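# NixOS module for the kippo honeypot SSH server.
# See the options below for configuration details.
#
# The service listens on an unprivileged port (default 2222) and runs as the
# unprivileged `kippo` user. To expose it on the real SSH port, redirect
# inbound port 22 at the firewall (replace IN_IFACE with the external
# interface):
#   networking.firewall.extraCommands = ''
#     iptables -t nat -A PREROUTING -i IN_IFACE -p tcp --dport 22 -j REDIRECT --to-port 2222'';
# The port is NOT opened in networking.firewall automatically.
#
# Lastly: a honeypot deliberately accepts hostile clients; use this service
# at your own risk. Running it inside a VM is still work in progress.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.kippo;
in
{
  options = {
    services.kippo = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "Enable the kippo honeypot ssh server.";
      };
      port = mkOption {
        default = 2222;
        type = types.int;
        description = "TCP port number for kippo to bind to.";
      };
      hostname = mkOption {
        default = "nas3";
        type = types.str;
        description = "Hostname for kippo to present to SSH login";
      };
      varPath = mkOption {
        default = "/var/lib/kippo";
        type = types.path;
        description = "Path of read/write files needed for operation and configuration.";
      };
      logPath = mkOption {
        default = "/var/log/kippo";
        type = types.path;
        description = "Path of log files needed for operation and configuration.";
      };
      pidPath = mkOption {
        default = "/run/kippo";
        type = types.path;
        description = "Path of pid files needed for operation.";
      };
      extraConfig = mkOption {
        default = "";
        type = types.lines;
        description = "Extra verbatim configuration added to the end of kippo.cfg.";
      };
    };

  };
  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs.pythonPackages; [
      python pkgs.kippo.twisted pycrypto pyasn1 ];

    # kippo reads an ini-style configuration; the keys below mirror the
    # upstream sample in ${pkgs.kippo}/src/kippo.cfg. `#` lines inside the
    # string are ini comments, not Nix comments.
    environment.etc."kippo.cfg".text = ''
      # Automatically generated by NixOS.
      # See ${pkgs.kippo}/src/kippo.cfg for details.
      [honeypot]
      log_path = ${cfg.logPath}
      download_path = ${cfg.logPath}/dl
      # Directory holding the contents of files in the fake filesystem.
      # (Previously written as a second, dead `filesystem_file` line that the
      # pickle entry below silently overrode.)
      contents_path = ${cfg.varPath}/honeyfs
      # Pickled layout of the fake filesystem.
      filesystem_file = ${cfg.varPath}/fs.pickle
      data_path = ${cfg.varPath}/data
      txtcmds_path = ${cfg.varPath}/txtcmds
      # Host key pair; kippo creates it on first start if the files are missing.
      public_key = ${cfg.varPath}/keys/public.key
      private_key = ${cfg.varPath}/keys/private.key
      ssh_port = ${toString cfg.port}
      hostname = ${cfg.hostname}
      ${cfg.extraConfig}
    '';

    # Dedicated unprivileged identity for the honeypot process.
    users.users.kippo = {
      description = "kippo honeypot privilege separation user";
      group = "kippo";
      isSystemUser = true;
      # NOTE(review): static uid; config.ids.uids.kippo would need a matching
      # entry in nixos/modules/misc/ids.nix.
      uid = 108;
    };
    users.groups.kippo.gid = 108;

    systemd.services.kippo = with pkgs; {
      description = "Kippo SSH honeypot";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      environment.PYTHONPATH = "${pkgs.kippo}/src/:${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/:${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/:${pkgs.pythonPackages.python}/lib/python2.7/site-packages/:${pkgs.kippo.twisted}/lib/python2.7/site-packages/:.";

      # Runs as root (PermissionsStartOnly) to seed the state directory on the
      # first start and hand it over to the service user.
      preStart = ''
        if [ ! -d ${cfg.varPath}/ ] ; then
          mkdir -p ${cfg.logPath}/tty
          mkdir -p ${cfg.logPath}/dl
          mkdir -p ${cfg.varPath}/keys
          cp -r ${pkgs.kippo}/src/honeyfs ${cfg.varPath}
          cp ${pkgs.kippo}/src/fs.pickle ${cfg.varPath}/fs.pickle
          cp -r ${pkgs.kippo}/src/data ${cfg.varPath}
          cp -r ${pkgs.kippo}/src/txtcmds ${cfg.varPath}

          # Files copied out of the store are read-only; make them writable
          # for the service user before changing ownership.
          chmod -R u+rw ${cfg.varPath} ${cfg.logPath}
          chown -R kippo:kippo ${cfg.varPath} ${cfg.logPath}
          # Keep the host private key, session logs and captured downloads
          # out of reach of other local users.
          chmod 750 ${cfg.varPath} ${cfg.logPath}
          chmod 700 ${cfg.varPath}/keys
        fi
        if [ ! -d ${cfg.pidPath}/ ] ; then
          mkdir -p ${cfg.pidPath}
          chmod u+rw ${cfg.pidPath}
          chown kippo:kippo ${cfg.pidPath}
        fi
      '';

      serviceConfig = {
        ExecStart = "${pkgs.kippo.twisted}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";
        PermissionsStartOnly = true;
        User = "kippo";
        Group = "kippo";
        # The process is attacker-facing by design: limit what a compromised
        # twisted/kippo can reach. /var and /run stay writable, so the
        # default state, log and pid paths keep working; varPath, logPath and
        # pidPath must not live under /usr, /boot or /etc with this setting.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "full";
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
      };
    };
  };
}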