Recipe For Building a Cheap Raspberry Pi Honeypot Network
mask.of.sanity (1228908) writes "Honeypots are the perfect bait for corporate IT shops to detect hackers targeting and already within their networks and now a guide has been published to build a dirt cheap battalion of the devices from Raspberry Pis. "By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor," the author explained."
and a TiVo? For watching TV. beh, so which should you buy?
It's a computer. You can do a lot of things with a computer. Why do we need an article every time anyone uses it for anything?
Why not buy a cheap couple of hundred dollar PC and run as many VMs as could possibly fit. Install a really old Linux distribution (or early Windows) and the resource use is small. Many honeypots with less maintenance....
Pi! Raspberry raspberry rasp-berry. Pi raspberry, Raspberry Pi. Raspberry Pi raspberry pi [1].
[1] Raspberry
Imagine hundreds of those and satisfying all the users at the same time.
Instead of putting out bait to encourage people to have a go at fragile systems what about hardening the stuff you've got or put it in segments behind stuff you can harden? Putting out fragile honeypots can lead to wasting time on the merely curious who are no real threat to systems that are not fragile.
Do the other "thing" Raspberry Pis are semi "good" for (minus a slow XBMC system).
Turn your raspberry Pi into a dedicated BitTorrent power house!
Premade optimized image here:
http://fuzon.co.uk/phpbb/viewt...
Honeypots, what a waste of an ARM.... ;)
These articles generally increase interest because a lot of people buy the latest tech based on curiosity and skill improvement rather than need. As such, they have a collection of items that have outlived their usefulness to some degree (because they are potentially useful, but not bought with a purpose), so providing a purpose can reignite interest in an item.
The downside is that now we will have lots of Pi-powered honeypots which aren't going to be useful (except in creating more electricity usage), because if you needed a honeypot, you wouldn't have waited to build one on some sort of exotic platform, and monitoring a honeypot is a very expensive (in time) operation.
I (sarcasm) can't wait to see how security improves with tons of purposefully exploitable computers out there which aren't being monitored.
Yes - bait on an internal network to catch people who see the "shiny" and act.
The question to ask before deploying such things is to ask yourself (or your boss) what your job actually is. Is it to catch a number of people and meet some sort of "arrest quota" or is it to actually protect things? If it's the former then putting up fragile things to attract the attention of the weak willed may be a go, but if it's the latter you may well just be wasting time while the serious threats are getting into your serious systems. They could be getting in while you are distracted playing this game.
IMHO you are better off having better monitoring on the serious systems on a properly segmented network and watching that instead of scattering toys about and looking to see who they distract.
Honeypots are a cool research tool for seeing what people out on the net are trying to do, but as a security measure on internal networks? Sounds more like buzzword overload than anything useful in that situation unless you want some heads on pikes of the entrapped to scare people.
If I'd pulled this shit and enforced some sort of penalty I'd probably be down three or four decent developers because they decided to take a bit of a look around the local network when they first started. Those are just the ones that did really obvious portscans from their own desktop computers so there may have been more.
That, and Elon Musk are the two most masturbatory topics on Slashdot these days.
I want to delete my account but Slashdot doesn't allow it.
They ARE leaving something out in "public" when the public are the employees of the company - leaving the money out in the hallway and punching whoever picks it up.
Clearly not because the people you are trying to catch are already "in the house" but you just happen to have put something shiny in their sight in the house with a sign "don't touch" on it. Ready made crime. Just add criminal. Whether the potential criminal would exploit other, more difficult, opportunities and become an actual criminal is unknown, so it's largely pointless and better to go after something real instead of wasting time unless your goal is to impress others by setting people up for crimes and getting an impressive "arrest record".
Let's consider the last piece of malware I dealt with. It searched the network for shared storage and did nasty things on the storage. The REAL storage server is used by thousands of people, so it gets many, many requests per minute. Sorting out legitimate use of the storage vs something suspicious would be nearly impossible. The honeypot storage, on the other hand, gets NO legitimate traffic. Any traffic to the honeypot is worth investigation. That makes it a much more reliable way to find malware or other traffic sources that merit investigation.
Same with the active directory, the mail server, the database ...
Do you have any idea how much traffic a corporate mail server can get? Looking for suspicious connections is worse than a needle in a haystack. An otherwise unused machine with the mail ports open quickly flags strange behaviour for investigation.
I should emphasize strange traffic being investigated doesn't mean anyone gets in trouble. The head of security cut off my network port once when he detected something weird. I explained what I was doing. He pointed out a security concern, and we agreed to a compromise configuration we could both live with.
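Applied to the decoy-storage reasoning in the comment above, here is an added example (mine, not from the article or any poster) of the tripwire logic: every connection record is checked against a list of decoy addresses, and because a decoy gets no legitimate traffic, any source that touches one is reported, with a small allowlist for hosts such as a vulnerability scanner that sweep the network by design. The log format, addresses and allowlist are constructed for the example.

```python
import re

# Constructed sample: connection records as a honeypot sensor or a
# firewall might log them (timestamp, src, dst, dport, proto).
SAMPLE_LOG = """\
2013-06-01T09:00:01 src=10.1.5.20 dst=10.1.0.10 dport=445 proto=tcp
2013-06-01T09:00:02 src=10.1.5.21 dst=10.1.0.10 dport=445 proto=tcp
2013-06-01T09:00:03 src=10.1.5.20 dst=10.1.0.99 dport=445 proto=tcp
2013-06-01T09:00:04 src=10.1.5.20 dst=10.1.0.98 dport=25 proto=tcp
2013-06-01T09:00:05 src=10.1.5.22 dst=10.1.0.11 dport=25 proto=tcp
2013-06-01T09:00:06 src=10.1.9.9 dst=10.1.0.99 dport=445 proto=tcp
2013-06-01T09:00:07 src=10.1.5.20 dst=10.1.0.99 dport=139 proto=tcp
"""

# Hypothetical addresses: the real file server is 10.1.0.10 and the real
# mail server 10.1.0.11; the decoys are 10.1.0.99 (share) and 10.1.0.98 (mail).
DECOYS = {"10.1.0.99": "decoy-share", "10.1.0.98": "decoy-mail"}

# Sources allowed to touch decoys, e.g. the internal vulnerability scanner.
ALLOWED_SOURCES = {"10.1.9.9"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def decoy_hits(log_text, decoys=DECOYS, allowed=ALLOWED_SOURCES):
    """Group every connection to a decoy by source address.

    Returns {src: {"decoys": set, "ports": set, "first": ts, "count": n}}.
    No baseline is needed: a decoy has zero expected traffic, so one hit
    from a non-allowlisted host is already worth a look.
    """
    hits = {}
    for rec in parse(log_text):
        if rec["dst"] not in decoys or rec["src"] in allowed:
            continue
        h = hits.setdefault(rec["src"], {"decoys": set(), "ports": set(), "first": rec["ts"], "count": 0})
        h["decoys"].add(decoys[rec["dst"]])
        h["ports"].add(rec["dport"])
        h["count"] += 1
    return hits

if __name__ == "__main__":
    for src, h in decoy_hits(SAMPLE_LOG).items():
        print(f"ALERT {src}: {h['count']} connection(s) to {sorted(h['decoys'])} on ports {sorted(h['ports'])}, first seen {h['first']}")
```

In the sample, only 10.1.5.20 is reported: it touched both decoys on three ports, while the scanner at 10.1.9.9 is suppressed by the allowlist and traffic to the real servers is never examined at all.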
If your network is too large to comprehend then apply an engineering solution instead of a basket weaving solution and handle things in manageable chunks. Since IT folk like to pretend they are engineers (which was to my benefit when I changed careers from engineering a couple of decades back) why not act like them? Suspicious stuff coming in or out of segments is one way of tracking, does that really compare with hoping something randomly hits your honeypot? Oh that's right - if you are not tracking what is coming in and out of manageable segments then hope is all you've got. Carry on then. Let's hope they don't use your fragile honeypot as a springboard to something else before you find out they are there.
Take a look at how people handle security on very large compute clusters. It is not "nearly impossible". If you are not on the list you don't get in. If you try to get in you get logged. If it's too large to monitor you cut it into chunks that are not too large to monitor.
I see now - fully trusted hosts, potential malware ridden with no way to keep it off other than hoping the antivirus updates arrive before the malware, and a closed system where you have to guess at the legitimate traffic to boot. I can see now why you grasp at straws such as honeypots and hope the malware is so badly written that they randomly get attacked before your real systems instead of the malware taking a look at what the machine it is on has connected to in the past.
After they do get attacked what do you do to stop an attacker using the honeypot as a potential vector to do other stuff? Even if they can't get out they can work out you are watching them and feed you disinformation.
True but decent monitoring should turn up attempted traffic to addresses that do not exist in the same situation. Decent monitoring is hard to bolt on after the fact but a rock solid playpen for crackers, with decent monitoring of that, is probably not going to be easy to do either. It's one thing having a research honeypot outside of your external firewall, but with one inside your LAN with the welcome mat out what do you do when a cracker gets more control than you expect?
Or I could do the same thing with VMs and not tie up a bunch of physical resources in the process.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
That's an awful lack of reason, friend. It is well known and established security fact that the vast majority of threats to a network come from within - as in NOT external. As such, and coming from a business owner myself, your assertion that an employee is or should somehow be exempt from not only suspicion, but shouldn't know better than to be intruding where they don't belong - say, an investment, payroll or other sensitive out-of-bounds area is just flat ignorant. I want to know if an employee is going where they don't belong & am well within ethical bounds to protect my assets from nefarious persons - employed or not.
In other words: you are grotesquely wrong in your perspective of right & wrong & employee rights. Additionally, your necessity to defend with such vigor, such a blatantly ignorant argument just kills any concept of consideration of logic coming from your corner. Time to take a critical-thinking (& possibly ethics) course(s) - for the laymen: you need more school.
> > active directory
> I see now - fully trusted hosts, potential malware ridden with no way to keep it off other than hoping the antivirus
> updates arrive before the malware, and a closed system where you have to guess at the legitimate traffic to boot.
Yep, welcome to office networking. In a government office, throw in a few DOS terminals and other systems that haven't seen a security update since 1982.
The idea suggested in TFA is good, but why not do the same thing with the (SOHO) routers themselves? OpenWRT *is linux*, and flexible enough to be helpful for things like this.. hell, you could use both RPis and routers..
... which is great because I get to learn something with y'all helping.
This honeypot inside a network intrigues me. If I created a share on a server (or desktop) that was useless, would that serve as a honeypot looking to serve as a trip wire for malware that goes after shares?
In a Windows environment, all I know to do is look at Event logs. I don't know how to get Security events to bark.
I read the article(s) but it was a "whoosh," event.
Thanks.
It little behooves the best of us to comment on the rest of us.
That's an analogy that works far better.
If there's a defect in the VM software or hypervisor, it might be exploitable to break out of the VM and attack the root OS.