SSH Brute Force Attacks
I have been playing around with a simple SSH honeypot implementation in order to study a little more about brute force attacks on SSH servers. The project has been running for some time now and I want to present some of the data collected so far.
In a period of two months, from July to September of this year, a total of 143 different attackers tried to compromise the honeypot. In my opinion this is not really much, considering the fake SSH daemon was listening on a few thousand IP addresses.
The 143 attackers tried 9150 different usernames; the top 10 is presented in the following picture.
For the different usernames a total of 25973 different passwords were tried. The top 10 is presented in the next picture.
That's it for now. I haven't had the time yet to further investigate the collected data, but I will post some more information as soon as I have more time.
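The three figures reported above (distinct attackers, distinct usernames, distinct passwords) and the top-10 lists can be derived from raw login-attempt records as in the following added example, which is not the honeypot's own code. The tab-separated log layout, the sample records and the function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records; the tab-separated layout
# (timestamp, source IP, username, password) is an assumed log format.
SAMPLE_LOG = "\n".join([
    "2008-07-01T00:10:02\t192.0.2.10\troot\t123456",
    "2008-07-01T00:10:03\t192.0.2.10\troot\tpassword",
    "2008-07-01T00:10:05\t192.0.2.10\tadmin\tadmin",
    "2008-07-02T04:31:40\t198.51.100.7\troot\t123456",
    "2008-07-02T04:31:42\t198.51.100.7\ttest\ttest",
    "2008-07-02T04:31:44\t198.51.100.7\ttest\t",             # empty password
    "2008-07-03T09:00:00\t203.0.113.5\toracle\tpass\tword",  # tab inside password
    "garbage line without fields",                           # malformed record
])


def parse_attempts(text):
    """Yield (ip, username, password) tuples, skipping malformed lines."""
    for line in text.splitlines():
        # maxsplit=3 keeps any further tabs as part of the password
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue
        _, ip, user, password = parts
        yield ip, user, password


def summarize(text, top_n=10):
    """Count distinct attackers, usernames and passwords, plus top-N lists."""
    ips, users, passwords = set(), Counter(), Counter()
    for ip, user, password in parse_attempts(text):
        ips.add(ip)
        users[user] += 1
        passwords[password] += 1
    return {
        "attackers": len(ips),
        "distinct_usernames": len(users),
        "distinct_passwords": len(passwords),
        "top_usernames": users.most_common(top_n),
        "top_passwords": passwords.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

An attacker is counted here by source IP, and the top-N lists rank by number of attempts; both are assumptions about how the figures in the post were produced.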
Installed DenyHosts on a server a couple of weeks ago. Works like a charm. I don't have the statistics for username/password combinations but I do know that during these couple of weeks 65 hosts have been added to the deny list. So the 143 for thousands of IPs seems a bit low? I got the 65 for a single IP.
Posted by Toomas Römer — 24 Nov 2008, 13:14
Hi,
Is it a public SSH honeypot implementation? Where can I download it? :)
AL
Posted by al — 07 Jul 2009, 21:20
Hi,
the current implementation is still experimental, thus there is no public version yet. If I get a stable version ready, I can share it.
Posted by jan — 08 Jul 2009, 11:17
There are 2 open source SSH honeypots available which I would recommend:
http://kojoney.sourceforge.net/
http://www.digsshlogs.net/ (only in German, sorry), use Google translation :)
Greetings
Mike
Posted by Mike — 31 Jul 2009, 19:30
Thx for the information. My implementation is based on paramiko with a basic shell emulation. German is not a problem... I'm actually quite good at it =)
Posted by jan — 13 Aug 2009, 14:20