NOTE: Kippo support in SURFids is still in beta phase. This document is mainly intended for people who want to help test Kippo along with SURFids.
cd /opt/
svn checkout http://kippo.googlecode.com/svn/trunk/ kippo
apt-get install python-crypto python-twisted python-twisted-conch python-twisted-web python-zopeinterface python-psycopg2
Open up the config file /opt/kippo/kippo.cfg. Add the following section to the config file:
[database_surfids]
# Database settings
host = localhost
database = idsserver
username = nepenthes
password = pass
port = 5432
# ssh listen port, this is the port that gets logged
# as destination port
sshport = 22
# Don't change this, determines honeypot type (Kippo = 7)
atype = 7
# 0 = Possible Malicious Attack
# 1 = Malicious Attack
# Set the severity of a failed SSH login
failedlogin = 1
# Set the severity of a successful SSH login
successlogin = 1
You can modify failedlogin and successlogin to your liking.
Next, download the SURFids module for Kippo:
cd /opt/kippo/kippo/dblog/
wget http://ids.surfnet.nl/downloads/kippo-surfids.py
mv kippo-surfids.py surfids.py
We will also have to redirect the port 22 traffic to our honeypot with iptables. If you are using remote sensors with the tunnel server:
iptables -A PREROUTING -d ! <eth0 address> -t nat -i eth0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
Replace <eth0 address> with the address of your main interface, where your normal SSH daemon is listening. Excluding that address from the redirect makes sure you can still connect to the machine via regular SSH.
If your main interface is not eth0, use the address from your main interface where your normal SSH daemon is listening.
If the server itself is your only sensor (make sure you set up your SSH daemon on port 222 first, so you will still be able to connect to the server):
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
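As an added example (not part of Kippo or SURFids), the script below checks the two pieces of the setup above: it validates the [database_surfids] section of kippo.cfg (atype 7, severities 0 or 1, numeric ports) and checks that a PREROUTING REDIRECT from port 22 to 2222 is present in `iptables -t nat -S PREROUTING` output. The sample config and rule output are constructed here, not taken from a real deployment.

```python
"""Sanity-check a Kippo/SURFids sensor: config section plus NAT redirect."""
import configparser
import io
import re

# Constructed sample of the [database_surfids] section described above.
SAMPLE_CFG = """
[database_surfids]
host = localhost
database = idsserver
username = nepenthes
password = pass
port = 5432
sshport = 22
atype = 7
failedlogin = 1
successlogin = 1
"""

# Constructed sample of `iptables -t nat -S PREROUTING` on a sensor.
# (Newer iptables prints the negated destination as `! -d`.)
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING ! -d 192.0.2.10/32 -i eth0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
"""

REQUIRED_KEYS = ("host", "database", "username", "password", "port",
                 "sshport", "atype", "failedlogin", "successlogin")


def check_surfids_section(cfg_text):
    """Return a list of problems in [database_surfids]; an empty list means OK."""
    cp = configparser.ConfigParser()
    cp.read_file(io.StringIO(cfg_text))
    if not cp.has_section("database_surfids"):
        return ["missing [database_surfids] section"]
    s = cp["database_surfids"]
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in s]
    if s.get("atype") != "7":
        problems.append("atype must be 7 (Kippo)")
    for key in ("failedlogin", "successlogin"):
        if s.get(key) not in ("0", "1"):
            problems.append(f"{key} must be 0 or 1")
    for key in ("port", "sshport"):
        if not s.get(key, "").isdigit():
            problems.append(f"{key} must be numeric")
    return problems


def redirect_present(nat_rules, dport=22, to_port=2222):
    """True if a PREROUTING rule redirects dport to to_port in `iptables -t nat -S` output."""
    pat = re.compile(rf"^-A PREROUTING .*--dport {dport}\b.*-j REDIRECT --to-ports {to_port}\b")
    return any(pat.search(line) for line in nat_rules.splitlines())
```

On a live sensor, feed the real file contents and the real `iptables -t nat -S PREROUTING` output to these two functions instead of the samples.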