From 57e3feda74abb925210919347f34fcceadfd0b26 Mon Sep 17 00:00:00 2001
From: Thomas Bereknyei <tomberek@gmail.com>
Date: Sat, 11 Jan 2014 17:15:11 -0500
Subject: Adds kippo SSH honeypot

---
 nixos/modules/services/networking/kippo.nix | 115 ++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 nixos/modules/services/networking/kippo.nix

(limited to 'nixos/modules/services/networking/kippo.nix')

diff --git a/nixos/modules/services/networking/kippo.nix b/nixos/modules/services/networking/kippo.nix
new file mode 100644
index 00000000000..76dd66013ba
--- /dev/null
+++ b/nixos/modules/services/networking/kippo.nix
@@ -0,0 +1,115 @@
+# NixOS module for kippo honeypot ssh server
+# See all the options for configuration details.
+#
+# Default port is 2222. Recommend using something like this for port redirection to default SSH port:
+# networking.firewall.extraCommands = ''
+#      iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222'';
+#
+# Lastly: use this service at your own risk. I am working on a way to run this inside a VM.
+{ pkgs, config, ... }:
+with pkgs.lib;
+let
+  cfg = config.services.kippo;
+in
+rec {
+  options = {
+    services.kippo = {
+      enable = mkOption {
+        default = false;
+        type = types.uniq types.bool;
+        description = ''Enable the kippo honeypot ssh server.'';
+      };
+      port = mkOption {
+        default = 2222;
+        type = types.uniq types.int;
+        description = ''TCP port number for kippo to bind to.'';
+      };
+      hostname = mkOption {
+        default = "nas3";
+        type = types.string;
+        description = ''Hostname for kippo to present to SSH login'';
+      };
+      varPath = mkOption {
+        default = "/var/lib/kippo";
+        type = types.string;
+        description = ''Path of read/write files needed for operation and configuration.'';
+      };
+      logPath = mkOption {
+        default = "/var/log/kippo";
+        type = types.string;
+        description = ''Path of log files needed for operation and configuration.'';
+      };
+      pidPath = mkOption {
+        default = "/run/kippo";
+        type = types.string;
+        description = ''Path of pid files needed for operation.'';
+      };
+      extraConfig = mkOption {
+        default = "";
+        type = types.string;
+        description = ''Extra verbatim configuration added to the end of kippo.cfg.'';
+      };
+    };
+
+  };
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs.pythonPackages; [
+      python twisted pycrypto pyasn1 ];
+
+    environment.etc."kippo.cfg".text = ''
+        # Automatically generated by NixOS.
+        # See ${pkgs.kippo}/src/kippo.cfg for details.
+        [honeypot]
+        log_path = ${cfg.logPath}
+        download_path = ${cfg.logPath}/dl
+        filesystem_file = ${cfg.varPath}/honeyfs
+        filesystem_file = ${cfg.varPath}/fs.pickle
+        data_path = ${cfg.varPath}/data
+        txtcmds_path = ${cfg.varPath}/txtcmds
+        public_key = ${cfg.varPath}/keys/public.key
+        private_key = ${cfg.varPath}/keys/private.key
+        ssh_port = ${toString cfg.port}
+        hostname = ${cfg.hostname}
+        ${cfg.extraConfig}
+    '';
+
+    users.extraUsers = singleton {
+      name = "kippo";
+      description = "kippo web server privilege separation user";
+    };
+    users.extraGroups = singleton { name = "kippo"; };
+
+    systemd.services.kippo = with pkgs; {
+      description = "Kippo Web Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment.PYTHONPATH = "${pkgs.kippo}/src/:${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/:${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/:${pkgs.pythonPackages.python}/lib/python2.7/site-packages/:${pkgs.pythonPackages.twisted}/lib/python2.7/site-packages/:.";
+      preStart = ''
+        if [ ! -d ${cfg.varPath}/ ] ; then 
+            mkdir -p ${cfg.pidPath}
+            mkdir -p ${cfg.logPath}/tty
+            mkdir -p ${cfg.logPath}/dl
+            mkdir -p ${cfg.varPath}/keys
+            cp ${pkgs.kippo}/src/honeyfs ${cfg.varPath} -r
+            cp ${pkgs.kippo}/src/fs.pickle ${cfg.varPath}/fs.pickle
+            cp ${pkgs.kippo}/src/data ${cfg.varPath} -r
+            cp ${pkgs.kippo}/src/txtcmds ${cfg.varPath} -r
+
+            chmod u+rw ${cfg.varPath} -R
+            chmod u+rw ${cfg.pidPath}
+            chown kippo.kippo ${cfg.varPath} -R
+            chown kippo.kippo ${cfg.pidPath}
+            chown kippo.kippo ${cfg.logPath} -R
+            chmod u+rw ${cfg.logPath} -R
+        fi
+      '';
+
+      serviceConfig.ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";
+      serviceConfig.PermissionsStartOnly = true;
+      serviceConfig.User = "kippo"; 
+      serviceConfig.Group = "kippo"; 
+    };
+};
+}
+
+
-- 
cgit 1.4.1