What You Get After Running an SSH Honeypot for 30 Days

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • UninvitedActivity

    An attempt at creating some kind of auto-updating IP address blocklist

    https://github.com/UninvitedActivity/UninvitedActivity/tree/...

    I'm semi-aware of the futility of blocking IP addresses and networks. I do believe, however, that it can significantly reduce the load on the next layers of security that require computation for pattern matching etc.

    Be aware: there are footguns to be found here.

  • cli

    Official Command Line Interface for the IPinfo API (IP geolocation and other types of IP data) (by ipinfo)

    I (DevRel of IPinfo) run Fail2Ban on a VM as well. Protip: use the CLI.

    - The CLI has the `grepip` command that extracts all the IP addresses from a text. You do not have to parse your logs.

    - Analyze your data. After you have extracted your IP addresses from your logs, pipe them to the `summarize`, `map`, and `bulk` commands on the CLI.

    - If you are doing bulk enrichment with the `bulk` command, you can use some kind of CSV query tool like CSVtoolkit, DuckDB, or Python-Pandas.

    - Look into the ASN data. ASN data is always going to be the more interesting IP metadata for honeypots IPs. Summarize the IP addresses with the `summarize` command; it will give you a high-level report. If you want a web-shareable report, make a POST call to that endpoint. Docs: https://ipinfo.io/tools/summarize-ips

    https://github.com/ipinfo/cli

    You can always send your logs to me and ask what I think of them, and if I can find common patterns based on IP metadata. I am running our API and database services 24/7 and enjoy looking at logs. I can suggest firewall configurations based on country and ASN information provided by our free data.

  • I have a utility that parses failed SSH attempts and creates iptables blocklists:

    https://gitlab.com/mtekman/iptables-autobanner

    For those just wanting the blocklist, here is a table of malicious IP addresses, with columns of: address, number of ports tried, number of usernames tried.

    https://upaste.de/bgC
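As an added example (not the iptables-autobanner project's code), the following Python script parses the two standard OpenSSH failure messages from a constructed auth.log sample, builds the same per-address table the comment above describes (address, ports tried, usernames tried), and emits iptables DROP rules only for addresses that cross a threshold and are not on an operator-maintained allowlist. The log wording assumed is OpenSSH's default on Linux; the addresses, thresholds and the allowlist value are all made up for illustration.

```python
import re
from collections import defaultdict

# Assumed OpenSSH auth.log wording (Linux). One failed login normally produces an
# "Invalid user" line followed by a "Failed password for invalid user" line, so
# only "Failed password" lines are counted as attempts; both contribute usernames.
FAILED_RE = re.compile(
    r"(?:Failed password for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<iuser>\S+))"
    r" from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample log: one credential sprayer, one user who mistyped a password.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1203]: Invalid user admin from 203.0.113.5 port 51290
Mar  3 10:01:15 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51290 ssh2
Mar  3 10:01:20 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51333 ssh2
Mar  3 10:01:26 host sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 51400 ssh2
Mar  3 10:02:01 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:03 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:03:30 host sshd[1215]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""


def summarize_failures(log_text):
    """Per source IP: failed attempts, distinct usernames and distinct source ports."""
    users = defaultdict(set)
    ports = defaultdict(set)
    attempts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        users[ip].add(m.group("user") or m.group("iuser"))
        ports[ip].add(int(m.group("port")))
        if m.group("user"):
            attempts[ip] += 1
    return {
        ip: {"attempts": attempts[ip], "users": len(users[ip]), "ports": len(ports[ip])}
        for ip in users
    }


def select_candidates(summary, min_attempts=3, min_users=2, allowlist=frozenset()):
    """Addresses that look like credential spraying. The allowlist is the guard
    against the footgun of banning your own management hosts."""
    return sorted(
        ip for ip, s in summary.items()
        if ip not in allowlist
        and s["attempts"] >= min_attempts
        and s["users"] >= min_users
    )


def render_table(summary):
    """Tab-separated table with the columns used in the comment: address, ports, usernames."""
    rows = ["address\tports\tusers"]
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"]):
        rows.append(f"{ip}\t{s['ports']}\t{s['users']}")
    return "\n".join(rows)


def render_iptables_rules(ips, chain="INPUT", port=22):
    """One DROP rule per address, limited to the SSH port rather than all traffic."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    print(render_table(summary))
    # Placeholder allowlist: replace with the addresses you administer from.
    for rule in render_iptables_rules(select_candidates(summary, allowlist={"192.0.2.10"})):
        print(rule)
```

Pipe real log text in place of SAMPLE_LOG and review the printed rules before applying them; a blocklist generated from a single log file has no expiry, so pair it with an allowlist and a periodic reset.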

  • self-hosted-mailserver

    A set of Ansible scripts to set up a fully functional, self-hosted mail server

    This reminded me of:

    https://github.com/ajgon/self-hosted-mailserver/blob/master/...

  • where-are-the-scanners

    This tool visualizes the location of the scanners.

    Coincidentally, I recently visualized the scanners for fun by plotting them on a globe[1]. It gives a more comprehensive view of the locations and ASNs of the scanners. The demo data is generated from 1 day of logs.

    [1]: https://github.com/simonmysun/where-are-the-scanners

    Amazingly there's no request from the same ASN. I believe this is because the VPS provider has a quite strict validation process, e.g. you have to upload a photo of yourself with your ID and your handwritten username, etc. I would suggest we consider the reputation or credibility of the data centers so that the data centers have the motivation of banning such users. In my case, a lot of the requests were sent from Tencent or Alibaba data centers.

  • zmap

    ZMap is a fast single packet network scanner designed for Internet-wide network surveys.

    A lot of these seem to use zmap (https://github.com/zmap/zmap) or masscan (https://github.com/robertdavidgraham/masscan) for the initial scan.

    Often with default parameters such as zmap setting IP ID to 54321, having TCP initial window at 65535, having no SACK bit set, and masscan with no SACK bit either, TCP initial window at 1024, TCP maximum segment size 1460 (which is strange to put below initial window size!), (older versions having fixed src port 61000 or 60000 from documentation examples and no MSS set), all of which are extremely uncommon in legitimate traffic and thus easily identified.

    Even those so-called "legitimate" scanners (emphasis on the "") seem to use these tools with little or no extra configuration.

  • masscan

    TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.

    A lot of these seem to use zmap (https://github.com/zmap/zmap) or masscan (https://github.com/robertdavidgraham/masscan) for the initial scan.

    Often with default parameters such as zmap setting IP ID to 54321, having TCP initial window at 65535, having no SACK bit set, and masscan with no SACK bit either, TCP initial window at 1024, TCP maximum segment size 1460 (which is strange to put below initial window size!), (older versions having fixed src port 61000 or 60000 from documentation examples and no MSS set), all of which are extremely uncommon in legitimate traffic and thus easily identified.

    Even those so-called "legitimate" scanners (emphasis on the "") seem to use these tools with little or no extra configuration.
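The header defaults listed in the zmap/masscan comment above translate directly into a passive fingerprint a honeypot sensor can apply to incoming SYNs. The Python below is an added example, not code from zmap, masscan or any project on this page: it takes the SYN fields a sensor would already have extracted (the SynFields type is constructed for the example, not a pcap parser), labels a SYN that matches the quoted defaults, and tallies labels per source address. The sample SYNs are made up; the "ordinary client" entry uses values typical of a current Linux stack (window 64240, SACK permitted, MSS 1460) as a contrast.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SynFields:
    """One TCP SYN as a sensor would extract it (constructed input type for this example)."""
    src_ip: str
    src_port: int
    ip_id: int
    window: int
    sack_permitted: bool
    mss: Optional[int]  # None when the MSS option is absent from the SYN


def classify_syn(s: SynFields) -> Optional[str]:
    """Label a SYN whose header values match the tool defaults quoted in the comment.

    These are heuristics: a match means "looks like an unconfigured scanner",
    not proof of which tool sent it.
    """
    # zmap defaults: IP ID 54321, initial window 65535, no SACK-permitted option.
    if s.ip_id == 54321 and s.window == 65535 and not s.sack_permitted:
        return "zmap-default"
    # masscan defaults: initial window 1024, no SACK; MSS 1460 on current
    # versions, no MSS and a fixed source port of 60000/61000 on older ones.
    if s.window == 1024 and not s.sack_permitted:
        if s.mss == 1460:
            return "masscan-default"
        if s.mss is None and s.src_port in (60000, 61000):
            return "masscan-old-default"
    return None


def tally_by_source(syns):
    """Per source IP: how many SYNs matched each label. Unlabelled SYNs are dropped."""
    per_ip = defaultdict(Counter)
    for s in syns:
        label = classify_syn(s)
        if label:
            per_ip[s.src_ip][label] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


# Constructed sample: two scanner-like sources and one ordinary Linux client.
SAMPLE_SYNS = [
    SynFields("203.0.113.10", 44123, 54321, 65535, False, None),
    SynFields("203.0.113.10", 44123, 54321, 65535, False, None),
    SynFields("198.51.100.20", 40001, 9, 1024, False, 1460),
    SynFields("198.51.100.21", 61000, 3, 1024, False, None),
    SynFields("192.0.2.5", 51515, 20481, 64240, True, 1460),
]

if __name__ == "__main__":
    for ip, counts in sorted(tally_by_source(SAMPLE_SYNS).items()):
        print(ip, counts)
```

Feeding this from a live capture means pulling the IP ID, window, MSS and SACK-permitted option out of each SYN with your capture library of choice; the classifier itself stays the same. Treat a label as a reason to raise the source's score or tag the session, not as a standalone block decision, since a scanner that changes one default falls through to None.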

  • endlessh

    SSH tarpit that slowly sends an endless banner

    It's a tarpit that slowly sends a message to bots to keep them (and their bandwidth, memory, and CPUs) occupied: https://github.com/skeeto/endlessh?tab=readme-ov-file

  • referrer-spam-list

    Community-contributed list of referrer spammers. Comment +1 in any issue or Pull request and the spammer will be added to the list!

    Matomo (self-hosted analytics, used to be called Piwik) maintain a list of referrer spam domains. I use it as a filter list with GoAccess and haven't seen referrer spam for a long time. Worth a look. https://github.com/matomo-org/referrer-spam-list

  • cowrie

    Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

    If you want to try this yourself, although he carefully doesn't mention his software, it appears he is running the Cowrie honeypot (https://github.com/cowrie/cowrie).

    (Note, I’m the maintainer)
