
[LUG] Why you should not have ssh on port 22.


I've mentioned this a few times already and I still think it's one of the most basic and effective things you can and should do if you have a linux server exposed to the internet, yet one of the most overlooked.

It's been a couple of years since I last ran Kippo - an ssh honeypot - so I thought I'd give it another go to see if anything's changed. (For those who don't know, Kippo acts as if it's an ssh server and once the user logs in, presents a fake linux system. It records and logs everything attempted.)

So I exposed port 22 on two public IPs - one from Zen, one from Talktalk - into Kippo. These are consumer IP ranges and low-value dsl lines, but I doubt the tools care when it's so cheap for them to scan everything over and over again (in fact the Zen one is currently syncing at 0.3mbit due to a line fault).

Almost one day later, the logs show that there have been 85,596 bruteforce login attempts on the root user (slightly more than one a second) from 73 unique IPs. The biggest country of origin (or at least relay) is Hong Kong, closely followed by China - but there's some American IPs in there too.

These are all scripted bot attacks of course. There have been 34 successful logins (that guessed the ridiculously simple passwords). That's not a high success ratio, but a human will be along no doubt to check the valid logins and try to exploit them, or a more advanced automated tool will attempt to take it over and add it to a botnet.

Conclusions:
- Nothing new on ssh, other than the scale is more than it was.

Recommendations from a one day sample:
- Move ssh off port 22.
- Disable root user logins on ssh.
- Have a really good user password or better, restrict to key logins.
- Use fail2ban with a long timeout.

Having ssh exposed on port 22 is not clever. Yes - these are simple bruteforce dictionary attacks and they're nearly all targeting the root user (the only predictable login user). You might think that using fail2ban or similar will protect you - and indeed it does - but it uses resources. At this scale, bandwidth and cpu do show up, and your logs will be munching up drive space too unless you disable them.

Kippo also now benefits from Kippo-Graph, which makes for some pretty graphs. (I'd share them, but they take some horsepower to render a couple of pages, like the geolocation, and if several of you hit them at once my server'll go slow. But if anyone has a strong desire to see, let me know privately.)

On other notes, I've seen an uplift in http probes across all exposed ports (http requests started showing up in exim's logs). The ratware and tools are getting better, faster and more widely used.
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
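As an added example (not part of the list post above, and not the author's Kippo logs), here is the kind of tally the post reports - failed attempts, unique source IPs, how many were aimed at root, and which sources cross a fail2ban-style maxretry threshold - computed over a few constructed lines in the standard sshd auth.log format. The sample lines, hostnames and addresses are made up; the threshold of 5 is assumed to mirror fail2ban's stock maxretry.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's auth.log format (not real traffic).
SAMPLE_LOG = """\
Jan 12 03:14:07 gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:08 gw sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 12 03:14:09 gw sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:10 gw sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 12 03:14:11 gw sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 03:14:12 gw sshd[1206]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Jan 12 03:15:01 gw sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2
Jan 12 03:15:02 gw sshd[1211]: Failed password for root from 198.51.100.7 port 4001 ssh2
Jan 12 03:16:30 gw sshd[1220]: Accepted publickey for alice from 192.0.2.9 port 60000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as "Accepted publickey for ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Yield (result, method, user, ip) for every sshd auth line that matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def summarise(text, maxretry=5):
    """Tally failures per source and per target user; flag sources at/over maxretry.

    maxretry is assumed to correspond to fail2ban's maxretry setting (default 5).
    """
    failures = Counter()   # failed attempts per source IP
    per_user = Counter()   # failed attempts per targeted username
    accepted = []          # (user, ip, method) for successful logins
    for result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip] += 1
            per_user[user] += 1
        else:
            accepted.append((user, ip, method))
    return {
        "failed_total": sum(failures.values()),
        "unique_ips": len(failures),
        "root_failures": per_user["root"],
        "would_ban": sorted(ip for ip, n in failures.items() if n >= maxretry),
        "password_logins": [(u, ip) for u, ip, m in accepted if m == "password"],
    }
```

Run it against your own /var/log/auth.log (or the equivalent on your distribution) to see the share of attempts aimed at root; the password_logins list is the one that matters, since a key-only server should have none.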