Friday 4 October 2013

Honeypots for blondes, Part 1

This is the first time I am setting up a honeypot, and I'll be taking my time and going through two different set-ups. First I'll set up and play around with Kippo, and once that is up and running I'm also going to install dionaea.

"Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker". 

There wasn't much to setting up Kippo, and there are already some great references available "on the line" for getting it up and running. I used a combination of these two websites to get Kippo up and running on an Ubuntu 13 install:
... and now I wait!

Update 12 hours later: Well, I didn't have to wait long to get some results; looking directly at kippo.log already shows the following connection attempts to the SSH honeypot:
ubuntu@ip-111-11-11-111:/home/kippo/kippo/log$ cat kippo.log
2013-10-04 08:25:25+0000 [-] Log opened.
2013-10-04 08:25:25+0000 [-] twistd 12.3.0 (/usr/bin/python 2.7.4) starting up.
2013-10-04 08:25:25+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2013-10-04 08:25:25+0000 [-] HoneyPotSSHFactory starting on 22
2013-10-04 08:25:25+0000 [-] Starting factory <kippo.core.honeypot.HoneyPotSSHFactory instance at 0x27b5b00>
2013-10-04 12:58:46+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.6.96.177:56957 (111-11-11-111:22) [session: 0]
2013-10-04 12:58:54+0000 [HoneyPotTransport,0,221.6.96.177] connection lost
2013-10-04 20:53:32+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 168.61.36.1:1176 (111-11-11-111:22) [session: 1]
2013-10-04 20:53:33+0000 [HoneyPotTransport,1,168.61.36.1] connection lost
2013-10-04 20:53:37+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 168.61.36.1:1176 (111-11-11-111:22) [session: 2]
2013-10-05 01:09:07+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 210.31.177.197:56888 (111-11-11-111:22) [session: 3]
2013-10-05 01:11:11+0000 [HoneyPotTransport,3,210.31.177.197] connection lost
2013-10-05 01:24:31+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 61.174.68.171:37054 (111-11-11-111:22) [session: 4]
2013-10-05 01:24:41+0000 [HoneyPotTransport,4,61.174.68.171] connection lost
ubuntu@ip-111-11-11-111:/home/kippo/kippo/log$
Unfortunately there are no records of any interaction in the honeypot's tty logs yet, so I wait some more ...
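Since kippo.log only shows "New connection" and "connection lost" lines, a quick way to triage it while waiting for tty logs is to pair those lines into sessions and spot sources that keep coming back or sessions that never closed (like session 2 above). The script below is an added example, not part of the original post or of Kippo itself; the log lines embedded in it are constructed in Kippo's format using documentation IP addresses, and the regexes assume the line layout shown above.

```python
import re
from datetime import datetime

# Constructed sample in kippo.log's format (documentation IPs, not real attackers).
SAMPLE_LOG = """\
2013-10-04 08:25:25+0000 [-] HoneyPotSSHFactory starting on 22
2013-10-04 12:58:46+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:56957 (111-11-11-111:22) [session: 0]
2013-10-04 12:58:54+0000 [HoneyPotTransport,0,203.0.113.5] connection lost
2013-10-04 20:53:32+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:1176 (111-11-11-111:22) [session: 1]
2013-10-04 20:53:33+0000 [HoneyPotTransport,1,198.51.100.7] connection lost
2013-10-04 20:53:37+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:1177 (111-11-11-111:22) [session: 2]
"""

# Timestamp prefix shared by every line; Kippo logs in UTC with a +0000 suffix.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\+0000"
NEW_RE = re.compile(TS + r" \[kippo\.core\.honeypot\.HoneyPotSSHFactory\] New connection: "
                    r"(?P<ip>[\d.]+):(?P<port>\d+) \(.*?\) \[session: (?P<sid>\d+)\]")
LOST_RE = re.compile(TS + r" \[HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] connection lost")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_sessions(text):
    """Map session id -> {ip, port, start, end}; end stays None if no 'connection lost' seen."""
    sessions = {}
    for line in text.splitlines():
        m = NEW_RE.match(line)
        if m:
            sessions[int(m.group("sid"))] = {"ip": m.group("ip"), "port": int(m.group("port")),
                                             "start": parse_ts(m.group("ts")), "end": None}
            continue
        m = LOST_RE.match(line)
        if m and int(m.group("sid")) in sessions:
            sessions[int(m.group("sid"))]["end"] = parse_ts(m.group("ts"))
    return sessions

def summarize(sessions):
    """Return (connections per source IP, sorted ids of sessions that never closed)."""
    by_ip, still_open = {}, []
    for sid, s in sessions.items():
        by_ip[s["ip"]] = by_ip.get(s["ip"], 0) + 1
        if s["end"] is None:
            still_open.append(sid)
    return by_ip, sorted(still_open)

def duration_seconds(sessions, sid):
    """Seconds between connect and disconnect, or None if the session never closed."""
    s = sessions[sid]
    return None if s["end"] is None else int((s["end"] - s["start"]).total_seconds())

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    print(summarize(sess), [duration_seconds(sess, i) for i in sorted(sess)])
```

Run it against the real file with `parse_sessions(open("/home/kippo/kippo/log/kippo.log").read())`; a source with many short sessions is typical brute-forcing, while a long or never-closed session is the one most likely to have a matching tty log.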