SSH Login Attempts

11 01 2009

Back with honeypot news! Our honeypot has been running for 5 weeks, and now we have results to show you. In this post I will show you the attempts that attackers made to get into our SSH honeypot server.

The SSH honeypot was hammered during these 5 weeks. Many attempts were made, about 78227, but none were successful.

Here is the chart of username attempts:

And here is the chart of password attempts:

Future Work

In the future we will show the rest of the information that we captured on our honeypot. We have discovered great stuff.
I have also written a nice program in Haskell to generate statistics, using HaskellCharts; I will talk about that later too.

That’s all for now!




6 responses

11 01 2009

I’d be interested to see what they would attempt to do if they did actually gain access to a privileged account.

11 01 2009
Ulisses Costa

@steve Me too. But that, unfortunately, is not possible with the kind of honeypots that I used (low-interaction honeypots). That would only be possible with the high-interaction ones, the real-computer honeypots. Anyway, that is incredibly hard to trace. But we have some tools that can help us set up a system like that. Integrit would be a nice tool to try. It creates an image of the files that you want, and if any changes occur it will tell you. But to be completely safe (or a lot safer) we have to send the logs to a remote machine, so that the attacker can't delete them; we have to compile it with the -strict flag, so that it doesn't depend on any of the other files in the system (attackers may change those too); and with a bit of luck we can trace some good information about what's going on.

11 01 2009

Nice stuff ulisses.

By the way that distributed integrit hack would be great to see.

21 01 2009
Tracing the attack - Part I « Ulisses Costa Blog

[…] may seem silly but it is still heavily used in services such as SSH. As you can see in your /var/log/auth.log […]

4 07 2009


Which honeyd SSH script are you using to detect the login attempts?

Thank you,

4 07 2009
Ulisses Araújo Costa

This data is from a *real machine*, not honeyd! When I was using honeyd, I needed to access the machine by SSH, so I allowed access just by key, leaving open the possibility of access with a normal login. So, this data is from the machine where honeyd was running. I just use grep, sed and hhoneydstats (a program that I made, not finished yet!) to process the /var/log/auth.log.* files.
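
The kind of processing mentioned in the reply above (grep and sed over the /var/log/auth.log.* files), as an added example that is not the author's hhoneydstats or any other code from this blog. It assumes the standard OpenSSH "Failed password for ..." syslog line format; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: failed-SSH-login statistics from sshd lines in auth.log.
TAB=$(printf '\t')

# Constructed sample in the usual OpenSSH syslog format (not data from the post).
sample_log() {
cat <<'EOF'
Jan 11 03:12:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jan 11 03:12:04 host sshd[2103]: Failed password for root from 192.0.2.10 port 40120 ssh2
Jan 11 03:12:09 host sshd[2107]: Failed password for invalid user test from 198.51.100.7 port 51200 ssh2
Jan 11 03:12:15 host sshd[2110]: Failed password for root from 198.51.100.7 port 51233 ssh2
Jan 11 03:12:20 host sshd[2114]: Accepted publickey for alice from 203.0.113.5 port 60022 ssh2
Jan 11 03:12:31 host sshd[2120]: Failed password for invalid user oracle db from 198.51.100.7 port 51301 ssh2
Jan 11 03:12:40 host sshd[2125]: Failed password for root from 192.0.2.10 port 40177 ssh2
Jan 11 03:12:52 host sshd[2131]: Failed password for invalid user admin from 198.51.100.7 port 51340 ssh2
EOF
}

# Read log lines on stdin, print "user<TAB>source-ip" per failed password attempt.
# The user group is greedy, so a name containing spaces is kept whole up to the
# final " from IP port N" that sshd appends.
failed_attempts() {
    sed -nE 's/^.*sshd\[[0-9]+\]: Failed password for (invalid user )?(.*) from ([^ ]+) port [0-9]+( ssh2)?$/\2'"$TAB"'\3/p'
}

# Count attempts by column ($1: 1 = username, 2 = source IP), most frequent first.
# Output lines are "count<TAB>value".
count_field() {
    failed_attempts |
        awk -F'\t' -v f="$1" '{ n[$f]++ } END { for (k in n) print n[k] "\t" k }' |
        LC_ALL=C sort -t"$TAB" -k1,1nr -k2,2
}

# No arguments: run on the sample. Otherwise: uncompressed log files to read.
if [ "$#" -gt 0 ]; then cat "$@"; else sample_log; fi | count_field 1
```

Pass rotated, uncompressed log files as arguments to get the username counts for real data; `count_field 2` gives the same ranking by source address.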
