I wonder if it would be interesting to load an ssh honeypot that would feed from the logs so it would add the logins and then just dump the ip + input to a file.
Honeypot could basically run in some sort of isolation layer (like Sandboxie or jails) and then self-destruct after the automated script is gone... and then you slam the door on that user/ip combo for good.
I can't help but think this would be interesting...
One of my university courses offered an opportunity for a project like this and I did it with some classmates.
We started by altering the ssh daemon to disallow all logins over this ssh daemon and to log all the usernames and passwords attempted. After a week we gathered thousands of attempts to brute force into the honeypot. Interestingly enough, the passwords used were a combination of the very commonly used ones but also ones that were clearly from other popped boxes.
After a week or so of this we altered the ssh daemon again. This time it would log all attempts but also grant access on the 3rd attempt no matter what the credentials were. The few bots that managed to get in all tried to install various rootkits on the machine, all of which were targeted at a different distro of Linux than we were using, so it mostly just busted up our shell's output.
It looks like IPv6 matching is supported since late 2017 (version 10.0 [0]), although the changelog states that "not all ban actions are IPv6-capable now". As for IPv6 capabilities, I don't have any recent experience with the software.
Couldn't you just ban the /64 and call it good? It's not like they get a random selection of addresses, they're all going to be the same CIDR. Or am I overlooking something here?
The point of the honeypot is that there's no heuristic causing any delay or elusive attacker being missed (e.g. a botnet trying once per IP). You don't even need any processing time, nor even a complete syn/synack/ack: any TCP connection attempt to that port triggers an instaban.
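A minimal version of the connect-and-instaban decoy described in the comment above, using the /64 granularity from the earlier reply for IPv6 peers. This is an added example, not code from the thread; the decoy port, log file name and ban widths are assumptions, and the listener only sees connections the kernel has fully accepted.

```python
import ipaddress
import socket
import threading
from datetime import datetime, timezone

# Constructed for this example (not from the thread): decoy port and ban widths.
DECOY_PORT = 2222          # nothing legitimate should ever connect here
IPV6_BAN_PREFIX = 64       # ban the whole /64, as suggested in the thread
IPV4_BAN_PREFIX = 32       # ban the single host

def ban_network(peer_ip):
    """Map a connecting address to the network that gets banned."""
    addr = ipaddress.ip_address(peer_ip)
    # A dual-stack socket reports IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV6_BAN_PREFIX if addr.version == 6 else IPV4_BAN_PREFIX
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

class BanList:
    """Set of banned networks, optionally appended to a file (timestamp, ip, network)."""
    def __init__(self, path=None):
        self.path, self.lock, self.banned = path, threading.Lock(), set()

    def add(self, peer_ip):
        """Ban the peer's network; return True if it was not banned already."""
        net = ban_network(peer_ip)
        with self.lock:
            if net in self.banned:
                return False
            self.banned.add(net)
            if self.path:
                with open(self.path, "a") as fh:
                    fh.write(f"{datetime.now(timezone.utc).isoformat()} {peer_ip} {net}\n")
        return True

    def is_banned(self, peer_ip):
        return ban_network(peer_ip) in self.banned

def serve_decoy(banlist, port=DECOY_PORT):
    """Accept and immediately drop every connection, banning the peer.
    Caveat: accept() fires only after the kernel finished the handshake; a bare
    SYN (which the comment above would also count) is visible only to firewall or pcap logging."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # accept v4 and v6
        srv.bind(("::", port))
        srv.listen(128)
        while True:
            conn, peer = srv.accept()
            conn.close()  # no banner, no shell: nothing for a bot to interact with
            banlist.add(peer[0])

if __name__ == "__main__":
    serve_decoy(BanList("decoy-bans.log"))
```

Feeding the logged networks into the real firewall (fail2ban, nftables, etc.) is left to whatever ban action the host already uses.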