A little more than a month ago I setup a SSH honeypot on a cloud server. My purpose with this was to log everything that tried and connected to the honeypot and dig into the logs pull some interesting data. While doing my initial search, I found Kippo to be good enough for my purposes. Kippo is a SSH honeypot that will log any SSH interactions but will also provide a sandboxed shell for anyone who managed to successfully login to the honeypot.

##Geting Started

To get started, I setup a cloud server and ran Kippo on a non-root user. By default Kippo runs on port 2222 and if you want to run it on port 22, it's recommended to do port translation. Since most of the bots that try to brute force their way into public SSH logins do so through port 22, I used these iptables rules to make the port translation:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222
iptables -A INPUT -i eth0 -p tcp --dport 2222 -j ACCEPT

I also made sure to move my normal SSH server to something else besides 22 and open that port on iptables.

##Log Results

I found some interesting things from all the logs,

Top 100 unique users, with the number of times the user was used.

[root@honeypot kippo-log]# grep 'login attempt' kippo-big.log | awk '{print $9}' | grep -Po "(?<=\[)(.*?)(?=\/)" | sort -n | uniq -c | sort -nr | head -n100
  36747 root
    490 bin
    414 oracle
    336 test
    278 nagios
    227 teamspeak
    220 guest
    161 postgres
    154 user
    129 admin
    105 deathrun
     90 ftpuser
     78 ftp1
     76 git
     73 mysql
     71 weblogic
     57 web
     57 alex
     52 student
     49 tomcat
     48 ubuntu
     48 temp
     46 michael
     45 victoria
     42 tester
     42 caroline
     41 apache
     40 info
     40 backup
     39 testing
     39 ftpguest
     39 claire
     38 toor
     38 students
     36 amanda
     36 a
     34 hadoop
     34 gnats
     33 user1
     33 mp3
     33 cyrus
     32 ucpss
     32 monica
     31 sarah
     31 john
     31 avahi
     30 news
     30 anna
     28 www-data
     28 www
     28 nobody
     27 jordan
     27 alexandra
     26 master
     26 julia
     26 elizabeth
     25 victor
     25 vic
     25 trinity
     25 postfix
     25 nicole
     25 naomi
     25 morgan
     25 emma
     25 edith
     24 test1
     24 svn
     24 sophie
     24 plesk
     24 patricia
     24 natalie
     24 maryse
     24 louise
     24 jessica
     24 jasmine
     24 isabella
     24 irc
     24 grace
     24 erin
     24 emilie
     24 diane
     24 clara
     24 charlotte
     24 adm
     24 abigail
     23 zoe
     23 webmaster
     23 taylor
     23 sys
     23 sydney
     23 support
     23 riley
     23 rebecca
     23 rainer
     23 paige
     23 mia
     23 madison
     23 lauren
     23 kate
     23 joan

Top 100 unique passwords, with the number of times the password was used.

[root@honeypot kippo-log]# grep 'login attempt' kippo-big.log | awk '{print $9}' | grep -Po "(?<=\/)(.*?)(?=\])" | sort -n | uniq -c | sort -nr | head -n100
    654 123456
    225 1234
    219 password
    171 123
    150 abc123
    147 12345
    135 qwerty
    121 test
    116 -
    111 1q2w3e
    106 111111
    105 oracle
    104 redhat
    103 root
    100 1qaz2wsx
     97 abcd1234
     91 123456789
     86 test123
     86 1
     85 12345678
     82 123123
     75 1q2w3e4r
     67 postgres
     65 changeme
     64 000000
     62 ubuntu
     62 rootroot
     62 asdfgh
     60 pa$$w0rd
     57 654321
     56 nagios
     56 1234567
     55 p@ssw0rd
     55 passw0rd
     55 123321
     54 whathefuck
     54 admin
     53 oracle123
     52 root123
     52 master
     51 q1w2e3r4
     50 guest
     49 987654321
     49 123qwe
     47 user
     47 root1234
     47 1qaz2wsx3edc
     46 admin123
     45 1234qwer
     44 passwd
     44 mysql
     44 1q2w3e4r5t
     44 12
     43 112233
     42 !qaz@wsx#edc
     42 121212
     41 test12345
     41 qwerty123
     41 backup
     40 !QAZ2wsx
     40 P@ssw0rd
     40 a
     40 11223344
     39 pa55w0rd
     38 administrator
     38 1234567890
     37 weblogic
     37 teamspeak
     37 root01
     35 zxcvbnm
     35 password123
     35 pass
     35 apache
     35 12344321
     34 zaq12wsx
     34 server
     34 root123456
     34 r00t
     34 qwe123
     34 !qaz@wsx
     34 54321
     34 1qaz2wsx3edc4rfv
     33 roottoor
     33 cisco
     33 888888
     32 toor
     32 root1
     32 gnats
     32 asdfghjkl
     32 0987654321
     31 qazwsx12
     31 cisco123
     31 avahi
     31 abcdef
     31 1qa2ws3ed
     31 123abc
     30 test1234
     30 root12345
     30 1qazxsw2
     30 00000000

I intended for this blog post to contain more insightful information on the kind of attacks and the root kits that were being downloaded on the server, but I lost the logs.