Sunday, April 3, 2011

How To Set Up Kippo SSH Honeypot On CentOS 5.5


Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker. Kippo is inspired, but not based on Kojoney. If you need more information about Kippo please visit its official site on http://code.google.com/p/kippo/. This tutorial shows how you can compile and install Kippo on a CentOS 5.5 server.
I do not issue any guarantee that this will work for you!

Python 2.6 Installation

As you already know, CentOS only comes with Python 2.4, so you need to install Python 2.6 by using the tutorial from the following link:
http://www.geekymedia.com/tech-articles/rhel5-centos5-rpms-for-python-2-5-and-2-6/.
Important notes:
1) Just install the RPMs for the version that you want. You will need at least the base python version package and the libs package.
2) To start Python 2.6, type python26 at your command line rather than python. (Your original Python 2.4 is still installed.)
3) If you are installing packages with setuptools, make sure to use the correct python version. (i.e. python26 setup.py install)

Twisted, Zope Interface And Pycrypto Installation

Twisted is an event-driven networking engine written in Python and licensed under the MIT license. Twisted projects variously support TCP, UDP, SSL/TLS, multicast, Unix sockets, a large number of protocols (including HTTP, NNTP, IMAP, SSH, IRC, FTP, and others), and much more.
cd /tmp
wget http://twistedmatrix.com/Releases/Twisted/10.2/Twisted-10.2.0.tar.bz2
tar -xvf Twisted-10.2.0.tar.bz2
cd Twisted-10.2.0
python26 setup.py build
python26 setup.py install
Zope is an open source web application server primarily written in the Python programming language.
cd /tmp
wget http://www.zope.org/Products/ZopeInterface/3.3.0/zope.interface-3.3.0.tar.gz
tar -xvf zope.interface-3.3.0.tar.gz
cd zope.interface-3.3.0
python26 setup.py build
python26 setup.py install
Pycrypto is a collection of cryptographic algorithms and protocols, implemented for use from Python.
cd /tmp
wget http://www.amk.ca/files/python/crypto/pycrypto-2.0.1.tar.gz
tar -xvf pycrypto-2.0.1.tar.gz
cd pycrypto-2.0.1
python26 setup.py build
python26 setup.py install
pyasn1 is an implementation of ASN.1 types and codecs (BER, CER, DER) in the Python programming language.
cd /tmp
wget http://sourceforge.net/projects/pyasn1/files/pyasn1-devel/0.0.12a/pyasn1-0.0.12a.tar.gz/download
tar -xvf pyasn1-0.0.12a.tar.gz
cd pyasn1-0.0.12a
python26 setup.py build
python26 setup.py install

Create Regular User

Kippo doesn't run as the root user, so we must create a regular user for it.
useradd kippouser

Download Kippo Source Package

You need to download the latest version of the Kippo source package from http://kippo.googlecode.com.
su - kippouser
wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
tar -xvf kippo-0.5.tar.gz
cd kippo-0.5

Configure Kippo

vi kippo.cfg
#
# Kippo configuration file (kippo.cfg)
#
[honeypot]
# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any address
#ssh_addr = 0.0.0.0
# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 2222
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment.
#
# (default: sales)
hostname = sales
# Directory where to save log files in.
#
# (default: log)
log_path = log
# Directory where to save downloaded (malware) files in.
#
# (default: dl)
download_path = dl
# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs
# File in the python pickle format containing the virtual filesystem. 
#
# This includes the filenames, paths, permissions for the whole filesystem,
# but not the file contents. This is created by the createfs.py utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem_file = fs.pickle
# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
data_path = data
# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual
# filesystem {filesystem_file}
#
# (default: txtcmds)
txtcmds_path = txtcmds
# Public and private SSH key files. If these don't exist, they are created
# automatically.
#
# (defaults: public.key and private.key)
public_key = public.key
private_key = private.key
# Initial root password. Future passwords will be stored in
# {data_path}/pass.db
#
# (default: 123456)
password = 123456
# IP address to bind to when opening outgoing connections. Used exclusively by
# the wget command.
#
# (default: not specified)
#out_addr = 0.0.0.0
# Sensor name use to identify this honeypot instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# connection as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname
# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254
# MySQL logging module
#
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# To enable this module, remove the comments below, including the
# [database_mysql] line.
#[database_mysql]
#host = localhost
#database = kippo
#username = kippo
#password = secret
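Before starting the honeypot it is worth checking kippo.cfg against the constraints the tutorial states: Kippo runs as an unprivileged user, so ssh_port cannot be below 1024 unless port 22 is redirected with iptables; the configured root password is what attackers are allowed to log in with; and a missing sensor_name makes the database modules fall back to the connection IP. The following Python 3 checker is an added example, not part of Kippo; the embedded kippo.cfg excerpt is constructed from the file shown above, and the check_kippo_config function name and the finding levels are this example's own choices.

```python
"""Sanity-check a kippo.cfg before running ./start.sh.

Added example (Python 3), not code from the Kippo project. The checks
encode constraints stated in the tutorial: Kippo runs unprivileged, so
it cannot bind a port below 1024 directly; the [honeypot] password is the
root password attackers may log in with; sensor_name distinguishes
instances in database logging; an enabled [database_mysql] section needs
all four connection keys.
"""
import configparser

# Constructed excerpt mirroring the kippo.cfg shown in the tutorial.
SAMPLE_CFG = """\
[honeypot]
ssh_port = 2222
hostname = sales
log_path = log
download_path = dl
contents_path = honeyfs
filesystem_file = fs.pickle
data_path = data
txtcmds_path = txtcmds
public_key = public.key
private_key = private.key
password = 123456
#sensor_name=myhostname
"""

PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root on Linux
DEFAULT_ROOT_PASSWORD = "123456"  # default given in kippo.cfg


def check_kippo_config(text):
    """Parse kippo.cfg text and return a list of (level, message) findings.

    level is "error" for settings that will prevent Kippo from working as
    described, and "info" for settings worth knowing about.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    if not cp.has_section("honeypot"):
        return [("error", "missing [honeypot] section")]
    hp = cp["honeypot"]

    # Kippo must not run as root, so a low port can only be reached via
    # the iptables REDIRECT from port 22 shown in the tutorial.
    port = hp.getint("ssh_port", fallback=2222)
    if port < PRIVILEGED_PORT_LIMIT:
        findings.append(("error",
                         "ssh_port %d requires root; keep a high port such as 2222 "
                         "and REDIRECT port 22 to it with iptables" % port))

    # The initial root password is the one attackers will be able to use;
    # later passwords end up in {data_path}/pass.db.
    if hp.get("password", DEFAULT_ROOT_PASSWORD) == DEFAULT_ROOT_PASSWORD:
        findings.append(("info",
                         "root password is the default %s" % DEFAULT_ROOT_PASSWORD))

    if not hp.get("sensor_name"):
        findings.append(("info",
                         "sensor_name not set; database logging modules will use "
                         "the connection IP address as the sensor name"))

    # If MySQL logging was uncommented, every connection key must be present.
    if cp.has_section("database_mysql"):
        for key in ("host", "database", "username", "password"):
            if not cp["database_mysql"].get(key):
                findings.append(("error",
                                 "[database_mysql] is enabled but %s is missing" % key))
    return findings


def has_error(findings):
    """True when any finding is at error level."""
    return any(level == "error" for level, _ in findings)


if __name__ == "__main__":
    for level, message in check_kippo_config(SAMPLE_CFG):
        print("%-5s %s" % (level, message))
```

Run it against the real file with `check_kippo_config(open("kippo.cfg").read())`; an "error" finding means ./start.sh will not behave as the tutorial describes.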

Start Kippo

./start.sh

Log File

By default, Kippo's output is redirected to the file log/kippo.log. To follow the Kippo log in real time, use the following command:
tail -f log/kippo.log
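Watching the log with tail is fine for a first test, but the value of the honeypot is in the brute-force attempts and shell sessions it records. The following Python 3 script is an added example, not part of Kippo or of this tutorial: it summarises login attempts and commands per source IP. The sample lines are constructed in the shape Kippo's Twisted logger writes to log/kippo.log (a transport tag carrying the session number and peer address, "login attempt [user/password] succeeded|failed", and "CMD: ..."); the exact prefixes are an assumption here, so adjust the regular expressions if your Kippo version logs differently.

```python
"""Summarise login attempts and commands per source IP from a Kippo log.

Added example (Python 3), not code from the Kippo project. SAMPLE_LOG is
constructed in the shape of log/kippo.log lines; the transport tag
"HoneyPotTransport,<session>,<ip>" and the "login attempt [...]" and
"CMD:" messages are assumed from Kippo 0.5 output and should be checked
against a real log before relying on the regexes.
"""
import re
from collections import defaultdict

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2011-04-03 10:11:12+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:49153 (10.0.0.1:2222) [session: 1]
2011-04-03 10:11:13+0200 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/toor] failed
2011-04-03 10:11:14+0200 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] succeeded
2011-04-03 10:11:20+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,198.51.100.7] CMD: uname -a
2011-04-03 10:11:25+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,198.51.100.7] CMD: w
2011-04-03 10:12:01+0200 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.9:51000 (10.0.0.1:2222) [session: 2]
2011-04-03 10:12:02+0200 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [admin/admin] failed
2011-04-03 10:12:03+0200 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [admin/password] failed
"""

# The transport tag carries the Twisted session number and the peer address.
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(\d+),([\d.]+)\]")
# "login attempt [user/password] succeeded" or "... failed"
LOGIN_RE = re.compile(r"login attempt \[([^/\]]*)/([^\]]*)\] (succeeded|failed)")
# Commands typed in the fake shell are logged after "CMD: ".
CMD_RE = re.compile(r"\] CMD: (.*)$")


def summarize_kippo_log(lines):
    """Return {source_ip: {failed, succeeded, credentials, commands}}."""
    per_ip = defaultdict(lambda: {"failed": 0, "succeeded": 0,
                                  "credentials": [], "commands": []})
    for line in lines:
        transport = TRANSPORT_RE.search(line)
        if not transport:
            continue  # startup and "New connection" lines carry no transport tag
        ip = transport.group(2)
        entry = per_ip[ip]

        login = LOGIN_RE.search(line)
        if login:
            user, password, result = login.groups()
            entry[result] += 1
            entry["credentials"].append((user, password))
            continue

        cmd = CMD_RE.search(line)
        if cmd:
            entry["commands"].append(cmd.group(1).strip())
    return dict(per_ip)


def top_passwords(summary, limit=5):
    """Most frequently tried passwords across all sources, as (password, count)."""
    counts = defaultdict(int)
    for entry in summary.values():
        for _, password in entry["credentials"]:
            counts[password] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    summary = summarize_kippo_log(SAMPLE_LOG.splitlines())
    for ip, entry in sorted(summary.items()):
        print("%s: %d failed, %d succeeded, %d commands"
              % (ip, entry["failed"], entry["succeeded"], len(entry["commands"])))
    print("top passwords:", top_passwords(summary))
```

For a live deployment, feed `open("log/kippo.log")` to summarize_kippo_log instead of the sample; a source with a successful login and recorded commands is the session worth reading in full.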

Note: How To Make Kippo Accessible To The World!

By default, Kippo runs on port 2222. If it's running on Windows, port 22 is usually free and it's fine to run Kippo on that port. On Linux, binding port 22 is restricted to root, unless you redirect it like this (quote from #twisted):
iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222
Replace IN_IFACE with your real interface name such as eth0!

Testing

Connect to the Kippo server on port 2222 using root as the username and 123456 as the password.
ssh 127.0.0.1 -p 2222 -l root
After a successful login you should see the following prompt:
sales:~#

Links

The Honeynet Project: http://www.honeynet.org/
Honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
Kippo Project: http://kippo.googlecode.com/
Iran Honeynet Project: http://www.honeynet.ir/
CentOS: http://www.centos.org/
