Thursday, February 16, 2012

SSH Honeypot Using Kippo

Honeypots are an excellent way to get involved with learning about the computer underground. When implemented properly you can get a clear view of what is happening on your network overall, and some of the tricks attackers attempt to use against vulnerable systems; you may even end up picking up some nifty tricks along the way.

There are three general types of honeypots:
  • Low Interaction
    • These generally just log break in attempts; the source, destination, username and password that the attacker attempted to use to get in to the machine.
    • Very safe
  • Medium Interaction
    • A small program that runs on a server that provides a very limited contained environment for attackers to break in to and play with. These honeypots generally log what the user tries to do, capture files, and provide re-playable sessions.
    • Mostly safe if done properly
  • High Interaction
    • These can be anything from entire servers left vulnerable to virtual machines sitting on a network. They generally allow all inbound and outbound connections and are full machine implementations.
    • Dangerous, and illegal in some places, as you are knowingly running malware.

The first type of honeypot works well for system administrators who just want to keep an eye on global traffic and perhaps even the characteristics of different botnets that have sprung up.

The second type (medium interaction), when implemented properly, can be an excellent tool for studying the first stage of many attacks while keeping the network relatively secure.

The third type of honeypot, which allows full connections in and out, is incredibly dangerous and irresponsible to run: any mistake made when implementing it, and even things not seen as mistakes (such as unrestricted outbound connections), may endanger other servers on the Internet.

Kippo
Kippo is a medium interaction honeypot that is written in Python using the Twisted framework. It provides what appears to attackers to be a Unix/Linux system, and allows those who run it to easily add new "commands" or files to the system through a simple plugin system (beyond the scope of this article).

One of Kippo's greatest benefits is its extensive logging capabilities; entire sessions can be played back and studied at a later time, and all files downloaded by attackers are stored and saved so you can look through them at your leisure.

Kippo should not be run as root (obviously), so that any bug in the program cannot be leveraged to execute code as an administrator. It can still be set up in three easy steps however:

  1. Download and extract kippo as an unprivileged user (probably best if you create a new one for the kippo server)
  2. Add a line like the following to your crontab; this will make sure kippo restarts when the server reboots:
    @reboot cd /home/username/kippo-0.5/; ./start.sh
  3. Redirect your SSH port to 2222 (where kippo lives), since an unprivileged user cannot bind port 22:
    sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222
  4. Start kippo by running "start.sh" in the extracted directory
  5. (Optional) Save your iptables configuration so it is re-applied after reboot: http://www.debian-administration.org/articles/445
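Once kippo is running, the log it writes is where the value is. As an added example (not kippo's own code and not from the original post), here is a small Python summary of the login attempts recorded in kippo.log; the line format is assumed from kippo 0.5's Twisted logging, and the sample lines are constructed, not real traffic.

```python
"""Summarise login attempts from a kippo honeypot log (kippo.log)."""
import re
from collections import Counter

# Twisted-style line as kippo 0.5 writes it (format assumed from its source):
#   2012-02-16 20:11:05+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/toor] failed
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>failed|succeeded)$"
)

def parse_login_attempts(lines):
    """Yield one dict per login attempt; connection and command lines are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()

def summarise(lines):
    """Counts an operator wants: attempts per source, most-tried credentials,
    and every successful login (a session worth replaying)."""
    attempts = list(parse_login_attempts(lines))
    return {
        "total": len(attempts),
        "by_ip": Counter(a["ip"] for a in attempts),
        "credentials": Counter((a["user"], a["pw"]) for a in attempts),
        "successes": [(a["ts"], a["ip"], a["user"], a["pw"])
                      for a in attempts if a["result"] == "succeeded"],
    }

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2012-02-16 20:11:03+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 203.0.113.7:54012 (10.0.0.5:2222) [session: 3]
2012-02-16 20:11:05+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/toor] failed
2012-02-16 20:11:07+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/password] failed
2012-02-16 20:11:09+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/123456] succeeded
2012-02-16 20:12:41+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [admin/admin] failed
2012-02-16 20:12:43+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [root/123456] failed
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print(f"{s['total']} login attempts from {len(s['by_ip'])} sources")
    for (user, pw), n in s["credentials"].most_common(3):
        print(f"  {n}x {user}/{pw}")
    for ts, ip, user, pw in s["successes"]:
        print(f"  SUCCESS {ts} {ip} {user}/{pw}")
```

Point it at the real file with `summarise(open("log/kippo.log"))` to get the same summary over a day's traffic.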