Installing Kippo

BETA
BETA
BETA
BETA

NOTE : Kippo support in SURFids is still in beta phase. This document is mainly intended for people that want to help testing Kippo along with SURFids.

cd /opt/
svn checkout http://kippo.googlecode.com/svn/trunk/ kippo

apt-get install python-crypto python-twisted python-twisted-conch python-twisted-web python-zopeinterface python-psycopg2

Open up the config file /opt/kippo/kippo.cfg. Add the following section to the config file:

[database_surfids]
# Database settings
host = localhost
database = idsserver
username = nepenthes
password = pass
port = 5432

# ssh listen port, this is the port that gets logged
# as destination port
sshport = 22

# Don't change this, determines honeypot type (Kippo = 7)
atype = 7

# 0 = Possible Malicious Attack
# 1 = Malicious Attack

# Set the severity of a failed SSH login
failedlogin = 1

# Set the severity of a successful SSH login
successlogin = 1

You can modify failedlogin and successlogin to your liking.

We need to download the SURFids module for Kippo:

cd /opt/kippo/kippo/dblog/
wget http://ids.surfnet.nl/downloads/kippo-surfids.py
mv kippo-surfids.py surfids.py

We will also have to redirect the port 22 traffic to our honeypot with iptables. If you are using remote sensors with the tunnel server:

iptables -A PREROUTING -d ! <eth0 address> -t nat -i eth0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222

Replace <eth0 address> with your main interface address where your normal SSH daemon is listening. This will make sure you will still be able to connect to your machine via regular SSH.
If your main interface is not eth0, use the address from your main interface where your normal SSH daemon is listening.

If you only have the server as 1 sensor (make sure you setup your SSH daemon on port 222 first, so you will still be able to connect to the server):

iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222