Tuesday 8 October 2013

Enabling MySQL Logging for Kippo

At the moment my SSH honeypot isn't getting a large amount of hits; the only interactions thus far have been with what would seem to be port scanners, where the connections are made and dropped within a few seconds with no user interaction. I have changed the default root password from "123456" to "Password1!" and changed the hostname from "nas3" to "Dev-server" in an effort to disguise it a little bit more.

The flat log files produced by Kippo are a good start, but the later versions of Kippo come with the ability to log directly into a MySQL database, which will allow for more powerful integration with other data as well as give the ability to extract information more easily. So while I wait for further interactions on my honeypot, now would be a good time to continue optimisation and automation of the process so I'm set up for the long haul. Luckily the later versions of Kippo are ready to log straight to SQL with minimal configuration, and instructions are provided on the Kippo project page.


The first step was to set up a database instance for use with Kippo, as I am using the free tier of EC2, Amazon kindly provide a free trial of their RDS (Managed Relational Database Service) as well. I've started out by simply launching an instance and choosing "MySQL Community Edition" as my database engine. This decision to use MySQL over MS SQL Server is based on the fact that Kippo Graph and many other third party add-ons for Kippo have been built for MySQL. I will not go into detail on setting up the database instance as there is already a lot of detailed documentation available from AWS.

Once I had the database set up I was ready to connect from my honeypot server and configure the tables. In order to connect via the command line, I had to install the MySQL client package:

sudo apt-get install mysql-client-core-5.5

As I set the database up within AWS, my database name "kippodb" and user account were already created. So I now just needed to use the SQL configuration script provided in the Kippo package to create the required database structure:

mysql -h <database hostname> -u <username> -p kippodb < kippo/doc/sql/mysql.sql

Using the "-p" option with no password will ensure that your MySQL database password is not stored in your bash history. You will be prompted to enter the password immediately after hitting enter.

We can then log into the MySQL database and view the tables created by the SQL script:

mysql> show tables;
+-------------------+
| Tables_in_kippodb |
+-------------------+
| auth              |
| clients           |
| downloads         |
| input             |
| sensors           |
| sessions          |
| ttylog            |
+-------------------+

7 rows in set (0.00 sec)

The next two steps that needed to take place for me to finish the set up and have Kippo logging to MySQL:
  1. Put the correct configuration in the kippo.cfg file and remove the #'s from the database section:
    [database_mysql]
    host = localhost
    database = kippo
    username = kippo
    password = secret
  2. I hadn't installed a dependency that is needed in order to have Kippo communicate with the database, so before going any further, ensure you install the following module:
    sudo apt-get install python-mysqldb
Once I had the configuration updated and the MySQLdb Python module installed I just needed to restart Kippo.

kippo@ip-XXX-XX-XX-XX:~/kippo$ ./start.sh

Starting kippo in background...Loading dblog engine: mysql

Something that is interesting to note is that the text based log files configured in kippo.cfg continue to log data alongside the MySQL database.

So now I wanted to see what and how things were logged in the MySQL database, so I did some simulation testing. Firstly I used an external server to run nmap against the hostname of my honeypot and see what ports were open:

sudo nmap -sT <hostname or IP> -PN

Host is up (0.032s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 6.66 seconds

As expected, port 22 was open and listening. Initially I set up a brute force attack against the server using "Ncrack", but as all I really wanted to do was see what happened when interactions were logged, I stopped the brute force attack before it was finished. I did however see each connection in the sessions table and kippo.log.

mysql> select * from sessions;
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
| id                               | starttime           | endtime | sensor | ip             | termsize | client |
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
| 69a9b2fa2fc111e3a761126fda7def4d | 2013-10-08 02:29:10 | NULL    |      1 | xxx.xxx.xxx.xxx | NULL     |   NULL |
| 6a6fc0582fc111e3a761126fda7def4d | 2013-10-08 02:29:11 | NULL    |      1 | xxx.xxx.xxx.xxx | NULL     |   NULL |
| 6b36d97c2fc111e3a761126fda7def4d | 2013-10-08 02:29:12 | NULL    |      1 | xxx.xxx.xxx.xxx | NULL     |   NULL |
| 6bfd85902fc111e3a761126fda7def4d | 2013-10-08 02:29:13 | NULL    |      1 | xxx.xxx.xxx.xxx | NULL     |   NULL |
+----------------------------------+---------------------+---------+--------+----------------+----------+--------+
4 rows in set (0.00 sec)

Once I had confirmed what I would see from a port scan, I wanted to see the logged session interactions. So using the external server once again I connected with the root username and password:

root@xxx.xxx.xxx.xxx:~# ssh root@myhoneypot
The authenticity of host 'myhoneypot (yy.yy.yy.yy)' can't be established.
RSA key fingerprint is 8b:c0:bb:39:2b:ef:7b:74:bb:bc:14:6a:fa:2c:71:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myhoneypot,yy.yy.yy.yy' (RSA) to the list of known hosts.
Password:
dev-server:~#

After logging in I was able to see the authentication information in the table "auth":

mysql> select * from auth;
+----+----------------------------------+---------+----------+------------+---------------------+
| id | session                          | success | username | password   | timestamp           |
+----+----------------------------------+---------+----------+------------+---------------------+
|  1 | c10d91182fc811e3a761126fda7def4d |       1 | root     | Password1! | 2013-10-08 03:21:52 |
|  2 | f24288422fc811e3a761126fda7def4d |       1 | root     | Password1! | 2013-10-08 03:23:12 |
+----+----------------------------------+---------+----------+------------+---------------------+
2 rows in set (0.00 sec)

Having connected to the server, I then issued some commands to the terminal and viewed the results from the "input" table:

mysql> select * from input;
+----+----------------------------------+---------------------+-------+---------+--------------+
| id | session                          | timestamp           | realm | success | input        |
+----+----------------------------------+---------------------+-------+---------+--------------+
|  1 | c10d91182fc811e3a761126fda7def4d | 2013-10-08 03:22:03 | NULL  |       1 | exit         |
|  2 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:26:12 | NULL  |       1 | whoami       |
|  3 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:26:17 | NULL  |       1 | w            |
|  4 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:26:32 | NULL  |       1 | ifconfig     |
|  5 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:26:39 | NULL  |       1 | ls           |
|  6 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:26:43 | NULL  |       1 | cd /         |
|  7 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:26:44 | NULL  |       1 | ls           |
|  8 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:26:56 | NULL  |       1 | cd var       |
|  9 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:26:58 | NULL  |       1 | ls           |
| 10 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:27:04 | NULL  |       1 | cd log       |
| 11 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:27:05 | NULL  |       1 | ls           |
| 12 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:27:15 | NULL  |       1 | last         |
| 13 | f24288422fc811e3a761126fda7def4d | 2013-10-08 03:27:27 | NULL  |       1 | last -f btmp |
+----+----------------------------------+---------------------+-------+---------+--------------+
13 rows in set (0.00 sec)
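The three tables above (sessions, auth, input) are all you need for the kind of daily session summary mentioned later in this post. The script below is an added example, not part of the original post or of Kippo itself: it rebuilds those tables in Python's built-in sqlite3 with a handful of constructed rows (shortened session ids, documentation-range IPs) so it runs offline, then answers the questions a honeypot operator asks first: which IPs connected today and how many got past authentication, which credentials were tried most, and what a given source actually typed. The column layout follows the tables shown above; the exact MySQL types are an assumption. Against the real RDS instance you would swap the sqlite3 connection for MySQLdb.connect() and keep the queries.

```python
"""Summarise Kippo's MySQL log tables (added example, not Kippo's own code)."""
import sqlite3

# Constructed sample rows modelled on the tables in the post.
# Session ids are shortened and IPs are from documentation ranges.
SESSIONS = [
    ("c10d9118", "2013-10-08 03:21:50", "2013-10-08 03:22:05", 1, "203.0.113.5"),
    ("f2428842", "2013-10-08 03:23:10", None, 1, "203.0.113.5"),
    ("69a9b2fa", "2013-10-08 02:29:10", None, 1, "198.51.100.7"),  # scanner: no auth
]
AUTH = [
    ("c10d9118", 1, "root", "Password1!", "2013-10-08 03:21:52"),
    ("f2428842", 0, "root", "123456", "2013-10-08 03:23:11"),      # failed attempt
    ("f2428842", 1, "root", "Password1!", "2013-10-08 03:23:12"),
]
INPUT = [
    ("c10d9118", "2013-10-08 03:22:03", 1, "exit"),
    ("f2428842", "2013-10-08 03:26:12", 1, "whoami"),
    ("f2428842", "2013-10-08 03:26:32", 1, "ifconfig"),
    ("f2428842", "2013-10-08 03:27:27", 1, "last -f btmp"),
]


def build_db():
    """Create the three Kippo tables in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                             sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
      CREATE TABLE auth (id INTEGER PRIMARY KEY AUTOINCREMENT, session TEXT,
                         success INTEGER, username TEXT, password TEXT, timestamp TEXT);
      CREATE TABLE input (id INTEGER PRIMARY KEY AUTOINCREMENT, session TEXT,
                          timestamp TEXT, realm TEXT, success INTEGER, input TEXT);
    """)
    conn.executemany(
        "INSERT INTO sessions (id, starttime, endtime, sensor, ip) VALUES (?,?,?,?,?)", SESSIONS)
    conn.executemany(
        "INSERT INTO auth (session, success, username, password, timestamp) VALUES (?,?,?,?,?)", AUTH)
    conn.executemany(
        "INSERT INTO input (session, timestamp, success, input) VALUES (?,?,?,?)", INPUT)
    return conn


def sessions_per_ip(conn, day):
    """Connections per source IP on one day (YYYY-MM-DD) and how many got past auth.

    Scanner-style connects show up as sessions with no successful auth row,
    which is exactly the pattern seen in the sessions table earlier in the post.
    """
    return conn.execute("""
      SELECT s.ip, COUNT(*) AS sessions,
             SUM(EXISTS(SELECT 1 FROM auth a
                        WHERE a.session = s.id AND a.success = 1)) AS logged_in
      FROM sessions s
      WHERE substr(s.starttime, 1, 10) = ?
      GROUP BY s.ip
      ORDER BY sessions DESC, s.ip
    """, (day,)).fetchall()


def top_credentials(conn, limit=5):
    """Most-tried username/password pairs with how often each one succeeded."""
    return conn.execute("""
      SELECT username, password, COUNT(*) AS attempts, SUM(success) AS successes
      FROM auth
      GROUP BY username, password
      ORDER BY attempts DESC, username, password
      LIMIT ?
    """, (limit,)).fetchall()


def commands_for_ip(conn, ip):
    """Every command typed in sessions from one source IP, in the order typed."""
    rows = conn.execute("""
      SELECT i.input
      FROM input i JOIN sessions s ON s.id = i.session
      WHERE s.ip = ?
      ORDER BY i.timestamp, i.id
    """, (ip,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    for ip, count, logged_in in sessions_per_ip(db, "2013-10-08"):
        print(f"{ip:16} sessions={count} logged_in={logged_in}")
    for user, pw, attempts, ok in top_credentials(db):
        print(f"{user}/{pw}: {attempts} attempts, {ok} successful")
    print("commands from 203.0.113.5:", commands_for_ip(db, "203.0.113.5"))
```

The join in commands_for_ip is the useful one: the input table only carries a session id, so attributing typed commands to a source address always goes through sessions. Running the same queries from cron with the day's date gives the daily summary without touching kippo.log at all.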

I am now satisfied that the MySQL database has been set up correctly and will begin logging information. My next steps will be:
  • Finish configuration of my automated script to collect daily information about sessions; and
  • Install kippo-graph or similar to visualise the connections coming in.
While my honeypot isn't seeing a lot of interaction at the moment, I am not too worried; once I have completed my tasks to get the honeypot set up and easy to manage, I will work on how to entice more bees!