Installing Kippo-Graph to visualize Cowrie logs

Tue Aug 16, 2016, in server; tags: jessie, cowrie, kippo-graph

Notes on installing Kippo-Graph, following the official page (Kippo-Graph - BruteForce Lab's Blog).

Installing and configuring MySQL

Install MySQL.

The installer asks for a password for the MySQL root account; set one.

$ sudo apt-get update
$ sudo apt-get install mysql-server

Securing MySQL

$ mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
 ... Failed!  Not critical, keep moving...
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

MySQL settings

$ sudo vi /etc/mysql/my.cnf
[mysqld]
character-set-server=utf8
collation-server=utf8_general_ci
skip-character-set-client-handshake
default-storage-engine=InnoDB
innodb_file_per_table
innodb_buffer_pool_size=256M
skip-name-resolve

[mysqldump]
default-character-set=utf8

[mysql]
default-character-set=utf8

Restart MySQL

$ sudo systemctl restart mysql

Sending Cowrie's logs to MySQL

Create the Cowrie database

$ mysql -uroot -p
Enter password:
mysql> create database cowrie character set utf8 collate utf8_bin;
mysql> grant all privileges on cowrie.* to cowrie@localhost identified by 'cowrie_password';
mysql> quit

$ cd ${COWRIE_INSTALL_DIR}
$ mysql -ucowrie -p cowrie < doc/sql/mysql.sql

The same account is used here both by Cowrie, which writes, and by Kippo-Graph, which only reads. A separate account for the web application, granted only SELECT on cowrie.*, limits what a compromised dashboard can do to the data.

Write Cowrie's logs to the MySQL database.

$ cd ${COWRIE_INSTALL_DIR}
$ vi cowrie.cfg
↓ commented out
#[output_jsonlog]
#logfile = log/cowrie.json

#[output_mysql]
#host = localhost
#database = cowrie
#username = cowrie
#password = secret
#port = 3306
[output_mysql]
host = localhost
database = cowrie
username = cowrie
password = cowrie_password
port = 3306

Disabling output_jsonlog is a choice, not a requirement: Cowrie writes to every output_* section that is enabled, and keeping the JSON log gives you a record that survives a database outage. Since cowrie.cfg now holds the database password, it should be readable by the cowrie user only.

Restart Cowrie

$ ./stop.sh
$ ./start.sh
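As an added check (not from the original post and not part of Cowrie), the shell functions below pick out which output_* sections of a cowrie.cfg are actually active, read a key from the live [output_mysql] block, and flag a config file that other users can read. The sample cowrie.cfg is constructed inline to mirror the edit above; the file name and the cowrie_password value are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for the [output_mysql] edit in cowrie.cfg.
# Uses only POSIX sh, sed, awk and ls; the sample config below is constructed.

# Print the names of the uncommented [output_*] sections, one per line.
# A header that starts with '#' is a comment and is not reported.
enabled_outputs() {
    sed -n 's/^[[:space:]]*\[\(output_[A-Za-z0-9_]*\)\][[:space:]]*$/\1/p' "$1"
}

# Print the value of key $2 from the active [output_mysql] section of $1.
# Section state is tracked so the same key in another section is ignored.
mysql_key() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[output_mysql\][ \t]*$/); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Return 0 if $1 is readable only by its owner (cowrie.cfg now holds a DB password).
cfg_is_private() {
    ! ls -ld "$1" | cut -c5-10 | grep -q r
}

# Return 0 if the password in [output_mysql] is set and is not the placeholder
# "secret" that the shipped sample section uses.
mysql_password_changed() {
    pw=$(mysql_key "$1" password)
    [ -n "$pw" ] && [ "$pw" != secret ]
}

# --- constructed sample mirroring the edit in the post ---
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
[honeypot]
hostname = svr04

#[output_jsonlog]
#logfile = log/cowrie.json

#[output_mysql]
#host = localhost
#database = cowrie
#username = cowrie
#password = secret
#port = 3306
[output_mysql]
host = localhost
database = cowrie
username = cowrie
password = cowrie_password
port = 3306
EOF
chmod 644 "$SAMPLE_CFG"   # deliberately world-readable, as a freshly copied file often is

echo "active outputs: $(enabled_outputs "$SAMPLE_CFG" | tr '\n' ' ')"
echo "mysql target:   $(mysql_key "$SAMPLE_CFG" username)@$(mysql_key "$SAMPLE_CFG" host)/$(mysql_key "$SAMPLE_CFG" database)"
if cfg_is_private "$SAMPLE_CFG"; then
    echo "cowrie.cfg permissions: ok"
else
    echo "cowrie.cfg permissions: readable by group/others; fix with: chmod 600 $SAMPLE_CFG"
fi
```

Point the functions at the real ${COWRIE_INSTALL_DIR}/cowrie.cfg instead of $SAMPLE_CFG to check a live installation; enabled_outputs should list output_mysql, and cfg_is_private should succeed after a chmod 600.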

Installing Apache2

Install Apache2.

$ sudo apt-get install apache2

Apache2 security settings (hide version information from response headers and error pages).

$ sudo vi /etc/apache2/conf-available/security.conf
ServerTokens Prod
ServerSignature Off

Apache2 character-set setting. Debian ships the line commented out; uncomment it.

$ sudo vi /etc/apache2/conf-available/charset.conf
AddDefaultCharset UTF-8

Apache2 ServerName setting.

$ sudo sh -c "echo ServerName ${HOSTNAME} > /etc/apache2/conf-available/fqdn.conf"
$ sudo a2enconf fqdn

Restart Apache2.

$ sudo apachectl configtest
$ sudo systemctl restart apache2

Installing Kippo-Graph

Install the dependencies.

$ sudo apt-get install libapache2-mod-php5 php5-mysql php5-gd php5-curl
$ sudo apt-get install dnsutils
$ sudo systemctl restart apache2

Install Kippo-Graph.

$ wget http://bruteforce.gr/wp-content/uploads/kippo-graph-1.5.1.tar.gz
$ sudo tar zxvf kippo-graph-1.5.1.tar.gz -C /usr/share
$ sudo vi /etc/apache2/conf-available/kippo-graph.conf
<IfModule mod_alias.c>
    Alias /kippo-graph /usr/share/kippo-graph-1.5.1
</IfModule>
$ sudo a2enconf kippo-graph
$ sudo apachectl configtest
$ sudo systemctl restart apache2
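An added example for the Apache side (not from the original post and not part of Kippo-Graph): Kippo-Graph has no login of its own, and Debian's apache2.conf already contains a <Directory /usr/share> block with Require all granted, so the Alias above publishes the dashboard to every client that can reach the web server. The first function writes a conf that keeps the Alias but limits access to a list of addresses and stops PHP from executing anything inside the writable generated-graphs/ directory; the second tells an open conf from a restricted one. The 192.0.2.0/24 address is an assumption for the example, and nothing is written under /etc/apache2 unless you point the function there yourself.

```shell
#!/bin/sh
# Added example: generate a restricted kippo-graph.conf for Apache 2.4 and
# check an existing one. Only POSIX sh and grep are used.

# Write an Apache conf to $1 that aliases /kippo-graph to directory $2 and
# allows only the clients listed in $3 (space-separated IPs or CIDR blocks).
write_kippo_graph_conf() {
    out=$1; dir=$2; allowed=$3
    cat > "$out" <<EOF
<IfModule mod_alias.c>
    Alias /kippo-graph ${dir}
</IfModule>

# Kippo-Graph has no authentication of its own, so the web server decides
# who may see the honeypot data. Restrict it to known monitoring hosts.
<Directory ${dir}>
    Options -Indexes
    AllowOverride None
    Require ip ${allowed}
</Directory>

# generated-graphs/ must be writable by www-data, so never let PHP run
# anything that ends up there.
<IfModule mod_php5.c>
    <Directory ${dir}/generated-graphs>
        php_admin_flag engine off
    </Directory>
</IfModule>
EOF
}

# Return 0 if conf $1 narrows access (a Require ip/local/valid-user line is
# present and no 'Require all granted'), 1 if it leaves the directory open.
conf_restricts_access() {
    grep -Eq '^[[:space:]]*Require[[:space:]]+(ip|local|valid-user)' "$1" &&
        ! grep -Eq '^[[:space:]]*Require[[:space:]]+all[[:space:]]+granted' "$1"
}

# --- demonstration with constructed files in a temp dir, not /etc/apache2 ---
WORK=$(mktemp -d)
OPEN_CONF=$WORK/kippo-graph-open.conf
SAFE_CONF=$WORK/kippo-graph.conf

# The conf from the post: Alias only, access decided by Debian's /usr/share default.
cat > "$OPEN_CONF" <<'EOF'
<IfModule mod_alias.c>
    Alias /kippo-graph /usr/share/kippo-graph-1.5.1
</IfModule>
EOF

write_kippo_graph_conf "$SAFE_CONF" /usr/share/kippo-graph-1.5.1 "127.0.0.1 192.0.2.0/24"

for f in "$OPEN_CONF" "$SAFE_CONF"; do
    if conf_restricts_access "$f"; then
        echo "$f: access restricted"
    else
        echo "$f: open to every client that reaches Apache"
    fi
done
# On the real host: sudo cp "$SAFE_CONF" /etc/apache2/conf-available/kippo-graph.conf
# then sudo a2enconf kippo-graph && sudo apachectl configtest && sudo systemctl restart apache2
```

Because AuthMerging is off by default in Apache 2.4, the Require ip in the more specific <Directory> replaces the Require all granted inherited from /usr/share rather than being combined with it.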

Configure Kippo-Graph.

$ sudo chmod 777 /usr/share/kippo-graph-1.5.1/generated-graphs/
$ sudo cp -p /usr/share/kippo-graph-1.5.1/config.php.dist /usr/share/kippo-graph-1.5.1/config.php
$ sudo vi /usr/share/kippo-graph-1.5.1/config.php
define('DB_HOST', 'localhost');
define('DB_USER', 'cowrie');
define('DB_PASS', 'cowrie_password');
define('DB_NAME', 'cowrie');
define('DB_PORT', '3306');

generated-graphs/ only has to be writable by the user Apache runs as; 777 achieves that, but so does handing the directory to group www-data with group write permission, without opening it to every local user. config.php now contains the database password too, so it should be readable by www-data and the administrator only.

Fixes to Kippo-Graph

Because the Kippo and Cowrie databases lay out their tables differently, one feature (KIPPO-PLAYLOG) did not work. Kippo kept the TTY recording itself in the ttylog column, whereas Cowrie's ttylog table stores the path of the recording file in ttylog and its length in size, so both the query that reports the recording size and the code that loads the recording have to be adapted.

To replay PLAYLOG I modified the files below. PLAYLOG can now be replayed, but I have not checked whether the change affects anything else; if you try it, do so at your own risk.

Edit class/KippoPlayLog.class.php

$ cd /usr/share/kippo-graph-1.5.1
$ sudo cp -p class/KippoPlayLog.class.php class/KippoPlayLog.class.php.org
$ sudo vi class/KippoPlayLog.class.php
$ diff class/KippoPlayLog.class.php.org class/KippoPlayLog.class.php
21c21
<             SELECT ttylog.session, timestamp, ROUND(LENGTH(ttylog)/1024, 2) AS size
---
>             SELECT ttylog.session, timestamp, ROUND(size/1024, 2) AS size

Edit include/play.php

$ cd /usr/share/kippo-graph-1.5.1
$ sudo cp -p include/play.php include/play.php.org
$ sudo vi include/play.php
$ diff include/play.php.org include/play.php
70c70
<                 $log = base64_encode($row['ttylog']);
---
>                 $log = base64_encode(file_get_contents($row['ttylog']));

With this change play.php reads, as the web server user, whatever path is stored in the ttylog column. The value is written by Cowrie itself, but checking that it resolves to a file under log/tty/ before calling file_get_contents() is a cheap guard against the dashboard serving an arbitrary file should the table ever be written by something else.

Create a symbolic link to the ttylog directory

The path in the ttylog column begins with log/ and is relative to the Cowrie directory, and play.php lives in include/, which is why the link is created there.

$ cd /usr/share/kippo-graph-1.5.1/include
$ sudo ln -s ${COWRIE_INSTALL_DIR}/log/ log
$ sudo chgrp www-data ${COWRIE_INSTALL_DIR}/log/tty/
$ sudo chmod g+s ${COWRIE_INSTALL_DIR}/log/tty/

www-data must also be able to traverse every directory on the way to log/tty/ (execute permission on ${COWRIE_INSTALL_DIR} and its parents), and the setgid bit only affects files created after it is set; recordings that already exist keep their old group and mode.

Edit the Cowrie start script

twistd is started with umask 0077, so every file Cowrie creates is readable by the cowrie user only. Relaxing it to 0027 makes new files group-readable; together with the setgid bit on log/tty/, new TTY recordings come out owned by group www-data and readable by Apache. The umask applies to everything Cowrie writes, so the other files under log/ and dl/ also become readable by the cowrie user's primary group.

$ sudo su - cowrie
$ cd ${COWRIE_INSTALL_DIR}/
$ cp -p start.sh start.sh.org
$ vi start.sh
$ diff start.sh.org start.sh
31c31
<     twistd $XARGS -l log/cowrie.log --umask 0077 --pidfile cowrie.pid cowrie
---
>     twistd $XARGS -l log/cowrie.log --umask 0027 --pidfile cowrie.pid cowrie
33c33
<     authbind --deep twistd $XARGS -l log/cowrie.log --umask 0077 --pidfile cowrie.pid cowrie
---
>     authbind --deep twistd $XARGS -l log/cowrie.log --umask 0027 --pidfile cowrie.pid cowrie

Restart Cowrie

$ ./stop.sh
$ ./start.sh
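An added demonstration (not from the post and not part of Cowrie) of what the chgrp/chmod g+s step and the umask change in start.sh achieve together. It creates a throw-away tty/ directory with the setgid bit, writes one file with the original umask 0077 and one with 0027, and compares the results; if the current user belongs to a second group, the directory is handed to that group the way the post hands log/tty/ to www-data. The directory and file names are constructed for the example.

```shell
#!/bin/sh
# Added example: the effect of umask 0077 vs 0027 inside a setgid directory,
# which is why the post patches start.sh and runs chgrp/chmod g+s on log/tty/.
# Everything happens in a temporary directory; no real Cowrie tree is touched.

# Create an empty file $3 in directory $1 while running under umask $2.
write_with_umask() {
    ( umask "$2" && : > "$1/$3" )
}

# Print the permission string (e.g. -rw-r-----) of $1.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print the group owning $1, as shown by ls.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Return 0 if $1 is readable by its group (what www-data needs via log/tty/).
group_readable() {
    [ "$(ls -ld "$1" | cut -c5)" = r ]
}

# Print a gid of the current user other than its primary one, if there is one.
# It stands in for www-data, which an unprivileged demo cannot hand files to.
pick_secondary_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    return 1
}

# --- demonstration ---
WORK=$(mktemp -d)
TTY_DIR=$WORK/tty
mkdir "$TTY_DIR"
if gid=$(pick_secondary_group); then
    chgrp "$gid" "$TTY_DIR" || echo "chgrp not permitted here; group inheritance shown with the primary group"
fi
chmod g+s "$TTY_DIR"                            # the post's: sudo chmod g+s log/tty/

write_with_umask "$TTY_DIR" 0077 before.log     # original start.sh
write_with_umask "$TTY_DIR" 0027 after.log      # patched start.sh

for f in before.log after.log; do
    printf '%s %s %s\n' "$(mode_of "$TTY_DIR/$f")" "$(group_of "$TTY_DIR/$f")" "$f"
done
echo "directory group: $(group_of "$TTY_DIR") (new files inherit it because of the setgid bit)"
```

Expect -rw------- for before.log and -rw-r----- for after.log, both carrying the directory's group; on the real host that group is www-data, which is exactly what lets Apache read the recordings.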

That's all.