liquizell
Posts: 5
Joined: Thu May 31, 2018 7:25 pm

Filesystem for Honeypot

Sat Jul 21, 2018 12:43 pm

I set up a honeypot at home.
To offer attackers the most realistic fake system possible, I would like to load the entire contents of a specially created Raspbian system from the SD card. I have already tried it via SSH, but I cannot download all the files there, since the system must be in operation.

How do I get the entire contents of my SD card?

mattmiller
Posts: 2102
Joined: Thu Feb 05, 2015 11:25 pm

Re: Filesystem for Honeypot

Sat Jul 21, 2018 1:00 pm

If you can't work out how to do this, you REALLY shouldn't be leaving ports open on your router and inviting the baddies in!

liquizell
Posts: 5
Joined: Thu May 31, 2018 7:25 pm

Re: Filesystem for Honeypot

Sat Jul 21, 2018 2:01 pm

If you cannot make a sensible contribution, you should not do anything.

B.Goode
Posts: 8271
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Filesystem for Honeypot

Sat Jul 21, 2018 3:02 pm

liquizell wrote:
Sat Jul 21, 2018 2:01 pm
If you cannot make a sensible contribution, you should not do anything.

I was going to suggest taking a copy of your customised Raspbian installation by means of the SD Card Copier utility provided with Raspbian and using the resulting card to boot your RPi.

But you might not think that is 'sensible', so since I would hate to be sneered at in public I'd better not suggest it.

thagrol
Posts: 1780
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: Filesystem for Honeypot

Sat Jul 21, 2018 6:17 pm

Gonna risk being sneered at...

Before exposing your honeypot to the internet ask yourself this:

Do I know enough and have I done enough to:
  • Isolate your honeypot from your internal network?
  • Prevent attackers from damaging other machines on your network?
  • Prevent attackers from using your honeypot for illegal purposes (DDoS attacks, spam relay, sharing copyrighted files, etc)?
  • Deal with local authorities when (not if) it all goes pear shaped?
Given your initial question, I'm guessing the answer is no but, hey, it's your system and network at risk...
This space unintentionally left blank.

PhilE
Raspberry Pi Engineer & Forum Moderator
Posts: 2317
Joined: Mon Sep 29, 2014 1:07 pm
Location: Cambridge

Re: Filesystem for Honeypot

Sat Jul 21, 2018 6:46 pm

Moved to Advanced Users - a more natural home.

liquizell - although the advice may not have been what you were hoping for, you would be wise to think carefully before opening your system up to invaders.

liquizell
Posts: 5
Joined: Thu May 31, 2018 7:25 pm

Re: Filesystem for Honeypot

Sat Jul 21, 2018 8:59 pm

Thanks for your criticism, but my honeypot is running on a DMZ.

However, I have come to a solution myself now. I'll set up a Raspberry fake system, then copy its contents into a folder of the same Raspberry and then install the honeypot on it.

Apart from that, if you run several servers at home then ports are inevitably open, so the honeypot makes it more secure.

thagrol
Posts: 1780
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: Filesystem for Honeypot

Sun Jul 22, 2018 12:31 pm

liquizell wrote:
Sat Jul 21, 2018 8:59 pm
Thanks for your criticism, but my honeypot is running on a DMZ.
A DMZ does nothing to protect the rest of your network from a hacked honeypot. All it does is tell the router where to send incoming packets that aren't addressed to machines on your network.

Think of it as a default rule for port forwarding.

A DMZ does not isolate the machine in it from the rest of your network.
Apart from that, if you run several servers at home then ports are inevitably open, so the honeypot makes it more secure
No, not at all, that's a false assumption. Ports you're using for servers will still be forwarded to those servers so they'll still be vulnerable and a honeypot will never see traffic on those ports. And once your honeypot has been hacked, your entire network will be vulnerable.

For your own sake, do a lot more reading on this before you go live.
This space unintentionally left blank.

epoch1970
Posts: 3568
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Filesystem for Honeypot

Sun Jul 22, 2018 1:47 pm

thagrol wrote:
Sun Jul 22, 2018 12:31 pm
liquizell wrote:
Sat Jul 21, 2018 8:59 pm
Thanks for your criticism, but my honeypot is running on a DMZ.
A DMZ does nothing to protect the rest of your network from a hacked honeypot. All it does is tell the router where to send incoming packets that aren't addressed to machines on your network.

Think of it as a default rule for port forwarding.

A DMZ does not isolate the machine in it from the rest of your network.
Depends on what you call "DMZ".
- In consumer-grade products what DMZ means is "forward any port to host X". It's just a form of port forwarding and nothing tells what happens when the DMZ machine is taken over.
- In more "advanced" products you can manage multiple networks, say a LAN and a DMZ (for that single host). In this case the DMZ can be isolated from the LAN, at least until the router gets hacked.

A honeypot or IDS in general is a network security experiment, and could be of interest as such. It is not a practical way of improving the level of security/privacy of a network; for this, staying under the radar and silently dropping unwanted traffic is (still) the best way to go.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

thagrol
Posts: 1780
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: Filesystem for Honeypot

Sun Jul 22, 2018 11:05 pm

epoch1970 wrote:
Sun Jul 22, 2018 1:47 pm
Depends on what you call "DMZ".
- In consumer-grade products what DMZ means is "forward any port to host X". It's just a form of port forwarding and nothing tells what happens when the DMZ machine is taken over.
- In more "advanced" products you can manage multiple networks, say a LAN and a DMZ (for that single host). In this case the DMZ can be isolated from the LAN, at least until the router gets hacked.
Yeah, can't argue with that but I was assuming the OP has a consumer grade router in my posts above.
A honeypot or IDS in general is a network security experiment, and could be of interest as such.
Yep, but setting one up safely (i.e. with minimal risk to other machines on your LAN) will take more knowledge and experience than the OP appears to have. And no, I can't help with that setup. I've never done this, and don't intend to set one up. The risks far outweigh the minimal benefits.
It is not a practical way of improving the level of security/privacy of a network; for this, staying under the radar and silently dropping unwanted traffic is (still) the best way to go.
Second that, but if the OP still wants to put a host in a DMZ, they'll learn the hard way why it's a bad idea.
This space unintentionally left blank.

ejolson
Posts: 3424
Joined: Tue Mar 18, 2014 11:47 am

Re: Filesystem for Honeypot

Mon Jul 23, 2018 2:25 am

liquizell wrote:
Sat Jul 21, 2018 8:59 pm
However, I have come to a solution myself now. I'll set up a Raspberry fake system, then copy its contents into a folder of the same Raspberry and then install the honeypot on it.
While it usually works to copy a live root filesystem to a new SD card mounted in a USB card reader, you are right in thinking it is better to make a copy when the filesystem is not root mounted.

If you are planning to make SD card copies of a particular setup and boot them simultaneously on multiple Pi computers, there are a few configuration items that should be updated. For example, you may want to generate different hostnames, user passwords and host ssh keys for each cloned system. I think there are some UUIDs that need to be regenerated as well, maybe relating to the Bonjour network protocol, but I don't know what they are. It would be great if someone could explain what parameters need to be reconfigured for a copy of an already setup SD card to be used to boot another Pi.

Did you get it set up? Details of how the honeypot provides additional security would be interesting.
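As an added example (not code from any poster in this thread), here is one way to do the per-clone reconfiguration ejolson asks about: the clone's root partition is imaged from another Linux machine and mounted there, so nothing is copied while it is the live root. It assumes standard Raspbian/systemd file locations and that Raspbian's one-shot regenerate_ssh_host_keys service exists on the image; user passwords are left for the reader to change on first login.

```shell
#!/bin/sh
# Give a cloned Raspbian root filesystem (mounted at $1) its own identity.
# Imaging the card (card NOT mounted, from another machine; /dev/mmcblk0 and
# /dev/sdX2 are assumed device names):
#   sudo dd if=/dev/mmcblk0 of=honeypot.img bs=4M conv=fsync status=progress
#   sudo mount /dev/sdX2 /mnt && sudo sh prepare_clone.sh /mnt honeypot01
set -eu

prepare_clone() {
    root=$1
    newhost=$2
    oldhost=$(cat "$root/etc/hostname")

    # 1. Hostname: /etc/hostname plus the matching 127.0.1.1 line in /etc/hosts.
    #    Avahi/Bonjour advertises <hostname>.local, so this is the UUID-like
    #    collision most people notice first when two clones share a LAN.
    printf '%s\n' "$newhost" > "$root/etc/hostname"
    sed -i "s/[[:space:]]$oldhost\$/ $newhost/" "$root/etc/hosts"

    # 2. /etc/machine-id is a per-install UUID used by systemd; an empty file
    #    makes systemd generate a fresh one on the next boot.
    : > "$root/etc/machine-id"

    # 3. SSH host keys: remove them so each clone presents unique keys, and
    #    enable the Raspbian first-boot service that regenerates them (assumed
    #    to be present on the image; otherwise run `ssh-keygen -A` after boot).
    rm -f "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub
    svc=/lib/systemd/system/regenerate_ssh_host_keys.service
    if [ -f "$root$svc" ]; then
        mkdir -p "$root/etc/systemd/system/multi-user.target.wants"
        ln -sf "$svc" "$root/etc/systemd/system/multi-user.target.wants/"
    fi
}

# Constructed sample tree with just the files the function touches, so the
# script can be exercised without a real SD card. Prints the directory path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    echo raspberrypi > "$d/etc/hostname"
    printf '127.0.0.1\tlocalhost\n127.0.1.1\traspberrypi\n' > "$d/etc/hosts"
    echo 0123456789abcdef0123456789abcdef > "$d/etc/machine-id"
    : > "$d/etc/ssh/ssh_host_rsa_key"
    : > "$d/etc/ssh/ssh_host_rsa_key.pub"
    printf '%s' "$d"
}

[ $# -eq 2 ] && prepare_clone "$1" "$2"
```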

Yukon Cornelius
Posts: 20
Joined: Tue Jul 03, 2018 7:24 am

Re: Filesystem for Honeypot

Mon Jul 23, 2018 8:15 am

I think the project has merit, albeit with some possible security risks, as outlined in other posts above.

I have Pihole running 24/7 on a Pi ZeroW and it is a marvel..... I would not be without it.
While I was working away, I used Real VNC (the cloud version) to check the logs and I noticed some very unusual behaviour afterwards, so I locked the Pi down much tighter.

I won't bore folk with details, but it started me thinking along the exact same lines as the OP.

I would suggest installing Fail2ban and watching carefully for attempts to access the device remotely.
Simply leaving the username as the default "Pi" is enough to cast bait on the waters....
and there's no shortage of savage creatures swimming around the internet looking for easy prey.
Fail2ban will provide a wealth of data to use as a baseline measure.
Shodan and canyouseeme help give a view of what you look like from the outside.... open ports etc.

I would hold off on the honeypot strategy until I had a good scope on what happens without trying to attract attention.

Just my 2 escudos.....

But I'd like to read some results from the project 8-)
