piTrap is a simple Docker image containing arpwatch and pyscanlogd, which can be configured to send the respective log files to an external syslog server. The purpose of piTrap is to monitor network segments for suspicious activity and trigger alerts via an external syslog server.
In the current version only logging to the Papertrail backend is preconfigured. I'm currently evaluating others, so feel free to send suggestions.
The idea behind piTrap is not new. In fact, I was inspired by a 1998 article in Phrack Magazine and by the relatively new Thinkst Canaries. I wanted a solution that is portable and also runs on small devices such as the Raspberry Pi.
Disclaimer: I just put all the stuff together, so credits should go to the developers of arpwatch and pyscanlogd.
Note: This Docker image is in a very early stage and should not be used in a production environment. The image uses the host network, which allows access to local network services. Don't run this image on a critical or important host.
The Docker base image is based on a Raspbian image provided by resin for the Raspberry Pi. This base image was upgraded and saved in a separate Docker Hub repository.
I used a current version of Arch Linux for the Raspberry Pi as the Raspberry Pi OS. Docker can easily be installed via the pacman package management tool:
$ pacman -S docker
Log Management Configuration
In the current version only Papertrail can be used as a remote syslog backend. Reconfiguring the Dockerfile for an alternative syslog server is not hard, but Papertrail works out of the box.
The Papertrail host and port configuration is passed to the image via the environment variable LOG_ENDPOINT (see Running the docker image).
Logging to Papertrail is configured using a TLS connection, so the certificate bundle needs to be included in the Docker configuration. The bundle was downloaded from https://papertrailapp.com/tools/papertrail-bundle.pem.
It is recommended to check the Papertrail documentation for changes to the bundle before relying on the copy shipped with the image.
Setting the hostname
You can set the hostname of the image via the HOSTNAME environment variable (see Running the docker image). By default the hostname is set to
Build the image
To build this Docker image, run:
$ docker build -t <name>:<tag> .
If you don't want to build it yourself, you can pull it from Docker Hub:
$ docker pull svnk/pitrap
Running the docker image
The following command can be used to run the Docker image:
$ docker run -d --restart=unless-stopped \
    --cap-add=SYS_ADMIN \
    --env HOSTNAME=myhostname --env LOG_ENDPOINT=<papertrail-host:port> \
    --net=host \
    pitrap:v0.7
SYS_ADMIN is required to set the hostname; if you don't need this, leave it out.
HOSTNAME will be the hostname (surprise...).
LOG_ENDPOINT is the log destination (host and port) as provided by Papertrail.
--net=host is required to access the ethernet interface. The network stack will not be containerized, which gives the container access to local network services.
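The run command above takes LOG_ENDPOINT as a single host:port string and relies on a PEM certificate bundle for the TLS connection described under Log Management Configuration. The following POSIX shell script is an added example, not part of piTrap or its Dockerfile: it validates those two inputs on the host before the container is started, so a malformed endpoint or a missing/empty bundle fails with a clear message instead of producing a container that silently sends no logs. The function names, the bundle path and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not piTrap code): pre-flight checks for the settings the
# piTrap container expects. All function names and sample values are
# constructed for this example.

# parse_log_endpoint HOST:PORT
#   Prints "HOST PORT" on stdout and returns 0 if the value has the shape the
#   image expects (a hostname, a colon, a numeric port in 1..65535).
#   Returns 1 otherwise. Bracketed IPv6 literals are deliberately not handled.
parse_log_endpoint() {
  ep=$1
  host=${ep%:*}     # everything before the last colon
  port=${ep##*:}    # everything after the last colon
  # No colon at all leaves host == ep; an empty host is also invalid.
  [ -n "$host" ] && [ "$host" != "$ep" ] || return 1
  case $port in
    ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  printf '%s %s\n' "$host" "$port"
}

# check_pem_bundle FILE
#   Returns 0 if FILE is readable and contains at least one PEM certificate
#   block; an empty or truncated bundle would otherwise only surface as a
#   TLS failure inside the container.
check_pem_bundle() {
  [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# build_run_cmd HOSTNAME LOG_ENDPOINT IMAGE
#   Prints the docker run command line from the README with the validated
#   values filled in. Returns 1 without printing anything if the endpoint is
#   malformed, so a caller can do: eval "$(build_run_cmd ...)" || exit 1
build_run_cmd() {
  hn=$1
  ep=$2
  img=$3
  parse_log_endpoint "$ep" >/dev/null || return 1
  printf 'docker run -d --restart=unless-stopped --cap-add=SYS_ADMIN --env HOSTNAME=%s --env LOG_ENDPOINT=%s --net=host %s\n' \
    "$hn" "$ep" "$img"
}

# Example invocation with constructed values; the bundle path is an assumption.
if [ "${PITRAP_PREFLIGHT_DEMO:-0}" = "1" ]; then
  check_pem_bundle ./papertrail-bundle.pem || echo "bundle missing or not PEM" >&2
  build_run_cmd myhostname logs.example.com:12345 pitrap:v0.7 || echo "bad LOG_ENDPOINT" >&2
fi
```

Setting PITRAP_PREFLIGHT_DEMO=1 runs the two checks once; otherwise the file only defines the functions so it can be sourced from a wrapper script. The endpoint parser is intentionally strict about the port because a typo there is the most common reason a freshly started sensor never shows up in the log backend.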