SSH honeypot on Debian Linux

Alex, December 8, 2015 07:45
A couple of years ago I started moving SSH on all of my servers to non-default ports to make it a little bit harder for automated brute-force attacks. A simple port scan would reveal the new port, but I have seen a drop in break-in attempts of 99.999%. Out of curiosity, I now want to install a logging SSH daemon on the default port to see what is actually happening there.

Kippo

Kippo is an SSH honeypot tool written in Python that can log brute-force attacks. It can also log the shell interaction performed by the attacker. What follows is a quick how-to for installing Kippo on a Debian Linux system.

Dependencies

# apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted 
# apt-get install git authbind
#

Kippo User

You need a dedicated user to run the Kippo program; I chose “kip”. We will run Kippo as “kip” and not as root.
# adduser kip
Adding user `kip' ...
Adding new group `kip' (1001) ...
Adding new user `kip' (1001) with group `kip' ...
Creating home directory `/home/kip' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for kip
Enter the new value, or press ENTER for the default
        Full Name [Kip User]: Kippo User
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
#
To allow our kip user to bind to port 22, we need to give it permission to do so: only root is allowed to bind to ports below 1024. I will use the authbind tool for this.
# touch /etc/authbind/byport/22
# chown kip /etc/authbind/byport/22
# chmod 777 /etc/authbind/byport/22

Installing Kippo

We are now ready to install Kippo. I will do that as user “kip”.
# su kip
$ cd /home/kip
$ git clone https://github.com/desaster/kippo.git
$ cd kippo
$ cp kippo.cfg.dist kippo.cfg
Now modify kippo.cfg to your liking. The default port is set to 2222, so change that to 22. To have Kippo bind to port 22 as a normal user, modify the start.sh script so that twistd is launched through authbind:
authbind --deep twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
Now you are ready to start Kippo with ./start.sh. You can add this script to your system startup scripts (/etc/rc.local or similar) to have it start every time the server boots. You can edit the valid login and password combinations in the kippo/data/userdb.txt file. Now we just wait for break-in attempts. As soon as there are results I will post them here.

Quick Update

Update: Dec 10, 2015. The Kippo SSH honeypot has been running for a couple of days now and there have been 439 failed attempts to log in. The most popular credentials are listed below (an empty Password column means the attempt used a blank password):
Attempts  Login            Password
17        admin            admin
16        root             root
16        admin            password
15        ubnt             ubnt
14        support          support
14        admin
13        test             test
11        root
11        guest            guest
10        root             wubao
9         user             user
7         support
6         ubnt
6         test
5         user
5         guest
4         root             password
4         root             admin
4         root             12345
4         PlcmSpIp         PlcmSpIp
3         root             server
3         pi               raspberry
3         oracle           oracle
3         nagios           nagios
3         monitor          monitor
3         git              git
3         ftpuser          ftpuser
3         ftp              ftp
3         ftp
3         demo             demo
3         bill             bill
3         administrator    admin
3         admin            1234
2         webmaster        webmaster
2         vyatta           vyatta
2         user1            user1
2         user             12345
2         tomcat           tomcat
2         sales            sales
2         root             pfsense
2         root             alpine
2         info             info
2         helpdesk         helpdesk
2         ftp              tpuser
2         ftp              123456
2         bob              bob
2         anonymous        anonymous
2         administrator    administrator
2         administrator
2         adam             adam
2         12345            12345
1         www              www
1         webmaster
1         vyatta
1         visitor          visitor
1         uucp             uucp
1         username         password1
1         username         password
1         user3            user3
1         user2            user2
1         user1            123456
1         user1
1         user             user2
1         user             user123
1         user             user12
1         user             admin
1         user             1234
1         uploader         uploader
1         upload           upload12
1         upload           upload
1         ubnt1            ubnt1
1         tomcat
1         thomas           thomas
1         testuser         testuser
1         testtest         testtest
1         tester123        tester123
1         tester           tester123
1         tester           tester12
1         tester           tester
1         tester           12345
1         test3            test3
1         test2            test2
1         test1            test
1         test1            123456
1         test1            12345
1         test             testtest
1         test             test12345
1         test             qwerty
1         test             password
1         test             abc123
1         test             12345
1         test             123123123123
1         test             123123123
1         test             123123
1         test             123
1         temp2            temp2
1         temp1            temp123
1         temp1            temp1
1         temp1            temp
1         temp1            123456
1         temp1            12345
1         temp1            1234
1         temp             temp1
1         temp             123456
1         temp             12345
1         temp             1234
1         svn              svn
1         steve            steve
1         spam             spam
1         shop             shop
1         service          service
1         sales            sales123
1         sales
1         root1            root1
1         root             t0talc0ntr0l4!
1         root             superuser
1         root             root123
1         root             root12
1         root             root1
1         root             public
1         root             pass123
1         root             pass
1         root             operator
1         root             default
1         root             admin1234
1         root             admin123
1         root             admin12
1         root             admin1
1         root             abc123
1         root             987654321
1         root             7654321
1         root             54321
1         root             123qwe
1         root             1234567
1         root             123456
1         root             123
1         raspberry        raspberry
1         public           public
1         postfix          postfix
1         play             play
1         pi               raspberry123
1         pi               pi
1         pi
1         oracle
1         omega            omega
1         office           office
1         nobody           nobody
1         nagios
1         mysql            mysql
1         monitor
1         marketing        marketing
1         manager          manager
1         mailman          mailman
1         lpd              lpd
1         logout           logout
1         log              log
1         library          library
1         jonh             password
1         info             password1
1         info             info12
1         info             info1
1         info
1         helpdesk
1         guest            test
1         git
1         ftpuser          password
1         ftpuser          ftpuser123
1         ftpuser          asteriskftp
1         ftpuser          123456
1         ftpuser
1         ftp              ftpuser
1         ftp              ftp123
1         ftp              ftp12
1         ftp              12345678
1         ftp              12345
1         ftp              1234
1         ftp              123
1         fax              fax
1         demo
1         default          default
1         daemon           daemon
1         daemon           123456
1         daemon           12345
1         daemon           1234
1         daemon           123
1         company          company
1         book             book
1         bob
1         bin              bin
1         bill
1         backups          backups
1         backup           backup123
1         backup           backup12
1         backup           backup
1         anonymous
1         admin3           admin
1         admin2           admin2
1         admin1           admin1
1         admin            uucp
1         admin            test
1         admin            root
1         admin            password6
1         admin            password5
1         admin            password3
1         admin            password2
1         admin            password1
1         admin            manager
1         admin            default
1         admin            admin3
1         admin            admin2
1         admin            admin1234
1         admin            admin123
1         admin            admin12
1         admin            123456789
1         admin            12345678
1         admin            1234567
1         admin            123456
1         admin            12345
1         admin            123123
1         admin            123
1         admin            12
1         adam
1         PlcmSpIp
1         12345
If your login and password combination is listed above, you WILL get hacked. You should not be allowed to have a shell account at all if you think any of these passwords is acceptable.
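A tally like the one above comes straight out of log/kippo.log. As an added example (not part of the original post and not Kippo's own code), the Python script below parses Kippo's login-attempt lines, ranks credential pairs the way the table does, and separates the attempts the honeypot accepted (pairs from userdb.txt) from the failed ones; the log line format is assumed from Kippo's default twistd logging and the sample lines are constructed.

```python
import re
from collections import Counter

# Kippo's default twistd log line for a login attempt (format assumed from the
# honeypot's logging; not copied from the post):
#   <date> <time> [SSHService ssh-userauth on HoneyPotTransport,<n>,<ip>] login attempt [<user>/<pass>] failed
LOGIN_RE = re.compile(
    r"^\S+ \S+ \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>.*?)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample lines (not real honeypot data); the last line is noise the parser must skip.
SAMPLE_LOG = """\
2015-12-09 03:12:44+0100 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [admin/admin] failed
2015-12-09 03:12:46+0100 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [admin/] failed
2015-12-09 03:12:48+0100 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [root/root] failed
2015-12-09 05:40:01+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.9] login attempt [admin/admin] failed
2015-12-09 05:40:03+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.9] login attempt [root/123456] succeeded
2015-12-09 05:40:05+0100 [HoneyPotTransport,1,203.0.113.9] connection lost
"""

def parse_attempts(text):
    """Yield (ip, user, password, result) for each login-attempt line; other lines are ignored."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("password"), m.group("result")

def credential_table(text):
    """Rank (user, password) pairs by attempt count, ties broken by login then password
    descending, which is the order the post's table uses. A blank password stays ''."""
    counts = Counter((user, pw) for _ip, user, pw, _res in parse_attempts(text))
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0][0], kv[0][1]), reverse=True)

def successful_logins(text):
    """Attempts Kippo accepted (the pair matched data/userdb.txt): those sessions have a
    recorded shell interaction and are the ones worth reading first."""
    return [(ip, user, pw) for ip, user, pw, res in parse_attempts(text) if res == "succeeded"]

def attempts_by_source(text):
    """Attempt count per source IP, useful for spotting one scanner behind many tries."""
    return Counter(ip for ip, *_ in parse_attempts(text))

if __name__ == "__main__":
    print("Attempts  Login            Password")
    for (user, pw), n in credential_table(SAMPLE_LOG):
        print(f"{n:<8}  {user:<15}  {pw}")
```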