Hi
I have been trying to install Kippo on a Pi 3 and all is going really well: I have it running and have phpMyAdmin running so I can view the stats via a browser. But here is the reason for my question.
I decided to go with "Authbind" to change the port, I changed ssh port 22 to 1984 then restarted the service.
After installing Authbind I configured it so:
touch /etc/authbind/byport/22
chown my_user:my_user /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22
I must be missing something because when I run sudo netstat -antp I see it still looking at port 1984. The output looks like this:
tcp 0 0 0.0.0.0:1984 0.0.0.0
What am I doing wrong, and is Authbind the right way to go? If anyone can help me or tell me a better way to get this working that would be great, and I would very much appreciate your assistance.
Just so you know, I installed Debian Lite initially and from there installed only the components required to get it running. I did it that way so I could get kippo running first then add other software later to make it look more like a proper networked box.
From what I can gather, kippo is defined as a medium-interaction SSH honeypot, so it is supposed to look like an actual ssh server and provide a fake filesystem to the attacker. Other network software will not matter, and I would not want unnecessary services running or accessible to the internet, so as not to expose the Pi as a honeypot.
Since you switched the real ssh server to run on port 1984, the output from netstat is expected. I see there are a couple of ways to run kippo. One is using authbind so you can run kippo on a privileged port, i.e. < 1024, and the other is to add a firewall rule to redirect ssh traffic from port 22 to the designated kippo port, which defaults to 2222.
Since you are using authbind and kippo is working I assume you switched its port from 2222 to 22. So with the information provided I do not see anything wrong.
I understand what you are saying, but I can't see how having that port defined is of any use.
When I try to connect to ssh port 22 it says that the connection is refused! I can understand why because I have said that from now on, the ssh port is at 1984, but if anyone tried to connect to port 22 in an attempt to hack the box, they could not gain access? I thought the idea behind Authbind was to say when you try to connect to port 22 you will be forwarded to 1984 and in doing so still get a connection to the box in question.
Authbind allows non-root users to run a service on ports < 1024. The real ssh server runs on 1984, which you don't want the attackers to know about. If a firewall is running on the Pi you need to allow port 1984 and connect with:
ssh -p 1984 user@pi (replace with the real username and IP address)
If you cannot connect on port 22 then either kippo is not running, is not configured correctly, or the firewall is blocking the port.
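The checks from the reply above (is anything listening on port 22 itself, or is there a redirect to a port where the honeypot listens?) as a small shell script. This is an added example, not part of the original thread; the function names and the sample netstat and iptables-save lines are constructed, and firewall filter rules are not evaluated.

```shell
#!/bin/sh
# Constructed sample lines in `netstat -antp` / `iptables-save -t nat` format.
SSHD='tcp 0 0 0.0.0.0:1984 0.0.0.0:* LISTEN 512/sshd'
HONEYPOT_2222='tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 733/python'
HONEYPOT_22='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 733/python'
NAT_RULE='-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222'
NL='
'

# listening PORT NETSTAT_TEXT: succeed if a socket is in LISTEN state on PORT.
listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# redirect_target PORT NAT_RULES: print the port a REDIRECT rule sends PORT to.
redirect_target() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /-j REDIRECT/ {
            dport = ""; to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (dport == p && to != "") { print to; exit }
        }'
}

# diagnose PUBLIC_PORT NETSTAT_TEXT NAT_RULES: print a one-word verdict.
diagnose() {
    if listening "$1" "$2"; then
        echo direct                  # a process is bound to the port itself (the authbind route)
        return
    fi
    target=$(redirect_target "$1" "$3")
    if [ -z "$target" ]; then
        echo refused                 # no listener, no redirect: clients see "connection refused"
    elif listening "$target" "$2"; then
        echo redirected:"$target"    # firewall redirect to a running honeypot
    else
        echo dead-redirect:"$target" # rule exists but nothing listens behind it
    fi
}

diagnose 22 "$SSHD" ""                               # refused
diagnose 22 "$SSHD$NL$HONEYPOT_22" ""                # direct
diagnose 22 "$SSHD$NL$HONEYPOT_2222" "$NAT_RULE"     # redirected:2222
diagnose 22 "$SSHD" "$NAT_RULE"                      # dead-redirect:2222
```

On a live system the two text arguments would come from `sudo netstat -antp` and `sudo iptables-save -t nat`.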
Hi Michaelk
Sorry for the delay in getting back, been really busy of late.
Anyway, I just want to say thanks for the help, you pointed me in the right direction, it was the allow to port 22 that was the one that finally helped me.
I now have a Cowrie honeypot working, everyone is allowed to port 22, which then gets redirected to the port I wanted it to go to and that throws it into the cowrie port, it's excellent!!
Coming from Windows I still forget to allow and forget that unless you tell it to do something it won't do anything :O) the more I get into Linux the better it gets
Anyway thanks for your help and I really appreciate the time you took in telling me what to do.