What I Learned After Using an SSH Honeypot for 7 Days

Torrey Betts / Monday, March 28, 2016

How Did This Idea Come About?

The idea of using a honeypot to learn about potential attackers came to me while chatting with a friend that had exposed his SSH port to log into while away from home. He had mentioned that Chinese IPs had been attempting to gain access. These attacks reminded me of when broadband internet was introduced and there was quite a few firewall software apps protecting internet users. In these apps, when specific incoming traffic took place a popup dialog would alert you to a possible attack. Today's internet is a lot more advanced with several new attack vectors and running an SSH honeypot would be a great opportunity to get up to speed about the attacks and attackers affecting the internet.

What Honeypot to Use?

Honeypots are classified into 3 different categories:

  • Low Interaction - simulates services and vulnerabilities for collecting information and malware but doesn't present a usable system for the attacker to interact with
  • Medium Interaction - imitates a production service in a very controlled environment that allows some interaction from an attacker
  • High Interaction - imitates a production service where attackers can have a free for all until the system is restored

When chosing a honeypot I wanted something where I could not only see the attackers IP but what they are doing to a system. I also didn't want to expose a full blown system to the world where it could be used to hack my internal network or potentially be used for external attack. Going with this premise I chose Kippo. Kippo is the most popular medium interaction SSH honeypot designed to log brute force attacks, and most importantly, the entire shell interaction performed by the attacker.

How Did the Week Progress?

Within the first hour of exposing SSH port 22, I had login attempts taking place from all over the world. The more time that had passed had me thinking about the popularity of Kippo and given the fact it hasn't been updated in a while, it's most likely detectable and lacking simulated features used by attackers. A quick web search confirmed all these suspicions, so I replaced Kippo with Cowrie. Cowrie is directly based off of Kippo with several important updates that include:

  • SFTP and SCP support for file upload
  • Support for SSH exec commands
  • Logging of direct-tcp connection attempts (SSH proxying)
  • Logging in JSON format for easy processing in log management solutions
  • Many more additional commands and most importantly, a fix for the previous Kippo detection

The switch went real smooth as Cowrie is basically a drop in replacement for Kippo and scripts like Kippo-Graph work with it. In addition to switching to Cowrie, I had updated the included fs.pickle file to not be the out-of-the box file system you get by default.

As the week progressed the honeypot continued to rack up login attempts, a few successful, but most were not successful. Because of this I had added a few of the more common username/password combinations to hopefully entice attackers to interact with the honeypot.

What Did the Statistics Look Like?

Over the course of a week there was a total of 1465 login attempts, which resulted in 1374 failed attempts and 91 successful attempts. Additionally, all these attempts are a combination of 113 unique IP addresses.

Top 10 Usernames

Top 10 Usernames

Top 10 Passwords

Top 10 Passwords

Top 10 Combinations

Top 10 Combinations

Top Connections Per Country

Top Connections Per Country

(KR = South Korea, US = United States, RU = Russia, TN = Tunsia, VN = Vietnam, UA = Ukraine, CN = China, FR = France)

What Information Have I Learned?

The major take away from this experience is that most of the login attempts appear to be automated through use of some tool or by way of botnet. Evidence of this comes from the fact that login attempt sessions use origin identifying passwords and repeating passwords tried day after day. Additionally, by doing a CBL lookup of for example the top connection in my honeypot returns the following text.

CBL Lookup Text

Attackers are also targeting exposed Raspberry Pi's and Ubiquiti routers as shown in the statistics. Both of these devices have factory default logins that are easily taken advantage of when not updated.

Unfortunately, in the 7 days that this honeypot ran there was not any notable interactions. Typically the most common types of attacks once an attacker gets inside SSH are botnet connections, irc bouncers or anything that allows an attacker remote control and interaction.

Reference Links

The reference links below are related to this blog post. If you're interested in more information about other honeypots available and setting one up, learn more at this link.

SSH Honeypots: KippoCowrie

Scripts: Kippo-GraphKippo-Scripts

By Torrey Betts