Saturday 31 July 2010

Making new friends with kippo

Less than two weeks ago I've sent a tweet asking for honeypot recommendations. I wanted to play a bit with something new, something I never did before, mostly because I never had time for it (right, like I have it now). Anyway, thanks to all the great people that replied to my tweet I've learned a lot and found some great software. Now it's time to give something back to the community.

Kippo - simply amazing

First honeypot I've reached for was kippo. It is a medium interaction SSH honeypot designed to log brute force attacks and log the whole session as it goes - including timings, typos, etc. The magic sauce is that you can play the session back (with typos!) and see what the attackers are made of. Believe me - playing back those session is totally amazing! Some samples are available on project's page.
There are also other features to like, like trapping sessions and not disconnecting them even if bad guys do logout, logging ssh client used (very easy to tell scanning bots apart from real people), quite nice interaction and most of all easy way to extend your honeypot it with your own commands.


Installing kippo



For the base platform I used one of my Debian hosts and started with
kippo 0.4. It was good to see how to run it, but options are limited,
so go full steam ahead and get SVN version - it is well worth it!


By default kippo runs on port 2222 but I wanted it on port 22 as normal
SSH would be (running as unprivileged user), so I've set it up on one
of my unused IP addresses - the setup was very easy.



Before you grab the latest version from SVN repo, you should install
required python packages (dependencies will be pulled in
automagically):



apt-get install python-twisted

svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-read-only




Main benefit of SVN version is that it can use MySQL to log events
(alongside the regular log file) and that it can actually bind to given
IP address - version 0.4 binds to all available addresses which is a
bummer for me when I want to spawn totally fake host and have normal
ssh working as well.



Honeypots - rule #1



DO NOT run honeypot as root!



Remember that honeypots are software components, they may (and most
likely do) have their own bugs. Of course you have to be root
to bind to port <1024, or do you?



Configuration



Couldn't be easier... create unprivileged, regular user  account to run
your honeypot (I called it honeytrap), create your own kippo.cfg using
kippo.cfg.dist as template, set MySQL parameters, honeypot hostname
(attackers will see it after they log in), IP address to bind to and
port. If you don't want to use MySQL - your call... it may come very
handy for reporting. That's it - you are ready to go.



Now the trick is to get it running on port 22. There is obviously more
than one way to do it. If you have only one IP address available, you
should most likely go to kippo's Wiki page that describes how to make
kippo reachable through port 22
but if you
have spare IP address... =B-]



Now, how do I bind to port 22 as regular user? Somebody must have solved that problem before, right?
Sure, and they even created a package that solves this issue! It's called authbind and it's amazingly easy to use.



apt-get  install authbind

touch /etc/authbind/byport/22


chown honeytrap:honeytrap /etc/authbind/byport/22


chmod +x /etc/authbind/byport/22




Authbind works almost like sudo, except for the ports - not the
commands. In kippo's directory you will find start.sh script - add
authbind in front of the startup command and you are good to go.



Ready, set, go!



Ok - don't do my mistake... test your install - ssh into the honeypit and
see if you can log in. The root password is in kippo.cfg. Testing setup
is important - if sql database is gone, then you won't log in and in
kippo.log it will say that the root password was incorrect, when in
fact the problem is disconnected sql log backend.



Observations



Kippo is really great tool to learn what the bad guys are up to. If
they add user, they can log in as that user later. If they change root
password, it will be there for them when they return. The best part is
that of course you can see those passwords and suddenly you will have
new 'accounts' added and new, correct and active at the same time root
passwords (yes, more than one correct password!).

I've spent some time
watching the sessions recorded so far - there's so much to see, laugh
and cry, but I'll leave that for another post...

BTW, I blame Andrew (@Infosanity) for all of that - he got me back to honeypots topic, then other great tweeps came back with advice (much appreciated), so make sure to visit his blog ;-)