Blog Roll!

Some interesting things I have come across in my daily work related to security and privacy.

Installing Kippo Honeypot

Honeypots are much talked about, but very few people have actually installed one to see what they catch. This tutorial will help you install your own SSH honeypot in a few minutes.
I decided on an SSH honeypot because there is a large number of SSH scanners sweeping the Internet for easily guessable login credentials in order to gain access to systems.
Let's start… I used a Raspberry Pi and installed all the required packages on it, to see how the Pi would handle the load of a database and a web server. Like most people, you don't want to filter through raw logs to see what people did on your honeypot.

With that in mind, we will install a honeypot that logs all its events to a database, from which you can draw pretty graphs and even locate the 'individual' through a geolocation module, all in a simple web interface. Pretty nifty! Let's get started…

What you’ll need:

  1. A machine or virtual machine (whichever you have available).
  2. Internet access (of course!)
  3. Time.

Like I mentioned, I used a Raspberry Pi for my honeypot, but you can really use any Linux-based machine.
The honeypot framework I'm using is called Kippo.

Now lets get started…

Install your Linux machine with your distro of choice. This tutorial focuses on Debian-based distributions (Ubuntu, Raspbian etc.).
Update your APT package lists:
apt-get update

Kippo by default runs on port 2222. I would like it to run on port 22 to simulate a standard SSH installation. Leaving it on port 2222 will get you fewer hits, because SSH scanners by default scan for the standard SSH port, which is 22.

Therefore you will need to move your real SSH daemon to a different port (such as 222) so that you can still manage the machine remotely. For this we do the following:
Edit the SSH daemon config to change the port:
vi /etc/ssh/sshd_config

Change "Port 22" to "Port 222" (or whichever port number you choose). If the line is commented out ("#Port 22"), remove the leading # as well.
Before restarting, run "sshd -t" to check that the edited config still parses; a typo here would leave you locked out of the box. Then restart your SSH server:
/etc/init.d/ssh restart

At this point, if you are managing the host over SSH, open a second session to the new port (e.g. 222) and confirm it works before you disconnect the old one.
Let's install the prerequisites Kippo needs to function:
apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

Now that the prerequisites are installed, we need to install Subversion, which we will use to download Kippo:
apt-get install subversion

Another issue with port 22 is that on Linux only root (or a process holding the CAP_NET_BIND_SERVICE capability) may bind ports below 1024, and we should not run Kippo as root for safety reasons. Kippo's website offers several solutions for running a honeypot on port 22; the simplest is the authbind wrapper:
apt-get install authbind

Before you go any further, create a new non-root user to run Kippo as:
adduser kippo

…and add your newly created user to the list of users that can use the sudo command. (This is purely for convenience during setup; bear in mind that it gives the account the honeypot runs as full root via sudo. If you would rather not, skip this step and run the remaining privileged commands as root.)
visudo

Where we add the line:
kippo ALL=(ALL:ALL) ALL
under the "root" line.

We finish the required steps for using port 22:
touch /etc/authbind/byport/22
chown kippo:kippo /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22
(authbind only checks that the user running the program has execute permission on this file, so a tighter mode such as 755 works just as well.)

At this point log in as the 'kippo' user, whose home directory is /home/kippo.
Now let's download the latest version of Kippo, which we will use as our SSH honeypot.
After logging in as the kippo user, within the /home/kippo directory check out the Kippo source from Subversion:
svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo
(Google Code has since shut down, so this URL no longer works; the project now lives at https://github.com/desaster/kippo and has been succeeded by Cowrie, https://github.com/cowrie/cowrie.)

Change the port in Kippo's configuration file from 2222 to 22. The setting is "ssh_port = 2222" in the [honeypot] section of kippo.cfg:
mv kippo.cfg.dist kippo.cfg
vi kippo.cfg

Finally, edit Kippo's start script, start.sh,
changing the following command from
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
to
authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

Now start your honeypot and see if it runs.
./start.sh

To check that it is running, use netstat to see whether the port is open and the twistd process is listening on it:
sudo netstat -antp

Your output should include a line like this:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python
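The port-22 procedure above touches three files (sshd_config, kippo.cfg and start.sh). The script below is an added example, not code from the original post or from the Kippo project: it wraps each edit in a function that takes the file path, so you can try them on copies before running them against the real files, and its "apply" section adds the sshd -t check before the restart. The paths in the "apply" section are assumptions matching this tutorial's layout.

```shell
#!/bin/sh
# Added example, not from the original post: the three file edits the
# port-22 procedure needs, written as functions that take the file path
# so they can be tried on copies first. Paths under "apply" are assumptions.
set -eu

# Set the Port directive in an sshd_config, whether it is currently
# "Port 22" or a commented-out "#Port 22"; prints the resulting port.
set_sshd_port() {
    cfg="$1"; port="$2"
    pat='^#?[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$'
    if grep -Eq "$pat" "$cfg"; then
        sed -i -E "s/$pat/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
    sed -n 's/^Port[[:space:]]*//p' "$cfg"
}

# Set ssh_port in the [honeypot] section of kippo.cfg; prints the result.
set_kippo_port() {
    cfg="$1"; port="$2"
    sed -i -E "s/^ssh_port[[:space:]]*=.*/ssh_port = $port/" "$cfg"
    sed -n 's/^ssh_port[[:space:]]*=[[:space:]]*//p' "$cfg"
}

# Prefix the twistd line in start.sh with "authbind --deep" (idempotent:
# a line already prefixed no longer starts with twistd); prints how many
# lines carry the prefix afterwards, which should be 1.
enable_authbind() {
    script="$1"
    sed -i -E 's/^([[:space:]]*)twistd /\1authbind --deep twistd /' "$script"
    grep -c '^[[:space:]]*authbind --deep twistd ' "$script"
}

# True if some process is listening on TCP port $1 (uses ss from iproute2;
# column 4 of "ss -ltn" is the local address:port).
listening_on() {
    ss -ltn 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

if [ "${1:-}" = "apply" ]; then
    # Run as root. "sshd -t" refuses a broken config before we restart
    # and lock ourselves out.
    set_sshd_port /etc/ssh/sshd_config 222
    /usr/sbin/sshd -t
    /etc/init.d/ssh restart
    touch /etc/authbind/byport/22
    chown kippo:kippo /etc/authbind/byport/22
    chmod 755 /etc/authbind/byport/22      # the execute bit is all authbind checks
    set_kippo_port /home/kippo/kippo/kippo.cfg 22
    enable_authbind /home/kippo/kippo/start.sh
    listening_on 222 && echo "sshd is on 222; now start Kippo as the kippo user with ./start.sh"
fi
```

Run it with no arguments to just load the functions (for example "sh port22.sh" followed by calling them on copies), and with "apply" as root to make the real changes; the netstat check from the post still applies afterwards, and listening_on 22 should succeed once Kippo is up.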

When you are satisfied that your honeypot is running, you can now configure it to log all its data to a MySQL database.
Here we need some extra prerequisites for the database (the web server comes later):
apt-get install python-mysqldb mysql-server

Log in to MySQL as root and create the database and a dedicated user for Kippo:
mysql -u root -p
mysql> CREATE DATABASE kippo;
mysql> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'choose-your-password';
mysql> exit

Now log in to MySQL again as the 'kippo' user you just created, with the password you chose, and create the tables using the schema shipped in Kippo's doc/sql directory:
mysql -u kippo -p
mysql> USE kippo;
mysql> source /home/kippo/kippo/doc/sql/mysql.sql;
mysql> exit

Now your database is ready to be populated with Kippo events.
If Kippo is running, kill it. Do the following to check whether it's running:
ps -e | grep twistd

Now kill it:
killall twistd

Now edit the Kippo config file to tell it to log its events to the database. In the Kippo directory, edit kippo.cfg, uncomment the [database_mysql] section and set the following (the password must be the one you used in the GRANT statement above):
vi kippo.cfg
[database_mysql]
host = localhost
database = kippo
username = kippo
password = choose-your-password

After saving kippo.cfg, start Kippo again to check that everything still runs. On startup you will see it load the database module.
./start.sh

Now for the nice web GUI. We will be using Kippo-Graph for this.
Again, we have some prerequisites to install for Kippo-Graph to function properly:
apt-get install -y libapache2-mod-php5 php5-gd php5-mysql
/etc/init.d/apache2 restart

Now download the latest version of Kippo-Graph and untar it in your /var/www directory:
wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.6.tar

Use tar to unpack the package. This extracts into a folder called 'kippo-graph':
tar xvf kippo-graph-0.7.6.tar

Within the kippo-graph folder, make the generated-graphs folder writable by the web server, otherwise you might end up looking at blank graphs. The quick way is world read/write; a tighter option is to chown it to www-data and leave it at mode 755.
chmod 777 generated-graphs

Within the kippo-graph folder you will see a config.php file; edit it and provide the database information you set up in the steps above.
vi config.php
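The same MySQL credentials now have to live in two files, the [database_mysql] section of kippo.cfg (set a few steps back) and Kippo-Graph's config.php, and a mismatch shows up as an empty dashboard rather than an error. The script below is an added example, not code from the original post, Kippo or Kippo-Graph: it writes both files from one set of variables. It assumes config.php uses define('DB_HOST', ...), define('DB_NAME', ...), define('DB_USER', ...) and define('DB_PASS', ...) lines, that the sessions table from doc/sql/mysql.sql exists, and the file paths used in the "apply" section; it does not escape quotes, backslashes, & or | in the password, so keep those out of it.

```shell
#!/bin/sh
# Added example, not from the original post: write the MySQL credentials
# into kippo.cfg and Kippo-Graph's config.php from one place so they can
# never drift apart. The config.php define() names and the paths under
# "apply" are assumptions about the stock files. Passwords containing
# ' \ & or | are not escaped by these helpers.
set -eu

# Replace (or add) the active [database_mysql] section of a kippo.cfg and
# print how many such sections remain (1 when the edit went in cleanly).
# Commented-out template lines from kippo.cfg.dist are left untouched.
set_kippo_mysql() {
    cfg="$1"; host="$2"; db="$3"; user="$4"; pass="$5"
    # delete an existing active section up to, but not including, the next [header]
    sed -i '/^\[database_mysql\]/,/^\[/{/^\[database_mysql\]/d;/^\[/!d;}' "$cfg"
    printf '\n[database_mysql]\nhost = %s\ndatabase = %s\nusername = %s\npassword = %s\n' \
        "$host" "$db" "$user" "$pass" >> "$cfg"
    grep -c '^\[database_mysql\]' "$cfg"
}

# Point Kippo-Graph's config.php at the same database and print how many
# of the four define() lines are present (4 when all were rewritten).
set_graph_db() {
    php="$1"; host="$2"; db="$3"; user="$4"; pass="$5"
    for kv in "DB_HOST=$host" "DB_NAME=$db" "DB_USER=$user" "DB_PASS=$pass"; do
        key=${kv%%=*}; val=${kv#*=}
        sed -i -E "s|define\('$key',[[:space:]]*'[^']*'\)|define('$key', '$val')|" "$php"
    done
    grep -Ec "^define\('DB_(HOST|NAME|USER|PASS)', " "$php"
}

if [ "${1:-}" = "apply" ]; then
    # Export DBPASS with the password from the GRANT statement before running.
    DBPASS="${DBPASS:?set DBPASS to the password used in the GRANT statement}"
    set_kippo_mysql /home/kippo/kippo/kippo.cfg localhost kippo kippo "$DBPASS"
    set_graph_db /var/www/kippo-graph/config.php localhost kippo kippo "$DBPASS"
    # Prove the credentials work before restarting Kippo; the sessions
    # table comes from doc/sql/mysql.sql.
    mysql -u kippo -p"$DBPASS" -e 'SELECT COUNT(*) FROM sessions' kippo
fi
```

After "DBPASS=... sh dbcreds.sh apply", restart Kippo with ./start.sh so it picks up the new kippo.cfg; the COUNT(*) check fails immediately if the password or grant is wrong, which is far easier to diagnose than blank graphs.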

Now you are ready to rumble! Start your Kippo instance with ./start.sh and browse to the web server on that host (the folder name is the one tar created above):

http://<ip_address>/kippo-graph/

Remember to click on GENERATE_THE_KIPPO_GRAPHS() in order to pull the database information into the graphs.

Now SSH to port 22 and log in with the username root and the password 123456 🙂
More usernames and passwords can be set in the kippo/data/userdb.txt file, one entry per line in the form username:uid:password (the stock file ships root:0:123456).
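To widen the net you will want a few more weak accounts in userdb.txt, and a stray colon in a field silently breaks the file. The script below is an added example, not code from the original post or from Kippo: it appends entries only after validating the username:uid:password format and skips duplicates. The path in the "apply" section is an assumption matching this tutorial's layout.

```shell
#!/bin/sh
# Added example, not from the original post: maintain Kippo's
# data/userdb.txt (one "username:uid:password" per line) with format
# checks and duplicate suppression. The path under "apply" is an assumption.
set -eu

# Append user:uid:password to the userdb unless that exact entry exists.
# Returns 1 on a malformed entry instead of corrupting the file.
add_honeypot_login() {
    db="$1"; user="$2"; uid="$3"; pass="$4"
    case "$user" in '') echo "username may not be empty" >&2; return 1;; esac
    case "$user$pass" in *:*) echo "fields may not contain ':'" >&2; return 1;; esac
    case "$uid" in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1;; esac
    entry="$user:$uid:$pass"
    grep -qxF "$entry" "$db" 2>/dev/null || printf '%s\n' "$entry" >> "$db"
}

# List the distinct usernames the honeypot will accept, one per line.
honeypot_users() { cut -d: -f1 "$1" | sort -u; }

# Number of username/password combinations in the file.
honeypot_login_count() { grep -c . "$1"; }

if [ "${1:-}" = "apply" ]; then
    db=/home/kippo/kippo/data/userdb.txt
    add_honeypot_login "$db" admin 0 admin
    add_honeypot_login "$db" root 0 toor
    add_honeypot_login "$db" pi 1000 raspberry
    echo "$(honeypot_login_count "$db") logins for users: $(honeypot_users "$db" | tr '\n' ' ')"
    # Restart Kippo as the kippo user so it re-reads the file, then verify
    # from another machine: ssh -p 22 admin@<ip_address>
fi
```

Running it with "apply" as the kippo user adds the accounts; every entry added here also shows up in Kippo-Graph's successful-login statistics once attackers hit it, which is a quick way to confirm the database logging works end to end.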

Enjoy..
