Honeypots 🍯

When it comes to server security, it's a common security practice to change the default SSH Port to something other than 22, disallow root login and enforce password less authentication, i.e. only authorize SSH access only via keys.

But I was actually curious to see as to why this was the case. I checked out the audit.log on my personal server and was shocked at the number of failed login attempts to my server. Immediately I thought to myself why not collect some of this data, front it with an API and make beautiful charts out of it. And viola this blog post is the product of the same. It also aims to showcase why server security shouldn't be taken lightly.

I checked out the various honeypot projects which were out there and cowrie immediately stood out for me. It was simple enough, had a dockerized version, cowrie-docker, and best of all it spewed out logs in JSON format. This meant less headache for me to parse the logs. So I immediately deployed it to my kubernetes cluster, and mapped the input port of the cowrie container (default 2222) to 22 port on the host using the hostPort directive.

I let this setup run for a few days to collect some data and started focussing on the next thing in line, which was to write an API to parse these logs. While collecting this data I realized it was gathering around 100 MBs of data per day. Now Python is usually my default language of choice when writing code due to its sheer simplicity and pseudo code like syntax, but this time around I didn't want to use it as it wouldn't be performant enough, so I picked Golang to implement the API. I wrote a simple parser in Golang to crunch the logs and get the 10 top usernames and the top 10 passwords using which attackers were trying to get into the server.

root seems to be the most used password, which is not really surprising, given a huge percentage of servers running today run on linux or freebsd, and they all have the root user, so targeting it makes sense. This is the reason one should modify their SSH config to not allow root logins and have a separate user who is a part of the wheel group / has sudo privileges to access the server.

Now analyzing the passwords chart also tells us a few things. admin seems to be the most attempted password on the list. Seriously!? Are people still using admin to protect their servers. Also given the huge number of attacks one should not use a password for loggin into the server, since they can be brute forced. If you look at the graph there are a lot of 1, 123, 1234 and so on passwords. These seem to be attempts at brute forcing into the server using all possible combinations. This is the reason one should prevent password less logins and only use SSH Keys for authentication.

Given I also had the source IP of the attack I could map it to a Country, and find out the top 10 countries I was getting attacked from. I used the Geolite2 database to map an IP to a country. At the time of writing this Ireland seems to be the most aggressive county. Not sure if it has any corelation to the country I've hosted my server in (Nuremberg, Germany). But I'm sure thing it'll keep on changing as time progresses.

Finally I wrote a simple server in Go using the gin framework to expose the API, so that I could query it from this blog post and display it. I'm using react-chartjs-2 which uses chart.js in the backend to make these wonderful charts. The data is fetched in real time from my server. But I figured that parsing the data on every API call is unnecessarily time consuming and CPU intensive, so I decided to cache the data into redis and parse the new logs once a day. So if you visit tomorrow you might see some other countries topping the chart.

Some footnotes, I should probably do an analysis on the number of login attempts on the new SSH port that I've set. That would support the theory about changing the SSH port leads to lesser attacks. Some other day I guess.