Tutorial

How To Install Kippo, an SSH Honeypot, on an Ubuntu Cloud Server

Published on June 20, 2013
author

James Summerill

How To Install Kippo, an SSH Honeypot, on an Ubuntu Cloud Server

Status: Deprecated

This article is deprecated and no longer maintained.

Reason

Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates.

According to the project README, Kippo is no longer maintained and has been superseded by Cowrie.

See Instead

This article may still be useful as a reference, but may not follow best practices or work on this or other Ubuntu releases. We strongly recommend using a recent article on Cowrie, Kippo’s successor project, written for the version of Ubuntu you are using.

If you are currently operating a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Introduction

Kippo is a SSH honeypot tool writen in Python that can log brute force attacks and the shell interaction performed by the said attacker. In this tutorial, I will show you how to setup Kippo and also how to add a simple solution which can help prevent brute force attacks on your cloud server.

Some interesting features that Kippo provides:

  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can ‘cat’ files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in an UML compatible format for easy replay with original timings
  • Just like Kojoney, Kippo saves files downloaded with wget for later inspection
  • Trickery; ssh pretends to connect somewhere, exit doesn’t really exit, etc

As qoute by desaster, creater of Kippo, “By running kippo, you’re virtually mooning the attackers. Just like in real life, doing something like that, you better know really well how to defend yourself!”

If you wish to learn more about kippo, please click here.

Please note: This guide assumes you already know how to create a cloud server. If not, please follow this guide before continuing. Furthermore, this is based on a fresh installation of Ubuntu 12.10 x32 server.

Step 1: Access and Update/Upgrade Your Ubuntu Cloud Server

Log into your cloud server with SSH:

ssh root@YOUR_IP_HERE

Input the following commands:

apt-get update

and

apt-get upgrade

Step 2: Changing the SSH port

Kippo logs everything that has been accessed via port 2222. But most automated tools which are used by hackers, default SSH to port 22. Thus, it would be a good idea to make kippo listen to port 22 instead. To do this, we need to change the port which your server uses for SSH. It is also good practice to change your SSH port for security issues, but you have to remember this when dealing with other 3rd party programs.

From now on, I will be using vi as my text editor. If you use something else like nano, just replace vi with nano.

vi /etc/ssh/sshd_config

You should see the file below:

Output

We need to change the port number to something else. In this example, it will be 8925.

# What ports, IPs and protocols we listen for
Port 8925

This should be the expected outcome. Save the file and exit into your terminal.

We need to restart SSH. Input:

reload ssh

Step 3: Installing Dependencies

We need to install kippo’s dependencies. Here are the following commands:

apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted 

Now we are going to use ‘subversion’ to download kippo:

:-$ apt-get install subversion 

Step 4: Creating the Kippo User

We add the user, setting the home directory to /home/kippo, the default login shell to /bin/bash then create the home directory. Finally we give this user sudo privileges:

useradd -d /home/kippo -s /bin/bash -m kippo -g sudo

Step 5: Change the Port Number to Port 22

On linux systems, the root user is the only user that can run ports below 1024. It’s also not a very good idea to run Kippo as root for security reasons. There has been a lot of discussion at length on this topic. But in this tutorial, we will use AuthBind for its ease of use.

(If you would like to use another method, you can do so and can skip to Step 6.)

Install AuthBind:

apt-get install authbind

Create a new file:

touch /etc/authbind/byport/22

Change the ownership to our Kippo user:

chown kippo /etc/authbind/byport/22

Change the permissions of the file to read, write, and execute:

:-$ chmod 777 /etc/authbind/byport/22

Step 6: Downloading and Configuring Kippo

From now on, we will be using our kippo user. Access kippo by:

su kippo

Make sure we are in our Kippo home dir:

cd

Download kippos SVN:

svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo 

Change directory to the dir which was downloaded:

cd kippo

We want to change our port number, from 2222, which kippo listens to by default, to port 22. Move and rename the config file which is provided:

mv kippo.cfg.dist kippo.cfg

Now we edit the file (Remember, I’m using Vi):

vi kippo.cfg

The config file should look like this:

Output

From here, we edit this:

# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 2222

to

# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 22

Save and quit.

Step 7: Startup Script

At this point, it’s a good idea to edit kippo’s startup script to use AuthBind for our SSH solution.

Open the script:

vi start.sh

You should see the following:

#!/bin/sh
echo -n "Starting kippo in background..."
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

We change:

twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

to

authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

Save and exit the file.

Now we start our script. You could automate this if your server ever restarts:

./start.sh

That should be it, everything is now being logged in /home/kippo/kippo/log/

Logging with Kippo

There are a few things which are logged without any extra configuration. One of which is the logging of unauthorized access. For example, when someone tries to login to our cloud server with SSH, not knowing that we have changed the port number, they would see something like this:

Output

As long as our start.sh script is running, our events will be logged in /home/kippo/kippo/log/kippo.log. Lets open that file with a text editor (of your choice) and see what has been logged (I am in the directory which we said above).

vi kippo.log

Doing this should display something of the lines of:

Output

Let’s break this down and get to know what is going on:

2013-05-09 00:34:55+0000 [-] Log opened.
2013-05-09 00:34:55+0000 [-] twistd 12.2.0 (/usr/bin/python 2.7.3) starting up.
2013-05-09 00:34:55+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2013-05-09 00:34:55+0000 [-] HoneyPotSSHFactory starting on 22
2013-05-09 00:34:55+0000 [-] Starting factory 

First of all, the log file is opened so that kippo is able to make additions. We fire up our python enviroment. From here, on the 3rd line of our log, we define our event loop (If you wish to learn what that is, click here). Our Kippo enviroment gets set to port 22 which we specified in our configuration file earlier. Finally, we initiate our factory enviroment which will do the bulk of the work of which Kippo does.

Now this is where the logging of intruders will be displayed. As you’ve seen before, we are still able to connect through the default SSH port 22. But remember that this is a dummy access point. This is what we want our intruder to believe when they’re “hacking” our cloud server. This is key because now this gives us the ability to log the users information and what is entered into the terminal window.

2013-05-09 00:35:21+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 176.255.34.109:47908 (198.211.109.193:22) [session: 0]
2013-05-09 00:35:21+0000 [HoneyPotTransport,0,176.255.34.109] Remote SSH version: SSH-2.0-OpenSSH_6.1p1 Debian-4
2013-05-09 00:35:21+0000 [HoneyPotTransport,0,176.255.34.109] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
2013-05-09 00:35:21+0000 [HoneyPotTransport,0,176.255.34.109] outgoing: aes128-ctr hmac-md5 none
2013-05-09 00:35:21+0000 [HoneyPotTransport,0,176.255.34.109] incoming: aes128-ctr hmac-md5 none
2013-05-09 00:35:26+0000 [HoneyPotTransport,0,176.255.34.109] NEW KEYS
2013-05-09 00:35:26+0000 [HoneyPotTransport,0,176.255.34.109] starting service ssh-userauth

Now as you see, kippo has logged that there has been a connection detected when the attacker tries to into the server with SSH. As you can see, we catch their IP address and what port they’re using (note the port 22, our dummy default port). If you look back on the “hacker’s” machine, you will see the regular RSA (algorithm) fingerprint identity pop up, something that you would normally see if it was your first time logging into your cloud server.

We can see this in our logs also. Outgoing and incoming transmissions of the keypair is passed from server to client. The new key is then accepted and the service for ssh-userauth is started. At this point, they are now where we would be as if we are logging straight into the server and had the correct SSH keys setup as server and client. But of course, we’re not here. This can be seen on the next line:

2013-05-09 00:35:26+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] root trying auth none
2013-05-09 00:35:26+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] root trying auth keyboard-interactive
2013-05-09 00:35:42+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] login attempt [root/chccbcaqkyoz] failed
2013-05-09 00:35:42+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] root failed auth keyboard-interactive
2013-05-09 00:35:42+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] unauthorized login:
2013-05-09 00:35:42+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] root trying auth keyboard-interactive
2013-05-09 00:35:44+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] login attempt [root/chccbcaqkyoz] failed
2013-05-09 00:35:44+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] root failed auth keyboard-interactive
2013-05-09 00:35:44+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] unauthorized login:
2013-05-09 00:35:44+0000 [SSHService ssh-userauth on HoneyPotTransport,0,176.255.34.109] root trying auth keyboard-interactive
2013-05-09 00:35:45+0000 [HoneyPotTransport,0,176.255.34.109] connection lost

It instantly tries to connect us through a SSH key, but it fails. The log also detects that our “hacker” is using the keyboard in his terminal window and once an action is complete, it will log it.

Here we see that the “hacker” tries to enter a password, ‘chccbcaqkyoz’, for the root user. Of course this will fail, but we would like to see what they’ve entered. This will go on and on until the user quits, which is when the connection is lost.

Conclusion

There is a lot more to this tool and you can play some mighty tricks on people if you like. But the main thing to remember is, always be weary about what you do on your cloud server. Think security before doing anything. Doing so will help you in the long run if you need to scale, hold more sensitive data, and a whole lot more.

I would recommend you to make sure you are changing default port settings for you server on a regular basis, like we did in this tutorial for SSH access. This will go a long way, plus you can do stuff like we just did!

In addition, check out the source code of kippo. It will give a better understanding of what this tool does.

Now, go use the password ‘12345’ and find out what else is logged!

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors
Default avatar
James Summerill

author

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
9 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

When running SVN, the following link results in a 403. http://kippo.googlecode.com/svn/trunk/

If you choose: https://github.com/desaster/kippo.git

It seems to work. Though, you have a deeper directory structure.

After making the edits, there are a number of errors.

When starting start.sh: Starting kippo in the background… Unhandled Error

The errors seem to be tied to twisted python. Anyone else having issues?

Ubuntu: 16.04 64x, fully updated.

in step 6 , unable to perform su kippo. it says authentication failure. !! but i have tried all known passwords to me,and it still doesn’t work. then i tried while creating kippo user with ‘sudo useradd …’ i gave a switch -p to set a password for the user kippo ,but still it doesnt work. Please Help Me

Thanks! Very nice tutorial :-)

@Sthacher That is correct.

Stefan I think the point is to change the port to something nonstandard so you aren’t logged. And when someone attempts to ssh in with port 22 they are logged. And you can see what methods they are using and if they actually know your passwords ect. and you can make the changes with out having to be hacked to prevent an actual intrusion.

so you would connect like this ssh -p 8925 user@0.0.0.0

Okay thanks Kamal :)

Kamal Nasser
DigitalOcean Employee
DigitalOcean Employee badge
July 7, 2013

@stefan you can just change Kippo’s port to 5022 instead of 22. If you want to do that, you can skip the AuthBind section.

What is i have changed the port to 5022 for me to login to ssh?

do i still change it to port 22?

You can find a pretty good PHP frontend for it over here: http://bruteforce.gr/kippo-graph

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.