Lessons learned from running my honeypot

So… I’ve been running my ssh/http honeypot for almost a month now. While
I’m not really ready to release all my reports to the intar-webs yet,
there are some lessons that are readily apparent. And sadly, these
are the same lessons everyone else has been screaming about for the
last dozen years.

SSH lessons


  1. Don’t allow root to ssh into your server. Make sure your
    /etc/ssh/sshd_config has “PermitRootLogin no” set.

  2. Don’t use stupid passwords. Passwords like “password”,
    “admin”, and “123456” and their assorted variations are the
    top passwords that ssh brute force attacks try.

  3. Longer passwords are better than shorter passwords. Well over
    95% of the passwords tried are 8 characters or less.

  4. Don’t keep the default passwords for any software you install.
    Looking at Google for the passwords tried shows that many of them
    are default passwords for one piece of software or another.

  5. Don’t keep the default passwords for any hardware (including
    routers). They keep trying “admin” accounts with the password
    “admin” which was a default for older home routers.
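A quick way to check lesson 1 without eyeballing the file, as an added example that is not part of the original post: sshd honours the first uncommented occurrence of a keyword, so a “PermitRootLogin no” appended below an earlier “PermitRootLogin yes” changes nothing, and a setting inside a Match block only applies to connections that match. The function below (POSIX sh plus awk, reading an sshd_config on stdin) prints the global value sshd will actually use; the function names and the config fragments at the bottom are mine and constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the original post. Reads an sshd_config on
# stdin and prints the PermitRootLogin value sshd will use globally.
# Rules implemented:
#   - the FIRST uncommented PermitRootLogin wins (later ones are ignored);
#   - keywords are case-insensitive and may be written "Keyword value" or
#     "Keyword=value";
#   - parsing stops at the first Match block, whose settings are conditional;
#   - "unset" means sshd falls back to its compiled-in default.

permit_root_login() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }   # comments, blank lines
        line ~ /^[ \t]*match([ \t]|$)/         { exit }   # global section ends here
        {
            sub(/^[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)
            if (f[1] == "permitrootlogin") { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    '
}

# Returns 0 only when the effective value is the "no" the post recommends.
root_login_disabled() {
    [ "$(permit_root_login)" = "no" ]
}

# Constructed sshd_config fragments for the demonstration.
looks_fixed_but_is_not='#PermitRootLogin no
Port 22
PermitRootLogin yes
PermitRootLogin no'

actually_fixed='Port 22
PermitRootLogin no   # root must log in as a normal user and escalate'

for cfg in "$looks_fixed_but_is_not" "$actually_fixed"; do
    printf '%s\n' "$cfg" | permit_root_login
done
# prints "yes" for the first fragment and "no" for the second
```

Run it against the live file with `permit_root_login < /etc/ssh/sshd_config`. The first fragment is the classic mistake: the only line an eye catches is the final “no”, but sshd has already taken the earlier “yes”.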

Webserver lessons


  1. Patch bash! They keep trying ShellShock attacks against my
    honeypot, so they must be succeeding often enough to make
    it worth their while.

  2. Patch PHP! The second most common attack is against old PHP
    exploits.

  3. Don’t install things into their default directories on the
    webserver. Most attacks are against default scripts that get
    put into the cgi-bin directory. Even renaming cgi-bin to CGI-BIN
    and changing your httpd.conf file to reflect that change eliminates
    more than 95% of the attacks. Close after that are phpMyAdmin,
    webtools, ccbill, cgibin (no dash), and /mail. Rename those
    directories and even if you’re vulnerable, they probably won’t
    find you quickly.


What are they trying to run?


  1. Number one thing they are trying to run is the Atrix IRC worm.
    This is an IRC bot that lets them attack other servers, AND can
    give them the ability to run commands on your server as whatever
    UID is running httpd.

  2. bash. Yes, bash. Bash can open a network connection to the outside
    world on its own (its /dev/tcp/host/port redirection), so no extra
    tools need to be on the box. This lets them telnet to whatever
    port they decided to use and have a bash shell on your server to
    run whatever they want to.

  3. ssh brute force scripts. These try to log in to other servers
    and then report the successful attempts back to another server.

  4. ONE instance of a rootkit. Why? I have no idea. I assume
    the other attacks are precursors to downloading and running a
    rootkit on your server.


IP Address Obfuscation and modification with sed

I’m working on a logfile analyzer for a honeypot. One of the things
I’m interested in is copying the report files to a public website so
that others can see it too.

But, there are some potential privacy issues involved. Since I’m doing
an analysis on where the attacks are coming from, and reporting on them,
I don’t think I want to share the exact IP address that the ssh probes
came from. So how do I do that? Well, I could use Perl, but the analyzer
is a “Big-Ass Shell Script” so I want to minimize how often I run Perl.
The IP addresses are buried in the middle of other text so I can’t use
awk (that would be too simple), so I have to use sed.

For the record, I’m running this on Linux, Fedora Core 20 to be exact.
Thinking this would be easy was a mistake. It took me almost an hour
of mucking about before I had a working sed expression. Once I figured
out I NEEDED to use the “-r” option (which is “use extended regular
expressions in the script”) then things finally started falling into
place.

The following sed expression returns the IP address just as it came in.


echo 92.168.133.1 |\
sed -r 's/([0-9]{1,3}\.)([0-9]{1,3}\.)([0-9]{1,3}\.)([0-9]{1,3})/\1\2\3\4/'

And the output is

92.168.133.1

And THIS sed expression replaces the second octet with the word “FOO”.
Please note the “.” after the word “FOO”. That’s part of what gets
substituted in, because the second remembered pattern (and its dot) is
no longer being printed.


echo 92.168.133.1 |\
sed -r 's/([0-9]{1,3}\.)([0-9]{1,3}\.)([0-9]{1,3}\.)([0-9]{1,3})/\1FOO.\3\4/'

And the output is

92.FOO.133.1

And in this example, I am reversing the IP address.


echo 92.168.133.1 |\
sed -r 's/([0-9]{1,3}\.)([0-9]{1,3}\.)([0-9]{1,3}\.)([0-9]{1,3})/\4\3\2\1/'

And the output is (Please note that we have a trailing “.” at the end of the
IP address. I leave removing the trailing “.” as an exercise for the reader.)

1.133.168.92.

Soooooo, What’s the sed expression really doing? Let’s break it apart
into different lines so it’s easier to understand.

Start sed using extended regular expressions


sed -r

Single quote to start the expression, and “s” says to do a substitution.

's

The start of the search expression.

/

This is the first “remembered” pattern (a capture group). The open
parenthesis and the close parenthesis mark the start and end of the
remembered pattern. “[0-9]” means any single digit, 0 through 9. “{1,3}”
means the PRIOR pattern 1, 2, or 3 times only, so “x” doesn’t match but
“1”, “11”, and “111” do. “\.” means literally a single period; it’s
backslashed to mean a period, because without the backslash a single
period means “match any single character”.

([0-9]{1,3}\.)

This is the second “remembered” pattern.

([0-9]{1,3}\.)

This is the third “remembered” pattern.

([0-9]{1,3}\.)

This is the fourth “remembered” pattern. Please note there is NO trailing
“.” character.

([0-9]{1,3})/

Print the first “remembered” pattern.

\1

Print the second “remembered” pattern.

\2

Print the third “remembered” pattern.

\3

Print the fourth “remembered” pattern.

\4

And finally, a slash to end the replacement text and a single quote to
close the sed expression.

/'

So what can we do with this? In the replacement, instead of printing
all four remembered patterns, we can print other things by replacing
a “\#” with something else. So instead of “\1\2\3\4”, we could have
“\1\2\3127”, which would print out 92.168.133.127. Backreferences are
SINGLE digits (\1 through \9), so \3127 doesn’t mean the 3,127th pattern;
it means print the third pattern (\3), followed by the literal text 127.

What are the problems with this expression? Well, it doesn’t explicitly
deal with true IP addresses. A true IP address goes from 0.0.0.0 to
255.255.255.255. This pattern I made goes from 0.0.0.0 to 999.999.999.999.
It also isn’t anchored, so it will happily match the first four dotted
numbers inside something like a version string, and without the “g” flag
sed only rewrites the first match on each line. For what I need to do,
this is close enough.

Now, I need to obfuscate URLs. The same deal applies. Here the host is
everything after “http://” up to the first slash, so “[^\/]+” picks it
up and the path after that slash is kept whatever its length (a greedy
“(.+)” in its place would only keep the last character of the path).


echo "http://www.foo/x" | sed -r 's/(http:\/\/)[^\/]+/\1HIDDEN/'

returns

http://HIDDEN/x

And I did it again with FTP.


echo "ftp://www.foo/x" | sed -r 's/(ftp:\/\/)[^\/]+/\1HIDDEN/'

returns

ftp://HIDDEN/x
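Putting the IP and URL substitutions together as an added example (not the original analyzer): the functions below mask every IPv4 address on a line rather than only the first, accept only real octets in the range 0 to 255 (closing the 0.0.0.0 to 999.999.999.999 gap noted above), refuse to match inside a longer run of digits, and hide the host of http, https and ftp URLs while keeping the whole path. GNU sed is assumed, for “-E” (its other spelling of “-r”) and for the “\b” word boundary; the function names and the sample report lines are mine and constructed.

```sh
#!/bin/sh
# Added example, not the original post's analyzer. GNU sed is assumed
# (-E is GNU sed's other spelling of -r; \b is a GNU extension).

# One octet, 0-255, as an ERE. With this alternation the pattern can no
# longer match 999.999.999.999, and the \b used below stops it matching a
# dotted quad buried inside a longer digit run such as 10.20.30.400.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'

# Keep the first and last octets and mask the middle two, for every address
# on the line (g flag). Groups: \1 = first octet, \5 = last octet; the
# octet alternation itself occupies groups 2, 3, 4 and 6.
mask_ips() {
    sed -E "s/\\b($OCTET)\\.$OCTET\\.$OCTET\\.($OCTET)\\b/\\1.xxx.xxx.\\5/g"
}

# Replace the host (everything up to the first slash or space) of http://,
# https:// and ftp:// URLs with HIDDEN, keeping scheme and path. Using # as
# the s/// delimiter avoids escaping every slash in the pattern.
mask_url_hosts() {
    sed -E 's#((https?|ftp)://)[^/ ]+#\1HIDDEN#g'
}

# Run both passes over a report read from stdin.
scrub_report() {
    mask_ips | mask_url_hosts
}

# Constructed sample lines in the style of an ssh/http honeypot report.
SAMPLE='Failed password for root from 203.0.113.17 port 51522 ssh2
src=198.51.100.9 dst=192.0.2.250 build 10.20.30.400
GET http://www.example.com/cgi-bin/test.cgi referer ftp://files.example.net/pub'

printf '%s\n' "$SAMPLE" | scrub_report
```

Use it as `scrub_report < report.txt > public_report.txt`. The second sample line shows the two properties the one-liners above lack: both addresses on the line are masked, and the 400 in “10.20.30.400” stops it being mistaken for an address.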

Thanks to http://www.grymoire.com/Unix/Sed.html which was a great
help in remembering how to use sed.