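# NixOS module for kippo honeypot ssh server
#
# See all the options for configuration details.
#
# Default port is 2222. Recommend using something like this for port redirection to default SSH port:
# networking.firewall.extraCommands = ''
#      iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222'';
#
# Lastly: use this service at your own risk. I am working on a way to run this inside a VM.

{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.kippo;
in
{
  options = {
    services.kippo = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''Enable the kippo honeypot ssh server.'';
      };
      port = mkOption {
        default = 2222;
        type = types.int;
        description = ''TCP port number for kippo to bind to.'';
      };
      hostname = mkOption {
        default = "nas3";
        type = types.str;
        description = ''Hostname for kippo to present to SSH login'';
      };
      varPath = mkOption {
        default = "/var/lib/kippo";
        type = types.path;
        description = ''Path of read/write files needed for operation and configuration.'';
      };
      logPath = mkOption {
        default = "/var/log/kippo";
        type = types.path;
        description = ''Path of log files needed for operation and configuration.'';
      };
      pidPath = mkOption {
        default = "/run/kippo";
        type = types.path;
        description = ''Path of pid files needed for operation.'';
      };
      extraConfig = mkOption {
        default = "";
        type = types.lines;
        description = ''Extra verbatim configuration added to the end of kippo.cfg.'';
      };
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs.pythonPackages; [
      python pkgs.kippo.twisted pycrypto pyasn1 ];

    # kippo.cfg is an INI file, so a key given twice keeps only the last value.
    # The fake filesystem tree (honeyfs) and the pickled filesystem image are
    # two different settings; the previous version wrote both under
    # `filesystem_file`, which silently dropped the honeyfs path.
    # NOTE(review): `contents_path` is the key kippo's shipped kippo.cfg uses for
    # the honeyfs directory - confirm against ${pkgs.kippo}/src/kippo.cfg.
    environment.etc."kippo.cfg".text = ''
        # Automatically generated by NixOS.
        # See ${pkgs.kippo}/src/kippo.cfg for details.
        [honeypot]
        log_path = ${cfg.logPath}
        download_path = ${cfg.logPath}/dl
        contents_path = ${cfg.varPath}/honeyfs
        filesystem_file = ${cfg.varPath}/fs.pickle
        data_path = ${cfg.varPath}/data
        txtcmds_path = ${cfg.varPath}/txtcmds
        public_key = ${cfg.varPath}/keys/public.key
        private_key = ${cfg.varPath}/keys/private.key
        ssh_port = ${toString cfg.port}
        hostname = ${cfg.hostname}
        ${cfg.extraConfig}
    '';

    # Unprivileged account the honeypot runs as (see serviceConfig.User below).
    users.users.kippo = {
      description = "kippo honeypot ssh server user";
      uid = 108; # why does config.ids.uids.kippo give an error?
      group = "kippo";
      isSystemUser = true;
    };
    users.groups.kippo.gid = 108;

    systemd.services.kippo = with pkgs; {
      description = "Kippo honeypot ssh server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): the trailing "." puts the working directory on the import
      # path, and --rundir below makes that ${cfg.varPath}, which is writable by
      # the service user. If nothing in ${pkgs.kippo}/src relies on it, dropping
      # the "." entry narrows what the honeypot process can import.
      environment.PYTHONPATH = "${pkgs.kippo}/src/:${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/:${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/:${pkgs.pythonPackages.python}/lib/python2.7/site-packages/:${pkgs.kippo.twisted}/lib/python2.7/site-packages/:.";
      # Runs as root (PermissionsStartOnly) and only seeds directories that do
      # not exist yet, so state survives restarts. Each directory is checked on
      # its own; previously the log directories were only created together with
      # varPath, so a missing logPath was never repaired once varPath existed.
      preStart = ''
        if [ ! -d ${cfg.varPath}/ ] ; then
            mkdir -p ${cfg.varPath}/keys
            cp -r ${pkgs.kippo}/src/honeyfs ${cfg.varPath}
            cp ${pkgs.kippo}/src/fs.pickle ${cfg.varPath}/fs.pickle
            cp -r ${pkgs.kippo}/src/data ${cfg.varPath}
            cp -r ${pkgs.kippo}/src/txtcmds ${cfg.varPath}

            # files copied out of the store are read-only; the honeypot writes here
            chmod -R u+rw ${cfg.varPath}
            chown -R kippo:kippo ${cfg.varPath}
        fi
        if [ ! -d ${cfg.logPath}/ ] ; then
            mkdir -p ${cfg.logPath}/tty ${cfg.logPath}/dl
            chmod -R u+rw ${cfg.logPath}
            chown -R kippo:kippo ${cfg.logPath}
        fi
        if [ ! -d ${cfg.pidPath}/ ] ; then
            mkdir -p ${cfg.pidPath}
            chmod u+rw ${cfg.pidPath}
            chown kippo:kippo ${cfg.pidPath}
        fi
      '';

      serviceConfig.ExecStart = "${pkgs.kippo.twisted}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";
      # preStart needs root for chown; the daemon itself drops to kippo:kippo.
      serviceConfig.PermissionsStartOnly = true;
      serviceConfig.User = "kippo";
      serviceConfig.Group = "kippo";
    };
};
}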