In this diary I will talk about how to configure the kippo honeypot and how to submit your kippo logs to SANS DShield.
If you are planning to run kippo behind a router/firewall, you have to set a static IP address for your sensor. If you are using Debian Linux, add the following lines to /etc/network/interfaces:
Then you have to configure the DNS settings in /etc/resolv.conf. In my case I will use my router as a DNS server.
Then we have to change the default SSH port from 22 to something else. To do so, you have to modify the
Then locate
To something similar to this:
Now install kippo's dependencies:
Then create a user name for kippo
Now we will install authbind to allow kippo to listen on port 22 (if it’s not already installed)
Then create a new file with touch command:
Now change the owner to kippo user
Now change the permissions of the file
Now su to kippo user and download and install kippo:
Now cd to the kippo directory. Copy kippo.cfg.dist to kippo.cfg and change the listening port from 2222 to 22
To
The last step in configuring kippo is to modify start.sh to start kippo using authbind. In the start.sh file, change the following
To
If you are planning to expose your honeypot to the internet, don't forget to configure port forwarding or a DMZ at your router/firewall.
Now you can start kippo by typing
All the attempts will be stored in the log/kippo.log file.
Finally, what is the point of having your own honeypot if you will not share your logs with the community? We have a ready script that can submit your logs to SANS ISC. You can download the script from the following link: https://isc.sans.edu/clients/kippo/kippodshield.pl
Then on line 33 and line 34 you have to provide your numeric userid and your authentication key, which you can obtain from your SANS ISC portal under the My Account section.
To send your logs, type the following
You can use crontab to schedule kippodshield.pl to run every day and submit your logs to DShield.
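As an added example (not part of the original diary or the kippo project), the following shell function checks the setup steps above before the sensor is exposed: the real sshd is off port 22, the authbind file for port 22 belongs to the kippo user and is executable by it, kippo.cfg listens on 22, and start.sh launches through authbind. The `Port` and `ssh_port` key names, the /etc/authbind/byport/22 path and the function's three arguments are assumptions, since the diary's own command listings are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the diary. Assumed names: "Port" in sshd_config,
# "ssh_port" in kippo.cfg, /etc/authbind/byport/22, and the arguments below.
# Live use (install path is hypothetical): check_kippo_setup "" /home/kippo/kippo kippo
#
# check_kippo_setup ROOT KIPPO_DIR OWNER
#   ROOT      prefix for system paths ("" on the sensor, a scratch dir for a dry run)
#   KIPPO_DIR directory that holds kippo.cfg and start.sh
#   OWNER     unprivileged account kippo runs as
# Prints one line per check; the return status is the number of failed checks.
check_kippo_setup() {
    root=$1 kdir=$2 owner=$3 fails=0
    byport="$root/etc/authbind/byport/22"

    report() {  # report OK|FAIL message
        echo "[$1] $2"
        [ "$1" = OK ] || fails=$((fails + 1))
    }

    # The real sshd needs an explicit Port line, and none of them may be 22,
    # otherwise the admin login competes with the honeypot for the port.
    if awk 'tolower($1) == "port" { n++; if ($2 == 22) bad = 1 }
            END { exit (n == 0 || bad) }' "$root/etc/ssh/sshd_config" 2>/dev/null
    then report OK "real sshd is not on port 22"
    else report FAIL "real sshd is on port 22, or no Port line was found"
    fi

    # authbind permits the bind only if the calling user may execute this file.
    if ls -ld "$byport" 2>/dev/null | awk -v o="$owner" \
        '{ ok = ($3 == o && substr($1, 4, 1) == "x") } END { exit !ok }'
    then report OK "$byport is owned by $owner and executable by it"
    else report FAIL "$byport is missing, not owned by $owner, or not executable"
    fi

    # kippo itself must listen on 22 (the diary changes it from 2222).
    if grep -Eq '^[[:space:]]*ssh_port[[:space:]]*=[[:space:]]*22[[:space:]]*$' \
        "$kdir/kippo.cfg" 2>/dev/null
    then report OK "kippo.cfg listens on port 22"
    else report FAIL "kippo.cfg does not set ssh_port to 22"
    fi

    # start.sh has to launch kippo through authbind on a non-comment line.
    if grep -Eq '^[^#]*authbind' "$kdir/start.sh" 2>/dev/null
    then report OK "start.sh starts kippo through authbind"
    else report FAIL "start.sh does not use authbind"
    fi

    return "$fails"
}
```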
Basil, ISC Handler, Apr 19th 2016