SSH Honeypots (Ab)used as Proxy
```shell
$ ssh -L 8443:192.168.254.10:443 user@192.168.254.2
$ ssh -D 8080 user@192.168.254.10
```
| Event | Hits |
|---|---|
| cowrie.direct-tcp.request | 24242 |
| cowrie.direct-tcp.data | 22967 |
| cowrie.log.open | 15130 |
| cowrie.log.closed | 14679 |
| cowrie.session.connect | 13882 |
| cowrie.session.closed | 13877 |
| cowrie.command.success | 11563 |
| cowrie.client.version | 9019 |
| cowrie.login.success | 8652 |
| cowrie.command.failed | 3948 |

| Country | Hits |
|---|---|
| Germany | 22405 |
| Russia | 1295 |
| United States | 267 |
| Argentina | 76 |
| France | 51 |
| Switzerland | 35 |
| Netherlands | 26 |
| Ukraine | 20 |
| India | 16 |
| Iran | 16 |

| TCP Port | Hits |
|---|---|
| 80 | 31431 |
| 25 | 1428 |
| 587 | 383 |
| 443 | 271 |
| 465 | 160 |
| 110 | 30 |
| 143 | 13 |
| 1101 | 4 |
| 1102 | 4 |
| 89 | 1 |
If we analyze the relations between the honeypots, sources and destinations, we see that some destinations (blue) were targeted by more than one attacker (green) connected on different honeypots (red):

- www.google-analytics.com
- tags.tagcade.com (an ads tag management system)
Are some people trying to abuse those services? Feel free to share your findings if you have also detected this kind of activity!
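The statistics above (hits per destination port, and destinations reached by several attackers through several honeypots) can be reproduced directly from Cowrie's JSON log. The script below is an added example, not code from the diary or from the Cowrie project; the field names (`eventid`, `src_ip`, `dst_ip`, `dst_port`, `sensor`, `session`) follow Cowrie's JSON logger, while the log lines themselves are constructed sample data with documentation-range addresses.

```python
"""Summarize SSH port-forwarding (direct-tcpip) requests seen by Cowrie honeypots.

Reads cowrie.json-style lines, keeps only cowrie.direct-tcp.request events,
counts hits per destination port, and flags destinations that were reached by
more than one attacker source through more than one honeypot sensor.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log (not real honeypot data). Field names mirror Cowrie's
# JSON output; IPs are from documentation ranges. One line is deliberately
# malformed and one is a non-forwarding event, to show they are skipped.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","sensor":"hp-a","session":"s1","timestamp":"2018-01-01T10:00:00Z"}
{"eventid":"cowrie.direct-tcp.request","src_ip":"203.0.113.5","dst_ip":"198.51.100.7","dst_port":80,"sensor":"hp-a","session":"s1","timestamp":"2018-01-01T10:00:01Z"}
{"eventid":"cowrie.direct-tcp.request","src_ip":"203.0.113.9","dst_ip":"198.51.100.7","dst_port":"80","sensor":"hp-b","session":"s2","timestamp":"2018-01-01T10:05:00Z"}
{"eventid":"cowrie.direct-tcp.request","src_ip":"203.0.113.5","dst_ip":"198.51.100.20","dst_port":25,"sensor":"hp-a","session":"s1","timestamp":"2018-01-01T10:06:00Z"}
this line is not JSON and must be ignored
{"eventid":"cowrie.direct-tcp.request","src_ip":"203.0.113.9","sensor":"hp-b","session":"s2"}
"""


def parse_forward_requests(lines):
    """Yield (sensor, src_ip, dst_ip, dst_port) for each direct-tcp request.

    Malformed JSON, other event types and events missing a field are skipped,
    so a partially corrupted log does not abort the whole analysis.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("eventid") != "cowrie.direct-tcp.request":
            continue
        try:
            yield (event["sensor"], event["src_ip"], event["dst_ip"], int(event["dst_port"]))
        except (KeyError, TypeError, ValueError):
            continue


def summarize(lines):
    """Return (hits per dst port, hits per (dst_ip, port), sources per dest, sensors per dest)."""
    port_hits = Counter()
    dst_hits = Counter()
    dst_sources = defaultdict(set)   # which attacker IPs asked for this destination
    dst_sensors = defaultdict(set)   # which honeypots relayed requests to it
    for sensor, src_ip, dst_ip, dst_port in parse_forward_requests(lines):
        key = (dst_ip, dst_port)
        port_hits[dst_port] += 1
        dst_hits[key] += 1
        dst_sources[key].add(src_ip)
        dst_sensors[key].add(sensor)
    return port_hits, dst_hits, dst_sources, dst_sensors


def shared_destinations(lines, min_sources=2, min_sensors=2):
    """Destinations targeted by >= min_sources attackers via >= min_sensors honeypots.

    This is the relation the diary describes (blue destinations reached by several
    green attackers through several red honeypots), computed from the log alone.
    """
    _, _, dst_sources, dst_sensors = summarize(lines)
    return sorted(
        key for key in dst_sources
        if len(dst_sources[key]) >= min_sources and len(dst_sensors[key]) >= min_sensors
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    port_hits, dst_hits, _, _ = summarize(lines)
    print("TCP Port | Hits")
    for port, hits in port_hits.most_common():
        print(f"{port} | {hits}")
    print("\nDestinations reached by several attackers via several honeypots:")
    for dst_ip, dst_port in shared_destinations(lines):
        print(f"{dst_ip}:{dst_port} ({dst_hits[(dst_ip, dst_port)]} requests)")
```

On a real deployment, feed it the `cowrie.json` files from every sensor (for example `cat */cowrie.json* | python3 forward_stats.py`, with the script adapted to read `sys.stdin`); the `sensor` field is what lets the cross-honeypot correlation work, so make sure each Cowrie instance is configured with a distinct sensor name.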
To conclude: attackers are not only scanning the Internet to find vulnerable hosts and turn them into bots. They are also looking for ways to hide themselves to perform (maybe) more complex or dangerous attacks.
And keep in mind that if you allow users to SSH to systems that can access the Internet, they can be used as a solution to bypass classic controls in place!
Xavier Mertens
ISC Handler - Freelance Security Consultant