Since I have a server in the DMZ, it is possible to set up an SSH honeypot on it, where we can track what hackers and crackers try to do once they get into our system. My honeypot server setup is as follows:

The values I used are:

OS: CentOS 6.2 64bit
Web server IP: 202.82.109.14
User: kippo
Directory: /home/kippo

1. Before we start, we need to make sure the server's real SSH daemon has been moved to another port, since the honeypot will take over port 22. In this case, I have changed the SSH port for this server to 22002. To change the SSH port, edit the SSH configuration file at /etc/ssh/sshd_config and change the following line (make sure the new port is allowed through your firewall, and keep your current session open until you have confirmed you can log in on it):

Port 22002

Don't forget to restart the service to apply the change:

$ service sshd restart

2. We will use Kippo as the SSH honeypot. Download and extract it:

$ cd /usr/local/src
$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
$ tar -xzf kippo-0.5.tar.gz

3. Before installing Kippo, make sure you are running Python 2.6. You can check with the following command:

$ python -V

Then we need to install Twisted using yum:

$ yum install -y 'python-twisted*'

4. Kippo needs to run as a non-root user, so we need to create one for it:

$ useradd -m kippo
$ passwd kippo

5. Let's copy the Kippo folder into the user's home directory as /home/kippo/kippo and assign ownership:

$ cp -Rf /usr/local/src/kippo-0.5 /home/kippo/kippo
$ chown -R kippo:kippo /home/kippo/kippo

6. Switch to the unprivileged kippo user:

$ su - kippo

7. Change the SSH port value for Kippo to the default SSH port 22, and set the hostname the fake shell will present. The configuration file is located at /home/kippo/kippo/kippo.cfg; change the following lines (note that an unprivileged user cannot bind a port below 1024 directly, so if the start fails with a permission error, leave Kippo on a high port such as 2222 and redirect port 22 to it with iptables, or wrap it with authbind, as the Kippo documentation suggests):

ssh_port = 22
hostname = web1

8. Let's start Kippo:

$ cd ~/kippo
$ ./start.sh

Now your SSH honeypot is running. If you try to log in via SSH to the server, you will see that you are in the honeypot and not on the real server. All user actions are captured in /home/kippo/kippo/log/kippo.log. You can change the initial root password in the Kippo configuration file, and so on. To stop Kippo, you just need to kill the PID of the running process; you can use the ps command to find the PID.
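As an added example (not part of the original post), here is a small Python script that summarises a kippo.log of the kind produced above: login attempts per source IP, which credentials succeeded, and the commands typed afterwards. The sample log lines are constructed and follow the Kippo 0.5 log layout as I know it, which is an assumption; the IPs and credentials are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Kippo 0.5 log layout (assumed format,
# not copied from the post); source IPs and credentials are made up.
SAMPLE_LOG = """\
2012-06-01 02:14:07+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/123456] failed
2012-06-01 02:14:09+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/password] failed
2012-06-01 02:14:11+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/toor] succeeded
2012-06-01 02:14:20+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,198.51.100.23] CMD: uname -a
2012-06-01 03:01:44+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [admin/admin] failed
2012-06-01 03:01:46+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [root/123456] failed
"""

# Authentication lines: timestamp, transport id and peer IP, then [user/password] and outcome.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)
# Shell command lines logged by the fake session after a successful login.
CMD_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")


def summarize(log_text):
    """Return attempts per IP, successful credentials per IP, credential
    frequencies and commands per IP, parsed from Kippo log text."""
    attempts = Counter()
    succeeded = defaultdict(list)
    creds = Counter()
    commands = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            attempts[m["ip"]] += 1
            creds[(m["user"], m["password"])] += 1
            if m["result"] == "succeeded":
                succeeded[m["ip"]].append((m["user"], m["password"]))
            continue
        m = CMD_RE.search(line)
        if m:
            commands[m["ip"]].append(m["cmd"])
    return {
        "attempts": attempts,
        "succeeded": dict(succeeded),
        "creds": creds,
        "commands": dict(commands),
    }
```

Feed it the real file with `summarize(open("/home/kippo/kippo/log/kippo.log").read())` and the `attempts` counter gives you the intruder IP list the post mentions, while `succeeded` and `commands` show what was done after a password guess hit.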

9 Responses to Linux: Create and Configure SSH Honeypot

  1. Ion says:

    Hey there. You might want to use the SVN version of Kippo that supports MySQL logging. Details: http://bruteforce.gr/logging-kippo-events-using-mysql-db.html

    You can then visualize the honeypot data using Kippo-Graph. Details: http://bruteforce.gr/kippo-graph

    Let me know how it went.

  2. Christopher Meng says:

    Hi,

    I've just encountered a rootkit security problem on my server.

    Can you suggest some tools for me? I know snort, honeyd and kippo, anything else?

    Thanks!

    • SecaGuy says:

      A rootkit can infect the OS right up to kernel level. IMO the best way to get rid of a rootkit is to shut down the server and boot into another OS like a live CD, then scan with anti-rootkit software available on the market. This IDS (Kippo/Honeyd) is not going to help you much in solving your problem.

  3. Ruben says:

    Hi

    I understand the concept, but what do you do once you have the honeypot running? Suppose an attacker enters your honeypot, then what? You'll list their IP and get the hacker banned from your network?

    Thanks

    • SecaGuy says:

      Eventually, it started when my boss did not believe that our network was still vulnerable after a major infra upgrade. I set up this honeypot to show him that the possibilities still exist. After 3 days, the honeypot had captured 16 intruder IPs.

      • Ruben says:

        Thank you so much. I asked you about it because I read a tweet from an ISP telling people they are using a honeypot to locate the range of attacking IPs from China, and that they then managed to ban all of these IPs. No explanation of how. But I've noticed this tweet spoke about a "honeypot".

        Thanks again, nice blog!

        • Christopher Meng says:

          Yep... I'm from China. Chinese governments often do this but they never admit it. And the Great Firewall of China blocks us from browsing these sites.

          Can you tell me the Twitter location so I can take a look? Thanks.
