A while back I decided that I would put up a SSH honeypot again. I had played a bit with Kojoney a couple of years ago. But I ran into kippo which I installed on a raspberry pi; I fixed the firewall setting to map port 22 to my neat little honeypot. And as I expected, it didn’t take long for the first attempts to login occur. Here is a bit of a sum up of the results.

Origins
80% of the attempts is from an IP address hosted in China. Of which 19% are from a single IP address. The remainder are from Great Brittain, Spain, Chili, Japan, France, Mexico, Taiwan, Ukraine, Russia, Canada, Germany. The rest are less than 1%. Some IP ranges also keep reappearing, but different hosts all together. Either that is an ISP with a DHCP that changes IP addresses frequently, or has a couple of botnets running among its clients to do its scanning.

I only saw IPv4 host connect; IPv6 was completely ignored or so it seems. I would have expected at least a few scans to appear, since the use of IPv6 is slowly rising, and awareness is really low. But that didn’t happen at all.

Scan types
I noticed two distinct patterns, as expected actually. One is port scans – only a single attempt to connect to port 22 but no login from an IP address. And a bruteforce on the username and password combination. This usually has usually a couple of hundred attempted logins. Unfortunaltely, I didn’t see any one trying to log in actually and do something. Perhaps the connections is established too slow for automated scans on the raspberry pi.

User names
Considering the bruteforce attempts, the most common username by far is “root”. It counts for roughly 95%. I presume they are looking for unsecured Linux based systems, such as NAS boxes, routers, media centres and so on. The second most common username was admin, about 3%. This one is commonly used for many small devices, modems, printers, and for NAS boxes, routers, media centres as well. Some other users were test, user, guest, ftpuser, mysql, tester, apache, alex. Some of these are obvious “system” accounts on Linux systems, that should not allow a log in anyway. Some are default or guest users that should be disabled. But apparently it is worthwhile to scan them. So there must still be systems with these accounts enabled.

The last one – alex – is a bit funny tho. There were a bit more funny names but the occurances were much less frequent, such as gandalf, anke, Abel, amber, ahlam, fluffy, batman, baritone. I’m not sure where these come from; it seems like some one might have misconfigured the scan tool, swapping common passwords for usernames. Some more possibly incorrect configurations appear from entries like root/tphipps3TZ^JJ, root/3TZ^JJ, admin/rst_login.., root/[url=mailto:!@#$]!@#$[, admin/”12345. Although the last two may also be some more specific attacks, to do with something like a buffer overflow or a (misplaced) cross-site scripting attempt.

I expected some more attempts on things like toor, r00t, Adminstator, guest, ftp, and such, as those at least once were common user accounts. But apparently those are not in vogue any more.

Passwords
The most common passwords are also quite clear: password, 123456 and the number one, admin. root/admin is also the most common combination of username and password found. Many of the more expected passwords were in the top too, including root, Password1, Password123, passw0rd and P@ssw0rd. More oddly is huaway123. Possibly the default password for some Huaway devices such as DSL modems. Variations on “password” are also really very common, as are variations on admin. I didn’t quite expect a lot of patterns like a1s2d3f4, 1qaz2wsx, !qaz@wsx but they seem like easy to remember passwords that bypass most complexity checks (you know like you need at least an upper case letter, a lower case letter, a number and a non-alphanumeric character and use at least 8 characters).

There must also be X-files fans around those scanners, trustno1 was also used 71 times. Which means that it’s slightly more popular than secret with just 70 attempts. Further more there seem to be quite some odd entries, for example some contain a domain name such as www.qq.com, www.dns06.com or hnip168.com. And then there are tons of entries that are only used a few times, that do not appear to come from a dictionary. They are not common words, names, or patters or modifications thereof. These are passwords like wztelecom2008easyget, qinshou934107, timmermansCsvTimmermans1, or even some (semi-)random patters *^8mX*DPvK5n3TY$GmK, #x4%a68k3l5q0d7x1z9d0z, jvdijken!numlock, or even passphrases like JohnHeeftEenCobra, or Wijwetenhoehetmoet! (both happen to be Dutch phrases). Those don’t seem to look like typical dictionary words. So I guess those are obtained from lists passwords stolen from companies that stored passwords in the clear or with weak encryption. Considering the number of such password lists stolen, that isn’t unlikely.

Success rate
Eventually, the success rate of a scan is relatively low. About 0.5% of the login attempts happens to succeed, and I really chose a weak username and password combination, but not the weakest. But then again, nearly daily, and sometimes more than once, some one actually cracked the username password combination. And the number of probes per day varies a lot. Sometimes none or just one. Others more than 3000.

Scan clients
Most scan clients used the libssh2 1.4.3 implementation, which is a client-side C library implementing the SSH2 protocol. Apparently not the one used by common ssh tools like openssh, but this one is common for use in scripting languages as python and php. Possibly the scanners use such scripting languages or more like compile it into their own tool sets.

So what can be learnt from this

1. Be prepared to get scanned a lot if you use SSH. And take appropriate measures to secure your system. I expect the same actually for other commonly problematic protocols, such as HTTP, SMTP and DNS.
2. Don’t use a common username to login to your devices, especially root and admin accounts should never be used. And making accounts that have unlimited authorisations is a bad idea anyway. Better yet, use a rather uncommon name as a normal user, generally most first names seem to be fine except the really common ones, and so are initials, even the well-known such as dnr or rms do not seem to be used these days in the scanning business. Then use a tool like sudo for administrative purposes. Unfortunately many cheap devices don’t come configured this way and the only login is root.
3. With passwords, basically there doesn’t seem to be a single good strategy for chosing passwords. Using a tool like keepass with unique and random passwords seems to be the safest bet, but are cumbersome in some ways. Reusing passwords definitely seems like a bad idea, especially for important accounts (such as banking).
4. I never run ssh on port 22 if I don’t have to. SSH login attempts to other, especially high ports are very rare. And a tool like Fail2Ban might help a lot to thwart login attempts. And besides that, many devices don’t need to be on the internet anyway. But if you do put them on the internet, be aware that you’d get lots of visits, and so a weak password or a vulnerabitily in the ssh implementation may open up you box easily. I some how expect it to become even more problematic when IPv6 becomes more common on consumer internet connections, as more devices get connected directly to the internet, and leaving the owner largely unaware of it.