A low interaction honeypot (as Kippo) tries to mine a real service. Errors included. Unfortunately this is not always possible, which makes the trap detectable by human and some scan softwares.
Kippo uses Twisted conch, which doesn’t act always like a real OpenSSH server. One of the major issues is related to malformed data at connection that can disclose Kippo easily because Twisted responds to the client with:
[protocolbytes] bad packet length [protocolbytes]
With a real OpenSSH server, the client receives only this message:
But don’t worry (be happy), you will not be detected again! Apply this patch and the “bad response” will be intercepted and substituted with the right message.It’s just a workaround, but it works!