Setting up an EC2 Instance
The first step to setting up the honeypot is to subscribe to Amazon's EC2 service. You'll need to go through the registration and enter a credit card, but they won't charge anything to it. You'll also need to enter a phone number to receive a code in order to verify your identity. I'm not going to walk through that process here, but you can sign up and read more here: http://aws.amazon.com/ec2/
Once your account is created, open up the AWS Management Console. It should look like this:
Click on "EC2". Now, launch an instance by clicking "Launch Instance."
Getting an IP Address
Now, create a new elastic IP for your machine. This will allow your machine to retain a single IP through which attackers can SSH. Click on "elastic IPs" under "Network and Security." Then, allocate a new IP address. In many cases, honeypots will have two network interfaces - one for the attack surface, another for management. Each interface would have a different IP address to separate the attack surface from the management. However, Amazon's free tier allocates only a single elastic IP. Do not create a second IP or you may be charged for additional usage.
Once you have an IP, make sure it is pointing to your running instance.
SSH to the Instance
We can now connect to the instance via SSH. Make sure you are in the folder in which you saved your .pem file from Amazon. Then, SSH in using the following command:
ssh -v -i <your-key>.pem ubuntu@ec2-<ip-address>.compute-1.amazonaws.com
"ubuntu" (lowercase) is the default username for the instance.
Change the SSH Port
To work around the single-IP restriction, we're going to run the management SSH on a non-standard port and the honeypot on the typical port 22. This will allow us to both obscure the management connection and increase the number of attacks seen by the honeypot (almost every attacker will try port 22 for SSH first). To change ports, we need to edit the configuration file for the already-running SSH server and then restart the service. Do this carefully or you may lose access to your machine.
Begin by editing your SSH config file located here: /etc/ssh/sshd_config
At the very top of the file are the following lines:
# What ports, IPs and protocols we listen for
Port 22
Change this port number to something between 49152 and 65535. Make sure you write it down and do not forget the port number you selected.
Now, restart the SSH service by running:
sudo service ssh restart
When you run this command you will likely be disconnected from your machine. Hopefully you "restarted" and didn't "stop."
You will now need to edit the Amazon security rules within your AWS console to allow your new port on inbound connections. To do this, click "Security Groups" under "Network & Security." Then, click on the "quick-start-1" group and then the "Inbound" tab. Add your new port number and be sure to apply the changes.
You can see that my port is 50683 in this case.
Now, reconnect to the machine by running the following command. Note the added -p parameter to specify the port number.
ssh -v -i <your-key>.pem ubuntu@ec2-<ip-address>.compute-1.amazonaws.com -p <port>
*Note: you can create an SSH configuration so you don't need to specify all these options for every connection but that is beyond the scope of this guide.
Hopefully you have reconnected to your machine. SSH is now running on a port other than 22 which will allow us to use the standard SSH port for our honeypot.
We can now install Kippo and begin configuring our honeypot. I am not going to re-write a guide for the installation process as it is well-documented and many guides already exist. This is a great guide, written for CentOS, but the process is very similar: http://www.howtoforge.com/how-to-set-up-kippo-ssh-honeypot-on-centos-5.5
*Note that you should not need to update Python. Also, when downloading the Kippo source, be sure to use the latest version, as that guide is a bit old. Finally, you will need to add the iptables rule to redirect port 22 traffic to port 2222.
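As an added example (not from the original guide or from Kippo), the script below performs the port change and the iptables redirect described above in one place: it validates the chosen management port against the 49152-65535 range, rewrites the Port line in sshd_config, syntax-checks the file before the restart so a typo cannot lock you out, and adds the 22 -> 2222 redirect. It assumes Ubuntu paths (/etc/ssh/sshd_config, "service ssh") and that iptables is installed; the function names are mine.

```sh
#!/bin/sh
# Added example for this guide (not Kippo's or the original author's code).
# Assumes Ubuntu: sshd_config at /etc/ssh/sshd_config, "service ssh", iptables.
set -eu

# Accept only a port in the range the guide recommends (49152-65535).
valid_mgmt_port() {
    case "$1" in ''|*[!0-9]*) return 1;; esac
    if [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# Rewrite the "Port NN" line of a sshd_config ($2, default the system file)
# and print the port now configured so the caller can verify the edit.
set_sshd_port() {
    port=$1; cfg=${2:-/etc/ssh/sshd_config}
    valid_mgmt_port "$port" || { echo "port $port not in 49152-65535" >&2; return 1; }
    cp "$cfg" "$cfg.bak"    # keep a copy: a bad edit here can lock you out
    sed -i "s/^#\{0,1\}Port [0-9]\{1,\}$/Port $port/" "$cfg"
    awk '$1 == "Port" { print $2 }' "$cfg"
}

# The nat rule that sends attackers arriving on port 22 to Kippo on 2222
# (Kippo runs unprivileged, so it cannot bind port 22 itself).
redirect_rule() {
    echo "iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222"
}

main() {
    new_port=$1
    # Open the new port in the EC2 security group before this step, or the
    # restart below will disconnect you with no way back in.
    set_sshd_port "$new_port" >/dev/null
    sshd -t                         # syntax check first; never restart blind
    service ssh restart             # "restart", not "stop"
    eval "$(redirect_rule)"
    echo "management SSH on $new_port; port 22 now redirected to Kippo on 2222"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as root with the chosen port as the only argument (for example the guide's 50683); the iptables rule is not persistent across reboots, so re-add it or save it with your distribution's iptables-persistent tooling.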
Once everything is installed and running, you should be able to issue the command:
and be logged into your honeypot.
One of the best parts of Kippo is that it logs every interaction an attacker has with the system. These logs are saved in /home/kipuser/kippo/log/
*kipuser may be replaced with the username of the kippo user you created.
To replay the logs, copy the file "playlog.py" from kippo/utils into the kippo/log/tty folder, then issue the command:
sudo python playlog.py <log-name>.log 0
This will replay the attacker's interaction with the system.