Installing an ssh honeypot on Debian 7 (kippo)

1. Install the prerequisites

apt-get install python-twisted authbind

2. Create a user and the directories and files it needs to run

adduser kippo

touch /etc/authbind/byport/22
chown kippo:kippo /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22

cd /home/kippo

su kippo

3. Fetch the honeypot

svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo

4. Edit the configs (inside the checked-out kippo directory)

mv kippo.cfg.dist kippo.cfg

Next, in kippo.cfg change the port from 2222 to 22.

Then in start.sh change the twistd line so that it runs under authbind:

- twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
+ authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid

5. Start kippo:

./start.sh


kippo@XXX:~/kippo$ ./start.sh
Starting kippo in background...Generating RSA keypair...
done.

6. From here on all that is left is to watch the logs in /home/kippo/kippo/log/kippo.log

Once the password has been brute-forced (the default password is 123456), the attacker lands in a kind of virtual shell in which he cannot see any real sensitive information, and every step he takes is logged. Here is a fragment of the log:

2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,xx.xx.xx.xx] login attempt [root/123456] succeeded
2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,xx.xx.xx.xx] root authenticated with keyboard-interactive
2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,xx.xx.xx.xx] starting service ssh-connection
2013-11-20 18:03:46+0400 [SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] got channel session request
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] channel open
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] pty request: xterm (24, 80, 0, 0)
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Terminal size: 24 80
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] getting shell
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Opening TTY log: log/tty/20131120-180346-4421.log
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] /etc/motd resolved into /etc/motd
2013-11-20 18:03:48+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls
2013-11-20 18:03:48+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Command found: ls
2013-11-20 18:03:49+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls -la
2013-11-20 18:03:49+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Command found: ls -la
2013-11-20 18:03:56+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls /
2013-11-20 18:03:56+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Command found: ls /
2013-11-20 18:04:03+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls /root/
2013-11-20 18:04:03+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Command found: ls /root/
2013-11-20 18:04:06+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls -al /root/
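Reading kippo.log by hand stops being practical after the first few hundred brute-force attempts. The following is an added example, not part of the original post and not kippo's own code: a small Python parser for the text log format shown above that pulls out login attempts (user, password, success/failure) and the commands typed in the emulated shell, grouped by source IP. The log lines embedded in it are constructed for the demo (documentation-range IPs, invented credentials) but follow the exact format of the excerpt; on a real install you would feed it /home/kippo/kippo/log/kippo.log.

```python
# Added example: summarize kippo's text log per source IP.
# Not part of kippo; the sample lines below are constructed for this demo.
import re
import sys
from collections import defaultdict

# Constructed sample, same layout as kippo.log: timestamp, a bracketed
# context ending in ",<session-id>,<source-ip>", then the message.
SAMPLE_LOG = """\
2013-11-20 18:03:40+0400 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/toor] failed
2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/123456] succeeded
2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] root authenticated with keyboard-interactive
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.7] Terminal size: 24 80
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.7] Opening TTY log: log/tty/20131120-180346-4421.log
2013-11-20 18:03:48+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.7] CMD: ls
2013-11-20 18:03:48+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.7] Command found: ls
2013-11-20 18:04:03+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.7] CMD: ls /root/
2013-11-20 18:04:03+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.7] Command found: ls /root/
2013-11-20 18:04:10+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,203.0.113.7] CMD: uname -a
2013-11-20 18:05:01+0400 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.9] login attempt [admin/admin] failed
"""

# Generic line shape: "<ts> [<context>,<session>,<ip>] <message>".
# The context part never contains "]" and the ip never contains ",",
# so the greedy context group backtracks to the last ",<digits>,<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[(?P<ctx>[^\]]*),(?P<sid>\d+),(?P<ip>[^\],]+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)"
)
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")


def parse_line(line):
    """Return a dict describing one log line, or None if it is not a kippo line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"ts": m["ts"], "ip": m["ip"], "session": int(m["sid"]),
             "kind": "other", "msg": m["msg"]}
    lm = LOGIN_RE.search(m["msg"])
    if lm:
        event.update(kind="login", user=lm["user"], password=lm["pw"],
                     success=lm["result"] == "succeeded")
        return event
    cm = CMD_RE.match(m["msg"])
    if cm:
        event.update(kind="cmd", cmd=cm["cmd"])
    return event


def summarize(text):
    """Group login attempts and shell commands by attacking IP."""
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                  "credentials": [], "commands": []})
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        entry = per_ip[event["ip"]]
        if event["kind"] == "login":
            entry["attempts"] += 1
            entry["credentials"].append((event["user"], event["password"]))
            if event["success"]:
                entry["successes"] += 1
        elif event["kind"] == "cmd":
            entry["commands"].append(event["cmd"])
    return dict(per_ip)


def main(argv):
    # Read a real log if a path is given, otherwise the constructed sample.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    for ip, entry in sorted(summarize(text).items()):
        print(f"{ip}: {entry['attempts']} attempts, {entry['successes']} successes")
        for user, pw in entry["credentials"]:
            print(f"    tried {user}/{pw}")
        for cmd in entry["commands"]:
            print(f"    CMD {cmd}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 kippo_summary.py /home/kippo/kippo/log/kippo.log` (the file name is an assumption). The per-IP counts of attempts versus successes are the first thing to look at: an IP with many attempts and one success followed by commands is a full interactive session and its TTY replay file (the "Opening TTY log" line) is worth reviewing.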
