Poking the Bear – Running an SSH Honeypot
Decided I would set up an SSH honeypot, for a bunch of reasons, and not only to poke the bear.
If you’re not familiar with what an SSH honeypot is, it is a “virtual” environment set up to replicate an SSH server, and once someone is in, it replicates the basic look and feel of a server you would SSH into. In my example, it gives the basic outward appearance of a Debian server. Once the “bad guy” logs in, it logs all of his activity: everything he tries to put on the server, everything he tries to take off the server, and every command he types (or has scripted out). I’m extremely interested to see what these “bad guys” are doing.
I can’t say for certain why I wanted to set up a honeypot server, beyond wanting to see what an attacker would do once he gets inside the system. In the day that I’ve had the server up, the password has been guessed several times; however, no attacks have been made against the server, and there has been no login besides the initial brute-force connection attempting to break in. So there is nothing really to report on as of yet, but I am truly interested in the attacks that occur against my server after someone logs in and starts doing something.
There is also another pretty good-looking utility to go along with the Kippo SSH honeypot, called Kippo-Graph, which presents the data from the honeypot in a nice, easy-to-read web page format. It also has a nice little interface that steps through all the commands the “bad guy” types and displays them in amazing detail. So, I’m also pretty excited about that.
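As an added example (not from this post, and not part of Kippo or Kippo-Graph), here is a small script that does the kind of per-source summary Kippo-Graph presents: it parses login-attempt lines in the style of Kippo's text log and flags sources whose repeated failed guesses look like brute force. The sample log lines and the exact line format are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Kippo's text log (assumed format,
# not copied from the post). Each line: timestamp, a bracketed service tag
# ending in the source IP, then the login attempt [user/password] and result.
SAMPLE_LOG = """\
2013-06-03 10:22:12+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/123456] failed
2013-06-03 10:22:13+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/password] failed
2013-06-03 10:22:14+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/toor] failed
2013-06-03 10:22:15+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.7] login attempt [root/123456] succeeded
2013-06-03 11:05:40+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.9] login attempt [admin/admin] failed
2013-06-03 11:07:02+0000 [HoneyPotTransport,2,198.51.100.9] connection lost
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[.*?,(?P<ip>[\d.]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

def parse_login_attempts(text):
    """Return one dict per login-attempt line; lines that are not login attempts are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize_by_source(events, brute_force_threshold=3):
    """Per source IP: attempts, failures, successes, distinct passwords tried,
    and a brute_force flag once failures reach the threshold."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0, "succeeded": 0, "passwords": set()})
    for ev in events:
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s[ev["result"]] += 1
        s["passwords"].add(ev["pw"])
    for s in stats.values():
        s["brute_force"] = s["failed"] >= brute_force_threshold
    return dict(stats)

if __name__ == "__main__":
    for ip, s in summarize_by_source(parse_login_attempts(SAMPLE_LOG)).items():
        flag = "brute force" if s["brute_force"] else ""
        print(ip, s["attempts"], "attempts,", s["failed"], "failed,", s["succeeded"], "succeeded", flag)
```

On the constructed sample, 203.0.113.7 is flagged (three failures before the successful guess) while the single attempt from 198.51.100.9 is not.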
I will report back once I have some solid data collected and something more happens besides the initial brute-force attempt. Here’s to running an SSH honeypot...
It should be noted that it makes sense to have a pretty good idea of what you’re getting into when you set up an SSH honeypot. As in the title, I’m not simply doing it to poke the bear; I want to understand what an attacker does once they see an available SSH host (the SSH honeypot).