#ro0ted #OpNewblood What the Blackhats dont want you to know: How to install Kippo SSH Honeypot on a VPS
Doing two tutorials based on Kippo SSH Honeypot. There’s two ways to set Kippo up. Well three ways but we will only discuss two. The first way use a VPS. The second use the honeydrive distro. This tutorial will be VPS based. I’ve been really busy lately so I didn’t have enough time to post the using part. This is just how to set it up. Post Part 2 Tonight. -https://twitter.com/ro0ted/
Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up+
I’m using an offshore Ubuntu 14.04 Server for example done in this tutorial.
If you don’t have one…You are going to want to buy one. Yes good shit isn’t free. Check out the link I put for the Cloud VPS it’s 5 bucks a month. Putty’s Free. This is a Windows Tutorial.
Download Putty (listed above).
Open Puttygen>Click Generate>move your mouse around the blank space.
Then copy the public key to the clipboard, save the public/private key.
Go to digital ocean control panel click SSH Keys.
Copy n paste the public key from Puttygen to Control Panel.
Now open Putty.
Now once you are in Auth,
In RLogin enter Root. Now you can connect to your server without ever entering a key. Minimize this window go to Create Droplet to make your server.
Edit yours how you want just make sure you don’t enable Ipv6/Private Networking. Pick any Linux Distro Debian is more stable than all of them. Click SSH Key before clicking create droplet. Then go to droplets left side menu.
Copy n paste ip in droplets to your putty. Click open. Should work flawlessly. If it does ask for a pass phrase ex: Passphrase for RSA-Key”” that means you put phrase in puttygen. If it says password for root, you did something wrong.
sudo apt-get dist-upgrade
sudo apt-get upgrade
sudo apt-get update
Change the default port from 22 to 1984. when Linux uses port 22 it requires Root.
Hit ctrl + X. Select Y.
restart the SSH service so it is not bound to port 22 anymore. Type:
service ssh restart
Make sure it’s listening for 1984 type:
netstat -ant | grep 1984
Next we are going to use UFW to make sure port 22 & port 1984 only get accessed from our own Home network address.
apt-get install ufw
ufw allow ssh
ufw allow from 127.0.0.1 to any port 1984
Replace 127.0.0.1 with your real IP Address of your home network. Not your VPN or Server IP. YOUR REAL ONE.
Kippo is python based meaning we gotta get the right libraries.
apt-get -y install python-dev openssl python-openssl python-pyasn1 python-twisted git python-pip supervisor authbind
You know how in IRC there’s bots (not talking about botnets) that do certain things and maintain your server in different ways? Well we need to create a non root user who will run out honeypot, call him kippo, nothing else.
useradd -d /home/kippo -s /bin/bash -m kippo
Password Protect it, type:
Install Kippo SSH Honeypot
git clone https://github.com/threatstream/kippo
mv kippo.cfg.dist kippo.cfg
sed -i ‘s/ssh_port = 1984/ssh_port = 22/g’ kippo.cfg
sed -i ‘s/hostname = Putfakenamehere/hostname = db01/g‘ kippo.cfg
sed -i ‘s/ssh_version_string = SSH-2.0-OpenSSH_5.1p1 Debian-5/ssh_version_string = SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5/g’ kippo.cfg
Fix permissions for kippo
chown -R kippo:users /opt/kippo
chown kippo /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22
cat >> /opt/kippo/kippo.cfg <<EOF
|server = $HPF_HOST|
|port = $HPF_PORT|
|identifier = $HPF_IDENT|
|secret = $HPF_SECRET|
|debug = false|
Setup kippo to start at boot
sed -i ‘s/twistd -y kippo.tac -l log\/kippo.log –pidfile kippo.pid/su kippo -c “authbind –deep twistd -n -y kippo.tac -l log\/kippo.log –pidfile kippo.pid”/g’ /opt/kippo/start.sh
Config for supervisor
cat > /etc/supervisor/conf.d/kippo.conf <<EOF
Now we know how to set it up. Very long process. But it’s not done yet. I’ll show you how deadly it is for the hacker; Tables turn now son gonna wish you never tried to brute force that SSH login. lol Been really busy but I’ll try to post part 2 tonight.
(Visited 693 times, 1 visits today)
- You can follow any responses to this entry through the RSS 2.0 feed.
- Both comments and pings are currently closed.