dshield's Issues

IPv6 unhandled

IPv6 was unhandled (e.g. no firewall rules). This may create some issues. Pull Request #38 disables IPv6.

After git pull/install.sh, no firewall reports... (8-May-2017)

After doing the following:

git pull
sudo bin/install.sh
reboot

I noticed that my firewall/ssh logs stopped updating.

pi@TRP2HP:~/dshield $ sudo bin/status.sh
API Key configuration ok
...
Last Web Log Received:
Last 404 Log Received:
Last ssh Log Received: 2017-05-08 15:45:31
Last ssh Firewall Log Received: 2017-05-08 16:40:03
Current Time/Date: 2017-05-08 16:44:11

I found that

pi@TRP2HP:~/dshield/bin $ sudo /srv/dshield/pifwparser.py
Traceback (most recent call last):
  File "/srv/dshield/pifwparser.py", line 11, in <module>
    from DShield import DshieldSubmit
ImportError: No module named DShield

is likely the cause. The prior version ran dshield.pl instead.

pi@TRP2HP:~/dshield $ more /etc/cron.d/dshield
10,40 * * * * root /srv/dshield/pifwparser.py

I changed the /etc/cron.d/dshield to run /srv/dshield/dshield.pl instead, and my submissions are going through again.

Looks like the Python module 'DShield' is missing from the current distribution.

MySQL error on update/install.sh

Updated via git pull, then ran install.sh again; the install.sh script noticed that the MySQL database was already created and asked whether to reinitialize MySQL. On that, this error showed:

ERROR 1049 (42000): Unknown database 'create schema cowrie'

404 reports not uploading?

I've noticed that I'm not getting any 404 reports on the dshield website:

Last 404 Log Received: 2017-08-25 01:30:04
Last ssh Log Received: 2017-09-22 18:47:23
Last ssh Firewall Log Received: 2017-09-22 19:00:30
Current Time/Date: 2017-09-22 19:26:31

I've done a git pull, sudo bin/install.sh with the latest version 2 days ago, but no 404 joy yet...

Enhance "ssh Report"

Because the honeypot now also tracks telnet login attempts, the dshield ssh Report should be enhanced to show which service the credentials were tried against, and perhaps be renamed to "login reports" or similar.

RPi2b+raspian-Jessie-lite collector working, but not submitting to dshield

I show data is being collected using status.sh, but it never shows up in dshield.


I see entries in /var/log/dshield.log and in /var/log/mini-httpd.log for 404s and in /srv/cowrie/log both cowrie.json and cowrie.log are updating. I think I'm getting traffic, it's just not auto-uploading to dshield.

What should I check out to get it to update to dshield regularly?

Best regards,
Ken

weblogsubmit.py is running, but no submissions ?

I've manually moved in julrich's fix to weblogsubmit.py to /srv/dshield/weblogsubmit.py.

Cron shows it running every 30 minutes

Jul 23 18:03:01 TRP2HP CRON[12912]: (root) CMD (cd /srv/dshield; ./weblogsubmit.py)
Jul 23 18:33:01 TRP2HP CRON[23743]: (root) CMD (cd /srv/dshield; ./weblogsubmit.py)
Jul 23 19:03:01 TRP2HP CRON[470]: (root) CMD (cd /srv/dshield; ./weblogsubmit.py)
Jul 23 19:33:01 TRP2HP CRON[9297]: (root) CMD (cd /srv/dshield; ./weblogsubmit.py)
Jul 23 20:03:01 TRP2HP CRON[18605]: (root) CMD (cd /srv/dshield; ./weblogsubmit.py)

but nothing shows on Dshield or via status

Last Web Log Received:
Last 404 Log Received:
Last ssh Log Received: 2017-07-23 19:45:26
Last ssh Firewall Log Received: 2017-07-23 20:05:11
Current Time/Date: 2017-07-23 20:09:03

Is there something else I should check? (Basic build is with #54 installed.)

install error when adding cowrie user

Added user cowrie
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
bin/install.sh: line 496: [: -eq: unary operator expected
Enter password:

Error submitting web logs

The Python script called by the cron job to submit web logs errors out:

root@raspberrypi:/srv/dshield# cd /srv/dshield; ./weblogsubmit.py
/etc/dshield.ini
Traceback (most recent call last):
  File "./weblogsubmit.py", line 49, in <module>
    logdata['sip']=d.anontranslateip4((r[1]))
  File "/srv/dshield/DShield.py", line 126, in anontranslateip4
    ip=self.translateip4(ip)
  File "/srv/dshield/DShield.py", line 113, in translateip4
    return self.long2ip4(ip)
  File "/srv/dshield/DShield.py", line 151, in long2ip4
    return socket.inet_ntoa(struct.pack('!I', ip))
struct.error: integer out of range for 'I' format code

Note: the pid file /var/run/weblogparser.pid has to be deleted to re-run the script.
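
As an added example (not DShield's own code and not part of this issue), a hypothetical re-implementation of the long-to-IPv4 conversion that rejects values struct.pack('!I') cannot encode and skips such rows instead of aborting the whole submission run; the row layout, the sample values and the anonymize_ip4 stand-in for anontranslateip4 are assumptions.

```python
import socket
import struct

IPV4_MAX = 0xFFFFFFFF  # largest value struct's '!I' (unsigned 32-bit) can encode


def ip42long(ip):
    """Dotted-quad string -> unsigned 32-bit integer (ValueError on bad input)."""
    return struct.unpack('!I', socket.inet_aton(ip))[0]


def long2ip4(value):
    """Integer -> dotted quad.

    Validates the range first so that a bad database value surfaces as a
    ValueError at the call site instead of a struct.error deep inside the
    submission loop (the failure shown in the traceback above).
    """
    if not isinstance(value, int) or not 0 <= value <= IPV4_MAX:
        raise ValueError('not a 32-bit unsigned IPv4 value: %r' % (value,))
    return socket.inet_ntoa(struct.pack('!I', value))


def anonymize_ip4(value, first_octet=10):
    """Hypothetical stand-in for anontranslateip4: keeps the host part of the
    address but replaces the first octet so the sensor's own range is not sent."""
    quad = long2ip4(value).split('.')
    quad[0] = str(first_octet)
    return '.'.join(quad)


def build_submissions(rows):
    """Walk rows of (timestamp, sip_as_long, dport) as a web-log table might
    hold them. Rows whose sip cannot be converted are collected with the reason
    rather than raising, so one corrupt row does not stop the whole upload."""
    good, skipped = [], []
    for row in rows:
        try:
            good.append({'time': row[0], 'sip': anonymize_ip4(row[1]), 'dport': row[2]})
        except (ValueError, OverflowError, struct.error) as exc:
            skipped.append((row, str(exc)))
    return good, skipped


# Constructed sample rows, not real DShield data.
SAMPLE_ROWS = [
    ('2017-07-23 19:45:26', 3232235908, 80),   # 192.168.1.132, a valid value
    ('2017-07-23 19:46:01', -1, 80),            # negative: signed column read as address
    ('2017-07-23 19:46:10', 2 ** 32 + 5, 8000), # wider than 32 bits
    ('2017-07-23 19:46:30', 0, 80),             # 0.0.0.0 is still encodable
]

if __name__ == '__main__':
    ok, bad = build_submissions(SAMPLE_ROWS)
    for entry in ok:
        print(entry)
    for row, why in bad:
        print('skipped %r: %s' % (row, why))
```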

Error in update.sh / twisted install

Just did a

cd dshield
git pull
sudo bin/install.sh

with today's update to install.sh on a running HPot system and receive this error:

User cowrie already exists in OS. Making no changes
cowrie mysql database already exists. not touching it.
Adding / updating cowrie user in MySQL. +checking cowrie dependency: module 'twisted' ...
ERR: is installed in v14.0.2 but must at least be v16.6.0, will be updated
Downloading/unpacking twisted==16.6.0
Downloading Twisted-16.6.0.tar.bz2 (3.0MB): 3.0MB downloaded
Running setup.py (path:/tmp/pip-build-5bc9R3/twisted/setup.py) egg_info for package twisted
Traceback (most recent call last):
  File "<string>", line 3, in <module>
  File "/usr/lib/python2.7/dist-packages/setuptools/command/egg_info.py", line 14, in <module>
    from setuptools.command.sdist import sdist
  File "/usr/lib/python2.7/dist-packages/setuptools/command/sdist.py", line 9, in <module>
    from setuptools import svn_utils
  File "/usr/lib/python2.7/dist-packages/setuptools/svn_utils.py", line 12, in <module>
    from setuptools.py31compat import TemporaryDirectory
  File "/usr/lib/python2.7/dist-packages/setuptools/py31compat.py", line 2, in <module>
    import unittest
  File "/usr/lib/python2.7/unittest/__init__.py", line 58, in <module>
    from .result import TestResult
ValueError: bad marshal data (unknown type code)
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
  File "<string>", line 3, in <module>
  File "/usr/lib/python2.7/dist-packages/setuptools/command/egg_info.py", line 14, in <module>
    from setuptools.command.sdist import sdist
  File "/usr/lib/python2.7/dist-packages/setuptools/command/sdist.py", line 9, in <module>
    from setuptools import svn_utils
  File "/usr/lib/python2.7/dist-packages/setuptools/svn_utils.py", line 12, in <module>
    from setuptools.py31compat import TemporaryDirectory
  File "/usr/lib/python2.7/dist-packages/setuptools/py31compat.py", line 2, in <module>
    import unittest
  File "/usr/lib/python2.7/unittest/__init__.py", line 58, in <module>
    from .result import TestResult
ValueError: bad marshal data (unknown type code)


Cleaning up...
Command python setup.py egg_info failed with error code 1 in /tmp/pip-build-5bc9R3/twisted
Storing debug log for failure in /root/.pip/pip.log
Error upgrading 'twisted'. Aborting.

No MTA installed

Logging:

Feb 17 00:00:04 raspberrypi dshield.pl[26707]: submitting dshield logs SHA1 ok

Feb 17 00:00:04 raspberrypi CRON[26697]: (CRON) info (No MTA installed, discarding output)

... would you like for us to install SMTP or is that a future task on your end?

Any preference on what email service to install if done locally?

Thanks!

-Scott

API Key Verification Failed

Hello Folks,

I'm having an issue getting past the API Key Verification... I'm entering in my email address and AuthKey exactly from account but still getting the failed... I'm curious if it has to do with my [email protected] in my email address.

Thoughts?

No LICENSE file (murky legal waters ahead!)

Please create a LICENSE file to clarify the legal status of the codebase. (Need help choosing a license?)

I license my own contribution, commit 39ad0a1, in the public domain so that it may be licensed properly as part of the project.

The other contributors should be contacted to seek permission before a license is applied to their contributions. If they don’t agree to a license then their contributions should be removed before applying a license.

0 lines on today's report and bounce, nothing showing for graph and table

I get the email every 30 mins saying:

authorized Userid: [removed]
Format: DSHIELD
Timezone: +0000
Lines in file: 13688
Lines rejected: none
Unique lines written to database: 9624
identical lines are added up on import.

but on my report, it always says 0 for today's report (firewall and ssh). Why does it say 0 all the time?
And I also get emails saying that I didn't submit any results. What do I do for that?

Also on "my report" on the graph and table section, no data shows and it's in a constant loop of waiting for data. What can I do to have the data show?

install.sh script fails if dshield is not cloned into user directory

My original installation attempt was to clone dshield into /opt/sans/dshield. This failed, as the installation script apparently assumes that the installation is within the user's home directory. I have not narrowed it down to the exact source of the issue.

Logging filling message/kern.log/dshield.log

Kernel messages are filling all three logs. Not sure if this needs to be considered since most rPI's have limited space. Is there any sort of clean up or consideration of these messages just going to the dshield.log?

Certificate signing with certbot?

Prompt the user for a public hostname, then look up the hostname with an authoritative DNS provider like Google (8.8.8.8). Fully qualified domain name? Does an authoritative DNS provider know about the domain? Great, then we can use Let’s Encrypt to get a properly signed certificate! Install and use certbot to obtain certificates from Let’s Encrypt, and use these certificates instead of self-signing or asking the user to submit to a CA.

certbot needs port 80 once per week to function. A cronjob set to run weekly could run systemctl stop webpy.service && certbot renew ; systemctl start webpy.service to keep certbot happy and the certificates fresh.

Automatic Update should be opt-in

currently /etc/cron.hourly/dshield is configured for automatic updates of the honeypot distribution

IMHO automatic update should be opt-in, information about updates may be default

no log path

There is no place in the documentation that tells the path to the logs the honeypot collects.

What to do after install

I've followed the instructions on the ISC diary entry, but it's a little unclear about what to do after the installation to make sure it's working.

Are there any additional steps that need to be taken after install?

Rebuilt RPi2 honeypot, but doesn't seem to be accepting/recording SSH via cowrie

My RPi2 running jessie lite seized up and had to be rebuilt. I used 2016-09-23-raspbian-jessie-lite image on a 32GB card, did password, hostname, file system expansion, reboot,
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install git
git clone https://github.com/DShield-ISC/dshield.git
sudo dshield/bin/install.sh

Followed all the prompts of the install.sh script and it successfully completed. Rebooted, then opened the DMZ to its IP address.

Running bin/status.sh shows the SSH firewall logs are flowing upward, but the Last ssh Log Received: 2016-10-10 04:18:35 is stuck in the past. Tried connecting to the cowrie SSH honeypot on 22 and 2222, and get 'connection refused'. I'm not sure the cowrie honeypot is fully functional..

Where should I look next?

dshield logs wrong for honeypot ports

The logging to dshield was done after rewriting the port for the honeypot so the logging to dshield was wrong (access to 22, but reported 2222). Should be solved with Pull Request #38.

mySQL error, and not updating SSH attempts on dshield

I've updated the rpi and done a git pull/sudo bin/install.sh in the dshield directory. Also had the install.sh script remove/reinstall mySQL.
I see this in the cowrie.log:

2016-05-22 13:31:50-0700 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.1.104] login attempt [pi/raspberry] failed
2016-05-22 13:31:50-0700 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.1.104] RCP: got error (1044, "Access denied for user 'cowrie'@'localhost' to database 'cowrie'"), retrying operation
2016-05-22 13:31:50-0700 [-] 'MySQL Error:'
2016-05-22 13:31:51-0700 [-] dshield SUCCESS: Sent 53 bytes worth of data to secure.dshield.org
2016-05-22 13:31:51-0700 [-] pi failed auth keyboard-interactive
2016-05-22 13:31:51-0700 [-] unauthorized login:
2016-05-22 13:31:51-0700 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.1.104] pi trying auth keyboard-interactive

2016-05-22 13:32:12-0700 [HoneyPotTransport,0,192.168.1.104] RCP: got error (1044, "Access denied for user 'cowrie'@'localhost' to database 'cowrie'"), retrying operation

I can see my firewall reports are up-to-date, but the ssh/kippo reports haven't been updated for a while.

Last Report: Firewall reports: 2016-05-22 20:12:45
ssh/kippo reports: 2016-05-16 17:20:41
Today's Firewall Reports: 40025 Lines
Current server time: Sun, 22 May 2016 20:37:54 +0000 (day # 736471)

Help?

SSHD config not setting management VLAN

Posted this in the comments on initial ISC diary post:

It looks like the management sshd port is listening on all interfaces:

pi@raspberrypi:~ $ netstat -an| grep 2222
tcp 0 0 0.0.0.0:12222 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.20:12222 192.168.1.147:56176 ESTABLISHED
tcp6 0 0 :::12222 :::* LISTEN

If the management port is to be 12222 then it needs to be bound in the sshd_config. The ListenAddress is not set on a fresh install of Jessie; so not sure if it needs to be preset before the script changes the ssh port.

# What ports, IPs and protocols we listen for
Port 12222
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::
ListenAddress 0.0.0.0

404 Pages

Looking on the ISC site, I saw the 404 project.
With the RaspberryPi DShield, do we need to add in the 404 code snippet into the config to get it to work or is it already done as part of the install?

Cheers.

Checking, if the MySQL root account can connect.

Has anyone had any luck getting this installed on Raspbian "Stretch" Lite? Every time I run the installer, it stops at:

"Checking, if the MySQL root account can connect."

There are no errors displayed, it just never makes it past this stage.

Enhancement: DShield.org site improvement on information related to user/pass attempts

Problem: Something I've noticed when browsing the login attempts in the raw dshield data is lots of username and password combos. Many related to Mirai are obvious, but some are a bit harder to figure out.

Possible Solution: allow a click-through to a page with, or an additional column about, possible applications of the username/password combo. Creating an individual page for each combo could allow for comments about possible sources.

Example:
User | Password | Comment
admin | 7ujMko0admin | Mirai Botnet Scanning
admin | pfsense | Default PFSENSE Login
pi | raspberry | Default Raspberry Pi Login

/srv/cowrie/log

I've been having problems with my Pi stopping reporting or crashing completely. I tracked this down to a memory problem, specifically running out of inodes (all 944704 inodes used in /dev/root). It is a 16 GB SD card.

Once it had got to this stage, it was difficult to track down because of out of memory messages, but running ncdu allowed me to identify that the cause was /srv/cowrie/log, which was filled with hundreds of thousands of documents like cowrie.json.2016_3_16.1.gz.4.gz.1.gz.5.gz.1.1.5.gz.1.1.1.1.1.1.1.1

I don't know whether this is a bug, a problem with the original installation, or a logrotate issue. Once the directory has finally been emptied, I will monitor it to see whether the problem reoccurs, or whether it was a one-off.
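
As an added example (not part of this issue and not DShield or cowrie code), a small Python check for the two symptoms described above: inode exhaustion on the filesystem, and log files that were rotated and compressed again after already being compressed. The name patterns it classifies are an assumption derived from the file name quoted above, and the sample names are constructed.

```python
import os
import re
from collections import Counter

# A compressed log that was picked up by rotation again grows further suffixes
# after ".gz" (e.g. cowrie.json.2016_3_16.1.gz.4.gz.1.gz...). Assumed pattern.
RE_ROTATED_AGAIN = re.compile(r'\.gz\..+')


def classify_log_name(name):
    """Return 'live' (cowrie.json), 'rotated' (one rotation or compression
    suffix) or 'rerotated' (a .gz file that was rotated again)."""
    if RE_ROTATED_AGAIN.search(name):
        return 'rerotated'
    if name.endswith('.gz') or re.search(r'\.\d+$', name):
        return 'rotated'
    return 'live'


def summarize_names(names):
    """Count each class and return the name carrying the most '.gz' suffixes,
    which is the one worth pasting into a bug report."""
    counts = Counter(classify_log_name(n) for n in names)
    worst = max(names, key=lambda n: n.count('.gz'), default=None)
    return dict(counts), worst


def inode_usage(path):
    """Fraction of inodes in use (0.0 to 1.0) on the filesystem holding path.
    df -i shows the same numbers; this is what 'No space left' with free
    blocks usually means on a small SD card."""
    st = os.statvfs(path)
    if st.f_files == 0:  # filesystem does not report inode counts
        return 0.0
    return 1.0 - st.f_ffree / float(st.f_files)


def check_log_dir(path, inode_threshold=0.90):
    """Combine both signals for a directory such as /srv/cowrie/log and
    return a list of human-readable findings (empty when healthy)."""
    counts, worst = summarize_names(os.listdir(path))
    usage = inode_usage(path)
    findings = []
    if usage >= inode_threshold:
        findings.append('inode usage %.0f%% on the filesystem holding %s'
                        % (usage * 100, path))
    if counts.get('rerotated'):
        findings.append('%d re-rotated log files, e.g. %s'
                        % (counts['rerotated'], worst))
    return findings


# Constructed sample directory listing, modelled on the issue.
SAMPLE_NAMES = [
    'cowrie.json',
    'cowrie.log',
    'cowrie.json.1',
    'cowrie.json.2016_3_16.gz',
    'cowrie.json.2016_3_16.1.gz.4.gz.1.gz.5.gz.1.1.5.gz.1.1.1.1.1.1.1.1',
    'cowrie.log.1.gz.1.gz',
]

if __name__ == '__main__':
    print(summarize_names(SAMPLE_NAMES))
    for finding in check_log_dir('/srv/cowrie/log' if os.path.isdir('/srv/cowrie/log') else '.'):
        print(finding)
```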

No new log

Why would you have to have at least one log under /var/log/dshield for dshield.pl to run?

Receiving erroneous "you did not submit any reports today" now.

Noticed since Mon 9/26/2016 I get this error in my email each evening:

Daily DShield Report 2016-09-26
[email protected]
Mon 9/26, 8:03 PM
you did not submit any reports today

I am getting the 30 minute email showing I am indeed submitting them:
Authorized Userid: 123456768
Format: DSHIELD
Timezone: -0400

Lines in file: 73
Lines rejected: none

Unique lines written to database: 72
identical lines are added up on import.

Lines written to database (up to 10):
2016-10-01 11:01:12 -0400 123456768 1 118.233.166.32 34173 192.168.1.132 23 6 S
2016-10-01 11:02:00 -0400 123456768 1 209.126.117.65 5114 192.168.1.132 5060 17
2016-10-01 11:02:04 -0400 123456768 1 0.0.0.0 0 255.255.255.255 0 139
2016-10-01 11:02:22 -0400 123456768 1 212.143.41.173 51989 192.168.1.132 23 6 S
2016-10-01 11:02:44 -0400 123456768 1 0.0.0.0 0 224.0.0.1 0 2
2016-10-01 11:04:04 -0400 123456768 1 0.0.0.0 0 255.255.255.255 0 139
2016-10-01 11:04:08 -0400 123456768 1 203.80.9.60 53 192.168.1.132 60205 17
2016-10-01 11:04:34 -0400 123456768 1 185.94.111.1 33704 192.168.1.132 161 17
2016-10-01 11:04:50 -0400 123456768 1 0.0.0.0 0 224.0.0.1 0 2
2016-10-01 11:04:50 -0400 123456768 1 173.208.198.14 51695 192.168.1.132 8000 6 S

Thanks a lot for your input

NOTE: This message indicates that your log submission was parsed. The
data will be imported into the database shortly.

Subject: FORMAT DSHIELD USERID 12345678 AUTHKEY XXXXXXXXXXXXXXXXXXXXX== TZ -0400 CLIENTNAME RASPI VERSION 0.2
From:
PGP: NO

Web.py hangs from time to time

from time to time web.py stops working (500 read timeout)...

  • is this a bug which can be tracked down?
  • perhaps we should schedule a regular re-start of web.py, e.g. after logfile processing?
    e.g.:
pkill -f "/usr/bin/python /srv/www/bin/web.py"
nohup su -c "cd /srv/www/bin; nohup /usr/bin/python /srv/www/bin/web.py &" cowrie

Enhance firewall starting and closing

I made a few files for using systemd to start the firewall at boot time, after network startup, and at shutdown. It replaces if-pre-up.d/dshield.

File lib/systemd/system/dshieldfirewall_init.service:

# This file is part of the package dshield
#
# Used to start the firewall before the network starts
#
# Designed following the openSUSE firewall ideas
# by Freek de Kruijf
#

[Unit]
Description=Dshield firewall phase 1
Before=network.service
DefaultDependencies=false
Requires=sysinit.target
After=sysinit.target
RequiresMountsFor=/dev/shm
Conflicts=firewalld.service

[Service]
ExecStart=/usr/sbin/iptables-restore /etc/network/iptables-init
RemainAfterExit=true
Type=oneshot

[Install]
WantedBy=multi-user.target
Also=dshieldfirewall.service

File /etc/network/iptables-init:

# Generated by iptables-save v1.6.1 on Fri Sep 22 13:32:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [56:5624]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Fri Sep 22 13:32:04 2017

File lib/systemd/system/dshieldfirewall.service:

# This file is part of the package dshield
#
# Used to start the firewall with honeypot rules
#
# Designed following the openSUSE firewall ideas
# by Freek de Kruijf
#

[Unit]
Description=DShield firewall phase 2
After=network.target nfs-client.target ypbind.service nfs-server.service rpcbind.service dshieldfirewall_init.service
Wants=dshieldfirewall_init.service
Conflicts=firewalld.service

[Service]
ExecStart=/usr/sbin/iptables-restore /etc/network/iptables
ExecStop=/usr/sbin/iptables-restore /etc/network/iptables-stop
RemainAfterExit=true
Type=oneshot

[Install]
WantedBy=multi-user.target
Alias=dshieldfirewall_setup.service
Also=dshieldfirewall_init.service

The mentioned file /etc/network/iptables is generated by the install script.

File /etc/network/iptables-stop:

# Generated by iptables-save v1.6.1 on Fri Sep 22 13:34:48 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Fri Sep 22 13:34:48 2017

The firewall gets started by enabling with "systemctl enable dshieldfirewall.service" and a reboot.

Verify installation and share log data

Hi

Yesterday I set up a raspberry pi with dshield and the installation went all well according to the log file.

I can see in the log files in /var/log/dshield that log entries are generated as the Pi is exposed to the "raw" Internet.

When I enter my site at dshield to see my reports, I don't see any reports from me.

How often does the pi send the reports to the site or am I missing something here?

/Anders

Install fails after entering email/api key

After entering the email and API key manually (ctrl-v did not work), the install fails after reporting that a temp directory could not be found.

Started with a fresh install of raspbian jessie that was updated and was following instructions here:
https://isc.sans.edu/diary/Beta+Testers+Wanted%3A+Use+a+Raspberry+Pi+as+a+DShield+Sensor/20717

there appears to be an issue with libpam-chksshpwd:armhf, not sure how to fix this.

Output from the console

The mail frontend needs a installed 'sendmail', using pager
(Reading database ... 115121 files and directories currently installed.)
Removing mysql-server (5.5.54-0+deb8u1) ...
Removing mysql-server-5.5 (5.5.54-0+deb8u1) ...
Purging configuration files for mysql-server-5.5 (5.5.54-0+deb8u1) ...
Removing mysql-server-core-5.5 (5.5.54-0+deb8u1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up libpam-chksshpwd:armhf (1.1.8-3.1+deb8u2+rpi2) ...
mkdir: cannot create directory ‘/var/lib/chksshpwd/’: File exists
dpkg: error processing package libpam-chksshpwd:armhf (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
libpam-chksshpwd:armhf
E: Sub-process /usr/bin/dpkg returned an error code (1)
The mail frontend needs a installed 'sendmail', using pager
Preconfiguring packages ...
Selecting previously unselected package mysql-server-core-5.5.
(Reading database ... 114942 files and directories currently installed.)
Preparing to unpack .../mysql-server-core-5.5_5.5.54-0+deb8u1_armhf.deb ...
Unpacking mysql-server-core-5.5 (5.5.54-0+deb8u1) ...
Selecting previously unselected package mysql-server-5.5.
Preparing to unpack .../mysql-server-5.5_5.5.54-0+deb8u1_armhf.deb ...
Unpacking mysql-server-5.5 (5.5.54-0+deb8u1) ...
Selecting previously unselected package mysql-server.
Preparing to unpack .../mysql-server_5.5.54-0+deb8u1_all.deb ...
Unpacking mysql-server (5.5.54-0+deb8u1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u6) ...
Setting up libpam-chksshpwd:armhf (1.1.8-3.1+deb8u2+rpi2) ...
mkdir: cannot create directory ‘/var/lib/chksshpwd/’: File exists
dpkg: error processing package libpam-chksshpwd:armhf (--configure):
subprocess installed post-installation script returned error exit status 1
Setting up mysql-server-core-5.5 (5.5.54-0+deb8u1) ...
Setting up mysql-server-5.5 (5.5.54-0+deb8u1) ...
170325 19:13:44 [Warning] Using unique option prefix key_buffer instead of key_buffer_size is deprecated and will be removed in a future release. Please use the full name instead.
170325 19:13:44 [Note] Ignoring --secure-file-priv value as server is running with --bootstrap.
170325 19:13:44 [Note] /usr/sbin/mysqld (mysqld 5.5.54-0+deb8u1) starting as process 10699 ...
Setting up mysql-server (5.5.54-0+deb8u1) ...
Processing triggers for systemd (215-17+deb8u6) ...
Errors were encountered while processing:
libpam-chksshpwd:armhf
E: Sub-process /usr/bin/dpkg returned an error code (1)
"can not find TMPDIR /tmp/dshieldinstw0eOF6n"

AWS Stretch AMI EC2 install issues

When installing on an AWS Stretch AMI (from https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch: debian-stretch-hvm-x86_64-gp2-2017-08-31-64407), I found a number of issues.

- /etc/os-release ID is 'debian' not 'raspbian' (checked in install.sh around lines 274-293). I fixed it by editing /etc/os-release, but it would probably be better to make the install script more aware.

- sshd_config has Port = 22 commented out. NOTE: this is already tracked in issue 79

- several packages were missing from the default install of the AMI: dialog curl zip gcc python-dev default-libmysqlclient-dev libswitch-perl libwww-perl

With these three issues addressed, the install proceeded normally.

Ask all installer questions upfront

Please change the installer to prompt for all questions upfront, and then do the time-consuming tasks afterwards. It’s disrespectful of users’ time to have them sit and wait minutes between questions, only to have them wait several more minutes for the next one. It would also make it quicker and less burdensome for users to set this up. (It would mean users don’t associate DShield with a time-consuming and slow installation process and are more likely to deploy more instances on other networks or repair an instance if it needs looking after.)

Honeypot Ports

Just wondering if it would be beneficial to change the ports used by the honeypot (2222 for ssh, 8000 for http etc) to the defaults? Since the device is only to be used for a honeypot, I do not see any harm in using those well known ports. Could be missing something though too, totally possible :P

mini-httpd.conf configures alternate log location for mini-httpd.log

install.sh creates /var/log/mini-httpd but mini-httpd attempts to write to the non-existent /srv/www/var/log/

install.sh:

creating srv directories

mkdir -p /srv/www/html
mkdir -p /var/log/mini-httpd
chmod 1777 /var/log/mini-httpd

mini-httpd.conf:

logfile=/srv/www/var/log/mini-httpd.log
