Kippo:an SSH honeypot (Ubuntu)

Some months ago,a friend of mine asked me to show him how coulg i log anything he did when he “injected” my server and rooted it,while I let him believe that the total control was on him.Actually,the only thing i had installed,was a custom SSH honeypot.For beginners,either in programming,either in hacking/sys-administrating, there are plenty of ready-to-use honeypots,like Kippo.

Kippo it is a great medium interaction SSH honeypot designed to log brute force attacks written in python.

This tutorial/how-to is gonna present how can you configure kippo to log all SSH attacks in your Ubuntu server.

First of all,install some dependencies required,to activate kippo and connect it with MySQL database,for logging issues:

sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted python-mysqldb

Next, download kippo and decompress, is important NOT to use the root use:

$ wget

$ tar xzvf kippo-0.8.tar.gz
$ cd kippo-0.8

Now you should edit the config file kippo.cfg, changing all options as you like.

It is interesting to integrate kippo with a mysql database,so that you can easily log and view any wannabe-hacker and haxor trying to log into your computer:

$ sudo apt-get install mysql-server
$ mysql -u root -p
> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'somedifficultpassword';

After cd in kippo directory,

$ mysql -u kippo -p
> USE kippo;
> source ./doc/sql/mysql.sql;
> exit

Now in kippo.cfg file uncomment the latest lines and put the correct cofiguration data,in order to connect kippo honeypot with your MySQL db:

host = localhost
database = kippo
username = kippo
password = somedifficultpassword

Now we can start our honeypot, very important, don’t use root account:

$ ./
Starting kippo in background...Loading dblog engine: mysql

We check that the ssh honeypot it’s running in my case in port 2222:

$ sudo netstat -atnp | grep 2222
tcp 0 0* ESCUCHAR 3104/python

If browsing from another computer we try to launch an Nmap scan to 2222 port:

nmap -PN -sV -p 2222

Now, the fake SSH server is ready,

Nmap scan report for
Host is up (0.00046s latency).
2222/tcp open ssh OpenSSH 5.1p1 Debian 6 (protocol 2.0)
Service Info: OS: Linux

Thus try to connect with a good pass (like 123456):

ssh -l root -p 2222

Aaaand you’re in! You think that you are genius!! You can interact with the fake system!!


Ok, now in the honeypot machine we check our database with all the ssh connections attemps:

$ mysql -u kippo -p
> use kippo;
> select * from auth;


id session success username password timestamp


1 6eb05042605211e0b00c000c29fc1cf3 0 root sdfasdf 2012-07-23 13:33:19
2 6eb05042605211e0b00c000c29fc1cf3 0 root quit 2012-07-23 13:34:42


You can see all the attemps fails and successful. You can explore all other data logged:

show tables;
| Tables_in_kippo |
| auth |
| clients |
| input |
| sensors |
| sessions |
| ttylog |

All this runs Kippo under port 2222.In case you wanna run it under port 22,you may do the following:

$ sudo apt-get install authbind
sudo -i
# touch /etc/authbind/byport/22
# chown user:user /etc/authbind/byport/22

where user is the user that you use to run kippo (NOT the root user).

# chmod 777 /etc/authbind/byport/22

Now with the kippo’s user we need to change the file, from:

twistd -y kippo.tac -l log/kippo.log --pidfile


authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile

It is important in kippo.cfg file to change the value of ssh_port to 22. Now run ./, and check it:

# netstat -atnp | grep 22
tcp 0 0* LISTEN 22627/python

Your SSH honeypot runs under port 22,and now you can log anyone who tries to hack into your ssh!