Brief Experiment With SSH Honeypots

A work discussion about blocking IP addresses based on geolocation sparked my curiosity recently. The belief was that China, Russia, Iran, and North Korea were doing all of the hacking, and since our business has no clients in these countries, its better to just block them from our networks.

I feel that there are better solutions than simply firewalling countries off altogether, and I cannot ever recall ever seeing North Korean IP addresses probing our network. This conversation highlighted one of my pet peeves: people making claims based off of feelings, hearsay, and emotions rather than doing some actual research on the matter. How do they know that China, Russia, Iran, and North Korea are doing “all of the hacking?”

To test this, I wrote a simple ssh honeypot. It listens for incoming connections and poses as a legitimate SSH server. It logs all connections IP addresses and if they try to login with a username/password, it logs these as well. I had some credit on Digital Ocean, so I spun the lowest tiered virtual machine that they had available and left it running overnight. Between 7PM and 5AM, there were roughly 2400 unique entries in my logs.

Getting it set up was easy:

# apt install gcc make libssh-dev geoip-bin ntp
# git clone https://github.com/droberson/ssh-honeypot.git
# cd ssh-honeypot
# ssh-keygen -t rsa -f ssh-honeypot.rsa
# make
# ./bin/ssh-honeypot -d

Within seconds, ssh-honeypot.log was getting some action!

This morning, after it had been running for around 10 hours, I was able to do a few one-liners and gather some observations and statistics:

  • 18 unique IP addresses attempted to login with a username and password.
  • Out of these 18 hosts, 17 simply probed a user or two for username:username as the credentials or a small handful of other weak credentials and moved on.
  • 1 IP from China launched a full-blown dictionary attack against my fake sshd.
  • IP addresses assigned to China accounted for 2084 of these failed login attempts.
  • The top 10 countries in order of frequency: China, France, Pakistan, Germany, Columbia, South Korea, Canada, Brazil, Greece, Turkey.
  • 27 unique IPs probed port 22, but did not attempt logins.
  • Again, China was responsible for a big portion of these probes, accounting for 10/27 of the total.
  • The top 10 countries probing for SSH in order: China, USA, Russia, Brazil, Hong Kong, Singapore, Netherlands, Japan, United Kingdom, and Australia.

The top 10 usernames attempted, along with counts:

  1. root 2102
  2. user 13
  3. support 11
  4. admin 11
  5. ubnt 10
  6. operator 10
  7. 1234 10
  8. 111111 10
  9. svn 9
  10. adm 9

The top 10 passwords tried, along with counts were:

  1. 123456 28
  2. 12345 26
  3. 1234 26
  4. password 13
  5. admin 13
  6. user 10
  7. root 10
  8. svn123 9
  9. support 9
  10. ubnt 8

There were some interesting passwords tried as one-offs (not part of the dictionary attack) that didn’t make a lot of sense:

  • ghegheb0ss
  • rzx!@!*baizhao
  • !!QQAAZZ!!^*$%^&#$%^@
  • @n!md@mP#$@?$&#@!#mTadm!n$@

In closing, I’d like to expand this project a bit. Perhaps automating a weekly report, adding extra nodes, and writing a sniffer to gather statistics on what people are actually scanning for. This was not even a full day’s worth of data, only watching one type of service, on one virtual machine on a well-known provider, so this information is far from definitive. Next Thursday, I should have a more complete data set!

4 thoughts on “Brief Experiment With SSH Honeypots”

  1. Followed your instructions using Ubuntu Server 16.04 on Digial Ocean. I get this error when I try to run ssh-honeypot -d.

    aqxea@Skynet:~/ssh-honeypot$ sudo ./bin/ssh-honeypot -d
    path ssh-honeypot.pid
    ssh-honeypot 0.0.4 by Daniel Roberson started on port 22. PID 6698
    FATAL: ssh_bind_listen(): Binding to 0.0.0.0:22: Address already in use

    Like

    1. This is most likely because you already have sshd running on port 22. Edit sshd_config to run on another port and restart your ssh service. You will have to connect using this port to administer the machine in the future.

      Like

      1. Thanks, changed my port. Did you leave the passphrase empty when ssh-keygen asked for one? I typed in a passphrase and now I see this when I run ssh-honeypot -d

        root@Skynet:~/ssh-honeypot# ./bin/ssh-honeypot -d
        path ssh-honeypot.pid
        root@Skynet:~/ssh-honeypot# ssh-honeypot 0.0.5 by Daniel Roberson started on port 22. PID 8782
        Enter PEM pass phrase:
        FATAL: ssh_bind_listen(): Failed to import private RSA host key

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s