Logging Kippo events using MySQL DB

Continuing on the previous post about the Kippo SSH honeypot, let’s see how we can make our lives easier and log its events in a MySQL database instead of the difficult-to-read text-based log files (located at kippo-dir/log by default). This post assumes that you have already followed the procedure and successfully installed Kippo on your Ubuntu Server (plus all the other things like adding a new user, as described in the previous post).

  1. We log in as root on our box and install the required software packages:

apt-get install python-mysqldb mysql-server

The MySQL server will ask for a root password; choose something reasonably strong.

  2. We set up the database and a dedicated database user for Kippo’s logging:

mysql -u root -p
CREATE DATABASE kippo;
GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-DB-pass';
exit

  3. We go to Kippo’s directory (normally /home/kippo/kippo/ if you followed the previous post) and load the table structure into the database:

mysql -u kippo -p
USE kippo;
source ./doc/sql/mysql.sql;
exit

At this stage, log in to the system again as the ‘kippo’ user.

  4. If Kippo is running, we have to kill it before changing its configuration and then start it again. First find its process:

ps x

Look for a line like this: 10650 ? Sl  0:00 /usr/bin/python /usr/bin/twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

The first column is the process ID; use this number to kill the process:

kill 10650

  5. We are ready to make the necessary changes to Kippo’s config file:

nano kippo.cfg

Here we un-comment the following lines and fill in the correct values:

[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass

  6. We are now ready to start Kippo again:

./start.sh

Check that Kippo is running:

netstat -antp

where you should see a line like this: tcp 0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  10650/python

We are now ready! To see the logged events in the database, you can use simple SQL commands like:

mysql -u kippo -p
USE kippo;
SELECT * FROM auth;
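A plain SELECT * FROM auth stops being readable after the first night of traffic, so the queries worth keeping are aggregates over the auth, sessions and input tables that doc/sql/mysql.sql creates. The script below is an added example and not Kippo’s own code: the tables are a trimmed copy of that schema (assumption: the column names match it), the rows are constructed sample data, and SQLite stands in for MySQL so it runs without a server. Against the real database you would open the connection with MySQLdb.connect(...) and swap the '?' placeholders for '%s'; the SQL itself runs unchanged.

```python
"""Summarise the login data Kippo writes to its MySQL tables.

Added example, not Kippo's own code. The three tables are a trimmed copy of
the ones created by Kippo's doc/sql/mysql.sql (assumption: the column names
match that schema), filled with constructed sample rows and kept in SQLite so
the script runs without a MySQL server. Against the real database, open the
connection with MySQLdb.connect(...) instead and change the '?' placeholders
to '%s'; the SQL itself is plain enough to run unchanged.
"""
import sqlite3

SCHEMA = """
CREATE TABLE sessions (
    id        TEXT PRIMARY KEY,   -- 32-character session id
    starttime TEXT NOT NULL,
    endtime   TEXT,
    ip        TEXT NOT NULL       -- source address of the SSH client
);
CREATE TABLE auth (
    id        INTEGER PRIMARY KEY,
    session   TEXT NOT NULL,
    success   INTEGER NOT NULL,   -- 1 if the honeypot accepted the login
    username  TEXT NOT NULL,
    password  TEXT NOT NULL,
    timestamp TEXT NOT NULL
);
CREATE TABLE input (
    id        INTEGER PRIMARY KEY,
    session   TEXT NOT NULL,
    timestamp TEXT NOT NULL,
    success   INTEGER NOT NULL,   -- 1 if the fake shell knew the command
    input     TEXT NOT NULL       -- the command line the client typed
);
"""

# Constructed sample data (documentation-range IPs): two sessions from one
# host, the second of which guesses the honeypot's accepted password.
SESSIONS = [  # (id, starttime, endtime, ip)
    ("a" * 32, "2014-05-01 10:00:00", "2014-05-01 10:00:05", "192.0.2.10"),
    ("b" * 32, "2014-05-01 10:01:00", "2014-05-01 10:03:00", "192.0.2.10"),
    ("c" * 32, "2014-05-01 11:00:00", "2014-05-01 11:00:02", "198.51.100.7"),
]
AUTH = [  # (session, success, username, password, timestamp)
    ("a" * 32, 0, "root", "123456", "2014-05-01 10:00:01"),
    ("a" * 32, 0, "root", "password", "2014-05-01 10:00:03"),
    ("b" * 32, 0, "root", "toor", "2014-05-01 10:01:01"),
    ("b" * 32, 1, "root", "123456", "2014-05-01 10:01:02"),
    ("c" * 32, 0, "admin", "admin", "2014-05-01 11:00:01"),
    ("c" * 32, 0, "root", "123456", "2014-05-01 11:00:02"),
]
INPUT = [  # (session, timestamp, success, input)
    ("b" * 32, "2014-05-01 10:01:10", 1, "uname -a"),
    ("b" * 32, "2014-05-01 10:01:20", 1, "cat /proc/cpuinfo"),
]


def build_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?)", SESSIONS)
    conn.executemany(
        "INSERT INTO auth (session, success, username, password, timestamp) "
        "VALUES (?, ?, ?, ?, ?)", AUTH)
    conn.executemany(
        "INSERT INTO input (session, timestamp, success, input) "
        "VALUES (?, ?, ?, ?)", INPUT)
    conn.commit()
    return conn


def top_credentials(conn, limit=5):
    """Most frequently tried username/password pairs, most frequent first."""
    return conn.execute(
        "SELECT username, password, COUNT(*) AS n FROM auth "
        "GROUP BY username, password "
        "ORDER BY n DESC, username, password LIMIT ?", (limit,)).fetchall()


def attempts_by_ip(conn):
    """Per source IP: total login attempts and how many the honeypot accepted."""
    return conn.execute(
        "SELECT s.ip, COUNT(*) AS attempts, SUM(a.success) AS accepted "
        "FROM auth a JOIN sessions s ON s.id = a.session "
        "GROUP BY s.ip ORDER BY attempts DESC, s.ip").fetchall()


def commands_after_login(conn):
    """Commands typed in sessions where a login was accepted, with source IP."""
    return conn.execute(
        "SELECT s.ip, i.input FROM input i "
        "JOIN sessions s ON s.id = i.session "
        "WHERE i.session IN (SELECT session FROM auth WHERE success = 1) "
        "ORDER BY i.timestamp").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("top credentials:", top_credentials(db))
    print("attempts by ip: ", attempts_by_ip(db))
    print("post-login cmds:", commands_after_login(db))
```

The join through sessions is what turns the auth rows into something actionable: auth only carries the session id, so the source IP of every guess lives in sessions.ip, and the last query ties the commands in input to the session whose login the honeypot accepted.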

  7. (OPTIONAL) To make things even easier we can install phpMyAdmin, a web GUI for our MySQL server:

sudo apt-get install phpmyadmin

It will be available at http://server-ip/phpmyadmin, and you can log in as root (with the MySQL root password you entered above) or, better yet, as the kippo user (with kippo’s password, “Kippo-DB-pass” in our example).

Installing Kippo SSH Honeypot on Ubuntu

I decided to set up a simple SSH honeypot on a small VPS (192MB RAM) to see whether they actually record attacks. The honeypot I chose was Kippo, a simple SSH honeypot written in Python with several useful features. Here is a guide to the installation and configuration of Kippo, following the procedure I personally used. It was tested on Ubuntu Server 11.04 and 14.04, but the procedure on any other Ubuntu/Debian-based system should be the same.

  1. First we log in as root on our box and update and upgrade the system:

apt-get update && apt-get upgrade

  2. Kippo “listens” on port 2222 by default, which is fine for testing, but it reduces the chances of recording any attacks, because the automated tools attackers run target the default SSH port 22. So it is better to make Kippo listen on port 22. To do this you must first move your own SSH server to another port, so that you can still connect to the system. We edit the configuration file of the SSH server (sshd):

nano /etc/ssh/sshd_config

We change the Port 22 option to another port, e.g. 2222. We then restart the SSH server:

/etc/init.d/ssh restart

At this point it is a good idea to open a second session on the new port and confirm it works before closing the current one, so that a mistake in sshd_config cannot lock you out.


  3. We continue by installing the software packages Kippo requires:

apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

We could download the latest stable release of Kippo (0.9), but it is better to use the latest development version directly from GitHub. For this we need git:

apt-get install git

Another issue with using port 22 is that on Linux only the root user may bind ports below 1024, and for safety reasons we should not run Kippo as root. Kippo’s website offers several ways to run a honeypot on port 22, but the simplest is the authbind utility:

apt-get install authbind

  4. Before going any further, create a new non-root user to run Kippo as:

adduser kippo

and add it to the list of users allowed to run sudo:

visudo

where we add the line:

kippo ALL=(ALL:ALL) ALL

below the line for the “root” user.

We finish the steps that allow the kippo user to bind port 22 through authbind:

touch /etc/authbind/byport/22
chown kippo:kippo /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22

(authbind only requires this file to be executable by the user binding the port, so a tighter mode such as 755 works just as well.)

At this point we log in to the system as the ‘kippo’ user and go to its home directory (/home/kippo).

  5. Download the latest Kippo version from GitHub:

git clone https://github.com/desaster/kippo.git

Enter the cloned directory, create the config file from the template and change the port (the ssh_port option) from 2222 to 22:

cd kippo
cp kippo.cfg.dist kippo.cfg
nano kippo.cfg
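Both posts have you edit kippo.cfg by hand: the port here, and the [database_mysql] block in the MySQL logging post. A section left commented out or a port never changed are the usual reasons start.sh appears to work while nothing listens on 22 or nothing reaches the database. The checker below is an added example, not part of Kippo: it parses kippo.cfg with configparser and reports both mistakes, plus a password still set to the example value from the logging post. It assumes the option is named ssh_port under [honeypot] as in kippo.cfg.dist, and the three config excerpts it runs against are constructed, not real files.

```python
"""Check a kippo.cfg for the two hand edits the posts rely on.

Added example, not part of Kippo. It parses the INI-style kippo.cfg with
configparser and reports whether the listener is still on the default port
and whether the [database_mysql] section is still commented out, incomplete,
or left with the post's example password. Assumptions: the option is named
ssh_port under [honeypot] (as in kippo.cfg.dist) and the three sample
configs below are constructed excerpts, not real files.
"""
import configparser

REQUIRED_DB_KEYS = ("host", "database", "username", "password")
EXAMPLE_PASSWORD = "Kippo-DB-pass"   # placeholder used in the logging post


def check_config(text, expected_port=22):
    """Return a list of problems found in the kippo.cfg text; empty means ready."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []

    if not cp.has_section("honeypot"):
        problems.append("honeypot: section missing")
    else:
        # getint returns the fallback when the option is absent
        port = cp.getint("honeypot", "ssh_port", fallback=None)
        if port != expected_port:
            problems.append(f"ssh_port: is {port}, expected {expected_port}")

    if not cp.has_section("database_mysql"):
        # lines starting with '#' are comments, so a commented-out block
        # simply does not exist as far as configparser is concerned
        problems.append("database_mysql: section missing (still commented out?)")
    else:
        for key in REQUIRED_DB_KEYS:
            if not cp.get("database_mysql", key, fallback=""):
                problems.append(f"database_mysql: {key} is missing or empty")
        if cp.get("database_mysql", "password", fallback="") == EXAMPLE_PASSWORD:
            problems.append("database_mysql: password is still the post's example value")
    return problems


# Constructed excerpt 1: port changed, MySQL block left as kippo.cfg.dist ships it.
CFG_DB_COMMENTED = """
[honeypot]
ssh_addr = 0.0.0.0
ssh_port = 22

#[database_mysql]
#host = localhost
#database = kippo
#username = kippo
#password = secret
"""

# Constructed excerpt 2: MySQL block filled in, but the port and the example
# password were never changed.
CFG_DEFAULT_PORT = """
[honeypot]
ssh_addr = 0.0.0.0
ssh_port = 2222

[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass
"""

# Constructed excerpt 3: what a finished kippo.cfg should look like.
CFG_READY = """
[honeypot]
ssh_addr = 0.0.0.0
ssh_port = 22

[database_mysql]
host = localhost
database = kippo
username = kippo
password = constructed-unique-passphrase
"""

if __name__ == "__main__":
    for name, cfg in (("commented", CFG_DB_COMMENTED),
                      ("default port", CFG_DEFAULT_PORT),
                      ("ready", CFG_READY)):
        print(name, "->", check_config(cfg) or "OK")
```

To run it against a real file, pass open("kippo.cfg").read() to check_config() before starting the honeypot; an empty list means both edits are in place.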

  6. Finally, edit the Kippo start script:

nano start.sh

changing the following command from

twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

to

authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

so that it uses authbind to “listen” on port 22. Then run the honeypot:

./start.sh

  7. We check that the port is actually open and Kippo is “listening”:

sudo netstat -antp

where there should be a line like this:

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 22627/python

We are ready. From now on, any attempt to connect to port 22 of the system is recorded by Kippo, and the log files are stored in the log folder under Kippo’s directory.