Deploying Kippo with Ansible

Nov 25, 2014

I've been running some instances of Kippo for quite a while now with great results. I recently wrote an Ansible playbook to automate the process of deploying Kippo hosts and also make it scalable. You can find the playbook on my GitHub page, specifically here.

In a nutshell, the playbook will deploy a central database for all the Kippo hosts to log incoming attacks and then deploy a number of Kippo hosts. You can specify which repo to clone Kippo from or do ad-hoc file modifications to files in the repo. For example, I've modified some commands like wget.

A couple of weeks ago, GitHub announced its Student Pack, giving $100 of credit on DigitalOcean, which I promptly grabbed. Two nights ago, I decided to use the credit on building a small cluster of SSH honeypots, consisting of twelve Kippo hosts. Of course, the whole project was orchestrated using Ansible.

I created thirteen VMs (droplets in DO terms) using the DigitalOcean Ansible module, twelve for the Kippo hosts and one for the logging database. I also ran a couple of ad-hoc Ansible commands to further configure some settings inside the VMs, and finally used ssh-multi (which I've talked about in my tmux config post) to make sure everything was configured properly.

Results

It's been a little over 48 hours since I set this up, so let's see some early statistics. I used an old script of mine to extract these.

    Total login attempts: 212589
    Total unique passwords tried: 17080

That means a little under 4.5k attacks per hour, or 74 attacks per minute, or 1.2 attacks per second with only twelve sensors online. The sensors were spread across the DO network, so I would get different IP ranges and also geographical diversity.
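The post doesn't show the script behind those numbers, so here is an added example (mine, not the author's) that produces the same kind of summary from Kippo's text logs instead of the central database: total login attempts, unique passwords, unique usernames and source IPs, how many attempts "succeeded", the most-tried passwords, and the per-hour/minute/second rate over the observed window. It assumes Kippo's default log line format for authentication attempts (a Twisted-style timestamp followed by "login attempt [user/password] failed|succeeded"); the log lines in SAMPLE_LOG are constructed, not real captures. Passwords containing "]" are handled, but a username containing "/" would be split at the first slash, since the log line gives no other delimiter.

```python
"""Summarise SSH login attempts from Kippo text logs.

Added example, not the blog author's script. Assumes Kippo's default
auth log lines, e.g. (constructed):

2014-11-24 20:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/123456] failed

Usage: python kippo_stats.py kippo.log [more.log ...]
Logs from several sensors can simply be concatenated; the time window is
taken from the earliest and latest attempt, so ordering does not matter.
"""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample, not real traffic. Includes one non-auth line and a
# password containing ']' to show the greedy match still parses it.
SAMPLE_LOG = """\
2014-11-24 20:00:00+0000 [HoneyPotTransport,3,203.0.113.7] connection lost
2014-11-24 20:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/123456] failed
2014-11-24 20:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/password] failed
2014-11-24 20:30:00+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [admin/123456] failed
2014-11-24 20:30:01+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [root/a]b] failed
2014-11-24 21:59:59+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.9] login attempt [root/123456] succeeded
2014-11-24 22:00:00+0000 [SSHService ssh-userauth on HoneyPotTransport,5,198.51.100.9] login attempt [root/toor] failed
"""

# Assumed line layout (Kippo default). The password group is greedy so a
# ']' inside the password does not end the match early; the user group
# stops at the first '/', the only delimiter the line offers.
LOGIN_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) '
    r'\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] '
    r'login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$'
)


def parse_attempts(lines):
    """Yield one dict per login attempt; lines that are not auth attempts are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line.rstrip('\n'))
        if not m:
            continue
        yield {
            'time': datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S%z'),
            'ip': m.group('ip'),
            'user': m.group('user'),
            'password': m.group('password'),
            'success': m.group('result') == 'succeeded',
        }


def rates(total, hours):
    """Attack rate per hour, minute and second for `total` attempts over `hours`."""
    per_hour = total / hours
    return {'per_hour': per_hour, 'per_minute': per_hour / 60, 'per_second': per_hour / 3600}


def summarise(lines, top=5):
    """Aggregate statistics over the login attempts found in `lines`."""
    attempts = list(parse_attempts(lines))
    if not attempts:
        return {'total': 0}
    passwords = Counter(a['password'] for a in attempts)
    times = [a['time'] for a in attempts]
    span_hours = (max(times) - min(times)).total_seconds() / 3600
    return {
        'total': len(attempts),
        'unique_passwords': len(passwords),
        'unique_users': len({a['user'] for a in attempts}),
        'unique_sources': len({a['ip'] for a in attempts}),
        'successes': sum(a['success'] for a in attempts),
        'top_passwords': passwords.most_common(top),
        'span_hours': span_hours,
        # A single attempt gives a zero-length window; report no rate rather than divide by zero.
        'rates': rates(len(attempts), span_hours) if span_hours > 0 else None,
    }


def main(paths):
    lines = []
    for path in paths:
        with open(path, encoding='utf-8', errors='replace') as fh:
            lines.extend(fh)
    summary = summarise(lines or SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f'{key}: {value}')


if __name__ == '__main__':
    main(sys.argv[1:])
```

Run it with no arguments and it summarises the built-in sample; pass the kippo.log files collected from each sensor to get the real picture. The rates() helper applied to the post's own totals (212589 attempts over 48 hours) gives roughly 4430 per hour, 74 per minute and 1.2 per second, matching the figures above.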

Unfortunately, I didn't get any new samples, just random variants of Elknot, much like the one MalwareMustDie analyzed in the past. I'll probably increase the number of sensors soon enough, which brings me to my next point.

I love the simplicity of Ansible and the ease of adding new hosts to a deployment, once you've written a playbook. All I have to do now to add more hosts in my Kippo "cluster" is:

    ansible-playbook -i new_hosts -t kippo site.yml

and only the tasks tagged kippo run, installing and configuring Kippo on the new hosts so they're ready to attract and log more attacks.

Tags: software security honeypot