RaspberryPi_Setup.md
Raspberry Pi Setup Guide
This guide covers setting up Debian (Raspberry Pi OS) on a Raspberry Pi for running the honeypot service.
Prerequisites
- Raspberry Pi OS (Lite recommended) installed using Raspberry Pi Imager.
- SSH enabled during imaging or via raspi-config.
System Hardening
Initial Setup & User Security
- Do not use the default 'pi' user: If using an older image, create a new user and delete the pi user. Modern Raspberry Pi Imager versions prompt you to create a custom user.
- Disable Auto-login: Ensure the system boots to a login prompt.
- Use Strong Passwords: Always use unique, complex passwords for all accounts.
System Updates
Ensure the system is always up to date. Install unattended-upgrades to automatically apply security patches:
sudo apt update && sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
SSH Hardening
Edit /etc/ssh/sshd_config to apply the following security measures:
- Change the SSH port:
  Port 31096
- Disable Root Login:
  PermitRootLogin no
- Enable Key-Based Authentication: Generate an SSH key pair on your local machine and copy it to the Pi:
  ssh-copy-id -p 31096 <user>@<raspberry-pi-ip>
- Disable Password Authentication (Optional but recommended after verifying key access):
  PasswordAuthentication no
Restart SSH service:
sudo systemctl restart ssh
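To confirm the settings above are actually in effect (ideally while your current SSH session is still open), the effective configuration printed by `sshd -T` can be checked against them. This is an added example, not part of the original guide or the honeypot project; `audit_sshd` is a hypothetical helper name, and the port 31096 is the one used in this guide.

```sh
#!/bin/sh
# Added example: audit effective sshd settings against this guide's values.
# Reads `sshd -T` output ("keyword value" lines, lowercase keywords) on stdin.
# audit_sshd is a hypothetical helper name, not part of the honeypot project.
# Usage on the Pi:  sudo sshd -T | audit_sshd 31096

audit_sshd() (
    # Subshell body keeps the helper variables and functions out of the caller.
    expected_port="$1"
    input="$(cat)"
    failures=0

    # All values reported for a keyword, comma-joined (sshd can listen on
    # several ports, so a leftover "Port 22" must not go unnoticed).
    get() {
        printf '%s\n' "$input" |
            awk -v k="$1" '$1 == k { v = (v == "" ? $2 : v "," $2) } END { print v }'
    }

    check() {   # check <keyword> <expected value>
        actual="$(get "$1")"
        if [ "$actual" = "$2" ]; then
            echo "OK   $1 = $actual"
        else
            echo "FAIL $1 = ${actual:-<unset>} (expected $2)"
            failures=$((failures + 1))
        fi
    }

    check port "$expected_port"
    check permitrootlogin no
    check pubkeyauthentication yes
    check passwordauthentication no

    [ "$failures" -eq 0 ]   # exit status: 0 only if every check passed
)

# Run the audit when called with a port argument, e.g. ./audit.sh 31096
[ "$#" -eq 0 ] || audit_sshd "$1"
```

A non-zero exit status means at least one setting differs from the guide; the FAIL lines name the keyword and the value sshd is really using.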
Firewall Setup
Install nftables:
sudo apt update
sudo apt install nftables
Create a firewall rule for SSH in /etc/nftables.conf:
add rule inet filter input tcp dport 31096 accept comment "Allow SSH"
Example nftables.conf
A basic /etc/nftables.conf for Debian should look like this:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Allow established/related traffic
        ct state established,related accept
        # Allow loopback
        iifname "lo" accept
        # Allow SSH (on non-standard port)
        tcp dport 31096 accept comment "Allow SSH"
        # Honeypot rules will be added here automatically by the service
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Enable and start nftables service:
sudo systemctl enable nftables
sudo systemctl start nftables
Intrusion Prevention (Fail2ban)
Install fail2ban to protect against brute-force attacks:
sudo apt install fail2ban
Create a local configuration for SSH:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Ensure the SSH jail is enabled and uses the correct port (example in /etc/fail2ban/jail.local):
[sshd]
enabled = true
port = 31096
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Restart Fail2ban:
sudo systemctl restart fail2ban
Note
Fail2ban is recommended if you expose your Raspberry Pi's SSH port to the internet.
Disable Unnecessary Services
Reduce the attack surface by disabling services you don't need (e.g., Bluetooth, Wi-Fi if using Ethernet):
Required Packages
sudo apt update
sudo apt install golang libpcap-dev jq
Build the Honeypot
- Download the latest release or clone the repository
- Build the honeypot
go build -o /opt/honeypot/honeypot .
Service Installation
- Copy the service files to the system:
sudo cp systemd/honeypot.service /etc/systemd/system/honeypot.service
sudo cp systemd/honeypot-firewall.sh /usr/local/bin/honeypot-firewall.sh
sudo chmod +x /usr/local/bin/honeypot-firewall.sh
This expects the honeypot to be installed in /opt/honeypot/. You can change this by editing the ExecStart line in systemd/honeypot.service.
- Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable honeypot
sudo systemctl start honeypot
Service Management
Check Status
sudo systemctl status honeypot
View Logs
tail -f /opt/honeypot/honeypot.log
The service will automatically configure nftables rules for the configured ports on startup and remove them on shutdown.