From the Canyon Edge -- :-Dustin

Tuesday, March 27, 2012

Some Statistics on mondrian.byobu.co (as a honeypot)

Just following up on my recent post about Piet Mondrian and Byobu...

I had planned on running the guest@mondrian.byobu.co HP/OpenStack instance for just one day, but I've actually kept it running for 3 weeks now!

I compiled a few statistics for you over those 3 weeks.  There have been:
  • 2,405 successful password authentications as the guest user!
  • 308 successful public key authentications as the ubuntu user
    • from 2 different IP addresses which I can confirm are both mine (home and office), whew!
  • 16,002 failed password attempts for the root user
    • seriously, people?
  • 6,813 more failed password attempts for some 4,929 other random invalid users on the system, originating from the following malicious IP addresses, damn you!
    • 108.15.99.40
    • 115.178.77.152
    • 115.238.176.98
    • 118.67.249.136
    • 119.10.114.200
    • 121.14.46.119
    • 123.125.149.134
    • 123.215.30.134
    • 124.238.214.46
    • 176.32.184.75
    • 199.119.204.3
    • 211.91.224.131
    • 216.196.184.5
    • 216.230.144.226
    • 222.174.35.3
    • 60.31.123.54
    • 61.135.199.195
    • 61.50.247.173
    • 68.169.46.31
    • 76.176.60.100
Well that was a fun honeypot :-)  Does anyone know of some fun utilities that I could point at my /var/log/auth.log* for more in-depth analysis?
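Added example, not part of the original post and not one of the utilities it asks about: a small Python script that pulls the same numbers the bullet list above reports out of /var/log/auth.log* (including the gzip-rotated copies), and additionally tallies which source addresses were behind the guesses at non-existent users. It assumes the classic syslog-style sshd lines that Ubuntu wrote to auth.log in 2012 ("Accepted password for ...", "Failed password for invalid user ..."); the sample lines at the bottom are constructed and use RFC 5737 documentation addresses rather than the real ones listed above.

```python
#!/usr/bin/env python3
"""Summarize sshd authentication events from /var/log/auth.log* files.

Added example for this post, not a tool it mentions. It assumes the classic
syslog-style sshd lines Ubuntu writes to auth.log; on a journald-only host,
pipe `journalctl -u ssh` in and pass "-" as the only argument.
"""
import gzip
import re
import sys
from collections import Counter

# "Accepted <method> for <user> from <ip> port <n> ssh2" (a key fingerprint may follow)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def iter_auth_lines(paths):
    """Yield lines from plain and gzip-rotated logs (auth.log, auth.log.1, auth.log.2.gz, ...)."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh


def summarize(lines):
    """Return the counts from the post plus the source IPs behind the invalid-user guesses."""
    stats = {
        "accepted": Counter(),              # (method, user) -> successful logins
        "accepted_sources": {},             # user -> set of IPs that logged in
        "failed_root": 0,                   # password failures against root
        "failed_other": Counter(),          # valid non-root user -> password failures
        "failed_invalid": 0,                # password failures against non-existent users
        "invalid_users": set(),             # the distinct user names that were guessed
        "invalid_user_sources": Counter(),  # ip -> guesses against non-existent users
    }
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            stats["accepted"][(m["method"], m["user"])] += 1
            stats["accepted_sources"].setdefault(m["user"], set()).add(m["ip"])
            continue
        m = FAILED_RE.search(line)
        if not m:
            continue  # cron sessions, disconnects, sudo, etc.
        if m["invalid"]:
            stats["failed_invalid"] += 1
            stats["invalid_users"].add(m["user"])
            stats["invalid_user_sources"][m["ip"]] += 1
        elif m["user"] == "root":
            stats["failed_root"] += 1
        else:
            stats["failed_other"][m["user"]] += 1
    return stats


def report(stats):
    """Print the summary in the same shape as the post's bullet list."""
    for (method, user), n in sorted(stats["accepted"].items()):
        ips = ", ".join(sorted(stats["accepted_sources"][user]))
        print(f"{n} successful {method} authentications as {user} (from {ips})")
    print(f"{stats['failed_root']} failed password attempts for root")
    for user, n in stats["failed_other"].most_common():
        print(f"{n} failed password attempts for valid user {user}")
    print(f"{stats['failed_invalid']} failed password attempts for "
          f"{len(stats['invalid_users'])} invalid users, from:")
    for ip, n in stats["invalid_user_sources"].most_common():
        print(f"  {ip} ({n} attempts)")


# Constructed sample in the 2012 Ubuntu auth.log format, using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar 27 10:00:01 mondrian sshd[1234]: Accepted password for guest from 203.0.113.5 port 51234 ssh2
Mar 27 10:00:09 mondrian sshd[1238]: Accepted password for guest from 203.0.113.77 port 40110 ssh2
Mar 27 10:00:15 mondrian sshd[1240]: Accepted publickey for ubuntu from 198.51.100.7 port 51240 ssh2
Mar 27 10:01:12 mondrian sshd[1301]: Failed password for root from 192.0.2.44 port 4022 ssh2
Mar 27 10:01:15 mondrian sshd[1301]: Failed password for root from 192.0.2.44 port 4022 ssh2
Mar 27 10:02:30 mondrian sshd[1355]: Invalid user oracle from 192.0.2.44
Mar 27 10:02:30 mondrian sshd[1355]: Failed password for invalid user oracle from 192.0.2.44 port 4100 ssh2
Mar 27 10:02:34 mondrian sshd[1357]: Failed password for invalid user oracle from 192.0.2.44 port 4102 ssh2
Mar 27 10:02:40 mondrian sshd[1360]: Failed password for invalid user admin from 192.0.2.99 port 4101 ssh2
Mar 27 10:03:00 mondrian sshd[1380]: Failed password for ubuntu from 192.0.2.99 port 4200 ssh2
Mar 27 10:05:01 mondrian CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()

if __name__ == "__main__":
    # Usage: python3 authlog_summary.py /var/log/auth.log*   (no args: run on the sample)
    paths = sys.argv[1:]
    if paths == ["-"]:
        lines = sys.stdin
    elif paths:
        lines = iter_auth_lines(paths)
    else:
        lines = SAMPLE_LOG
    report(summarize(lines))
```

The split between "Failed password for root", "Failed password for <valid user>" and "Failed password for invalid user <name>" is what separates the three failure bullets above; the set of successful-login source IPs per user is the check that confirmed the 308 key logins were both the author's own.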

So take this as a lesson: make sure you disable password authentication on your servers.  There are automated, unsavory types out there all of the time, constantly poking and prodding at your cloud instances, looking for an easy way in!
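Added example, not from the post: a Python check for the setting the lesson above is about, run against an sshd_config. It encodes the real OpenSSH keywords PasswordAuthentication, ChallengeResponseAuthentication (called KbdInteractiveAuthentication in newer releases, with the old name kept as an alias), UsePAM and PermitRootLogin, treats unset keywords as the defaults of the post's era (all "yes" except UsePAM), mirrors sshd's rule that the first occurrence of a keyword wins, and audits only the global section before any Match block. The two sample configs are constructed; the weak one resembles a stock config of the time and the hardened one is the fix. The one caveat a practitioner wants here: "PasswordAuthentication no" alone is not enough when UsePAM is yes, because PAM can still prompt for a password over the keyboard-interactive method until that is turned off too.

```python
#!/usr/bin/env python3
"""Check an sshd_config for the password-authentication settings this post warns about.

Added example, not from the post. Only the global section (before the first
Match block) is audited; unset keywords get the defaults of the post's era.
"""
import re
import sys

KEYWORD_RE = re.compile(r"^(\w+)\s*[= ]\s*(.+?)\s*$")
# ChallengeResponseAuthentication and KbdInteractiveAuthentication are one setting in sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the global section.

    sshd uses the FIRST occurrence of a keyword, so a later "PasswordAuthentication no"
    does not override an earlier "yes"; setdefault() mirrors that rule.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # Match blocks scope settings to particular users/hosts; out of scope here
        settings.setdefault(ALIASES.get(key, key), value.lower())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; empty means passwords are fully disabled for SSH."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append(
            "PasswordAuthentication is not 'no': every account with a password can be "
            "guessed at, which is what the post's guest logins and root failures are"
        )
    # Even with PasswordAuthentication no, PAM can still ask for a password over the
    # keyboard-interactive method unless that method is disabled as well.
    if cfg.get("usepam", "no") == "yes" and cfg.get("kbdinteractiveauthentication", "yes") != "no":
        findings.append(
            "UsePAM yes with ChallengeResponseAuthentication/KbdInteractiveAuthentication "
            "not 'no': PAM can still prompt for a password via keyboard-interactive"
        )
    if cfg.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append(
            "PermitRootLogin permits password logins as root; set 'no' or 'prohibit-password'"
        )
    return findings


# Constructed samples. WEAK resembles a stock config of the time; HARDENED is the fix.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# newer OpenSSH spells this KbdInteractiveAuthentication; both names are accepted
ChallengeResponseAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    # Usage: python3 sshd_audit.py /etc/ssh/sshd_config   (no args: audit both samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak sample": WEAK_CONFIG, "hardened sample": HARDENED_CONFIG}
    for name, text in samples.items():
        findings = audit_sshd_config(text)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

The file is only what sshd was told; `sshd -T` (run as root) dumps the effective configuration after defaults and Match processing, so feeding its output to the same audit is the more reliable check on a host you are locking down.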

:-Dustin
