Dockerized DShield SSH Honeypot
One month ago, Johannes released a beta version of a DShield sensor for the Raspberry Pi. The Pi is a cool computer to run such kind of tools but you must have a spare one and it requires extra cables and power (ok, not so much). Building and maintaining a virtual machine for an application with low requirements in CPU, memory and bandwidth is a bit overkill. Why not use a container?
I re-used Johannes’s installation script, restricted the installation to the bare minimum. The goal is just to run a cowrie instance and enable the DShield output module. To report collected data to DShield, you need an account.
Building the container is very easy:
# git clone https://github.com/xme/dshield-docker # cd dshield-docker # docker build -t dshield/honeypot
The container performs a check of your DShield credentials at boot time. You can pass them to the container using a text file (keep it in a safe place!)
# cat <<_END_ >env.txt DSHIELD_UID=xxxxx DSHIELD_APIKEY=xxxxx DSHIELD_EMAIL=xxxxx _END_ # docker run -d -p 2222:2222 —env=env.txt —restart=always —name dshield dshield/honeypot
Interested? More information and sources are available here. Happy hunting!
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
My next class:
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
×
Diary Archives
Comments
Does one need a specific model of the Raspberry Pi to use this system?
Anonymous
Aug 23rd 2017
7 years ago
What is the advantage to using this instead of the built in SSH reporting ability in the Raspberry PI DShield Sensor Honeypot?
Currently my newly rebuilt PI Honeypot isn't submitting SSH traffic. I've opened a bug on the DShield github page on this.
I'll assume it can't run on the Dhield sensor as it is already listening on port 22 for external traffic, and uses a different port for admin connections to SSH.
My guess is that this project only listens for port 2222 SSH traffic, whereas the DShield sensor collects other data's as well.
Thank-You for the clarification.
-= BDM
Anonymous
Nov 2nd 2017
6 years ago
Anonymous
Nov 3rd 2017
6 years ago