piTrap is a simple Docker image for the Raspberry Pi containing arpwatch and pyscanlogd.
Description

https://github.com/svnk42/pitrap

piTrap is a simple Docker image containing arpwatch and pyscanlogd, which can be configured to send the respective log files to an external syslog server. The purpose of piTrap is to monitor network segments for suspicious activity and trigger alerts via an external syslog server.

In the current version only logging to the Papertrail backend is preconfigured. I'm currently evaluating others, so feel free to send suggestions.

The idea behind piTrap is not new. In fact, I got inspired by an article from 1998 in Phrack Magazine and the relatively new Thinkst Canaries. I wanted a solution that is portable and also runs on small devices, such as the Raspberry Pi.

Disclaimer: I just put all the stuff together, so credits should go to the developers of arpwatch and pyscanlogd.

Note: This Docker image is in a very early stage and should not be used in a production environment. The image uses the host network, which allows access to local network services. Don't run this image on a critical or important host.

Base image

The Docker base image is based on a Raspbian image provided by resin for the Raspberry Pi. This base image was upgraded and saved in a separate Docker Hub repository.

I used a current version of Arch Linux for the Raspberry Pi as the Raspberry Pi OS. Docker can easily be installed via the pacman package management tool.

$ pacman -S docker

Log Management Configuration

In the current version only Papertrail can be used as a remote syslog backend. It is not hard to reconfigure the Dockerfile for alternative syslog servers, but Papertrail should work out-of-the-box.

The Papertrail host and port configuration is passed to the image via the environment variable LOG_ENDPOINT (see Running the docker image).

papertrail bundle

Logging to Papertrail is configured using a TLS connection, so the certificate bundle needs to be included in the Docker configuration. The bundle was downloaded from https://papertrailapp.com/tools/papertrail-bundle.pem.

It is recommended to check for any changes in the Papertrail documentation.

Setting the hostname

You can set the hostname of the image via the HOSTNAME environment variable (see Running the docker image). By default the hostname is set to pitrap.

Build the image

To build this Docker image, just run

$ docker build -t <name>:<tag> .

If you don't want to build it yourself, you can pull it from Docker Hub.

$ docker pull svnk/pitrap

Running the docker image

The following command can be used to run the Docker image:

$ docker run -d \
  --restart=unless-stopped \
  --cap-add=SYS_ADMIN \
  --env HOSTNAME=myhostname \
  --env LOG_ENDPOINT=<papertrail-host:port> \
  --net=host \
  pitrap:v0.7

  • SYS_ADMIN is required to set the hostname; if you don't need this, leave it out.
  • HOSTNAME will be the hostname (surprise...).
  • LOG_ENDPOINT is the log destination (host and port) as provided by Papertrail.
  • --net=host is required to access the ethernet interface. The network stack will not be containerized, which allows the container to access local network services.
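As an added example (not part of the piTrap project), a small POSIX shell wrapper that applies the notes above: it checks that LOG_ENDPOINT really is a host:port pair before anything is started, and only grants SYS_ADMIN when a HOSTNAME is actually requested, so the container runs with the smaller capability set by default. The image tag and hostname values are placeholders; the endpoint is assumed to be a DNS name or IPv4 address (an IPv6 literal would need bracket handling that is not shown here).

```shell
#!/bin/sh
# Added example, not piTrap's own code: build the `docker run` argument
# list for piTrap with the least privilege the chosen options need.

# Accept "<host>:<port>" as used for LOG_ENDPOINT (hostname or IPv4 only).
# Returns 0 when well-formed, 1 otherwise.
valid_log_endpoint() {
  ep=$1
  host=${ep%:*}    # everything before the last colon
  port=${ep##*:}   # everything after the last colon
  # No colon at all, or an empty host part, is rejected.
  [ -n "$host" ] && [ "$host" != "$ep" ] || return 1
  # Port must be purely numeric ...
  case $port in
    ''|*[!0-9]*) return 1 ;;
  esac
  # ... and inside the valid TCP range.
  if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
    return 0
  fi
  return 1
}

# Print the docker run arguments, one per line.
#   $1 = image (e.g. pitrap:v0.7), $2 = LOG_ENDPOINT, $3 = optional HOSTNAME
# SYS_ADMIN is only added when a hostname is given, matching the README note.
pitrap_run_args() {
  image=$1; endpoint=$2; hostname=${3:-}
  valid_log_endpoint "$endpoint" || {
    echo "invalid LOG_ENDPOINT '$endpoint' (expected host:port)" >&2
    return 1
  }
  printf '%s\n' run -d --restart=unless-stopped --net=host
  if [ -n "$hostname" ]; then
    printf '%s\n' --cap-add=SYS_ADMIN --env "HOSTNAME=$hostname"
  fi
  printf '%s\n' --env "LOG_ENDPOINT=$endpoint" "$image"
}

# Convenience wrapper: validate, then start the container.
# Values must not contain whitespace (they are word-split on purpose).
pitrap_run() {
  args=$(pitrap_run_args "$@") || return 1
  # shellcheck disable=SC2086
  docker $args
}
```

Example: `pitrap_run pitrap:v0.7 logs.example.net:514` starts the sensor without SYS_ADMIN, while `pitrap_run pitrap:v0.7 logs.example.net:514 sensor01` adds the capability because a hostname was requested.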
Owner: svnk
