Over the last three episodes, I have demonstrated how to setup a Kippo SSH honeypot and briefly highlighted the basic configurations and capabilities of it. In my final episode of the Kippo series, I will be looking into the analysis of logs captured by your honeypot.
I’ve highlighted in the first episode that Kippo allows you to log data captured into a database. You can analyse the data captured by looking into the relevant tables. Or you can enable text-based logging on your Kippo configuration file, kippo.cfg, and analyse it using tools such as Splunk.
However, I will want to dedicate the reminding of this episode to Kippo-Graph – a full featured script to visualise statistics from a Kippo SSH honeypot.
Resolving Dependencies
If you have not followed the first episode and installed Apache2, get it now by running:
If you already have Apache2 running in your machine, restart it:
Grab a Copy of Kippo-Graph
Now, grab a copy of Kippo-Graph from BruteForce Lab and place it in your web server.
Database Configuration
Kippo-Graph visualise statistics from your Kippo SSH honeypot by accessing data from your MySQL database. You will need to configure your Kippo-Graph so it can gain access to your database.
Using Kippo-Graph
Now, browse into your Kippo-Graph web page and you will realise that the statistics are not updated in real time. You will have to manually click on the link “GENERATE_THE_KIPPO_GRAPHS();” before any results are visualised.
But before you can run that script, modify the permission so you can run it.
With everything set, generate your Kippo-Graphs and let the visualisation magic begins! Kippo-Graph currently shows 24 charts:
- Top 10 passwords attempted
- Top 10 usernames attempted
- Top 10 username-password combinations (bar chart)
- Top 10 username-password combinations (pie chart)
- Overall success ratio
- Most successful logins per day (Top 20)
- Successes per day
- Successes per week
- Number of connections per unique IP (Top 10)
- Number of connections per unique IP (Top 10)
- Successful logins from same IP (Top 20)
- Most probes per day (Top 20)
- Probes per day
- Probes per week
- Top 10 SSH clients
- Number of connections per country
- Number of connections per unique IP (Top 10) + Country Codes (bar chart)
- Number of connections per unique IP (Top 10) + Country Codes (pie chart)
- Human activity busiest days (Top 20)
- Human activity per day
- Human activity per week
- Top 10 input (overall)
- Top 10 successful input
- Top 10 failed input
–
- Part 01: Getting Started
- Part 02: User & Password Management
- Part 03: A Sticky Honeypot
- Part 04: Kippo-Graph
–
Kudos to Ioannis Koniaris (Ion) for writing such an amazing piece of work.
