# dshield
## DShield Raspberry Pi Sensor
This is a set of scripts to setup a Raspberry Pi as a DShield Sensor.
Current design goals and prerequisites for using the automated installation procedure:
- use of a __dedicated__ device (Raspberry Pi, any model as [per this diary](https://isc.sans.edu/forums/diary//22680/))
- current Raspberry Pi OS ("Lite" version will suffice)
- easy installation / configuration (and therefore not very configurable)
- disposable (when something breaks (e.g. during upgrade): re-install from scratch)
- minimize complexity and overhead (e.g. no virtualization like docker)
- support for IPv4 only (for the internal net)
- one interface only (e.g. eth0)
The current version is only tested on Raspberry Pi OS and Ubuntu 20.04 LTS Server, not on other distros, sorry.
If there is the need for other distros, "someone" has to check and maintain the installation script.
## Installation
**For more detailed instructions with screenshots, see https://isc.sans.edu/honeypotinstall.pdf.**
In order to use the installation script on the Raspberry Pi, you will need to first prepare it.
- Download and install the [Raspberry Pi Imager](https://www.raspberrypi.com/software/)
- Select "Raspberry Pi OS Lite (32-bit)" as your operating system. The default selection will work too if you prefer a GUI.
- Customize the installation by clicking on the "gear" icon in the lower right-hand corner of the Imager window.
  - select "Enable SSH"
  - set a username and password (use this username instead of the "pi" user)
  - Optional (but recommended): set up public-key authentication
- Select the micro SD Card as "Storage". Be careful to select the right disk.
- click "WRITE"
![Screen Shot 2022-05-02 at 10 40 51 AM](https://user-images.githubusercontent.com/1626447/166254332-0dd2be8a-0ef6-42a2-8f6d-9610b2664323.png)
- connect to the device using an ssh client (port 22) and log in with the username and password you configured above.
- make sure the Pi can reach the Internet over HTTP(S), resolve DNS names, etc. (a DHCP-assigned address is fine)
- make sure the Pi's system time is roughly correct, e.g.
```
date
```
if the time is "off", set it (replace the date below with the current date and time):
```
sudo date --set='2017-04-21 21:46:00' +'%Y-%m-%d %H:%M:%S'
```
- update your Pi. The install script will do this as well, but it can take **hours**, so you are better off doing it first.
```
sudo apt update
sudo apt -uy dist-upgrade
```
- reboot
```
sudo reboot
```
- if git isn't already installed (which is the case for the Lite image): install git
```
sudo apt -y install git
```
- clone the GIT repository (which will create the "dshield" directory)
```
git clone https://github.com/DShield-ISC/dshield.git
```
- run the installation script. If you are replacing an earlier sensor, first copy the files `/etc/dshield.ini` and `/etc/dshield.sslca` from that system to `/etc`; the data entered for that system will then be reused.
```
cd dshield/bin
sudo ./install.sh
```
- to watch the debug log while the installation runs, open an additional ssh session to the system and run (the installation script prints the name of the log file):
```
sudo tail -f LOGFILE
```
- answer the questions of the installation routine
- if everything goes fine and the script finishes OK: reboot the device
```
sudo reboot
```
- from now on you have to use port 12222 to connect to the device by SSH
- expose the Pi to inbound traffic. For example, many firewalls and home routers let you configure it as a "DMZ host" or "exposed device"; see the [hints below](#how-to-place-the-dshield-sensor--honeypot).
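The preparation steps above (clock roughly correct, DNS and HTTP(S) reachable, git present) can be checked in one go before `install.sh` is started. The script below is an added example and not part of the dshield repository; the minimum year, the probe hostname/URL and the use of `getent` and `curl` are assumptions of this example, not something the README specifies.

```sh
#!/bin/sh
# preflight.sh - checks a fresh Raspberry Pi before running dshield's install.sh
# (added example, not part of the dshield repository). Run as the regular user.
# Assumptions not taken from the README: MIN_YEAR, DNS_PROBE, HTTPS_PROBE.

MIN_YEAR=2022                        # constructed threshold: an older clock is "off"
DNS_PROBE="isc.sans.edu"             # constructed: any public name the Pi must resolve
HTTPS_PROBE="https://isc.sans.edu/"  # constructed: an HTTPS site the Pi must reach

# year_is_sane YEAR [MIN] -> 0 if YEAR is a number >= MIN (pure, testable offline)
year_is_sane() {
    y=$1; min=${2:-$MIN_YEAR}
    [ "$y" -ge "$min" ] 2>/dev/null
}

# clock_is_sane -> 0 if the running system's clock passes year_is_sane
clock_is_sane() { year_is_sane "$(date +%Y)"; }

# dns_resolves NAME -> 0 if the resolver configured on the Pi answers for NAME
dns_resolves() { getent hosts "$1" >/dev/null 2>&1; }

# https_reachable URL -> 0 if a HEAD request over HTTPS gets any HTTP response
https_reachable() { curl -sI --max-time 10 "$1" >/dev/null 2>&1; }

# git_installed -> 0 if git is on PATH (the Lite image ships without it)
git_installed() { command -v git >/dev/null 2>&1; }

# run_preflight -> prints one line per check and returns the number of failures
run_preflight() {
    fails=0
    for check in "clock_is_sane" "dns_resolves $DNS_PROBE" \
                 "https_reachable $HTTPS_PROBE" "git_installed"; do
        if $check; then
            echo "ok   $check"
        else
            echo "FAIL $check"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Only run the checks when invoked as a script, so the functions can also be sourced.
if [ "${0##*/}" = "preflight.sh" ]; then
    run_preflight || { echo "fix the failing checks before running install.sh" >&2; exit 1; }
fi
```

Save it as `preflight.sh`, make it executable, and run it once the Pi has rebooted; a "FAIL clock_is_sane" line means the `date --set` step above is needed, a "FAIL git_installed" line means the `apt install git` step is still due.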
## Background: `install.sh`
This script will:
- disable IPv6 on the Pi
- enable firewall logging and submitting of logs to DShield
- change your ssh server to listen on port 12222
- install the SSH honeypot cowrie
- install needed environment (e.g. MySQL server, Python packages, ...)
## Troubleshooting
- logs are sent twice an hour to the [dshield portal](https://www.dshield.org) by the cron job `/etc/cron.d/dshield`; this can be verified under ['My Account' -> 'My Reports'](https://www.dshield.org/myreports.html)
- have a look at the output from the status script: `/home/pi/install/dshield/bin/status.sh`
- if you get strange Python / pip errors during installation or updates, you may try the following command as root:
```
pip freeze --local | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip install -U
```
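Two of the facts above (sshd moved to port 12222, log submission twice an hour from `/etc/cron.d/dshield`) can be verified locally without waiting for the portal. The script below is an added example and not the project's `status.sh`; the port, the cron file and the twice-an-hour cadence come from this README, while the `sshd_config` path and the simplified cron minute-field parsing are assumptions of the example.

```sh
#!/bin/sh
# sensor-check.sh - local sanity checks for an installed DShield sensor
# (added example; not the project's own status.sh).
# From the README: SSH port 12222, cron file /etc/cron.d/dshield, two submissions per hour.
# Assumptions of this example: the sshd_config path and the cron parsing below.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
DSHIELD_CRON=${DSHIELD_CRON:-/etc/cron.d/dshield}
EXPECTED_SSH_PORT=12222
EXPECTED_RUNS_PER_HOUR=2

# sshd_port FILE -> prints the first active "Port" directive in FILE, or 22 if none
# (sshd uses the first value it finds for a keyword; keywords are case-insensitive)
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1" 2>/dev/null)
    echo "${p:-22}"
}

# cron_runs_per_hour FILE -> how often per hour the first job in a cron.d file fires,
# derived from its minute field: "7,37" -> 2, "*/30" -> 2, "15" -> 1, "*" -> 60.
# Simplified parser: ranges such as "0-59/5" are not handled; prints 0 if no job.
cron_runs_per_hour() {
    r=$(awk '
        /^[[:space:]]*#/ { next }                 # comment line
        /^[[:space:]]*$/ { next }                 # blank line
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }      # variable assignment such as MAILTO=
        {
            found = 1
            m = $1
            if (m == "*") { print 60; exit }
            if (m ~ /^\*\/[0-9]+$/) { split(m, a, "/"); print int(60 / a[2]); exit }
            print split(m, parts, ","); exit
        }
        END { if (!found) print 0 }' "$1" 2>/dev/null)
    echo "${r:-0}"
}

# check_sensor -> prints one line per check and returns the number of failures
check_sensor() {
    fails=0
    port=$(sshd_port "$SSHD_CONFIG")
    if [ "$port" = "$EXPECTED_SSH_PORT" ]; then
        echo "ok   sshd listens on port $port"
    else
        echo "FAIL sshd port is $port, expected $EXPECTED_SSH_PORT"
        fails=$((fails + 1))
    fi
    runs=$(cron_runs_per_hour "$DSHIELD_CRON")
    if [ "$runs" = "$EXPECTED_RUNS_PER_HOUR" ]; then
        echo "ok   log submission job runs $runs times per hour"
    else
        echo "FAIL $DSHIELD_CRON: job runs $runs times per hour, expected $EXPECTED_RUNS_PER_HOUR"
        fails=$((fails + 1))
    fi
    return $fails
}

if [ "${0##*/}" = "sensor-check.sh" ]; then
    check_sensor
fi
```

Run it as root on the sensor after the post-install reboot; a failing port check explains why an ssh client on port 22 no longer connects, and a failing cron check is the first thing to look at when 'My Reports' stays empty.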
## Updates
### Normal Updates
Inside your "dshield" directory (the directory created above when you ran `git clone`), run
```
cd install/dshield
git pull
sudo bin/install.sh
```
Configuration parameters like your API Key will be retained. To edit the configuration, edit `/etc/dshield.ini`, to configure the firewall edit `/etc/network/iptables` (note: nat table is also used).
A hook for site-specific changes has been introduced, mainly for automatic updates: at the end of a run, `install.sh` looks for the file `/root/bin/postinstall.sh` and executes it if it exists. If you need extra changes applied to the newly installed files, this is the place to put them. The file NEEDS execute rights.
Please make sure to keep special port and network configuration up to date (e.g. manually add recently introduced telnet / web ports to the firewall config, no-log config, no-honey config, ...); unfortunately this can't be done automatically yet. If unsure, delete the respective lines in `/etc/dshield.ini` and re-run the installation script.
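One practical use of the post-install hook is to snapshot the two files this README tells you to carry over to a rebuilt sensor, `/etc/dshield.ini` and `/etc/dshield.sslca`, every time `install.sh` runs. The hook below is an added example and not part of the dshield repository; the hook path and the execute-rights requirement are from the README, while the backup directory, the retention count and the file permissions are assumptions of this example.

```sh
#!/bin/sh
# /root/bin/postinstall.sh - run by install.sh at the end of each (re)install
# (added example, not part of the dshield repository). It copies the two config
# files the README says to reuse on a fresh install into a dated directory and
# keeps only the newest few snapshots.
# Assumptions of this example: BACKUP_ROOT, KEEP and the 0600 file mode.

CONF_DIR=${CONF_DIR:-/etc}                         # where install.sh writes its config
BACKUP_ROOT=${BACKUP_ROOT:-/root/dshield-backups}  # constructed location
KEEP=${KEEP:-5}                                    # constructed: snapshots to retain

# snapshot_config SRC DEST -> copies dshield.ini and dshield.sslca from SRC into DEST,
# prints each file copied, and returns the number of files that were missing
snapshot_config() {
    src=$1; dest=$2; missing=0
    mkdir -p "$dest"
    for f in dshield.ini dshield.sslca; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dest/$f"
            chmod 0600 "$dest/$f"    # the files hold the API key and CA material
            echo "saved $src/$f -> $dest/$f"
        else
            echo "missing $src/$f" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# prune_snapshots ROOT KEEP -> removes all but the newest KEEP dated directories in ROOT
# (directory names start with the date stamp, so a reverse sort orders newest first)
prune_snapshots() {
    root=$1; keep=$2
    ls -1d "$root"/[0-9]* 2>/dev/null | sort -r | tail -n +"$((keep + 1))" | while read -r d; do
        rm -rf "$d"
    done
}

# snapshot_count ROOT -> number of dated snapshot directories currently kept
snapshot_count() { ls -1d "$1"/[0-9]* 2>/dev/null | wc -l | tr -d ' '; }

if [ "${0##*/}" = "postinstall.sh" ]; then
    stamp=$(date +%Y%m%d-%H%M%S)
    snapshot_config "$CONF_DIR" "$BACKUP_ROOT/$stamp" || true   # continue if a file is absent
    prune_snapshots "$BACKUP_ROOT" "$KEEP"
fi
```

Install it with `chmod 0755 /root/bin/postinstall.sh` (the README requires execute rights); when rebuilding a sensor, copy the newest snapshot's two files to `/etc` before running `install.sh`, as described under Installation.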
The update procedure is normally tested between two releases as follows:
- update on Pi 3 from the last version to current
- install on a current clean image of raspbian lite on a Pi 3
### Special Update Note: Versions < 0.4 to >= 0.4
The handling of Python packages had to be changed from the distro package manager to pip. This means the update is painful. Sorry for that.
You have three alternatives:
#### Easy
The easiest, preferred and warmly recommended way: back up the old installation (if you can't stand a complete loss) and reinstall from scratch using the current Raspbian image.
#### Manual
The manual procedure: uninstall all the packages listed below, then autoremove, and cross your fingers:
```
sudo su -
/etc/init.d/cowrie stop
dpkg --remove python-crypto
dpkg --remove python-gmpy
dpkg --remove python-gmpy2
dpkg --remove python-mysqldb
dpkg --remove python-pip
dpkg --remove python-pyasn1
dpkg --remove python-twisted
dpkg --remove python-virtualenv
dpkg --remove python-zope.interface
apt-get autoremove
apt-get update
apt-get dist-upgrade
```
#### Automatic
The "automatic" **brutal** procedure (chances to break your system are **VERY** high, but hey, it's a disposable honeypot anyway ...): back up (if needed), uninstall all Python distro packages (and hope that's it):
```
sudo su -
/etc/init.d/cowrie stop
for PKG in `dpkg --list | grep python- | cut -d " " -f 3 | grep "^python"` ; do echo "uninstalling ${PKG}"; dpkg --force-depends --purge ${PKG}; done
apt-get update
apt-get -f install
apt-get dist-upgrade
apt-get autoremove
apt-get update
apt-get dist-upgrade
```
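Before letting the loop above run `dpkg --force-depends --purge` over everything, it is worth seeing the exact package list it will act on (and keeping that list for the reinstall). The dry run below is an added example and not part of the dshield repository; it reads `dpkg --list` output and selects, as an assumption mirroring the loop, package names that begin with `python-`, using the status column rather than cutting on single spaces so dpkg's padding cannot shift the fields.

```sh
#!/bin/sh
# purge-plan.sh - dry run for the "automatic" Python package purge
# (added example, not part of the dshield repository).
# Assumption: the selection rule is "package name starts with python-", in either
# "ii" (installed) or "rc" (removed, config files left) state, matching the README loop.

# python_pkgs_from_dpkg (stdin: dpkg --list output) -> package names, one per line;
# the ":arch" suffix dpkg prints for multi-arch packages is stripped
python_pkgs_from_dpkg() {
    awk '($1 == "ii" || $1 == "rc") && $2 ~ /^python-/ { sub(/:.*$/, "", $2); print $2 }'
}

# count_python_pkgs (stdin: dpkg --list output) -> number of packages selected
count_python_pkgs() { python_pkgs_from_dpkg | wc -l | tr -d ' '; }

# purge_plan (stdin: dpkg --list output) -> the dpkg commands the loop would run,
# printed instead of executed
purge_plan() {
    python_pkgs_from_dpkg | while read -r pkg; do
        echo "dpkg --force-depends --purge $pkg"
    done
}

if [ "${0##*/}" = "purge-plan.sh" ]; then
    dpkg --list | purge_plan
fi
```

Run `dpkg --list | ./purge-plan.sh | tee python-purge.txt` as root first; if the plan contains packages you did not expect, the "Manual" procedure with its fixed list is the safer choice.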
## Hints
### How to place the dshield sensor / honeypot
This dshield sensor and honeypot is meant to analyze Internet-related traffic only, i.e. traffic that originates from public IP addresses:
- this is due to how the dshield project works (collection of information about the current state of the Internet)
- only in this way can information which is interesting for the Internet security community be gathered
- only in this way can it be ensured that no internal, non-public information is leaked from your Pi to DShield
So you must place the Pi on a network where it can be exposed to the Internet (and won't be connected to from the inner networks, except for administrative tasks). For maximum sensor benefit, the Pi should be exposed to all the traffic the Internet routes to a public IP (and not only selected ports).
For SoHo users there i