CentOS release 6.2 (Final) Linux www.centos.com 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux 

cd /home/ wget https://codeload.github.com/desaster/kippo/zip/master unzip master yum install twisted python-zope-interface python-pyasn1 mv kippo-master kippo useradd kippo chown -R kippo:kippo cd kippo cp kippo.cfg.dist kippo.cfg 

iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222 

yum install mysql mysql-server /etc/init.d/mysqld start mysql -uroot  create database kippo; GRANT ALL ON kippo.* to 'kippo'@'localhost' identified by 'kippo'; 

[database_mysql] host = localhost database = kippo username = kippo password = kippo port = 3306   mysql -ukippo -p -Dkippo < /home/kippo/doc/sql/mysql.sql 

yum -y install python-devel mysql-devel wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz tar -zxvf setuptools-0.6c11.tar.gz cd setuptools-0.6c11 python2.6 setup.py build python2.6 setup.py install wget https://pypi.python.org/packages/source/M/MySQL-python/MySQL-python-1.2.5.zip Unzip MySQL-python-1.2.5.zip Cd MySQL-python 

mysql_config = /usr/lib64/mysql/mysql_config  python2.6 setup.py build python2.6 setup.py install 

yum install httpd php php-mysql php-gd php-curl 

wget http://bruteforce.gr/wp-content/uploads/kippo-graph-1.2.tar.gz tar -zxf kippo-graph-1.2.tar.gz  mv kippo-graph-1.2 /var/www/html/kippo cd /var/www/html/kippo cp config.php.dist config.php  vim config.php 

define('DIR_ROOT', '/var/www/html/kippo');   define('DB_HOST', 'localhost'); define('DB_USER', 'kippo'); define('DB_PASS', 'kippo'); define('DB_NAME', 'kippo'); define('DB_PORT', '3306');  

chmod 777 /var/www/html/kippo/generated-graphs/ /etc/init.d/http start su - kippo ./start.sh 

kippo.cfg: ========================================================== [honeypot]  # IP addresses to listen for incoming SSH connections. # # (default: 0.0.0.0) = any address #ssh监听的地址,可以设置多个监听ip,每个ip之间用空格隔开 #ssh_addr = 0.0.0.0  # Port to listen for incoming SSH connections. # # (default: 2222) #监听的端口,默认是2222,需要kippo运行在普通用户下,是不能够使用22端口,需要用iptables做一个简单的端口转发,转发到22端口 #只能监听一个端口 ssh_port = 2222  # Hostname for the honeypot. Displayed by the shell prompt of the virtual # environment. # # (default: svr03) #主机名 hostname = svr03  # Directory where to save log files in. # # (default: log) #存放日志的路径 log_path = log  # Directory where to save downloaded (malware) files in. # # (default: dl) #蜜罐中执行下载命令默认下载文件保存的目录 download_path = dl  # Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. # A value of 0 means no limit. If the file size is known to be too big from the start, # the file will not be stored on disk at all. # #限制下载文件的大小,默认是0,不限制 # (default: 0) #download_limit_size = 10485760  # Directory where virtual file contents are kept in. # # This is only used by commands like 'cat' to display the contents of files. # Adding files here is not enough for them to appear in the honeypot - the # actual virtual filesystem is kept in filesystem_file (see below) # # (default: honeyfs) #配置文件的存放的地方,默认下面有etc和proc两个 contents_path = honeyfs  # File in the python pickle format containing the virtual filesystem. # # This includes the filenames, paths, permissions for the whole filesystem, # but not the file contents. This is created by the createfs.py utility from # a real template linux installation. # # (default: fs.pickle) #记录一些文件,路径和权限的配置文件,用来模拟linux环境 filesystem_file = fs.pickle  # Directory for miscellaneous data files, such as the password database. # # (default: data_path) #一些数据存放的地方,例如lastlog,ssh的key和允许登陆的账户和密码修改过的root密码 data_path = data  # Directory for creating simple commands that only output text. # # The command must be placed under this directory with the proper path, such # as: #   txtcmds/usr/bin/vi # The contents of the file will be the output of the command when run inside # the honeypot. # In addition to this, the file must exist in the virtual # filesystem {filesystem_file} # # (default: txtcmds) #一些简单的命令,纯文字组成,只是用来做简单的输出 txtcmds_path = txtcmds  # Public and private SSH key files. If these don't exist, they are created # automatically. #ssh认证key存放的地方 rsa_public_key = data/ssh_host_rsa_key.pub rsa_private_key = data/ssh_host_rsa_key dsa_public_key = data/ssh_host_dsa_key.pub dsa_private_key = data/ssh_host_dsa_key  # Enables passing commands using ssh execCommand # e.g. ssh root@localhost <command> # # (default: false) #是否支持 ssh root@localhost <command>这种命令的执行,默认是false的 exec_enabled = true  # IP address to bind to when opening outgoing connections. Used exclusively by # the wget command. # # (default: not specified) #ssh数据包发出去的地址 #out_addr = 0.0.0.0  # Sensor name use to identify this honeypot instance. Used by the database # logging modules such as mysql. # # If not specified, the logging modules will instead use the IP address of the # connection as the sensor name. # # (default: not specified) #sensor_name=myhostname  # Fake address displayed as the address of the incoming connection. # This doesn't affect logging, and is only used by honeypot commands such as # 'w' and 'last' # # If not specified, the actual IP address is displayed instead (default # behaviour). # # (default: not specified) #fake_addr = 192.168.66.254  # SSH Version String # # Use this to disguise your honeypot from a simple SSH version scan # frequent Examples: (found experimentally by scanning ISPs) # SSH-2.0-OpenSSH_5.1p1 Debian-5 # SSH-1.99-OpenSSH_4.3 # SSH-1.99-OpenSSH_4.7 # SSH-1.99-Sun_SSH_1.1 # SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1 # SSH-2.0-OpenSSH_4.3 # SSH-2.0-OpenSSH_4.6 # SSH-2.0-OpenSSH_5.1p1 Debian-5 # SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6 # SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 # SSH-2.0-OpenSSH_5.5p1 Debian-6 # SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1 # SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2 # SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 # SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 # SSH-2.0-OpenSSH_5.9 # # (default: "SSH-2.0-OpenSSH_5.1p1 Debian-5") #ssh的banner信息 ssh_version_string = SSH-2.0-OpenSSH_5.1p1 Debian-5  # Banner file to be displayed before the first login attempt. # # (default: not specified) #第一次登陆上后,显示的banner信息,默认是不指定 #banner_file =  # Session management interface. # # This is a telnet based service that can be used to interact with active # sessions. Disabled by default. # # (default: false) interact_enabled = false # (default: 5123) interact_port = 5123   #mysql的支持模块,sql文件在doc/sql/mysql.sql # MySQL logging module # # Database structure for this module is supplied in doc/sql/mysql.sql # # To enable this module, remove the comments below, including the # [database_mysql] line.  #数据库的配置文件 #[database_mysql] #host = localhost #database = kippo #username = kippo #password = secret #port = 3306  #XMPP 的日志文件 # XMPP Logging # # Log to an xmpp server. # For a detailed explanation on how this works, see: <add url here> # # To enable this module, remove the comments below, including the # [database_xmpp] line.  #[database_xmpp] #server = sensors.carnivore.it #user = anonymous@sensors.carnivore.it #password = anonymous #muc = dionaea.sensors.carnivore.it #signal_createsession = kippo-events #signal_connectionlost = kippo-events #signal_loginfailed = kippo-events #signal_loginsucceeded = kippo-events #signal_command = kippo-events #signal_clientversion = kippo-events #debug=true  #默认日志以简单的文本方式存放 # Text based logging module # # While this is a database logging module, it actually just creates a simple # text based log. This may not have much purpose, if you're fine with the # default text based logs generated by kippo in log/ # # To enable this module, remove the comments below, including the # [database_textlog] line.  #[database_textlog] #logfile = kippo-textlog.log 

vim /home/kippo/kippo/core/dblog.py 

def nowUnix(self):   """return the current UTC time as an UNIX timestamp"""     #原系统用的时区是0时区的     #return int(time.mktime(time.gmtime()[:-1] + (-1,)))     #return int(time.mktime(time.gmtime()[:-1] + (-1,))) + 28800     return int(time.time()) 

http://www.sigma.ws/