## Background

Aggregating data from other feeds and sources into a general authoritative source is a great value added by the project. Still, generating our own data sources gives another layer of autonomy, independence and relevance to the project. Depending on third-party sources comes with some downsides:

- Discontinued sources.
- Changes in licenses.
- Drop in quality from threat feeds.
For this, building a network of low-watt, affordable honeypots run by a few hundred volunteers is relevant. It's a great way for students, activists, volunteers and other members to get involved in cyber security in an affordable way that has meaning.
A HoneyNet of traps is valuable because it allows us to capture:

- Mass scanners.
- IPs that are running exploits.
- Spam senders.
- Brute-force attackers.
- Bad ISPs, and the ASNs that aggregate this activity.
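As an added illustration (not code from this issue, T-Pot or any honeypot project) of how a batch of sensor events maps onto the categories above, the following assumes a simple constructed event schema (source IP, announcing ASN, destination port, event type) and threshold values that are examples, not anything the page specifies:

```python
"""Classify honeypot sensor events into the indicator categories the
network is meant to capture, then roll flagged IPs up by ASN.
Thresholds and the event schema are assumptions for this example."""
from collections import defaultdict

# Constructed sample batch from one reporting interval (not real traffic).
# Fields: source IP, announcing ASN, destination port, event type.
SAMPLE_EVENTS = [
    ("198.51.100.7", "AS64500", 22, "connect"),
    ("198.51.100.7", "AS64500", 23, "connect"),
    ("198.51.100.7", "AS64500", 80, "connect"),
    ("198.51.100.7", "AS64500", 443, "connect"),
    ("198.51.100.7", "AS64500", 8080, "connect"),
] + [("203.0.113.9", "AS64501", 22, "auth_fail")] * 12 + [
    ("203.0.113.10", "AS64501", 80, "exploit"),
    ("192.0.2.4", "AS64502", 25, "smtp_relay"),
    ("192.0.2.5", "AS64502", 22, "connect"),  # single touch: stays unflagged
]

SCAN_PORTS = 5    # distinct ports touched by one IP -> mass scanner
BRUTE_FAILS = 10  # failed logins against one service -> brute force

def classify(events):
    """Return {src_ip: sorted labels} for IPs crossing a threshold."""
    ports = defaultdict(set)
    fails = defaultdict(int)  # keyed by (ip, port)
    labels = defaultdict(set)
    for ip, _asn, port, kind in events:
        ports[ip].add(port)
        if kind == "auth_fail":
            fails[(ip, port)] += 1
        elif kind == "exploit":
            labels[ip].add("exploit")
        elif kind == "smtp_relay":
            labels[ip].add("spam")
    for ip, seen in ports.items():
        if len(seen) >= SCAN_PORTS:
            labels[ip].add("scanner")
    for (ip, _port), n in fails.items():
        if n >= BRUTE_FAILS:
            labels[ip].add("bruteforce")
    return {ip: sorted(tags) for ip, tags in labels.items()}

def asn_summary(events, flagged):
    """Count flagged IPs per ASN so networks that aggregate abuse stand out."""
    asn_of = {ip: asn for ip, asn, _p, _k in events}
    counts = defaultdict(int)
    for ip in flagged:
        counts[asn_of[ip]] += 1
    return dict(counts)
```

The single-touch IP stays unflagged, which is the point of thresholds: a sensor network only becomes an authoritative source if it does not list every stray connection.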
## Hardware Platform

Raspberry Pis would have been a good choice of platform, but there are a few issues. Since the silicon shortages, Raspberry Pis are expensive and permanently out of stock. Running them 24x7 is also not the best.

An alternative good hardware platform could be cheap ARM TV boxes produced in China, mainly the x96, re-flashed. A few benefits.
People would run this in a few ways:

- Run it behind a static NAT on some ports that are available on public IPs.
- Run with a dedicated available public IP address.
### Corporate Sponsorships

We could contact academia, universities and ISPs to host some of these for us and add them to our network. We would have to find ways to raise funds to acquire some of these.
### Volunteer Sponsorships

- Members of the org could run this at home, behind a DMZ and port-forward setup on their home routers, to expose the port on the HoneyTrap to the Internet.
- At conferences we could give out, or sell at cost, these devices for enthusiasts to host and run at home. People could get access to additional data in exchange for hosting the sensor.
Over time the network would grow to a few hundred or thousand sensors, which would allow us to have our own authoritative source of malicious IPs and infrastructure on the Internet.
## The Catch

The only "drawback" is that most of the honeypot tooling needs to be "recompiled" and ported to run on the ARM platform. There's a distro of Debian designed for ARM, called Armbian.

The purpose of this task is to get familiar with Armbian, install it on the x96, and then compile open source honeypots for this distro. Additionally, add customizations to push the collected data to a simple backend controlled by us.
We could look into using TPOT as a reusable base, for the honeypot engines and the backend.
https://github.com/telekom-security/tpotce/tree/master
We could also use other, simpler honeypots like the ones at https://github.com/0xNslabs