I decided to set up a simple SSH honeypot on a small VPS (192MB RAM) to see whether it would actually record attacks. The honeypot I chose was Kippo, a simple SSH honeypot written in Python with several useful features. Here is a guide to installing and configuring Kippo, following the procedure I used myself. The setup was done on Ubuntu Server 11.04 (32-bit), but the procedure should be the same on any other Ubuntu/Debian-based system.
1. First we log in as root on our box and update and upgrade the system:
apt-get update && apt-get upgrade
2. Kippo listens on port 2222 by default, which is fine for testing, but it reduces the chances of recording real attacks, because the automated tools attackers run target the default SSH port 22. So we want Kippo to listen on port 22. To do this you must first move your real SSH server to another port, so that you can still connect to the system yourself. Edit the configuration file of the SSH server (sshd):
vi /etc/ssh/sshd_config
Change the line "Port 22" to another port, e.g. 2222. Then restart the SSH server:
/etc/init.d/ssh restart
At this point open a new session on the new port and confirm it works before closing the existing one; a mistake in sshd_config would otherwise lock you out of the VPS.
3. We continue installing the required software packages for Kippo:
apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted
We could download the latest stable release of Kippo (0.5), but it is better to use the latest development version directly from the SVN repository. For this we need Subversion:
apt-get install subversion
Another issue with port 22: on Linux only root (more precisely, a process with the CAP_NET_BIND_SERVICE capability) may bind ports below 1024, and we should not run Kippo as root, since a bug in the honeypot would then hand an attacker the whole box. Kippo's website describes several ways to run the honeypot on port 22; the simplest is the authbind wrapper:
apt-get install authbind
4. Before going any further, create a new non-root user to run Kippo as:
adduser kippo
and add it to the sudoers so it can use the sudo command. This is only used for the netstat check in step 7, which you could equally run as root; a honeypot account with unrestricted sudo is a risk, so remove the entry once setup is done. Run:
visudo
and add the line:
kippo ALL=(ALL:ALL) ALL
under the root user's entry.
We finish the required steps for using port 22. authbind lets a user bind a privileged port if the file /etc/authbind/byport/<port> exists and is executable by that user, so the file only needs to be owned by kippo and executable; there is no need to make it world-writable:
touch /etc/authbind/byport/22
chown kippo:kippo /etc/authbind/byport/22
chmod 500 /etc/authbind/byport/22
Now log in as the 'kippo' user and change to its home directory (/home/kippo).
5. Download the latest Kippo version from SVN (the checkout lands in ./kippo):
svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo
Then, inside the checkout directory, create the configuration file from the shipped template and change the ssh_port option in the [honeypot] section from 2222 to 22:
mv kippo.cfg.dist kippo.cfg
vi kippo.cfg
6. Finally, edit the Kippo start script:
vi start.sh
changing the following command from
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
to
authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
so that twistd is started through authbind and can bind port 22 without running as root. Then start the honeypot:
./start.sh
7. We check that the port is actually open and that it is Kippo (the python process started by twistd), not sshd, that is listening on it:
sudo netstat -antp
where there should be a line like this:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python
We are ready. From now on every connection attempt to port 22 of the system is handled by Kippo and recorded in the log directory of the checkout (log/kippo.log, as set in start.sh).
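The port juggling above (sshd off 22, Kippo onto 22, authbind permission, netstat check) is easy to get wrong by hand, and a wrong sshd_config edit locks you out of the VPS. The following POSIX shell script is an added example, not code from the Kippo project or from the original post: it wraps the same edits in idempotent helpers and parses `netstat -antp` output to confirm who owns each port. It assumes sshd_config uses a "Port N" directive, kippo.cfg uses "ssh_port = N" in its [honeypot] section, and the checkout lives in /home/kippo/kippo; all of these can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not part of Kippo or the original tutorial).
# Helpers for the manual port edits in the tutorial, plus a listener check.
# Assumed paths; override with environment variables if yours differ.
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
KIPPO_CFG=${KIPPO_CFG:-/home/kippo/kippo/kippo.cfg}

# sshd_port_of FILE: print the effective Port directive (sshd defaults to 22
# when none is set). Commented-out "#Port" lines are ignored.
sshd_port_of() {
    awk '$1 == "Port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# set_sshd_port FILE PORT: replace the first Port line (commented or not)
# with "Port PORT", drop any duplicate Port lines, or append one if absent.
# The result is written to a temp file and renamed so a half-written
# sshd_config can never be what sshd reads on restart.
set_sshd_port() {
    f=$1; port=$2; tmp="$f.tmp.$$"
    awk -v port="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ { if (!done) { print "Port " port; done = 1 }; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# kippo_port_of FILE: print the ssh_port value from kippo.cfg.
kippo_port_of() {
    awk -F= '$1 ~ /^[ \t]*ssh_port[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# set_kippo_port FILE PORT: rewrite the ssh_port line, leaving the rest intact.
set_kippo_port() {
    f=$1; port=$2; tmp="$f.tmp.$$"
    awk -v port="$port" '
        $0 ~ /^[ \t]*ssh_port[ \t]*=/ { print "ssh_port = " port; next }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# listener_of PORT: read `netstat -antp` output on stdin and print the
# PID/program of the socket in LISTEN state on that port (empty if none).
# Field 4 is the local address, field 6 the state, field 7 PID/Program.
listener_of() {
    awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $7 }'
}

# port_owned_by PORT NAME: succeed if the LISTEN socket on PORT belongs to a
# program whose name contains NAME (python for twistd, sshd for sshd).
port_owned_by() {
    owner=$(listener_of "$1")
    case $owner in */$2*) return 0 ;; esac
    return 1
}

# Apply everything on the honeypot box, as root: `sh kippo-port.sh apply`.
# Nothing runs unless asked, so the helpers can be sourced and tested safely.
if [ "${1:-}" = "apply" ]; then
    set_sshd_port "$SSHD_CONFIG" 2222
    set_kippo_port "$KIPPO_CFG" 22
    mkdir -p /etc/authbind/byport
    touch /etc/authbind/byport/22
    chown kippo:kippo /etc/authbind/byport/22
    chmod 500 /etc/authbind/byport/22   # authbind only needs it executable by kippo
    /etc/init.d/ssh restart
    netstat -antp | port_owned_by 2222 sshd || echo "WARNING: sshd is not listening on 2222" >&2
fi
```

After `./start.sh`, `netstat -antp | port_owned_by 22 python && echo honeypot up` gives a one-line check that the python process started by twistd, and not a leftover sshd, holds port 22; the `apply` branch deliberately restarts sshd only after the config rewrite has completed, and you should still verify the new port from a second session before closing the first.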