
SANS ISC: Dockerized DShield SSH Honeypot - Internet Security | DShield SANS ISC InfoSec Forums


Dockerized DShield SSH Honeypot

One month ago, Johannes released a beta version of a DShield sensor for the Raspberry Pi. The Pi is a cool computer for running this kind of tool, but you must have a spare one and it requires extra cables and power (ok, not so much). Building and maintaining a virtual machine for an application with low CPU, memory and bandwidth requirements is a bit overkill. Why not use a container?
 
I re-used Johannes’s installation script and restricted the installation to the bare minimum. The goal is just to run a cowrie instance and enable the DShield output module. To report collected data to DShield, you need an account.
 
Building the container is very easy:
# git clone https://github.com/xme/dshield-docker
# cd dshield-docker
# docker build -t dshield/honeypot .
The container checks your DShield credentials at boot time. You can pass them to the container using a text file (keep it in a safe place!):
# cat <<_END_ >env.txt
DSHIELD_UID=xxxxx
DSHIELD_APIKEY=xxxxx
DSHIELD_EMAIL=xxxxx
_END_
# docker run -d -p 2222:2222 --env-file=env.txt --restart=always --name dshield dshield/honeypot
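
A pre-flight check for the credentials file described above, as an added example that is not part of the original post or the dshield-docker repository. The three variable names come from the post; the function name check_env_file, its return codes and the specific checks are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: validate env.txt before handing it to "docker run --env-file".
# Variable names are from the post; everything else here is an assumption.

# check_env_file FILE
# Returns 0 if usable, 1 if missing or unreadable, 2 if group/other can
# access it, 3 if a required variable is absent, empty, quoted, or still
# set to the xxxxx placeholder shown in the post.
check_env_file() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || { echo "$f: not a readable file" >&2; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: accessible beyond its owner, run: chmod 600 $f" >&2
        return 2
    fi

    for key in DSHIELD_UID DSHIELD_APIKEY DSHIELD_EMAIL; do
        # Skip comment lines and keep the last assignment of the key.
        val=$(grep -v '^[[:space:]]*#' "$f" | sed -n "s/^$key=//p" | tail -n 1)
        case $val in
            '')      echo "$key: missing or empty" >&2; return 3 ;;
            xxxxx)   echo "$key: placeholder not replaced" >&2; return 3 ;;
            # docker does not strip quotes from --env-file values.
            \"*|\'*) echo "$key: remove the quotes around the value" >&2; return 3 ;;
        esac
    done
    return 0
}

# Stand-alone use: sh check_env.sh env.txt
if [ "$#" -gt 0 ]; then
    check_env_file "$1"
fi
```

Running it before the docker run command catches a world-readable API key or an unedited placeholder before the container's own boot-time credential check fails.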
Interested? More information and sources are available here. Happy hunting!

Xavier Mertens
ISC Handler - Freelance Security Consultant