Kippo

I have been running Kippo on my server for a couple weeks now, and from it I have a lot of funny logs from people connecting to my server and thinking that they have logged in successfully as root over ssh.

Kippo is an SSH honeypot, according to their website:

Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

Kippo

Perhaps later I will post a tutorial on how to get kippo installed and secured on a server, but for now this tutorial will focus on how to install Ajaxterm to watch the logs that kippo captures.

Ajaxterm

On the kippo site, there are links to view logs from the SSH honeypot, and the logs are viewed right in your browser using javascript/ajax so you can watch the attacker as if they were typing in the commands in realtime. After some googling, I found a custom version of ajaxterm that deals specifically with Kippo. I have modified the scripts included with it heavily, basically to strip functionality from ajaxterm, so it won’t accept input from the user of the web browser.

Configuring Ajaxterm-kippo

Downloaded my modified code here ajaxterm-kippo.zip

When you download the code make sure to modify ajaxterm.py and change the first lines that will look like this:

PLAYLOG_UTIL = '/home/honeypot/kippo-0.5/utils/playlog.py'
PLAYLOG_TTY  = '/home/honeypot/kippo-0.5/log/tty/'

To match where you have kippo installed and where the necessary files/directories are stored.

Create an unprivileged user

Ajaxterm is a python script that is a webserver in itself, so since it will be accepting outside connections on a specific port it would be good practice to create an unprivileged user to run ajaxterm. This part is optional… but highly recommended.

I set this up on an Ubuntu server, but the commands should work on any distribution of Linux/Unix based operating system.

sudo useradd -s /bin/false honeypot
sudo mkdir /home/honeypot
sudo chown honeypot /home/honeypot

These commands will create a limited user account named honeypot that will have no login shell by default, and no password in the shadow file (so you can’t login as this user). They will also create a home directory for the user, and this is where you can store the ajaxterm files.

Making it a service

I created a small init.d script that can be used to start ajaxterm as the unprivileged user, and also check on the status (if it is running or not). Just copy the following script to /etc/init.d/ajaxterm and then you will be able to start and stop it just like any service.

dave@[daveeddy]:/home/honeypot/ajaxterm/$ sudo service ajaxterm start
 * Starting Ajax terminal webserver Ajaxterm [ OK ]
dave@[daveeddy]:/home/honeypot/ajaxterm/$ sudo service ajaxterm status
Ajaxterm :: service is running -- pid 17028

#!/usr/bin/env bash
# init script for ajaxterm
# no logging supported

NAME="Ajaxterm"
DESC="Ajax terminal webserver"
PORT=8021
USER="honeypot" # the unprivileged user to run as, if unsure use 'nobody'

PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
DAEMON=/home/honeypot/ajaxterm/ajaxterm.py
PIDFILE=/home/honeypot/ajaxterm/ajaxterm.pid

[[ -x "$DAEMON" ]] || exit 1

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions


case "$1" in
	start)
		log_daemon_msg "Starting $DESC" "$NAME"
		[[ -f "$PIDFILE" ]] || $DAEMON --port=$PORT --daemon --pidfile=$PIDFILE --uid=$USER
		log_end_msg $?
	;;
	stop)
		log_daemon_msg "Stopping $DESC" "$NAME"
		[[ -f "$PIDFILE" ]] && kill "`cat $PIDFILE`"
		msg=$?
		rm -f "$PIDFILE"
		log_end_msg "$msg"
	;;
	status)
		[[ -f "$PIDFILE" ]] && echo "$NAME :: service is running -- pid $(cat "$PIDFILE")" || echo "$NAME :: service is NOT running -- no pid file found"
		exit 0
	;;
	restart|force-reload)
		$0 stop
		sleep 1
		$0 start
	;;
	*)
		echo "Usage: $0 {start|stop|status|restart|force-reload}" >&2
		exit 3
	;;
esac