Yesterday I bumped into an interesting post on Hackster.io titled ESPCanary Detects If a Hacker Is Spying on Your Network about an Arduino library that turns an ESP8266 or ESP32 into an FTP honeypot. This looks like an inexpensive and interesting option to detect intruders on your network.
"A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems." (Wikipedia)
The concept of the library is that of a honeypot for intruders on your network to trip over, alerting you in case anyone accesses it. This is by no means a separate line of defence, but an additional probe that can be added to a network as an extra way to notice when someone is exploring your network.
For this the library supports configuring a web hook that is called upon login of a user. This can be combined with the free CanaryTokens service of Thinkst Applied Research, who also offer a more advanced commercial product (I have no relation with them and don't know nor endorse their product!).
The library is available on GitHub and through the Arduino library manager and is a clever modification of ESP8266FTPServer (which in turn is an ESP-ready version of Arduino-Ftp-Server). It provides a simple FTP server that can be protected by a specific username and password or simply accept any password (and even any username). The FTP server is fully functional in that it can serve the files present and allows uploads, though any uploaded file is silently ignored and the files available reside in the flash of the ESP module (using the ESP's deprecated SPIFFS filesystem).
Since (at least in my case) the source IP address of an intrusion will generally be an internal IP address, just having an FTP server up and running is not really helpful (other than for getting the initial alert). Therefore it is advisable to plant a few interesting files, which can also be generated with CanaryTokens, on the FTP server.
I got this working today pretty fast on a cheap ESP-01 module and it works fine, though in my setup it still needs some more work to make it really useful, and I have some thoughts about additional functionality. The concept is great: a very simple and cheap solution that begs to be extended. A few things I would like to explore further (when I find time for this) are:
- Create a wired version using ESP or Arduino with a W5500 module
- Make the configuration easier and separate from the firmware
- Use an LED to indicate status and support a button to get in config mode
- Make it easier to find the module (e.g. add mDNS broadcast)
- Support more wires for intruders to trip over (e.g. TELNET, SMTP, HTTP, SSH)
- Look into more ways to log/alert (e.g. e-mail, syslog, SNMP, MQTT)
- Detect Network port scans
Please let me know via the comments what you think and what other features (simple ones please, it’s still only a microcontroller!) might be useful to add.