Jan 10 2012

Kojoney SSH Honeypot, installation (CentOS) and configuration

I decided to give the second well-known SSH honeypot a try, the software that Kippo was inspired by: Kojoney. It is a low interaction honeypot that emulates the SSH service, and it’s written in Python like Kippo.

I’m using a system with CentOS 5 32-bit installed, but the following should work for higher versions as well. Login as root and let’s start…

1. First of all, since we’ll still want to be able to connect to our own machine, we must change the default SSH port 22 to something else:

vi /etc/ssh/sshd_config

You need to uncomment the “#Port 22″ line and change “22” to whatever you want (take note of it), let’s say 2222.

Restart the ssh server for the change to take effect:

/etc/init.d/sshd restart

At this stage you might want to logout of the system and connect again using the new port.

2. Let’s update the system and install required software:

yum update

Kojoney requires the following packages that can be installed through yum:

yum install gcc python python-devel

3. Download Kojoney itself:

cd /tmp
wget http://dfn.dl.sourceforge.net/project/kojoney/kojoney-
tar -xvf kojoney-

4. (OPTIONAL) The Iran Honeynet Project has created some updated packages to use with Kojoney making its geolocation feature better and also adding new sections to the report file. It would be good to install them:

cd /tmp
wget http://www.honeynet.ir/software/kojoney-update/TwisteConch-0.6.0.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/IP-Country-2.27.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/Geography-Countries-2009041301.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/kojreport
/bin/cp -vf /tmp/TwisteConch-0.6.0.tar.gz /tmp/kojoney/libs/
/bin/cp -vf /tmp/kojreport /tmp/kojoney/reports/
rm -rfv /tmp/kojoney/reports/ip_country/*
/bin/cp -vf /tmp/IP-Country-2.27.tar.gz /tmp/kojoney/reports/ip_country/
/bin/cp -vf /tmp/Geography-Countries-2009041301.tar.gz /tmp/kojoney/reports/ip_country/

The above files are also stored here for backup purposes: kojoney-update-files

5. Let’s install Kojoney and run it:

cd /tmp/kojoney

I got an error here because the script wasn’t able to locate the man directory. Hopefully it asks for it so type the following: /usr/share/man/man1 (“1″ is not a typo) if required.

echo "/etc/init.d/kojoney start" >> /etc/rc.local
/etc/init.d/kojoney start

You can check that everything is working alright by using

ps aux | grep kojoney

where you should see something like:

root  1573  0.0  1.4  14904  7748 ?  S  Jan09  0:33 python /usr/bin/kojoneyd

and also:

netstat -antp

where you should see something like this:

Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0*       LISTEN   1573/python

6. Where is what? Kojoney itself is installed at “/usr/share/kojoney/” by default. You can go there to have a look at its source files. The log file it creates is located at “/var/log/honeypot.log“. Kojoney already has a built-in list of common username and password combinations, stored at “/etc/kojoney/fake_users“. If somebody enters a combo found in this file, he’s got access. Finally, the binary is stored at “/usr/bin/kojoneyd“.

7. There is a script distributed with it to make log parsing and statistics display easy. It is called kojreport and you can test it like this:

/usr/share/kojoney/kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
cat /tmp/report.txt

8. Kojoney has some problems like Kippo. The responses for various commands are hardcoded and you might need to change them. You can alter the existing ones or create your own as well.

There are specifically two files you need to pay attention to. Both of them are located at the base directory (/usr/share/kojoney/) and are called coret_fake.py and coret_honey.py.

“coret_fake.py” includes all the responses to various commands. I would suggest changing at least the following: FAKE_SSH_SERVER_VERSION, FAKE_OS (your own or uncomment and edit another one from the list), FAKE_SHELL and FAKE_W.

The second file, “coret_honey.py” is used when you want to add responses for new commands. You first write your response constant variable into “coret_fake.py” and then add it to “coret_honey.py”. For example, if I was to create a response for the “uptime” command:

a) I would write something like:

FAKE_UPTIME = " 02:32:28 up 1 day, 21:20,  1 user,  load average: 0.00, 0.00, 0.06"

into “coret_fake.py” and

b) I would add it to “coret_honey.py” file (lines 6 & 7 below):

if uname_re.match(data):
    elif ls_re.match(data):
        for line in FAKE_LS:
            transport.write(line + '\r\n')
    elif data == "uptime":

And of course we need to restart the Kojoney service for the changes to take effect:

/etc/init.d/kojoney stop
/etc/init.d/kojoney start

9. Trying out Kojoney was not really in my plans (since I have invested time and effort in Kippo) until I found these two excellent resources that inspired me to give it a try: How To Set Up Kojoney SSH Honeypot On CentOS 5.5, Using and Extending Kojoney SSH Honeypot

Sample results will be published soon!

  • Pingback: Edgis Security - Kojoney (A Honeypot for the SSH Service)()

More in Honeypots
Some Dionaea statistics
Starting with Dionaea malware honeypot
Kippo-Graph 0.6.2 released.
Kippo reveals itself with ‘w’ and ‘uptime’ commands
Kippo2MySQL v0.1.1 update