
Note: Your local network will vary from the screenshot. Your local network may use 10.x or 192.x. Be sure to check your network settings before proceeding.
Select OK.
Select OK.
14. IPs to Ignore for Firewall Log
The next step allows you to enter in a network that the firewall will not log and will not redirect to the honeypot ports.
Ensure your local network is entered in the field.
Select OK.
Select OK.
15. IPs/Ports to Disable Honeypot
The next option lets you disable the honeypot for specified IPs and ports so that access attempts from your own network are not reported.
Ensure your network from above is entered in the field.
I left the Honeypot Ports at their default.
Select OK.
Select OK.
Configurations and installations will continue.
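Steps 13 through 15 all take the same local network range, and admin SSH (on port 12222 after the install) is only allowed from it, so a mistyped range locks you out at the next reboot. The following is an added sanity check, not part of the DShield installer: it confirms the Pi's own address falls inside the range you plan to enter. The function names check_range, in_cidr and ip_to_int are this example's own, and it assumes Raspberry Pi OS, where hostname -I prints the Pi's addresses.

```shell
#!/bin/sh
# Added example, not part of the DShield installer: before entering the
# "local network" range in steps 13 to 15, confirm the Pi's own address
# is inside it. Admin SSH (moved to port 12222 by the installer) is only
# allowed from that range, so a wrong range locks you out after reboot.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  echo "$1" | {
    IFS=. read -r a b c d
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
  }
}

# in_cidr IP NETWORK/PREFIX -> prints "yes" if IP lies inside the range.
in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  # Build the netmask from the prefix length, kept to 32 bits.
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
    echo yes
  else
    echo no
  fi
}

# check_range NETWORK/PREFIX [IP]: IP defaults to the Pi's first address
# (hostname -I, as on Raspberry Pi OS). Returns 0 if the Pi is inside.
check_range() {
  pi_ip=${2:-$(hostname -I 2>/dev/null | awk '{print $1}')}
  if [ "$(in_cidr "$pi_ip" "$1")" = yes ]; then
    echo "OK: $pi_ip is inside $1; admin access will keep working."
    return 0
  fi
  echo "WARNING: $pi_ip is NOT inside $1; you would be locked out."
  return 1
}

# Run on the Pi as: sh check_range.sh 192.168.1.0/24
if [ $# -ge 1 ]; then
  check_range "$1"
fi
```

Run it once with the exact range you intend to type into the installer; if it warns, fix the range before selecting OK.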
16. Create SSL Certificate
You’ll need to enter your details to create an SSL certificate.
The script can create a Certificate Authority (CA) to sign the certificate or you can select No and send the certificate to another CA for signing.
I recommend you select Yes and have the script create a CA.
Select Yes.
Your SSL certificate will be created.
17. Reboot the Raspberry Pi
Run the following command to reboot your Raspberry Pi.
pi@raspberrypi:~ $ sudo reboot
Note: Your SSH port will change from 22 to 12222.
18. Expose Your Raspberry Pi to the Internet
Note: This step exposes your device to the public internet. While this is the intended purpose, please be aware of what you are doing in this step and be sure to revert these steps if you choose to take down your honeypot.
Currently, your Raspberry Pi is running DShield but it’s not accessible from the public internet.
This step can vary based on your network setup and devices. Essentially, you need to configure your router to use the Raspberry Pi as your DMZ.
You will need to enter your Raspberry Pi as the DMZ server.
After your settings have been applied you can use a free online port scanner to scan your public IP address. You should see something similar to the image below.
Your honeypot is now exposing these ports to the public internet.
Wrapping Up
Congrats! You now have DShield running on your Raspberry Pi.
Logs will be sent to DShield every 30 minutes. You can check out the DShield dashboard at https://secure.dshield.org/dashboard.html. You can search by IP address to see any reports associated with your IP address. Your data will also be aggregated into summaries with other data sent to DShield.
Choosing to install DShield helps ISC by contributing data to their research. Know that your contribution does help.
If you have any questions feel free to Tweet or PM me @mrkmety