Some months ago, a friend of mine asked me to show him how I could log everything he did when he "injected" my server and rooted it, while I let him believe that he had total control. Actually, the only thing I had installed was a custom SSH honeypot. For beginners, whether in programming or in hacking/sys-administration, there are plenty of ready-to-use honeypots, like Kippo.
Kippo is a great medium-interaction SSH honeypot, written in Python, designed to log brute-force attacks.
This tutorial/how-to presents how you can configure Kippo to log all SSH attacks on your Ubuntu server.
First of all, install the dependencies required to run Kippo and connect it to a MySQL database for logging:
sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted python-mysqldb
Next, download Kippo and decompress it; it is important NOT to use the root user:
$ wget http://kippo.googlecode.com/files/kippo-0.8.tar.gz
$ tar xzvf kippo-0.8.tar.gz
$ cd kippo-0.8
Now you should edit the config file kippo.cfg, changing all options as you like.
It is interesting to integrate Kippo with a MySQL database, so that you can easily log and view any wannabe-hacker and haxor trying to log into your computer:
$ sudo apt-get install mysql-server
$ mysql -u root -p
> CREATE DATABASE kippo;
> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'somedifficultpassword';
> exit
After cd'ing into the kippo directory:
$ mysql -u kippo -p
> USE kippo;
> source ./doc/sql/mysql.sql;
> exit
Now, in the kippo.cfg file, uncomment the last lines and put in the correct configuration data, in order to connect the Kippo honeypot to your MySQL db:
[database_mysql]
host = localhost
database = kippo
username = kippo
password = somedifficultpassword
Now we can start our honeypot. Very important: don't use the root account:
$ ./start.sh
Starting kippo in background...Loading dblog engine: mysql
We check that the SSH honeypot is running, in my case on port 2222:
$ sudo netstat -atnp | grep 2222
tcp 0 0 0.0.0.0:2222 0.0.0.0:* ESCUCHAR 3104/python
From another computer, we launch an Nmap scan against port 2222:
nmap -PN -sV -p 2222 10.10.0.8
Now, the fake SSH server is ready:
Nmap scan report for 10.10.0.8
Host is up (0.00046s latency).
PORT     STATE SERVICE VERSION
2222/tcp open  ssh     OpenSSH 5.1p1 Debian 6 (protocol 2.0)
Service Info: OS: Linux
Then try to connect with a good password (like 123456):
ssh -l root -p 2222 192.168.1.1
Password:
sales#
Aaaand you're in! You think that you are a genius!! You can interact with the fake system!!
Ok, now on the honeypot machine we check our database with all the SSH connection attempts:
$ mysql -u kippo -p
> use kippo;
> select * from auth;
| id | session | success | username | password | timestamp |
| 1 | 6eb05042605211e0b00c000c29fc1cf3 | 0 | root | sdfasdf | 2012-07-23 13:33:19 |
| 2 | 6eb05042605211e0b00c000c29fc1cf3 | 0 | root | quit | 2012-07-23 13:34:42 |
You can see all the attempts, failed and successful. You can explore all the other data logged:
show tables;
+-----------------+
| Tables_in_kippo |
+-----------------+
| auth            |
| clients         |
| input           |
| sensors         |
| sessions        |
| ttylog          |
+-----------------+
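As an added example (not part of the original post or of Kippo itself), here is how a defender would mine the auth table for the two things that matter: which sessions got a fake shell, and which sessions look like brute-force runs. The rows are constructed samples in the same column layout as the auth table above, loaded into an in-memory SQLite table so the script runs offline; the SQL is the same you would run against the real MySQL kippo database.

```python
import sqlite3
from collections import Counter

# Constructed sample rows mirroring kippo's auth table columns:
# (id, session, success, username, password, timestamp). Not real captures.
SAMPLE_AUTH_ROWS = [
    (1, "6eb05042605211e0b00c000c29fc1cf3", 0, "root", "sdfasdf", "2012-07-23 13:33:19"),
    (2, "6eb05042605211e0b00c000c29fc1cf3", 0, "root", "quit", "2012-07-23 13:34:42"),
    (3, "6eb05042605211e0b00c000c29fc1cf3", 1, "root", "123456", "2012-07-23 13:35:01"),
    (4, "a1b2c3d4e5f60718293a4b5c6d7e8f90", 0, "admin", "admin", "2012-07-23 14:02:10"),
    (5, "a1b2c3d4e5f60718293a4b5c6d7e8f90", 0, "admin", "password", "2012-07-23 14:02:11"),
    (6, "a1b2c3d4e5f60718293a4b5c6d7e8f90", 0, "root", "password", "2012-07-23 14:02:12"),
    (7, "a1b2c3d4e5f60718293a4b5c6d7e8f90", 0, "root", "toor", "2012-07-23 14:02:13"),
    (8, "a1b2c3d4e5f60718293a4b5c6d7e8f90", 0, "root", "123456", "2012-07-23 14:02:14"),
]


def load_auth_table(rows):
    """Build an in-memory SQLite stand-in for kippo's MySQL auth table."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT,
                  success INTEGER, username TEXT, password TEXT, timestamp TEXT)""")
    db.executemany("INSERT INTO auth VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def successful_logins(db):
    """Credentials the honeypot accepted (success = 1): these sessions got a fake shell."""
    cur = db.execute("SELECT session, username, password, timestamp FROM auth "
                     "WHERE success = 1 ORDER BY id")
    return cur.fetchall()


def brute_force_sessions(db, threshold):
    """Sessions with at least `threshold` failed attempts: the brute-force signature."""
    cur = db.execute("""SELECT session, COUNT(*) AS failures FROM auth
                        WHERE success = 0 GROUP BY session
                        HAVING failures >= ? ORDER BY failures DESC""", (threshold,))
    return cur.fetchall()


def top_credentials(db, n):
    """Most-tried username/password pairs across all sessions (what attackers guess first)."""
    cur = db.execute("SELECT username, password FROM auth")
    return Counter(cur.fetchall()).most_common(n)


if __name__ == "__main__":
    db = load_auth_table(SAMPLE_AUTH_ROWS)
    print("got a shell:", successful_logins(db))
    print("brute force:", brute_force_sessions(db, 3))
    print("top creds:", top_credentials(db, 3))
```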
All this runs Kippo on port 2222. In case you want to run it on port 22, you can do the following:
$ sudo apt-get install authbind
$ sudo -i
# touch /etc/authbind/byport/22
# chown user:user /etc/authbind/byport/22
where user is the user you use to run Kippo (NOT the root user).
# chmod 777 /etc/authbind/byport/22
Now, as Kippo's user, we need to change the start.sh file, from:
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
to:
authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
It is important to change the value of ssh_port to 22 in the kippo.cfg file. Now run ./start.sh and check it:
# netstat -atnp | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python
Your SSH honeypot now runs on port 22, and you can log anyone who tries to hack into your SSH!
*This post is a part of the unpublished BlackHack Duology Project.