Pi Zero HoneyPot
The ISC has had a Pi honeypot (1) for the last couple of years, but I haven't had much time to try it on the Pi Zero. Recently, I've had a chance to try it out, and it works great.
Hardware
The Pi Zero ($5) has no networking built in at all. To connect it, you need a micro USB Wi-Fi adapter or a micro USB Ethernet adapter. You probably don't want all that extra traffic on your Wi-Fi network, so wired is the best option.
I'm using the Plugable USB2-E100 with a USB to Micro-USB adaptor. I already had it for another reason, but it is working well. Here is a list of tested USB adapters for the Pi. (2) Most of these cost around $10-$15. There are some cheap options on the forum, but I haven't tried them. (3)
The Pi Zero uses Micro USB for power. If you have an old phone charger lying around, you can use that. You will also need a case, a microSD card (at least 8GB), and Ethernet. If you have a friend with a 3D printer and an old microSD card, all you need is the Pi Zero and the USB Ethernet adapter.
For the total cost, if you have nothing to start with:
Pi Zero with power, case, microSD card: ~$20
USB Ethernet adapter: $1-$15
Total: ~$35
The Pi 3B+ has onboard Ethernet, standard USB ports and lots of other features, but the starter kit is $79, which is more than double the cost. While you could get the latest Pi 4, for a honeypot it's overkill for the price. They also run pretty hot and need more cooling, though they do have USB-C for power.
Install
Johannes has an excellent video that walks you through the whole process. (4) The install takes quite a long time to download and set up on the Pi Zero; I believe it took around an hour or so. Once it's done, performance has been excellent.
But in short:
1. Download Raspberry Pi OS (32-bit) Lite
2. Burn the image to the microSD card on Windows with Etcher (5)
3. Make config changes
4. Boot the Pi and SSH in
5. Change the default password
6. Run screen or byobu
7. Install the honeypot
8. Set up Ubuntu auto patching
Additional Tweaks for the Pi Zero
Once you get everything set up, you will want to remove the randomsound service. This service is supposed to generate entropy, but it pegs the Pi Zero CPU at 100 percent.
$ sudo apt-get remove randomsound
For performance monitoring over time, use ttyload. It's a great little tool to make sure your Pi is doing OK once you start sending traffic to it.
# apt-get install ttyload
Logs
Most of the data is stored in the /srv folder, and here are the locations of the key logs:
/srv/www/DB/webserver.sqlite
/srv/cowrie/var/log/cowrie/cowrie.log
/var/log/dshield.log
I wrote a simple bash script (6) that you can cron to send yourself daily emails of the logs to monitor. These logs are automatically sent to the ISC Storm Center, but the website normally does not give you visibility into the web application traffic your honeypot receives.
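As an added example, separate from the author's honeypot-daily.sh in (6), the POSIX shell script below boils one day of cowrie.log down to the few numbers worth reading in a daily e-mail: connection count, login outcomes, and the top source IPs and usernames. The sample log lines are constructed to resemble cowrie.log entries, and their exact field layout is an assumption, so adjust the patterns to match your own log.

```shell
#!/bin/sh
# Added example (not the author's honeypot-daily.sh): summarise a day of
# cowrie.log for a daily e-mail. Sample lines are constructed to resemble
# cowrie.log entries; the field layout is an assumption, not copied from cowrie.

# Write constructed sample log lines to the file named in $1.
write_sample_log() {
  cat > "$1" <<'EOF'
2020-08-04T01:02:03.000000Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 192.0.2.10:51234 (10.0.0.5:2222) [session: aaaa0001]
2020-08-04T01:02:04.000000Z [HoneyPotSSHTransport,0,192.0.2.10] login attempt [b'root'/b'123456'] failed
2020-08-04T01:02:05.000000Z [HoneyPotSSHTransport,0,192.0.2.10] login attempt [b'root'/b'password'] succeeded
2020-08-04T02:00:00.000000Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 198.51.100.7:40000 (10.0.0.5:2222) [session: aaaa0002]
2020-08-04T02:00:01.000000Z [HoneyPotSSHTransport,1,198.51.100.7] login attempt [b'admin'/b'admin'] failed
2020-08-04T03:00:00.000000Z [cowrie.ssh.factory.CowrieSSHFactory] New connection: 192.0.2.10:51300 (10.0.0.5:2222) [session: aaaa0003]
EOF
}

# Print connection and login counts for the log named in $1, then the top
# source IPs (by connection) and the top usernames tried (by attempt).
# "|| true" keeps grep -c's exit status 1 on zero matches from aborting a
# caller running under set -e.
summarize_cowrie() {
  log="$1"
  conns=$(grep -c 'New connection:' "$log" || true)
  failed=$(grep -c 'login attempt .* failed' "$log" || true)
  succeeded=$(grep -c 'login attempt .* succeeded' "$log" || true)
  printf 'connections=%s failed_logins=%s successful_logins=%s\n' \
    "$conns" "$failed" "$succeeded"
  printf 'top sources:\n'
  sed -n 's/.*New connection: \([0-9.]*\):.*/\1/p' "$log" \
    | sort | uniq -c | sort -rn | head -5
  printf 'top usernames tried:\n'
  sed -n "s/.*login attempt \[b'\([^']*\)'.*/\1/p" "$log" \
    | sort | uniq -c | sort -rn | head -5
}

# Demo: build the sample log in a temp file, print the summary, clean up.
# On the honeypot you would point summarize_cowrie at the real cowrie.log
# and pipe its output to your mail command from cron.
SAMPLE=$(mktemp)
write_sample_log "$SAMPLE"
summarize_cowrie "$SAMPLE"
rm -f "$SAMPLE"
```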
For a small investment, it's a great project to set up and play with.
Johannes is giving a talk about the honeypot on Tuesday (7); check it out!
(1) https://isc.sans.edu/honeypot.html
(2) https://elinux.org/RPi_USB_Ethernet_adapters
(4) https://www.youtube.com/watch?v=fMqhoNnyvmE&t=1s
(5) https://www.balena.io/etcher/
(6) https://github.com/tcw3bb/ISC_Posts/blob/master/honeypot-daily.sh
--
Tom Webb
@twsecblog