LowEndTalk member @htop recently shared the results of a honeypot that’s been setup.
I found this post quite interesting:The machine is being blasted almost every second. So, I wrote one myself, put it on the machine to collect other people’s attack behaviors. And wrote a simple web page for display, which is equivalent to a simple honeypot application. It seems that the effect is really outstanding.
A “honeypot” is a fake server, app, or system that looks legit but is actually gaslighting a potential attacker. Honeypots have many applications. For example, appearing-to-be-vulnerable servers, apps, email accounts, etc. can act as canaries for new attacks, vulnerabilities, or spam.
In this case, @htop modified the sshd binary in order to capture passwords. Normally, sshd does not record failed logins (trivia: Linux circa 0.1 logged failed users and the passwords they tried to use in syslog!). All failed attempts are then published on this web page.
If you’ve ever run a server, you probably have seen many failed logins in your syslog. Script kiddies will try hundreds/thousands/millions of IPs to see if any have accounts with poor passwords. There are different ways to combat this: turning off password authentication is the best, but you can also use fail2ban to limit attackers to only a few failed attempts before their IP is blocked. Changing the ssh port does not increase security but is often done to reduce log spam.
Looking at @htop’s collected data, we see the usual bad passwords being tried. “manager123”, “sysop”, “qwerty123!”, “00000000”, etc. I haven’t seen a “monkey1” go by yet but I’m sure it will.
Related Posts:
- LowEndBoxTV: Free Power Toys for Your Linux Server! - October 4, 2024
- Happy Halloween from MangoMail!Get 3 Months FREE Email Hosting on New Signups! - October 3, 2024
- LowEndBoxTV: Stop Losing Your WordPress Data! Backup Your WordPress Easily for FREE! - October 2, 2024
Leave a Reply