Honeypots are rad. Their uses are varied, but I’ve used my own mostly for research (and entertainment). It’s been running for over a year now, and I thought it would be worthwhile (and interesting) to summarize my findings.
Pretty fun to see those… especially the drunken typist. A quick question: Did you just leave your root password blank? (is that what you mean by an “open port 22”?) If not, how were these guys able to log in as root?
Yeah, the drunken typist has oddly been my favorite.
In short, root logins were “left open” by having the honeypot listen on port 22 with a weak password.
In more detail: I definitely wanted to have kippo running unprivileged, but that means that it’s unable to bind to port :22 on the host (yeah, there are some special flags you can tack onto binaries to enable these sorts of capabilities, but I didn’t want to get too fancy). The following iptables rule reroutes incoming port 22 traffic to a different listening port:
Weak credentials are kind of tricky. I’ve found that a simple password like “root” makes crackers wary of the box (“That looks a little too open…”) but setting the root password to something like “password1234” is just enough above the “stupidly guessable” threshold that brute forcers will bite.
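One way to do the port-22 redirect described in the reply above, as an added example that is not the post author's own rule (the honeypot port 2222, the PREROUTING/OUTPUT pairing and the IPTABLES override variable are my assumptions):

```shell
#!/bin/sh
# Added example: redirect inbound TCP/22 to an unprivileged port so the
# honeypot can listen there without root. Ports are assumptions; adjust.
set -eu

IPTABLES="${IPTABLES:-iptables}"        # override for dry runs (e.g. IPTABLES=echo)
SSH_PORT="${SSH_PORT:-22}"              # port the scanners connect to
HONEYPOT_PORT="${HONEYPOT_PORT:-2222}"  # unprivileged port kippo listens on

# Rule body for a given nat chain. PREROUTING catches packets arriving from
# the network; OUTPUT is only needed for connections made from the host itself.
rule_spec() {
  printf '%s -p tcp --dport %s -j REDIRECT --to-ports %s' \
    "$1" "$SSH_PORT" "$HONEYPOT_PORT"
}

# Append the redirect only if it is not already present (-C checks for it),
# so re-running the script after a reboot does not stack duplicate rules.
ensure_redirect() {
  chain="$1"
  # shellcheck disable=SC2046  (word splitting of rule_spec is intended)
  if "$IPTABLES" -t nat -C $(rule_spec "$chain") 2>/dev/null; then
    echo "present: $chain"
    return 0
  fi
  "$IPTABLES" -t nat -A $(rule_spec "$chain")
  echo "added: $chain"
}

# Apply for real only when invoked as "./redirect.sh apply" (needs root);
# running it without arguments just defines the functions.
if [ "${1:-}" = "apply" ]; then
  ensure_redirect PREROUTING   # traffic from the outside world
  ensure_redirect OUTPUT       # local "ssh localhost" testing
fi
```

Check the result with `iptables -t nat -L PREROUTING -n` and, from another host, `ssh root@honeypot`; the honeypot process itself should stay bound to 2222 as a non-root user.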
I know this thread is like 2 years old… but, I was wondering how you film the hackers in the honeypot? I have my honey pot setup, but I’m not sure the best way to record the actions of the person on the other side…
Hi! It’s been a while but there are a few places I can point you:
Kippo has a utility that it ships with that enables you to play back the logs that it records - check out the util/playlog.py utility in the kippo GitHub repo (not sure what options you might have if you’re not using kippo).
In order to record and reproduce the logs here, I piped the output of playlog.py into asciinema using it to record the output. At that point it’s just a matter of embedding the asciinema recording.
Hey! Great post. It was a little hard to follow though, because all the asciinema recordings have been archived and I can’t see them (asciinema made a change recently where all recordings that aren’t attached to an account are automatically archived after 7 days).
@sbrl thank you for catching that! I’ve had the recordings restored by Asciinema, and also retrieved them to host them purely locally to avoid this situation in the future. Let me know if any of the recordings continue to fail to render.
Re-reading it with the asciinema recordings, it’s pretty hilarious. Thanks for sharing! Once I’ve got a proper setup going (inspired by your going completely overboard post!), I’d like to perhaps look at something like this.
In more detail: I definitely wanted to have kippo running unprivileged, but that means that it’s unable to bind to port :22 on the host
I do this for my Gitea instance:
setcap 'cap_net_bind_service=+ep' path/to/binary
I’ve got it as a little shell script that I re-execute every time it updates. Thinking about it, I could use a systemctl edit service_name and add an ExecStartPre= line to it for the same effect.