Comments (3)
A word of warning, bots finding and authenticating to your honeypot might add your IP address to some "hosts worth attacking" lists somewhere. I'd only run it on throwaway, dedicated VPS, or be ready to change the IP address of the host I was running it on once done.
As for gaining access to the attackers system, I don't think it's something worth doing.
- These are probably either compromised hosts or throwaway instances running in compromised cloud accounts, I don't think you'd find anything of interest.
- The attackers are not utilizing SSH channels which would allow gaining control over their clients (e.g. X11). They also don't use standard SSH implementations like OpenSSH. This means that you'd have to find a vulnerability in some unknown SSH implementation to do this.
- It's also probably illegal? Not a lawyer tho so IDK.
from sshesame.
I saw three patterns.
The majority of attackers tried to brute force IMAP, POP3 and SMTP credentials through TCP/IP forwarding. Like, they didn't even open a shell session or execute a command, the just went for some remote mail server and that's it.
Some tried to execute commands to retrieve info about the system (e.g. uname
) and didn't do anything else (probably because the honeypot doesn't respond to these).
There were also attempts to download and execute shell scripts. I've carefully looked at a few, most of them were a bunch of wget
commands downloading a binary compiled for various architectures and executing them. I didn't really look into the binaries themselves, my reverse engineering skills are not that great.
Also, you can very much recreate this yourselves. If you have a host with a public IPv4 address and something listening on port 22, bots will find it. Fire up a few cheap VPS hosts, move openssh to something other than port 22, run this honeypot on port 22 and collect logs over a few weeks or months.
from sshesame.
Ohh... that's interesting. I'm gonna try this on my VPS. I do get many attempts for password login on port 22 on ssh. Never thought about a honeypot to find out who they are. Wonder if you can also deliver a payload to them upon login to gain access to their system.
from sshesame.
Related Issues (20)
- Add support to seperate source IP and port HOT 2
- Add argument to override logging.file configuration
- Create custom commands that the attacker can use?
- Ability to log the IP address of a rejected connection?
- Limit size of log file or rotate
- listen address: 0.0.0.0:2022 doesn't listen on tcp4, only tpc6 HOT 1
- Combine it with ChatGPT or similar HOT 1
- No connections accepted when config is present HOT 5
- Restrict channel requests to channel types they are relevant for
- Handle direct-tcpip channels HOT 1
- Handle session channels
- Somehow test and compare the behavior between sshesame and OpenSSH server HOT 2
- not connecting HOT 6
- Improve logging
- Pressing Ctrl-D to terminate a command terminates the whole session
- Add support for email protocols over direct-tcpip HOT 2
- Support TLS-encrypted protocols over direct-tcpip HOT 2
- field debug not found in type main.loggingConfig HOT 1
- Failed to get config: yaml HOT 6
- More installation methods
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sshesame.