A little more than a month ago I set up an SSH honeypot on a cloud server. My purpose was to log everything that connected to (or tried to log in to) the honeypot, then dig into the logs and pull out some interesting data. During my initial search I found Kippo to be good enough for my purposes. Kippo is an SSH honeypot that logs every SSH interaction and also provides a sandboxed shell to anyone who manages to log in successfully.
## Getting Started
To get started, I set up a cloud server and ran Kippo as a non-root user. By default Kippo listens on port 2222; if you want it reachable on port 22, the recommended approach is port translation rather than running Kippo as root. Since most of the bots that brute-force public SSH logins do so on port 22, I used these iptables rules to redirect it to Kippo:
```
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222
iptables -A INPUT -i eth0 -p tcp --dport 2222 -j ACCEPT
```
I also moved my real SSH server to a port other than 22 and opened that port in iptables, so that the honeypot gets the traffic aimed at port 22 and I still have a way in.
## Log Results
I found some interesting things in the logs.

Top 100 unique usernames, with the number of login attempts that used each one:
```
[root@honeypot kippo-log]# grep 'login attempt' kippo-big.log | awk '{print $9}' | grep -Po "(?<=\[)(.*?)(?=\/)" | sort -n | uniq -c | sort -nr | head -n100
36747 root
490 bin
414 oracle
336 test
278 nagios
227 teamspeak
220 guest
161 postgres
154 user
129 admin
105 deathrun
90 ftpuser
78 ftp1
76 git
73 mysql
71 weblogic
57 web
57 alex
52 student
49 tomcat
48 ubuntu
48 temp
46 michael
45 victoria
42 tester
42 caroline
41 apache
40 info
40 backup
39 testing
39 ftpguest
39 claire
38 toor
38 students
36 amanda
36 a
34 hadoop
34 gnats
33 user1
33 mp3
33 cyrus
32 ucpss
32 monica
31 sarah
31 john
31 avahi
30 news
30 anna
28 www-data
28 www
28 nobody
27 jordan
27 alexandra
26 master
26 julia
26 elizabeth
25 victor
25 vic
25 trinity
25 postfix
25 nicole
25 naomi
25 morgan
25 emma
25 edith
24 test1
24 svn
24 sophie
24 plesk
24 patricia
24 natalie
24 maryse
24 louise
24 jessica
24 jasmine
24 isabella
24 irc
24 grace
24 erin
24 emilie
24 diane
24 clara
24 charlotte
24 adm
24 abigail
23 zoe
23 webmaster
23 taylor
23 sys
23 sydney
23 support
23 riley
23 rebecca
23 rainer
23 paige
23 mia
23 madison
23 lauren
23 kate
23 joan
```
Top 100 unique passwords, with the number of login attempts that used each one:
```
[root@honeypot kippo-log]# grep 'login attempt' kippo-big.log | awk '{print $9}' | grep -Po "(?<=\/)(.*?)(?=\])" | sort -n | uniq -c | sort -nr | head -n100
654 123456
225 1234
219 password
171 123
150 abc123
147 12345
135 qwerty
121 test
116 -
111 1q2w3e
106 111111
105 oracle
104 redhat
103 root
100 1qaz2wsx
97 abcd1234
91 123456789
86 test123
86 1
85 12345678
82 123123
75 1q2w3e4r
67 postgres
65 changeme
64 000000
62 ubuntu
62 rootroot
62 asdfgh
60 pa$$w0rd
57 654321
56 nagios
56 1234567
55 p@ssw0rd
55 passw0rd
55 123321
54 whathefuck
54 admin
53 oracle123
52 root123
52 master
51 q1w2e3r4
50 guest
49 987654321
49 123qwe
47 user
47 root1234
47 1qaz2wsx3edc
46 admin123
45 1234qwer
44 passwd
44 mysql
44 1q2w3e4r5t
44 12
43 112233
42 !qaz@wsx#edc
42 121212
41 test12345
41 qwerty123
41 backup
40 !QAZ2wsx
40 P@ssw0rd
40 a
40 11223344
39 pa55w0rd
38 administrator
38 1234567890
37 weblogic
37 teamspeak
37 root01
35 zxcvbnm
35 password123
35 pass
35 apache
35 12344321
34 zaq12wsx
34 server
34 root123456
34 r00t
34 qwe123
34 !qaz@wsx
34 54321
34 1qaz2wsx3edc4rfv
33 roottoor
33 cisco
33 888888
32 toor
32 root1
32 gnats
32 asdfghjkl
32 0987654321
31 qazwsx12
31 cisco123
31 avahi
31 abcdef
31 1qa2ws3ed
31 123abc
30 test1234
30 root12345
30 1qazxsw2
30 00000000
```
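The two shell pipelines above pull the `[user/password]` token out with `awk '{print $9}'`, which silently drops any attempt whose password contains a space (the token then spans two fields) and miscounts passwords that contain `/` or `]`. The following Python script is an added example, not part of the original post or of Kippo itself: it parses the same `login attempt [user/password] failed|succeeded` lines with an anchored regular expression, counts usernames, passwords and source addresses, and separates the attempts that actually got into the sandbox from the failures. The exact Kippo line layout (timestamp, `[SSHService ssh-userauth on HoneyPotTransport,<n>,<ip>]`, then the attempt) is assumed from the format the pipelines rely on, and the log lines embedded below are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Summarise Kippo 'login attempt' lines: top users, top passwords,
source addresses and the attempts that succeeded.

Added example; the log format is an assumption based on the fields the
page's awk/grep pipelines extract, and the sample lines are constructed."""
import re
import sys
from collections import Counter

# One regex over the whole line instead of splitting on whitespace, so a
# password containing spaces, '/' or ']' is still counted correctly.
# The user is everything up to the first '/', matching the page's grep;
# the password is greedy, so the final '] failed' / '] succeeded' anchors it.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] "
    r"(?P<result>failed|succeeded)$"
)

# Constructed sample log, not data from the post. Note the password with a
# space and the one containing '/', which the awk pipeline would mishandle.
SAMPLE_LOG = """\
2014-02-16 20:25:11+0000 [SSHService ssh-userauth on HoneyPotTransport,8,198.51.100.23] login attempt [root/123456] failed
2014-02-16 20:25:12+0000 [SSHService ssh-userauth on HoneyPotTransport,8,198.51.100.23] login attempt [root/password] failed
2014-02-16 20:25:13+0000 [SSHService ssh-userauth on HoneyPotTransport,9,203.0.113.7] login attempt [oracle/oracle] failed
2014-02-16 20:25:14+0000 [SSHService ssh-userauth on HoneyPotTransport,9,203.0.113.7] login attempt [root/123456] succeeded
2014-02-16 20:25:15+0000 [SSHService ssh-userauth on HoneyPotTransport,10,198.51.100.23] login attempt [admin/pa$$ w0rd] failed
2014-02-16 20:25:16+0000 [SSHService ssh-userauth on HoneyPotTransport,10,198.51.100.23] login attempt [test/a/b] failed
2014-02-16 20:25:17+0000 [SSHService ssh-userauth on HoneyPotTransport,11,192.0.2.9] connection lost
"""


def parse_login_attempts(lines):
    """Yield a dict per parsed login attempt; non-matching lines are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarize(lines):
    """Return counters for users, passwords and source IPs plus the successes."""
    attempts = list(parse_login_attempts(lines))
    return {
        "total": len(attempts),
        "users": Counter(a["user"] for a in attempts),
        "passwords": Counter(a["password"] for a in attempts),
        "sources": Counter(a["ip"] for a in attempts),
        # Successful logins are the sessions worth reading in full afterwards.
        "successes": [
            (a["ip"], a["user"], a["password"])
            for a in attempts
            if a["result"] == "succeeded"
        ],
    }


def top(counter, n=100):
    """Same idea as `sort | uniq -c | sort -nr | head -nN`, with a stable
    alphabetical tie-break so repeated runs give identical output."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    # Usage: ./kippo_summary.py kippo.log   (falls back to the sample lines)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            summary = summarize(fh)
    else:
        summary = summarize(SAMPLE_LOG.splitlines())
    print(f"{summary['total']} login attempts parsed")
    for label in ("users", "passwords", "sources"):
        print(f"\nTop {label}:")
        for value, count in top(summary[label], 10):
            print(f"{count:6d} {value}")
    print("\nSuccessful logins (ip, user, password):")
    for entry in summary["successes"]:
        print("  ", entry)
```

Run against the sample, `root` is counted three times, `pa$$ w0rd` and `a/b` each appear once under their full value, and the single successful login from 203.0.113.7 is listed on its own; on a real `kippo.log` the success list is the first thing to check, since every entry there is a session that reached the sandboxed shell.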
I intended for this blog post to contain more insightful information on the kind of attacks and the rootkits that were being downloaded on the server, but I lost the logs.