Welcome to Jam's Site!

The Honeypot:

I got bored so I made a very basic honeypot (a server designed to lure attackers in order to study their behaviour) and thought it would be fun to document the process and upload the results!

~~~~~~~~~~~~~~~~~~~~

I decided to make a non-interactive server that hosts a fake SSH server, in order to capture the credentials that potential hackers enter while trying to gain access.

These are usually automated scripts that hackers leave running, attempting a wide range of common passwords against unconfigured or newly created servers. By default, SSH does not limit the number of login attempts you can make, so these scripts can try hundreds or thousands of different passwords.

This is why it's important to never use default passwords for anything and to make sure your passwords are strong and complex!

~~~~~~~~~~~~~~~~~~~~

I've tried to include links to all the resources I used to set this up, but let me know if I missed anything.

Step 1: Setting up the server!

The aim of a honeypot is to attract as much malicious traffic as possible to study. This means that hackers who know what they're doing could potentially find this server and gain access using more sophisticated methods. Therefore, we don't want to store anything sensitive on our honeypot server, and we definitely don't want to use our home computer.

To host this Linux server, I used Linode, as their servers are very cheap (the one I'm using is less than 1 pence an hour!) and they have a lot of promotional schemes running that give you $100 credit.

Once I set up the server on the Linode site, I simply connected to it using the SSH command.

And with that we now have access to a server!

Step 2: Changing the SSH port

As we'll be luring attackers in using a fake SSH server, and we still want to connect to our server using the real SSH service, we will need to change the port that the real SSH service listens on.

By default, SSH uses port 22, so this will be the port that receives the most traffic. By following this tutorial, I changed the port value in the sshd_config file to a different number.

Now, when using the ssh command to connect to our server, we can use the "-p" command-line option to specify which port we want to connect to.

E.g. "ssh root@123.123.123 -p 2222" if we changed it to port 2222.

Step 3: Setting the trap >:)

Now that the real SSH service has been moved to a different port, we can set up our fake SSH server. For this, I used PSHITT (Passwords of SSH Intruders Transferred to Text).

This Python script runs a server that looks, from the outside, exactly like an SSH server. However, instead of allowing users to connect, it collects the credentials entered by attackers and saves them to a file called "passwords.json".

Now we can collect the usernames and passwords our attackers tried, as well as their IP address, the client software they used to connect and a few other details.

Step 4: Retrieving our data

I wanted to be able to retrieve the data from the server so that I could format it on my home PC. To do this, we can use the "scp" command in a PowerShell terminal. This allows us to connect to our Linux server and copy a file from the server to our machine.

Now that I have the data on my PC, I created a Python script and used pandas and ip2geotools to format the data and use the attackers' IPs to work out where the attacks were coming from.

(Excuse the messy code, I very much rushed this and hopefully I've improved on it by the time you read this)
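As an added example (my own, not the author's script), here is a minimal version of that analysis step using only the standard library: it reads pshitt's passwords.json and builds the top-N username, password and source-IP tables. The one-JSON-object-per-line layout and the field names `username`, `password` and `src_ip` are assumptions about pshitt's output, the log lines below are constructed, and the ip2geotools geolocation lookup is left out so the script runs offline.

```python
import json
from collections import Counter

# Constructed sample lines in the assumed pshitt layout: one JSON object per
# line, with the field names username/password/src_ip. One line is deliberately
# malformed to show that a partially written record should not abort the run.
SAMPLE_LOG = """\
{"username": "root", "password": "123456", "src_ip": "198.51.100.7"}
{"username": "root", "password": "admin", "src_ip": "198.51.100.7"}
{"username": "admin", "password": "admin", "src_ip": "203.0.113.9"}
{"username": "root", "password": "123456", "src_ip": "203.0.113.9"}
{"username": "pi", "password": "raspberry", "src_ip": "192.0.2.44"}
not json at all
{"username": "root", "password": "123456", "src_ip": "192.0.2.44"}
"""


def parse_log(text):
    """Yield one dict per valid JSON line, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupted or half-written record: skip, keep going


def top_n(records, field, n=10):
    """Return the n most common values of `field` as (value, count) pairs."""
    return Counter(r[field] for r in records if field in r).most_common(n)


def summarise(text, n=10):
    """Build the three top-N tables plus the total number of login attempts."""
    records = list(parse_log(text))
    return {
        "attempts": len(records),
        "usernames": top_n(records, "username", n),
        "passwords": top_n(records, "password", n),
        "sources": top_n(records, "src_ip", n),
    }


if __name__ == "__main__":
    # For the real file: summarise(open("passwords.json").read())
    for table, rows in summarise(SAMPLE_LOG).items():
        print(table, rows)
```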

Results:

I'll update this bit of the page over time, but here are some graphs and tables to show the results I got from this!

For now I have the top 10 locations the attacks have occurred from (the attackers are most likely using VPN servers, so these are not their true locations), the top 10 usernames attempted and the top 10 passwords attempted.

This was a fun little project. I may work on it in the future and add more features, and eventually create a more interactive honeypot. I hope this was an interesting read, and thank you!

hello :)