Do you feel that someone is attempting to access you server? To find out, you can deploy a honeypot within your system to help you ease your paranoia by either confirming or dismissing your initial believe. As an example you can start the Kippo SSH honeypot, which allows you to monitor brute-force attempts, collect up today exploits and malware. Kippo also automatically records hacker's shell session, which you can replay to explore various hacking techniques and later use this gathered knowledge to harden your production server. Another reason why to install a honeypot is to take away an attention from your production server. In this tutorial we will show how to deploy a Kippo SSH honeypot on the Ubuntu server.
Kippo SSH honeypot is a python based application. Therefore, we need to first install python libraries:
$ sudo apt-get install python-twisted
Normally you would run you sshd service listening on default port 22. It makes sense to use this port for your SSH honeypot and thus if you already run the SSH service we need to change the default port to some other number. I would suggest not to use alternative port 2222 as its use is already generally known and it could sabotage your disguise. Let's pick some random 4-digit number like 4632. Open your SSH /etc/ssh/sshd_config configuration file and change the Port directive from:
Once done restart you sshd:
$ sudo service ssh restart
You can confirm that you have changed the port correctly with the netstat command:
$ netstat -ant | grep 4632
tcp 0 0 0.0.0.0:4632 0.0.0.0:* LISTEN
Furthermore, Kippo needs to run a non-privileged user so it is a good idea to create some separate user account and run Kippo under this account. Create a new user kippo:
$ sudo adduser kippo
Kippo does not require any tedious installation. All what needs to be done is to download a gziped tarball and extract it into the kippo's directory. First, login as or change user to kippo and then download the Kippo's source code:
kippo@ubuntu:~$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
extract it with:
kippo@ubuntu:~$ tar xzf kippo-0.5.tar.gz
this will create a new directory called kippo-0.5.
Once you navigate into Kippo's directory you will see:
data dl doc fs.pickle honeyfs kippo kippo.cfg kippo.tac log start.sh txtcmds utils
Most notable directories and files here are:
- dl - this is a default directory when kippo will store all malware and exploits downloaded by hacker using the wget command
- honeyfs - this directory includes some files, which will be presented to attacker
- kippo.cfg - kippo's configuration file
- log - default directory to log attackers interaction with the shell
- start.sh - this is a shell script to start kippo
- utils - contains various kippo utilities from which most notable is playlog.py, which allows you to replay the attacker's shell session
Kippo comes pre-configured with port 2222. This is mainly because kippo needs to run as non-privilege user and non-privileged user is not able to open any ports, which are below number 1024. To solve this problem we can use iptables with "PREROUTING" and "REDIRECT" directives. This is not the best solution as any user can open port above 1024 thus creating an opportunity to exploit.
Open Kippo's configuration file and change default port number to some arbitrary number like, 4633. After this, create iptables redirect from port 22 to kippo's on port 4633:
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 4633
Next, you may wish to configure filesystem, which will be presented to attacker once s/he login to our honeypot. By default Kippo comes with its own filesystem but it dates back to 2009 and it does not look plausible anymore. You can clone your own filesystem without revealing any information with Kippo's utility utils/createfs.py. With a root privileges execute the following command to clone your file system:
# cd /home/kippo/kippo-0.5/
# utils/createfs.py > fs.pickle
Operating system name
Kippo also allows you to change the operating system name located in /etc/issue file. Let's say that we use Linux Mint 14 Julaya. Of course that you will use something real and plausible.
$ echo "Linux Mint 14 Julaya \n \l" > honeyfs/etc/issue
Edit honeyfs/etc/passwd and make it more plausible and juicy.
Alternative root passwords
Kippo comes with prefigured password "123456" . You can keep this setting and add more passwords like: pass, a , 123, password, root
kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add pass kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add a kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add 123 kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add password kippo@ubuntu:~/kippo-0.5$ utils/passdb.py data/pass.db add root
Now the attacker will be able to login with as root with any of the above passwords.
Creating New Commands
Furthermore, Kippo allows you to configure additional commands which are stored in txtcmds/ directory. To create a new command, for example df we simply redirect output form the real df command to txtcmds/bin/df:
# df -h > txtcmds/bin/df
The above is a simple static text output command but it will keep an attacker busy for some time.
Edit the configuration file kippo.cfg and change your hostname to something more attractive like:
hostname = accounting
Starting Kippo SSH Honeypot
If you followed the above instructions up to this point, by now you should have configured you SSH honeypot with the following settings:
- listening port 4633
- iptables portforward from 22 -> 4633
- hostname: accounting
- multiple root passwords
- fresh up to date honeyfs clone of your existing system
- OS: Linux Mint 14 Julaya
Let's start Kippo SSH honeypot now.
Starting kippo in background...Generating RSA keypair...
kippo@ubuntu:~/kippo-0.5$ cat kippo.pid
From the above, you can see that Kippo started and that it created all necessary RSA keys for the SSH communication. Moreover, it also created a file called kippo.pid, which contain a PID number of the running instance of Kippo, which you can use to terminate kippo with the kill command.
Testing SSH Honeypot deployment
Now, we should be able to login to our new ssh server alias ssh honeypot on default ssh port 22:
$ ssh root@server
The authenticity of host 'server (10.1.1.61)' can't be established.
RSA key fingerprint is 81:51:31:8c:21:2e:41:dc:e8:34:d7:94:47:35:8f:88.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server,10.1.1.61' (RSA) to the list of known hosts.
accounting:~# accounting:~# cd / accounting:/# ls var sbin home srv usr mnt selinux tmp vmlinuz initrd.img etc root dev sys lost+found proc boot opt run media lib64 bin lib accounting:/# cat /etc/issue Linux Mint 14 Julaya \n \l
Looks familiar? We are done
Kippo comes with multiple other options and settings. One of them is to use utils/playlog.py utility to replay attacker's shell interactions stored in log/tty/ directory. In addition, Kippo allows for log files to be stored by the MySQL database. See the configuration file for additional settings.
One thing, which needs to be mentioned is that it is advisable to configure the Kipps's dl directory to some separate filesystem. This directory will hold all files download by the attacker so you do not want your applications to hang because of no disk space.
Kippo seems to be a nice and easy to configure SSH honeypot alternative to full chrooted honeypot environments. Kippo has more features to offer than those described in this guide. Please read kippo.cfg to get familiar with them and adjust Kippo's settings to fit your environment.