Honey Pots Tar Pits

[jraff1]

This just came to me while reading;
http://www.computerworld.com/s/article/ ... ually_work
10 crazy IT security tricks that actually work,

http://www.infoworld.com/d/security-cen ... curity-165
Honeypots - Intrusion detection honeypots simplify network security

http://labrea.sourceforge.net/labrea-info.html
Tarpits - LaBrea: "Sticky" Honeypot and IDS

Using Raspberry Pi and other server like devices, sprinkle them all over one's network on all entrance ports and access p... and gateways
They are cheap, really cheap, can be programmed to slow down one's attackers and mal contents and report on the activities.

[section5]

Great idea, and good reading. I would think the Rpi would be a great for this task and like you said you could have a large number of them up and running compared to actual servers. You could easily make a net of them for any network.

[maverickit]

does anyone try to install dionaea or others honeypot such as kippo on a Raspberry Pi? It could be veeeery cool!

[pinkman]

Hi,

I just tried to install honeytrap which is great honeypot software imho.
Unfortunately it does not run properly on the Raspberry Pi.
At first after config errors occure while running make and make install:

Code: Select all

make  all-recursive
make[1]: Entering directory `/home/pi/honeytrap'
Making all in doc
make[2]: Entering directory `/home/pi/honeytrap/doc'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/pi/honeytrap/doc'
Making all in src
make[2]: Entering directory `/home/pi/honeytrap/src'
Making all in modules
make[3]: Entering directory `/home/pi/honeytrap/src/modules'
make[4]: Entering directory `/home/pi/honeytrap/src/modules'
/bin/sh ../../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../   -Wall -Werror -g -O2 -Wall -c -o htm_b64Decode.lo htm_b64Decode.c
 gcc -DHAVE_CONFIG_H -I. -I../.. -I../ -Wall -Werror -g -O2 -Wall -c htm_b64Decode.c  -fPIC -DPIC -o .libs/htm_b64Decode.o
htm_b64Decode.c: In function 'decode':
htm_b64Decode.c:99:79: error: array subscript is above array bounds [-Werror=array-bounds]
htm_b64Decode.c:92:9: error: array subscript is above array bounds [-Werror=array-bounds]
cc1: all warnings being treated as errors
make[4]: *** [htm_b64Decode.lo] Error 1
make[4]: Leaving directory `/home/pi/honeytrap/src/modules'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/pi/honeytrap/src/modules'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/pi/honeytrap/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/pi/honeytrap'
make: *** [all] Error 2

When making and installing with option "-i" to ignore errors honeytrap seems to get installed but after all you cannot run it:

Code: Select all

sudo: honeytrap: command not found

I have no clue about how to fix these errors to get "make" run correctly.
So I am going to check out dionaea at the next opportunity.

If you have any new information or experience in the meantime, please post it

[Thijxx]

The guy "Chris Taylor" who wrote the software (?did he?) tried to have honeypot added to the Debian
http://us.generation-nt.com/answer/rfs- ... 96281.html

Also, his request was open for MANY years, cannot find any recent news about him or Honeypot, hope the guy is doing well but his software seems to be dead

There are plenty of alternative, people say, this one is an instable package:
http://packages.debian.org/sid/tinyhoneypot

And this one is stable, eveything, should be easy to install (I know it's never easy)
http://packages.debian.org/squeeze/honeyd

[pinkman]

Yes, honeytrap seems not to be developed actively any more. What a pitty! It's features sounded promising to my ears.

I tried dionaea but this one seems a little to inflexible or not well-documented as it took some brain to install and afterwards did not find anything. Althoug I am missing an option to specify the interface or ip range dionaea should listen to. Maybe I misconfigured, but as said: I did not find a guideline to this. Dionaea runs, but nobody knows what it does.

And this one is stable, eveything, should be easy to install (I know it's never easy)
http://packages.debian.org/squeeze/honeyd

I agree! honeyd should be easy to install via apt-get. Unfortunately there is no package for the acutal version of raspbian. Hence, there is no installation candidate and I have to compile it from source.
I hope to report on this in the near future again.

For now there does not seem to be an easy solution for turning the raspberry pi into a honeypot.

[ManiacTwister]

I'm running dionaea on my raspberry pi and it works fine.
I've made some dionaea packages for raspbian also - a little tutorial how to use them can be found here: http://maniactwister.de/b/aazlvr (German, I'll translate it very soon)

Maybe I misconfigured, but as said: I did not find a guideline to this. Dionaea runs, but nobody knows what it does.

Yea, i agree. Dionaea needs a better documentation, but it's a very nice working honeypot.

cheers

[craiginb]

I tried your install but get several errors about libraries and compiler tools.
For instance I get an error about bison and I can't find any information about how to install it for Raspbian.
I aslo get a message that the libcurl4-openssl-dev is not available but the debian library list still shows it as latest build.

[ManiacTwister]

How does you sources.list looks like?

Code: Select all

cat /etc/apt/sources.list

bison is available in my repository and libcurl4-openssl-dev in the official raspbian repo..

[craiginb]

deb http://packages.s7t.de/raspbian wheezy main

[craiginb]

apt-get install libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython libpcap udns dionaea

below is what i get when I execute that command set.
root@raspberrypi:/home/pi# apt-get install libglib2.0-dev libssl-dev libcurl4-openssl-dev libreadline-dev libsqlite3-dev libtool automake autoconf build-essential subversion git-core flex bison pkg-config libnl-3-dev libnl-genl-3-dev libnl-nf-3-dev libnl-route-3-dev liblcfg libemu libev dionaea-python dionaea-cython libpcap udns dionaea
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package autoconf is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

Package libtool is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

Package flex is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

Package bison is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

Package libglib2.0-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
libglib2.0-0

E: Package 'libglib2.0-dev' has no installation candidate
E: Unable to locate package libssl-dev
E: Unable to locate package libcurl4-openssl-dev
E: Unable to locate package libreadline-dev
E: Unable to locate package libsqlite3-dev
E: Package 'libtool' has no installation candidate
E: Unable to locate package automake
E: Package 'autoconf' has no installation candidate
E: Unable to locate package subversion
E: Unable to locate package git-core
E: Package 'flex' has no installation candidate
E: Package 'bison' has no installation candidate
E: Unable to locate package libnl-3-dev
E: Unable to locate package libnl-genl-3-dev
E: Unable to locate package libnl-nf-3-dev
E: Unable to locate package libnl-route-3-dev

[ManiacTwister]

The raspbian repository isn't in your sources list.. please add this line to your sources.list

Code: Select all

sudo echo "deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi" >> /etc/apt/sources.list

and run:

Code: Select all

apt-get update 

Afterwards try the apt-get install .... command again. If it doesn't work post the full output of the command here please.

[craiginb]

Excelent!

[pspears]

Has anyone tried Tiny Honeypot on the rasberry? It would be a more general honeypot. I can see these sprinkled throughout the network all logging back to a central syslog or even SIEM.

Also I found Honeeepi which seems promising but not yet released.