Monday 28 October 2013

No bees to my honeypot

So unlike the girl on the left here, it seems that my honeypot as yet isn't enticing enough to warrant a look. Since I set the honeypot up a few weeks ago, all I have seen is port scans checking that the SSH port is open.
This has also tied in with some work travel and responsibilities, but hopefully this week I will get some time to set up Kippo Graph and look at ways of making my server look more enticing, and at least warrant a brute-force attempt against it!

Tuesday 8 October 2013

Enabling MySQL Logging for Kippo

At the moment my SSH honeypot isn't getting a large number of hits; the only interactions thus far have been with what would seem to be port scanners, where the connections are made and dropped within a few seconds with no user interaction. I have changed the default root password from "123456" to "Password1!" and changed the hostname from "nas3" to "Dev-server" in an effort to disguise it a little bit more.

The flat log files produced by Kippo are a good start, but later versions of Kippo come with the ability to log directly into a MySQL database, which will allow for more powerful integration with other data as well as the ability to extract information more easily. So while I wait for further interactions on my honeypot, now would be a good time to continue optimisation and automation of the process so I'm set up for the long haul. Luckily, later versions of Kippo are ready to log straight to SQL with minimal configuration, and instructions are provided on the Kippo project page.

Saturday 5 October 2013

Automating the Kippo review process - Part 1


With time being a commodity I do not have a lot of, it has quickly become apparent that the enthusiasm I now have for logging in and checking my Kippo honeypot every day will eventually wane. While Googling around for some ideas on what to look for when running Kippo, I came across the blog post "Reviewing Kippo Logs", in which the author, Andrew Waite, provides his script for a daily review of Kippo logs via email. I will look at customising this script to run on my honeypot.
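As an added example (not Andrew Waite's script and not code from the Kippo project), here is a small Python daily-review script in the spirit of the two posts above: it parses Kippo-style flat log lines, loads them into an SQLite table (standing in for the MySQL logging the earlier post mentions), and runs the queries a review email would carry: sessions that never attempted a login (the scan-and-drop behaviour seen so far), attempts per source IP, the most-tried credentials, and any successful logins. The log lines are constructed sample data in the shape I assume Kippo's text log takes; the field layout, table schema and function names are assumptions of this example rather than anything from the page.

```python
import re
import sqlite3

# Constructed sample lines in the shape of Kippo's flat log output (assumed format,
# not copied from the post): connection records, one dropped session, login attempts.
SAMPLE_LOG = """\
2013-10-05 06:12:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:51234 (10.0.0.5:2222) [session: 1]
2013-10-05 06:12:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] failed
2013-10-05 06:12:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password] failed
2013-10-05 06:12:07+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/Password1!] succeeded
2013-10-05 09:40:11+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.23:40001 (10.0.0.5:2222) [session: 2]
2013-10-05 09:40:11+0000 [kippo.core.honeypot.HoneyPotSSHFactory] connection lost
2013-10-05 11:02:44+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.99:33000 (10.0.0.5:2222) [session: 3]
2013-10-05 11:02:46+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.99] login attempt [admin/admin] failed
2013-10-05 11:02:48+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.99] login attempt [root/123456] failed
"""

# Two line shapes are recognised; everything else (e.g. "connection lost") is skipped.
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[kippo\.core\.honeypot\.HoneyPotSSHFactory\] "
    r"New connection: (?P<ip>[\d.]+):\d+ .*\[session: (?P<session>\d+)\]"
)
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)


def load_log(text, db=None):
    """Parse Kippo-style lines into two tables and return the sqlite connection.

    The schema is this example's own (assumed); an in-memory database is used so
    the script runs offline, but a file or MySQL connection would work the same way.
    """
    db = db or sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE IF NOT EXISTS sessions(session INTEGER, ts TEXT, ip TEXT);
        CREATE TABLE IF NOT EXISTS auth(session INTEGER, ts TEXT, ip TEXT,
                                        username TEXT, password TEXT, success INTEGER);
    """)
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            db.execute("INSERT INTO sessions VALUES (?,?,?)",
                       (int(m["session"]), m["ts"], m["ip"]))
            continue
        m = LOGIN_RE.match(line)
        if m:
            db.execute("INSERT INTO auth VALUES (?,?,?,?,?,?)",
                       (int(m["session"]), m["ts"], m["ip"], m["user"], m["password"],
                        1 if m["result"] == "succeeded" else 0))
    db.commit()
    return db


def daily_summary(db):
    """Return the figures a daily review email would carry, as plain Python values."""
    total_sessions = db.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]
    # Sessions that never tried to authenticate look like port scans / banner grabs.
    scan_only = db.execute(
        "SELECT COUNT(*) FROM sessions s WHERE NOT EXISTS "
        "(SELECT 1 FROM auth a WHERE a.session = s.session)").fetchone()[0]
    attempts_by_ip = db.execute(
        "SELECT ip, COUNT(*) FROM auth GROUP BY ip ORDER BY COUNT(*) DESC, ip").fetchall()
    top_creds = db.execute(
        "SELECT username || '/' || password AS cred, COUNT(*) FROM auth "
        "GROUP BY cred ORDER BY COUNT(*) DESC, cred LIMIT 5").fetchall()
    successes = db.execute(
        "SELECT ip, username, password FROM auth WHERE success = 1 ORDER BY ts").fetchall()
    return {
        "sessions": total_sessions,
        "scan_only": scan_only,
        "attempts_by_ip": attempts_by_ip,
        "top_credentials": top_creds,
        "successful_logins": successes,
    }


def format_report(summary):
    """Render the summary as the text body of a review email."""
    lines = [f"Sessions: {summary['sessions']} ({summary['scan_only']} with no login attempt)"]
    lines.append("Login attempts by source IP:")
    lines += [f"  {ip}: {n}" for ip, n in summary["attempts_by_ip"]]
    lines.append("Most-tried credentials:")
    lines += [f"  {cred}: {n}" for cred, n in summary["top_credentials"]]
    lines.append("Successful logins (sessions worth reading the TTY log for):")
    lines += [f"  {ip} as {user}/{pw}" for ip, user, pw in summary["successful_logins"]] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(daily_summary(load_log(SAMPLE_LOG))))
```

Run on a real Kippo log directory, the `SAMPLE_LOG` string would be replaced by reading the day's log file, and `format_report`'s output piped to `mail` from a cron job; the point of the SQL step is that each new question about the data (first-seen IPs, password reuse across sources) becomes a one-line query rather than another pass over the flat file.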

Friday 4 October 2013

Honeypots for blondes, Part 1

This is the first time I am setting up a honeypot, and I'll be taking my time and going through two different setups. Firstly I'll set up and play around with Kippo, and then once that is up and running I'm going to also install dionaea.

"Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker".

I'm not hiding from the Feds ... I promise!

... otherwise known as "Setting up PuTTY for use with Tor".

Sometimes, just sometimes, you do have something to hide, and in my case right now it's my IP address. There are times when you just don't want your home IP address being logged on a server somewhere, for someone not so very nice to find. This is the case for me as I am setting up a honeypot, and in case of the worst happening (my instance gets p0wned) I don't want my home IP address littered throughout the logs. So, to get around this, I am connecting with PuTTY using a Tor proxy to anonymise my IP address. So before any of you start to think up your witty "Tor isn't really anonymous" comments for the sections below... let me stop you... I am not using Tor to completely anonymise my actions, but so that the IP address logged on my honeypot system is not my own... for my own (paranoid) protection. For more information on Tor and internet privacy, you can see their website.