Kippo-Graph 0.5 released!

Happy X-Mas! Get your honeypot gift: the new version of Kippo-Graph 🙂

Kippo-Graph reached version 0.5 and includes a new component: Kippo-Input, where I have put separate input-related tables about various commands. New graphs have also been added where suitable, and Kippo-Graph currently displays 15 in total. Two extras are the links for the files attackers downloaded and the online lookup feature for the top 10 IP addresses. Lastly, there is an update checker displayed on the index page that alerts you if there is a newer version available.

Download Kippo-Graph 0.5 from here: kippo-graph-0.5


Version 0.5:
+ Added Kippo-Input: display and visualization of input data, wget (with file links) and apt-get commands.
+ Added online version checking function (include/misc/versionCheck.php).
+ Added new pie charts, Kippo-Graph now shows 15 – updated gallery.
+ Added IP table on Kippo-Geo with whois/lookup feature.
+ Changed all files to .php.

For comments, suggestions, fixes, please use the Kippo-Graph page:


Kippo-Graph 0.4 released, introducing Kippo-Geo!

New version of Kippo-Graph released, with brand new features!

I have utilized the “QGoogleVisualizationAPI” PHP Wrapper for Google’s Visualization API by Thomas Schäfer and Kippo-Graph now has a component called Kippo-Geo that extracts geolocation information from the stored IP addresses and visualizes the data using Google Maps.

Download Kippo-Graph 0.4 from here: kippo-graph-0.4

An example of how it looks:


Version 0.4:
+ Added geolocation features at beta stage, using geoplugin and google maps/charts.
+ Fixed file/folder structure and updated config.php.
+ Added new logo.

For comments, suggestions, fixes, please use the Kippo-Graph page:

Kippo-Graph 0.3 released.

New version of Kippo-Graph with 3 additional graph charts and minor fixes.

Download it here: kippo-graph-0.3

Instructions inside the README.txt file.


Version 0.3:
+ Added 3 new input-related graphs.
+ Updated graph gallery.
+ Fixed minor web UI and graph details.
+ Added TODO.txt.
+ Updated README.txt

For comments, suggestions, fixes, please use the Kippo-Graph page:

Kippo-Graph 0.2 released!

Since I had some more time today, I decided to continue working on Kippo-Graph in order to make it usable and add the much needed web interface. I am pleased to say that it has a template now and it looks far better. See the README.txt file for instructions.

You can download it from here: kippo-graph-0.2

Local demo:


Version 0.2:
+ Added web template to Kippo-Graph.
+ Changed functionality of kippo-graph.php turning into a generator for the graphs.
- index.php removed.

Version 0.1:
+ Initial version.

For comments, suggestions, fixes, please use the Kippo-Graph page:

Kippo-Graph 0.1 released

Kippo-Graph is a simple script I wrote today to visualize statistics from a Kippo SSH honeypot.

It uses the Libchart PHP chart drawing library by Jean-Marc Trémeaux.

Kippo-Graph currently shows 7 charts: top 10 passwords, top 10 usernames, top 10 username/password combos, success ratio, connections per IP, probes per day, ssh clients.

You can download the initial version (0.1) here: kippo-graph-0.1

For comments, suggestions, fixes, please use the Kippo-Graph page:

The big post of Kippo scripts, front-ends, bash one-liners and SQL queries

Continuing on the previous posts about Kippo, and assuming you have already set it up, configured it and logged some probes or intrusions, let’s take a look at some of the scripts, front-ends, commands, and other useful third-party tools at our disposal to get a better understanding of what’s going on with our honeypots.


Logging Kippo events using MySQL DB

Continuing on the previous post about the Kippo SSH honeypot, let’s see how we can make our lives easier and log its events in a MySQL database instead of the hard-to-read text-based log files (located at kippo-dir/log by default). This post assumes that you have already followed the procedure and successfully installed Kippo on your Ubuntu Server (plus all the other things like adding a new user etc., as described in the previous post).

  1. We login as root in our box and install the required software packages:
apt-get install python-mysqldb mysql-server

MySQL server will ask for a root password, enter something a bit complex.

  2. We set up the database for Kippo logging:
mysql -u root -p
CREATE DATABASE kippo;
GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-DB-pass';
  3. We go to Kippo’s directory (normally /home/kippo/kippo/ if you followed the previous post) and load the table structures into the database:
mysql -u kippo -p
USE kippo;
source ./doc/sql/mysql.sql;

At this stage re-login as the ‘kippo’ user into the system.

  4. If Kippo is running we will have to kill it in order to change its configuration and start it again.
ps x

Look for a line like this: 10650 ? Sl  0:00 /usr/bin/python /usr/bin/twistd -y kippo.tac -l log/kippo.log --pidfile

The first column shows the process ID, and you will use this number to kill it:

kill 10650
  5. We are ready to make the necessary changes to Kippo’s config file:
nano kippo.cfg

Here we un-comment the following lines and type the correct data:

host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass
  6. We are now ready to start Kippo again:

Check that Kippo is running:

netstat -antp

where you should see a line like this: tcp 0  0*  LISTEN  10650/python

We are now ready! To see the logging events in the database, you can use simple SQL commands like:

$ mysql -u kippo -p
USE kippo;
  7. (OPTIONAL) In order to make things even easier we can install phpmyadmin, a web GUI for our MySQL server:
sudo apt-get install phpmyadmin

It will be located at: http://server-ip/phpmyadmin and you can login as root (with MySQL’s root password that you entered above) or better yet as the kippo user (using kippo’s password, in our example “Kippo-DB-pass”).
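The post stops at `USE kippo;` without showing the queries themselves. As an added example (not part of the original post, and not code from Kippo or Kippo-Graph), the script below builds a reduced copy of the tables that Kippo's doc/sql/mysql.sql loads (auth, sessions and clients; their column names are an assumption about that file) in an in-memory SQLite database, inserts a few constructed rows, and runs the SELECT statements behind the seven charts the Kippo-Graph 0.1 post lists: top passwords, top usernames, username/password combos, success ratio, connections per IP, probes per day and SSH clients. The same statements can be pasted unchanged into the `mysql -u kippo -p` session above.

```python
import sqlite3

# Reduced mirror of the tables that Kippo's doc/sql/mysql.sql loads (auth,
# sessions, clients), rewritten in SQLite syntax so this runs offline.
# The column names are an assumption about Kippo's schema, not taken from the post.
SCHEMA = """
CREATE TABLE sessions (
    id        TEXT PRIMARY KEY,     -- session id
    starttime TEXT NOT NULL,
    endtime   TEXT,
    sensor    INTEGER NOT NULL,
    ip        TEXT NOT NULL,        -- source address of the SSH client
    termsize  TEXT,
    client    INTEGER               -- references clients.id
);
CREATE TABLE auth (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    session   TEXT NOT NULL,
    success   INTEGER NOT NULL,     -- 1 if the honeypot accepted the login
    username  TEXT NOT NULL,
    password  TEXT NOT NULL,
    timestamp TEXT NOT NULL
);
CREATE TABLE clients (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    version TEXT NOT NULL           -- SSH client banner
);
"""

# Constructed sample data (documentation-range addresses, not real probes):
# three sessions from two sources, six login attempts, one accepted.
CLIENTS = [(1, "SSH-2.0-libssh-0.1"), (2, "SSH-2.0-PuTTY_Release_0.60")]
SESSIONS = [
    ("s1", "2011-12-20 10:00:00", "2011-12-20 10:00:05", 1, "198.51.100.7", None, 1),
    ("s2", "2011-12-20 11:30:00", "2011-12-20 11:31:00", 1, "198.51.100.7", "80x24", 1),
    ("s3", "2011-12-21 09:15:00", None, 1, "203.0.113.42", None, 2),
]
AUTH = [
    ("s1", 0, "root", "123456", "2011-12-20 10:00:01"),
    ("s1", 0, "root", "password", "2011-12-20 10:00:03"),
    ("s2", 0, "root", "toor", "2011-12-20 11:30:01"),
    ("s2", 1, "root", "123456", "2011-12-20 11:30:02"),
    ("s3", 0, "admin", "admin", "2011-12-21 09:15:01"),
    ("s3", 0, "root", "toor", "2011-12-21 09:15:02"),
]

# One query per chart in the Kippo-Graph 0.1 list. Results are ordered by
# count and then by name so that ties come out in a stable order.
QUERIES = {
    "top_passwords": "SELECT password, COUNT(*) AS cnt FROM auth "
                     "GROUP BY password ORDER BY cnt DESC, password LIMIT 10",
    "top_usernames": "SELECT username, COUNT(*) AS cnt FROM auth "
                     "GROUP BY username ORDER BY cnt DESC, username LIMIT 10",
    "top_combos": "SELECT username, password, COUNT(*) AS cnt FROM auth "
                  "GROUP BY username, password "
                  "ORDER BY cnt DESC, username, password LIMIT 10",
    "success_ratio": "SELECT success, COUNT(*) FROM auth "
                     "GROUP BY success ORDER BY success",
    "connections_per_ip": "SELECT ip, COUNT(*) AS cnt FROM sessions "
                          "GROUP BY ip ORDER BY cnt DESC, ip LIMIT 10",
    "probes_per_day": "SELECT DATE(starttime), COUNT(*) FROM sessions "
                      "GROUP BY DATE(starttime) ORDER BY DATE(starttime)",
    "ssh_clients": "SELECT c.version, COUNT(*) AS cnt FROM sessions s "
                   "JOIN clients c ON c.id = s.client "
                   "GROUP BY c.version ORDER BY cnt DESC, c.version LIMIT 10",
}


def build_sample_db():
    """Create the schema in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO clients VALUES (?, ?)", CLIENTS)
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?, ?, ?, ?)", SESSIONS)
    conn.executemany(
        "INSERT INTO auth (session, success, username, password, timestamp) "
        "VALUES (?, ?, ?, ?, ?)", AUTH)
    conn.commit()
    return conn


def run_chart(conn, name):
    """Return the rows behind one chart as a list of tuples."""
    return conn.execute(QUERIES[name]).fetchall()


def success_ratio(conn):
    """Accepted vs. rejected logins, e.g. {'failed': 5, 'success': 1}."""
    rows = dict(run_chart(conn, "success_ratio"))
    return {"failed": rows.get(0, 0), "success": rows.get(1, 0)}


if __name__ == "__main__":
    db = build_sample_db()
    for chart in QUERIES:
        print(chart)
        for row in run_chart(db, chart):
            print("   ", *row)
```

With the real database, `sessions.ip` is what Kippo-Geo later feeds to geolocation, and `auth.success = 1` rows are the sessions worth inspecting first, since those are the ones where the attacker got a shell on the honeypot.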