Wednesday, December 1, 2010

a fresh start ... and Kippo's ssh honeypot.

Well it's been a while. A lot has changed since my last update. I scored a job doing some security engineering on a small team with a big workload, which makes me happy.

Enough about that nonsense ...

I have a home server running Linux that I use for remote access over ssh. I had locked it down pretty well. I left it on the default port because I marvelled at the number of brute force attempts people would slam against it daily, but I never went beyond reviewing the logs.

Lately I've been setting up a lab to do some analysis on drive-by downloads, and one of the things I wanted to see in greater detail was the brute force ssh logins. This is where Kippo comes in. PaulDotCom has a great video on how to use Kippo as part of a pentest, but my requirements are a bit simpler: I just want to harvest some of the user/password pairs the attackers are trying.

The honeypot box I've set up is an Ubuntu 10.04 VM running behind an iptables-based firewall box that uses NAT to forward traffic to internal hosts. This was a cinch to set up with Firewall Builder.

Before running Kippo you might want to read the instructions on how to get it running on your OS / distro. Since I am using Ubuntu, I ran the command:

sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted

If you haven't already figured it out, Kippo is written in Python. After you unpack it, go into the kippo-0.5 folder and edit the kippo.cfg file to check over the settings.

Since I've already got NAT set up, I just created a rule to forward inbound port 22 to port 2222 on the honeypot. Listening on 2222 instead of 22 also allowed me to run Kippo under a normal user context, since binding a port below 1024 would need root. There are details on configuring your system for different scenarios on the Kippo page.

The kippo.log file should make for some entertaining reading tomorrow. Granted, "entertaining" is subjective.
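To pull the user/password pairs out of kippo.log, here is a small Python parser I've added as an example (it is not part of Kippo or of the original post). It assumes the Twisted-style prefix and the "login attempt [user/pass] failed|succeeded" message shape that Kippo writes, and the sample lines below are constructed, not real captures.

```python
import re
from collections import Counter

# Assumed kippo.log line shape: Twisted timestamp and context prefix, then
# "login attempt [user/password] failed" or "... succeeded". The password
# part is matched greedily so a "]" inside a guessed password still parses.
LOGIN_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,'
    r'\d+,(?P<ip>[\d.]+)\] login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] '
    r'(?P<result>failed|succeeded)$'
)

# Constructed sample lines (not real honeypot output); IPs are documentation ranges.
SAMPLE_LOG = """\
2010-12-01 23:10:02+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/123456] failed
2010-12-01 23:10:05+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/password] failed
2010-12-01 23:10:09+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/123456] succeeded
2010-12-01 23:14:41+0000 [HoneyPotTransport,4,203.0.113.9] connection lost
2010-12-01 23:14:42+0000 [SSHService ssh-userauth on HoneyPotTransport,5,203.0.113.9] login attempt [admin/admin] failed
2010-12-01 23:14:44+0000 [SSHService ssh-userauth on HoneyPotTransport,5,203.0.113.9] login attempt [root/123456] failed
"""

def parse_login_attempts(text):
    """Yield a dict (ts, ip, user, pw, result) for each login-attempt line; other lines are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, top=5):
    """Return (most common user/password pairs, attempts per source IP, pairs that 'succeeded').

    "succeeded" only means the guess matched the password configured in kippo.cfg,
    i.e. the attacker was let into the fake shell; it is worth tracking separately.
    """
    pairs, sources, succeeded = Counter(), Counter(), set()
    for a in parse_login_attempts(text):
        pairs[(a['user'], a['pw'])] += 1
        sources[a['ip']] += 1
        if a['result'] == 'succeeded':
            succeeded.add((a['user'], a['pw']))
    return pairs.most_common(top), dict(sources), succeeded

if __name__ == '__main__':
    top_pairs, per_ip, ok = summarize(SAMPLE_LOG)
    for (user, pw), n in top_pairs:
        print('%4d  %s/%s' % (n, user, pw))
    print('attempts per source:', per_ip)
    print('pairs that matched the honeypot password:', ok)
```

Point it at the real file with `summarize(open('log/kippo.log').read())` once a day's worth of traffic has come in.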
