Using a Raspberry Pi as a network honeypot
Digital Tar Pit
A program launched by an attacker has invaded your network and is starting to port scan the environment; the next step will be to attack any systems it finds. LaBrea [7] – a "Sticky Honeypot" – is a good choice because it spoofs a whole army of non-existent computers.
The program, which was coded as a response to the Code Red [8] epidemic, is installed on your Raspberry Pi using apt-get
. To launch, type
sudo labrea -z -s -o -b -p 10000 -d -i eth0
The -z
option is a safety switch that you need to pass in whenever you call the program. The -s
option tells a program that a switch exists, and -o
redirects logout ports to the command line. The -b
and -p
parameters manage the bandwidth, and -i
defines the interface. From this point on, LaBrea will field incoming ICMP requests and port scan requests. Figure 2 shows how the program responds to IP addresses that do not exist on the test network.
The important thing to remember is that LaBrea can cause problems for DHCP servers and Solaris systems because of the way it works. Solaris has the unfortunate property of responding to certain ARP packets by deactivating its own IP stack [9].
Honeypots at the Application Level
Forensic investigations reveal that most attacks are launched from the inside: Disgruntled staff all too often use their knowledge to exact their revenge. Honeypots can provide a remedy for internal attacks. The simplest form of the honeypot is a "honeyfile," which is not normally needed to run the computer system.
The honeyfile, equipped with an enticing name, contains a macro that sends a message to the control server when opened. Because attackers today will tend to prevent macros executing on their systems, the recommended workaround is an HTML file with the mandatory external dependency required for display elements to work.
Advanced installations rely on a dedicated file server. Scripts running in the background evaluate any changes. Access to files tagged as prohibited trigger an immediate alert. Intrinsec [10] introduced a system in 2014 that sidetracks ransomware with a combination of honeyfiles and kernel drivers. Processes that access honeyfiles are automatically terminated, thus mitigating any potential damage.
Unfortunately, no prebuilt implementations offer a ready-made honey file configuration: Honey files and related applications within the honeypot category are not currently a subject of research. If you want to use them to secure your network, you have little choice but to program them yourself.
Conclusions
Honeypots simulate vulnerable systems. They motivate attackers invading an unknown network to spend time playing. This time in the pot offers administrators a considerable advantage. First, the attacker wastes time and resources experimenting with the honeypot that they would otherwise use for targeting production systems. Second, warning systems on the honeypot alert the administrator as soon as an attacker moves in.
Virtualization and the availability of low-budget, single-board computers means technology that was previously only possible on large networks is now part of the public domain. A honeypot can help you trap intruders and buy you valuable time to respond to an attack.
Infos
- Glastopf: http://glastopf.org/
- Kippo: https://github.com/desaster/kippo
- Kippo installation for Raspberry Pi: http://itgeekchronicles.co.uk/2013/05/14/honeypot-kippo-pi/
- Kippo statistics package download: http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.4.tar
- Honeyd: http://www.honeyd.org/
- BruteForce Labs analysis scripts: http://bruteforce.gr/honeyd2mysql
- LaBrea: http://labrea.sourceforge.net/
- Code Red: https://en.wikipedia.org/wiki/Code_Red_(computer_worm)
- Solaris and ARP packets: https://github.com/Hirato/LaBrea/blob/master/INSTALL
- Intrinsec: http://securite.intrinsec.com/2014/04/11/honeyfile-origins/
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome 48 Debuts New Audio Player
To date, the audio player found within the Gnome desktop has been meh at best, but with the upcoming release that all changes.
-
Plasma 6.3 Ready for Public Beta Testing
Plasma 6.3 will ship with KDE Gear 24.12.1 and KDE Frameworks 6.10, along with some new and exciting features.
-
Budgie 10.10 Scheduled for Q1 2025 with a Surprising Desktop Update
If Budgie is your desktop environment of choice, 2025 is going to be a great year for you.
-
Firefox 134 Offers Improvements for Linux Version
Fans of Linux and Firefox rejoice, as there's a new version available that includes some handy updates.
-
Serpent OS Arrives with a New Alpha Release
After months of silence, Ikey Doherty has released a new alpha for his Serpent OS.
-
HashiCorp Cofounder Unveils Ghostty, a Linux Terminal App
Ghostty is a new Linux terminal app that's fast, feature-rich, and offers a platform-native GUI while remaining cross-platform.
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.