Kippo is an SSH honeypot written in Python. It logs brute-force attacks and the entire shell interaction performed by an attacker, so I have installed it on my cubieboard2 running Lubuntu. According to Wikipedia, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
So let's start installing and testing my first honeypot.
Preparation for the kippo installation
Update the repositories:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get clean
and install the Python prerequisites for Kippo:
sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted
I had problems because my repository was no longer supported, so I needed to change the repository source. For more info see the following forums:
- http://www.cubieforums.com/index.php?topic=2963.0
- https://help.ubuntu.com/community/Repositories/CommandLine
Install Kippo honeypot
Create user kippo:
sudo adduser --disabled-login kippo
This will create a user called 'kippo' with no rights to log in (e.g. via SSH). A home directory, /home/kippo/, will be created for it.
Log in as kippo and download the Kippo source from git (an svn checkout and a tarball are also available online):
sudo su kippo
cd ~
git clone https://github.com/desaster/kippo.git
cd kippo
Inside this folder are some other interesting folders:
- dl: files downloaded by the attacker will be stored here
- txtcmds: when the attacker enters one of these commands, Kippo just cats the file's content to the session
- doc: contains readme files, read them! It also contains a MySQL file to be imported into your database
- honeyfs: contents of the fake filesystem; any file placed here can be viewed by the attacker
- kippo: contains Kippo itself, the Python scripts
- log: contains kippo.log and, in the subfolder tty/, the tty logs of the attackers' sessions
- utils: contains useful Python scripts
- data: contains userdb.txt, where the login data accepted by the honeypot is stored
Start kippo
To use the default configuration (port 2222), just copy kippo.cfg.dist to kippo.cfg, which is the file used for all later Kippo configuration, and then start the honeypot as the kippo user:
cp kippo.cfg.dist kippo.cfg
./start.sh
To check that Kippo is listening on port 2222, run netstat as your regular user (with sudo privileges):
sudo netstat -antp | grep 2222
To see the connection attempts:
cat ./kippo/log/kippo.log
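To get something more useful out of kippo.log than scrolling through it, here is a small added Python script (my own example, not part of Kippo) that counts login attempts per source IP, lists the credentials tried most often and picks out the successful logins, which are the sessions worth reading in log/tty/. It assumes the "login attempt [user/pass] succeeded|failed" line layout of typical kippo.log output and runs on constructed sample lines.

```python
import re
from collections import Counter

# Added example, not Kippo's own code. Kippo logs each credential tried as
# "login attempt [user/pass] succeeded|failed", prefixed by a timestamp and the
# transport the attempt arrived on, which ends with the peer's IP address
# (layout assumed from typical kippo.log output).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)

def parse_login_attempts(lines):
    """Yield (ip, user, password, result) for every login-attempt line; skip the rest."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("password"), m.group("result")

def summarise(lines):
    """Return attempts per source IP, how often each credential pair was tried,
    and the list of successful logins (which is where a shell session starts)."""
    per_ip, creds, successes = Counter(), Counter(), []
    for ip, user, password, result in parse_login_attempts(lines):
        per_ip[ip] += 1
        creds[(user, password)] += 1
        if result == "succeeded":
            successes.append((ip, user, password))
    return per_ip, creds, successes

# Constructed sample lines in the kippo.log layout (not real traffic).
SAMPLE_LOG = """\
2014-01-10 09:10:05+0100 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.7:54321 (192.168.1.11:2222) [session: 1]
2014-01-10 09:10:10+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password] failed
2014-01-10 09:10:12+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] succeeded
2014-01-10 09:11:40+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/admin] failed
2014-01-10 09:11:41+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [root/password] failed
"""

if __name__ == "__main__":
    per_ip, creds, successes = summarise(SAMPLE_LOG.splitlines())
    for ip, n in per_ip.most_common():
        print("%s: %d login attempts" % (ip, n))
    for (user, password), n in creds.most_common(3):
        print("%s/%s tried %d times" % (user, password, n))
    for ip, user, password in successes:
        print("successful login from %s as %s/%s - check log/tty/ for the session" % (ip, user, password))
```

Run it against the real file with summarise(open("log/kippo.log").readlines()) from inside the kippo folder.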
The default password for Kippo is 123456.
To add users, simply add new user and password entries to the kippo/data/userdb.txt file.
To stop kippo, just execute:
bash ./stop.sh
To test file downloads, try wget inside the honeypot session; the downloaded file ends up in the kippo/dl directory.
Connect to kippo from localhost with:
ssh -p 2222 tomas@localhost
Log files on a memory disk (not in NAND flash)
To avoid wearing out the NAND storage, I have moved the logs and the storage for downloaded files to a memory disk (tmpfs); more on this in my ubuntu-data-in-memory-disk post. I have also limited the storage to 5MB so that an intruder cannot (hopefully) harm my cubieboard storage.
As user kippo:
mkdir -p /home/kippo/kippo/memlog
mkdir -p /home/kippo/kippo/memdl
As user linaro (my regular user with sudo rights):
sudo mount -t tmpfs -o size=5M,mode=0777 tmpfs /home/kippo/kippo/memlog
sudo chown kippo:kippo /home/kippo/kippo/memlog
mkdir /home/kippo/kippo/memlog/tty
sudo chown kippo:kippo /home/kippo/kippo/memlog/tty
sudo mount -t tmpfs -o size=5M,mode=0777 tmpfs /home/kippo/kippo/memdl
sudo chown kippo:kippo /home/kippo/kippo/memdl
Change the log and download directories in kippo.cfg and start.sh to the new locations. Example of the changed line in start.sh:
twistd -y kippo.tac -l memlog/kippo.log --pidfile kippo.pid
Be careful to copy the log files off the memory storage before a system restart, or you will lose them.
Make your Kippo honeypot visible to the world!
Configure your router to forward internet port 22 to port 2222 on your cubieboard (Ubuntu). In my router it looks like this (my cubieboard's IP is 192.168.1.11, configured as a static IP in my local network):
Change login banner
I wanted to be a little creative, so I added a banner to the login screen. Using this text-to-ASCII tool I created a new file called banner in the kippo folder. In kippo.cfg, uncomment the line:
banner_file = banner
The result shown to the attacker is depicted on the screen below (although many bots will never notice it).
Remarks
If you do not have git, or do not want to use it, try this tutorial: http://www.unixmen.com/kippo-ssh-honeypot-monitor-brute-force-attacks-debian-7-ubuntu-13-10/
which fetches the source with wget http://kippo.googlecode.com/files/kippo-0.8.tar.gz
Other resources:
http://bruteforce.gr/installing-kippo-ssh-honeypot-on-ubuntu.html
https://capsop.com/kippo
http://resources.infosecinstitute.com/tracking-attackers-honeypot-part-2-kippo/
http://bruteforce.gr/kippo-graph
https://lvdeijk.wordpress.com/2012/12/24/kippo-ssh-honeypot-over-the-years/
http://www.micheloosterhof.com/cowrie/
https://github.com/g0tmi1k/os-scripts
TODO:
- auto start
- connect kippo to central repository
- add more files to the kippo file system