Kippo SSH Honeypot on Ubuntu

From Zam Wiki
Revision as of 10:24, 10 July 2014 by Zam (talk | contribs) (Kippo Graph)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Creating Kippo SSH Honeypot on Ubuntu.

For those who don't know what is Kippo, please refer here for more information.


  • So, for the first step,
sudo apt-get update && sudo apt-get upgrade
  • Move SSH server from Port 22 to Port 66534
sudo sed -i 's:Port 22:Port 65534:g' /etc/ssh/sshd_config
sudo service ssh reload
  • Then, install the required package
sudo apt-get install ssh subversion mysql-server python-dev openssl python-openssl python-pyasn1 python-twisted python-mysqldb python-pip python-software-properties iptables gcc
  • Then create new dir for kippo
sudo mkdir /opt/kippo/
  • Download Kippo source code to your server
sudo svn checkout http://kippo.googlecode.com/svn/trunk/ /opt/kippo/
  • Add kippo user that can't login
sudo useradd -r -s /bin/false kippo
  • Now we set the alert to be logged to the database

The database that we will use is MySQL
Login to mysql, create 1 database named kippo & set grant permission

mysql -u root -p
mysql> create database kippo;
mysql> create user 'kippo'@'localhost' identified by 'kippo';
mysql> grant all privileges on kippo.* to 'kippo'@'localhost';
mysql> flush privileges;
  • Then we import mysql structure to the database that we made before
cd /opt/kippo/doc/sql
mysql -u kippo -p kippo < mysql.sql
  • Then we copy the config file
cd /opt/kippo/
sudo cp kippo.cfg.dist kippo.cfg
  • Edit the config file
sudo nano kippo.cfg

EDIT FORM THIS:

  #[database_mysql]
  #host = localhost
  #database = kippo
  #username = kippo
  #password = secret

TO THIS:

  [database_mysql]
  host = localhost
  database = kippo
  username = kippo
  password = kippo <-- your mysql password
  • At here, we want to redirect port 22 (ssh) to port 2222 (kippo)
* This is to connect to external/public internet
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
* This is for virtual/internally je (if using vmware/virtualbox)
sudo iptables -t nat -A PREROUTING -p tcp -d <virtual_ip> --dport 22 -j REDIRECT --to-port 2222
  • Create log dir
sudo mkdir -p /var/kippo/dl
sudo mkdir -p /var/kippo/log/tty
sudo mkdir -p /var/run/kippo
  • Delete old dirs to prevent confusion
sudo rm -rf /opt/kippo/dl
sudo rm -rf /opt/kippo/log
  • Set up permissions
sudo chown -R kippo:kippo /opt/kippo/
sudo chown -R kippo:kippo /var/kippo/
sudo chown -R kippo:kippo /var/run/kippo/
  • Then we start our Kippo honeypot
cd /opt/kippo/
./start.sh
  • The output that you should get is like this :
[email protected]:/opt/kippo$ ./start.sh
Starting kippo in background...Generating RSA keypair...
done.

Troubleshooting

  • If there is any error during kippo startup that saying somethings like this: "Failed to load application: [Errno 13] Permission denied: 'public.key' ",

you need to change the file permission:

sudo chown kippo /opt/kippo/
sudo chgrp kippo /opt/kippo/
sudo chown kippo /opt/kippo/data/
sudo chgrp kippo /opt/kippo/data/
sudo chown kippo /var/kippo/log/
sudo chgrp kippo /var/kippo/log/
sudo chown kippo /var/kippo/log/tty/
sudo chgrp kippo /var/kippo/log/tty/
  • If the problem still continue, you can try to run your kippo using this command rather than using the start.sh script:
sudo -u kippo /usr/bin/twistd -y /opt/kippo/kippo.tac -l /var/kippo/log/kippo.log --pidfile /var/run/kippo/kippo.pid -d /opt/kippo/


Kippo Graph

For those who doesn't know what is kippo graph, here I quote to you directly from BruteForce Lab's Blog

Kippo-Graph is a full featured script to visualize statistics from a Kippo SSH honeypot.
It uses “Libchart” PHP chart drawing library by Jean-Marc Trémeaux, “QGoogleVisualizationAPI” PHP Wrapper for Google’s Visualization API by Thomas Schäfer and geoPlugin geolocation technology (geoplugin.com).
Kippo-Graph currently shows 24 charts, including top 10 passwords, top 10 usernames, top 10 username/password combos, success ratio, connections per IP, connections per country, probes per day, probes per week, ssh clients, top 10 overall input, top 10 successful input, top 10 failed input and many more. There are also geolocation data extracted and displayed with Google visualization technology using a Google Map, a Intensity Map, etc. Lastly, input-related data and statistics are also presented giving an overview of the action inside the system.
  • As usual, update & upgrade your server
sudo apt-get udpate
sudo apt-get update
  • Install required package
sudo install apache2 php5 php5-mysql php5-cgi libapache2-mod-php5 php5-gd php5-mysql
  • Get the kippo graph file (current version on July 2013)
wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.6.tar
  • Move to /var/www/
mv kippo-graph-0.7.6.tar /var/www
  • Go to the directory
cd /var/www
  • Extract the file
tar xvf kippo-graph-0.7.6.tar --no-same-permissions
  • Change file permission
cd kippo-graph
sudo chmod 777 generated-graphs
  • Enter the appropriate values for MySQL
sudo nano config.php
  • Visit kippo graph with your web browser
http://localhost/kippo-graph
blog comments powered by Disqus