How To Set Up Kojoney SSH Honeypot On CentOS 5.5
Kojoney is a low level interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.
This tutorial shows how you can compile and install updated version of Kojoney on CentOS 5.5 server.
I do not issue any guarantee that this will work for you!
Pre-Installation
First we must change the default SSH server port on our server because Kojoney must be run as a default SSH server! to capture the attackers!
vi /etc/ssh/sshd_config
Port 22
Change to
Port 2222
And restart the SSH service:
/etc/init.d/sshd restart
And you need gcc and python packages also.
yum install gcc python python-devel
Download Kojoney source package
You need to download latest version of Kojoney source package from http://kojoney.sourceforge.net/.
cd /tmp
wget http://biznetnetworks.dl.sourceforge.net/project/kojoney/kojoney-0.0.4.2.tar.gz
tar -xvf kojoney-0.0.4.2.tar.gz
Optional! : Download Kojoney updated packages
I update some packages in Kojoney and if you like to install these updates, follow these instructions otherwise directly Goto Install Kojoney Server.
I've updated IP-Country and Geography-Countries packages to improve country detection mechanism. I've also updated TwisteConch to add new sections in Kojoney report about the attacks!.These updates are available on Iran Honeynet Project web site.
cd /tmp
wget http://www.honeynet.ir/software/kojoney-update/TwisteConch-0.6.0.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/IP-Country-2.27.tar.gz
wget
http://www.honeynet.ir/software/kojoney-update/Geography-Countries-2009041301.tar.gz
wget http://www.honeynet.ir/software/kojoney-update/kojreport
/bin/cp -vf /tmp/TwisteConch-0.6.0.tar.gz /tmp/kojoney/libs/
/bin/cp -vf /tmp/kojreport /tmp/kojoney/reports/
rm -rfv /tmp/kojoney/reports/ip_country/*
/bin/cp -vf /tmp/IP-Country-2.27.tar.gz /tmp/kojoney/reports/ip_country/
/bin/cp -vf /tmp/Geography-Countries-2009041301.tar.gz /tmp/kojoney/reports/ip_country/
Install Kojoney Server
cd /tmp/kojoney
sh INSTALL.sh
echo "/etc/init.d/kojoney start" >> /etc/rc.local
Start Kojoney Server
/etc/init.d/kojoney start
Log files and Reports
By default kojoney daemon output will be redirected to the file /var/log/honeypot.log. To see the Kojoney logging data use following command.
cat /var/log/honeypot.log
Use the commands 'kojreport' and 'kojreport-filter' tools to get some additional details about attackers as follows:
/usr/share/kojoney/kojreport /var/log/honeypot.log 0 0 1 > /tmp/report.txt
cat /tmp/report.txt
/usr/share/kojoney/kojreport-filter /var/log/honeypot.log '<desired ip address
or date>' 0 0 1 > /tmp/report.txt
cat /tmp/report.txt
How to uninstall
To uninstall it use the script called UNINSTALL.sh distributed with the kojoney package.
cd /tmp/kojoney
sh UNINSTALL.sh
Testing
Connect to Kojoney SSH server on port 22 by using admin as username and admin as password.
ssh 127.0.0.1 -p 22 -l admin
You must see the following banner after successful login.
Welcome to Linux webtest 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux!
Links
The Honeynet Project: http://www.honeynet.org
Honeypot:
http://en.wikipedia.org/wiki/Honeypot_(computing)
Kojoney Project: http://kojoney.sourceforge.net/
Iran Honeynet Project: http://www.honeynet.ir/
CentOS: http://www.centos.org/