This morning I caused myself a problem. Annoyingly it was foreseeable and avoidable; that is my excuse (not great, but I’ll stick to it). But as every problem is merely an opportunity in disguise, whilst I’m re-building systems I might as well document the process. The original InfoSanity guide for installing Kippo was based on the latest stable version, but I rapidly migrated to the development SVN on learning of the MySQL logging capabilities, so this guide covers that.
Packages
As I’m using a Debian system a lot of the system pre-requisites are packaged. These aren’t all needed immediately, but we might as well grab them all at once.
apt-get install subversion # for the svn checkout
apt-get install python-twisted python-mysqldb # Python and required modules
apt-get install mysql-server # MySQL server for the logging database
Basic Kippo setup
Grab Kippo directly from SVN; at the time of writing I got version 160 (see the project’s latest instructions):
svn checkout http://kippo.googlecode.com/svn/trunk/ /opt/kippo-svn
Now we can start the honeypot system:
cd /opt/kippo-svn && ./start.sh
That’s it; that is all that is required to get the system running. To confirm, you can SSH locally with ssh -p2222 root@127.0.0.1; unless you’ve jumped ahead and edited the config, the password will be 123456.
MySQL
Log into MySQL via the command line and, assuming you’ve not modified the kippo.cfg database directives, build the database:
create database kippo;
grant all on kippo.* to 'kippo'@'localhost' identified by 'secret';
Next edit kippo.cfg with your database/user/password and uncomment the [database] configuration directives. REMEMBER to uncomment the ;[database] line itself, not just the parameters; that has now caught me out twice.
Finally, build the database structure with the script that can be found in <kippo>/doc/sql/:
cd /opt/kippo-svn/doc/sql && mysql -ukippo -psecret kippo < mysql.sql
Restart your Kippo process and you should be good: re-test access to the shell and view the database tables to confirm that logs are being written to the database.
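Because the commented ;[database] header is the step that keeps catching people out, here is an added helper script (mine, not part of Andrew’s post or of the Kippo project) that switches the section on and then checks that the header itself, not just the parameters, is active. It assumes the SVN-era kippo.cfg layout of a ';[database]' (or '#[database]') header followed by host/database/username/password keys; the sample config it builds is constructed for illustration, and the MySQL steps above (create database, grant, load mysql.sql) still have to be run separately.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Kippo project.
# Enables the [database] block of a kippo.cfg and verifies the header itself
# is uncommented. Assumes the SVN-era layout: a ';[database]' or '#[database]'
# header followed by host/database/username/password keys.
# Values passed in must not contain '/' or '&', which sed treats specially.

# database_section_status FILE
# Prints "enabled", "commented" or "missing" for the [database] header.
database_section_status() {
    if grep -q '^\[database\]' "$1"; then
        echo enabled
    elif grep -q '^[;#][[:space:]]*\[database\]' "$1"; then
        echo commented
    else
        echo missing
    fi
}

# enable_database_section FILE DBNAME USER PASSWORD
# Uncomments the header, then rewrites the connection keys that follow it.
enable_database_section() {
    cfg="$1"; db="$2"; user="$3"; pass="$4"
    # Step 1: the header line, which is the part everyone forgets.
    sed 's/^[;#][[:space:]]*\[database\]/[database]/' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    # Step 2: only lines between the [database] header and the next section.
    sed "/^\[database\]/,/^\[/ {
        s/^[;#]*[[:space:]]*host[[:space:]]*=.*/host = localhost/
        s/^[;#]*[[:space:]]*database[[:space:]]*=.*/database = $db/
        s/^[;#]*[[:space:]]*username[[:space:]]*=.*/username = $user/
        s/^[;#]*[[:space:]]*password[[:space:]]*=.*/password = $pass/
    }" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# make_sample_cfg FILE
# Writes a constructed kippo.cfg fragment with the database block commented out,
# i.e. the state the post warns about.
make_sample_cfg() {
    cat > "$1" <<'EOF'
[honeypot]
ssh_port = 2222
hostname = nas3

# MySQL logging module (constructed sample; header still commented)
;[database]
;host = localhost
;database = kippo
;username = kippo
;password = secret
EOF
}

# Usage: sh enable_db.sh /opt/kippo-svn/kippo.cfg kippo kippo secret
if [ "$#" -eq 4 ]; then
    enable_database_section "$1" "$2" "$3" "$4"
    echo "[database] section is now: $(database_section_status "$1")"
fi
```

Run it against the real kippo.cfg with the database name, user and password you granted above; if it reports anything other than "enabled", the header is still commented and Kippo will carry on logging only to text files.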
Happy Honeypotting
–Andrew Waite
Oh… and when editing kippo.cfg don’t forget to uncomment ‘[database]’ – I’ve lost 25 sessions… that’s what you get when you fall asleep working :/
Thanks! I was trying to figure out why it wasn’t working… it was the [database] commented issue.
Seems it catches most people out. Glad you got it running.
Let us know if you get any interesting results.
I’ve actually had this running for a little under 2 days and have already had two people try and connect! One was really funny to watch: they wget some tools, and I had a laugh watching them try to make a user and have to put in a “favorite movie”.
The second person connected and then disconnected right after, but got stuck in the fake localhost prompt, and then quit out… awesome stuff haha!
I got the ajaxterm up and running on my webserver (as the same limited user that runs the honeypot) and I created a basic PHP script that automatically lists the logs on my server. Check it out: http://daveeddy.com/kippologs/
Nice work! Just watched the first capture, always good for a laugh.
Couldn’t see anything on your blog, any chance you could write up the process for getting ajaxterm running? It’s been on my to-do list for a while (and I know others who are looking at the same thing), a decent install guide would be useful.
Yeah definitely! I’ll get it up sometime this week. I have heavily modded the ajaxterm.py file to make it more secure so I’ll zip that up and post it as well.
http://www.daveeddy.com/tutorials-scripts/ubuntu/ajaxterm-for-kippo-logs/
Not sure if the last one posted or not, I think my browser messed up… anyways enjoy
Nice work Dave, just had a read through and sounds nice and easy. Now know what I’ll be doing next time I get some free lab time 😉
Cheers for sharing with the rest of us.
Another thing to note (as per https://code.google.com/p/kippo/wiki/FAQ – last comment) is the size of max_allowed_packet in the MySQL configuration. Mine (mysql-server package on Ubuntu Server 11.04 32-bit) was at 16MB by default though (cat /etc/mysql/my.cnf | grep max_allowed_packet)