From 57e3feda74abb925210919347f34fcceadfd0b26 Mon Sep 17 00:00:00 2001
From: Thomas Bereknyei
Date: Sat, 11 Jan 2014 17:15:11 -0500
Subject: [PATCH] Adds kippo SSH honeypot
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/networking/kippo.nix | 115 ++++++++++++++++++++
 pkgs/servers/kippo/default.nix | 65 +++++++++++
 pkgs/top-level/all-packages.nix | 2 +
 4 files changed, 183 insertions(+)
 create mode 100644 nixos/modules/services/networking/kippo.nix
 create mode 100644 pkgs/servers/kippo/default.nix
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 7f8d7172dc4d..c8f45014ece6 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -168,6 +168,7 @@
 ./services/networking/ifplugd.nix
 ./services/networking/iodined.nix
 ./services/networking/ircd-hybrid/default.nix
+ ./services/networking/kippo.nix
 ./services/networking/minidlna.nix
 ./services/networking/nat.nix
 ./services/networking/networkmanager.nix
diff --git a/nixos/modules/services/networking/kippo.nix b/nixos/modules/services/networking/kippo.nix
new file mode 100644
index 000000000000..76dd66013ba7
--- /dev/null
+++ b/nixos/modules/services/networking/kippo.nix
@@ -0,0 +1,115 @@
+# NixOS module for kippo honeypot ssh server
+# See all the options for configuration details.
+#
+# Default port is 2222. Recommend using something like this for port redirection to default SSH port:
+# networking.firewall.extraCommands = ''
+# iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222'';
+#
+# Lastly: use this service at your own risk. I am working on a way to run this inside a VM.
+{ pkgs, config, ... }:
+with pkgs.lib;
+let
+ cfg = config.services.kippo;
+in
+rec {
+ options = {
+ services.kippo = {
+ enable = mkOption {
+ default = false;
+ type = types.uniq types.bool;
+ description = ''Enable the kippo honeypot ssh server.'';
+ };
+ port = mkOption {
+ default = 2222;
+ type = types.uniq types.int;
+ description = ''TCP port number for kippo to bind to.'';
+ };
+ hostname = mkOption {
+ default = "nas3";
+ type = types.string;
+ description = ''Hostname for kippo to present to SSH login'';
+ };
+ varPath = mkOption {
+ default = "/var/lib/kippo";
+ type = types.string;
+ description = ''Path of read/write files needed for operation and configuration.'';
+ };
+ logPath = mkOption {
+ default = "/var/log/kippo";
+ type = types.string;
+ description = ''Path of log files needed for operation and configuration.'';
+ };
+ pidPath = mkOption {
+ default = "/run/kippo";
+ type = types.string;
+ description = ''Path of pid files needed for operation.'';
+ };
+ extraConfig = mkOption {
+ default = "";
+ type = types.string;
+ description = ''Extra verbatim configuration added to the end of kippo.cfg.'';
+ };
+ };
+
+ };
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs.pythonPackages; [
+ python twisted pycrypto pyasn1 ];
+
+ environment.etc."kippo.cfg".text = ''
+ # Automatically generated by NixOS.
+ # See ${pkgs.kippo}/src/kippo.cfg for details.
+ [honeypot]
+ log_path = ${cfg.logPath}
+ download_path = ${cfg.logPath}/dl
+ filesystem_file = ${cfg.varPath}/honeyfs
+ filesystem_file = ${cfg.varPath}/fs.pickle
+ data_path = ${cfg.varPath}/data
+ txtcmds_path = ${cfg.varPath}/txtcmds
+ public_key = ${cfg.varPath}/keys/public.key
+ private_key = ${cfg.varPath}/keys/private.key
+ ssh_port = ${toString cfg.port}
+ hostname = ${cfg.hostname}
+ ${cfg.extraConfig}
+ '';
+
+ users.extraUsers = singleton {
+ name = "kippo";
+ description = "kippo web server privilege separation user";
+ };
+ users.extraGroups = singleton { name = "kippo"; };
+
+ systemd.services.kippo = with pkgs; {
+ description = "Kippo Web Server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment.PYTHONPATH = "${pkgs.kippo}/src/:${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/:${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/:${pkgs.pythonPackages.python}/lib/python2.7/site-packages/:${pkgs.pythonPackages.twisted}/lib/python2.7/site-packages/:.";
+ preStart = ''
+ if [ ! -d ${cfg.varPath}/ ] ; then
+ mkdir -p ${cfg.pidPath}
+ mkdir -p ${cfg.logPath}/tty
+ mkdir -p ${cfg.logPath}/dl
+ mkdir -p ${cfg.varPath}/keys
+ cp ${pkgs.kippo}/src/honeyfs ${cfg.varPath} -r
+ cp ${pkgs.kippo}/src/fs.pickle ${cfg.varPath}/fs.pickle
+ cp ${pkgs.kippo}/src/data ${cfg.varPath} -r
+ cp ${pkgs.kippo}/src/txtcmds ${cfg.varPath} -r
+
+ chmod u+rw ${cfg.varPath} -R
+ chmod u+rw ${cfg.pidPath}
+ chown kippo.kippo ${cfg.varPath} -R
+ chown kippo.kippo ${cfg.pidPath}
+ chown kippo.kippo ${cfg.logPath} -R
+ chmod u+rw ${cfg.logPath} -R
+ fi
+ '';
+
+ serviceConfig.ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";
+ serviceConfig.PermissionsStartOnly = true;
+ serviceConfig.User = "kippo";
+ serviceConfig.Group = "kippo";
+ };
+};
+}
+
+
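Review bot: In preStart the `mkdir -p ${cfg.pidPath}` and `chown kippo.kippo ${cfg.pidPath}` lines sit inside the `if [ ! -d ${cfg.varPath}/ ]` first-run guard, so they never run again once varPath exists; with the default pidPath of `/run/kippo` (on NixOS `/run` is normally a tmpfs that is empty after reboot) twistd will be unable to write `--pidfile=${cfg.pidPath}/kippo.pid` on the next boot and the unit will fail to start. Move those two lines above the `if` so they run on every start, and keep the guard only for the one-time copy of honeyfs, fs.pickle, data and txtcmds. The generated `/etc/kippo.cfg` also emits `filesystem_file` twice (honeyfs, then fs.pickle); the first line should read `contents_path = ${cfg.varPath}/honeyfs`, otherwise the honeyfs path is presumably overwritten by the second key and kippo falls back to its built-in default. I also cannot see from this hunk how the daemon ever reads `/etc/kippo.cfg`: ExecStart runs the store copy of `kippo.tac` with `--rundir=${cfg.varPath}/`, so please confirm the generated config is loaded (for example by linking `/etc/kippo.cfg` into varPath in preStart) and note it in a comment. Since this service exists to accept attacker input, consider adding `serviceConfig.PrivateTmp = true;` and `serviceConfig.NoNewPrivileges = true;` where the systemd in use supports them, and a `chmod 0750` on the log and var directories so attacker-supplied session logs and downloads are not world-readable.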
diff --git a/pkgs/servers/kippo/default.nix b/pkgs/servers/kippo/default.nix
new file mode 100644
index 000000000000..cadf6e716917
--- /dev/null
+++ b/pkgs/servers/kippo/default.nix
@@ -0,0 +1,65 @@
+# This is the installation portion of kippo.
+# This is somewhat jumbled together. There is no "easy_install" for kippo,
+# and there isn't a way to regenerate the twistd plugin cache.
+#
+# Use the services.kippo options to properly configure if on NixOS.
+# On other platforms there is a problem with hardcoded paths.
+# Your best bet is to change kippo source to customise
+# or manually copy the proper filesystems.
+# At a minimum the following are required in /var/lib/kippo:
+# honeyfs/
+# fs.pickle
+# data/
+# txtcmds/
+#
+# There is also benefit in preparing /var/log/kippo
+# tty/
+# dl/
+#
+# Most of these files need read/write permissions.
+#
+# Read only files: kippo.tac and kippo.cfg
+#
+# Execution may look like this:
+# twistd -y kippo.tac --syslog --pidfile=kippo.pid
+#
+# Use this package at your own risk.
+
+{stdenv, pkgs, config, fetchurl, ... }:
+
+stdenv.mkDerivation rec {
+ name = "kippo-${version}";
+ version = "0.8";
+ src = fetchurl {
+ url = "https://kippo.googlecode.com/files/kippo-${version}.tar.gz";
+ sha1 = "f57a5cf88171cb005afe44a4b33cb16f825c33d6";
+ };
+ buildInputs = with pkgs.pythonPackages; [ pycrypto pyasn1 twisted ];
+ installPhase = ''
+ substituteInPlace ./kippo.tac --replace "kippo.cfg" "$out/src/kippo.cfg"
+ substituteInPlace ./kippo.cfg --replace "log_path = log" "log_path = /var/log/kippo" \
+ --replace "download_path = dl" "download_path = /var/log/kippo/dl" \
+ --replace "contents_path = honeyfs" "filesystem_file = /var/lib/kippo/honeyfs" \
+ --replace "filesystem_file = fs.pickle" "filesystem_file = /var/lib/kippo/fs.pickle" \
+ --replace "data_path = data" "data_path = /var/lib/kippo/data" \
+ --replace "txtcmds_path = txtcmds" "txtcmds_path = /var/lib/kippo/txtcmds" \
+ --replace "public_key = public.key" "public_key = /var/lib/kippo/keys/public.key" \
+ --replace "private_key = private.key" "private_key = /var/lib/kippo/keys/private.key"
+ mkdir -p $out/bin
+ mkdir -p $out/src
+ mv ./* $out/src
+ mv $out/src/utils/* $out/bin
+ '';
+
+ meta = {
+ homepage = https://code.google.com/p/kippo;
+ description = "SSH Honeypot";
+ longDescription = ''
+ Default port is 2222. Recommend using something like this for port redirection to default SSH port:
+ networking.firewall.extraCommands = '''
+ iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222''' '';
+ license = stdenv.lib.licenses.bsd3;
+ platforms = pkgs.stdenv.lib.platforms.linux;
+ maintainers = pkgs.stdenv.lib.maintainers.tomberek;
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index cb06beee0435..6b612ff96071 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1225,6 +1225,8 @@ let
 logstash = callPackage ../tools/misc/logstash { };
+ kippo = callPackage ../servers/kippo { };
+
 klavaro = callPackage ../games/klavaro {};
 minidlna = callPackage ../tools/networking/minidlna {
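Review bot: The substituteInPlace on `./kippo.cfg` turns `contents_path = honeyfs` into `filesystem_file = /var/lib/kippo/honeyfs`, which renames the key instead of only re-pathing it, leaving the installed config with two `filesystem_file` entries and no `contents_path`; it should be `--replace "contents_path = honeyfs" "contents_path = /var/lib/kippo/honeyfs"`. The source tarball is pinned with `sha1 =`; nixpkgs convention and the stronger supply-chain control is a `sha256 =` fetchurl hash, so regenerate it as sha256 (the https URL alone does not pin content). `maintainers = pkgs.stdenv.lib.maintainers.tomberek;` is expected to be a list, `maintainers = [ stdenv.lib.maintainers.tomberek ];`, and `license`/`platforms`/`maintainers` should all use `stdenv.lib` rather than mixing it with `pkgs.stdenv.lib`. Taking `pkgs` and `config` as derivation arguments ties the package to the whole package set; passing `pythonPackages` explicitly and using it for `buildInputs` keeps the derivation overridable. Note too that `kippo.tac` is redirected to the immutable `$out/src/kippo.cfg`, so any runtime configuration such as a generated `/etc/kippo.cfg` is ignored unless something else arranges for it to be read, which deserves a comment in the header block.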