A few weeks ago I wrote about attempted brute-force attacks against the SSH port on my home network. If you haven't read that post yet, I would start there.
So I set up Kippo to act as an SSH honeypot and left it running. After a couple of days of uptime my IDS went insane and started spitting out alerts like there was no tomorrow, several different signatures firing all at the same time.
It didn't take more than a second to figure out what was happening: the honeypot was being brute-forced :) This is what I wanted, a chance to look at what was going on.
The first issue I ran into was trying to make sense of the raw data. There was a lot of it and no nice way to immediately view the interesting parts. Thankfully, as with most things, someone had already considered this and created a solution.
Kippo-Graph is still actively developed and fairly feature-full. The quote below is taken straight from the author's site. I have also included a few samples of the graphs from my honeypot.
"Kippo-Graph currently shows 24 charts, including top 10 passwords, top 10 usernames, top 10 username/password combos, success ratio, connections per IP, connections per country, probes per day, probes per week, ssh clients, top 10 overall input, top 10 successful input, top 10 failed input and many more. There is also geolocation data extracted and displayed with Google visualization technology using a Google Map, an Intensity Map, etc. Lastly, input-related data and statistics are also presented, giving an overview of the action inside the system."
Whilst Kippo-Graph has a lot of features, there are a couple I needed that didn't exist. Kippo-Graph gives you top tens but has no function to view or export the full data set; for that you need to dive into the SQL back-end. This became annoying very quickly, so I threw together a quick addition that exports the following data sets as CSV files:
- IP addresses
- Distinct usernames
- Distinct passwords
- Distinct username/password combinations
With more time I'll create more export options.
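To show what those exports amount to against Kippo's own tables, here is an added example (not part of the original post and not Kippo-Graph's code) that pulls the four distinct data sets out of the SQL back-end as CSV and computes the top-10 and success-ratio summaries Kippo-Graph charts. It assumes the `sessions` and `auth` tables from Kippo's doc/sql/mysql.sql (column names as listed in the docstring), Python 3, and a DB-API connection; the rows it loads are constructed sample data in an in-memory SQLite database so it runs offline, and on a live install you would swap `demo_connection()` for a `MySQLdb.connect(...)` call using the kippo user created below.

```python
"""Added example (not the original post's or Kippo-Graph's code): export Kippo's
distinct IPs, usernames, passwords and username/password combinations as CSV and
compute Kippo-Graph style top-N and success-ratio figures.

Assumed schema (the two Kippo tables used here, from doc/sql/mysql.sql):
  sessions(id, starttime, endtime, sensor, ip, termsize, client)
  auth(id, session, success, username, password, timestamp)
The demo data below is constructed and loaded into in-memory SQLite; on a live
install use MySQLdb.connect(host="localhost", user="kippo", passwd="...", db="kippo")
instead (python-mysqldb is installed earlier in the post). The SQL is unchanged.
"""
import csv
import io
import sqlite3

# Plain SQL-92 so the same statements run on MySQL and SQLite.
EXPORTS = {
    "ips": "SELECT DISTINCT ip FROM sessions ORDER BY ip",
    "usernames": "SELECT DISTINCT username FROM auth ORDER BY username",
    "passwords": "SELECT DISTINCT password FROM auth ORDER BY password",
    "combos": "SELECT DISTINCT username, password FROM auth "
              "ORDER BY username, password",
}

KIPPO_SCHEMA = """
CREATE TABLE sessions (id CHAR(32) PRIMARY KEY, starttime DATETIME, endtime DATETIME,
                       sensor INTEGER, ip VARCHAR(15), termsize VARCHAR(7), client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session CHAR(32), success TINYINT,
                   username VARCHAR(100), password VARCHAR(100), timestamp DATETIME);
"""

# Constructed sample data: three sessions from two attacker IPs (TEST-NET ranges),
# six login attempts, one of which the honeypot "accepted".
SAMPLE_SESSIONS = [
    ("a1", "2013-01-01 10:00:00", "2013-01-01 10:00:05", 1, "203.0.113.7", "80x24", 1),
    ("a2", "2013-01-01 10:01:00", "2013-01-01 10:01:09", 1, "203.0.113.7", "80x24", 1),
    ("a3", "2013-01-01 11:30:00", "2013-01-01 11:30:02", 1, "198.51.100.42", "80x24", 2),
]
SAMPLE_AUTH = [  # (session, success, username, password)
    ("a1", 0, "root", "password"),
    ("a1", 1, "root", "123456"),
    ("a2", 0, "admin", "admin"),
    ("a2", 0, "root", "123456"),
    ("a3", 0, "oracle", "oracle"),
    ("a3", 0, "root", "toor"),
]


def demo_connection():
    """Offline stand-in for the MySQL back-end, populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(KIPPO_SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SAMPLE_SESSIONS)
    conn.executemany(
        "INSERT INTO auth (session, success, username, password, timestamp) "
        "VALUES (?,?,?,?,?)",
        [(s, ok, u, p, "2013-01-01 12:00:00") for s, ok, u, p in SAMPLE_AUTH])
    return conn


def export_csv(conn, name):
    """Run one named export and return it as CSV text (header row first)."""
    cur = conn.cursor()
    cur.execute(EXPORTS[name])
    header = [d[0] for d in cur.description]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")  # quotes passwords containing , or "
    writer.writerow(header)
    writer.writerows(cur.fetchall())
    return buf.getvalue()


def top_n(conn, column, n=10):
    """Top-N values of an auth column with attempt counts, like Kippo-Graph's charts.
    The column name is interpolated into SQL, so it is checked against a whitelist."""
    if column not in ("username", "password"):
        raise ValueError("unsupported column: %r" % column)
    cur = conn.cursor()
    cur.execute("SELECT %s, COUNT(*) AS c FROM auth GROUP BY %s ORDER BY c DESC, %s LIMIT %d"
                % (column, column, column, int(n)))
    return cur.fetchall()


def success_ratio(conn):
    """(successful, failed, success fraction) over all recorded login attempts."""
    cur = conn.cursor()
    cur.execute("SELECT success, COUNT(*) FROM auth GROUP BY success")
    counts = dict(cur.fetchall())
    ok, failed = counts.get(1, 0), counts.get(0, 0)
    return ok, failed, (ok / float(ok + failed)) if ok + failed else 0.0


if __name__ == "__main__":
    db = demo_connection()
    for export in EXPORTS:
        print("--- %s.csv ---\n%s" % (export, export_csv(db, export)), end="")
    print("top usernames:", top_n(db, "username", 3))
    print("top passwords:", top_n(db, "password", 3))
    print("success/failed/ratio:", success_ratio(db))
```

Writing an export to disk is just `open("usernames.csv", "w", newline="").write(export_csv(conn, "usernames"))`. Everything in the `auth` table is attacker-supplied, which is why the CSV writer's quoting matters and why `top_n` refuses any column name outside its whitelist rather than formatting caller input straight into the query.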
The other missing feature was any sort of authentication. I'm working on an auth module for Kippo-Graph, but in the meantime I'm using Apache .htaccess to lock it down.
Once I have a larger data set I'll release some of the stats. In the meantime I'll show you how to get your own Kippo-Graph installation up and running.
I'm going to assume you have already installed Kippo successfully as part of the previous post.
This guide uses my edited version of Kippo-Graph, but you can use the author's own version just as easily; there are no extra steps required.
First we need to install the prerequisites:
    apt-get update && apt-get install -y python-mysqldb mysql-server libapache2-mod-php5 php5-gd php5-mysql
    /etc/init.d/apache2 restart
During installation you will be prompted to set a password for the MySQL root account; pick a strong one.
Configuring Kippo requires setting up the SQL tables and then telling Kippo to use them.
First create the database and a dedicated user for it (the kippo user only needs rights on the kippo database, not on the whole server):
    mysql -u root -p
    > CREATE DATABASE kippo;
    > GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'PASSWORD HERE';
    > exit
Now we need to populate the table structure, using the schema that ships with Kippo:
    cd /home/kippo/kippo
    mysql -u kippo -p
    > USE kippo;
    > source ./doc/sql/mysql.sql;
    > exit
Next edit /home/kippo/kippo/kippo.cfg, look for the [database_mysql] section, uncomment the lines and fill in the username and password you used above. You should end up with something like this (with your real password in place of "password"):
    [database_mysql]
    host = localhost
    database = kippo
    username = kippo
    password = password
    port = 3306
Restart Kippo and we are good to go. From this point on any NEW data you record is stored in the SQL tables.
As I mentioned before, you can substitute the author's version here instead of mine if you so desire.
    cd /var/www/
    git clone https://github.com/ikoniaris/kippo-graph
    cd kippo-graph
    chmod 777 generated-graphs
Edit: the author has merged my changes, so cloning the upstream repository above gets you the CSV exports as well. The original instructions fetched https://github.com/kevthehermit/kippo-graph/archive/master.zip and unzipped it, which leaves the files in /var/www/kippo-graph-master rather than /var/www/kippo-graph.
Note that chmod 777 lets every local user write into generated-graphs. It only needs to be writable by the Apache user, so chown www-data generated-graphs followed by chmod 755 generated-graphs is the tighter choice.
Next edit config.php in the kippo-graph directory so its database settings match the values from kippo.cfg.
As I mentioned earlier, in the absence of any built-in auth I'm using .htaccess and htpasswd to provide basic access control. This is fairly trivial to set up.
There are three things we need to do:
- create the .htaccess file
- create the account
- tell Apache to honour the .htaccess file.
Create a .htaccess file in the kippo-graph directory (/var/www/kippo-graph) containing the following:
    AuthType Basic
    AuthName "Home"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require user Kevin
Feel free to replace Kevin with your own name :)
Then create the password file and the account. If /usr/local/apache/passwd does not exist yet, mkdir -p it first. The -c flag creates (and overwrites) the file, so drop it when adding further users later:
    htpasswd -c /usr/local/apache/passwd/passwords Kevin
Again, feel free to use your own name here and enter the password as prompted. Basic auth sends the password with every request unencrypted, so if the Kippo-Graph pages are reachable from anything other than a trusted network, serve them over HTTPS.
The final edit we need to make is to our default site in Apache.
Locate your default site in /etc/apache2/sites-enabled/; in my case it's called 000-default.
Edit the file and, inside the Directory section for /var/www under DocumentRoot, change AllowOverride to AuthConfig. The stock default is AllowOverride None, which makes Apache silently ignore the .htaccess file.
You should end up with something like this:
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride AuthConfig
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        allow from all
    </Directory>
The Directory blocks are the stock Debian ones; only AllowOverride has changed. Indexes enables directory listings under /var/www, so drop it if you would rather visitors could not browse the generated graphs and CSV files directly. Restart Apache after saving.
We should now be able to browse to http://<your kippo ip>/kippo-graph (or /kippo-graph-master if you unpacked the zip) and, after entering our credentials, look at some of our data. Under some of the sections, if you're using my version, you should see links to download the CSV files.
As usual, questions, queries and comments below.
I have a Turnkey appliance with Kippo and Kippo-Graph preconfigured; for those interested, let me know.
For now I'll leave you with a quick glimpse of my graphs.