LinuxQuestions.org
Old 05-27-2016, 02:28 AM   #1
Mad_Mike
LQ Newbie
 
Registered: May 2016
Posts: 4

Rep: Reputation: Disabled
Kippo port looking at the wrong port


Hi
I have been trying to install Kippo on a Pi 3. All is going really well: I have it running and have phpMyAdmin running so I can view the stats via a browser. But, the reason for my question.

I decided to go with "Authbind" to change the port, I changed ssh port 22 to 1984 then restarted the service.

After installing Authbind I configured it so:
touch /etc/authbind/byport/22
chown my_user:my_user /etc/authbind/byport/22
chmod 777 /etc/authbind/byport/22

I must be missing something out, because when I run sudo netstat -antp I see it still looking at port 1984. The output looks like this:

tcp 0 0 0.0.0.0:1984 0.0.0.0

What am I doing wrong, and is Authbind the right way to go? If anyone can help me or tell me a better way to get this working that would be great, and I would very much appreciate your assistance.

Just so you know, I installed Debian Lite initially and from there installed only the components required to get it running. I did it that way so I could get kippo running first then add other software later to make it look more like a proper networked box.
 
Old 05-28-2016, 11:35 AM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 24,380

Rep: Reputation: 5469
Not familiar with kippo but will try to help.

From what I can gather, kippo is defined as a medium-interaction SSH honeypot, so it is supposed to look like an actual ssh server and provide a fake filesystem to the attacker. Other network software will not matter, and I would not want unnecessary services running or accessible to the internet, so as not to expose the Pi as a honeypot.

Since you switched the real ssh server to run on port 1984, the output from netstat is expected. I see there are a couple of ways to run kippo. One is using authbind so you can run kippo on a privileged port, i.e. < 1024, and the other is to add a firewall rule to redirect ssh traffic from port 22 to the designated kippo port, which defaults to 2222.

Since you are using authbind and kippo is working I assume you switched its port from 2222 to 22. So with the information provided I do not see anything wrong.

Last edited by michaelk; 05-28-2016 at 11:40 AM.
 
Old 05-29-2016, 01:43 PM   #3
Mad_Mike
LQ Newbie
 
Registered: May 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for your help Michaelk

I understand what you are saying, but I can't see how having that port defined is of any use.

When I try to connect to ssh port 22 it says that the connection is refused! I can understand why because I have said that from now on, the ssh port is at 1984, but if anyone tried to connect to port 22 in an attempt to hack the box, they could not gain access? I thought the idea behind Authbind was to say when you try to connect to port 22 you will be forwarded to 1984 and in doing so still get a connection to the box in question.
 
Old 05-29-2016, 02:17 PM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 24,380

Rep: Reputation: 5469
Authbind allows non-root users to run a service on ports < 1024. The real ssh server runs on 1984, which you don't want the attackers to know about. If a firewall is running on the Pi you need to allow port 1984 and connect:

ssh -p 1984 user@pi (replace with real username and IP address)

If you cannot connect on port 22 then either kippo is not running, is not configured correctly, or the firewall is blocking the port.

Last edited by michaelk; 05-29-2016 at 02:29 PM.
 
1 members found this post helpful.
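
Added example (not part of the thread, and not Kippo's or authbind's own code): the check described in post #4, written as a shell filter that reads netstat -antp output and reports what is listening on port 22. The sample lines and the PID/program names in them are constructed; ports 22, 1984 and 2222 are the ones named in the thread.

```shell
#!/bin/sh
# Classify listeners from `netstat -antp` style output.
# Ports follow the thread: 22 (public), 1984 (real sshd), 2222 (Kippo default).

# Constructed sample output, not captured from a real host.
SAMPLE_BROKEN='tcp 0 0 0.0.0.0:1984 0.0.0.0:* LISTEN 612/sshd'
SAMPLE_AUTHBIND='tcp 0 0 0.0.0.0:1984 0.0.0.0:* LISTEN 612/sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 845/python'
SAMPLE_REDIRECT='tcp 0 0 0.0.0.0:1984 0.0.0.0:* LISTEN 612/sshd
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 845/python'

# listener_on PORT: read netstat lines on stdin and print the
# "PID/Program" column of the first LISTEN socket bound to PORT.
listener_on() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")   # last piece is the port, also for :::22
            if (a[n] == port) { print $7; exit }
        }'
}

# diagnose: read netstat output on stdin and print one verdict word.
diagnose() {
    out=$(cat)
    p22=$(printf '%s\n' "$out" | listener_on 22)
    p2222=$(printf '%s\n' "$out" | listener_on 2222)
    case "$p22" in
        */sshd) echo "real-sshd-on-22" ;;    # real server still on the public port
        ?*)     echo "honeypot-on-22" ;;     # another process (e.g. via authbind) holds 22
        *)  if [ -n "$p2222" ]; then
                # Port 22 only reaches this if a firewall redirect exists;
                # netstat cannot show that rule.
                echo "kippo-default-port"
            else
                echo "nothing-on-22"         # clients get "connection refused"
            fi ;;
    esac
}

# On a live host: sudo netstat -antp | diagnose
printf '%s\n' "$SAMPLE_BROKEN" | diagnose
```

A "nothing-on-22" verdict matches the refused connection reported in post #3: only the real sshd on 1984 is listening, so the honeypot is either not running or not bound where clients connect.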
Old 06-08-2016, 02:32 AM   #5
Mad_Mike
LQ Newbie
 
Registered: May 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi Michaelk
Sorry for the delay in getting back, been really busy of late.
Anyway, I just want to say thanks for the help, you pointed me in the right direction, it was the allow to port 22 that was the one that finally helped me.

I now have a Cowrie honeypot working, everyone is allowed to port 22 which then gets redirected to the port I wanted it to go to and that throws it into the cowrie port, it's excellent!!

Coming from Windows I still forget to allow and forget that unless you tell it to do something it won't do anything :O) The more I get into Linux the better it gets.

Anyway thanks for your help and I really appreciate the time you took in telling me what to do.

Cheers mate.
 
  

