From the Canyon Edge -- :-Dustin

Tuesday, March 27, 2012

Some Statistics on mondrian.byobu.co (as a honeypot)

Just following up on my recent post about Piet Mondrian and Byobu...

I had planned on running the guest@mondrian.byobu.co HP/OpenStack instance for just one day, but I've actually kept it running for 3 weeks now!

I compiled a few statistics for you over those 3 weeks. There have been:
  • 2,405 successful password authentications as the guest user!
  • 308 successful public key authentications as the ubuntu user
    • from 2 different IP addresses which I can confirm are both mine (home and office), whew!
  • 16,002 failed password attempts for the root user
    • seriously, people?
  • 6,813 more failed password attempts for some 4,929 other random invalid users on the system, originating from the following malicious IP addresses, damn you!
    • 108.15.99.40
    • 115.178.77.152
    • 115.238.176.98
    • 118.67.249.136
    • 119.10.114.200
    • 121.14.46.119
    • 123.125.149.134
    • 123.215.30.134
    • 124.238.214.46
    • 176.32.184.75
    • 199.119.204.3
    • 211.91.224.131
    • 216.196.184.5
    • 216.230.144.226
    • 222.174.35.3
    • 60.31.123.54
    • 61.135.199.195
    • 61.50.247.173
    • 68.169.46.31
    • 76.176.60.100
Well that was a fun honeypot :-)  Does anyone know of some fun utilities that I could point at my /var/log/auth.log* for more in depth analysis?
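One way to pull exactly these numbers out of sshd's syslog lines yourself, as an added example that is not part of the original post or of Byobu: a small Python script that parses auth.log, tallies accepted logins per method and user, failed attempts for root versus non-existent users, the attacking source IPs, and (the part worth a second look on any box that is not a deliberate honeypot) which IPs failed first and then got an accepted login. The log lines, hostname and IPs below are constructed for the example (RFC 5737 documentation addresses), not taken from the real mondrian host.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in classic syslog/sshd format (not taken from the real
# mondrian host; IPs are RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG = """\
Mar 27 10:15:01 mondrian sshd[1234]: Accepted password for guest from 203.0.113.5 port 51234 ssh2
Mar 27 10:15:02 mondrian sshd[1235]: Accepted publickey for ubuntu from 203.0.113.9 port 51235 ssh2
Mar 27 10:15:03 mondrian sshd[1236]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 27 10:15:04 mondrian sshd[1237]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 27 10:15:05 mondrian sshd[1238]: Failed password for invalid user oracle from 198.51.100.7 port 40003 ssh2
Mar 27 10:15:06 mondrian sshd[1239]: Failed password for invalid user test from 192.0.2.44 port 40004 ssh2
Mar 27 10:15:07 mondrian sshd[1240]: Accepted password for guest from 192.0.2.44 port 40005 ssh2
Mar 27 10:15:08 mondrian CRON[1241]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One regex covers both "Accepted <method> for <user>" and
# "Failed <method> for [invalid user] <user>" as OpenSSH writes them.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_auth_log(text):
    """Yield one event dict per sshd authentication line; other lines (cron, sudo, ...) are skipped."""
    for line in text.splitlines():
        m = SSHD_AUTH.search(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None
            yield ev


def summarize(events):
    """Aggregate events into the per-user / per-IP counts the post reports."""
    s = {
        "accepted": Counter(),              # (method, user) -> successful logins
        "accepted_ips": defaultdict(set),   # user -> source IPs that got in
        "accepted_by_ip": Counter(),        # ip -> successful logins
        "failed_root": 0,
        "failed_valid_other": 0,            # failures for real non-root accounts
        "failed_invalid": 0,
        "invalid_users": set(),             # names that do not exist on the box
        "failed_ips": Counter(),            # ip -> failed attempts
    }
    for e in events:
        if e["result"] == "Accepted":
            s["accepted"][(e["method"], e["user"])] += 1
            s["accepted_ips"][e["user"]].add(e["ip"])
            s["accepted_by_ip"][e["ip"]] += 1
        else:
            s["failed_ips"][e["ip"]] += 1
            if e["invalid"]:
                s["failed_invalid"] += 1
                s["invalid_users"].add(e["user"])
            elif e["user"] == "root":
                s["failed_root"] += 1
            else:
                s["failed_valid_other"] += 1
    return s


def guessed_their_way_in(s):
    """IPs that produced failures AND an accepted login: the ones worth a closer look."""
    return {ip for ip in s["accepted_by_ip"] if ip in s["failed_ips"]}


def format_report(s):
    lines = []
    for (method, user), n in sorted(s["accepted"].items()):
        lines.append(f"{n} successful {method} authentications as {user} "
                     f"from {len(s['accepted_ips'][user])} IP(s)")
    lines.append(f"{s['failed_root']} failed password attempts for root")
    lines.append(f"{s['failed_invalid']} failed attempts for {len(s['invalid_users'])} invalid users")
    lines.append(f"{s['failed_valid_other']} failed attempts for other valid users")
    lines.append("attacking IPs: " + ", ".join(sorted(s["failed_ips"])))
    lines.append("IPs that failed and then got in: " + ", ".join(sorted(guessed_their_way_in(s))))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python authlog_stats.py /var/log/auth.log   (falls back to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    print(format_report(summarize(parse_auth_log(text))))
```

Feed it the rotated files too (`zcat /var/log/auth.log.*.gz | python authlog_stats.py /dev/stdin`), and on a journald-only host pull the same lines with `journalctl -u ssh --no-pager`. The regex only understands OpenSSH's "Accepted"/"Failed" lines; "Invalid user" pre-auth lines and PAM messages are deliberately ignored so nothing is double counted.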

So take this as a lesson: make sure you disable password authentication on your servers. There are automated, unsavory types out there, all of the time, constantly poking and prodding at your cloud instances, looking for an easy way in!
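A quick way to check that a server has actually taken that lesson, as an added example (my own, not code from the post or from Byobu): a Python audit of sshd_config that applies sshd's first-occurrence-wins rule and flags the settings that still let a password guesser in. Turning off PasswordAuthentication alone is not enough when UsePAM is on, because keyboard-interactive (ChallengeResponseAuthentication / KbdInteractiveAuthentication) can still hand out a password prompt, so the audit checks those too. The two config texts are constructed examples, and the default values assumed for keywords missing from the file are an assumption about the OpenSSH build in use; the audit reads only the global section and stops at the first Match block.

```python
# Constructed example: a config that leaves password logins on (PasswordAuthentication
# is only shown commented out, so sshd's built-in default of "yes" applies).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed example: keys only, no interactive password prompts of any kind.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

# Assumed sshd defaults for keywords absent from the file (these are the upstream
# OpenSSH defaults of the era; check `sshd -T` on the real host to be sure).
ASSUMED_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
}


def effective_settings(text):
    """Return {keyword_lowercase: value} for the global section of an sshd_config.

    sshd honours the FIRST occurrence of each keyword, lines starting with '#' are
    comments, and everything after the first 'Match' line is conditional, so it is
    skipped here (simplification for this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means no password path is left open."""
    s = {**ASSUMED_DEFAULTS, **effective_settings(text)}
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on: online password guessing is possible")
    # With UsePAM, keyboard-interactive can still prompt for a password even when
    # PasswordAuthentication is off, so both of these must be off as well.
    if s["challengeresponseauthentication"] != "no" or s["kbdinteractiveauthentication"] != "no":
        findings.append("ChallengeResponse/KbdInteractive still on: PAM may still prompt for passwords")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is directly guessable; use prohibit-password or no")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: key-only login is impossible")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python sshd_audit.py /etc/ssh/sshd_config   (defaults to the weak sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SSHD_CONFIG
    for finding in audit_sshd_config(text) or ["no password login path found"]:
        print(finding)
```

Run it against the live file, but treat `sshd -T` (the effective configuration sshd itself reports) as the final word, since included files and Match blocks can change the answer.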

:-Dustin

4 comments:

  1. If you want to do interesting analysis for your logs, you could use picviz: http://www.picviz.com/sections/opensource/picviz.html

  2. I'm using a combination of fail2ban+fail2sql w/ a 'scanned' field inserted into the db (sql field default '0') to write failed attempts into a db.

    Pull out all the unique IP entries with a '0' in the 'scanned' field and run them through whatever fingerprinting tools you want w/ a cronjob...dump output into the db and shame publicly with php. :)

  3. I use denyhosts for that, works fine for me.

  4. Re the lesson, I'm gonna be the skeptic here. What are we afraid of? If you are using SHA512 passwords in linux and they are not stupidly chosen, nobody is ever going to hack them. Thoughts?


Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin
