Kippo Honeypot: Identify Attackers

TL;DR

This guide shows you how to find out more about who’s attacking your Kippo honeypot. We’ll focus on getting their IP address and then using that to look up their location and potentially other information.

Steps

  1. Confirm You Have Attack Data
    • Kippo logs all attempted logins in a text file. The default location is usually /var/log/kippo/kippo.log.
    • Check this log to see if you have any recent entries. Each line represents an attempt.
      tail -f /var/log/kippo/kippo.log
  2. Extract IP Addresses
    • The IP address of the attacker is usually found in the log file, often associated with a failed login attempt. You can use grep to find these.
      grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/kippo/kippo.log | sort | uniq

      This command does the following:

      • grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' /var/log/kippo/kippo.log: Finds all IPv4 addresses in the log file. The dot must be escaped as \. because an unescaped dot matches any character and would also pick up date stamps and timestamps from each line.
      • sort: Sorts the list of IPs.
      • uniq: Removes duplicate IP addresses, showing only unique attackers.
  3. Geolocation using geoiplookup
    • Install geoip-bin if it’s not already installed. This provides the geoiplookup tool.
      sudo apt update && sudo apt install geoip-bin -y
    • Use geoiplookup to find the location of each IP address.
      geoiplookup <IP_ADDRESS>

      Replace <IP_ADDRESS> with an actual IP address from your log file. This will give you country, region and city information.

  4. Using Online IP Lookup Tools
    • Several websites provide IP lookup services (e.g., IPLocation.net, WhatIsMyIPAddress.com).
    • Copy and paste the IP address into one of these tools to get more detailed information, including ISP (Internet Service Provider) details.
  5. Reverse DNS Lookup
    • Use host command to perform a reverse DNS lookup. This can sometimes reveal the hostname associated with the IP address.
      host <IP_ADDRESS>

      This might give you clues about the attacker’s organisation or network.

  6. WHOIS Lookup
    • Use a WHOIS lookup tool (e.g., DomainTools WHOIS) to find registration information for the IP address block.
      whois <IP_ADDRESS>

      This can provide details about the owner of the IP address range, but often this information is obscured by privacy services.

  7. Consider cyber security implications
    • Be aware that geolocation data isn’t always accurate. It provides an estimate based on the IP address’s registered location.
    • Don’t rely solely on this information for legal action.
    • Investigate further if you suspect a serious attack.
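The script below is an added example, not code from the original post. It ties steps 1, 2, 3, 5 and 6 together: it extracts source addresses with the correctly escaped pattern, shows what the unescaped pattern wrongly returns, drops the honeypot's own address and impossible octets, ranks sources by number of login attempts, lists the ones that hit an accepted password, and only then runs geoiplookup, host and whois on each remaining address when those tools are installed and ENRICH=1 is set. The log lines are constructed to mimic Kippo's format and use documentation address ranges; the honeypot address in HONEYPOT_IP is an assumption you should replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): offline triage of a Kippo log.
# ASSUMPTION: Kippo writes "New connection: <ip>:<port>" and
# "HoneyPotTransport,<session>,<ip>] login attempt [user/pass] failed|succeeded".
# The sample lines are CONSTRUCTED; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real attackers.

HONEYPOT_IP="${HONEYPOT_IP:-10.0.0.5}"          # assumed listening address
SAMPLE_LOG="${TMPDIR:-/tmp}/kippo-sample.log"

cat > "$SAMPLE_LOG" <<'EOF'
2024-01-10 08:01:12+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.45:51822 (10.0.0.5:2222) [session: 1]
2024-01-10 08:01:13+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.45] login attempt [root/123456] failed
2024-01-10 08:01:14+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.45] login attempt [root/password] failed
2024-01-10 08:01:15+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.45] login attempt [admin/admin] failed
2024-01-10 08:05:40+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:40021 (10.0.0.5:2222) [session: 2]
2024-01-10 08:05:41+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2024-01-10 08:09:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/123456] succeeded
EOF

# Every IPv4-looking string in the log, de-duplicated. The dot is escaped:
# an unescaped '.' matches any character and also returns date stamps.
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u
}

# The unescaped form, kept only to show its false positives (e.g. 2024-01-10).
unescaped_dot_matches() {
    grep -oE '([0-9]{1,3}.){3}[0-9]{1,3}' "$1" | sort -u
}

# Remote sources only: drop impossible octets (>255) and the honeypot itself.
remote_ips() {
    extract_ips "$1" \
      | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
      | grep -vxF "$HONEYPOT_IP"
}

# Login attempts per source address, busiest first: "<count> <ip>".
attempts_per_ip() {
    grep 'login attempt' "$1" \
      | sed -E 's/.*HoneyPotTransport,[0-9]+,([0-9.]+)].*/\1/' \
      | sort | uniq -c | sort -rn
}

# Sources that hit a password the honeypot accepts; these sessions are the
# ones worth replaying because the attacker reached the emulated shell.
successful_logins() {
    grep 'login attempt .* succeeded' "$1" \
      | sed -E 's/.*HoneyPotTransport,[0-9]+,([0-9.]+)].*/\1/' \
      | sort -u
}

# Enrichment from steps 3, 5 and 6; each tool is skipped when not installed.
enrich_ip() {
    ip="$1"
    printf '== %s ==\n' "$ip"
    if command -v geoiplookup >/dev/null 2>&1; then
        geoiplookup "$ip"          # country only unless a city database is installed
    fi
    if command -v host >/dev/null 2>&1; then
        host "$ip" || true         # no PTR record is a normal outcome
    fi
    if command -v whois >/dev/null 2>&1; then
        whois "$ip" | grep -iE '^(netname|org-name|orgname|country|descr):' | head -n 6
    fi
}

printf 'Unique remote addresses:\n'
remote_ips "$SAMPLE_LOG"
printf '\nAttempts per address:\n'
attempts_per_ip "$SAMPLE_LOG"
printf '\nAddresses that logged in successfully:\n'
successful_logins "$SAMPLE_LOG"
if [ "${ENRICH:-0}" = 1 ]; then
    remote_ips "$SAMPLE_LOG" | while read -r ip; do enrich_ip "$ip"; done
fi
```

Point SAMPLE_LOG at /var/log/kippo/kippo.log to run it on real data. Two caveats carried into the code: the octet filter matters because [0-9]{1,3} alone accepts values such as 999, and geoiplookup prints only the country when just the default country database is installed; region and city come from a separate city-level database. Also treat the successful-login list as the priority queue for further investigation, since a source that reached the emulated shell leaves a session transcript worth reviewing.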