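# NixOS module for kippo honeypot ssh server
# See all the options for configuration details.
#
# Default port is 2222. Recommend using something like this for port redirection to default SSH port:
# networking.firewall.extraCommands = ''
#   iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222'';
#
# Lastly: use this service at your own risk. I am working on a way to run this inside a VM.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.kippo;

  # The daemon runs as this unprivileged account. preStart runs as root
  # (PermissionsStartOnly) and hands the state and log trees over to it.
  user = "kippo";
  group = "kippo";

  # kippo and its dependencies are Python 2.7 packages; twistd locates them
  # through PYTHONPATH rather than through a wrapped interpreter.
  pythonPath = concatStringsSep ":" [
    "${pkgs.kippo}/src/"
    "${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/"
    "${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/"
    "${pkgs.pythonPackages.python}/lib/python2.7/site-packages/"
    "${pkgs.kippo.twisted}/lib/python2.7/site-packages/"
    "."
  ];
in
{
  options.services.kippo = {
    enable = mkOption {
      default = false;
      type = types.bool;
      description = ''Enable the kippo honeypot ssh server.'';
    };
    port = mkOption {
      default = 2222;
      type = types.int;
      description = ''TCP port number for kippo to bind to.'';
    };
    hostname = mkOption {
      default = "nas3";
      # types.str: a single value; types.string would silently concatenate
      # conflicting definitions instead of reporting them.
      type = types.str;
      description = ''Hostname for kippo to present to SSH login.'';
    };
    varPath = mkOption {
      default = "/var/lib/kippo";
      type = types.str;
      description = ''Path of read/write files needed for operation and configuration.'';
    };
    logPath = mkOption {
      default = "/var/log/kippo";
      type = types.str;
      description = ''Path of log files needed for operation and configuration.'';
    };
    pidPath = mkOption {
      default = "/run/kippo";
      type = types.str;
      description = ''Path of pid files needed for operation.'';
    };
    extraConfig = mkOption {
      default = "";
      type = types.lines;
      description = ''Extra verbatim configuration added to the end of kippo.cfg.'';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs.pythonPackages; [
      python pkgs.kippo.twisted pycrypto pyasn1
    ];

    # contents_path is the directory holding the fake filesystem contents
    # (honeyfs); filesystem_file is the pickled directory tree. They are two
    # distinct keys, so each appears exactly once (the original listed
    # filesystem_file twice, which lost the honeyfs setting).
    environment.etc."kippo.cfg".text = ''
      # Automatically generated by NixOS.
      # See ${pkgs.kippo}/src/kippo.cfg for details.
      [honeypot]
      log_path = ${cfg.logPath}
      download_path = ${cfg.logPath}/dl
      contents_path = ${cfg.varPath}/honeyfs
      filesystem_file = ${cfg.varPath}/fs.pickle
      data_path = ${cfg.varPath}/data
      txtcmds_path = ${cfg.varPath}/txtcmds
      public_key = ${cfg.varPath}/keys/public.key
      private_key = ${cfg.varPath}/keys/private.key
      ssh_port = ${toString cfg.port}
      hostname = ${cfg.hostname}
      ${cfg.extraConfig}
    '';

    users.extraUsers = singleton {
      name = user;
      group = group;
      description = "kippo ssh honeypot privilege separation user";
      # Hard-coded: the original author reports config.ids.uids.kippo does
      # not evaluate — presumably no ids.nix entry exists; TODO confirm.
      uid = 108;
    };
    users.extraGroups = singleton { name = group; gid = 108; };

    systemd.services.kippo = {
      description = "Kippo SSH Honeypot";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      environment.PYTHONPATH = pythonPath;

      # Runs as root (PermissionsStartOnly): on first start seed varPath from
      # the package, then make both trees owned by the service user. The
      # pid directory is created on every start in which it is missing.
      preStart = ''
        if [ ! -d ${cfg.varPath}/ ] ; then
          mkdir -p ${cfg.logPath}/tty
          mkdir -p ${cfg.logPath}/dl
          mkdir -p ${cfg.varPath}/keys
          cp -r ${pkgs.kippo}/src/honeyfs ${cfg.varPath}
          cp ${pkgs.kippo}/src/fs.pickle ${cfg.varPath}/fs.pickle
          cp -r ${pkgs.kippo}/src/data ${cfg.varPath}
          cp -r ${pkgs.kippo}/src/txtcmds ${cfg.varPath}

          chmod -R u+rw ${cfg.varPath}
          chown -R ${user}:${group} ${cfg.varPath}
          chown -R ${user}:${group} ${cfg.logPath}
          chmod -R u+rw ${cfg.logPath}
        fi
        if [ ! -d ${cfg.pidPath}/ ] ; then
          mkdir -p ${cfg.pidPath}
          chmod u+rw ${cfg.pidPath}
          chown ${user}:${group} ${cfg.pidPath}
        fi
      '';

      serviceConfig = {
        # -n keeps twistd in the foreground so systemd supervises it directly.
        ExecStart = "${pkgs.kippo.twisted}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";
        PermissionsStartOnly = true;
        User = user;
        Group = group;
        # The daemon talks to arbitrary remote peers; deny privilege
        # escalation via setuid/capabilities and give it a private /tmp.
        NoNewPrivileges = true;
        PrivateTmp = true;
      };
    };
  };
}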