How To Set Up Kojoney SSH Honeypot On CentOS 5.5
Kojoney is a low-interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.
This tutorial shows how you can compile and install an updated version of Kojoney on a CentOS 5.5 server.
I do not issue any guarantee that this will work for you!
First we must change the port of the real SSH server on our system, because Kojoney must listen on the default SSH port (22) to capture attackers.
Then restart the SSH service.
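The port change and restart described above, as an added example script that is not part of the tutorial: it rewrites the Port directive in sshd_config (keeping a backup), validates the new file with sshd -t before restarting, and confirms that port 22 is free for Kojoney. The config path and the port 2222 are assumptions, and the live changes only run when KOJONEY_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the Kojoney tutorial: move the real sshd
# off port 22 so Kojoney can bind it, with the checks that keep you from
# locking yourself out. Paths/ports are assumptions and can be overridden.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
NEW_PORT="${NEW_PORT:-2222}"

# Rewrite the Port directive in an sshd_config file (the commented
# "#Port 22" of a stock CentOS install included); append one if none
# exists. A backup is kept at <file>.bak so the change can be rolled back.
set_sshd_port() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    cp -p "$cfg" "$cfg.bak" || return 1
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            # first Port line becomes the new one; later ones are dropped
            # so sshd does not keep listening on 22 next to Kojoney
            if (!done) { print "Port " p; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg.bak" > "$cfg"
}

# Report the port sshd will use: the first active Port line, else 22.
get_sshd_port() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# Apply on a live host only when explicitly requested (KOJONEY_APPLY=1):
# validate the new config before restarting, then confirm 22 is free.
apply_port_change() {
    set_sshd_port "$SSHD_CONFIG" "$NEW_PORT" || return 1
    if ! /usr/sbin/sshd -t -f "$SSHD_CONFIG"; then
        echo "config invalid, restoring backup" >&2
        mv "$SSHD_CONFIG.bak" "$SSHD_CONFIG"; return 1
    fi
    service sshd restart   # keep your current session open until the new port answers
    netstat -tln | grep -q "[:.]$NEW_PORT " || echo "sshd not on $NEW_PORT" >&2
    netstat -tln | grep -q '[:.]22 ' && echo "port 22 still busy, Kojoney cannot bind" >&2
}
if [ "${KOJONEY_APPLY:-0}" = 1 ]; then apply_port_change; fi
```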
You also need the gcc and python packages:
yum install gcc python python-devel
Download Kojoney source package
Download the latest version of the Kojoney source package from http://kojoney.sourceforge.net/ and extract it:
tar -xvf kojoney-0.0.4.2.tar.gz
Optional: Download Kojoney updated packages
I have updated some packages in Kojoney; if you would like to install these updates, follow these instructions, otherwise go directly to Install Kojoney Server.
I've updated the IP-Country and Geography-Countries packages to improve the country detection mechanism. I've also updated TwisteConch to add new sections about the attacks to the Kojoney report. These updates are available on the Iran Honeynet Project web site.
/bin/cp -vf /tmp/TwisteConch-0.6.0.tar.gz /tmp/kojoney/libs/
/bin/cp -vf /tmp/kojreport /tmp/kojoney/reports/
rm -rfv /tmp/kojoney/reports/ip_country/*
/bin/cp -vf /tmp/IP-Country-2.27.tar.gz /tmp/kojoney/reports/ip_country/
/bin/cp -vf /tmp/Geography-Countries-2009041301.tar.gz /tmp/kojoney/reports/ip_country/
Install Kojoney Server
echo "/etc/init.d/kojoney start" >> /etc/rc.local
Start Kojoney Server
Log files and Reports
By default, the Kojoney daemon writes its output to /var/log/honeypot.log. To view the Kojoney log data, use the following command.
Use the 'kojreport' and 'kojreport-filter' tools to get additional details about attackers, as follows:
/usr/share/kojoney/kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
/usr/share/kojoney/kojreport-filter /var/log/honeypot.log '<desired ip address or date>' 0 0 1 > /tmp/report.txt
How to uninstall
To uninstall, use the UNINSTALL.sh script distributed with the Kojoney package.
Test Kojoney Server
Connect to the Kojoney SSH server on port 22 using admin as the username and admin as the password:
ssh 127.0.0.1 -p 22 -l admin
You should see the following banner after a successful login:
Welcome to Linux webtest 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux!
The Honeynet Project: http://www.honeynet.org
Kojoney Project: http://kojoney.sourceforge.net/
Iran Honeynet Project: http://www.honeynet.ir/