
Dec 05 2011

Installing Kippo SSH Honeypot on Ubuntu

I decided to set up a simple SSH honeypot in a small VPS (192MB RAM) to see whether honeypots actually record attacks. The honeypot that I chose was Kippo, a simple SSH honeypot written in Python with several possibilities. Here is a guide for the installation and configuration of Kippo, following the procedure I personally used. The setup applies to the Ubuntu Server 11.04 (32-bit) distro (but the procedure on any other Ubuntu/Debian-based system should be the same).

1. First we log in as root on our box and proceed to update and upgrade the system:

apt-get update && apt-get upgrade

2. Kippo “listens” on port 2222 by default, which is fine for testing purposes, but it reduces the chances of recording any attacks (because the usual automated tools that hackers run target the default SSH port 22). Thus, it would be good to make Kippo listen on port 22. To do this you must first change the port your real SSH server uses, so that you can still connect back to the system properly. So we change the configuration file of the SSH server (sshd):

vi /etc/ssh/sshd_config

We change the option Port 22, choosing another port, e.g. 2222. We then restart the SSH server:

/etc/init.d/ssh restart

At this point it would be good to disconnect from the system and then reconnect using the new port.

3. We continue installing the required software packages for Kippo:

apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

We can download the latest stable version of Kippo (0.5) but it is better to use the latest development version directly from the SVN server. For this reason we need subversion:

apt-get install subversion

Another issue with using port 22 is that on Linux only the root user is allowed to use ports below 1024, and we should not run Kippo as root for safety reasons. Kippo’s website offers several solutions on how to run a honeypot on port 22, but the simplest one is using the application authbind:

apt-get install authbind

4. Before you go any further, create a new non-root user to run Kippo as:

adduser kippo

and add it to the list of users that can use the sudo command (the dedicated user is required; as noted in the comments below, sudo access for it is not):

visudo

where we add the line:

kippo ALL=(ALL:ALL) ALL

under the “root” user.

We finish the required steps for using port 22:

touch /etc/authbind/byport/22
chown kippo:kippo /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22

At this point we log in to the system as the ‘kippo’ user and go to the /home directory.

5. Download the latest Kippo version from SVN:

svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo

Working inside the newly checked-out kippo directory, change the port in Kippo’s configuration file from 2222 to 22:

mv kippo.cfg.dist kippo.cfg
vi kippo.cfg

6. Finally, edit the Kippo start script:

vi start.sh

changing the following command from

twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

to

authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

so that it uses authbind to “listen” on port 22, and run the honeypot:

./start.sh

7. We check that our port has actually opened and Kippo is “listening”:

sudo netstat -antp

where there should be a line like this:

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python

We are ready. Now any attempt to connect to port 22 of the system will be recorded by Kippo and log files will be stored in the corresponding folder.
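
The check in step 7 can be scripted so that it also confirms the real sshd has moved to its new port. This is an added example, not part of the original post: the function names and the sample netstat lines (apart from the 22627/python line shown above) are constructed, and it assumes Kippo shows up as a python process as in that output.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the port swap from steps 2-7.
# Sample netstat output below is constructed; addresses are documentation ranges.

# Read `netstat -antp` output on stdin; print PID/program listening on TCP port $1.
listener_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")   # port is the last ":" field (IPv4 and IPv6)
            if (a[n] == port) { print $7; exit }
        }'
}

# $1 = netstat output, $2 = honeypot port, $3 = port the real sshd was moved to.
# Succeeds only if a python process (Kippo under twistd) holds $2 and sshd holds $3.
check_honeypot_ports() {
    hp=$(printf '%s\n' "$1" | listener_on_port "$2")
    adm=$(printf '%s\n' "$1" | listener_on_port "$3")
    case "$hp" in
        */python*) ;;
        "")     echo "FAIL: nothing listening on port $2 (honeypot not started?)"; return 1 ;;
        */sshd) echo "FAIL: real sshd still owns port $2"; return 1 ;;
        *)      echo "FAIL: unexpected listener on port $2: $hp"; return 1 ;;
    esac
    case "$adm" in
        */sshd) ;;
        *) echo "FAIL: real sshd is not listening on port $3"; return 1 ;;
    esac
    echo "OK: honeypot ($hp) on port $2, sshd ($adm) on port $3"
}

SAMPLE_OK='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 203.0.113.5:2222 198.51.100.7:51234 ESTABLISHED 900/sshd:'

SAMPLE_SSHD_ON_22='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd'

check_honeypot_ports "$SAMPLE_OK" 22 2222
check_honeypot_ports "$SAMPLE_SSHD_ON_22" 22 2222 || true
# Live use, as root so the PID/program column is filled in:
#   check_honeypot_ports "$(netstat -antp)" 22 2222
```
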

  • Pingback: Logging Kippo events using MySQL DB » bruteforce.gr

  • Andrew Waite

    Nice guide, few configuration settings I’ve not used before that I’ll have to look at in more detail. Thanks for sharing :)

  • Cory

    Thanks for posting this guide. This is the only decent guide I can find on how to install a honeypot on Ubuntu. One thing that I’m not clear on from your instructions is how you give sudo access to the kippo user. Is this needed? Being a security concerned admin I like to keep my list of sudo-able users fairly small.

    • http://bruteforce.gr Ion

      Hello Cory, thanks for your comment. Creating a “dedicated” user to run Kippo is needed, but adding the user to the sudoers group is not. The instructions are clear I think, but as I said you don’t have to. You might as well just create the user and that’s all. Let me know how it went.

      • Cory

        Thanks for the details Ion. The honeypot works great. It’s pretty amazing how well kippo mimics a real server.

  • Pingback: Oh yes, wait a minute Mister Postman – OpenWRT as Mailrelay/MTA | IT-Unsecurity

  • http://www.facebook.com/ashrafluffy Ashraf Luffy

    Can you give me an example of a topology to do this honeypot?

    Please answer quickly.. :)

    • http://bruteforce.gr/ Ion

      Hey there, just add the honeypot to your local subnet and if required enable port-forwarding on your router for port 22. Regards, Ion.

      • http://www.facebook.com/ashrafluffy Ashraf Luffy

        I used your tutorial to configure it, but when I nmap my server from another computer it says port 22 is closed, so how can I open port 22?

  • Mara

    I found this on kippo.log…

    should this worry me?? Do I need to do something?? Do you have any idea??

    the honeypot is still running and still listening on port 22…

    Thanks a lot!! :-)

    2013-04-28 13:27:21+0300 [kippo.core.honeypot.HoneyPotSSHFactory] Rollback failed
    Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/twisted/python/threadpool.py", line 167, in _worker
    result = context.call(ctx, function, *args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
    File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
    File "/home/user/kippo/kippo/dblog/mysql.py", line 22, in _runInteraction
    self, interaction, *args, **kw)
    — —
    File "/usr/lib/python2.7/dist-packages/twisted/enterprise/adbapi.py", line 455, in _runInteraction
    conn.rollback()
    File "/usr/lib/python2.7/dist-packages/twisted/enterprise/adbapi.py", line 52, in rollback
    self._connection.rollback()
    _mysql_exceptions.OperationalError: (2006, 'MySQL server has gone away')

  • Jeremy

    I followed this article and when I go to start (./start.sh) I get: “Error: You must not run kippo as root!” I did everything as “root” user, should I not have? I also tried to run it as the local user and it did not run either.

    From the article it appears that you were root as well with the use of “apt-get” rather than “sudo apt-get”

    • http://bruteforce.gr/ Ion

      Hello Jeremy, if you notice on step 4 I create a “kippo” user just for that purpose. Now that I’ve re-read my article I think it’s not very clear, but yes, you’ll have to switch to that user before executing start.sh. In case you get a permissions error try to do a “chown -R kippo:kippo kippo/” first (the 3rd “kippo” in the command being the program’s folder). Regards, Ion.

  • William Harris

    Great article here, probably the best on the web for this, how do I make sure kippo starts on reboot? Add start.sh to rc.local?

  • sean

    I am having an issue with Kippo graph plotting.
    Kippo is working as I see ssh attempts being populated in kippo.log

    but it is not reflected on the webpage

    I have followed the instructions to change the permissions and I have edited config.php to include the username password and db name

    any thoughts ?

    • http://bruteforce.gr/ Ion

      Hi Sean, please check my reply on the other comment you’ve made (Kippo-Graph page) and continue there. Regards, Ion.

  • john

    When I vi into sshd_config my file is empty…Help me pls!!!
