Yeah, the drunken typist has oddly been my favorite.
In short, root logins were “left open” by having the honeypot listen on port 22 with a weak password.
In more detail: I definitely wanted to have kippo running unprivileged, but that means that it’s unable to bind to port :22 on the host (yeah, there are some special flags you can tack onto binaries to enable this sort of capability, but I didn’t want to get too fancy). The following IPTables rule reroutes incoming port 22 to a different listening port:
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
Weak credentials are kind of tricky. I’ve found that a simple password like “root” makes crackers wary of the box (“That looks a little too open…”) but setting the root password to something like “password1234” is just enough above the “stupidly guessable” threshold that brute forcers will bite.
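As an added example (not the poster's script, and not part of kippo), the redirect above written out as a complete nat-table fragment, with a check that the honeypot's listening port is one an unprivileged process can actually bind. The interface name eth0, the script filename and the 22/2222 port pair are assumptions; it also assumes the real administrative sshd has already been moved off port 22 on that interface.

```shell
#!/bin/sh
# Added example: port-22 -> 2222 redirect for an unprivileged honeypot.
# Assumptions: external interface eth0, public port 22, honeypot on 2222.

# Unprivileged processes may only bind ports >= 1024. Returns 0 when
# LISTEN_PORT is such a port and differs from PUBLIC_PORT, 1 otherwise.
validate_ports() {
    public="$1"; listen="$2"
    case "$public" in ''|*[!0-9]*) return 1 ;; esac
    case "$listen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$listen" -ge 1024 ] && [ "$listen" -le 65535 ] && [ "$public" -ne "$listen" ]
}

# Emit an iptables-restore fragment. The rule from the post belongs in the
# nat table's PREROUTING chain; an optional interface limits the redirect to
# the external side so a management interface keeps its normal sshd.
redirect_rules() {
    public="$1"; listen="$2"; iface="${3:-}"
    in_if=""
    [ -n "$iface" ] && in_if="-i $iface "
    printf '*nat\n'
    printf -- '-A PREROUTING %s-p tcp -m tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$in_if" "$public" "$listen"
    printf 'COMMIT\n'
}

# Load the fragment without flushing existing nat rules (-n = --noflush).
# Without root it only shows what would be applied and returns 2.
apply_redirect() {
    validate_ports "$1" "$2" || {
        echo "listen port must be unprivileged (>=1024) and differ from the public port" >&2
        return 1
    }
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; rules that would be applied:" >&2
        redirect_rules "$1" "$2" "$3" >&2
        return 2
    fi
    redirect_rules "$1" "$2" "$3" | iptables-restore -n
}

# Usage: sh honeypot-redirect.sh 22 2222 eth0
# Only applies when called with arguments, so the file can be sourced safely.
if [ "$#" -ge 2 ]; then
    apply_redirect "$1" "$2" "${3:-}"
fi
```

The "special flags" alternative the post alludes to is the Linux file capability `cap_net_bind_service` (set with `setcap cap_net_bind_service=+ep` on the binary), which lets a non-root process bind ports below 1024; the redirect approach avoids granting the honeypot process any extra privilege at all, which is the safer default for software that is deliberately exposed to attackers.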