How To Set Up Kojoney SSH Honeypot On CentOS 5.5

Want to support HowtoForge? Become a subscriber!
 
Submitted by poustchi (Contact Author) (Forums) on Fri, 2010-10-01 17:43. :: CentOS | Linux | Security | Security

How To Set Up Kojoney SSH Honeypot On CentOS 5.5

Kojoney is a low level interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.

This tutorial shows how you can compile and install updated version of Kojoney on CentOS 5.5 server.

I do not issue any guarantee that this will work for you!

 

Pre-Installation

First we must change the default SSH server port on our server because Kojoney must be run as a default SSH server! to capture the attackers!

vi /etc/ssh/sshd_config

Port 22

Change to

Port 2222

And restart the SSH service:

/etc/init.d/sshd restart

And you need gcc and python packages also.

yum install gcc python python-devel

 

Download Kojoney source package

You need to download latest version of Kojoney source package from http://kojoney.sourceforge.net/.

cd /tmp
wget http://biznetnetworks.dl.sourceforge.net/project/kojoney/kojoney-0.0.4.2.tar.gz
tar -xvf kojoney-0.0.4.2.tar.gz

 

Optional! : Download Kojoney updated packages

I update some packages in Kojoney and if you like to install these updates, follow these instructions otherwise directly Goto Install Kojoney Server.

I've updated IP-Country and Geography-Countries packages to improve country detection mechanism. I've also updated TwisteConch to add new sections in Kojoney report about the attacks!.These updates are available on Iran Honeynet Project web site.

cd  /tmp
wget http://www.honeynet.ir/software/kojoney-update/TwisteConch-0.6.0.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/IP-Country-2.27.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/Geography-Countries-2009041301.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/kojreport

/bin/cp -vf /tmp/TwisteConch-0.6.0.tar.gz /tmp/kojoney/libs/
/bin/cp -vf /tmp/kojreport /tmp/kojoney/reports/
rm -rfv /tmp/kojoney/reports/ip_country/*
/bin/cp -vf /tmp/IP-Country-2.27.tar.gz /tmp/kojoney/reports/ip_country/
/bin/cp -vf /tmp/Geography-Countries-2009041301.tar.gz /tmp/kojoney/reports/ip_country/

 

Install Kojoney Server

cd /tmp/kojoney
sh INSTALL.sh
echo "/etc/init.d/kojoney start" >> /etc/rc.local

 

Start Kojoney Server

/etc/init.d/kojoney start 

 

Log files and Reports

By default kojoney daemon output will be redirected to the file /var/log/honeypot.log. To see the Kojoney logging data use following command.

cat /var/log/honeypot.log

Use the commands 'kojreport' and 'kojreport-filter' tools to get some additional details about attackers as follows:

/usr/share/kojoney/kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
cat  /tmp/report.txt

/usr/share/kojoney/kojreport-filter /var/log/honeypot.log '<desired ip address or date>' 0 0 1 > /tmp/report.txt
cat  /tmp/report.txt

 

How to uninstall

To uninstall it use the script called UNINSTALL.sh distributed with the kojoney package.

cd /tmp/kojoney
sh UNINSTALL.sh

 

Testing

Connect to Kojoney SSH server on port 22 by using admin as username and admin as password.

ssh 127.0.0.1 -p 22 -l admin

You must see the following banner after successful login.

Welcome to Linux webtest 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux!

 

Links

The Honeynet Project: http://www.honeynet.org
Honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
Kojoney Project: http://kojoney.sourceforge.net/
Iran Honeynet Project: http://www.honeynet.ir/
CentOS: http://www.centos.org/


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.