Deploying Kippo with Ansible

Nov 25, 2014

I've been running some instances of Kippo for quite some while now with great results. I recently wrote an Ansible playbook to automate the process of deploying Kippo hosts and also make it scalable. You can find the playbook on my GitHub page, specifically here.

In a nutshell, the playbook will deploy a central database for all the Kippo hosts to log incoming attacks and then deploy a number of Kippo hosts. You can specify which repo to clone Kippo from or do ad-hoc file modifications to files in the repo. For example, I've modified some commands like wget.

A couple of weeks ago, GitHub announced its Student Pack, giving 100$ of credit on DigitalOcean, which I promptly grabbed. Two nights ago, I decided to use the credit on building a small cluster of SSH honeypots, consisting of twelve Kippo hosts. Of course, the whole project was orchestrated using Ansible.

I created thirteen VMs (droplets in DO terms) using the Digital Ocean ansible module, twelve for the Kippo hosts and one for the logging database. I, also, ran a couple of ad-hoc Ansible commands to further configure some settings inside the VMs, and finally used ssh-multi (which I've talked about in my tmux config post) to make sure everything was configured properly.

Results

It's been a little over 48 hours since I set this up, so let's see some early statistics. I used an old script of mine to extract these.

    Total login attempts: 212589 Total unique passwords tried: 17080

That means a little under 4.5k attacks per hour, or 74 attacks per minute, or 1.2 attacks per second with only twelve sensors online. The sensors were spread across the DO network, so I would get different IP ranges and also geographical diversity.

Unfortunately, I didn't get any new samples, just random variants of Elknot, much like the one MalwareMustDie analyzed in the past. I'll probably increase the number of sensors soon enough, which brings me to my next point.

I love the simplicity of Ansible and the ease of adding new hosts to a deployment, once you've written a playbook. All I have to do now to add more hosts in my Kippo "cluster" is:

    ansible-playbook -i new_hosts -t kippo site.yml

and only the Kippo tasks will run, installing and setting up Kippo, ready to attract and log more attacks.

Tags: software security honeypot
A photo of the author where the face has been replaced with an xD smiley

Sharing my thoughts on Decentralization, Security and Operations.

Blog

About

GitHub

Mastodon

RSS Feed

Recent posts:

Early 2024 updates

Comparing Reticulum and Meshtastic

December 2023 updates

November 2023 updates

My tiny archivemail alternative in Rust

Dionysis Grigoropoulos - Licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Powered by Hugo and the Hugo-HackThePlanet theme.