I decided to give the second well-known SSH honeypot a try, the software that Kippo was inspired by: Kojoney. It is a low interaction honeypot that emulates the SSH service, and it’s written in Python like Kippo.
I’m using a system with CentOS 5 32-bit installed, but the following should work for higher versions as well. Log in as root and let’s start…
1. First of all, since we’ll still want to be able to connect to our own machine, we must change the default SSH port 22 to something else:
vi /etc/ssh/sshd_config
You need to uncomment the “#Port 22” line and change “22” to whatever you want (take note of it), let’s say 2222.
Restart the ssh server for the change to take effect:
/etc/init.d/sshd restart
At this stage you might want to logout of the system and connect again using the new port.
2. Let’s update the system and install required software:
yum update
Kojoney requires the following packages that can be installed through yum:
yum install gcc python python-devel
3. Download Kojoney itself:
cd /tmp
wget http://dfn.dl.sourceforge.net/project/kojoney/kojoney-0.0.4.2.tar.gz
tar -xvf kojoney-0.0.4.2.tar.gz
4. (OPTIONAL) The Iran Honeynet Project has created some updated packages to use with Kojoney making its geolocation feature better and also adding new sections to the report file. It would be good to install them:
cd /tmp
wget http://www.honeynet.ir/software/kojoney-update/TwisteConch-0.6.0.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/IP-Country-2.27.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/Geography-Countries-2009041301.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/kojreport
/bin/cp -vf /tmp/TwisteConch-0.6.0.tar.gz /tmp/kojoney/libs/
/bin/cp -vf /tmp/kojreport /tmp/kojoney/reports/
rm -rfv /tmp/kojoney/reports/ip_country/*
/bin/cp -vf /tmp/IP-Country-2.27.tar.gz /tmp/kojoney/reports/ip_country/
/bin/cp -vf /tmp/Geography-Countries-2009041301.tar.gz /tmp/kojoney/reports/ip_country/
The above files are also stored here for backup purposes: kojoney-update-files
5. Let’s install Kojoney and run it:
cd /tmp/kojoney
sh INSTALL.sh
I got an error here because the script wasn’t able to locate the man directory. Hopefully it asks for it, so type the following if required: /usr/share/man/man1 (“1” is not a typo).
echo "/etc/init.d/kojoney start" >> /etc/rc.local
/etc/init.d/kojoney start
You can check that everything is working alright by using
ps aux | grep kojoney
where you should see something like:
root 1573 0.0 1.4 14904 7748 ? S Jan09 0:33 python /usr/bin/kojoneyd
and also:
netstat -antp
where you should see something like this:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1573/python
6. Where is what? Kojoney itself is installed at “/usr/share/kojoney/” by default. You can go there to have a look at its source files. The log file it creates is located at “/var/log/honeypot.log”. Kojoney already has a built-in list of common username and password combinations, stored at “/etc/kojoney/fake_users”. If somebody enters a combo found in this file, he’s got access. Finally, the binary is stored at “/usr/bin/kojoneyd”.
7. There is a script distributed with it to make log parsing and statistics display easy. It is called kojreport and you can test it like this:
/usr/share/kojoney/kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
cat /tmp/report.txt
8. Kojoney has some problems like Kippo. The responses for various commands are hardcoded and you might need to change them. You can alter the existing ones or create your own as well.
There are specifically two files you need to pay attention to. Both of them are located at the base directory (/usr/share/kojoney/) and are called coret_fake.py and coret_honey.py.
“coret_fake.py” includes all the responses to various commands. I would suggest changing at least the following: FAKE_SSH_SERVER_VERSION, FAKE_OS (your own or uncomment and edit another one from the list), FAKE_SHELL and FAKE_W.
The second file, “coret_honey.py” is used when you want to add responses for new commands. You first write your response constant variable into “coret_fake.py” and then add it to “coret_honey.py”. For example, if I was to create a response for the “uptime” command:
a) I would write something like:
FAKE_UPTIME = " 02:32:28 up 1 day, 21:20, 1 user, load average: 0.00, 0.00, 0.06"
into “coret_fake.py” and
b) I would add it to “coret_honey.py” file (lines 6 & 7 below):
if uname_re.match(data):
    transport.write(FAKE_OS)
elif ls_re.match(data):
    for line in FAKE_LS:
        transport.write(line + '\r\n')
elif data == "uptime":
    transport.write(FAKE_UPTIME)
And of course we need to restart the Kojoney service for the changes to take effect:
/etc/init.d/kojoney stop
/etc/init.d/kojoney start
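To see how the constants in coret_fake.py and the dispatch chain in coret_honey.py fit together, here is an added stand-alone example (my own illustration, not Kojoney’s code) that reproduces the if/elif chain against a recording stand-in for the Twisted transport and reports which typed commands fell through unanswered, which is how you find the next response worth adding. The FAKE_OS and FAKE_LS values, the regex patterns, the uptime_re name and the session input are all assumed here; it also matches uptime with an anchored regex instead of the exact-equality test above, so a command typed with arguments still gets an answer.

```python
import re

# Constructed stand-ins for the constants normally defined in coret_fake.py.
FAKE_OS = "Linux honeypot 2.6.18-8.el5 #1 SMP i686 GNU/Linux"
FAKE_LS = ["bin", "etc", "home", "var"]
FAKE_UPTIME = " 02:32:28 up 1 day, 21:20, 1 user, load average: 0.00, 0.00, 0.06"

# Regexes in the style of uname_re / ls_re in coret_honey.py (patterns assumed here).
# The anchored uptime_re accepts 'uptime' with or without arguments, where the
# exact test data == "uptime" would let 'uptime -p' fall through unanswered.
uname_re = re.compile(r"^uname(\s.*)?$")
ls_re = re.compile(r"^ls(\s.*)?$")
uptime_re = re.compile(r"^uptime(\s.*)?$")


class RecordingTransport:
    """Stand-in for the Twisted transport: keeps every write for inspection."""

    def __init__(self):
        self.sent = []

    def write(self, data):
        self.sent.append(data)


def handle_command(data, transport):
    """Mirror the if/elif chain of coret_honey.py for one typed line.

    Returns True when a canned response was written, False when the command
    is not emulated yet (a candidate for a new FAKE_* constant)."""
    data = data.strip()  # drop the newline the attacker's shell sends
    if uname_re.match(data):
        transport.write(FAKE_OS)
    elif ls_re.match(data):
        for line in FAKE_LS:
            transport.write(line + "\r\n")
    elif uptime_re.match(data):
        transport.write(FAKE_UPTIME)
    else:
        return False
    return True


def run_session(commands):
    """Run a constructed session; return (responses sent, commands left unanswered)."""
    transport = RecordingTransport()
    unanswered = [c.strip() for c in commands if not handle_command(c, transport)]
    return transport.sent, unanswered
```

Feeding the unanswered list back into the two files, one constant and one elif branch at a time, is the loop the author describes in step 8.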
9. Trying out Kojoney was not really in my plans (since I have invested time and effort in Kippo) until I found these two excellent resources that inspired me to give it a try: How To Set Up Kojoney SSH Honeypot On CentOS 5.5, Using and Extending Kojoney SSH Honeypot
Sample results will be published soon!