Setting up a honeypot with fail2ban, lxc and kippo
Prerequisites:
- a working network setup in which you can NAT traffic to the address of the honeypot
- a working fail2ban installation
Setup
- the sqlite fail2ban script: I copied this to /root/bin
- change the iptables-allports.conf fail2ban action (usually in /etc/fail2ban/actions.d; I copied it to iptables-allports-local.conf) so that it matches my iptables-allports-local.conf
- set the jails up as in my jail.conf
- finally set the sqlite action up (also in /etc/fail2ban/actions.d): sqlite.conf
In my configuration 10.0.0.4 is my lxc container that's running kippo. I ulimit and memlimit it so it doesn't get out of hand.
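As an added example (not the author's iptables-allports-local.conf, whose contents are not shown in this post), here is a fail2ban action that, instead of dropping a banned source, DNATs its SSH traffic to the honeypot container; 10.0.0.4 is the container address from this post, while the file name, the chain name and the honeypot/port tags are assumptions.

```ini
# iptables-honeypot.conf (hypothetical name): put it in fail2ban's action
# directory next to iptables-allports.conf and reference it from the jail.
# Added example, not the author's file. Assumes the host has ip_forward
# enabled and a FORWARD rule that lets the rewritten packets reach the
# container, which itself forwards 22 -> 2222 with rinetd as described.
[Definition]

# Create a dedicated nat chain, end it with RETURN, and hook it into
# PREROUTING for the jail's port so only that service is redirected.
actionstart = iptables -t nat -N fail2ban-<name>
              iptables -t nat -A fail2ban-<name> -j RETURN
              iptables -t nat -I PREROUTING -p <protocol> --dport <port> -j fail2ban-<name>

# Tear the chain down in reverse order when fail2ban stops.
actionstop = iptables -t nat -D PREROUTING -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -t nat -F fail2ban-<name>
             iptables -t nat -X fail2ban-<name>

# fail2ban runs this before each ban; a failure makes it re-run actionstart.
actioncheck = iptables -t nat -n -L fail2ban-<name> >/dev/null

# Ban: send the offender's connections to kippo; the real sshd never sees them.
actionban = iptables -t nat -I fail2ban-<name> 1 -s <ip> -j DNAT --to-destination <honeypot>:<port>

# Unban: remove exactly the rule that actionban inserted.
actionunban = iptables -t nat -D fail2ban-<name> -s <ip> -j DNAT --to-destination <honeypot>:<port>

[Init]
# Default tag values; the jail's action line can override port and protocol.
name = default
port = 22
protocol = tcp
honeypot = 10.0.0.4
```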
Lxc honeypot machine
- install a debian base system
- install twisted-python
- add a user for kippo
- install kippo in the user's home
- add kippo to machine startup:
cat << EOF > /etc/rc.local
#!/bin/sh -e
su -c /home/kippo/kippo.sh kippo # assuming the username is 'kippo'
exit 0
EOF
- then kippo.sh:
cat << EOF > /home/kippo/kippo.sh
#!/bin/sh
cd ~/kippo-0.5 && ./start.sh
EOF
chmod +x /home/kippo/kippo.sh
- install rinetd and configure it to redirect incoming port 22 requests to port 2222 (kippo really hates to listen on port 22)
cat << EOF > /etc/rinetd.conf
# bindaddress bindport connectaddress connectport
0.0.0.0 22 0.0.0.0 2222
# logging information
logfile /var/log/rinetd.log
EOF
