Most, if not all, of the handlers run honeypots, sinkholes, spam traps, etc. in various locations around the planet. As many of you are aware, they are a nice tool to see what is going on on the Internet at a specific time. Setting up a new server the other day, it was interesting to see how fast it was touched by evilness. Initially it wasn't even intended as a honeypot, but it soon turned into one when "interesting" traffic started turning up. Now of course mixing business (the server's originally intended use) and pleasure (honeypot) isn't a good thing, so honeypot it is. It was quite disheartening to see how fast evilness turned up:

Which got me thinking about a few things, and hence this post. There are two things I'm interested in. Firstly, when running honeypots, what do you use? There are some great resources and different tools, so what works for you? This one I just set up using the 404 project components from this site. I used Kippo for 2222, and for the rest I used the actual product, configured to bounce pretty much every request. It doesn't get me exactly what they are doing, but it gives me a first indication, plus I ran out of time :-(

The second thing I'd like to know is, when you set up the honeypot for the first time, how long did it take to get a hit? On our site we have a survival time. It would be interesting to know what the survival time for SSH, FTP, telnet, proxies etc. is. So the next time you set up a honeypot, or if you still have the logs going back that far, take a look and share. SSH with a default password: less than 2 minutes. What are your stats?

Cheers
Mark

(PS: if you are going to set one up, make sure you fully understand what you are about to do. You are placing a deliberately vulnerable device on the Internet. Depending on your location you may be held liable for stuff that happens (IANAL). If it gets compromised, make sure it is somewhere where it can't hurt you or others.)
Mark, ISC Handler, Nov 13th 2013
I promise I'm not trying to drive traffic to our blog, but my colleague Jay Jacobs here at Verizon had a series of blog posts on "Opportunistic Attacks" and how quickly systems are hit by evilness. The last link is a short YouTube video where he visualized the information from his honeypot.

http://www.verizonenterprise.com/security/blog/index.xml?postid=1587
http://www.verizonenterprise.com/security/blog/?postid=1589
http://www.verizonenterprise.com/security/blog/?postid=1593
http://www.verizonenterprise.com/security/blog/index.xml?postid=1600
http://www.youtube.com/watch?v=mGr1GpV-YcE

Enjoy!
Chris

Christopher, Nov 13th 2013
I think it largely depends on what your IP address was used for before... IMHO it can hardly be generalized.

gebhard, Nov 14th 2013
Very true. The IP could have been used for other purposes, and the traffic you are seeing is leftover from a previous owner. In fact one of the other servers I run has that exact issue. It is one of the issues in a VPS world where servers are reallocated when someone pays a bill.

One reason why more data might help sort it out, but then when you think about it, it could still be quite valid information as we move more towards a VPS type of environment. With the IPv4 allocation gone you'd be hard pressed to find an IPv4 address without history.
M

Mark, ISC Handler, Nov 14th 2013
What happens if your honeypot is IPv6 only? Does it essentially "disappear" into the vast void of IPv6?
Paul

PaulOutBox, Nov 14th 2013
I've run a Kippo honeypot (on a Raspberry Pi) for a number of months. I started running it after reviewing all the port 22 hits in our logs. Oh, this is on a residential cable modem connection.

Last week our ISP reconfigured things, changing our IP from 76.xx.xx.xx to 69.xx.xx.xx. As I noted in a blog post, for the honeypot it was like moving to a new town and starting over as a virgin! I also run another hack on our home network that tracks network downtimes, so I know when the IP change occurred. We came up on the new IP address at 03:03 (AM, local time). First port 22 hit recorded at 04:50, with a login attempt to root with password=admin. While our "new" IP address may have been used by someone else previously, it's still in a residential block!

k6rtm, Nov 14th 2013
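An added example (my own code, not the diary's, Kippo's, or any commenter's) that turns the diary's "survival time" question and the 03:03 / 04:50 figures in the comment above into a measurement: it parses login-attempt lines in a format approximating what Kippo writes (the format is assumed from memory; the sample lines, the go-live timestamp and the documentation-range IPs are all constructed) and reports minutes from go-live to first hit, distinct sources, the first successful login and the credential pairs most tried.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (not real capture data) in the line format Kippo writes for
# password attempts, approximated from memory; IPs are documentation ranges.
# Timestamps mirror the comment above: host live at 03:03, first SSH hit at 04:50.
SAMPLE_LOG = """\
2013-11-14 04:50:12+0000 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [root/admin] failed
2013-11-14 04:50:15+0000 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [root/123456] failed
2013-11-14 06:12:40+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.9] login attempt [admin/admin] failed
2013-11-14 07:30:02+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/admin] succeeded
"""
EXPOSED_AT = datetime(2013, 11, 14, 3, 3, tzinfo=timezone.utc)  # constructed go-live time

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_attempts(log_text):
    """One dict per login-attempt line; lines that do not match (other Kippo chatter) are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S%z"),
                        "ip": m["ip"], "user": m["user"], "pw": m["pw"],
                        "ok": m["result"] == "succeeded"})
    return out

def survival_time(attempts, exposed_at):
    """Minutes from go-live until the first login attempt at or after it; None if untouched so far."""
    later = [a["ts"] for a in attempts if a["ts"] >= exposed_at]
    return (min(later) - exposed_at).total_seconds() / 60 if later else None

def summarize(attempts):
    """Attempt count, distinct source IPs, first successful login and most-tried credential pairs."""
    return {"attempts": len(attempts),
            "sources": len({a["ip"] for a in attempts}),
            "first_success": min((a["ts"] for a in attempts if a["ok"]), default=None),
            "top_creds": Counter((a["user"], a["pw"]) for a in attempts).most_common(3)}

if __name__ == "__main__":
    atts = parse_attempts(SAMPLE_LOG)
    print("survival time (minutes):", survival_time(atts, EXPOSED_AT))  # 107.2
    print(summarize(atts))
```

Point it at a real kippo.log and a go-live timestamp taken from your own uptime tracking (as k6rtm does) and the same three numbers come out for your host.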
Hello Mark,
Great article, and this is definitely a very interesting topic! Some time ago I had deployed a Kippo honeypot and wrote about the experience here: http://countuponsecurity.com/2012/12/07/deception-techniques/. After that, since it could be used to gather intelligence through the knowledge and information that one could obtain by observing, analyzing and investigating it, I illustrate the "intel" you could gain using the facts captured from a Kippo honeypot during the first 20 days here: http://countuponsecurity.com/2012/12/26/honeypot-captures-bad-villain/?relatedposts_exclude=427 Following that article and learning some interesting things, I wrote about the evilness' economic incentive to use and exploit bots for spam, phishing, DoS extortion and other attacks, detailing a step-by-step illustration of how evilness grows their botnet business model by exploiting bad passwords via SSH brute force here: http://countuponsecurity.com/2013/01/02/step-by-step-bot-infection-process-exploiting-bad-password/ ... Cheers, Luis

k6rtm, Nov 14th 2013
Reminds me of the Nimda days, before we had a firewall. I had a Windows server get infected while I was building it.

John, Nov 14th 2013
That's too funny... same thing happened to me with Code Red!

John, Nov 14th 2013
I set up a Kippo honeypot using a Raspberry Pi on my home network; it took a day or so for the first brute force attack. I've had it up since August and I've only had about 12 people actually get in, and didn't get any serious malicious intent until last week. So your mileage may vary. I did have someone try to infect it with an interesting piece of Linux malware last week; it's been submitted to a few malware analysis sites since then, so it is worth keeping a little honeypot up even if it's boring for a while.

sforslev, Nov 14th 2013
HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages:
http://sourceforge.net/projects/honeydrive/

Sanesecurity, Nov 14th 2013
Good article.

Sanesecurity, Jan 1st 2014