I have been running Kippo on my server for a couple of weeks now, and it has given me a lot of funny logs from people connecting to my server and thinking that they have successfully logged in as root over SSH.
Kippo is an SSH honeypot, according to their website:
Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
Perhaps later I will post a tutorial on how to get Kippo installed and secured on a server, but for now this tutorial will focus on how to install Ajaxterm to watch the logs that Kippo captures.
Download my modified code here: ajaxterm-kippo.zip
When you download the code, make sure to modify ajaxterm.py and change the first lines, which will look like this:
Change them to match where you have Kippo installed and where the necessary files/directories are stored.
Create an unprivileged user
Ajaxterm is a Python script that is a web server in itself, so since it will be accepting outside connections on a specific port, it is good practice to create an unprivileged user to run it. This part is optional, but highly recommended.
I set this up on an Ubuntu server, but the commands should work on any Linux/Unix-based operating system.
sudo useradd -s /bin/false honeypot
sudo mkdir /home/honeypot
sudo chown honeypot /home/honeypot
These commands will create a limited user account named honeypot that has no login shell by default and no password in the shadow file (so you can't log in as this user). They will also create a home directory for the user, and this is where you can store the Ajaxterm files.
Making it a service
I created a small init.d script that can be used to start Ajaxterm as the unprivileged user, and also to check on its status (whether it is running or not). Just copy the following script to /etc/init.d/ajaxterm and then you will be able to start and stop it just like any service.
dave@[daveeddy]:/home/honeypot/ajaxterm/$ sudo service ajaxterm start
 * Starting Ajax terminal webserver Ajaxterm                      [ OK ]
dave@[daveeddy]:/home/honeypot/ajaxterm/$ sudo service ajaxterm status
Ajaxterm :: service is running -- pid 17028
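As an added example (not the script from the original post), here is an LSB-style init.d script that does what the section describes: it starts ajaxterm.py as the unprivileged honeypot user, stops it via a PID file, and reports status in the same format as the session above. The user name, install directory, listening port (8022), PID file path and the use of Debian/Ubuntu's start-stop-daemon are assumptions; the `--port` option is the stock ajaxterm.py option and may differ in a modified copy.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ajaxterm
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Ajaxterm web terminal for browsing Kippo logs
### END INIT INFO

# Assumed locations and settings (example values, not from the original post).
# Each can be overridden from the environment, e.g. in /etc/default/ajaxterm.
AJAXTERM_USER=${AJAXTERM_USER:-honeypot}
AJAXTERM_DIR=${AJAXTERM_DIR:-/home/honeypot/ajaxterm}
AJAXTERM_PORT=${AJAXTERM_PORT:-8022}
PIDFILE=${PIDFILE:-/var/run/ajaxterm.pid}
PYTHON=${PYTHON:-/usr/bin/python}

# Return 0 if the PID recorded in $PIDFILE belongs to a live process, 1 otherwise.
# A stale PID file (process gone) counts as "not running".
is_running() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE" 2>/dev/null)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Start ajaxterm.py in the background as the unprivileged user, never as root.
do_start() {
    if is_running; then
        echo "Ajaxterm :: already running -- pid $(cat "$PIDFILE")"
        return 0
    fi
    echo " * Starting Ajax terminal webserver Ajaxterm"
    start-stop-daemon --start --quiet --background \
        --make-pidfile --pidfile "$PIDFILE" \
        --chuid "$AJAXTERM_USER" --chdir "$AJAXTERM_DIR" \
        --exec "$PYTHON" -- "$AJAXTERM_DIR/ajaxterm.py" --port="$AJAXTERM_PORT"
}

# Stop the process named in the PID file and remove the file.
do_stop() {
    if ! is_running; then
        echo "Ajaxterm :: service is not running"
        rm -f "$PIDFILE"
        return 0
    fi
    echo " * Stopping Ajax terminal webserver Ajaxterm"
    start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --retry 5
    rm -f "$PIDFILE"
}

# LSB status: exit 0 when running, 3 when stopped.
do_status() {
    if is_running; then
        echo "Ajaxterm :: service is running -- pid $(cat "$PIDFILE")"
        return 0
    fi
    echo "Ajaxterm :: service is not running"
    return 3
}

main() {
    case "$1" in
        start)   do_start ;;
        stop)    do_stop ;;
        restart) do_stop; do_start ;;
        status)  do_status ;;
        *)
            echo "Usage: $0 {start|stop|restart|status}" >&2
            return 2
            ;;
    esac
}

# Dispatch only when an action is given, so the functions can also be sourced.
[ $# -gt 0 ] && main "$@"
```

Install it with `sudo cp ajaxterm /etc/init.d/ajaxterm && sudo chmod 755 /etc/init.d/ajaxterm && sudo update-rc.d ajaxterm defaults`. Because the process is started with `--chuid honeypot`, a bug in Ajaxterm exposed on the listening port is confined to an account with no shell, no password and only the Ajaxterm directory to work with, which is the whole point of the unprivileged user created earlier.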