Kojoney (http://kojoney.sourceforge.net/)
is a wonderful low-interaction SSH honeypot written in Python.
Honeypots are systems that are set up in a deliberately vulnerable state
in order to capture and observe intruder behavior. For more
information about honeypots, see the excellent HoneyNet Project (http://www.honeynet.org/).
There are many reasons to run a honeypot, but for the purposes of this
discussion we will assume that you want to run a honeypot to observe
post-compromise behavior in order to fingerprint patterns. This is
useful because you can use those fingerprints to set up alerting or protective
mechanisms that detect a compromise quickly and aid in response. For
instance, by running a honeypot you might discover that most attackers,
after compromising an Apache web server, attempt to write a file into
the /tmp directory. You can use this information to set up monitoring
of the /tmp directory and alert administrators whenever Apache writes
new files into /tmp. This can tip off systems administrators to a
possible compromise by alerting them that behavior is occurring
on their system that typically corresponds to post-compromise attacker
activity.
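The /tmp monitoring idea above, as an added example (not code from the original post or from Kojoney): a small poller that snapshots a directory, then reports any new file owned by the web server account. The account name (`www-data`) is an assumption; on Red Hat-style systems it is typically `apache`.

```python
import os
import pwd
import time

WATCH_DIR = "/tmp"     # the directory the text suggests watching
WEB_USER = "www-data"  # assumption: account the web server runs as ("apache" on Red Hat)


def uid_for(user):
    """Resolve a user name to its uid, or None if the account does not exist."""
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None


def snapshot(directory):
    """Map each path in `directory` to (inode, owner uid); entries that vanish mid-scan are skipped."""
    seen = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)  # lstat: do not follow symlinks that may have been planted
        except OSError:
            continue
        seen[path] = (st.st_ino, st.st_uid)
    return seen


def new_files_by_uid(before, after, uid):
    """Paths in `after` owned by `uid` that were absent from `before` or now have a new inode."""
    return sorted(path for path, (ino, owner) in after.items()
                  if owner == uid and before.get(path, (None, None))[0] != ino)


def watch(directory=WATCH_DIR, user=WEB_USER, interval=5):
    """Poll `directory` every `interval` seconds and print an alert for each new file owned by `user`."""
    uid = uid_for(user)
    if uid is None:
        raise SystemExit(f"no such user: {user}")
    before = snapshot(directory)
    while True:
        time.sleep(interval)
        after = snapshot(directory)
        for path in new_files_by_uid(before, after, uid):
            print(f"ALERT: {user} wrote {path}")
        before = after


if __name__ == "__main__":
    watch()
```

In production the print would feed syslog or a pager; on Linux, inotify gives the same signal without polling.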
http://www.madirish.net/node/242
Friday, 26 October 2012
Using and Extending Kojoney SSH Honeypot