LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

No, 'airforce' is Not a Good Password: Check Out This Honeypot

Hacker in his LairLowEndTalk member @htop recently shared the results of a honeypot that’s been setup.

I found this post quite interesting:The machine is being blasted almost every second.  So, I wrote one myself, put it on the machine to collect other people’s attack behaviors. And wrote a simple web page for display, which is equivalent to a simple honeypot application. It seems that the effect is really outstanding.

A “honeypot” is a fake server, app, or system that looks legit but is actually gaslighting a potential attacker.  Honeypots have many applications.  For example, appearing-to-be-vulnerable servers, apps, email accounts, etc. can act as canaries for new attacks, vulnerabilities, or spam.

In this case, @htop modified the sshd binary in order to capture passwords.  Normally, sshd does not record failed logins (trivia: Linux circa 0.1 logged failed users and the passwords they tried to use in syslog!).  All failed attempts are then published on this web page.

If you’ve ever run a server, you probably have seen many failed logins in your syslog.  Script kiddies will try hundreds/thousands/millions of IPs to see if any have accounts with poor passwords.  There are different ways to combat this: turning off password authentication is the best, but you can also use fail2ban to limit attackers to only a few failed attempts before their IP is blocked.  Changing the ssh port does not increase security but is often done to reduce log spam.

Looking at @htop’s collected data, we see the usual bad passwords being tried.  “manager123”, “sysop”, “qwerty123!”, “00000000”, etc.  I haven’t seen a “monkey1” go by yet but I’m sure it will.



No Comments

    Leave a Reply

    Some notes on commenting on LowEndBox:

    • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
    • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
    • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

    Your email address will not be published. Required fields are marked *