I've been running Linux honeypots for a while. Around 7 years ago I did some research using Sebek, which works at kernel level by hooking system calls. Based on this research, I gave a talk / presentation to the students of the Master in Security and Forensics at Dublin City University.
A few years ago I started using the Kippo honeypot, running on several Raspberry Pis spread across different ISPs and countries.
Recently, I migrated some of my honeypots to the new Raspberry Pi 3 model B. This new Raspberry Pi has integrated WiFi, which is very cool. Instead of continuing with Kippo, I decided to install HonSSH (a fork of Kippo), which performs an SSH MitM. The main advantage of this high-interaction honeypot setup is that attackers are accessing a real system.
The setup is as follows:
- 2 Raspberry Pis running Raspbian: a Raspberry Pi 3 with WiFi and eth0, and a Raspberry Pi 2 with only eth0
- The Raspberry Pi 3 connects through WiFi to the router.
- The eth0 interface of the Raspberry Pi 3 connects to the eth0 of the Raspberry Pi 2. With this setup, all traffic from/to the Raspberry Pi 2 always goes through the Raspberry Pi 3.
- Proper NAT and firewall rules are set up on the Raspberry Pi 3
- Port 22 is NATed on the router to the Raspberry Pi 3
- HonSSH runs on the Raspberry Pi 3 and performs the SSH MitM. Any incoming SSH connection is redirected to the Raspberry Pi 2, which runs a real Debian system
On the Raspberry Pi 3 host, I run iptables to control the traffic. Basically, from the Raspberry Pi 2, which is the one that will be compromised, I only accept outgoing HTTP, NTP and DNS, and incoming SSH. The rest is blocked. The iptables script I created is as follows:
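As an added example that is not the author's script, the block below expresses the policy described above for the Pi 3 gateway: the Pi 2 honeypot may only reach HTTP, NTP and DNS, nothing else is forwarded, dropped egress is logged, and the Pi 3 only accepts the HonSSH listener from the WAN side. The interface names wlan0/eth0, the honeypot address 192.168.10.2 and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example of the gateway rules described in the post (not the author's script).
# Interface names and addresses below are assumptions, not taken from the post.
WAN_IF="wlan0"              # assumed: WiFi interface facing the router
LAN_IF="eth0"               # assumed: wired interface facing the Raspberry Pi 2
HONEYPOT_IP="192.168.10.2"  # assumed: address of the Pi 2 honeypot on eth0
LOG_LIMIT="3/min"           # rate limit so a scanning honeypot cannot flood syslog

# Emit the rule set, one command per line, so it can be reviewed before applying.
honeypot_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# HonSSH listener on the WAN side (the router NATs port 22 to this host)
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT
# Replies to connections the honeypot was allowed to open
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only HTTP, NTP and DNS may leave the honeypot; everything else is logged and dropped
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $HONEYPOT_IP -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $HONEYPOT_IP -p udp --dport 123 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $HONEYPOT_IP -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $HONEYPOT_IP -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -m limit --limit $LOG_LIMIT -j LOG --log-prefix "HONEYPOT-DROP: "
iptables -t nat -A POSTROUTING -o $WAN_IF -s $HONEYPOT_IP -j MASQUERADE
# Default policies last, so an admin session is not cut off while rules are loading
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Number of egress ACCEPT rules granted to the honeypot (HTTP, NTP, DNS over udp and tcp).
egress_allow_count() {
  honeypot_rules | grep -c -- "-s $HONEYPOT_IP .*-j ACCEPT"
}

# Apply the rule set; must run as root on the Pi 3 gateway.
apply_rules() {
  honeypot_rules | sh -e
}
```

Because the FORWARD policy is DROP, nothing from the WAN can reach the Pi 2 directly; its only inbound SSH is the connection HonSSH opens from the Pi 3 itself.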
In the HonSSH wiki (https://github.com/tnich/honssh/wiki) you can find some documentation on how to set it up. I did a couple of additional things:
- On the Raspberry Pi 2 I created several accounts that are easy to brute force
- The SSHD host keys from the Raspberry Pi 2 were copied to HonSSH, so the keys are the same. This makes it more difficult to spot the SSH MitM through SSH fingerprinting
- The default openssh-server in Raspbian 8 is 6.7. This version doesn't support legacy SSH protocols. I manually included some of them to be compatible with some of the attacks. Hence, I included this line in /etc/ssh/sshd_config
- Advanced networking is enabled in HonSSH to fool the attacker
There is a bug in HonSSH, so from time to time the HonSSH process crashes. I created a cron script which runs every 5 minutes to check whether the process is running and, if not, relaunch it. The script is as follows:
Now the fun begins :)