Making new friends with kippo

Less than two weeks ago I sent a tweet asking for honeypot recommendations. I wanted to play a bit with something new, something I had never done before, mostly because I never had time for it (right, like I have it now). Anyway, thanks to all the great people who replied to my tweet I learned a lot and found some great software. Now it's time to give something back to the community.

Kippo - simply amazing

The first honeypot I reached for was kippo. It is a medium-interaction SSH honeypot designed to log brute-force attacks and record the whole session as it goes, including timings, typos, etc. The magic sauce is that you can play the session back (with typos!) and see what the attackers are made of. Believe me, playing back those sessions is totally amazing! Some samples are available on the project's page.
There are other features to like as well: trapping sessions and not disconnecting them even when the bad guys log out, logging the SSH client version used (which makes it very easy to tell scanning bots apart from real people), quite nice interaction and, most of all, an easy way to extend your honeypot with your own commands.

Installing kippo

For the base platform I used one of my Debian hosts and started with kippo 0.4. It was good for seeing how to run it, but its options are limited, so go full steam ahead and get the SVN version - it is well worth it!

By default kippo listens on port 2222, but I wanted it on port 22 as normal SSH would be (while still running as an unprivileged user), so I set it up on one of my unused IP addresses - the setup was very easy.

Before you grab the latest version from the SVN repo, install the required Python package (its dependencies will be pulled in automagically):

apt-get install python-twisted
svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-read-only

The main benefit of the SVN version is that it can log events to MySQL (alongside the regular log file) and that it can actually bind to a given IP address - version 0.4 binds to all available addresses, which is a bummer when I want to spawn a totally fake host and keep normal ssh working on the same box as well.

Honeypots - rule #1

DO NOT run a honeypot as root!

Remember that honeypots are software components; they may (and most likely do) have bugs of their own, and a honeypot is by design the service that gets poked at, so a bug in it is exactly what will get exploited. Of course you have to be root to bind to a port below 1024, or do you?

Configuration

Couldn't be easier... create an unprivileged, regular user account to run your honeypot (I called it honeytrap), create your own kippo.cfg using kippo.cfg.dist as the template, set the MySQL parameters, the honeypot hostname (attackers will see it after they log in), the IP address to bind to and the port. If you don't want to use MySQL, that's your call... it may come in very handy for reporting. That's it - you are ready to go.

Now the trick is to get it running on port 22. There is obviously more than one way to do it. If you have only one IP address available, you should most likely go to kippo's wiki page, which describes how to make kippo reachable through port 22, but if you have a spare IP address... =B-]

Now, how do I bind to port 22 as a regular user? Somebody must have solved that problem before, right? Sure, and they even packaged the solution! It's called authbind and it's amazingly easy to use.

apt-get install authbind
touch /etc/authbind/byport/22
chown honeytrap:honeytrap /etc/authbind/byport/22
chmod +x /etc/authbind/byport/22

Authbind works a bit like sudo, except that it grants a port rather than a command: it preloads a small library that intercepts bind() and hands only that one call to a setuid-root helper, which checks /etc/authbind/byport/<port> (the file must exist and be executable by the calling user) and performs the bind on the socket. The process itself keeps running as honeytrap the whole time, which is the point of rule #1. One caveat: chmod +x with the usual umask makes the file executable by every user, so every local account could then grab port 22; chmod u+x (or 0500) limits that to the honeypot user. In kippo's directory you will find the start.sh script - add authbind in front of the startup command and you are good to go.
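The steps above, wrapped into a small script as an added example (it is not from the post or the kippo project). It assumes the honeytrap account from above, kippo's start.sh command line (twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid, which is what the checkouts I have seen use; check yours), and authbind's --deep option; AUTHBIND_DIR is a hypothetical override so the permission checks can be exercised against a scratch directory without root. It also tightens the post's chmod +x to 0500 so only the honeypot user can use the port.

```shell
#!/bin/sh
# Added example: the authbind setup from the post as checkable functions.
# AUTHBIND_DIR is an override of my own (not an authbind feature) so the
# permission checks can be tried in a scratch directory as a normal user.
AUTHBIND_DIR="${AUTHBIND_DIR:-/etc/authbind}"

# Let USER bind PORT through authbind. Needs root when pointed at /etc/authbind.
# authbind's helper only asks "can the calling user execute byport/PORT?", so
# the file is made executable by its owner alone (0500): the post's chmod +x
# with the usual umask would let every local account grab the port.
authbind_allow_port() {
    port="$1"; user="$2"
    mkdir -p "$AUTHBIND_DIR/byport"
    touch "$AUTHBIND_DIR/byport/$port"
    chown "$user" "$AUTHBIND_DIR/byport/$port"
    chmod 0500 "$AUTHBIND_DIR/byport/$port"
}

# Exit 0 only if USER (a name or a uid) would be allowed by authbind to bind
# PORT: the byport file exists, is owned by USER and has the owner execute bit.
# Warns if the file is executable by everyone, which hands the port to any user.
authbind_port_allowed() {
    port="$1"; user="$2"
    f="$AUTHBIND_DIR/byport/$port"
    [ -f "$f" ] || return 1
    want=$(id -u "$user" 2>/dev/null || echo "$user")
    [ "$(stat -c %u "$f")" = "$want" ] || return 1
    perm=$(stat -c %A "$f")                # e.g. -r-x------
    case "$perm" in
        ???[xs]*) ;;                       # owner execute bit set
        *) return 1 ;;
    esac
    case "$perm" in
        ?????????[xt]*) echo "warning: $f is executable by every user" >&2 ;;
    esac
    return 0
}

# Start kippo as USER under authbind. The twistd line is kippo's own start.sh
# command as far as I know (assumption: compare with your checkout); --deep
# keeps the authbind environment for any child twistd might spawn.
start_kippo() {
    kippo_dir="$1"; user="$2"
    authbind_port_allowed 22 "$user" || {
        echo "$user may not bind port 22 via authbind; run setup first" >&2
        return 1
    }
    cd "$kippo_dir" || return 1
    su -s /bin/sh "$user" -c \
        "authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid"
}

# Usage (as root): ./kippo-authbind.sh setup | check | start /path/to/kippo
case "${1:-}" in
    setup) authbind_allow_port 22 honeytrap ;;
    check) authbind_port_allowed 22 honeytrap && echo "honeytrap may bind port 22" ;;
    start) start_kippo "${2:?kippo directory}" honeytrap ;;
esac
```

Run `check` before `start`: a missing or non-executable byport file is the usual reason kippo dies with "permission denied" on bind, and the ownership test catches the case where you ran the touch/chown as root and forgot the chown.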

Ready, set, go!

Ok - don't make my mistake... test your install: ssh into the honeypot and see if you can log in. The root password is in kippo.cfg. Testing the setup is important - if the SQL database is unreachable you won't be able to log in, and kippo.log will say that the root password was incorrect, when in fact the problem is the disconnected SQL log backend.

Observations

Kippo is a really great tool for learning what the bad guys are up to. If they add a user, they can log in as that user later. If they change the root password, it will still be there for them when they return. The best part is that, of course, you can see those passwords, and suddenly you have new 'accounts' and several root passwords that are all correct and active at the same time (yes, more than one correct password!).

I've spent some time watching the sessions recorded so far - there's so much to see, laugh and cry about, but I'll leave that for another post...

BTW, I blame Andrew (@Infosanity) for all of this - he got me back onto the honeypots topic, then other great tweeps came back with advice (much appreciated), so make sure to visit his blog ;-)


This weblog is licensed under a Creative Commons License.