Saturday, March 22, 2014

Installing Kippo HoneyPot on a CentOS cPanel Server

There are a lot of guides out there that advise you on how to install kippo on Ubuntu and Debian servers but very few complete guides on how to get Kippo HoneyPot working with a CentOS WHM/cPanel server.

This tutorial assumes the following:

1) You have root
2) Its CentOS 6.4 with WHM/cPanel installed


Phase 1. Change the default SSH port

First think you need to do is change the default port you SSH in on. You should be doing this by default for security reasons. Its stops 99% of SSH brute force hacking attempts.

To do this you need to edit:

# nano /etc/ssh/sshd_config

You need to change the default to a high number random port:

Port 26903

Save the file and restart you SSH service. You may need to relogin.

Phase 2 - Create a user for kippo.

I want to be able to look at graphs, so I create a user in WHM. The username I create is also going to be the username that runs the Kippo HoneyPot. Once the user is created in cPanel, login to cPanel and create a MySQL database and a MySQL username. Add the user to the database. It is advisable you download a copy of Kippo and using PHPMyAdmin import the sql file that comes with Kippo (You can find the sql file in the doc directory).

Phase 3 - Install requirements

As root, install Twisted packages
# yum install twisted

When I tried to run Kippo with a MYSQL database connection, I kept getting the following error:

"Failed to load application: No module named MySQLdb". When I tried installing the package through yum I got, "No package MySQL-python available.". So what I did was download the file directly :

https://pypi.python.org/pypi/MySQL-python/1.2.5

Unzip the file:

# unzip MySQL-python-1.2.5.zip

And run the following commands:

#  cd MySQL-python-1.2.5
#  python setup.py build
#  python setup.py install

Phase 4- Download and configure Kippo

SSH into your server as your Kippo username. Download Kippo (be sure to download the latest version) :

# wget https://kippo.googlecode.com/files/kippo-0.8.tar.gz

Unzip the file:

# tar -xvf kippo-0.8.tar.gz
# cd kippo-0.8

Then you need to edit your Kippo config file

# nano kippo.cfg

Most of the default configuration settings should be fine. However you are going to want to change the mysql settings to reflect the mysql username and database you created in cPanel earlier. Save the file and you should be ready to run kippo.

Assuming you did everything I recommended you should get something like this:

# ./start.sh
Starting kippo in background...Removing stale pidfile /home/kippouser/kippo/kippo.pid
/usr/lib64/python2.6/site-packages/twisted/conch/ssh/keys.py:13: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha, md5
/usr/lib64/python2.6/site-packages/twisted/conch/ssh/keys.py:13: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import sha, md5
Loading dblog engine: mysql
Congradulations! Kippo should be running.
# ps -ax | grep "kippo"
 484614 pts/2    S      0:00 su kippo
 484660 ?        Sl     0:00 /usr/bin/python /usr/bin/twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
 485746 pts/2    S+     0:00 grep kippo

Phase 5 - Firewall redirection

We have Kippo running but right now its only running on port 2222. Since we changed the default port earlier we can now use that port. So what we want to do is create a firewall rule that redirects port 22 to port 2222. As root you do this by running the following command:

# iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

It is important the eth0 is the network interface you want to run Kippo on.

Phase 6 - Graphs

If you are like me and want cool graphs to quickly get an overview on what is happening with your honeypot, you can download kippo-graphs:

http://bruteforce.gr/kippo-graph

Install it in your public_html directory and change the config file so it points to where you have kippo and be sure to include the MySQL database credentials you created earlier. Browsing to that directory should display some useful graphs:














4 comments:

  1. you can't install mysql packages with yum on cpanel because cpanel adds a mysql* line to the exclude line in /etc/yum.conf.

    ReplyDelete
  2. BlueHost is ultimately one of the best web-hosting company for any hosting services you require.

    ReplyDelete