Handler on Duty: Didier Stevens
Threat Level: green
DShield Honeypot
The DShield Honeypot is a low interaction honeypot that allows us to collect data for research purposes. The honeypot by default runs the following clients:
- Collecting SSH and Telnet usernames and passwords via Cowrie
- An HTTP honeypot collecting full http requests
- We also collect firewall logs from the honeypot
The honeypot can be installed on a Raspberry Pi using Raspbian OS or a system running Ubuntu 20.04 LTS. For more details and up to date instructions, see our GitHub repository.
Complete Install Video via YouTube (long / thorough)
Honeypot FAQs
- Will running a honeypot increase my risk of an attack?
It should not. This is not an actual vulnerable system. But instead, we are using scripts like Cowrie to simulate a vulnerable system. - Is it useful to DShield to have a honeypot on a residential DSL/Cable connection or do you need data from large networks?
Absolutely. We need a large number of diverse participants to make this project useful. Even a normal home connection will likely see several attacks a day. - Can I run the honeypot on a free AWS instance (or other cloud service)?
Yes. The honeypot uses little resources. It should work well on a minimum cloud instanace. It needs only little disk storage. Logs are sent to DShield every 30 minutes and no longer term log storage is needed. - Can the honeypot be hacked? Can it be used to attack others?
We hope not. The honeypot uses scripts to simulate vulnerable services. This is not a vulnerable machine or "full interaction" honeypot. - How do I report a problem or ask for help?
Report any problems as an "issue" via GitHub. This is the best way for us to track any problems. Or use our Slack channel.