Linux: Create and Configure SSH Honeypot

Since I have a DMZ server, it is possible to set up an SSH honeypot, where we can track what hackers and crackers try to do once they get into our system. My honeypot server setup is as follows:

The variables I used are:

OS: CentOS 6.2 64bit
Web server IP: 202.82.109.14
User: kippo
Directory: /home/kippo

1. Before we start, we need to make sure the server's SSH port has been changed to another port. In this case, I have changed the SSH port for this server to 22002. To change the SSH port, simply edit the SSH configuration file at /etc/ssh/sshd_config and change the following line:

Port 22002

Don't forget to restart the service to apply the changes:

$ service sshd restart

2. We will use Kippo as the SSH honeypot. Download and extract it:

$ cd /usr/local/src
$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
$ tar -xzf kippo-0.5.tar.gz

3. Before we start installing Kippo, make sure you are running Python 2.6. You can check with the following command:

$ python -V

Then we need to install Twisted using yum:

$ yum install -y python-twisted*

4. Kippo needs to be run as a non-root user, so we need to create one:

$ useradd -m kippo
$ passwd kippo

5. Let's copy the Kippo folder into the user's home directory /home/kippo (as /home/kippo/kippo, the path the later steps use) and assign ownership:

$ cp -Rf /usr/local/src/kippo-0.5 /home/kippo/kippo
$ chown -R kippo:kippo /home/kippo/kippo

6. Switch to the unprivileged kippo user:

$ su - kippo

7. Change the SSH port value for Kippo to the default SSH port 22. The configuration file is located at /home/kippo/kippo/kippo.cfg; change the following lines:

ssh_port = 22
hostname = web1

8. Let's start Kippo:

$ cd ~/kippo
$ ./start.sh
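Steps 1 and 7 edit two port settings by hand, and getting them wrong is the usual reason a first Kippo start fails: either the real sshd and the honeypot still claim the same port, or the honeypot is pointed at a privileged port (below 1024) that the unprivileged kippo user cannot bind without help such as a NAT redirect or authbind. The following checker is an added example, not code from the tutorial or from Kippo. It parses an sshd_config and the [honeypot] section of a kippo.cfg (INI syntax) and lists the problems it finds. The file contents are constructed samples mirroring the values used above.

```python
# Added example: cross-check the sshd Port directive against Kippo's ssh_port.
# Not part of the tutorial or of Kippo; sample file contents are constructed.
import configparser
import io

SSHD_DEFAULT_PORT = 22
PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root or CAP_NET_BIND_SERVICE


def sshd_ports(text):
    """Return the Port values from sshd_config text (default [22] if none set).

    sshd accepts several Port lines; comments after '#' are ignored."""
    ports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "port" and len(parts) == 2:
            ports.append(int(parts[1].strip()))
    return ports or [SSHD_DEFAULT_PORT]


def kippo_port(text):
    """Return ssh_port from the [honeypot] section of kippo.cfg (Kippo ships 2222)."""
    cfg = configparser.ConfigParser()
    cfg.read_file(io.StringIO(text))
    return cfg.getint("honeypot", "ssh_port", fallback=2222)


def check_ports(sshd_text, kippo_text):
    """Return a list of human-readable problems; an empty list means the layout is sane."""
    problems = []
    real = sshd_ports(sshd_text)
    trap = kippo_port(kippo_text)
    if trap in real:
        problems.append("sshd and Kippo both use port %d; move the real sshd first" % trap)
    if trap < PRIVILEGED_PORT_LIMIT:
        problems.append(
            "Kippo port %d is privileged; the kippo user cannot bind it without "
            "a NAT redirect to a high port or authbind" % trap)
    if SSHD_DEFAULT_PORT in real:
        problems.append("real sshd still listens on 22, the port attackers probe first")
    return problems


# Constructed samples mirroring step 1 (sshd on 22002) and step 7 (Kippo on 22).
SSHD_CONFIG_SAMPLE = """\
# constructed sshd_config excerpt
#Port 22
Port 22002
PermitRootLogin no
"""

KIPPO_CFG_SAMPLE = """\
# constructed kippo.cfg excerpt
[honeypot]
ssh_port = 22
hostname = web1
"""

if __name__ == "__main__":
    for line in check_ports(SSHD_CONFIG_SAMPLE, KIPPO_CFG_SAMPLE) or ["no port conflicts found"]:
        print(line)
```

With the tutorial's values the checker reports only the privileged-port warning, which is exactly the condition the kippo user will hit when start.sh tries to bind port 22; the common fix is to keep Kippo on a high port and redirect inbound port 22 to it with a NAT rule.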

Now your SSH honeypot is running. You can try to log in to the server via SSH and you will see that you are in the honeypot and not the real server. All user actions are captured in /home/kippo/kippo/log/kippo.log. You can change the initial root password in the Kippo configuration file, and so on. To stop Kippo, you just need to kill the PID of the running process; you can use the ps command to find it.
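The value of the honeypot is in that log file. Kippo writes Twisted-style lines: a timestamp, the logging component in square brackets, and a message; the component name carries the session number and the peer IP in the form HoneyPotTransport,<session>,<ip>, and the interesting messages are "New connection", "login attempt [user/password] failed|succeeded" and "CMD: ...". The analyser below is an added example (not part of the tutorial or of Kippo) that turns such a log into per-source statistics: connections per IP, the most-tried credentials, which logins Kippo accepted, and the commands each source ran afterwards. The sample lines are constructed to match Kippo's layout and are an assumption, not captured traffic.

```python
# Added example: summarise kippo.log by source address. Not part of the
# tutorial or of Kippo; SAMPLE_LOG is constructed in Kippo's line format.
import re
from collections import Counter, defaultdict

# Twisted log prefix: "<date> <time+tz> [<system>] <message>"
LINE_RE = re.compile(r"^(\S+ \S+) \[(.*?)\] (.*)$")
# Kippo's transport embeds session id and peer IP in the system name.
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(\d+),(\S+)")
NEW_CONN_RE = re.compile(r"New connection: ([\d.]+):\d+ .*\[session: (\d+)\]")
# Non-greedy split on the first '/'; a '/' inside the password ends up there.
LOGIN_RE = re.compile(r"login attempt \[(.*?)/(.*?)\] (failed|succeeded)")
CMD_RE = re.compile(r"^CMD: (.*)$")


def parse_kippo_log(lines):
    """Return statistics from kippo.log lines.

    Keys: 'sessions' (Counter ip -> new connections), 'attempts'
    (Counter (ip, user, password) -> count), 'successes' (list of
    (ip, user, password)), 'commands' (dict ip -> list of commands)."""
    stats = {
        "sessions": Counter(),
        "attempts": Counter(),
        "successes": [],
        "commands": defaultdict(list),
    }
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tracebacks, blank lines, continuation lines
        _ts, system, msg = m.groups()
        conn = NEW_CONN_RE.search(msg)
        if conn:
            stats["sessions"][conn.group(1)] += 1
            continue
        transport = TRANSPORT_RE.search(system)
        if not transport:
            continue
        ip = transport.group(2)
        login = LOGIN_RE.search(msg)
        if login:
            user, password, outcome = login.groups()
            stats["attempts"][(ip, user, password)] += 1
            if outcome == "succeeded":
                stats["successes"].append((ip, user, password))
            continue
        cmd = CMD_RE.match(msg)
        if cmd:
            stats["commands"][ip].append(cmd.group(1))
    return stats


def top_credentials(stats, n=3):
    """Most-tried (user, password) pairs across all sources."""
    by_cred = Counter()
    for (_ip, user, password), count in stats["attempts"].items():
        by_cred[(user, password)] += count
    return by_cred.most_common(n)


# Constructed sample in Kippo's log layout; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2012-03-11 23:42:08+0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.23:51234 (202.82.109.14:22) [session: 1]
2012-03-11 23:42:10+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/admin] failed
2012-03-11 23:42:11+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/password] failed
2012-03-11 23:42:12+0800 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [root/123456] succeeded
2012-03-11 23:42:20+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,198.51.100.23] CMD: uname -a
2012-03-11 23:42:25+0800 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,198.51.100.23] CMD: w
2012-03-11 23:50:01+0800 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:40010 (202.82.109.14:22) [session: 2]
2012-03-11 23:50:02+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.7] login attempt [admin/admin] failed
2012-03-11 23:50:03+0800 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.7] login attempt [root/123456] failed
"""

if __name__ == "__main__":
    s = parse_kippo_log(SAMPLE_LOG.splitlines())
    print("connections per source:", dict(s["sessions"]))
    print("top credentials:", top_credentials(s))
    print("accepted logins:", s["successes"])
    for ip, cmds in s["commands"].items():
        print("commands from %s: %s" % (ip, "; ".join(cmds)))
```

Run it against the real file with `parse_kippo_log(open("/home/kippo/kippo/log/kippo.log"))`. Lines that do not match the prefix (tracebacks, blank lines) are skipped rather than aborting the run, so a partially written log can be analysed while Kippo is still appending to it.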