Modern Honeypot Network / MHN on Raspberry PI 3 - HOWTO GUIDE


#1

I would not recommend using the unsupported version in this first post. This will get the core of MHN set up, but I had issues with the two supported honeypots from the deploy menu for Raspberry PI. Please review the second post after this initial post. Additionally, the third post will give an overview of how to forward the logs to Splunk.

Summary

I am posting to the forum to provide a howto guide on setting up MHN on a Raspberry PI 3. This was a fun project nonetheless; while MHN is supported on various operating systems, there was no support for Raspbian until now.

I had to do several tweaks and workarounds that are outlined below.

Hardware & Software Used

Raspberry PI 3
2017-08-16-raspbian-stretch-lite.img (This is a headless option for Raspbian; remember to create the blank ssh file on the root of the SD card to activate SSH upon boot)

Default Raspbian settings

user: pi
pass: raspberry

Setup Howto

sudo apt-get install dirmngr
cd /opt/
sudo apt-get install git -y
sudo git clone https://github.com/threatstream/mhn.git
sudo chown -R pi:pi /opt/mhn/
cp /opt/mhn/scripts/install_mongo.sh /opt/mhn/scripts/install_mongo.sh.bak
sudo echo "apt-get install mongodb-server -y" > /opt/mhn/scripts/install_mongo.sh
chmod 755 /opt/mhn/scripts/install_mongo.sh
sudo apt-get install python-setuptools -y
sudo apt-get install python-dev -y
sudo apt-get install mongodb -y
sudo easy_install uWSGI
sudo apt-get install python-openssl -y
sed -i 's/uWSGI==2.0.14/#uWSGI==2.0.14/g' /opt/mhn/server/requirements.txt

cd mhn/
sudo ./install.sh

mhn-uwsgi

sudo ln -n /usr/bin/uwsgi /opt/mhn/env/bin/

hpfeeds-broker

mv /opt/hpfeeds/env/lib/python2.7/site-packages/OpenSSL /opt/hpfeeds/env/lib/python2.7/site-packages/OpenSSL.old
cp -r /usr/lib/python2.7/dist-packages/OpenSSL /opt/hpfeeds/env/lib/python2.7/site-packages/

honeymap

Below is the error message. I have tried and tried to get this portion to work; if and once I figure this out I will update this section, or if anyone in the community figures this out, let me know. As far as I can tell only the map portion does not work; without this running the software functions as intended, but with no maps.

honeymap FATAL can't find command '/opt/honeymap/server/server'

Status Checking & Other Commands

If after the steps above you notice one of the services is showing not running, then you can restart it.

supervisorctl status (checks status)

In this example set I am using the mhn-uwsgi component of MHN
supervisorctl restart mhn-uwsgi (restarts an individual component of mhn)
supervisorctl start mhn-uwsgi (starts an individual component of mhn)
supervisorctl stop mhn-uwsgi (stops an individual component of mhn)

supervisorctl restart all (restarts all components)

Final Note

The remaining prompts are self-explanatory as far as the options and setup go. If you have any questions, reply to this thread and I will do my best to respond.
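
As an added example (not from the original post), a small POSIX shell helper for the status checking described above: it parses supervisorctl status output, lists the components that are not RUNNING, and prints the per-component restart command. The sample output is constructed, not captured from a real Pi, and uses the component names mentioned in this thread.

```shell
#!/bin/sh
# Added example: check MHN components from `supervisorctl status` output.
# SAMPLE_STATUS is constructed (not captured from a real Pi); the honeymap
# line mirrors the FATAL message quoted in the post above.
SAMPLE_STATUS="mhn-uwsgi                        RUNNING   pid 1201, uptime 0:12:45
hpfeeds-broker                   RUNNING   pid 1187, uptime 0:12:46
honeymap                         FATAL     can't find command '/opt/honeymap/server/server'"

# Components the posts expect to see (honeymap is known to fail on the Pi 3).
MHN_EXPECTED="mhn-uwsgi hpfeeds-broker honeymap"

# Read supervisorctl status output on stdin; print "name state" for every
# program whose state column is anything other than RUNNING.
not_running() {
    awk 'NF >= 2 && $2 != "RUNNING" { print $1, $2 }'
}

# Return 0 only when every program named in $1 reports RUNNING in the
# status output read from stdin; a missing program counts as not running.
all_running() {
    wanted="$1"
    status=$(cat)
    for p in $wanted; do
        state=$(printf '%s\n' "$status" | awk -v n="$p" '$1 == n { print $2 }')
        [ "$state" = "RUNNING" ] || return 1
    done
    return 0
}

# Print (do not run) the supervisorctl restart command for each failing
# program, i.e. the per-component restart from the "Status Checking" section.
restart_hint() {
    not_running | awk '{ print "supervisorctl restart " $1 }'
}

# Stand-alone demonstration on the constructed sample. On a real host replace
# the printf with: supervisorctl status | not_running
printf '%s\n' "$SAMPLE_STATUS" | not_running
printf '%s\n' "$SAMPLE_STATUS" | restart_hint
```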


#2

According to the documentation on GitHub, MHN is supported on the following:

The MHN server is supported on Ubuntu 12, Ubuntu 14, and Centos 6.7.

Which does not include any version of stretch, which I was able to successfully install (minus getting honeymap working) in the prior post on this thread. The chart below maps Ubuntu version to corresponding Raspbian version to corresponding Debian version.

The MHN install script will more than likely ONLY fully work with the versions of Ubuntu mentioned above, and the docs also mention it was tested on Ubuntu Server; however, I bet the Ubuntu desktop version would just work for an out-of-box solution.

Ubuntu to Raspbian to Debian

Version  Codename  Debian base
17.04    zesty     stretch / sid
16.10    yakkety   stretch / sid
16.04    xenial    stretch / sid
15.10    wily      jessie / sid
15.04    vivid     jessie / sid
14.10    utopic    jessie / sid
14.04    trusty    jessie / sid
13.10    saucy     wheezy / sid
13.04    raring    wheezy / sid
12.10    quantal   wheezy / sid
12.04    precise   wheezy / sid
11.10    oneiric   wheezy / sid
11.04    natty     squeeze / sid
10.10    maverick  squeeze / sid
10.04    lucid     squeeze / sid

Now I did more testing and I was able to get the core MHN working with the prior directions, but it was a nightmare to get the two supported honeypots for the Raspberry PI, dionaea and kippo, to work using the install/deploy commands provided by the web interface.

Moving forward, I tried to match up the closest Raspbian version image I could use to the closest supported Ubuntu version to see if I could get something working out of the box. I could not get an out-of-box solution, but I was able to use the below image and get both Dionaea and Kippo running perfectly fine. The ONLY component still not working is honeymap, and this will not work with the install scripts because the Raspberry PI 3 hardware is armv7 and the install scripts try to pull an i386 arch version of golang, which is the language honeymap is programmed in. I am still trying to figure out a solution to the honeymap issue. The below directions are what I have done to get an almost perfectly running MHN on a Raspberry PI 3, this time requiring only very few tweaks.

Old image used, downloaded from the archives: 2016-02-09-raspbian-jessie.img

default user: pi
default pass: raspberry

Core Setup

  1. raspi-config: expand the operating system to use the full SD card (on older versions of Raspbian you have to do this)
  2. sudo apt-get install dirmngr
  3. cd /opt
  4. sudo git clone https://github.com/threatstream/mhn.git
  5. cp /opt/mhn/scripts/install_mongo.sh /opt/mhn/scripts/install_mongo.sh.bak
  6. echo "apt-get install mongodb-server -y" | sudo tee /opt/mhn/scripts/install_mongo.sh
  7. sudo chmod 755 /opt/mhn/scripts/install_mongo.sh
  8. cd mhn/
  9. ./install.sh
  10. You will have to answer prompts and most are self-explanatory
  11. After the install script finishes (this will take some time), log into your MHN through the web console
  12. Copy the dionaea install command for Raspberry Pi and run that on the command line
  13. Then copy the kippo command and do the same
  14. supervisorctl restart all
  15. supervisorctl status to verify everything is running except honeymap

Important Note
The install scripts will swap your ssh port to 2222 and kippo will mimic an ssh server on the default port 22. Do not forget to port forward whichever services on your router to get the benefit of your MHN deployment.


#3

I have been able to successfully get MHN logs forwarded to Splunk. There is a Splunk forwarder for armv6, so I suppose there is some backward compatibility between the armv7 arch and armv6, since the PI 3 is armv7.

Here are the steps

  1. cd /opt/mhn/scripts
  2. ./install_hpfeeds-logger-splunk.sh
  3. After the script finishes, verify hpfeeds-logger-splunk is running with supervisorctl status
  4. A log file will be generated at /var/log/mhn/mhn-splunk.log
  5. Download the universal armv6 forwarder and upload it to the PI 3
  6. tar -xvf splunkforwarder-6.6.3-e21ee54bc796-Linux-arm.tgz
  7. mv splunkforwarder /opt/splunkforwarder
  8. cd /opt/splunkforwarder/bin
  9. ./splunk start and accept the license
  10. On Splunk, set up a receiver listening on 9997 in Settings > Forwarding and receiving > Configure receiving > Add new
  11. On the PI 3: ./splunk add forward-server 192.168.1.20:9997
  12. ./splunk add monitor /var/log/mhn/mhn-splunk.log

Now you can download the MHN Splunk app and install it to get a good overview of the honeypot data from within Splunk; there are also some really nice built-in dashboards.

Enjoy!!


#4

These instructions are no longer working for Raspberry Pi 3 B+. The script does not work. Please update and configure the script to work.


#5

Are you sure you followed the second set of directions?

The second set of directions should work; make sure you are selecting the correct OS I used as well.


#6

Which steps should I follow?