Statistics for 24 hours after installing the honeypot on the Digital Ocean node in Singapore
Pew Pew! Let's start right away with the attack map
Our super cool map shows the unique ASNs that connected to our Cowrie honeypot in 24 hours. Yellow represents SSH connections and red represents Telnet. Such animations often impress the company's board of directors, allowing them to secure more funding for security and resources. However, the map has some value, clearly demonstrating the geographic and organizational spread of attack sources on our host in just 24 hours. The animation does not reflect the volume of traffic from each source.
What is a Pew Pew Map?
The Pew Pew Map is made with Leafletjs.
For those who want to develop an attack map for the big screen in the operations center (your boss will love it), there is a library
WTF: What's a Cowrie Honeypot?
A honeypot is a system placed on a network specifically to lure intruders. Connections to the system are almost never legitimate, so they reveal an intruder through detailed logs. The logs store not only the usual connection information but also session information that reveals the attacker's techniques, tactics and procedures (TTPs).
My message to companies that think they're not being attacked is "You're not good at searching."
- James Snook
What's in the logs?
Total number of connections
There were multiple connection attempts from many hosts. This is normal, because the attacking scripts carry a list of credentials and try several combinations. The Cowrie honeypot is configured to accept certain username/password combinations; these are configured in the user.db file.
Geography of attacks
Based on Maxmind geolocation data, I counted the number of connections from each country. Brazil and China lead by a wide margin, and there is often a lot of noise from scanners from these countries.
Network block owner
An examination of network block owners (ASNs) can reveal organizations with a large number of attacking hosts. Of course, in such cases, you should always remember that many attacks come from infected hosts. It is reasonable to assume that most intruders are not so stupid as to scan the Net from a home computer.
Open ports on attacking systems (Shodan.io data)
Running the IP list through Shodan
An interesting finding is the large number of systems in Brazil that, according to Censys and Shodan, do not have ports 22, 23 or any other port open. Apparently, these are connections from end-user computers.
Bots? Not necessarily
Here you can see that only a small number of the hosts scanning Telnet have port 23 open to the outside. This means that those systems were either compromised in some other way, or the attackers are running scripts manually.
Home Connections
Another interesting finding was the large number of home users in the sample. Using reverse DNS lookups, I identified 105 connections from specific home computers. For many home connections, the reverse DNS lookup returns a hostname containing words such as dsl, home, cable, fiber, and so on.
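The two counts above, connections per protocol and the home-user heuristic, can be reproduced from Cowrie's JSON log. The following is an added example, not code from the post; it assumes the field names of Cowrie's cowrie.json event format (`eventid`, `src_ip`, `protocol`), uses a constructed log sample, and replaces live PTR lookups with a constructed table so it runs offline.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Cowrie JSON log lines (cowrie.json); field names follow
# Cowrie's JSON event format, values are made up. One deliberately broken line.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","protocol":"ssh","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","protocol":"telnet","session":"b2"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","protocol":"telnet","session":"b3"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.55","protocol":"ssh","session":"c4"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.55","username":"root","password":"123456","session":"c4"}
this line is not JSON and must be skipped
"""

# Constructed stand-ins for live reverse DNS (PTR) answers, so the example runs offline.
RDNS = {
    "203.0.113.10": "host-10.dsl.example-isp.net",
    "198.51.100.7": "cable-7.home.example-cable.com",
    "192.0.2.55": "vps55.example-hosting.com",
}
# Keywords from the post plus a few assumed extras commonly seen in consumer PTR names.
HOME_KEYWORDS = ("dsl", "home", "cable", "fiber", "fibre", "dynamic", "pppoe")

def parse_events(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:  # blank, truncated or non-JSON line
            continue
    return events

def connection_stats(events):
    """Per protocol: (number of connections, number of unique source IPs)."""
    conns, ips = Counter(), defaultdict(set)
    for ev in events:
        if ev.get("eventid") == "cowrie.session.connect":
            proto = ev.get("protocol", "unknown")
            conns[proto] += 1
            ips[proto].add(ev["src_ip"])
    return {p: (conns[p], len(ips[p])) for p in conns}

def is_home_host(hostname):
    """Heuristic from the post: a PTR name whose labels include dsl/home/cable/fiber."""
    labels = hostname.lower().replace("-", ".").split(".")
    return any(kw in labels for kw in HOME_KEYWORDS)

def home_sources(events, rdns):
    """Sorted list of attacking IPs whose reverse DNS name looks like a home connection."""
    ips = {ev["src_ip"] for ev in events if ev.get("eventid") == "cowrie.session.connect"}
    return sorted(ip for ip in ips if is_home_host(rdns.get(ip, "")))
```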
Learn and Explore: Raise Your Own Honeypot
I recently wrote a short tutorial on how
Instead of running Cowrie on the internet and catching all the noise, you can benefit from a honeypot on your local network. Always set up an alert for requests arriving at certain ports: any such request is either an attacker inside the network, a nosy employee, or a vulnerability scan.
Conclusions
After reviewing the actions of intruders for a day, it becomes clear that it is impossible to identify a clear source of attacks in any organization, country, or even operating system.
The wide distribution of sources indicates that scan noise is constant and not associated with a particular source. Anyone who operates a system on the Internet should make sure it has multiple layers of security. A common and effective measure for SSH is moving the service to a random high port. This does not eliminate the need for strong password protection and monitoring, but at least it ensures that the logs are not clogged with constant scanning. Connections to a high port are more likely to be targeted attacks, which are the ones you might be interested in.
Often, open telnet ports are on routers or other devices, so they cannot easily be moved to a high port.
Source: habr.com