Honeypots are talked about by many, but very few people have actually installed one to see what they catch. This tutorial will help you install your own SSH honeypot in a few minutes.
I decided on an SSH honeypot because there are a large number of SSH scanners sweeping the internet for easily guessable login credentials in order to gain access to systems.
Let's start… I used a Raspberry Pi and installed all the required packages to see how the Pi would handle the load of a database and a web server. Like most people, you don't want to sift through raw logs to see what people did on your honeypot.
With that in mind, we will install a honeypot that logs all of its events to a database, from which you can draw pretty graphs and EVEN locate the 'individual' through a geolocation module, all in a simple-to-use web interface…. Pretty nifty! Let's get started…
What you’ll need:
Now let's get started…
Install your Linux machine with your distro of choice. This tutorial focuses on Debian-based distributions (Ubuntu, Raspbian etc.).
Update your APT package lists.
Kippo by default runs on port 2222. I would like it to run on port 22 to simulate a standard SSH installation. Leaving it on port 2222 will get you fewer hits, because SSH scanners by default scan for the standard SSH port, which is 22.
Therefore you will need to move your real SSH daemon to another port (such as 222) so that you can still manage the machine remotely. For this we do the following:
Edit the SSH daemon config (/etc/ssh/sshd_config) to change the port:
Change "Port 22" to "Port 222" (or whichever port number you choose). Note that the stock config usually has this line commented out as "#Port 22", so remove the "#" as well.
Now restart your SSH server.
At this point it's a good idea to disconnect from your SSH session, if you connected to the host over SSH, and reconnect on the new port you specified (i.e. 222). Do this before you start Kippo on port 22, so that you know the management port works and do not lock yourself out.
Let's install the prerequisites Kippo needs:
apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted
Now that the prerequisites are installed, we need to install Subversion, which we will use to download Kippo:
apt-get install subversion
Another issue with port 22 is that on Linux only root (or a process granted the CAP_NET_BIND_SERVICE capability) may bind ports below 1024, and we should not run Kippo as root for safety reasons: a bug in the honeypot should not hand an attacker root on the host. Kippo's website offers several solutions for running a honeypot on port 22, but the simplest one is the authbind helper:
apt-get install authbind
Before you go any further, create a new non-root user (called kippo in this tutorial) to run Kippo as
…and add your newly created user to the list of users that can use the sudo command, by editing the sudoers file (with visudo):
Where we add the line:
kippo ALL=(ALL:ALL) ALL
under the "root" entry. Be aware that this gives the kippo user full sudo rights, which undoes much of the benefit of not running Kippo as root. It is only needed for the two authbind commands below, so if you prefer you can run those as root and skip this step.
We finish the required steps for using port 22 by creating the authbind permission file for the port and handing it to the kippo user:
chown kippo:kippo /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22
(The file has to exist first; create it with touch if it does not. authbind only checks that the file is executable by the user running the program, so a mode of 500 is enough and avoids making the file world-writable; 777 works but is more than needed.)
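The port 22 preparation above, as an added example script. This is my own code, not from the original post or from Kippo: functions that move sshd to another port and create the authbind permission file, taking the file paths, port numbers and user name as parameters so you can rehearse them on a scratch copy of sshd_config before touching the live system. The values 222 and "kippo" are the tutorial's choices; mode 500 instead of 777 is my tightening, since authbind only needs the file to be executable by the user.

```shell
#!/bin/sh
# Added example (not from the original post or from Kippo): the "free port 22" steps
# as functions that can be rehearsed on a scratch copy before editing the live /etc.
# Assumptions: a Debian-style sshd_config, authbind's /etc/authbind/byport layout,
# and the tutorial's choices of port 222 and user "kippo" (all passed as parameters).

# set_sshd_port CONFIG PORT
# Rewrite every "Port N" (or commented-out "#Port N") directive in CONFIG to PORT,
# or append one if the file has no Port directive at all.
set_sshd_port() {
    cfg="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*$/Port $port/" "$cfg" \
            > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# get_sshd_port CONFIG
# Print the port sshd will listen on: the last active Port directive, or 22 if none.
get_sshd_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# authbind_allow BYPORT_DIR PORT [USER]
# Create the authbind permission file BYPORT_DIR/PORT. authbind only checks that the
# file is executable by the user running the program, so mode 500 owned by USER is
# enough; the tutorial's chmod 777 would also let every local user write to it.
authbind_allow() {
    dir="$1"
    port="$2"
    user="$3"
    mkdir -p "$dir"
    touch "$dir/$port"
    chmod 500 "$dir/$port"
    if [ -n "$user" ]; then
        chown "$user:$user" "$dir/$port"
    fi
}

# authbind_mode BYPORT_DIR PORT
# Print the permission string of the permission file, e.g. -r-x------
authbind_mode() {
    ls -l "$1/$2" | cut -c1-10
}

# On the live host (as root), check that the config still parses before restarting sshd:
#   set_sshd_port /etc/ssh/sshd_config 222 && sshd -t && service ssh restart
#   authbind_allow /etc/authbind/byport 22 kippo
```

Running sshd -t between the edit and the restart is the step that saves you from a lockout: a typo in sshd_config makes the restart fail, and with the only working session about to move ports you want to know that before you disconnect.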
At this point we switch to the 'kippo' user and go to its home directory (/home/kippo).
Now let's download the latest version of Kippo, which we will use as our SSH honeypot.
After logging in as the kippo user, within the /home/kippo directory check out Kippo from Subversion:
svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo
Kippo ships its configuration as kippo.cfg.dist. Rename it to kippo.cfg, then edit it and change the port from 2222 to 22 (the ssh_port setting in the [honeypot] section):
mv kippo.cfg.dist kippo.cfg
Finally, edit the Kippo start script (start.sh) so that twistd is launched through authbind, changing the following command from
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
to
authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
Now start your honeypot (./start.sh) and see if it runs.
To see if it's running, do a netstat to check that the port is open and the twistd process is listening on it:
sudo netstat -antp
Your output should contain a line like this (the PID will differ):
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python
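A scripted version of that check, as an added example (my own code, not from the original post). After the port swap you want python (twistd) on 22 and sshd on the management port; if sshd still shows up on 22, the restart did not take and Kippo will fail to bind. The netstat output embedded below is constructed for the example and mirrors the line above; the function reads real netstat output when no text is passed in.

```shell
#!/bin/sh
# Added example (not from the original post): parse "netstat -antp" output and report
# which program owns each listening TCP port, then verify the honeypot/sshd split.
# SAMPLE_NETSTAT is constructed sample output for the example.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      22627/python
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1456/mysqld
tcp        0      0 192.168.1.10:222        192.168.1.5:51234       ESTABLISHED 1300/sshd: admin'

# listener_on PORT [NETSTAT_OUTPUT]
# Print the program name (without the PID) listening on TCP PORT, or "none".
# Uses NETSTAT_OUTPUT if given, otherwise runs netstat itself (needs root for PIDs).
listener_on() {
    port="$1"
    if [ $# -ge 2 ]; then
        data="$2"
    else
        data=$(netstat -antp 2>/dev/null)
    fi
    printf '%s\n' "$data" | awk -v port="$port" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")           # local address is addr:port (or :::port for IPv6)
            if (a[n] == port) {
                sub(/^[0-9]+\//, "", $7)    # strip the "PID/" prefix
                print $7
                found = 1
                exit
            }
        }
        END { if (!found) print "none" }'
}

# check_honeypot_ports HONEYPOT_PORT ADMIN_PORT [NETSTAT_OUTPUT]
# Return 0 when the honeypot port is owned by python (twistd) and the admin port by sshd;
# otherwise print what was found on stderr and return 1.
check_honeypot_ports() {
    hp=$(listener_on "$1" ${3+"$3"})
    ap=$(listener_on "$2" ${3+"$3"})
    ok=0
    case "$hp" in
        python*) ;;
        *) echo "port $1: expected python (twistd), found $hp" >&2; ok=1 ;;
    esac
    case "$ap" in
        sshd*) ;;
        *) echo "port $2: expected sshd, found $ap" >&2; ok=1 ;;
    esac
    return $ok
}

# Live usage on the honeypot host:
#   sudo sh -c '. ./ports.sh; check_honeypot_ports 22 222' && echo "ports look right"
```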
When you are satisfied that your honeypot is running, you can now configure it to log all its data to a MySQL database.
Here we need some extra prerequisites for the database (the web server comes later):
apt-get install python-mysqldb mysql-server
Login to your MySQL database and create the database and the tables:
mysql -u root -p
shell> CREATE DATABASE kippo;
shell> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'choose-your-password';
Now log in to MySQL again as the 'kippo' user you just granted access to, using the password you chose, and create the tables from the schema that ships with Kippo:
mysql -u kippo -p
shell> USE kippo;
shell> source /home/kippo/kippo/doc/sql/mysql.sql;
Now your database is ready to be populated with kippo events.
If Kippo is running, stop it before changing the config. To check whether it is running:
ps -e | grep twistd
Now kill it (the start script writes the PID to kippo.pid in the kippo directory):
Now you need to edit the Kippo config file to tell it to log its events to the database. In the kippo directory, edit kippo.cfg, uncomment the [database_mysql] section and set the following (use the password you chose in the GRANT statement above):
host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass
After saving kippo.cfg, start Kippo again to check that everything still runs. In the startup output you will see it loading the database module.
Now for the nice GUI web interface… We will be using Kippo-Graph for this.
Again, we have some prerequisites to install for Kippo-Graph to function properly (Apache with PHP, the GD graphics library and the MySQL extension):
apt-get install -y libapache2-mod-php5 php5-gd php5-mysql
Now download the latest version of Kippo-Graph and untar it in your /var/www directory.
Use tar to unpack the package. This will extract and create a folder called 'kippo-graph':
tar xvf kippo-graph-0.7.6.tar
Within the kippo-graph folder, make the generated-graphs folder writable by the web server; otherwise you might end up looking at blank graphs.
chmod 777 generated-graphs
(777 also lets every local user write there. Giving the folder to the web server user, www-data on Debian, with chown and mode 755 is tighter and works just as well.)
Now within the kippo-graph folder you will see a config.php file; edit it and provide the database information you set up earlier (the same host, database, username and password as in kippo.cfg).
Now you are ready to rumble!!! Start your Kippo instance with ./start.sh and browse to the kippo-graph folder on that host's web server.
Remember to click on GENERATE_THE_KIPPO_GRAPHS() in order to pull the database information into the graphs.
Now SSH to port 22 and log in with user root and password 123456.. 🙂 That is the credential pair in the stock Kippo user list, so it is the one scanners will succeed with.
More usernames and passwords can be set in the kippo/data/userdb.txt file, one per line in the form username:uid:password (the stock entry is root:0:123456).
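A small helper for that file, as an added example (my own code, not from the original post or from Kippo). It assumes the username:uid:password format of data/userdb.txt and the tutorial's install path; the list of weak credentials in userdb_seed is constructed for the example, chosen so that more brute-force attempts "succeed" and you capture what the attacker does after login.

```shell
#!/bin/sh
# Added example (not from the original post or from Kippo): manage Kippo's
# data/userdb.txt, which holds one "username:uid:password" entry per line
# (root:0:123456 in the stock file). The path below is the tutorial's; every function
# takes the file as its first parameter so it can be tried on a scratch copy.
USERDB=/home/kippo/kippo/data/userdb.txt

# userdb_check FILE USER PASSWORD
# Exit 0 if FILE contains an entry the honeypot would accept for USER/PASSWORD.
userdb_check() {
    awk -F: -v u="$2" -v p="$3" \
        '$1 == u && $3 == p { found = 1; exit } END { exit !found }' "$1"
}

# userdb_add FILE USER UID PASSWORD
# Append an entry unless the same user/password pair is already there. Colons are
# rejected in USER and PASSWORD because they are the field separator.
userdb_add() {
    file="$1"
    user="$2"
    uid="$3"
    pass="$4"
    case "$user$pass" in
        *:*) echo "userdb_add: ':' is not allowed in user or password" >&2; return 1 ;;
    esac
    case "$uid" in
        ''|*[!0-9]*) echo "userdb_add: uid must be numeric" >&2; return 1 ;;
    esac
    if [ -f "$file" ] && userdb_check "$file" "$user" "$pass"; then
        return 0
    fi
    printf '%s:%s:%s\n' "$user" "$uid" "$pass" >> "$file"
}

# userdb_list FILE
# Print "user password" for every well-formed entry: the logins attackers will succeed with.
userdb_list() {
    awk -F: 'NF == 3 { print $1, $3 }' "$1"
}

# userdb_seed FILE
# Add a constructed list of weak credentials that brute-force scanners commonly try.
# root keeps uid 0; other accounts get 1000 so the fake /etc/passwd looks plausible.
userdb_seed() {
    for entry in root:password root:toor admin:admin pi:raspberry; do
        u="${entry%%:*}"
        p="${entry#*:}"
        case "$u" in
            root) uid=0 ;;
            *) uid=1000 ;;
        esac
        userdb_add "$1" "$u" "$uid" "$p"
    done
}

# Live usage (as the kippo user, then restart Kippo so it re-reads the file):
#   userdb_seed "$USERDB" && userdb_list "$USERDB"
```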