
Jacqueline Wisdom


SSH Attackers VS Honeypots

The following is a classic tale of good versus evil.

Ever since the advent of networking technology, there have been malicious parties trying to intercept the private and valuable information it transports. All sorts of networking technologies are regularly targeted by attackers, with many attacks carefully tailored to a particular technology's weaknesses.

But as attacks become more deceptive and sophisticated, so does cybersecurity. In this blog, I will home in on SSH attacks and on the SSH honeypots used to counteract them.

What is SSH?

Encryption of data between SSH client and server

SSH stands for Secure Shell. SSH allows users or administrators to securely access or control another computer remotely.

Before SSH, the Telnet protocol was the leading technology used for communication between computers across long distances. Telnet allows two-way communication between a client and a server via a command-line interface. However, Telnet sends everything in plaintext, so any information it transports is easily intercepted by hackers.

SSH was introduced as a secure alternative. All information passed between computers using SSH is encrypted, so even if the traffic is intercepted, it is protected by that encryption. Because of this, many developers now favor SSH over Telnet.

Is it really secure? SSH Attacks

Unfortunately, as cybersecurity techniques and practices advance, so do those of attackers.

SSH servers are not completely air-tight or infallible, and can be the subject of brute-force attacks. SSH has no built-in mechanism to stop malicious parties from trying commonly used username and password combinations over and over until the server is broken into.

Brute force SSH attack

There are many approaches to preventing SSH attacks. Developers can manually adjust their SSH server settings to limit authentication attempts, use third-party security tools to monitor and block repeated attempts, or implement two-factor authentication. Each of these blocks or blunts a brute-force attack.
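The "monitor and block repeated attempts" approach above boils down to counting failed logins per source address. The script below is an added example, not code from the original post: it parses constructed lines in the shape of OpenSSH's "Failed password" messages and flags any source whose failures inside a sliding time window reach a threshold. The threshold, window, host name and addresses are all assumed sample values.

```python
"""Flag SSH brute-force sources from auth.log-style sshd lines.

Added example, not code from the original post. The log lines are
constructed to resemble OpenSSH's "Failed password" messages; the
threshold and window are assumed values to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one noisy source, one legitimate user who mistyped
# a password once, and one isolated failure that should not be flagged.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Mar  3 10:00:03 host sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Mar  3 10:00:05 host sshd[2203]: Failed password for root from 203.0.113.9 port 50214 ssh2
Mar  3 10:00:06 host sshd[2205]: Failed password for root from 203.0.113.9 port 50215 ssh2
Mar  3 10:00:08 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.9 port 50217 ssh2
Mar  3 10:00:09 host sshd[2209]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:00:15 host sshd[2211]: Failed password for bob from 198.51.100.7 port 40030 ssh2
Mar  3 10:30:00 host sshd[2300]: Failed password for root from 192.0.2.44 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return [(timestamp, source_ip, username)] for every failed login.

    Syslog timestamps carry no year, so strptime defaults to 1900; only the
    differences between timestamps matter here.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforcers(events, threshold=5, window_seconds=600):
    """Map each source IP to its peak number of failures inside any sliding
    window of `window_seconds`; only IPs that reach the threshold are kept.

    Counting across connections is the point: a per-connection limit in the
    SSH daemon does not see an attacker who reconnects for every few guesses.
    """
    window = timedelta(seconds=window_seconds)
    times_by_ip = defaultdict(list)
    for ts, ip, _user in events:
        times_by_ip[ip].append(ts)

    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failed logins inside a 10-minute window")
```

Only the source that racks up five failures in a few seconds is reported; the single mistyped password from a legitimate user and the lone failure from a third address stay below the threshold. This is the same idea tools in the fail2ban family implement, and it complements a per-connection limit such as OpenSSH's MaxAuthTries setting, which cannot see guesses spread across many connections.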

What is a honeypot?

Although the above approaches are all good practice, perhaps the most fun approach is fighting deception with deception.

Fighting fire with fire

A honeypot is a system used to deceive attackers. Honeypots are designed to appear to be vulnerable computers or networks, in order to entice hackers into attacking them.

In reality, honeypots contain no valuable or private information for the hackers to access. Instead, their real purpose is to alert the honeypot owner to malicious activity, waste the hackers' time and resources and, most importantly, gather information on how hackers operate.

SSH Honeypots

There are numerous open-source honeypots already available online, for various kinds of technology. The different features of these honeypots are clever, inventive and amusingly diabolical. To illustrate these epic features, let's take a look at the following SSH honeypots.

Kippo

Kippo is a medium-interaction honeypot that engages and responds to attackers. Although Kippo is older and somewhat dated, it has great features and is a good illustration of the inventive ways honeypots can be used to troll attackers.

Kippo emulates a real shell and has an entire fake file system, to convince attackers that they have broken in. Attackers can cd into directories and create and remove files. Kippo also has a fake disconnect feature: when hackers press ctrl + d to "exit" the shell, Kippo only pretends to disconnect and really stays connected, continuing to impede the hacker's efforts.

Perhaps the greatest feature of Kippo is that it logs the entire attack. Every command entered by the attacker is logged and the owner of the honeypot can view the interaction at any time.

Kippo honeypot trolling attacker

Above is a Kippo honeypot foiling an attacker. For your entertainment, here is the full log of Kippo VS a real SSH attack.

Hellpot

Hellpot is an endless honeypot that sends a never-ending stream of data to attackers. The data is intentionally crafted to look like real data from a website, so that hackers will sink their time and/or resources into the attack.

But the data stream never ends, and there is no real private information to be stolen. In reality, the data is generated from random chunks of The Birth of Tragedy (Hellenism and Pessimism) by Friedrich Nietzsche: a covert nod to the fate of the hackers, who will be left questioning their choices and even their very existence.
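To show the mechanism behind an endless honeypot, here is an added example in the spirit of Hellpot; it is not Hellpot's own code. Random slices of a text are wrapped in HTML paragraphs and dripped out in HTTP chunked framing, so the client sees a page that keeps loading and never reaches its end. CORPUS is a constructed stand-in for the book Hellpot uses, and the chunk sizes, the DELAY between chunks and the port are assumed values.

```python
"""A Hellpot-style endless response: random slices of a text, served as an
HTML page that never finishes loading.

Added example, not Hellpot's own code. CORPUS is a constructed stand-in
for the book Hellpot draws from; the chunk sizes, the drip DELAY and the
port are assumed values.
"""
import random
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from itertools import islice

# Constructed filler text; any long public-domain text would do.
CORPUS = (
    "The page you are looking for is assembled as you read it, one fragment "
    "after another, and each fragment promises that the next will make sense "
    "of the last. The reader who waits for the end has misunderstood the page. "
) * 8

DELAY = 0.5  # seconds between chunks: slow enough to tie the client up


def endless_chunks(corpus, seed=None, min_len=32, max_len=256):
    """Yield HTML paragraphs cut from random positions in `corpus`, forever.

    A seed makes the stream reproducible (useful for inspection and tests);
    the server passes None so every connection gets a different stream.
    """
    rng = random.Random(seed)
    yield "<html><body>\n"
    while True:
        n = rng.randint(min_len, max_len)
        start = rng.randrange(len(corpus))
        piece = (corpus[start:] + corpus)[:n]   # wrap around the end of the text
        yield "<p>" + piece + "</p>\n"


def preview(seed, count):
    """First `count` chunks of a seeded stream, as a list."""
    return list(islice(endless_chunks(CORPUS, seed=seed), count))


def chunk_frame(text):
    """Encode one piece in HTTP/1.1 chunked transfer framing: hex length,
    CRLF, payload, CRLF. No terminating zero-length chunk is ever sent."""
    data = text.encode("utf-8")
    return b"%x\r\n%s\r\n" % (len(data), data)


class TarpitHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # chunked transfer encoding needs HTTP/1.1

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Transfer-Encoding", "chunked")
        self.end_headers()
        try:
            for piece in endless_chunks(CORPUS):
                self.wfile.write(chunk_frame(piece))
                self.wfile.flush()
                time.sleep(DELAY)
        except (BrokenPipeError, ConnectionResetError):
            pass  # the client gave up, which is the intended outcome


if __name__ == "__main__":
    # Bind to loopback only for local inspection; port is an assumed value.
    HTTPServer(("127.0.0.1", 8080), TarpitHandler).serve_forever()
```

Run the file and fetch http://127.0.0.1:8080/ with a browser or curl: the response headers arrive at once, and the body keeps trickling in until the client closes the connection. The honeypot never sends the zero-length chunk that would mark the end of a chunked body, which is exactly why a scraper or scanner that waits for a complete response will wait indefinitely.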

T-Pot

Finally, there is the powerful and awe-inspiring T-Pot. T-Pot is a platform that bundles over 20 different honeypots with dashboards that give detailed information about any incoming attacks.

TPot word cloud

These dashboards have an array of cool features: word clouds of your attackers' most frequently used username and password combinations, lists of your attackers' IP addresses, and world maps that visualize the location of your attackers in real time.
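Both the Kippo section above (every command the attacker types is logged) and the T-Pot dashboards (credential word clouds, attacker IP lists) rest on the same raw material: a honeypot's log lines. The following is an added example, not code from Kippo or T-Pot, that turns constructed lines in the shape of Kippo's "login attempt" and "CMD:" entries into the summaries a dashboard would draw: the most-guessed username/password pairs, and per-IP attempt counts with the commands each attacker ran. The timestamps, addresses and commands are all constructed sample data.

```python
"""Summarize honeypot activity from Kippo-style text log lines.

Added example, not code from Kippo or T-Pot. The lines below are
constructed in the shape of Kippo's login-attempt and CMD log entries;
the summaries mirror what a dashboard would show (top credentials,
per-IP activity, the commands each session ran).
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one attacker that guesses its way in and runs two
# reconnaissance commands, and a second that fails and leaves.
SAMPLE_LOG = """\
2024-03-03 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.9] login attempt [root/123456] failed
2024-03-03 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.9] login attempt [root/password] failed
2024-03-03 10:00:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.9] login attempt [root/123456] succeeded
2024-03-03 10:00:09+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.9] CMD: uname -a
2024-03-03 10:00:12+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.9] CMD: cat /proc/cpuinfo
2024-03-03 10:05:40+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2024-03-03 10:05:42+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/123456] failed
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHChannel session \(\d+\) on SSHService ssh-connection on "
    r"HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$"
)


def parse_events(log_text):
    """Turn log lines into dicts of kind 'login' or 'cmd'; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append({"kind": "login", "ts": m["ts"], "session": m["sid"],
                           "ip": m["ip"], "user": m["user"], "password": m["pw"],
                           "ok": m["result"] == "succeeded"})
            continue
        m = CMD_RE.match(line)
        if m:
            events.append({"kind": "cmd", "ts": m["ts"], "session": m["sid"],
                           "ip": m["ip"], "command": m["cmd"]})
    return events


def credential_counts(events):
    """Counter of (username, password) pairs: the data behind a word cloud."""
    return Counter((e["user"], e["password"]) for e in events if e["kind"] == "login")


def attacker_summary(events):
    """Per source IP: login attempts, successes, and commands run in order."""
    summary = defaultdict(lambda: {"attempts": 0, "successes": 0, "commands": []})
    for e in events:
        entry = summary[e["ip"]]
        if e["kind"] == "login":
            entry["attempts"] += 1
            entry["successes"] += int(e["ok"])
        else:
            entry["commands"].append(e["command"])
    return dict(summary)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("Top credentials:")
    for (user, pw), n in credential_counts(evs).most_common(3):
        print(f"  {n:3d}  {user}/{pw}")
    print("Per attacker:")
    for ip, info in attacker_summary(evs).items():
        print(f"  {ip}: {info}")
```

The credential counter is what a word cloud visualizes (bigger word, more guesses), and the per-IP summary is the row a dashboard shows for each attacker; geolocating the IP addresses for a world map is a lookup on top of the same data. Keeping the commands in session order matters for the "gather information on how hackers operate" goal, because the sequence of commands after a successful login is what reveals an attacker's playbook.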

Attacks on world map

Conclusion

Honeypots are one of the many approaches one can take in dealing with the ongoing threat of cyber attacks. Honeypots can be made for almost any kind of tech that attackers target. They let us not only waste the time and resources of attackers, but also gather valuable information about the techniques attackers use, in order to better protect against such attacks in the future.

Sources
