Security Monitoring at Home With the Raspberry Pi (Part I)
Recently I decided that it’s nothing less than crazy (or maybe just lazy) that I haven’t used what I know as a network and security professional to secure my home network environment. So far I’ve just relied upon the built-in security protections that are the defaults when you set up a modern router. I have a lot of plans, but the first step to having control over security concerns on your network is having visibility into what’s going on in the network. Originally this article was going to be about how to set up the ELK stack on your Raspberry Pi and use it for monitoring at home. As I went along it quickly became “why you shouldn’t try using the ELK stack on your Raspberry Pi.”
I wanted to see how I might make use of my Raspberry Pi 3 that I’ve had for some time now. While looking into options for network monitoring, I came across some great articles that show how to use the ELK (Elasticsearch, Logstash, Kibana) stack for security event monitoring and thought to myself “that would be a great way to do this!”
The Peerlyst article by Chiheb Chebbi linked here provides a detailed explanation of how you might go about security monitoring with the ELK stack. There’s A TON of great info on Threat Hunting in general, not just ELK stack. Chiheb clearly spent quite some time researching, as well as contributed the benefit of his professional experience as a security consultant. Since that article’s intended implementation seems to be a larger platform (ideally the cloud), I then thought I might adapt PJ Hagerty's methods at logz.io to get the job done on the Pi. Boy was I mistaken! When that was written (2017) this might well have been feasible. (Though you’ll note that PJ advises against doing so for anything besides an experiment.) As I searched for working links to the repos used in his article, I ran into some surprises (and some great advice).
Heartache, or “sudo apt remove elasticsearch”
Looking for the new repos, I saw that there’s no reference to 32-bit ARM versions over at elastic.co. That’s when I searched a bit more and found Ben Prescott’s write-up here on doing just what I intended: setting up the ELK stack on the Raspberry Pi. Ben details why this is a terrible idea, and what happened when he tried it. I could almost feel his scowl of disapproval. As an experienced Linux sysadmin and infrastructure engineer, I felt pretty confident that he knew what he was doing. Kudos to him for soldiering on for science when he ran into problems, but it was clear to me that this would no longer be a viable option.
I’ll pull out some of the most memorable quotes from Ben’s article for quick takeaways:
“Elastic no longer support[s] 32 bit, and I doubt they expect it running on a 1gb machine.”
“On a [R]aspberry [P]i B3+ the service takes just under 50 minutes from starting via systemctl to opening port 9300. Start up seems to be single threaded, so it’s slow.”
“Starting both [ElasticSearch and Logstash] in parallel extended ES [ElasticSearch] start time to an hour. At this point, [L]ogstash hadn’t started logging or started listening on any ports.”
There’s a lot more, and a thorough but concise explanation of the issues in the article, but suffice it to say, it wasn’t pretty. So if we implement ELK on the Pi, it’s pretty clear from Ben’s research that we’ll run into high CPU usage, high memory usage, and incompatibilities (no 32-bit builds), making the Pi 3 a very unsuitable platform for it.
The Search Continues…
Currently I’m researching other options for monitoring with such a small system as the Pi 3. I need something to examine network traffic and process it, but ideally accept incoming logs from endpoints as well. I'd eventually like it to be a NIDS (Network Intrusion Detection System) and an EDM (Endpoint Detection/Response, not Electronic Dance Music!) solution. Soon I’ll write a post about the options I’m considering and what I finally chose.