Share this post
FaceBook  Twitter  
Contents[Hide]

1. Introduction

Do you feel that someone is attempting to access you server? To find out, you can deploy a honeypot within your system to help you ease your paranoia by either confirming or dismissing your initial believe. As an example you can start the Kippo SSH honeypot, which allows you to monitor brute-force attempts, collect up today exploits and malware. Kippo also automatically records hacker's shell session, which you can replay to explore various hacking techniques and later use this gathered knowledge to harden your production server. Another reason why to install a honeypot is to take away an attention from your production server. In this tutorial we will show how to deploy a Kippo SSH honeypot on the Ubuntu server.

2. Prerequisites

Kippo SSH honeypot is a python based application. Therefore, we need to first install python libraries:

$ sudo apt-get install python-twisted

Normally you would run you sshd service listening on default port 22. It makes sense to use this port for your SSH honeypot and thus if you already run the SSH service we need to change the default port to some other number. I would suggest not to use alternative port 2222 as its use is already generally known and it could sabotage your disguise.  Let's pick some random 4-digit number like 4632. Open your SSH /etc/ssh/sshd_config configuration file and change the Port directive from:

Port 22

to

Port 4632

Once done restart you sshd:

$ sudo service ssh restart

You can confirm that you have changed the port correctly with the netstat command:

$ netstat -ant | grep 4632
tcp        0      0 0.0.0.0:4632            0.0.0.0:*               LISTEN

Furthermore, Kippo needs to run a non-privileged user so it is a good idea to create some separate user account and run Kippo under this account. Create a new user kippo:

$ sudo adduser kippo

3. Installation

Kippo does not require any tedious installation. All what needs to be done is to download a gziped tarball and extract it into the kippo's directory. First, login as or change user to kippo and then download the Kippo's source code:

kippo@ubuntu:~$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz

extract it with:

kippo@ubuntu:~$ tar xzf kippo-0.5.tar.gz 

this will create a new directory called kippo-0.5.

4. Configuration

 Once you navigate into Kippo's directory you will see:

kippo@ubuntu:~/kippo-0.5$ ls
data  dl  doc  fs.pickle  honeyfs  kippo  kippo.cfg  kippo.tac  log  start.sh  txtcmds  utils

 

Most notable directories and files here are:

  • dl - this is a default directory when kippo will store all malware and exploits downloaded by hacker using the wget command
  • honeyfs - this directory includes some files, which will be presented to attacker
  • kippo.cfg - kippo's configuration file
  • log - default directory to log attackers interaction with the shell
  • start.sh - this is a shell script to start kippo
  • utils - contains various kippo utilities from which most notable is playlog.py, which allows you to replay the attacker's shell session

Kippo comes pre-configured with port 2222. This is mainly because kippo needs to run as non-privilege user and non-privileged user is not able to open any ports, which are below number 1024. To solve this problem we can use iptables with "PREROUTING" and "REDIRECT" directives. This is not the best solution as any user can open port above 1024 thus creating an opportunity to exploit.

Open Kippo's configuration file and change default port number to some arbitrary number like, 4633. After this, create iptables redirect from port 22 to kippo's on port 4633:

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 4633

5. Optional configurations

5.1. Filesystem

Next, you may wish to configure filesystem, which will be presented to attacker once s/he login to our honeypot. By default Kippo comes with its own filesystem but it dates back to 2009 and it does not look plausible anymore.  You can clone your own filesystem without revealing any information with Kippo's utility utils/createfs.py. With a root privileges execute the following command to clone your file system:

# cd /home/kippo/kippo-0.5/
# utils/createfs.py > fs.pickle
Doing stuff

5.2. Operating system name

Kippo also allows you to change the operating system name located in /etc/issue file. Let's say that we use Linux Mint 14 Julaya. Of course that you will use something real and plausible.

$ echo "Linux Mint 14 Julaya \n \l" > honeyfs/etc/issue

5.3. Password file

Edit honeyfs/etc/passwd and make it more plausible and juicy. 

5.4. Alternative root passwords

Kippo comes with prefigured password "123456" . You can keep this setting and add more passwords like: pass, a , 123, password, root

kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add pass
kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add a 
kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add 123 
kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add password 
kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add root

Now the attacker will be able to login with as root with any of the above passwords.

5.5. Creating New Commands

Furthermore, Kippo allows you to configure additional commands which are stored in txtcmds/ directory. To create a new command, for example df we simply redirect output form the real df command to txtcmds/bin/df:

# df -h > txtcmds/bin/df

The above is a simple static text output command but it will keep an attacker busy for some time.

5.6. Hostname

Edit the configuration file kippo.cfg and change your hostname to something more attractive like:

hostname = accounting

6. Starting Kippo SSH Honeypot

If you followed the above instructions up to this point, by now you should have configured you SSH honeypot with the following settings:

  • listening port 4633
  • iptables portforward from 22 -> 4633
  • hostname: accounting
  • multiple root passwords
  • fresh up to date honeyfs clone of your existing system
  • OS: Linux Mint 14 Julaya

Let's start Kippo SSH honeypot now.

$ pwd
/home/kippo/kippo-0.5
kippo@ubuntu:~/kippo-0.5$ ./start.sh
Starting kippo in background...Generating RSA keypair...
done.
kippo@ubuntu:~/kippo-0.5$ cat kippo.pid
2087

From the above, you can see that Kippo started and that it created all necessary RSA keys for the SSH communication. Moreover, it also created a file called kippo.pid, which contain a PID number of the running instance of Kippo, which you can use to terminate kippo with the kill command.

7. Testing SSH Honeypot deployment

 Now, we should be able to login to our new ssh server alias ssh honeypot on default ssh port 22:

$ ssh root@server 
The authenticity of host 'server (10.1.1.61)' can't be established.
RSA key fingerprint is 81:51:31:8c:21:2e:41:dc:e8:34:d7:94:47:35:8f:88.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server,10.1.1.61' (RSA) to the list of known hosts.
Password:
accounting:~# accounting:~# cd / accounting:/# ls var sbin home srv usr mnt selinux tmp vmlinuz initrd.img etc root dev sys lost+found proc boot opt run media lib64 bin lib accounting:/# cat /etc/issue Linux Mint 14 Julaya \n \l

Looks familiar? We are done

8. Additional Features

Kippo comes with multiple other options and settings. One of them is to use utils/playlog.py utility to replay attacker's shell interactions stored in log/tty/ directory. In addition, Kippo allows for log files to be stored by the MySQL database. See the configuration file for additional settings.

9. Conclusion

One thing, which needs to be mentioned is that it is advisable to configure the Kipps's dl directory to some separate filesystem. This directory will hold all files download by the attacker so you do not want your applications to hang because of no disk space.

Kippo seems to be a nice and easy to configure SSH honeypot alternative to full chrooted honeypot environments. Kippo has more features to offer than those described in this guide. Please read kippo.cfg to get familiar with them and adjust Kippo's settings to fit your environment.

Partners

Who are we?

LinuxCareer.com is not affiliated with any local or international company, nor is it a recruitment or employment agency. We specialise in Linux based careers and closely related Information Technology fields by providing careers advice and latest employment opportunities.

JOIN LINUXCAREER

You can also get involved in the LinuxCareer project by participating on our FORUM or SUBMITTING A LINUX ARTICLE. We offer a range of privileges to our authors and good company.