My next class:
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024

Dockerized DShield SSH Honeypot

Published: 2016-03-15. Last Updated: 2016-03-15 07:34:51 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

One month ago, Johannes released a beta version of a DShield sensor for the Raspberry Pi. The Pi is a cool computer to run this kind of tool, but you must have a spare one, and it requires extra cables and power (ok, not so much). Building and maintaining a virtual machine for an application with such low requirements in CPU, memory and bandwidth is a bit overkill. Why not use a container?
 
I re-used Johannes's installation script and restricted the installation to the bare minimum. The goal is just to run a Cowrie instance and enable the DShield output module. To report collected data to DShield, you need an account.
 
Building the container is very easy:
# git clone https://github.com/xme/dshield-docker
# cd dshield-docker
# docker build -t dshield/honeypot .
The container checks your DShield credentials at start-up. You can pass them to the container in a text file (keep it in a safe place!):
# cat <<_END_ >env.txt
DSHIELD_UID=xxxxx
DSHIELD_APIKEY=xxxxx
DSHIELD_EMAIL=xxxxx
_END_
# docker run -d -p 2222:2222 --env-file=env.txt --restart=always --name dshield dshield/honeypot
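As an added example (not part of the diary or of the dshield-docker project), the wrapper below validates the credentials file before the container is started: it refuses a file readable by other users, rejects the xxxxx placeholders, and only then builds and runs the container with the diary's commands. The variable names are the diary's; the file name and the "deploy" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: guard the DShield credentials file, then build/run the honeypot.

REQUIRED_VARS="DSHIELD_UID DSHIELD_APIKEY DSHIELD_EMAIL"

# check_env_file FILE: return 0 only if FILE is private (mode ?00) and every
# required variable is set to something other than the diary's xxxxx placeholder.
check_env_file() {
    file="$1"
    [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }
    # Refuse a group/world-readable file: it holds the DShield API key.
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$perms" in
        *00) ;;
        *) echo "$file is readable by group/others (mode $perms); chmod 600 it" >&2; return 1 ;;
    esac
    for v in $REQUIRED_VARS; do
        val=$(sed -n "s/^$v=//p" "$file")
        [ -n "$val" ] || { echo "$v is not set in $file" >&2; return 1; }
        [ "$val" != "xxxxx" ] || { echo "$v still has the placeholder value" >&2; return 1; }
    done
    return 0
}

# run_command FILE: the diary's docker run line. --env-file reads KEY=VALUE
# pairs from FILE; plain --env does not read a file at all.
run_command() {
    echo "docker run -d -p 2222:2222 --env-file=$1 --restart=always --name dshield dshield/honeypot"
}

# Docker is only invoked when the script is run as: sh deploy.sh deploy [env-file]
if [ "${1:-}" = "deploy" ]; then
    envfile="${2:-env.txt}"
    check_env_file "$envfile" || exit 1
    docker build -t dshield/honeypot .   # the trailing dot is the build context
    eval "$(run_command "$envfile")"
fi
```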
Interested? More information and the sources are available in the GitHub repository (https://github.com/xme/dshield-docker). Happy hunting!

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key


Comments

There is a dot (.) missing in the docker build command.

Does one need a specific model of the Raspberry Pi to use this system?

Hi Xavier,
What is the advantage of using this instead of the built-in SSH reporting ability in the Raspberry Pi DShield Sensor Honeypot?

Currently my newly rebuilt PI Honeypot isn't submitting SSH traffic. I've opened a bug on the DShield github page on this.

I'll assume it can't run on the DShield sensor as it is already listening on port 22 for external traffic, and uses a different port for admin connections to SSH.

My guess is that this project only listens for port 2222 SSH traffic, whereas the DShield sensor collects other data as well.

Thank you for the clarification.

-= BDM

The advantage of Docker containers is the easy deployment on new sensors in a few seconds!
