Stats from an SSH Honeypot
I decided to run an ssh honeypot in my Cloud Server on the Internet. While this has been done many times by others, I wanted to see what would happen and share my results.
What is a honeypot?
In computer security, the term honeypot is used to refer to an environment setup that is used to capture malicious activity in a safe manner. You place an attractive target on a network (internal or the Internet) and wait for attacks to come in. Your honeypot then captures data about the attacker and can alert you if someone has been caught in it.
One visual is that of a jar of sticky honey. If someone reaches into the jar, you will notice the contents being disturbed as well as the person having sticky honey on his or her hands.
A security honeypot may have an easy to guess login password or a fake document made to look like real confidential business data.
The honeypot aids a security researcher in understanding what actions an attacker takes so they can develop a behavior profile for detecting attacks against real systems.
I used a Linux cloud server with this modified SSH server software.
I placed the server on the Internet and turned off the firewall. The results of attacks were recorded on disk in a log file.
Start: Tue Sep 11 15:02:26 2018 UTC
End: Wed Sep 19 13:54:16 2018 UTC
Duration: 7 days, 22 hours, 51 minutes and 50 seconds
1,115,930 attempts to guess a password and login to the system.
Top 10 Usernames
Top 10 Passwords
Top 10 Attack Origins
|465||Korea, Republic of|
This was an interesting experiment and shows that putting a server on the Internet results in millions of attacks against it in a very short time.
It behooves us, therefore, to ensure that a server has protections on it from the moment that we connect it to the network.