How to set up a Kippo Honeypot on a VPS

I was planning on setting up another honeypot. So this time I figured that I would write a guide on how to set up a honeypot on a VPS. Personally I will be using a VPS from ChicagoVPS.net. I was able to pick up a VPS with 2GB RAM, 100GB hard drive, 2 IP addresses, and 3TB bandwidth for just $40 a year. The deal has "expired" but you can still get it. Just message me if you're interested and I'll send the link over.

For this honeypot I will just be using Kippo, which is an SSH honeypot. I do plan, at a later date, to explain how to set up a large compilation of honeypots on the same VPS (not just Kippo). I say a later date because I'm still working on it myself. For this guide I will also explain how to set up Kippo-Graph, which gives you a graphical representation of the attacks on the system.

For the first step you're going to want to get a VPS up and running. This should be easy for most of you. For the template/operating system of the VPS, most Linux distributions will work. I will be using Ubuntu 12.04 64-bit, which should be offered by most VPS providers. If not, the guide should still be easily translated to another operating system.

Single IP Address

Most people following this guide will be limited to 1 IP address, so I will be explaining how to set it up as such. To start, just SSH into your VPS. With one IP you will want to start by changing the default SSH port. You can change the port in the following file: /etc/ssh/sshd_config

You will want to edit the line that looks like the following.

Port 22

You'll want to change it to a number between 49152 and 65535. Make sure you remember this port or you won't be able to SSH into the box anymore. You will now have to restart the SSH service.

service ssh restart

You will now want to disconnect from your VPS and connect with the new port. You can now skip to the "Continue below" section.

Multiple IP Addresses

In some cases your VPS may come with multiple IP addresses, like mine. In this section I'll explain how to set this up. For my setup I will use one of the IPs for the Kippo honeypot and the other for basic management of the system. To start, you will want to configure SSH to listen only on the management interface by changing a line in the file

/etc/ssh/sshd_config

You will want to edit the line that looks like the following.

#ListenAddress 0.0.0.0

You'll want to remove the # and replace 0.0.0.0 with the IP that you want to use to manage the system. Save the file and restart the SSH service.

service ssh restart

You will now want to disconnect from your VPS and make sure you're connected with the management IP.
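Both the single-IP and the multiple-IP sections above come down to the same sshd_config edit, and the risk in both is the same: a typo in that file and a restart means your next login fails. The script below is an added example, not part of the original post; it makes the Port and ListenAddress change, keeps a backup, and lets sshd parse the result before you run service ssh restart. The path /etc/ssh/sshd_config is the one from the post; every function takes the path as a parameter so you can try it on a copy first. The address 203.0.113.10 in the usage comments is a placeholder for your management IP.

```shell
#!/bin/sh
# Added example, not from the original post: move the management sshd off
# port 22 (and, with two IPs, pin it to the management address), keeping a
# backup and validating the file before "service ssh restart" so a typo
# cannot lock you out.

# sshd_directive CONFIG KEY: print the active (uncommented) value of KEY.
sshd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# set_sshd_listen CONFIG PORT [ADDRESS]
# Checks PORT against the post's 49152-65535 range, backs the file up to
# CONFIG.bak, drops every active Port/ListenAddress line and writes the new
# ones at the top of the file, where they cannot fall inside a Match block.
set_sshd_listen() {
    cfg=$1; port=$2; addr=${3:-}
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 49152 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is outside 49152-65535" >&2; return 1
    fi
    cp "$cfg" "$cfg.bak"
    {
        echo "Port $port"
        if [ -n "$addr" ]; then echo "ListenAddress $addr"; fi
        sed -e '/^Port[[:space:]]/d' -e '/^ListenAddress[[:space:]]/d' "$cfg.bak"
    } > "$cfg"
}

# sshd_check CONFIG: ask sshd to parse the file (run as root, since it also
# loads the host keys). Only restart the service when this returns 0.
sshd_check() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Typical use on the VPS (as root). Single-IP case:
#   set_sshd_listen /etc/ssh/sshd_config 50022 && sshd_check /etc/ssh/sshd_config && service ssh restart
# Two-IP case, 203.0.113.10 standing in for the management address:
#   set_sshd_listen /etc/ssh/sshd_config 50022 203.0.113.10 && sshd_check /etc/ssh/sshd_config && service ssh restart
```

Keep your current SSH session open while you restart, and confirm a second session on the new port (and address) works before closing it; if the new one fails, the session you kept can restore CONFIG.bak.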

Continue below

Now we are going to install the packages that your system will need to run Kippo. To do this, just run this command if you're using Ubuntu:

apt-get update && apt-get upgrade -y && apt-get install -y python-dev openssl python-openssl python-pyasn1 python-twisted authbind

This will most likely ask you if you want to install a bunch of packages; just type yes. We will now set up a normal user account for Kippo so it won't run as root (for security reasons).

adduser kippo

Fill in the necessary information. You can leave fields like name blank. We will now configure your system so Kippo can actually bind to port 22. This is done with the following commands. Make sure you replace KIPPO-IPADDRESS with your IP address. If you have multiple IP addresses this will be the one you configured to run Kippo on (not the management IP).

touch /etc/authbind/byaddr/KIPPO-IPADDRESS:22

chown kippo:kippo /etc/authbind/byaddr/KIPPO-IPADDRESS:22

chmod 777 /etc/authbind/byaddr/KIPPO-IPADDRESS:22

Next you will have to download Kippo. There are multiple ways of doing this. If you want the latest version from the SVN repo (which is recommended), you will first need to install Subversion with the following command.

apt-get install subversion

Once you've done that, we will switch to the kippo user.

su - kippo

Now, if you elected for the SVN route, just issue the following commands to download Kippo and change into its directory.

svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo

cd kippo

If you didn't want to use SVN, you can just download the latest tarball with wget.

wget https://kippo.googlecode.com/files/kippo-0.8.tar.gz

tar -xvf kippo-0.8.tar.gz

cd kippo-0.8

You now have Kippo downloaded. Now we just have to configure it. Start by renaming the Kippo configuration file if needed. This is done as follows.

mv kippo.cfg.dist kippo.cfg

We will now edit that file. The lines you will want to change are listed below.

#ssh_addr = 0.0.0.0

ssh_port = 2222

You will want the lines to look like the following.

ssh_addr = Your Kippo IP address here
ssh_port = 22

Now we just need to change one thing in the start.sh file. You will want to change the line that looks like the following

twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

to look like

authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

Now all you have to do is type the following command to start Kippo.

./start.sh
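The steps from adduser through ./start.sh above are three file edits: the authbind entry, the ssh_addr/ssh_port lines in kippo.cfg, and the twistd line in start.sh. The following is an added example, not the post's own commands and not part of Kippo, that applies them idempotently (safe to re-run) with the directories as parameters; /etc/authbind, the kippo user and port 22 are the post's values, 203.0.113.10 in the usage comment is a placeholder for your Kippo IP. One deliberate difference from the post: the authbind entry is created with mode 0500 (owner read and execute, which is what authbind checks and what the usual authbind recipes use) rather than 777, so other local users cannot alter it, and kippo.cfg.dist is copied rather than moved so the shipped defaults stay available.

```shell
#!/bin/sh
# Added example (not from the original post or from Kippo): the authbind
# entry, kippo.cfg and start.sh edits from the post, applied with sed so
# re-running is harmless. Paths are parameters; try it on a scratch copy.

# authbind_allow AUTHBIND_DIR ADDRESS PORT USER
# authbind permits the bind when byaddr/ADDRESS:PORT exists and is executable
# by the calling user. chown needs root and an existing USER; otherwise it is
# skipped with a notice (the file is then owned by whoever ran this).
authbind_allow() {
    entry="$1/byaddr/$2:$3"
    mkdir -p "$1/byaddr"
    : > "$entry"
    if [ "$(id -u)" -eq 0 ] && id "$4" >/dev/null 2>&1; then
        chown "$4:$4" "$entry"
    else
        echo "not root or no user $4: skipping chown of $entry" >&2
    fi
    chmod 0500 "$entry"
}

# kippo_bind_config KIPPO_DIR ADDRESS
# Creates kippo.cfg from kippo.cfg.dist when missing, sets ssh_addr to
# ADDRESS and ssh_port to 22 (uncommenting them if needed), and prefixes the
# twistd line in start.sh with "authbind --deep" exactly once.
kippo_bind_config() {
    dir=$1; addr=$2
    [ -f "$dir/kippo.cfg" ] || cp "$dir/kippo.cfg.dist" "$dir/kippo.cfg"
    # ADDRESS is an IP literal, so it needs no escaping in the replacement.
    sed -e "s/^#*[[:space:]]*ssh_addr[[:space:]]*=.*/ssh_addr = $addr/" \
        -e "s/^#*[[:space:]]*ssh_port[[:space:]]*=.*/ssh_port = 22/" \
        "$dir/kippo.cfg" > "$dir/kippo.cfg.tmp" && mv "$dir/kippo.cfg.tmp" "$dir/kippo.cfg"
    if ! grep -q '^authbind --deep twistd' "$dir/start.sh"; then
        sed -e 's/^twistd /authbind --deep twistd /' "$dir/start.sh" > "$dir/start.sh.tmp" \
            && mv "$dir/start.sh.tmp" "$dir/start.sh"
        chmod +x "$dir/start.sh"
    fi
}

# kippo_setting KIPPO_DIR KEY: print the active value of KEY in kippo.cfg.
kippo_setting() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1/kippo.cfg" | head -n 1
}

# Typical use, matching the post's layout (203.0.113.10 = your Kippo IP):
#   as root:       authbind_allow /etc/authbind 203.0.113.10 22 kippo
#   as user kippo: kippo_bind_config /home/kippo/kippo 203.0.113.10 && /home/kippo/kippo/start.sh
```

After start.sh comes up, check from another host that port 22 on the Kippo address now answers with Kippo's banner while your management port still answers with the real sshd.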

So you should now have Kippo running on port 22. If you only want Kippo then you can stop here. Otherwise, if you want kippo-graph, it's just a couple more steps and you should be set.

Setting up kippo-graph

To start, you will need to return to the root user by using the exit command. You will then need to install these packages.

apt-get install -y python-mysqldb mysql-server libapache2-mod-php5 php5-gd php5-mysql

This command will prompt you for a root password for the MySQL database. Enter a password you will be able to remember.

If you have problems with this step, you're most likely using 12.10 and not 12.04. I originally tried this with 12.10 and the mysql package wouldn't install correctly. It will complain about not being able to set the root password. So if you have this problem, start over with 12.04.

We will now log back into the kippo user account and change into the kippo directory.

su - kippo

cd kippo

Next we will need to access the MySQL database with the following command.

mysql -u root -p

This will prompt for the root password you set in the previous step. Just enter it and you can proceed.

This will give you a new prompt. With this new prompt you will need to enter these commands to set up the database.

(Replace Kippo-DB-pass with a password for the kippo MySQL user.)

CREATE DATABASE kippo;

GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-DB-pass';

exit

mysql -u kippo -p

USE kippo;

source ./doc/sql/mysql.sql;

exit

You will now want to stop your Kippo process if it's still running. This can be done with the kill command, but you will first need the PID. So start off by issuing the following command.

ps x

This will show all of the processes running as the kippo user. Look for a process with kippo in the name. When you find it, copy down the PID. Then stop it with the kill command like so, with the x's substituted with the PID.

kill xxxx

We will then have to reconfigure Kippo by changing values in the configuration file.

vi kippo.cfg

In that file you will want to change the following lines.

#[database_mysql]
#host = localhost
#database = kippo
#username = kippo
#password = secret
#port = 3306

The lines should be changed to look like the following. (Make sure you replace Kippo-DB-pass with the kippo database password you set above.)

[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass
port = 3306

You can now start up Kippo again with the following command.

./start.sh

Kippo will now be logging to a MySQL database. This is required for kippo-graph because that is where kippo-graph gets its data. We will now set up kippo-graph.

To continue, make sure you are the root user again by using the exit command.

The first step is to download kippo-graph with this command.

wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.7.tar

This command is for version 0.7.7 of kippo-graph. If the version changes, just change it in the above command.

We will now move the download into the correct directory and extract it.

mv kippo-graph-VERSION.tar /var/www

cd /var/www

tar xvf kippo-graph-VERSION.tar --no-same-permissions

cd kippo-graph

Now that it's in the right directory and extracted, we just have to set some file permissions and configure it.

chmod 777 generated-graphs

You will now just need to configure the following lines in the config.php file.

define('DB_HOST', 'localhost');
define('DB_USER', 'username');
define('DB_PASS', 'password');
define('DB_NAME', 'database');
define('DB_PORT', '3306');

Change these lines to look like the following. (Again, replace Kippo-DB-pass with the kippo database password.)

define('DB_HOST', 'localhost');
define('DB_USER', 'kippo');
define('DB_PASS', 'Kippo-DB-pass');
define('DB_NAME', 'kippo');
define('DB_PORT', '3306');
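The database part of the guide touches three places with the same credentials: the GRANT statement typed at the mysql prompt, the [database_mysql] block in kippo.cfg, and the define() lines in config.php. The script below is an added example, not from the post, Kippo or kippo-graph, that produces the SQL with the password properly quoted (so a password containing a quote or a backslash does not break the statement), uncomments the kippo.cfg block and sets its password, and fills in config.php. File paths are parameters; the post's locations are /home/kippo/kippo/kippo.cfg and /var/www/kippo-graph/config.php. Host, database, username and port keep the values shown in the post (localhost, kippo, kippo, 3306).

```shell
#!/bin/sh
# Added example (not from the original post, Kippo or kippo-graph): the
# MySQL statements, the kippo.cfg [database_mysql] block and kippo-graph's
# config.php, all fed the same password with the escaping each file needs.

# sq_escape VALUE: escape VALUE for a single-quoted MySQL or PHP string literal.
sq_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# sed_rhs_escape VALUE: escape VALUE for the right-hand side of a sed s||| command.
sed_rhs_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# kippo_db_sql DBUSER PASSWORD: the post's CREATE/GRANT statements, ready to
# pipe into "mysql -u root -p". The schema itself is still loaded from
# doc/sql/mysql.sql as in the post.
kippo_db_sql() {
    p=$(sq_escape "$2")
    printf '%s\n' \
        'CREATE DATABASE kippo;' \
        "GRANT ALL ON kippo.* TO '$1'@'localhost' IDENTIFIED BY '$p';"
}

# kippo_enable_mysql KIPPO_CFG PASSWORD: uncomment the [database_mysql] block
# the post shows and set its password line (the value is written raw, as
# Kippo's INI parser reads it). Stop Kippo before editing, start it after.
kippo_enable_mysql() {
    cfg=$1; p=$(sed_rhs_escape "$2")
    sed -e '/^#\[database_mysql\]/,/^#port[[:space:]]*=/ s/^#//' "$cfg" > "$cfg.tmp"
    sed -e "/^\[database_mysql\]/,/^port[[:space:]]*=/ s|^password[[:space:]]*=.*|password = $p|" \
        "$cfg.tmp" > "$cfg"
    rm -f "$cfg.tmp"
}

# kippograph_config CONFIG_PHP DBUSER PASSWORD: rewrite the define() lines
# from the post; DB_HOST and DB_PORT are left as shipped (localhost, 3306).
kippograph_config() {
    f=$1
    u=$(sed_rhs_escape "$(sq_escape "$2")")
    p=$(sed_rhs_escape "$(sq_escape "$3")")
    sed -e "s|^define('DB_USER',.*);|define('DB_USER', '$u');|" \
        -e "s|^define('DB_PASS',.*);|define('DB_PASS', '$p');|" \
        -e "s|^define('DB_NAME',.*);|define('DB_NAME', 'kippo');|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# php_define CONFIG_PHP NAME: print the value of define('NAME', '...').
php_define() {
    sed -n "s|^define('$2', *'\(.*\)');|\1|p" "$1" | head -n 1
}

# Typical use on the post's layout, with Kippo-DB-pass standing in for
# the real password:
#   kippo_db_sql kippo 'Kippo-DB-pass' | mysql -u root -p
#   mysql -u kippo -p kippo < /home/kippo/kippo/doc/sql/mysql.sql
#   kippo_enable_mysql /home/kippo/kippo/kippo.cfg 'Kippo-DB-pass'
#   kippograph_config /var/www/kippo-graph/config.php kippo 'Kippo-DB-pass'
```

Because config.php sits under the web root, make sure it is readable only by the web server user (root and www-data on the post's Ubuntu setup) rather than world-readable, since it now holds the database password in clear text.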

Now you should be all set. Just visit the following address and you should be able to access kippo-graph.

http://ipaddress/kippo-graph

You may want to generate some dummy data so some information will show up. If you have any problems feel free to comment or shoot me a message and I'll try my best to help you out.

Update: Sorry left out some steps. Should be fixed now.
