Cowrie – a (relatively) new SSH honeypot – has been my obsession for the week. I took a quick first glimpse at Cowrie, and I thought before I proceed any further, I should relook at Kippo. There are two reasons behind this: (1) Cowrie is a fork project of Kippo, and (2) My previous write-up on Kippo is dated Apr 2013. I should really understand the updated landscape of these SSH honeypots before I explore one of the latest.
Note: Kippo is no longer under active development. It is also advised by Upi Tamminen (author of Kippo), to check out Cowrie instead.
Kippo – A SSH Honeypot – Write-Up Take 2!
Kippo is a medium interaction SSH honeypot designed to log brute force attacks, and the shell interactions performed by the attackers.
My Network Setup
Setting Up the Kippo Box
Software required to run Kippo: Python 2.5+, Twisted 8.0+, PyCrypto, Zope Interface:
$ sudo apt-get install git python-twisted python-crypto python-zope.interface python-mysqldb mysql-server
It is highly recommended to run your honeypot using a dedicated non-root user:
$ sudo adduser –disabled-password <username>
Setting Up the Logging Database
$ mysql -h localhost -u root -p
You should have been prompted to set your MySQL root password earlier when you were installing it. If you already have MySQL set up and could not remember your password, check out: http://stackoverflow.com/questions/489119/mysql-error-1045-access-denied.
mysql> CREATE DATABASE kippo;
mysql> GRANT SELECT ON kippo.* TO ‘<username>’@’localhost’ IDENTIFIED BY ‘<password>’;
mysql> GRANT INSERT ON kippo.* TO ‘<username>’@’localhost’ IDENTIFIED BY ‘<password>’;
mysql> GRANT UPDATE ON kippo.* TO ‘<username>’@’localhost’ IDENTIFIED BY ‘<password>’;
You can of course GRANT ALL ON kippo.* to your dedicated Kippo user, but I rather give only the necessary authorisation of what’s required to run Kippo. Check out dblog/mysql.py to learn how Kippo does MySQL logging.
To check your MySQL access control list:
mysql> SHOW GRANTS FOR ‘<username>’@’localhost’;
Basic Kippo Configuration
Switch to your dedicated user
$ sudo su - <username>
$ git clone https://github.com/desaster/kippo
Create the necessary logging table (mysql.sql is located in doc/sql/)
$ mysql kippo -u root -p < mysql.sql
Configure Kippo to your liking, and according to your environment (e.g. your database settings under the [database_mysql] section)
$ cp kippo.cfg.dist kippo.cfg
$ vi kippo.cfg
Take note of the port number Kippo is listening on. By default Kippo listens on port 2222. You can either change the default port number, or use port forwarding:
$ sudo iptables -A PREROUTING -t nat -i eth0 -p tcp –dport 22 -j REDIRECT –to-port 2222
If you are configuring Kippo into a production environment, you should take time to modify settings that an attacker could use to identify the system as a honeypot.
Through the configuration file (kippo.cfg), you should also note where all the essential files and logs are located. E.g.:
Directory where log files are saved in: log/
Directory where downloaded (malware) files are saved in: dl/
Directory where virtual file contents are kept in: honeyfs/
The virtual file system (created by createfs.py): fs.pickle
Directory for miscellaneous data files, e.g. the password database: data/
Directory for creating simple commands that only output text: txtcmds/
After you’ve edit kippo.cfg to your liking, you’re all set!
Fake Credentials Management
By default, the only root password is “123456”. Additional root passwords can be added to data/userdb.txt. It’s a good idea to have only one password set for each username – multiple successful logins of the same username, but with different passwords, might look suspicious.
Note: When an attacker uses the passwd command in the Kippo shell, the new password will be appended to data/userdb.txt.
Annoying “Sticky” Feature
When an attacker is in your Kippo shell, he/she will not be able to exit the shell by simply launching the command “exit”. The attacker will still be stuck in some annoying shell that doesn’t make much sense. Commands launched in that shell can yield very confusing results. It is quite a fun feature at first glimpse – watching how attackers can get really confuse. It is also a big red flag telling the attacker it’s a honeypot. If you do not want to risk attackers blacklisting your honeypot, you should consider turning this feature off.
Check Out Your Logs
Raw logs are available in log/kippo.log.
They are also available in the MySQL database, structured beautifully in the tables created earlier.
In my previous write-up I introduced Kippo-Graph – written by my dear friend Ioannis “Ion” Koniaris – a web statistics visualisation tool you can use for the monitoring of your Kippo honeypot. There have been 16 versions of Kippo-Graph since then I last explored it. I’ve got many queries on why my write-up doesn’t work for them. Because we’re using a different version!
With my new write-up on Kippo, it is just plain rude if I do not relook into Ion’s contributions. However, unlike my previous write-up, I've done a write-up on them in a separate, dedicated entry.