Using a Raspberry Pi as a network honeypot
Digital Tar Pit
A program launched by an attacker has invaded your network and is starting to port scan the environment; the next step will be to attack any systems it finds. LaBrea [7] – a "Sticky Honeypot" – is a good choice because it spoofs a whole army of non-existent computers.
The program, which was coded as a response to the Code Red [8] epidemic, is installed on your Raspberry Pi using apt-get
. To launch, type
sudo labrea -z -s -o -b -p 10000 -d -i eth0
The -z
option is a safety switch that you need to pass in whenever you call the program. The -s
option tells a program that a switch exists, and -o
redirects logout ports to the command line. The -b
and -p
parameters manage the bandwidth, and -i
defines the interface. From this point on, LaBrea will field incoming ICMP requests and port scan requests. Figure 2 shows how the program responds to IP addresses that do not exist on the test network.
The important thing to remember is that LaBrea can cause problems for DHCP servers and Solaris systems because of the way it works. Solaris has the unfortunate property of responding to certain ARP packets by deactivating its own IP stack [9].
Honeypots at the Application Level
Forensic investigations reveal that most attacks are launched from the inside: Disgruntled staff all too often use their knowledge to exact their revenge. Honeypots can provide a remedy for internal attacks. The simplest form of the honeypot is a "honeyfile," which is not normally needed to run the computer system.
The honeyfile, equipped with an enticing name, contains a macro that sends a message to the control server when opened. Because attackers today will tend to prevent macros executing on their systems, the recommended workaround is an HTML file with the mandatory external dependency required for display elements to work.
Advanced installations rely on a dedicated file server. Scripts running in the background evaluate any changes. Access to files tagged as prohibited trigger an immediate alert. Intrinsec [10] introduced a system in 2014 that sidetracks ransomware with a combination of honeyfiles and kernel drivers. Processes that access honeyfiles are automatically terminated, thus mitigating any potential damage.
Unfortunately, no prebuilt implementations offer a ready-made honey file configuration: Honey files and related applications within the honeypot category are not currently a subject of research. If you want to use them to secure your network, you have little choice but to program them yourself.
Conclusions
Honeypots simulate vulnerable systems. They motivate attackers invading an unknown network to spend time playing. This time in the pot offers administrators a considerable advantage. First, the attacker wastes time and resources experimenting with the honeypot that they would otherwise use for targeting production systems. Second, warning systems on the honeypot alert the administrator as soon as an attacker moves in.
Virtualization and the availability of low-budget, single-board computers means technology that was previously only possible on large networks is now part of the public domain. A honeypot can help you trap intruders and buy you valuable time to respond to an attack.
Infos
- Glastopf: http://glastopf.org/
- Kippo: https://github.com/desaster/kippo
- Kippo installation for Raspberry Pi: http://itgeekchronicles.co.uk/2013/05/14/honeypot-kippo-pi/
- Kippo statistics package download: http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.4.tar
- Honeyd: http://www.honeyd.org/
- BruteForce Labs analysis scripts: http://bruteforce.gr/honeyd2mysql
- LaBrea: http://labrea.sourceforge.net/
- Code Red: https://en.wikipedia.org/wiki/Code_Red_(computer_worm)
- Solaris and ARP packets: https://github.com/Hirato/LaBrea/blob/master/INSTALL
- Intrinsec: http://securite.intrinsec.com/2014/04/11/honeyfile-origins/
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.