Running an SSH honeypot with Debian and Kippo

The practice of running a honeypot, or, running a system with a bad configuration ON PURPOSE, might seem a bit odd to most people. However, running a honeypot server can be quite fun and you might learn a thing or two about those evil hax0rs while you're at it.

I decided to run an SSH honeypot on my server, to get better insight into what crackers do once they get root on a box they don't own. So, I installed Kippo and I thought you should know how to do it.

BEFORE ANYTHING ELSE:

Remember to set your REAL SSH daemon to listen on another port than port 22, or this will not work!

Now, log in to the server you want to run the honeypot on. Next, download Kippo and unpack it on your server:

wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
tar xzf kippo-0.5.tar.gz 
cd kippo-0.5

Next, you must install a couple of packages:

sudo apt-get install python-twisted authbind

Now, because you don't want to run Kippo as root, and a non-root process can't bind a port below 1024, the fake SSH daemon will not, by default, listen on port 22 like the real SSH daemon does, so we need to fix that!

Open the file kippo.cfg in your favorite editor, find the line that says ssh_port = 2222, change it to ssh_port = 22 and save the file.

Then, open start.sh and replace twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid with authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

Next, run these three commands, substituting kippo:kippo with the user that will run the honeypot:

sudo touch /etc/authbind/byport/22
sudo chown kippo:kippo /etc/authbind/byport/22
sudo chmod 777 /etc/authbind/byport/22

And then, you start Kippo: ./start.sh
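The config edits above, put together as a small shell script (an added example, not part of Kippo or of the original post). It assumes the kippo-0.5 layout described above (kippo.cfg and start.sh in the unpacked directory), GNU sed as found on Debian, and that the kippo.cfg port line is written exactly as ssh_port = 2222; the authbind helper needs root and is only defined here, not run. Authbind only requires the byport file to be executable by the honeypot user, so mode 500 is enough; the post's chmod 777 also works but is broader than needed.

```shell
#!/bin/sh
# Apply the two edits from the post to an unpacked Kippo tree, then verify them.
# Added example; assumes the kippo-0.5 files kippo.cfg and start.sh.

set -u

# prepare_kippo DIR: point Kippo at port 22 and wrap twistd in authbind --deep.
# Safe to run twice: the authbind prefix is only added if it is missing.
prepare_kippo() {
  dir="$1"
  # ssh_port = 2222 -> ssh_port = 22 (tolerates extra spaces around '=')
  sed -i 's/^ssh_port[[:space:]]*=.*/ssh_port = 22/' "$dir/kippo.cfg"
  grep -q '^authbind --deep twistd' "$dir/start.sh" || \
    sed -i 's/^twistd -y kippo.tac/authbind --deep twistd -y kippo.tac/' "$dir/start.sh"
}

# check_kippo DIR: returns 0 if both edits are present, 1 otherwise.
check_kippo() {
  dir="$1"
  grep -q '^ssh_port = 22$' "$dir/kippo.cfg" || return 1
  grep -q '^authbind --deep twistd -y kippo.tac' "$dir/start.sh" || return 1
  return 0
}

# setup_authbind USER: create the byport file that lets USER bind port 22
# without root. Must be run as root. authbind checks only that the file is
# executable by the calling user, so 500 suffices (the post uses 777).
setup_authbind() {
  user="$1"
  touch /etc/authbind/byport/22
  chown "$user:$user" /etc/authbind/byport/22
  chmod 500 /etc/authbind/byport/22
}

# Demo on a constructed copy of the two files, so this runs without a
# real Kippo checkout and without root.
demo="$(mktemp -d)"
printf '[honeypot]\nssh_port = 2222\n' > "$demo/kippo.cfg"
printf '#!/bin/sh\ntwistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid\n' > "$demo/start.sh"
prepare_kippo "$demo"
if check_kippo "$demo"; then
  echo "kippo.cfg and start.sh edited:"
  cat "$demo/kippo.cfg" "$demo/start.sh"
else
  echo "edits missing, check the files by hand" >&2
fi
rm -rf "$demo"
```

On a real install you would run prepare_kippo against the kippo-0.5 directory, then setup_authbind with the honeypot user via sudo, and confirm with check_kippo before ./start.sh. Remember the very first step of the post: the real sshd must already be listening somewhere other than port 22, or Kippo will fail to bind.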

Now hopefully, if everything works out, you should be able to connect to your new honeypot with an SSH client. The really cool part comes when someone actually thinks that they've "pwned ur box". See, in the log/tty/ directory, there will be saved replays of everything the attacker types in the terminal. To play one of those replays:

python utils/playlog.py log/tty/somenumbershere.log

where somenumbershere of course should be replaced with an existing file in the log/tty/ directory.
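The tty replays show what an attacker did after logging in; the main log, log/kippo.log, records every login attempt before that. The following is an added example (not part of Kippo or the post) that summarises those attempts per source IP and lists the passwords tried, so you can see at a glance who is brute-forcing you and what succeeded. The line shape it parses is assumed from Kippo's twisted-style logging ("... [SSHService ssh-userauth on HoneyPotTransport,N,IP] login attempt [user/pass] failed|succeeded"); the sample lines embedded below are constructed, not real log output.

```shell
#!/bin/sh
# Summarise Kippo login attempts from log/kippo.log with grep and awk.
# Added example; the log line shape is assumed from Kippo's logging.

# summarize_kippo_log LOGFILE: one line per source IP (attempts, successes),
# then one line per password with how often it was tried. Output is sorted.
summarize_kippo_log() {
  grep 'login attempt' "$1" | awk '
    {
      # Prefix "... [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5]":
      # cut at the first "]" and take the field after the last comma as the IP.
      pre = $0; sub(/\].*/, "", pre)
      n = split(pre, parts, ","); ip = parts[n]
      # Credentials are "[user/pass]" after "login attempt "; split on the
      # first "/" only, so a password containing "/" is kept whole.
      m = $0; sub(/.*login attempt \[/, "", m); sub(/\].*/, "", m)
      i = index(m, "/"); pw = substr(m, i + 1)
      attempts[ip]++; pass[pw]++
      if ($0 ~ /succeeded[[:space:]]*$/) ok[ip]++
    }
    END {
      for (ip in attempts)
        printf "%s attempts=%d succeeded=%d\n", ip, attempts[ip], ok[ip] + 0
      for (pw in pass)
        printf "password %s tried %d times\n", pw, pass[pw]
    }' | sort
}

# Constructed sample log (not real traffic; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges) so the function can be tried without a live honeypot.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
2012-01-18 12:00:01+0100 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] failed
2012-01-18 12:00:02+0100 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/password] failed
2012-01-18 12:00:03+0100 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] succeeded
2012-01-18 12:05:00+0100 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.7] login attempt [admin/admin] failed
2012-01-18 12:05:01+0100 [HoneyPotTransport,4,198.51.100.7] connection lost
EOF

summarize_kippo_log "$sample"
rm -f "$sample"
```

Run it as summarize_kippo_log log/kippo.log on the honeypot; an IP with succeeded=1 or more is the one whose session you will find replayed under log/tty/.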

How cool is THAT?! :-D


Written by Jannich Brendle, Wed 18 January 2012, in How to

tags: honeypot, security
