Kippo honeypot on Cubieboard Ubuntu

Kippo is an SSH honeypot written in Python. Kippo is used to log brute force attacks and the entire shell interaction performed by an attacker so I have installed it on my cubieboard2 Lubuntu version. According to wiki a honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.

So lets start to install and test my first honeypot.

Preparation for the kippo installation

update repositories:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get clean

and install python prerequisites for kippo

sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

I had problems since my repository was not longer supported so I need to changes repository source. For more info visit the following forums:



Install Kippo honeypot

Create user kippo:

sudo adduser --disabled-login kippo

This will create a user called ‘kippo’ with no rights to login (like via SSH). A home directory will be created for him: /home/kippo/.

login as kippo and download kippo source from git (also svn and file is available on internet)

sudo su kippo
cd ~
git clone
cd kippo

Inside this folder are some interesting other folders:


  • dl: downloaded files will be stored here
  • txtcmds: when the attacker enters a command it will just cat the content to his session
  • doc: contains readme files, read them! And contains a MySQL file to be imported to your database
  • honeyfs: contains existent files, all files which exist here can be viewed by the attacker
  • kippo: contains Kippo itself, the Python scripts
  • log: contains the kippo.log and in subfolder tty/ the tty logs of attackers
  • utils: contains usefull Python scripts
  • data: contains userdb.txt where login data for the honeypot is stored


Start kippo

To use default configuration (port 2222) just clone kippo.cfg.dist file to kippo.cfg file that will be used for the later kippo configuration and then just start kippo honeypot with kippo user

cp kippo.cfg.dist kippo.cfg

To check if kippo is listening on port 2222, execute netstat from a home user (with sudo privileges)

sudo netstat -antp | grep 2222


To see the connections tries:

 cat ./kippo/log/kippo.log

The default password for kippo is 123456.

simple add new user with passwords in kippo/data/userdb.txt file

To stop kippo, just execute:

bash ./

To test file download try wget and the downloaded file is in kippo/dl directory.
Connect to kippo from localhost with:

ssh -p 2222 tomas@localhost


Log files in a mem disk (not in NAND flash)

To not use NAND storage I have move logs and storage of downloaded files to memory disk, more in this ubuntu-data-in-memory-disk post. I have also set the limit of the storage to 5MB so the intruder will not harm my cubieboard storage (hopefully).

As user kippo

mkdir -p /home/kippo/kippo/memlog
mkdir -p /home/kippo/kippo/memdl

As user linaro (my home user with sudo rights)

sudo mount -t tmpfs -o size=5M,mode=0777 tmpfs /home/kippo/kippo/memlog
sudo chown kippo:kippo /home/kippo/kippo/memlog
mkdir /home/kippo/kippo/memlog/tty
sudo chown kippo:kippo /home/kippo/kippo/memlog/tty
sudo mount -t tmpfs -o size=5M,mode=0777 tmpfs /home/kippo/kippo/memdl

sudo chown kippo:kippo /home/kippo/kippo/memdl

Change  kippo.cfg and configuration with new log files directories. example of changed line:

twistd -y kippo.tac -l memlog/kippo.log --pidfile

Be careful to copy log files from the memory storage before the system restart or you lost them.

Make you kippo honeypot visible to the world!

Configure your router to forward 22 internet port to your cubieboard (ubuntu) 2222 port. In my router like this (my cubiboard IP is and in other configruation it is configured as static IP in my local network:


Change login banner

I wanted to be a little creative so I’ve added a banner to login screen. By using this text to ASCII tool I’ve created a new file called banner in kippo folder. In kippo.cfg uncomment line:

banner_file = banner

The result that is shown to the attacker is depicted on the screen bellow (although many robots will not recognize it).


If you do not have or want to use git try this tutorial:

with wget

Other resources:


  • auto start
  • connect kippo to central repository
  • add more files to the kippo file system

Related Posts

Enable UART on Cubieboard with Lubuntu

I wanted to connect my cubieboard with lubuntu to my arduino via serial communication. For that I had to enable a UART and connect pins to my arduino (only RX/TX is needed). I have arduino[…]

Continue reading ...

WiFi Access Point Bridge with Raspberry Pi 3 – ETH to WLAN

WiFi Modes

A Raspberry Pi WiFi Extender is a cheap and power efficient way of increasing the total range of your WiFi Network. In my case I needed to extend a WiFi coverage within the same LAN[…]

Continue reading ...

Cubieboard2 – Lubuntu installation

I wanted to install Lubuntu on my new Cubieboard2 so I decided to go for this v1.06 Lubuntu 12.10 image. You have option to have NAND or SD card and I’ve decided to go for[…]

Continue reading ...