The DShield Honeypot is a low-interaction honeypot that allows us to collect data for research purposes. By default, the honeypot runs the following clients:
- Collecting SSH and Telnet usernames and passwords via Cowrie
- An HTTP honeypot collecting full HTTP requests (we are currently working on our own; for now, Apache is used)
- We also collect firewall logs from the honeypot
The honeypot can be installed on a Raspberry Pi or on most Linux systems running a Debian- or Red Hat-based distribution, but most testing has been done with a Raspberry Pi and Ubuntu. For more details about the software and how to install it, see our GitHub repository.
- Will running a honeypot increase my risk of an attack?
It should not. This is not an actual vulnerable system; instead, we are using scripts like Cowrie to simulate a vulnerable system.
- Is it useful to DShield to have a honeypot on a residential DSL/Cable connection or do you need data from large networks?
Absolutely. We need a large number of diverse participants to make this project useful. Even a normal home connection will likely see several attacks a day.
- Can I run the honeypot on a free AWS instance (or other cloud service)?
Yes. The honeypot uses few resources. It should work well on a minimal cloud instance. It needs only a little disk storage, as logs are sent to DShield.
- Can the honeypot be hacked? Can it be used to attack others?
We hope not. The honeypot uses scripts to simulate vulnerable services. This is not a vulnerable machine or "full interaction" honeypot.
- How do I report a problem or ask for help?
Report any problems as an "issue" via GitHub. This is the best way for us to track any problems.