SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-03-15

Dockerized DShield SSH Honeypot

Published: 2016-03-15
Last Updated: 2016-03-15 07:34:51 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

One month ago, Johannes released a beta version of a DShield sensor for the Raspberry Pi. The Pi is a nice little computer for running tools like this, but you need a spare one, and it requires extra cables and power (admittedly, not much). Building and maintaining a full virtual machine for an application with such low CPU, memory and bandwidth requirements is overkill. Why not use a container?
 
I re-used Johannes's installation script and restricted the installation to the bare minimum. The goal is just to run a Cowrie instance with the DShield output module enabled. To report collected data to DShield, you need an account.
 
Building the container is very easy (the trailing dot tells docker build to use the cloned directory as its build context):
# git clone https://github.com/xme/dshield-docker
# cd dshield-docker
# docker build -t dshield/honeypot .
The container checks your DShield credentials at boot time. You pass them in with a text file of environment variables (keep it in a safe place, it contains your API key!):
# cat <<_END_ >env.txt
DSHIELD_UID=xxxxx
DSHIELD_APIKEY=xxxxx
DSHIELD_EMAIL=xxxxx
_END_
# docker run -d -p 2222:2222 --env-file=env.txt --restart=always --name dshield dshield/honeypot
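A small pre-flight check for that env file, added here as an example and not part of the dshield-docker project: it verifies that the three variables the container expects are present, non-empty and not still the xxxxx placeholders, that their values carry no quotes or spaces (docker --env-file keeps everything after the = verbatim, quotes included), and warns if the file is readable by other users. The variable names are the ones from env.txt above; the function name and the mode check are my own additions, written for plain POSIX sh.

```shell
#!/bin/sh
# check_dshield_env FILE
# Validates a DShield env file before it is handed to `docker run --env-file`.
# Returns 0 when the file is usable, 1 otherwise; findings go to stderr.
# (Example helper, not part of the dshield-docker project.)
check_dshield_env() {
  file=$1
  rc=0
  if [ ! -f "$file" ]; then
    echo "missing env file: $file" >&2
    return 1
  fi
  # The file holds an API key, so group/other should not be able to read it.
  # GNU stat first, BSD/macOS stat as fallback.
  perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$perms" in
    *00) ;;   # 600, 400, 700: only the owner can read it
    *) echo "warning: $file is mode $perms; consider chmod 600" >&2 ;;
  esac
  for var in DSHIELD_UID DSHIELD_APIKEY DSHIELD_EMAIL; do
    line=$(grep "^${var}=" "$file" | head -n 1)
    value=${line#*=}
    if [ -z "$line" ]; then
      echo "$var is not set in $file" >&2; rc=1
    elif [ -z "$value" ] || [ "$value" = "xxxxx" ]; then
      echo "$var is empty or still the xxxxx placeholder" >&2; rc=1
    else
      # docker --env-file does no shell parsing: quotes and spaces become
      # part of the value and the credential check in the container fails.
      case "$value" in
        *\"*|*\'*|*" "*)
          echo "$var contains quotes or spaces; --env-file passes them verbatim" >&2
          rc=1 ;;
      esac
    fi
  done
  return $rc
}

# Intended use, before starting the honeypot:
#   check_dshield_env env.txt && docker run -d -p 2222:2222 --env-file=env.txt \
#     --restart=always --name dshield dshield/honeypot
```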
Interested? More information and the sources are available in the GitHub repository linked above. Happy hunting!

Xavier Mertens
ISC Handler - Freelance Security Consultant