Installing And Configuring Kippo Graph

A few weeks ago I wrote about attempted brute-force attacks against the SSH port on my home network. If you haven't read that post yet, I would start there.

So I set up Kippo to act as an SSH honeypot and left it running. After a couple of days' uptime my IDS went insane and started spitting out alerts like there was no tomorrow, with several different signatures firing all at the same time.



It didn't take more than a second to figure out what was happening. The honeypot was being brute forced :) This is what I wanted: a chance to look at what was going on.

The first issue I ran into was trying to make sense of the raw data . . . There was a lot of it and no nice way to immediately view the interesting data. Thankfully, as with most things, someone had already considered this and created a solution.


Kippo is still actively developed and fairly feature-rich. The quote below is taken straight from the author's site. I have also included a few samples of the graphs from my honeypot.

Kippo-Graph currently shows 24 charts, including top 10 passwords, top 10 usernames, top 10 username/password combos, success ratio, connections per IP, connections per country, probes per day, probes per week, ssh clients, top 10 overall input, top 10 successful input, top 10 failed input and many more. There are also geolocation data extracted and displayed with Google visualization technology using a Google Map, an Intensity Map, etc. Lastly, input-related data and statistics are also presented giving an overview of the action inside the system.



Whilst Kippo has a lot of features, there are a couple I needed that didn't exist. Kippo gives you top tens but doesn't have any functions that allow you to see or export all the data. For that you need to dive into the SQL back-end. This became annoying very quickly, so I threw together a quick addition that would allow me to export the following data sets as CSV files:

  • IP addresses
  • Distinct Usernames
  • Distinct Passwords
  • Distinct user / Pass Combinations

With more time I'll create more export options.
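The four exports listed above, sketched as an added example (this is not the code that went into Kippo-Graph). It assumes Kippo's auth and sessions tables with username, password and ip columns, uses an in-memory SQLite database with constructed rows in place of MySQL, and prefixes any cell a spreadsheet would evaluate as a formula, since every value in these tables was typed by an attacker.

```python
import csv
import io
import sqlite3

# Assumption: column names follow Kippo's doc/sql/mysql.sql schema.
# Only these fixed queries are ever run; callers pick one by name.
EXPORTS = {
    "ips": "SELECT DISTINCT ip FROM sessions ORDER BY ip",
    "usernames": "SELECT DISTINCT username FROM auth ORDER BY username",
    "passwords": "SELECT DISTINCT password FROM auth ORDER BY password",
    "combos": "SELECT DISTINCT username, password FROM auth "
              "ORDER BY username, password",
}
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralise(cell):
    """Prefix cells a spreadsheet would treat as a formula with a quote."""
    text = str(cell)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def export_csv(conn, name):
    """Run one named export and return it as CSV text (KeyError if unknown)."""
    cur = conn.execute(EXPORTS[name])
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([col[0] for col in cur.description])
    for row in cur:
        writer.writerow([neutralise(c) for c in row])
    return out.getvalue()


def sample_db():
    """Constructed sample rows, not real honeypot data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id TEXT, ip TEXT)")
    conn.execute("CREATE TABLE auth (session TEXT, success INT, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)",
                     [("s1", "203.0.113.7"), ("s2", "203.0.113.7"),
                      ("s3", "198.51.100.22")])
    conn.executemany("INSERT INTO auth VALUES (?, ?, ?, ?)",
                     [("s1", 0, "root", "123456"), ("s2", 0, "root", "123456"),
                      ("s3", 0, "admin", "=1+1"), ("s3", 1, "root", "pass,word")])
    return conn
```

Against a real Kippo database the same queries run unchanged through a MySQL connection; the quoting and the formula prefix are the parts worth keeping.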

The other feature that was missing was any sort of authentication. I'm working on an auth module for Kippo, but in the meantime I'm using Apache .htaccess to lock it down.

Once I have a larger data set I'll release some of the stats. In the meantime I'll show you how to get your own Kippo-Graph installation up and running.

I'm going to assume you successfully installed Kippo already as part of the previous segment.

This guide will make use of my edited version of Kippo-Graph, but you can use the author's own version just as easily. There are no extra steps required.

My changes are now a part of kippo graph.


The first thing we need to do is get our prerequisites installed.

sudo apt-get update
sudo apt-get install -y python-mysqldb mysql-server libapache2-mod-php5 php5-gd php5-mysql
sudo service apache2 restart

During installation you will be prompted to add a secure password for your SQL root account.

Configure Kippo

Configuring Kippo requires setting up the SQL tables and then telling Kippo to use them.

To install the tables and create the kippo user account, enter the following commands:

mysql -u root -p
CREATE DATABASE kippo;
GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'PASSWORD HERE';
exit

Now we need to populate the table structure:

cd /home/kippo/kippo
mysql -u kippo -p
USE kippo;
source ./doc/sql/mysql.sql;

Edit the kippo.cfg file in /home/kippo/kippo.

Look for the line [database_mysql].

Uncomment the lines and add the username and password you used above. You should end up with something like this:

host = localhost
database = kippo
username = kippo
password = password
port = 3306

Restart Kippo and we are good to go. At this point any NEW data you record is stored in the SQL tables.

Install Kippo-Graph

cd /var/www/html
git clone
cd kippo-graph
chmod 777 generated-graphs
cp config.php.dist config.php

Next, edit config.php and update the following sections to match your Kippo setup:

define('DB_HOST', '');
define('DB_USER', 'username');
define('DB_PASS', 'password');
define('DB_NAME', 'database');
define('DB_PORT', '3306');

Secure Kippo-Graph (Optional)

As I mentioned earlier, in the absence of any auth I'm using htaccess and htpasswd to provide basic access control. This is fairly trivial to set up.

There are three things we need to do:

  • set the .htaccess file
  • set the account
  • tell Apache to use the .htaccess file.

nano /var/www/html/.htaccess

Enter the following details. You can change the location of the passwords file; just make sure to use your own path in both the .htaccess file and the htpasswd command that follows.

AuthType Basic
AuthName "Home"
AuthUserFile /usr/local/apache/passwd/passwords
Require user Kevin

Feel free to replace Kevin with your own name :)

htpasswd -c /usr/local/apache/passwd/passwords Kevin

The final edit we need to make is to our default site in Apache.

Locate your default site in /etc/apache2/sites-enabled/. In my case it's called 000-default.

Edit the file and, inside the DocumentRoot .. Directory section for /var/www/html, add the following lines after the DocumentRoot line and before the error logging section.

DocumentRoot /var/www/html
<Directory /var/www/html/>
    Options Indexes FollowSymLinks MultiViews
    # AuthConfig lets the .htaccess file set the authentication directives
    AllowOverride AuthConfig
    Order allow,deny
    allow from all
</Directory>

We should now be able to browse to http://our.kippo.ip/kippo-graph-master and, after entering our credentials, look at some of our data. Under some of the sections, if you're using my version, you should see some links to download the CSV files.
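An added check for the setup above (not part of Kippo-Graph or the original post): it reads the .htaccess file, confirms the password file sits outside the web root, and flags the world-writable generated-graphs directory left by chmod 777 and a world-readable config.php. The function name audit_webroot and the app_dir default are assumptions.

```python
import os
import stat


def audit_webroot(webroot, app_dir="kippo-graph"):
    """Return a list of findings for the .htaccess setup described above."""
    findings = []
    directives = {}
    htaccess = os.path.join(webroot, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess) as fh:
            for line in fh:
                parts = line.split(None, 1)
                if len(parts) == 2 and not parts[0].startswith("#"):
                    directives[parts[0].lower()] = parts[1].strip()
    else:
        findings.append("no .htaccess in web root")
    # Without all three directives Apache will not ask for credentials.
    for key in ("authtype", "authuserfile", "require"):
        if directives and key not in directives:
            findings.append("missing directive: " + key)
    # A password file under the web root could be fetched by any visitor.
    pwfile = directives.get("authuserfile", "").strip('"')
    if pwfile:
        root = os.path.realpath(webroot)
        if os.path.commonpath([root, os.path.realpath(pwfile)]) == root:
            findings.append("password file is inside the web root")
    # Permission bits: any local user can write graphs or read the DB password.
    for rel, bad_bit, msg in (
        ("generated-graphs", stat.S_IWOTH, "is world-writable"),
        ("config.php", stat.S_IROTH, "is world-readable"),
    ):
        path = os.path.join(webroot, app_dir, rel)
        if os.path.exists(path) and os.stat(path).st_mode & bad_bit:
            findings.append(rel + " " + msg)
    return findings
```

Calling audit_webroot("/var/www/html") on the host returns an empty list when nothing is flagged; giving the web server user ownership of generated-graphs clears the world-writable finding without mode 777.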

As usual, questions, queries and comments below.

For now I'll leave you with a quick glimpse of my graphs.