Installing And Configuring Kippo Graph

A few weeks ago I wrote about attempted brute-force attacks against the SSH port on my home network. If you haven't read that post yet, start there.

So I set up Kippo to act as an SSH honeypot and left it running. After a couple of days of uptime my IDS went insane and started spitting out alerts like there was no tomorrow, with several different signatures firing at the same time.

[Screenshot: IDS alerts (Alerts1)]

[Screenshot: IDS alerts (Alerts2)]

It didn't take more than a second to figure out what was happening: the honeypot was being brute-forced :) This was exactly what I wanted, a chance to look at what was going on.

The first issue I ran into was trying to make sense of the raw data. There was a lot of it and no nice way to immediately view the interesting parts. Thankfully, as with most things, someone had already considered this and created a solution.

Kippo-Graph.

Kippo-Graph is still actively developed and fairly feature-full. The quote below is taken straight from the author's site. I have also included a few samples of the graphs from my honeypot.

Kippo-Graph currently shows 24 charts, including top 10 passwords, top 10 usernames, top 10 username/password combos, success ratio, connections per IP, connections per country, probes per day, probes per week, ssh clients, top 10 overall input, top 10 successful input, top 10 failed input and many more. There are also geolocation data extracted and displayed with Google visualization technology using a Google Map, an Intensity Map, etc. Lastly, input-related data and statistics are also presented giving an overview of the action inside the system.

[Chart: top10_passwords]

[Chart: top10_combinations]

[Chart: connections_per_ip]

Whilst Kippo-Graph has a lot of features, there are a couple I needed that didn't exist. Kippo-Graph gives you top tens but has no function to view or export the complete data sets; for that you need to dive into the SQL back-end. This became annoying very quickly, so I threw together a quick addition that exports the following data sets as CSV files:

  • IP addresses
  • Distinct usernames
  • Distinct passwords
  • Distinct username/password combinations

With more time I'll create more export options.

The other feature that was missing was any sort of authentication. I'm working on an auth module for Kippo-Graph, but in the meantime I'm using Apache .htaccess to lock it down.

Once I have a larger data set I'll release some of the stats; in the meantime I'll show you how to get your own Kippo-Graph installation up and running.

I'm going to assume you already installed Kippo successfully as part of the previous post.

This guide uses my edited version of Kippo-Graph, but you can use the author's own version just as easily; there are no extra steps required.

Dependencies.

First we need to get the prerequisites installed (package names are for the Debian/Ubuntu releases of the php5 era):

apt-get update && apt-get install -y python-mysqldb mysql-server libapache2-mod-php5 php5-gd php5-mysql
/etc/init.d/apache2 restart

During the MySQL installation you will be prompted to set a password for the SQL root account; pick a strong one.

Configure Kippo

Configuring Kippo means creating the SQL database and tables and then telling Kippo to use them.

To create the database and a dedicated, least-privilege user for it (replace PASSWORD HERE with a password of your own), run:

mysql -u root -p
> CREATE DATABASE kippo;
> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'PASSWORD HERE';
> exit

Now we need to populate the table structure from the schema shipped with Kippo:

cd /home/kippo/kippo
mysql -u kippo -p
> USE kippo;
> source ./doc/sql/mysql.sql;
> exit

Edit the kippo.cfg file in /home/kippo/kippo and look for the [database_mysql] section.

Uncomment the lines and fill in the username and password you used above. You should end up with something like this (with your real password in place of "password"):

[database_mysql]
host = localhost
database = kippo
username = kippo
password = password
port = 3306

Restart Kippo and we are good to go. From this point on any new data Kippo records is stored in the SQL tables; sessions captured before the change are not imported and will not show up in the graphs.
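Kippo-Graph's charts only show top tens, so pulling the complete data sets out of the tables just created means querying them directly. The script below is an added example (not part of the original post or of Kippo-Graph's own export code): it assumes the standard Kippo MySQL schema from doc/sql/mysql.sql, specifically the sessions (id, ip, ...) and auth (session, success, username, password, ...) columns, and runs the four exports listed earlier (IP addresses, distinct usernames, distinct passwords, distinct username/password combinations) as plain SQL. To run offline it builds an in-memory SQLite copy of those two tables filled with constructed sample rows; against the live honeypot you would pass a python-mysqldb connection opened with the values from kippo.cfg instead.

```python
"""Export full (not top-10) Kippo data sets as CSV.

Added example; not part of the original post or of Kippo-Graph. Assumes the
standard Kippo MySQL schema (doc/sql/mysql.sql). Only the columns used below
are modelled in the SQLite demo: sessions(id, starttime, endtime, sensor, ip)
and auth(id, session, success, username, password, timestamp).
"""
import csv
import io
import sqlite3

# Constructed sample data (not real honeypot traffic): three sessions from
# two source IPs and the login attempts made in each.
SAMPLE_SESSIONS = [
    ("s1", "2013-03-01 10:00:00", "2013-03-01 10:00:05", 1, "198.51.100.7"),
    ("s2", "2013-03-01 10:01:00", "2013-03-01 10:01:09", 1, "198.51.100.7"),
    ("s3", "2013-03-02 03:14:00", "2013-03-02 03:14:20", 1, "203.0.113.9"),
]
SAMPLE_AUTH = [
    # (session, success, username, password)
    ("s1", 0, "root", "123456"),
    ("s1", 0, "root", "password"),
    ("s2", 0, "admin", "admin"),
    ("s2", 1, "root", "123456"),
    ("s3", 0, "root", "123456"),
    ("s3", 0, "oracle", "oracle"),
]


def build_sample_db():
    """Create an in-memory SQLite stand-in for the Kippo tables used here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                               sensor INTEGER, ip TEXT);
        CREATE TABLE auth (id INTEGER PRIMARY KEY AUTOINCREMENT, session TEXT,
                           success INTEGER, username TEXT, password TEXT,
                           timestamp TEXT);
        """
    )
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?)", SAMPLE_SESSIONS)
    conn.executemany(
        "INSERT INTO auth (session, success, username, password) VALUES (?,?,?,?)",
        SAMPLE_AUTH,
    )
    conn.commit()
    return conn


# Each export is (CSV header, query). Only COUNT/SUM/GROUP BY are used, so the
# same SQL runs unchanged against MySQL.
EXPORTS = {
    "ip_addresses": (
        ("ip", "connections"),
        "SELECT ip, COUNT(*) FROM sessions GROUP BY ip ORDER BY COUNT(*) DESC, ip",
    ),
    "distinct_usernames": (
        ("username", "attempts"),
        "SELECT username, COUNT(*) FROM auth GROUP BY username "
        "ORDER BY COUNT(*) DESC, username",
    ),
    "distinct_passwords": (
        ("password", "attempts"),
        "SELECT password, COUNT(*) FROM auth GROUP BY password "
        "ORDER BY COUNT(*) DESC, password",
    ),
    "distinct_combinations": (
        ("username", "password", "attempts", "successes"),
        "SELECT username, password, COUNT(*), SUM(success) FROM auth "
        "GROUP BY username, password ORDER BY COUNT(*) DESC, username, password",
    ),
}


def run_export(conn, name):
    """Return (header, rows) for one of the EXPORTS data sets."""
    header, sql = EXPORTS[name]
    rows = [tuple(r) for r in conn.execute(sql)]
    return header, rows


def to_csv(header, rows):
    """Render an export as CSV text. Usernames and passwords come straight from
    attackers and may contain commas, quotes or newlines, so quoting is left to
    the csv module rather than done by string concatenation."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


def export_all(conn, directory=None):
    """Render every data set; optionally write <directory>/<name>.csv too."""
    out = {}
    for name in EXPORTS:
        text = to_csv(*run_export(conn, name))
        out[name] = text
        if directory is not None:
            with open(f"{directory}/{name}.csv", "w", newline="") as fh:
                fh.write(text)
    return out


if __name__ == "__main__":
    db = build_sample_db()
    for name, text in export_all(db).items():
        print(f"--- {name}.csv ---")
        print(text, end="")
```

Everything in these files is attacker-supplied input. If you open them in a spreadsheet, cells beginning with =, +, - or @ may be interpreted as formulas, so treat the usernames and passwords as untrusted data rather than something to double-click on.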

Install Kippo-Graph

As I mentioned before, you can substitute the author's version here instead of mine if you so desire.

Edit: the author has since merged my changes, so the steps below clone the upstream repository directly. (The original version of this post fetched https://github.com/kevthehermit/kippo-graph/archive/master.zip and unzipped it instead.)

cd /var/www/
git clone https://github.com/ikoniaris/kippo-graph
cd kippo-graph
chmod 777 generated-graphs

Kippo-Graph only needs the Apache user to be able to write to generated-graphs. chmod 777 works but makes the directory world-writable; giving ownership of the directory to the Apache user (www-data on Debian) and leaving the mode at 755 is the tighter option.

Next, edit config.php to match the values from the Kippo configuration (host, database name, username and password).

Secure Kippo-Graph

As I mentioned earlier, in the absence of any built-in auth I'm using htaccess and htpasswd to provide basic access control. This is fairly trivial to set up. Two caveats: the .htaccess file goes in /var/www, so it protects everything under the document root, not just Kippo-Graph; and HTTP basic auth sends the credentials in the clear on every request, so either serve the dashboard over HTTPS or keep it reachable only from your local network.

There are three things we need to do:

  • create the .htaccess file
  • create the account
  • tell Apache to honour the .htaccess file

nano /var/www/.htaccess

Enter the following (the password file deliberately lives outside /var/www so Apache can never serve it):

AuthType Basic
AuthName "Home"
AuthUserFile /usr/local/apache/passwd/passwords
Require user Kevin

Feel free to replace Kevin with your own name :)

mkdir -p /usr/local/apache/passwd
htpasswd -c /usr/local/apache/passwd/passwords Kevin

Again, feel free to use your own name here and enter the password when prompted. The -c flag creates the file; leave it off when adding further users to an existing file, or it will be overwritten.

The final edit we need to make is to our default site in Apache. Without it, Apache ignores the .htaccess file and the dashboard stays open.

Locate your default site in /etc/apache2/sites-enabled/; in my case it is called 000-default.

Edit the file and, inside the <Directory> section for /var/www under DocumentRoot, add the following:

AllowOverride AuthConfig

You should end up with something like this:

DocumentRoot /var/www
<Directory />
    Options FollowSymLinks
    AllowOverride AuthConfig
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride AuthConfig
    Order allow,deny
    allow from all
</Directory>

Reload Apache afterwards for the change to take effect. The Order/allow directives are Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all granted.

We should now be able to browse to http://ourkippoip/kippo-graph (or /kippo-graph-master if you unpacked the zip rather than cloning) and, after entering our credentials, look at some of our data. Under some of the sections, if you're using my version (or the upstream version since the merge), you should see links to download the CSV files.

As usual, questions, queries and comments below.

I have a TurnKey appliance with Kippo and Kippo-Graph preconfigured; let me know if you are interested.

For now I'll leave you with a quick glimpse of my graphs.

[Screenshot: Kippo-Graph, fast visualization for your Kippo SSH honeypot stats]

2 comments to Installing And Configuring Kippo Graph

  • JB  says:

    Nicely done :)

  • Nil Novum Sub Sole » Kippo: SSH Honeypot Revisited  says:

    […] The only hiccup was that I forgot to populate the database with tables before setting it all off (this page to the rescue!). There are files included with Kippo (in /doc/sql/) that can be used to create the […]
