Category: LINUX
2011-11-10 14:03:33
Checking the server's security log turned up quite a few ssh login attempts. I later changed the port and the probing dropped off noticeably, but I still was not satisfied. I had long wanted to set a trap with honeyd, but honeyd is somewhat heavyweight and better suited to building a honeynet; all I wanted was a fake ssh server that records the password attempts for analysis, so that idea never went anywhere.
Browsing my Google Reader subscriptions I stumbled on a piece of software called kippo and was hooked right away. Time to get to work. Below is the installation and testing in a virtual machine.
Download first:
[root@localhost ~]# wget
--2011-11-17 04:18:09--
Resolving kippo.googlecode.com... 74.125.127.82
Connecting to kippo.googlecode.com|74.125.127.82|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
googlecode is regularly harassed by the GFW; nothing to be done about it, so I fetched the file by going over the wall.
Unpack
[root@localhost ~]# tar xfvz kippo-0.5.tar.gz
kippo-0.5/
kippo-0.5/dl/
kippo-0.5/utils/
Install the dependencies
[root@localhost kippo-0.5]# yum install python-twisted-core
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package python-twisted-core.i386 0:8.1.0-1.el5.rf set to be updated
--> Processing Dependency: python-zope-interface for package: python-twisted-core
--> Processing Dependency: pyOpenSSL for package: python-twisted-core
--> Running transaction check
---> Package pyOpenSSL.i386 0:0.6-2.el5 set to be updated
---> Package python-zope-interface.i386 0:3.0.1-1.el5.rf set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
python-twisted-core i386 8.1.0-1.el5.rf rpmforge 2.5 M
Installing for dependencies:
pyOpenSSL i386 0.6-2.el5 base 128 k
python-zope-interface i386 3.0.1-1.el5.rf rpmforge 239 k
Transaction Summary
================================================================================
Install 3 Package(s)
Upgrade 0 Package(s)
Total download size: 2.9 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): pyOpenSSL-0.6-2.el5.i386.rpm | 128 kB 00:03
(2/3): python-zope-interface-3.0.1-1.el5.rf.i386.rpm | 239 kB 00:04
(3/3): python-twisted-core-8.1.0-1.el5.rf.i386.rpm | 2.1 MB 11:30 ...
-------------------------------------------------------------------------------
Total 4.1 kB/s | 2.9 MB 12:08
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : python-zope-interface 1/3
Installing : pyOpenSSL 2/3
Installing : python-twisted-core 3/3
Installed:
python-twisted-core.i386 0:8.1.0-1.el5.rf
Dependency Installed:
pyOpenSSL.i386 0:0.6-2.el5 python-zope-interface.i386 0:3.0.1-1.el5.rf
Complete!
[root@localhost kippo-0.5]# yum install python-crypto.i386
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package python-crypto.i386 0:2.0.1-1.el5.rf set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
python-crypto i386 2.0.1-1.el5.rf rpmforge 335 k
Transaction Summary
================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Error
[root@localhost kippo-0.5]# ./start.sh
Starting kippo in background...Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/twisted/application/app.py", line 614, in run
runApp(config)
File "/usr/lib/python2.4/site-packages/twisted/scripts/twistd.py", line 23, in runApp
_SomeApplicationRunner(config).run()
File "/usr/lib/python2.4/site-packages/twisted/application/app.py", line 330, in run
self.application = self.createOrGetApplication()
File "/usr/lib/python2.4/site-packages/twisted/application/app.py", line 416, in createOrGetApplication
application = getApplication(self.config, passphrase)
---
File "/usr/lib/python2.4/site-packages/twisted/application/app.py", line 427, in getApplication
application = service.loadApplication(filename, style, passphrase)
File "/usr/lib/python2.4/site-packages/twisted/application/service.py", line 368, in loadApplication
application = sob.loadValueFromFile(filename, 'application', passphrase)
File "/usr/lib/python2.4/site-packages/twisted/persisted/sob.py", line 214, in loadValueFromFile
exec fileObj in d, d
File "kippo.tac", line 15, in ?
from twisted.conch.ssh import factory, keys
exceptions.ImportError: No module named conch.ssh
Strange: it fails on from twisted.conch.ssh import factory, keys, yet twisted has obviously already been installed.
Solution:
Download the conch package separately and install it.
[root@localhost kippo-0.5]# wget
--2011-11-17 05:26:37--
Resolving twistedmatrix.com... 66.35.39.65
Connecting to twistedmatrix.com|66.35.39.65|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 209673 (205K) [application/x-tar]
Saving to: `TwistedConch-11.0.0.tar.bz2'
100%[===========================================================================>] 209,673 38.8K/s in 5.3s
2011-11-17 05:26:44 (38.8 KB/s) - `TwistedConch-11.0.0.tar.bz2' saved [209673/209673]
[root@localhost kippo-0.5]# tar xfv TwistedConch-11.0.0.tar.bz2
TwistedConch-11.0.0/LICENSE
TwistedConch-11.0.0/doc/
TwistedConch-11.0.0/doc/benchmarks/
TwistedConch-11.0.0/doc/benchmarks/buffering_mixin.py
TwistedConch-11.0.0/doc/benchmarks/README
TwistedConch-11.0.0/doc/examples/
[root@localhost kippo-0.5]# cd TwistedConch-11.0.0
[root@localhost TwistedConch-11.0.0]# python setup.py install
running install
running build
running build_py
Still failing
[root@localhost kippo-0.5]# ./start.sh
Starting kippo in background...Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/twisted/application/app.py", line 614, in run
runApp(config)
File "/usr/lib/python2.4/site-packages/twisted/scripts/twistd.py", line 23, in runApp
_SomeApplicationRunner(config).run()
File "/usr/lib/python2.4/site-packages/twisted/application/app.py", line 330, in run
self.application = self.createOrGetApplication()
File "/usr/lib/python2.4/site-packages/twisted/application/app.py", line 416, in createOrGetApplication
application = getApplication(self.config, passphrase)
---
File "/usr/lib/python2.4/site-packages/twisted/application/app.py", line 427, in getApplication
application = service.loadApplication(filename, style, passphrase)
File "/usr/lib/python2.4/site-packages/twisted/application/service.py", line 368, in loadApplication
application = sob.loadValueFromFile(filename, 'application', passphrase)
File "/usr/lib/python2.4/site-packages/twisted/persisted/sob.py", line 214, in loadValueFromFile
exec fileObj in d, d
File "kippo.tac", line 15, in ?
from twisted.conch.ssh import factory, keys
File "/usr/lib/python2.4/site-packages/twisted/conch/ssh/factory.py", line 16, in ?
from twisted.conch.ssh import keys
File "/usr/lib/python2.4/site-packages/twisted/conch/ssh/keys.py", line 20, in ?
from pyasn1.type import univ
exceptions.ImportError: No module named pyasn1.type
Failed to load application: No module named pyasn1.type
That can't be right, the dependencies were all installed, weren't they?
Install yet another dependency. The author really ought to update his web page.
[root@localhost kippo-0.5]# yum install python-pyasn1
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package python-pyasn1.noarch 0:0.0.12a-1.el5.rf set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================
Installing:
python-pyasn1 noarch 0.0.12a-1.el5.rf rpmforge 75 k
Transaction Summary
=====================================================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Done
[root@localhost kippo-0.5]# ./start.sh
Starting kippo in background...ERROR: You must not run kippo as root!
Unhandled Error
But it cannot be run as root. The default configuration listens on port 2222, but I want port 22 open. Fine, call me sneaky.
Run
iptables -t nat -A PREROUTING -d 10.107.30.249 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
That is, anything hitting port 22 on this machine gets sent on to 2222, since a non-root user is not allowed to bind ports below 1024.
Next, add a root account.
[root@localhost utils]# ./passdb.py ../data/pass.db add root
[root@localhost utils]# ./passdb.py ../data/pass.db list
root
Run start.sh
Then, if any prey is caught, you can look in the log. Besides seeing in kippo.log which accounts and passwords were used to log in, you can also replay everything the prey did after logging in, which is great fun. The author has a sense of humour too: for instance, the useradd that people typically run right after getting into a host is made absolutely maddening.
./playlog.py -m 1 -b ../log/tty/20111117-064205-3271.log 0 (the letters are doubled because of the -b parameter, which shows both input and output).
sales:/etc# uusseerraadddd ffuucckkmmee
Adding user `fuckme' ...
Adding new group `fuckme' (1001) ...
Adding new user `fuckme' (1001) with group `fuckme' ...
Creating home directory `/home/fuckme' ...
Copying files from `/etc/skel' ...
Password: fuck
Password again: fuck
Changing the user information for fuckme
Enter the new value, or press ENTER for the default
Username []: wwhhoo
Full Name []: eellssee
Room Number []: 111111
Work Phone []: 111111
Home Phone []: 111111
Mobile Phone []: 111111
Country []: 1111
City []: 1111
Language []: 1111
Favorite movie []: 1111
Other []: 1111
Is the information correct? [Y/n] YY
Ok, starting over
Changing the user information for fuckme
Enter the new value, or press ENTER for the default
Username []: wwhhoo
Full Name []: wwhhoo
Room Number []: 1111
Work Phone []: 1111
Home Phone []: 1111
Mobile Phone []: 11
Country []: 11
City []: 11
Language []: 11
Favorite movie []: 11
Other []: 11
Is the information correct? [Y/n] YY
Ok, starting over
Changing the user information for fuckme
Enter the new value, or press ENTER for the default
Username []: nn
Full Name []: nn
Room Number []: ff
Work Phone []: 22
Home Phone []: 33
Mobile Phone []: 11
Country []: 22
33 City []:
Language []: 33
Favorite movie []: 33
Other []: 33
Is the information correct? [Y/n] nn
Ok, starting over
Changing the user information for fuckme
Enter the new value, or press ENTER for the default
Username []:
Must enter a value!
Username []:
Must enter a value!
Username []: ^C
Honestly, this software is rather cruel. It reminds me of an animal that has fallen into a pit with many exits all around it, every one of them fake: however hard the prey struggles it cannot get out, yet it keeps hoping, and only at the very last moment does it realise the damn thing is a trap. Could that provoke fiercer retaliation, such as a DDoS? So in production I would rather be a bit more humane: just empty out passwd.db and only record the login attempts for analysis.
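For the login-attempt analysis mentioned above, here is an added example (not from the original post or from the kippo project) that pulls the attempts out of kippo.log and tallies them by source address, username and password. The line shape is assumed from kippo 0.5's ssh-userauth messages, and the sample log lines are constructed.

```python
import re
import sys
from collections import Counter

# Assumed kippo.log line shape (assumption, not taken from the page):
#   <date> <time+tz> [SSHService ssh-userauth on HoneyPotTransport,<n>,<src ip>] login attempt [<user>/<pass>] failed|succeeded
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample log; the connection line shows that non-auth lines are skipped.
SAMPLE_LOG = """\
2011-11-17 06:41:58+0000 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 192.0.2.10:51234 (10.107.30.249:2222) [session: 0]
2011-11-17 06:42:01+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/123456] failed
2011-11-17 06:42:03+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/password] failed
2011-11-17 06:42:05+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/toor] succeeded
2011-11-17 06:50:12+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/123456] failed
2011-11-17 06:50:14+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [oracle/oracle] failed
"""


def parse_login_attempts(lines):
    """Yield one dict (ts, ip, user, password, result) per login attempt; other lines are ignored."""
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarize(attempts):
    """Aggregate attempts into counters plus the list of (ip, user, password) that got in."""
    by_ip, by_user, by_password, successes = Counter(), Counter(), Counter(), []
    for a in attempts:
        by_ip[a["ip"]] += 1
        by_user[a["user"]] += 1
        by_password[a["password"]] += 1
        if a["result"] == "succeeded":
            successes.append((a["ip"], a["user"], a["password"]))
    return {"by_ip": by_ip, "by_user": by_user, "by_password": by_password, "successes": successes}


if __name__ == "__main__":
    # Usage: python kippo_attempts.py ../log/kippo.log   (falls back to the sample above)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    report = summarize(parse_login_attempts(lines))
    for key in ("by_ip", "by_user", "by_password"):
        print(key, report[key].most_common(5))
    print("successes", report["successes"])
```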