Honeypots Interest
Hey y'all,
I'm new to the Firewalla game, but I've been working on cyber deception research for a few months and was wondering what appetite there would be for a walk-through on setting up a honeypot/honeynet/deception environment on a Firewalla?
I'm interested in hearing if anyone else is running honeypots or deception operations, and if so what kind of telemetry you'd be interested in receiving/sharing in regards to adversary TTPs?
If you're at all interested in this, I can share my methodology and once I get a working prototype I'd be willing to write up a walkthrough on implementation. If nobody else thinks this would be cool, I would just play around with it on my own for a while.
-
I suggest looking into the SANS DShield honeypot they have available for download with some great setup write-ups and videos. I installed it on a Pi and have it running through the dmz of the firewalla.
https://www.dshield.org/tools/honeypot/index.html -
This is exactly what I have done.
I set up DShield on a Raspberry Pi Zero 2 W running Raspberry Pi OS Lite 64-bit, set the DMZ of my Firewalla Gold Plus to point to this Raspberry Pi, and added a block rule using the built-in DShield list on the Firewalla.
I found that the information my honeypot submitted eventually led to hosts being added to the DShield list, and they were subsequently automatically blocked from trying to break in further.
-
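An added example (my own code, not the poster's and not DShield's tooling) of the feedback loop the post above describes: summarise honeypot connection attempts per source and check which sources a block list like the one in the Firewalla rule already covers. It assumes a constructed, simplified log layout, not the real /var/log/dshield.log format.

```python
# Added example (not the thread's or DShield's code). The log layout is a
# constructed, simplified one, NOT the real /var/log/dshield.log format.
from collections import defaultdict
import ipaddress

# Constructed sample lines: <epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
SAMPLE_LOG = """\
1700000000 203.0.113.10 51234 192.0.2.5 22 TCP
1700000005 203.0.113.10 51240 192.0.2.5 22 TCP
1700000009 203.0.113.10 51250 192.0.2.5 2222 TCP
1700000020 198.51.100.7 40000 192.0.2.5 23 TCP
malformed line that should be skipped
1700000031 198.51.100.7 40001 192.0.2.5 445 TCP
"""

# Constructed stand-in for the block list the firewall rule consumes.
SAMPLE_BLOCKLIST = {"203.0.113.0/24"}


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            records.append({
                "ts": int(parts[0]),
                "src": ipaddress.ip_address(parts[1]),
                "dst_port": int(parts[4]),
                "proto": parts[5],
            })
        except ValueError:
            continue  # bad IP or non-numeric field
    return records


def summarize(records, blocklist):
    """Per source: attempt count, distinct target ports, and whether a
    block-list network already covers it (the firewall rule would drop it)."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    by_src = defaultdict(lambda: {"attempts": 0, "ports": set(), "blocked": False})
    for r in records:
        entry = by_src[str(r["src"])]
        entry["attempts"] += 1
        entry["ports"].add(r["dst_port"])
        entry["blocked"] = any(r["src"] in n for n in nets)
    return dict(by_src)
```

Sources that show up with many attempts but are not yet covered by the list are the ones worth watching until the shared feed catches up with them.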
Here's a walkthrough on DShield that I found very helpful --> https://medium.com/swlh/installing-dshield-honeypot-on-a-raspberry-pi-e10d967825b2
You then can either look at /var/log/dshield.log or log into your account in https://dshield.org/login.html to see what information was uploaded.
Here's a screenshot of some of the information:
-
@firewalla - you mentioned that a setup using a Docker container would be dangerous on an existing production device (which I am in agreement with). I am interested in getting into the honeypot space. Have you considered allowing the modification of your products to be Docker-container-only for the use of honeypots? I.e., take a Purple, using Docker container methodologies convert it to a supportable high-interaction honeypot, and place that within the network, isolated?