Tuesday, February 15, 2011

Setting up Kippo on an AWS Linux Micro Instance

I came across a medium interaction honeypot named Kippo recently. It is written in Python and relies on the Twisted framework for most of its networking. I signed up for the free AWS micro instance (http://aws.amazon.com/free/)and was thinking of moving my blog over to it. However, the last thing I wan to do when I get home is administer my own server. So I decided I might take advantage of the micro instance by running a honeypot on it. I have done honeypot research in the past for my Masters degree and have always liked studying the bots and skiddies that break in.

The micro instance is running a stock 10GB AWS Linux image. I am running ami-08728661 like other micro instances it is a boot from EBS ami. AWS Linux is built on Red Hat sources so it is really a lot like running a CentOs server (without the huge repo). AWS Linux has a smaller repo and the instance itself is really stripped down. I think this is great from a security perspective. However, when it came to installing Kippo there were a few packages that were missing. Most notably Twisted.

Download the latest version of Twisted at:

In order to install Twisted there are a few python module dependencies that need to be met. The easiest way to install these modules is to use python-setuptools easy_install. So from a command prompt run:

Another package that is needed is python-devel so run:

Now install the needed python modules pycrypto and pyasn1


Now you can install Twisted first un bzip and un tar the bundle:

Enter into the Twisted directory:

Now run the python setup script:

Once Twisted is installed it is time to get Kippo and get it running. You can download Kippo from:

I used wget to pull it down:

Ungzip the package:

Now you can move the Kippo driectory to wherever you want I chose to move it to the /opt directory:

By default Kippo runs on port 2222 so in order to have ssh access to your server I suggest moving the ssh port to another higher port. You can make this change in your /etc/ssh/sshd_conf file. Once you change the port you connect to restart the ssh server with:

Reconnect to your micro instance on the new ssh port.

Now you can use IPTables to redirect all traffic to port 22 to port 2222 by using the following IPTables command:

Now everything should be in place. Make sure you do not run Kippo as root. Now you can run the start.sh script in the kippo-0.5 directory.

If everything works correctly you should now see kippo running. Now try to connect to your new honeypot and verify it works.

Take a look at the kippo.cfg file to get a good idea about all of the configuration options. You can also add more commands. However, that will have to wait for another blog post. Have fun and be safe. If you et any interesting results please don't hesitate to share them with me.

No comments: