Kippo – A SSH Honeypot (Updated)

Update Note

Cowrie – a (relatively) new SSH honeypot – has been my obsession for the week. I took a quick first glimpse at Cowrie, and I thought before I proceed any further, I should relook at Kippo. Why? Because:

1. Cowrie is a fork project of Kippo; and

2. I wrote Kippo write-up v1 in Apr 2013. I should really understand the updated landscape of these SSH honeypots before I explore one of the latest.

Note: Kippo is no longer under active development. It is also advised by Upi Tamminen (author of Kippo), to check out Cowrie instead.

Kippo – A SSH Honeypot (Updated)

Kippo is a medium interaction SSH honeypot designed to log brute force attacks, and the shell interactions performed by the attackers.

My Network Setup

Setting Up the Kippo Box

Software required to run Kippo:

sudo apt-get install git python-twisted python-crypto python-zope.interface python-mysqldb mysql-server

It is highly recommended to run your honeypot using a dedicated non-root user:

sudo adduser –disabled-password <username>

Setting Up the Logging Database

mysql -h localhost -u root -p

You should have been prompted to set your MySQL root password earlier when you were installing it. If you already have MySQL set up and could not remember your password, check out: http://stackoverflow.com/questions/489119/mysql-error-1045-access-denied.

CREATE DATABASE kippo;
GRANT SELECT ON kippo.* TO ‘<username>’@’localhost’ IDENTIFIED BY ‘<password>’;
mysql> GRANT INSERT ON kippo.* TO ‘<username>’@’localhost’ IDENTIFIED BY ‘<password>’;
GRANT UPDATE ON kippo.* TO ‘<username>’@’localhost’ IDENTIFIED BY ‘<password>’;

You can, of course, GRANT ALL ON kippo.* to your dedicated Kippo user, but I rather give only the necessary authorisation of what’s required to run Kippo. Check out dblog/mysql.py to learn how Kippo does MySQL logging.

To check your MySQL access control list:

SHOW GRANTS FOR ‘<username>’@’localhost’;

Basic Kippo Configuration

Switch to your dedicated user

sudo su - <username>

Acquire Kippo

git clone https://github.com/desaster/kippo

Create the necessary logging table

(mysql.sql is located in doc/sql/)

mysql kippo -u root -p < mysql.sql 

Configure Kippo to your liking, and according to your environment

(e.g. your database settings under the [database_mysql] section)

cp kippo.cfg.dist kippo.cfg
vi kippo.cfg

Take note of the port number Kippo is listening on. By default, Kippo listens on port 2222. You can either change the default port number or use port forwarding:

sudo iptables -A PREROUTING -t nat -i eth0 -p tcp –dport 22 -j REDIRECT –to-port 2222 

If you are configuring Kippo into a production environment, you should take time to modify settings that an attacker could use to identify the system as a honeypot.

Through the configuration file (kippo.cfg), you should also note where all the essential files and logs are located. E.g.:

• Directory where log files are saved in: log/

• Directory where downloaded (malware) files are saved in: dl/

• Directory where virtual file contents are kept in: honeyfs/

• The virtual file system (created by createfs.py): fs.pickle

• Directory for miscellaneous data files, e.g. the password database: data/

• Directory for creating simple commands that only output text: txtcmds/

Running Kippo

After you’ve edit kippo.cfg to your liking, you’re all set!

./start.sh

Fake Credentials Management

By default, the only root password is “123456”. Additional root passwords can be added to data/userdb.txt. It’s a good idea to have only one password set for each username – multiple successful logins of the same username, but with different passwords, might look suspicious.

Note: When an attacker uses the passwd command in the Kippo shell, the new password will be appended to data/userdb.txt.

Annoying “Sticky” Feature

When an attacker is in your Kippo shell, he/she will not be able to exit the shell by simply launching the command “exit”. The attacker will still be stuck in some annoying shell that doesn’t make much sense. Commands launched in that shell can yield very confusing results. It is quite a fun feature at first glimpse – watching how attackers can get really confused. It is also a big red flag telling the attacker it’s a honeypot. If you do not want to risk attackers blacklisting your honeypot, you should consider turning this feature off.

Check Out Your Logs

Raw logs are available in log/kippo.log.

They are also available in the MySQL database, structured beautifully in the tables created earlier.

Where’s Kippo-Graph?

In my Kippo write-up v1, I introduced Kippo-Graph – written by my dear friend Ioannis “Ion” Koniaris – a web statistics visualisation tool you can use for the monitoring of your Kippo honeypot. There have been 16 versions of Kippo-Graph since I last explored it. I’ve got many queries on why my Kippo write-up v1 doesn’t work for them. Because we’re using a different version!

I can't update my Kippo write-up without relooking into Ion's contributions to the Kippo ecosystem. Instead of embedding them into this updated Kippo write-up (v2), I've done a write-up on them in a separate, dedicated entry.

Author

Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter