Hi guys
I've knocked up two small scripts to crawl the logs and generate some
very basic stats. The idea was to anonymously publish those stats
without revealing where the honeypot is. Those would have to go off to
some 'neutral(ish)' place... For now it goes to a subdomain on
pastebin -
http://kippo.pastebin.com/
First upload from one of my sensors will go up today just after
midnight UTC.
If you would care to share your stats, then the scripts are at
http://groups.google.com/group/kippousers/web/pastebin-stats.tar.gz
Install:
1. Download and unpack content in kippo dir
2. Adjust $kippohome and KIPPOHOME variables in both scripts
3. Add cron job for pastebin.sh to run at 23:59
By default the kippo instance is identified by the md5 hash of kippo.cfg (you
can tell which one is yours!) and the expiry date on posts is set to 1 day
- ideally it would be something like a week or so, but the pastebin api
doesn't have such options (just several predefined values) so it's one
day or one month. I'll test it a bit more and go with daily stats to
one month I think...
On that note - daily stats highlighted an interesting situation - at
the moment mine show 130 connections today, 128 with ssh library, no
login attempts, so... does that mean that 2 were just port-scans, 128
were actual ssh sessions (banner grabbing?) and that's it?! If so,
then why do I have several hosts doing all those over and over again? If
you have a zombie scanning ports or rather connecting using an ssh
library (so you can try to log in), why would you connect over 50
times to the same host? Expecting another banner or what?
What's your guess?
Tomasz
BTW there are more scripts coming soon... sharing is caring ;-)
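As an added illustration (not Tomasz's scripts, nor anything from the kippousers archive), here is how the three headline numbers from the post can be pulled out of a Kippo log, plus a per-source breakdown that shows which hosts reconnect repeatedly and which connected without ever sending an SSH banner. The log lines are constructed to approximate Kippo's format, and the regexes are assumptions about that format.

```python
import re
from collections import Counter

# Constructed sample in the style of kippo.log (not real sensor data).
# 203.0.113.5 reconnects twice with libssh; 198.51.100.7 connects but never
# sends a banner (a plain port probe); 198.51.100.9 actually tries a login.
SAMPLE_LOG = """\
2010-06-01 00:01:10+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:51234 (10.0.0.2:2222) [session: 1]
2010-06-01 00:01:10+0000 [HoneyPotTransport,1,203.0.113.5] Remote SSH version: SSH-2.0-libssh-0.1
2010-06-01 00:01:11+0000 [HoneyPotTransport,1,203.0.113.5] connection lost
2010-06-01 00:02:30+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:51240 (10.0.0.2:2222) [session: 2]
2010-06-01 00:02:30+0000 [HoneyPotTransport,2,203.0.113.5] Remote SSH version: SSH-2.0-libssh-0.1
2010-06-01 00:05:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:40000 (10.0.0.2:2222) [session: 3]
2010-06-01 00:05:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.9:40001 (10.0.0.2:2222) [session: 4]
2010-06-01 00:05:01+0000 [HoneyPotTransport,4,198.51.100.9] Remote SSH version: SSH-2.0-PuTTY_Release_0.60
2010-06-01 00:05:03+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [root/123456] failed
"""

# Assumed line shapes; adjust if your kippo version logs differently.
NEW_CONN = re.compile(r"New connection: (\d+\.\d+\.\d+\.\d+):\d+")
SSH_VER = re.compile(r"Remote SSH version: (\S+)")
LOGIN = re.compile(r"login attempt \[[^\]]*\] (failed|succeeded)")


def daily_stats(log_text, repeat_threshold=2):
    """Count connections, banners and login attempts; flag repeat sources."""
    per_ip = Counter()      # TCP connections per source address
    versions = Counter()    # client banners seen (one per SSH session)
    logins = 0
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            per_ip[m.group(1)] += 1
            continue
        m = SSH_VER.search(line)
        if m:
            versions[m.group(1)] += 1
            continue
        if LOGIN.search(line):
            logins += 1
    return {
        "connections": sum(per_ip.values()),
        # connections minus banners = connects that were just port probes
        "ssh_banners": sum(versions.values()),
        "login_attempts": logins,
        "versions": dict(versions),
        "repeat_sources": {ip: n for ip, n in per_ip.items() if n >= repeat_threshold},
    }
```

With the sample above the result is 4 connections, 3 banners and 1 login attempt, which is the same "connections minus banners equals bare port scans" arithmetic the post applies to its 130/128/0 figures.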