Honeypot Fun

| Login Attempts | IP Address | Country |
|---|---|---|
| 1 | 146.66.163.107 | Russia |
| 3 | 185.103.252.14 | Russia |
| 9 | 195.154.58.76 | France |
| 18 | 159.122.123.183 | Germany |
| 40 | 117.102.109.18 | Indonesia |
| 41 | 193.201.227.200 | Ukraine |
| 91 | 94.79.5.102 | Russia |
| 126 | 193.201.227.86 | Ukraine |
| 336 | 202.83.25.95 | India |

Remember that the country doesn't actually mean anything. These could be proxies, Tor, hacked servers, etc.

The top usernames and passwords are not very surprising.

| Tries | Username / Password |
|---|---|
| 21 | [root/123456] |
| 19 | [root/default] |
| 18 | [admin/support] |
| 18 | [admin/default] |
| 18 | [admin/123123] |
| 8 | [root/admin] |
| 6 | [admin/admin] |
| 5 | [test/test] |
| 5 | [support/support] |
| 5 | [root/qwerty] |

Probably the most interesting thing is that the first attack was trying some sort of buffer overflow. Although they were connecting to SSH and sending (weird) user/pass combinations, after the connection was rejected they were sending really long strings. I suspect it is some sort of honeypot detection, or it exploits certain versions of SSH? Not sure.

Anyway, for a 1-hour project it is easy and interesting. Definitely something that students could do in an afternoon.
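
An added example (not code from the original post): a tally of honeypot events into the per-IP and per-credential counts shown in the tables above, plus a flag for sources that send oversized data after a rejected login. The JSON-lines schema, event names, threshold and sample addresses (documentation ranges) are all assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample events (hypothetical JSON-lines schema, not from the post).
SAMPLE_LOG = """\
{"ip": "192.0.2.10", "event": "login", "user": "root", "password": "123456"}
{"ip": "192.0.2.10", "event": "login", "user": "root", "password": "default"}
{"ip": "198.51.100.7", "event": "login", "user": "admin", "password": "admin"}
{"ip": "198.51.100.7", "event": "login", "user": "root", "password": "123456"}
{"ip": "203.0.113.5", "event": "login", "user": "x", "password": "y"}
{"ip": "203.0.113.5", "event": "data_after_reject", "length": 4096}
{"ip": "192.0.2.10", "event": "data_after_reject", "length": 12}
not-json garbage line
"""

MAX_POST_REJECT_BYTES = 256  # assumed threshold for "really long" input


def summarize(log_text, threshold=MAX_POST_REJECT_BYTES):
    """Return (attempts per IP, tries per user/password, IPs sending oversized data)."""
    per_ip, per_cred, oversized = Counter(), Counter(), set()
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # log content is attacker-influenced; skip malformed lines
        if not isinstance(ev, dict) or not isinstance(ev.get("ip"), str):
            continue
        if ev.get("event") == "login":
            per_ip[ev["ip"]] += 1
            per_cred[f'{ev.get("user", "")}/{ev.get("password", "")}'] += 1
        elif ev.get("event") == "data_after_reject":
            length = ev.get("length", 0)
            if isinstance(length, int) and length > threshold:
                oversized.add(ev["ip"])
    return per_ip, per_cred, oversized


if __name__ == "__main__":
    ips, creds, big = summarize(SAMPLE_LOG)
    for ip, n in sorted(ips.items(), key=lambda kv: kv[1]):
        print(f"| {n} | {ip} |")
    for cred, n in creds.most_common(10):
        print(f"| {n} | [{cred}] |")
    print("oversized post-reject input from:", sorted(big))
```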
