How To Set Up Kojoney SSH Honeypot On CentOS 5.5

Kojoney is a low level interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.

This tutorial shows how you can compile and install updated version of Kojoney on CentOS 5.5 server.

I do not issue any guarantee that this will work for you!



First we must change the default SSH server port on our server because Kojoney must be run as a default SSH server! to capture the attackers!

vi /etc/ssh/sshd_config

Port 22

Change to

Port 2222

And restart the SSH service:

/etc/init.d/sshd restart

And you need gcc and python packages also.

yum install gcc python python-devel


Download Kojoney source package

You need to download latest version of Kojoney source package from

cd /tmp
tar -xvf kojoney-


Optional! : Download Kojoney updated packages

I update some packages in Kojoney and if you like to install these updates, follow these instructions otherwise directly Goto Install Kojoney Server.

I've updated IP-Country and Geography-Countries packages to improve country detection mechanism. I've also updated TwisteConch to add new sections in Kojoney report about the attacks!.These updates are available on Iran Honeynet Project web site.

cd  /tmp

/bin/cp -vf /tmp/TwisteConch-0.6.0.tar.gz /tmp/kojoney/libs/
/bin/cp -vf /tmp/kojreport /tmp/kojoney/reports/
rm -rfv /tmp/kojoney/reports/ip_country/*
/bin/cp -vf /tmp/IP-Country-2.27.tar.gz /tmp/kojoney/reports/ip_country/
/bin/cp -vf /tmp/Geography-Countries-2009041301.tar.gz /tmp/kojoney/reports/ip_country/


Install Kojoney Server

cd /tmp/kojoney
echo "/etc/init.d/kojoney start" >> /etc/rc.local


Start Kojoney Server

/etc/init.d/kojoney start 


Log files and Reports

By default kojoney daemon output will be redirected to the file /var/log/honeypot.log. To see the Kojoney logging data use following command.

cat /var/log/honeypot.log

Use the commands 'kojreport' and 'kojreport-filter' tools to get some additional details about attackers as follows:

/usr/share/kojoney/kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
cat  /tmp/report.txt

/usr/share/kojoney/kojreport-filter /var/log/honeypot.log '<desired ip address or date>' 0 0 1 > /tmp/report.txt
cat  /tmp/report.txt


How to uninstall

To uninstall it use the script called distributed with the kojoney package.

cd /tmp/kojoney



Connect to Kojoney SSH server on port 22 by using admin as username and admin as password.

ssh -p 22 -l admin

You must see the following banner after successful login.

Welcome to Linux webtest 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux!


The Honeynet Project:
Kojoney Project:
Iran Honeynet Project:

Share this page:

Suggested articles

0 Comment(s)

Add comment