Do you ever wanted to monitor the brute-force attacks and know how often the attackers tried to access your server? Well, you’re on the right track. Go on to find out how.
Kippo is a medium interaction SSH honeypot designed to log all brute force attacks and, most importantly, the entire shell interaction performed by the attacker. Kippo has a fake filesystem with ability to add and remove files. So the brute-force attackers will think that they are accessing the right system and start to do some interactions. All the interactions can be logged and we can view them later.
Also we can add some fake contents on the file system so the attacker can view the file contents. But it has a very old contents which can be easily recognized by the attacker. So it is better to clone our current filesystem to kippo filesystem. This can be easily done using Kippo without revealing any important information to the attacker. Kippo stores the logs in an UML compatible format for easy replay with original timings. It saves the files downloaded with wget for later investigation.
Install Kippo On Debian / Ubuntu / Linux Mint
This how-to was tested on Debian 7, although the sames steps are applicable for Ubuntu, Linux Mint etc.
Kippo can be installed on any machine that meets the following requirements.
– An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
– Python 2.5+
– Twisted 8.0+
– PyCrypto
– Zope Interface
Hence Kippo is Python based, Install some necessary Python libraries using the following command. From now on, all commands will be performed by root user.
# apt-get install python-twisted
The above command will install all necessary packages required by Kippo.
Probably all attackers will first try to attack the servers via SSH default port 22. So let us change the SSH port. Use any random number, for example here i use 1984.
To do that, edit file /etc/ssh/sshd_config,
# nano /etc/ssh/sshd_config
Find the following line and change the default port number.
[...] Port 1984 [...]
Save and exit the file. Restart ssh service.
# service ssh restart
Create a non-privileged user, ex.kippo and kippo under this user.
# adduser kippo
Now log out and log in back to Kippo user.
Get the latest Kippo package from the project download page.
$ wget http://kippo.googlecode.com/files/kippo-0.8.tar.gz
Extract the tar file using command:
$ tar xzf kippo-0.8.tar.gz
This will create a directory called kippo-0.8 in your current directory.
Kippo directory contains the following contents.
$ ls kippo-0.8
data dl doc fs.pickle honeyfs kippo kippo.cfg kippo.tac log start.sh txtcmds utils
Where,
dl – files downloaded with wget are stored here.
log/kippo.log – log/debug output.
log/tty/ – session logs.
utils/playlog.py – utility to replay session logs.
utils/createfs.py – used to create fs.pickle.
fs.pickle – fake filesystem.
honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here.
The default port of Kippo is 2222. Now, enter the following command to create a new iptables rule to redirect all traffic from SSH port 22 to Kippo port 2222.
# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
Note: Run the above command as root user and then switch back to kippo user.
Start Kippo
Once you done with all configuration, go to the Kippo directory and start it.
$ cd kippo-0.8/ $ ./start.sh Starting kippo in background...Generating RSA keypair... done.
Test Kippo Honeypot
After starting kippo, let us ssh to our debian server using command:
$ ssh root@192.168.1.200
The default password for kippo is 123456.
Sample output:
The authenticity of host '192.168.1.200 (192.168.1.200)' can't be established. RSA key fingerprint is d6:2c:ab:03:4e:61:d5:7f:70:5e:91:78:93:1e:95:0a. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.200' (RSA) to the list of known hosts. Password: nas3:~#
As you see in the above result, the attacker will be able to log in to our Debian server, but only to the fake file system. From here, he can do all interactions like creating, deleting files or folders. But they don’t know they are logged-in to a fake filesystem. How pity!
As i mentioned before, the default kippo password is 123456. Also it is possible to set different passwords.
From your Kippo directory, enter the following commands:
kippo@server:~/kippo-0.8$ utils/passdb.py data/pass.db add password kippo@server:~/kippo-0.8$ utils/passdb.py data/pass.db add senthil kippo@server:~/kippo-0.8$ utils/passdb.py data/pass.db add unixmen
Where,
password, senthil and unixmen are alternative passwords for the root user. The attacker will be able to log in to the honeypot using any of above mentioned passwords with root user.
Miscellaneous
The following tasks are not mandatory. But if you want to trap your attacker more precisely, do the following.
Change hostname:
The default kippo hostname is nas3. If you want to use some real name ex. debian-server, edit kippo.cfg file and change the hostname.
Go to your kippo directory and edit file kippo.cfg,
$ nano kippo.cfg
Find the following line and change hostname as per your like.
[...] # (default: nas3) hostname = debian-server [...]
When the attacker try to ssh your server, he will be presented with the hostname debian-server.
Change OS name:
Go to kippo directory and edit file /etc/issue,
$ nano honeyfs/etc/issue
Change the os name as per your liking.
Debian GNU/Linux 7.0 \n \l
Clone filesystem:
As i mentioned before, the default kippo filesystem is outdated and it can be easily recognized by the attacker. So go to your kippo directory and clone the current filesystem using the following command with root user:
# utils/createfs.py > fs.pickle Doing stuff
Don’t forget to stop and start the kippo service after editing the configuration. To stop, the kippo simply kill the process. To find out the kippo process id, enter command:
# cat kippo.pid
Sample output:
6751
Now kill it using command:
# kill -9 6751
To start kippo service again, go to your kippo directory and start it with user kippo. As you already know, kippo doesn’t start with root user.
$ cd kippo-0.8/ $ ./start.sh
There are more options available to monitor the brute-force attacker. Go through the kippo.cfg file and tweak the settings as per your needs. Also it is advisable to keep the dl directory in a separate directory to save the space. Also you can use mysql database to save the logs.
View logs
Do you curious what did the attacker do in your system? That’s very simple. The logs will be stored in the log folder in the kippo directory.
Go to your kippo directory and view log file as shown below.
$ cat log/kippo.log
Sample output:
2014-01-30 13:10:56+0530 [-] Log opened. 2014-01-30 13:10:56+0530 [-] twistd 12.0.0 (/usr/bin/python 2.7.3) starting up. 2014-01-30 13:10:56+0530 [-] reactor class: twisted.internet.pollreactor.PollReactor. 2014-01-30 13:10:56+0530 [-] HoneyPotSSHFactory starting on 2222 2014-01-30 13:10:56+0530 [-] Starting factory <kippo.core.honeypot.HoneyPotSSHFactory instance at 0x89d186c> 2014-01-30 13:11:18+0530 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.1.100:46489 (192.168.1.200:2222) [session: 0] 2014-01-30 13:11:18+0530 [HoneyPotTransport,0,192.168.1.100] Remote SSH version: SSH-2.0-OpenSSH_6.1p1 Debian-4 2014-01-30 13:11:18+0530 [HoneyPotTransport,0,192.168.1.100] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa 2014-01-30 13:11:18+0530 [HoneyPotTransport,0,192.168.1.100] outgoing: aes128-ctr hmac-md5 none 2014-01-30 13:11:18+0530 [HoneyPotTransport,0,192.168.1.100] incoming: aes128-ctr hmac-md5 none 2014-01-30 13:11:18+0530 [HoneyPotTransport,0,192.168.1.100] connection lost 2014-01-30 13:11:28+0530 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.1.100:46492 (192.168.1.200:2222) [session: 1] 2014-01-30 13:11:28+0530 [HoneyPotTransport,1,192.168.1.100] Remote SSH version: SSH-2.0-OpenSSH_6.1p1 Debian-4 2014-01-30 13:11:28+0530 [HoneyPotTransport,1,192.168.1.100] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa 2014-01-30 13:11:28+0530 [HoneyPotTransport,1,192.168.1.100] outgoing: aes128-ctr hmac-md5 none 2014-01-30 13:11:28+0530 [HoneyPotTransport,1,192.168.1.100] incoming: aes128-ctr hmac-md5 none 2014-01-30 13:11:31+0530 [HoneyPotTransport,1,192.168.1.100] NEW KEYS 2014-01-30 13:11:31+0530 [HoneyPotTransport,1,192.168.1.100] starting service ssh-userauth 2014-01-30 13:11:31+0530 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.1.100] root trying auth none 2014-01-30 13:11:31+0530 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.1.100] root trying auth keyboard-interactive 2014-01-30 13:11:42+0530 [SSHService ssh-userauth on HoneyPotTransport,1,192.168.1.100] login attempt [root/123456] succeeded [...]
Conclusion
However, kippo has not had any real security audit done on it, and it’s definitely vulnerable to some DoS attacks, as there are no limits on how many people can connect to it, or how many files they can download. So it is recommended to run kippo in a well firewalled Virtual Machine.
What we discussed here is only the installation and some basic configuration. Using Kippo you can learn how the attackers are trying to attack your system and what they trying to do. Later you can harden your servers using the information gathered from attackers.
Good luck!
Reference Links:
