A few weeks ago I wrote about attempted brute force attacks against the SSH port on my home network. If you haven't read that post yet, I would start there.
So I set up Kippo to act as an SSH honeypot and left it running. After a couple of days of uptime my IDS went insane and started spitting out alerts like there was no tomorrow, with several different signatures firing all at the same time.
It didn't take more than a second to figure out what was happening: the honeypot was being brute forced :) This is what I wanted, a chance to look at what was going on.
The first issue I ran into was trying to make sense of the raw data. There was a lot of it and no nice way to immediately view the interesting parts. Thankfully, as with most things, someone had already considered this and created a solution.
Kippo-Graph is still actively developed and fairly feature-full. The quote below is taken straight from the author's site. I have also included a few samples of the graphs from my honeypot.
Kippo-Graph currently shows 24 charts, including top 10 passwords, top 10 usernames, top 10 username/password combos, success ratio, connections per IP, connections per country, probes per day, probes per week, ssh clients, top 10 overall input, top 10 successful input, top 10 failed input and many more. There are also geolocation data extracted and displayed with Google visualization technology using a Google Map, an Intensity Map, etc. Lastly, input-related data and statistics are also presented giving an overview of the action inside the system.
Whilst Kippo-Graph has a lot of features, there are a couple I needed that didn't exist. It gives you top tens but has no function that lets you see or export all of the data; for that you need to dive into the SQL back-end. This became annoying very quickly, so I threw together a quick addition that lets me export the following data sets as CSV files:
- IP addresses
- Distinct Usernames
- Distinct Passwords
- Distinct user/pass combinations
With more time I'll create more export options.
The other feature that was missing was any sort of authentication. I'm working on an auth module for Kippo-Graph, but in the meantime I'm using Apache .htaccess to lock it down.
Once I have a larger data set I'll release some of the stats. In the meantime I'll show you how to get your own Kippo-Graph installation up and running.
I'm going to assume you successfully installed Kippo already as part of the previous segment.
This guide will make use of my edited version of Kippo-Graph, but you can use the author's own version just as easily. There are no extra steps required.
My changes are now part of Kippo-Graph.
The first thing we need to do is get our prerequisites installed:
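The four exports above are plain SELECT DISTINCT queries over two of Kippo's tables. The script below is an added example, not my patch or Kippo-Graph's own code: it builds an in-memory SQLite copy of the `auth` and `sessions` tables (column names assumed to match Kippo's doc/sql/mysql.sql) with constructed sample rows, so it runs offline, and writes each data set out as CSV. Point the same queries at the MySQL database for real data.

```python
"""Export distinct honeypot credential data as CSV (added example)."""
import csv
import io
import sqlite3

# Assumed subset of Kippo's MySQL schema (doc/sql/mysql.sql), as SQLite DDL.
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);
"""

# Constructed sample records standing in for real honeypot logins.
SAMPLE_SESSIONS = [("s1", "203.0.113.5"), ("s2", "203.0.113.5"), ("s3", "198.51.100.9")]
SAMPLE_AUTH = [("s1", 0, "root", "123456"), ("s1", 0, "root", "password"),
               ("s2", 0, "admin", "123456"), ("s3", 1, "root", "123456")]

# One query per export; DISTINCT collapses the thousands of repeated guesses.
EXPORTS = {
    "ips": "SELECT DISTINCT ip FROM sessions ORDER BY ip",
    "usernames": "SELECT DISTINCT username FROM auth ORDER BY username",
    "passwords": "SELECT DISTINCT password FROM auth ORDER BY password",
    "combos": "SELECT DISTINCT username, password FROM auth "
              "ORDER BY username, password",
}


def load_sample_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions (id, ip) VALUES (?, ?)", SAMPLE_SESSIONS)
    conn.executemany("INSERT INTO auth (session, success, username, password) "
                     "VALUES (?, ?, ?, ?)", SAMPLE_AUTH)
    return conn


def export_csv(conn, name):
    """Run one export query and return its result as CSV text, header first."""
    cur = conn.execute(EXPORTS[name])
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([col[0] for col in cur.description])  # column names
    writer.writerows(cur.fetchall())
    return buf.getvalue()


if __name__ == "__main__":
    db = load_sample_db()
    for name in EXPORTS:
        with open(f"kippo_{name}.csv", "w", newline="") as fh:
            fh.write(export_csv(db, name))
```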
```shell
sudo apt-get update
sudo apt-get install -y python-mysqldb mysql-server libapache2-mod-php5 php5-gd php5-mysql
sudo service apache2 restart
```
During installation you will be prompted to set a secure password for your MySQL root account.
Configuring Kippo requires setting up the SQL tables and then telling Kippo to use them.
To create the database and the kippo user account, enter the following commands (the lines after the mysql command are typed at the mysql> prompt):
```
mysql -u root -p
CREATE DATABASE kippo;
GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'PASSWORD HERE';
exit
```
Now we need to populate the table structure from the schema shipped with Kippo:
```
cd /home/kippo/kippo
mysql -u kippo -p
USE kippo;
source ./doc/sql/mysql.sql;
exit
```
Edit the kippo.cfg file in /home/kippo/kippo and look for the line [database_mysql]. Uncomment the lines below it and add the username and password you used above. You should end up with something like this:
```ini
[database_mysql]
host = localhost
database = kippo
username = kippo
password = password
port = 3306
```
Restart Kippo and we are good to go. From this point on, any NEW data you record is stored in the SQL tables.
Next, install Kippo-Graph under the Apache web root and create its config file from the shipped template:
```shell
cd /var/www/html
git clone https://github.com/ikoniaris/kippo-graph
cd kippo-graph
chmod 777 generated-graphs
cp config.php.dist config.php
```
Next edit config.php and update the following defines to match your Kippo setup:
```php
define('DB_HOST', '127.0.0.1');
define('DB_USER', 'username');
define('DB_PASS', 'password');
define('DB_NAME', 'database');
define('DB_PORT', '3306');
```
Secure Kippo-Graph (Optional)
As I mentioned earlier, in the absence of any auth I'm using htaccess and htpasswd to provide basic access control. This is fairly trivial to set up. Bear in mind that HTTP Basic auth only base64-encodes the credentials on each request, so serve the site over HTTPS if it is reachable beyond your LAN.
There are three things we need to do:
- create the .htaccess file
- create the account
- tell Apache to honour the .htaccess file.
Create a .htaccess file in the Kippo-Graph directory with the following contents. You can change the location of the passwords file; just make sure to use your own path in both the .htaccess file and the htpasswd command that follows.
```apache
AuthType Basic
AuthName "Home"
AuthUserFile /usr/local/apache/passwd/passwords
Require user Kevin
```
Feel free to replace Kevin with your own name :)
```shell
# -c creates the passwords file; omit it when adding further users later
htpasswd -c /usr/local/apache/passwd/passwords Kevin
```
The final edit we need to make is to our default site in Apache.
Locate your default site in /etc/apache2/sites-enabled/; in my case it's called 000-default.
Edit the file and, inside the Directory section for /var/www/html, add the following lines after the DocumentRoot line and before the error logging section. AllowOverride AuthConfig is what lets the .htaccess file take effect.
```apache
DocumentRoot /var/www/html
<Directory /var/www/html/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride AuthConfig
    Order allow,deny
    allow from all
</Directory>
```
Reload Apache and we should now be able to browse to http://our.kippo.ip/kippo-graph (the directory name created by the git clone above) and, after entering our credentials, look at some of our data. Under some of the sections, if you're using my version, you should see links to download the CSV files.
As usual, questions, queries and comments below.
For now I'll leave you with a quick glimpse of my graphs.