For this entire post you can find important links at the bottom.
Perhaps you’ve seen my new Attack Map. Sure, it’s pretty boring right now. Building that was no simple feat, as I leverage the Modern Honey Network (MHN), which was not built for ARM processors. Quick step back: most computers run on x86/x64 processors, whereas most mobile devices run a slimmer processor called ARM. One of those mobile devices is the Raspberry Pi.
MHN is an open source project from ThreatStream, which you’ll see labeled on the Attack Map. They have simplified the deployment and monitoring of honeypots. It’s a standard Client/Server relationship where the honeypots are the clients. For me, I’m always looking to cut down on power consumption and optimize space usage. Enter the Raspberry Pi. I originally used it as a honeypot itself which was honestly a pain for plenty of reasons I won’t get into here. Then began my journey to building the MHN server on a processor it wasn’t made for.
How’d I do it? A lot of Googling. If anyone ever tells you they did something any other way, they’re probably lying. Figuring out what would break was the first step. So, naturally I just ran the setup as they published it. The first problem came pretty quickly. MongoDB is the backbone server used and it failed to install properly using the Debian repositories. I built it from scratch using the MongoDB reference at the bottom of the page. This was a super lengthy process but worked flawlessly. I decided to start a script at this point to make this process programmatic instead of willy-nilly.
Next, I stumbled across the problem of available space on my Pi. Mostly due to other things I had been trying. However, it pulled the curtain back on the bigger problem. I was using the standard Raspbian OS which has a lot of stuff on there that I never use. After a little hunting I found MiniBian which is a minimal version of Raspbian. After some work I finally got my SD card flashed and optimized with the tiny OS. I was starting to get really excited at this point because I thought I’d actually pull this off cleanly.
Obviously there were more problems, right? I continued running the standard MHN installation process, cutting out everything that tried to install MongoDB. A lot went smoothly. However, for some reason coffeescript “had no installation candidate.” Compiling from source is really the only choice when that happens in my mind. For some reason, I don’t really like adding other repos to my Linux distributions. I found a pretty solid link that was actually trying to do something else, but first they needed to compile coffeescript from source as well. I took the important parts out and added them to the running script I was building.
Finally, I took everything out about installing coffeescript and continued the standard install. It worked. After the process I took the liberty of changing a few things up on the MHN standard installation. For example, they have an install.sh script that calls several other scripts to install various parts. I moved the apt-get calls from the secondary scripts to the main installation script. Sounds trivial; however, it will allow it to be a little faster and more intelligent. Don’t think I’m calling them stupid. But the install script will just change the apt-get and script calls based on what processor it’s running on. That way the secondary scripts never have to change.
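The sketch below shows that kind of processor-based dispatch. It is an added example, not code from the MHN project or the FracSec fork. The package list and the `scripts/build_*_from_source.sh` paths are hypothetical placeholders, and the plan is only printed, not executed.

```shell
#!/bin/sh
# Added example: pick apt-get and script calls by processor family.
# Package names and script paths are constructed for illustration.

# Packages installed from apt on every platform (constructed list).
COMMON_PKGS="git python-pip supervisor"

# Map a `uname -m` machine string to a processor family.
arch_family() {
    case "$1" in
        arm*|aarch64)      echo arm ;;
        x86_64|amd64|i?86) echo x86 ;;
        *)                 echo unknown ;;
    esac
}

# Packages that come from the distro repositories for this family.
apt_packages() {
    case "$1" in
        x86) echo "$COMMON_PKGS mongodb coffeescript" ;;
        arm) echo "$COMMON_PKGS build-essential" ;;  # toolchain for source builds
        *)   return 1 ;;
    esac
}

# Components that have to be compiled from source for this family.
source_builds() {
    case "$1" in
        arm) echo "mongodb coffeescript" ;;
        x86) echo "" ;;
        *)   return 1 ;;
    esac
}

# Print the commands the main install script would run: one combined
# apt-get call, then one hypothetical build script per source component.
# With no argument, the machine type of the current host is used.
plan() {
    machine=${1:-$(uname -m)}
    family=$(arch_family "$machine")
    pkgs=$(apt_packages "$family") || {
        echo "unsupported processor: $machine" >&2
        return 1
    }
    echo "apt-get install -y $pkgs"
    for component in $(source_builds "$family"); do
        echo "./scripts/build_${component}_from_source.sh"
    done
}
```

Calling `plan` with no argument prints the plan for the current machine; `plan armv7l` shows what a Raspberry Pi would get.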
I’ll be posting my fork of their project at https://github.com/fracsec/mhn as soon as I iron out a few issues and test some features. At that point you’ll be able to clone my repo and run install.sh on your ARM or x86/x64 and have a server of your own.
What then? Well, I’ll get into honeypot deployment and monitoring in another post. Enjoy yourself and let me know if you would like to deploy your own honeypot and have it tracked on my Attack Map!
I have pushed all of my work to the fracsec repo on GitHub. Go to the FracSec MHN link at the bottom to view the code or get the link to clone the repo. Enjoy!
I made a few updates to file permissions and uploaded a script I accidentally forgot. Everything should work cleanly from the repo now.
MHN GitHub – https://github.com/threatstream/mhn
MongoDB – http://c-mobberley.com/wordpress/2013/10/14/raspberry-pi-mongodb-installation-the-working-guide/
MiniBian – https://minibianpi.wordpress.com/
FracSec MHN – https://github.com/fracsec/mhn