My next class:

Beta Testers Wanted: Use a Raspberry Pi as a DShield Sensor

Published: 2016-02-10. Last Updated: 2016-02-10 15:31:34 UTC
by Johannes Ullrich (Version: 1)
36 comment(s)

I am currently working on an easy way to turn a Raspberry Pi into a DShield sensor. If you would like to, you can try the current "beta version" of the software. Feedback is very much appreciated. To get started:

  • Install Raspbian Jessie on your Pi https://www.raspberrypi.org/downloads/raspbian/
  • change the default password (VERY IMPORTANT!!!)
  • claim the entire SD card for Raspbian (by default, you only use 4GB, and space may be tight). the easiest way to do this is to run sudo raspi-config and select "expand roofs"
  • you will need the e-mail address, the numeric userid and the "authkey" for your ISC/DShield account. You can retrieve it here: https://isc.sans.edu/myaccount.html
  • Download the software from github: git clone https://github.com/DShield-ISC/dshield.git
  • run the install script sudo dshield/bin/install.sh
  • enjoy (hopefully... and please let me know what works/doesn't work, if possible by entering an "issue" with github https://github.com/DShield-ISC/dshield/issues ) .

Important: The install script will move the SSH server to port 12222. So the next time you connect after a reboot, you will need to connect to that port (ssh -p 12222 pi@[your pi IP]) . The reason we do this is to keep port 22 free for an ssh honeypot.

In order to make the Raspberry Pi a useful sensor, you need to expose it to network traffic. For example, you could use your router's "DMZ" feature to expose the system. Other Raspbian versions may work, and if you do have one, by all means test it and let me know how it goes.

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
36 comment(s)
My next class:

Comments

I was going to planet mod_security into my WP/LAMP Pi this weekend, but now you got me hooked. Will let you know.
Agreed, this sounds like a great weekend project. I'm in.
Great idea! Just ordered a 2nd Pi - other one is already in use. Is this just an SSH honeypot or something more? Does it only need public internet exposure, or visibility to traffic in & out of my main network? I ask because I have additional public IP's, so if all we want is internet exposure, I'll put it outside of my local network with a public IP. Thanks!
Please include me, assuming home connections are valuable.
I've had a Raspberry pi sitting around for ages, this might be a good way to give it something interesting to do.
I haven't played with it yet but am assuming it's some sort of Kippo equivalent SSH server with fake file system. So if you don't have port 22 NATed inbound you should be good to go. @Chapman
Dshield sensor is up and running with 22-->12222 NATed and tested. Couple of questions is this suppose to log username and passwords only? I haven't seen any legit users database or fake file system script. The other thing I wanted to ask you about is how do we verify that are pi's logs are being submitted to ISC Dshield? is there some sort of portal that we have access to?
Up & running also!

I'll look forward to hearing what is next or how to know if it's doing anything.
[quote=comment#36407]Dshield sensor is up and running with 22-->12222 NATed and tested. Couple of questions is this suppose to log username and passwords only? I haven't seen any legit users database or fake file system script. The other thing I wanted to ask you about is how do we verify that are pi's logs are being submitted to ISC Dshield? is there some sort of portal that we have access to?[/quote]

If you login you should have access through My Account > My SSH reports?

I want to jump aboard too! :)
No raw data under my SSH reports for the past three days, although I tried test/test couple of times thru my cellular LTE.

Diary Archives