Analysis of attacks on Honeypot Cowrie

Statistics for the first 24 hours after installing the honeypot on a Digital Ocean node in Singapore

Pew Pew! Let's start right away with the attack map

Our super cool map shows the unique ASNs that connected to our Cowrie honeypot within 24 hours. Yellow marks SSH connections and red marks Telnet. Animations like this tend to impress the company's board of directors, which helps security teams secure more funding and resources. But the map does have some real value: it clearly shows the geographic and organizational spread of attack sources hitting a single host in just 24 hours. Note that the animation does not reflect the volume of traffic from each source.

What is a Pew Pew Map?

A Pew Pew Map is a visualization of cyber attacks, usually animated and very pretty. It is a fashionable way to sell a product, made notorious by Norse Corp. That company ended badly: it turned out that the beautiful animations were its only real advantage, and the data behind its analysis was sketchy.

Made with Leafletjs

For those who want to build an attack map for the big screen in the operations center (your boss will love it), there is the leafletjs library. Combine it with the leaflet migration layer plugin and the Maxmind GeoIP service, and you are done.


WTF: What's a Cowrie Honeypot?

A honeypot is a system placed on a network specifically to lure intruders. Nobody has a legitimate reason to connect to it, so every connection is suspect, and detailed logging lets you detect the intruder. The logs store not only the usual connection information but also full session details, which reveal the attacker's tactics, techniques and procedures (TTPs).

Cowrie is a honeypot designed to record SSH and Telnet sessions. Honeypots of this kind are often placed on the Internet to track attackers' tools, scripts, and hosts.

"My message to companies that think they're not being attacked is: you're not good at searching."
- James Snook


What's in the logs?

Total number of connections

There were multiple connection attempts from many hosts. This is normal: the attacking scripts carry a list of credentials and try several combinations in a row. The Cowrie honeypot is configured to accept certain username/password combinations, which are defined in its userdb.txt file.
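As an added example (not from the original article and not Cowrie's own code), here is a small emulator of how Cowrie evaluates that file, written from the rules documented in Cowrie's etc/userdb.example: one username:uid:password entry per line, processed top to bottom with the first match deciding, "*" matching anything, a leading "!" rejecting that password, and /.../ (optionally /.../i) treated as a regular expression. The policy in SAMPLE_USERDB is invented for this example, and the function names are mine.

```python
import re
from typing import Callable, List, Tuple

# Constructed userdb.txt content for the example. The layout follows Cowrie's
# documented format (username:uid:password, first match wins); the policy
# itself is made up and is not a recommendation.
SAMPLE_USERDB = """\
# deny the most obvious root passwords so a bot has to work a little ...
root:x:!root
root:x:!123456
root:x:!/honeypot/i
# ... but accept any other root password, so we get to see the session
root:x:*
admin:x:admin
*:x:/^Password[0-9]+$/
"""

Predicate = Callable[[str], bool]


def _matcher(field: str) -> Predicate:
    """Turn one userdb field into a predicate: '*' wildcard, /regex/ or /regex/i, else exact match."""
    if field == "*":
        return lambda _value: True
    m = re.match(r"/(.+)/(i)?$", field)
    if m:
        pattern = re.compile(m.group(1), re.IGNORECASE if m.group(2) else 0)
        return lambda value: pattern.search(value) is not None
    return lambda value: value == field


def parse_userdb(text: str) -> List[Tuple[Predicate, Predicate, bool]]:
    """Parse userdb lines into (user_matcher, password_matcher, allow) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed userdb line: {raw!r}")
        user, _uid, password = parts
        allow = True
        if password.startswith("!"):  # leading '!' means "never accept this password"
            allow = False
            password = password[1:]
        rules.append((_matcher(user), _matcher(password), allow))
    return rules


def check_login(rules: List[Tuple[Predicate, Predicate, bool]], username: str, password: str) -> bool:
    """The first rule whose user AND password fields both match decides; no match means reject."""
    for user_ok, pass_ok, allow in rules:
        if user_ok(username) and pass_ok(password):
            return allow
    return False


RULES = parse_userdb(SAMPLE_USERDB)

if __name__ == "__main__":
    for u, p in [("root", "root"), ("root", "MyHoneyPot1"), ("root", "toor"),
                 ("admin", "admin"), ("admin", "x"), ("pi", "Password123")]:
        verdict = "accept" if check_login(RULES, u, p) else "reject"
        print(f"{u}:{p} -> {verdict}")
```

Order matters: because the first matching line wins, a "root:x:*" placed above "root:x:!root" would silently accept the password you meant to reject. Denying the two or three most common passwords is a cheap way to make the honeypot look less obviously fake to a brute-force script while still letting almost every attacker in.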


Geography of attacks

Using Maxmind geolocation data, I counted the number of connections from each country. Brazil and China lead by a wide margin; scanners in these countries generate a lot of noise.


Network block owner

Examining network block owners (ASNs) can reveal organizations that host a large number of attacking hosts. Keep in mind, though, that many attacks come from compromised hosts: it is reasonable to assume that most attackers are not foolish enough to scan the Internet from their own home computer.
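To show what the counts in the last three sections look like in practice, here is an added example (my code, not the article's or Cowrie's) that parses Cowrie's JSON log format and produces the per-host, per-protocol, per-country and per-ASN tallies. The log lines are constructed for this example in the shape Cowrie writes to cowrie.json (eventids such as cowrie.session.connect and cowrie.login.failed), with documentation-range IPs. The ENRICHMENT table stands in for the Maxmind GeoLite2 City and ASN lookups; the countries and ASNs in it are invented.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed Cowrie-style JSON log lines. The last line is deliberately truncated,
# which is what you get when you copy a log file that is still being written.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","src_port":51001,"dst_port":2222,"session":"a1","protocol":"ssh","timestamp":"2019-05-02T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","session":"a1","timestamp":"2019-05-02T10:00:02.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"admin","session":"a1","timestamp":"2019-05-02T10:00:03.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","username":"root","password":"toor","session":"a1","timestamp":"2019-05-02T10:00:04.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","input":"cat /proc/cpuinfo","session":"a1","timestamp":"2019-05-02T10:00:05.000000Z"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.10","session":"a1","duration":5.1,"timestamp":"2019-05-02T10:00:06.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","src_port":51002,"dst_port":2222,"session":"a2","protocol":"ssh","timestamp":"2019-05-02T10:05:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"admin","session":"a2","timestamp":"2019-05-02T10:05:01.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","src_port":40001,"dst_port":2223,"session":"b1","protocol":"telnet","timestamp":"2019-05-02T11:00:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"root","session":"b1","timestamp":"2019-05-02T11:00:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin","session":"b1","timestamp":"2019-05-02T11:00:02.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.55","src_port":3333,"dst_port":2223,"session":"c1","protocol":"telnet","timestamp":"2019-05-02T12:00:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.55","username":"admin","password":"1234","session":"c1","timestamp":"2019-05-02T12:00:01.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.99"
"""

# Constructed enrichment table standing in for Maxmind GeoLite2 lookups.
# ASNs 64496-64511 are reserved for documentation; countries/orgs are invented.
ENRICHMENT: Dict[str, dict] = {
    "203.0.113.10": {"country": "BR", "asn": 64500, "org": "EXAMPLE-ISP-BR"},
    "198.51.100.7": {"country": "CN", "asn": 64501, "org": "EXAMPLE-CLOUD-CN"},
    "192.0.2.55": {"country": "BR", "asn": 64500, "org": "EXAMPLE-ISP-BR"},
}


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines output, skipping blank lines and the partial last line of a live log."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: ignore rather than abort the whole analysis
    return events


def summarize(events: List[dict]) -> dict:
    """Counts in the form the article reports: sessions per host and protocol, credentials tried,
    successful logins, and the commands typed inside each session."""
    summary = {
        "connections": Counter(),       # src_ip -> number of sessions
        "by_protocol": Counter(),       # ssh / telnet
        "attempts": Counter(),          # (username, password) -> tries
        "successes": Counter(),         # src_ip -> accepted logins
        "commands": defaultdict(list),  # session -> commands entered after login
    }
    for e in events:
        eid = e.get("eventid")
        if eid == "cowrie.session.connect":
            summary["connections"][e["src_ip"]] += 1
            summary["by_protocol"][e.get("protocol", "unknown")] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            summary["attempts"][(e["username"], e["password"])] += 1
            if eid == "cowrie.login.success":
                summary["successes"][e["src_ip"]] += 1
        elif eid == "cowrie.command.input":
            summary["commands"][e["session"]].append(e["input"])
    return summary


def group_by(connections: Counter, key: str, enrichment: Dict[str, dict]) -> Counter:
    """Roll session counts up by 'country' or 'asn'; IPs missing from the lookup land in 'unknown'."""
    grouped: Counter = Counter()
    for ip, n in connections.items():
        grouped[enrichment.get(ip, {}).get(key, "unknown")] += n
    return grouped


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG.splitlines()))
    print("sessions:", sum(s["connections"].values()), dict(s["by_protocol"]))
    print("top credentials:", s["attempts"].most_common(3))
    print("by country:", dict(group_by(s["connections"], "country", ENRICHMENT)))
    print("by ASN:", dict(group_by(s["connections"], "asn", ENRICHMENT)))
    for session, cmds in s["commands"].items():
        print(session, cmds)
```

With a real GeoLite2 database the ENRICHMENT table would be filled from the geoip2 library (Reader("GeoLite2-City.mmdb").city(ip).country.iso_code and Reader("GeoLite2-ASN.mmdb").asn(ip).autonomous_system_number); the rest of the code stays the same. Counting sessions rather than individual login attempts is what keeps one chatty bot from dominating the per-country chart.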


Open ports on attacking systems (Shodan.io data)

Running the IP list through the excellent Shodan API quickly shows which of the systems have open ports and which ports they are. The figure below shows the concentration of open ports by country and organization. It might be possible to identify blocks of compromised systems this way, but within such a small sample nothing stands out, except for a large number of open port 500 in China.

An interesting finding is the large number of systems in Brazil that have no open port 22, 23, or any other port, according to Censys and Shodan. Apparently these are connections from end-user computers.


Bots? Not necessarily

The Censys data for ports 22 and 23 on that day showed something strange. I had assumed that most scans and password attacks come from bots: a worm-like script scans for open ports, guesses passwords, copies itself onto each newly compromised system, and continues spreading from there by the same method.

But here you can see that only a small number of the hosts scanning for Telnet have port 23 open to the outside themselves. This means the systems were either compromised in some other way, or the attackers are running the scripts by hand. (A caveat: a host behind NAT or a firewall also shows nothing open to an Internet-wide scanner, so Shodan and Censys can only confirm exposure, never rule out infection.)
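The two checks described in this and the previous section, the open-port tally per country/organization and the "does the attacker expose the same service it is attacking?" cross-check, as an added example written by me for this page, not taken from the article. Both the attacker list and the scan records are constructed; the records carry only the fields the analysis needs (open ports, country, org), which is the shape you would fill in from a Shodan host lookup or a Censys IPv4 record.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Attackers seen by the honeypot: (source IP, protocol they attacked). Constructed.
ATTACKERS: List[Tuple[str, str]] = [
    ("203.0.113.10", "ssh"),
    ("203.0.113.11", "ssh"),
    ("198.51.100.7", "telnet"),
    ("198.51.100.8", "telnet"),
    ("198.51.100.9", "telnet"),
    ("192.0.2.55", "telnet"),
    ("192.0.2.56", "telnet"),
]

# What an Internet-wide scanner reported for each attacker. Constructed; an IP that is
# absent from the table was not in the scanner's data at all (nothing reachable).
SCAN_DATA: Dict[str, dict] = {
    "203.0.113.10": {"ports": [22, 80], "country": "BR", "org": "EXAMPLE-ISP-BR"},
    "203.0.113.11": {"ports": [22], "country": "BR", "org": "EXAMPLE-HOSTING-BR"},
    "198.51.100.7": {"ports": [23, 500], "country": "CN", "org": "EXAMPLE-CLOUD-CN"},
    "198.51.100.8": {"ports": [500, 8080], "country": "CN", "org": "EXAMPLE-CLOUD-CN"},
    "198.51.100.9": {"ports": [500], "country": "CN", "org": "EXAMPLE-CLOUD-CN"},
    "192.0.2.55": {"ports": [], "country": "BR", "org": "EXAMPLE-ISP-BR"},
    # 192.0.2.56 deliberately missing: the scanner saw nothing on it
}

# The service port that each honeypot protocol stands for on the attacker's side.
SERVICE_PORT = {"ssh": 22, "telnet": 23}


def ports_by(key: str, scan_data: Dict[str, dict]) -> Dict[str, Dict[int, int]]:
    """Open-port tallies grouped by 'country' or 'org': the figure from the text as a dict."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for rec in scan_data.values():
        for port in rec["ports"]:
            out[rec[key]][port] += 1
    return {k: dict(v) for k, v in out.items()}


def worm_check(attackers: List[Tuple[str, str]], scan_data: Dict[str, dict]) -> Dict[str, dict]:
    """For each protocol: how many attacking hosts expose that same service themselves.
    A bot that got in through port 23 and spreads the same way normally still has 23 open.
    A low ratio points to another infection vector, manual operation, or hosts behind
    NAT/firewall that the scanner cannot see (counted separately as not_in_scan_data)."""
    result = {}
    for proto, port in SERVICE_PORT.items():
        ips = [ip for ip, p in attackers if p == proto]
        exposed = sum(1 for ip in ips if port in scan_data.get(ip, {}).get("ports", []))
        unseen = sum(1 for ip in ips if ip not in scan_data)
        result[proto] = {"total": len(ips), "same_port_open": exposed, "not_in_scan_data": unseen}
    return result


def quiet_hosts(attackers: List[Tuple[str, str]], scan_data: Dict[str, dict]) -> List[str]:
    """Attackers with no open ports at all (or absent from the scan data): likely end-user machines."""
    quiet = []
    for ip, _proto in attackers:
        rec = scan_data.get(ip)
        if rec is None or not rec["ports"]:
            quiet.append(ip)
    return quiet


if __name__ == "__main__":
    print("open ports by country:", ports_by("country", SCAN_DATA))
    print("open ports by org:", ports_by("org", SCAN_DATA))
    print("worm check:", worm_check(ATTACKERS, SCAN_DATA))
    print("quiet hosts:", quiet_hosts(ATTACKERS, SCAN_DATA))
```

To feed this from live data, the official shodan Python library's Shodan(api_key).host(ip) call returns a dict whose "ports", "country_code" and "org" keys map directly onto the SCAN_DATA records above; rate limits on the free tier mean you will want to cache the results rather than re-query per run.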


Home Connections

Another interesting finding was the large number of home users in the sample. Using reverse DNS lookups I identified 105 connections from what appear to be home computers: for many of them the PTR record contains words such as dsl, home, cable, fiber, and so on.
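The reverse-DNS heuristic from this section, as an added example of my own rather than the article's code. The PTR names below are constructed for documentation-range IPs and the token list is my starting set; real ISP naming conventions vary, so treat a match as a hint about the connection type, not proof. Tokens are matched as whole labels (split on dots, hyphens and underscores) so that a name like homer-server does not count as "home".

```python
import re
import socket
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Tokens ISPs commonly put in PTR records of residential lines. Starting set; extend per region.
HOME_TOKENS = {"dsl", "adsl", "vdsl", "home", "cable", "fiber", "fibre", "ftth",
               "pppoe", "dyn", "dynamic", "dhcp", "broadband"}

# Constructed reverse-DNS results for attacking IPs. None means "no PTR record",
# which is common for both cloud ranges and residential ranges.
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "203.0.113.10": "203-0-113-10.dsl.example-isp.net.br",
    "203.0.113.11": "host11.example-hosting.net",
    "198.51.100.7": None,
    "198.51.100.8": "ip-198-51-100-8.cable.example.cn",
    "192.0.2.55": "192-0-2-55.dyn.fiber.example.net",
    "192.0.2.56": "homer-server.example.org",  # "homer" must not match "home"
}

_SPLIT = re.compile(r"[.\-_]+")


def is_home_hostname(hostname: Optional[str]) -> bool:
    """True if any whole label/token of the PTR name is one of the residential markers."""
    if not hostname:
        return False
    tokens = {t for t in _SPLIT.split(hostname.lower()) if t}
    return bool(tokens & HOME_TOKENS)


def classify(ptr_map: Dict[str, Optional[str]]) -> Tuple[Counter, List[str]]:
    """Count home / other / no-PTR hosts and return the IPs classified as home."""
    counts: Counter = Counter()
    home: List[str] = []
    for ip, name in ptr_map.items():
        if name is None:
            counts["no_ptr"] += 1
        elif is_home_hostname(name):
            counts["home"] += 1
            home.append(ip)
        else:
            counts["other"] += 1
    return counts, sorted(home)


def reverse_lookup(ip: str, timeout: float = 2.0) -> Optional[str]:
    """Live PTR lookup for real use; returns None when there is no record or the resolver fails.
    Not used by the sample data above, so the example runs offline."""
    old = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None
    finally:
        socket.setdefaulttimeout(old)


if __name__ == "__main__":
    counts, home_ips = classify(SAMPLE_PTR)
    print(dict(counts))
    print("home connections:", home_ips)
```

Reverse lookups against a list of attacker IPs are slow and leak your interest in those addresses to their ISPs' resolvers; batch them once and cache the results alongside the Shodan data.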


Learn and Explore: Raise Your Own Honeypot

I recently wrote a short tutorial on installing the Cowrie honeypot on your own system. As mentioned, in our case we used a Digital Ocean VPS in Singapore. For the 24 hours of analysis the cost was literally a few cents, and setting up the system took about 30 minutes.

Instead of running Cowrie on the Internet and catching all the noise, you can get real value from a honeypot on your local network. Always set up an alert for any request to its ports: such a connection is either an attacker already inside the network, a nosy employee, or a vulnerability scan.

Conclusions

After reviewing a day of intruder activity, it is clear that no single source of attacks can be pinned on any organization, country, or even operating system.

The wide distribution of sources shows that scan noise is constant and not tied to a particular source. Anyone who runs a system on the Internet should make sure it has multiple layers of security. A common and effective measure for SSH is to move the service to a random high port. This does not remove the need for strong authentication and monitoring, but at least it keeps the logs from being clogged with constant scanning. Connections arriving on a high port are more likely to be targeted attacks, which are the ones you want to look at.

Open Telnet ports are often on routers or other devices, so they cannot easily be moved to a high port. An inventory of all open ports and attack surfaces is the only way to make sure these services are firewalled or disabled. If at all possible, do not use Telnet: the protocol is not encrypted. If you really cannot do without it, control access to it carefully and use strong passwords.

Source: habr.com
