Honeypot analysis - Looking closer at SSH scans (user and passwords used) (opens in new tab)

(blog.sucuri.net)

28 pointsj_lagof16y ago8 comments

8 comments

ddbb16y ago

Good job researching those pesky brute force scans. Is there anyway you can post the complete list with all the data collected instead of just the top 50?

jhancock16y ago

Nice analysis.

[advice for those not doing it right]: if your sshd config allows id/pw login, turn this off and only use kays. Also, move your sshd listener port to something besides 22 to eliminate most of the bot login attempts in your log files.

ddbb16y ago

You know, lots of people talk about using keys instead of passwords... By doing that if you box is compromised, the attacker will get access to ALL your boxes.

So, the best option is to use an encrypted ssh key (so you have the type the pass everytime) or a good/different password for every box.

gchpaco16y ago

When you log in to an ssh host using a public/private key pair, the server only sees the public key. So by breaking and entering the attacker can disable your ability to log in in this fashion (by deleting the key) or can enable you to log in somewhere else (by copying the key, probably useless) but they cannot use that key to log in somewhere else absent modification of the SSH server. And even then I doubt they could get the private key, although they could probably run a MITM attack.

1 more reply

jhancock16y ago

I think what your saying is that even keys need to be managed well. I agree.

bigiain16y ago

I wonder if the lack of root:alpine and mobile:dottie indicates the attack tools are smart enough to know the OS of the box they're attacking, or just a lack of interest in owning jailbroken iPhones?

j / k navigate · click thread line to collapse

8 comments

ddbb16y ago

Good job researching those pesky brute force scans. Is there anyway you can post the complete list with all the data collected instead of just the top 50?

jhancock16y ago

Nice analysis.

ddbb16y ago

You know, lots of people talk about using keys instead of passwords... By doing that if you box is compromised, the attacker will get access to ALL your boxes.

So, the best option is to use an encrypted ssh key (so you have the type the pass everytime) or a good/different password for every box.

gchpaco16y ago

1 more reply

jhancock16y ago

I think what your saying is that even keys need to be managed well. I agree.

bigiain16y ago

I wonder if the lack of root:alpine and mobile:dottie indicates the attack tools are smart enough to know the OS of the box they're attacking, or just a lack of interest in owning jailbroken iPhones?

j / k navigate · click thread line to collapse