The practice of running a honeypot, or running a system with a bad configuration ON PURPOSE, might seem a bit odd to most people. However, running a honeypot server can be quite fun and you might learn a thing or two about those evil hax0rs while you're at it.
I decided to run an SSH honeypot on my server, to get better insight into what crackers are doing once they get root on a box they don't own already. So, I installed Kippo and I thought you should know how to do it.
BEFORE ANYTHING ELSE:
Remember to set your REAL SSH daemon to listen on another port than port 22, or this will not work!
Now, log in to the server you want to run the honeypot on. Next, download kippo and unpack it on your server:
wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
tar xzf kippo-0.5.tar.gz
cd kippo-0.5
Next, you must install a couple of packages:
sudo apt-get install python-twisted authbind
Now, because you don't want to run Kippo as root (and normally only root may bind ports below 1024), the fake SSH daemon will not, by default, listen on port 22 like the real SSH daemon, so we need to fix that!
Open the file kippo.cfg in your favorite editor and find the line that reads
ssh_port = 2222
Change it to
ssh_port = 22
and save the file.
Then open start.sh and replace
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
with
authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
Next, input these three lines, and substitute kippo:kippo with the username running the honeypot:
sudo touch /etc/authbind/byport/22
sudo chown kippo:kippo /etc/authbind/byport/22
sudo chmod 777 /etc/authbind/byport/22
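Before starting the honeypot, the changes from the steps above can be verified in one pass. The script below is an added example, not part of the original post or of Kippo; the function name check_kippo, the default sshd_config path and the FAIL/WARN output format are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the Kippo setup steps on this page.
# Usage: check_kippo KIPPO_DIR [SSHD_CONFIG] [AUTHBIND_FILE]
# Prints one line per finding; return status = number of FAIL findings.
check_kippo() {
    ck_dir=$1
    ck_sshd=${2:-/etc/ssh/sshd_config}        # assumed default location
    ck_bind=${3:-/etc/authbind/byport/22}
    ck_fail=0

    # The real sshd must have moved off port 22. A config with no active
    # Port line means the default (22). Only Port directives are checked.
    if ! awk 'tolower($1) == "port" { seen = 1; if ($2 == 22) bad = 1 }
              END { exit ((bad || !seen) ? 1 : 0) }' "$ck_sshd" 2>/dev/null; then
        echo "FAIL: real sshd is still on port 22 ($ck_sshd)"
        ck_fail=$((ck_fail + 1))
    fi

    # kippo.cfg must carry the edited "ssh_port = 22" line.
    if ! grep -Eq '^[[:space:]]*ssh_port[[:space:]]*=[[:space:]]*22[[:space:]]*$' "$ck_dir/kippo.cfg" 2>/dev/null; then
        echo "FAIL: kippo.cfg does not set ssh_port = 22"
        ck_fail=$((ck_fail + 1))
    fi

    # start.sh must launch twistd through authbind, as edited above.
    if ! grep -Eq '^[[:space:]]*authbind[[:space:]]+--deep[[:space:]]+twistd[[:space:]]' "$ck_dir/start.sh" 2>/dev/null; then
        echo "FAIL: start.sh does not run twistd via authbind --deep"
        ck_fail=$((ck_fail + 1))
    fi

    # authbind grants the bind when this file is executable by the caller.
    if [ ! -x "$ck_bind" ]; then
        echo "FAIL: $ck_bind is missing or not executable by $(id -un)"
        ck_fail=$((ck_fail + 1))
    elif [ -n "$(find "$ck_bind" -prune -perm -001 2>/dev/null)" ]; then
        echo "WARN: $ck_bind is executable by everyone, so any local user can bind port 22"
    fi

    # The whole point of authbind is to keep Kippo away from root.
    if [ "$(id -u)" -eq 0 ]; then
        echo "WARN: running as root; start Kippo from the unprivileged account"
    fi
    return "$ck_fail"
}

[ "$#" -eq 0 ] || check_kippo "$@"
```

Saved under a name of your choice and run with the Kippo directory as its argument, from the account that will run the honeypot, it exits with the number of FAIL findings.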
And then you start Kippo with the start.sh script you just edited.
Now hopefully, if everything works out, you should be able to connect via SSH client to your new honeypot. Now, the really cool part comes when someone actually thinks that they've "pwned ur box". See, in the log/tty/ directory, there will be saved replays of everything the attacker writes in the terminal. To play one of those replays:
python utils/playlog.py log/tty/somenumbershere.log
where somenumbershere of course should be replaced with an existing file in
How cool is THAT?! :-D
Written by Jannich Brendle, Wed 18 January 2012, in How to