Kippo Honeypot Setup
I wanted to make a post about how I go about setting up my honeypots, so that anyone viewing this blog can follow along and get Kippo up and running with minimal effort.
There's plenty of guides out there on doing this, however, I thought I would throw mine into the bag in case I have something that others don't in their guides.
This guide was tested using a fresh install of Ubuntu 14.04
Let's start by installing the requirements (perform these as root):
$ apt-get install python-dev python-openssl python-pyasn1 authbind python-pip $ pip install pycrypto twisted $ cd /opt $ git clone https://github.com/micheloosterhof/kippo.git $ cp kippo/kippo.cfg.dist kippo.cfg $ cp kippo.cfg.dist kippo.cfg $ vi kippo.cfg
You'll want to change your kippo.cfg around to better suite your needs. Here are some items I would normally change:
- listen_port = 2222
- Change this to 22, since we'll be using authbind to bind to a privileged port.
- hostname = svr03
- Change this to anything you think the attacker would like, such as prod-CA-01 or something.
Those are the only two things I change in my kippo.cfg, but, please feel free to change as you see fit, especially if you need other logging mechanisms, such as textlog, hpfeeds or XMPP.
After you made the changes above, we'll need to set up authbind (perform these as root):
$ touch /etc/authbind/byport/22 $ chown kippo:kippo /etc/authbind/byport/22 $ chmod 777 /etc/authbind/byport/22 $ chown -R kippo:kippo /opt/kippo $ cd /opt/kippo $ sed -i "s,twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid,authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid," start.sh
Next, we'll change what passwords can be accepted by the honeypot over in data/userdb.txt. Take note of the message in the file:
This file contains user authorizations.
To allow all passwords, use '*'
To deny specific passwords, user '!password'
The file is processed linearly, denials need to happen before allows.
Default config allows all root passwords except 'root' and '123456'
I usually take out the allow all, and add in just one or two passwords (easy to guess passwords though) and that's it. If an attacker could log in with any password, it's kind of a big tip-off that it's a honeypot.
Next, we'll want to change the MOTD to something more appealing. Feel free to use anything scary that would intice a would be attacker. I'm using the following:
You are accessing a U.S. Government information system, which includes: (1) this computer, (2) this computer network, (3) all computers connected to this network, and (4) all devices and storage media attached to this network or to a computer on this network. This information system is provided for U.S. Government-authorized use only.
Unauthorized or improper use of this system may result in disciplinary action, as well as civil and criminal penalties. By using this information system, you understand and consent to the following:
You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system. At any time, and for any lawful Government purpose, the Government may monitor, intercept, and search and seize any communication or data transiting or stored on this information system.
Any communication or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose.
You can change the MOTD over at etc\motd.
There's some other files you can change if you feel so inclined, such as anything in honeyfs/etc or honeyfs/proc or even changing command output in txtcmds. But, for now, the above should get you going to a nice honeypot install.
Lastly, you'll want to start the honeypot. Also, you'll probably want to use a different user than root to run this, so, let's go ahead and create a new user. (Again, run these commands as root)
$ useradd kippo $ chown -R kippo:kippo /opt/kippo $ su kippo -c "./start.sh"
Once I edit other aspects of the honeypot, I'll post some more things you can do, to make a genuine looking system.