Malicious SSH login attempts have been appearing in some administrators’ logs for several years. This article revisits the use of honeypots to analyze malicious SSH login attempts and see what can be learned about this activity. The article then offers recommendations on how to secure one’s system against these attacks.
Using honeypots for research
The New Zealand Honeynet Alliance is a research organization and member of the Honeynet Alliance, which is dedicated to improving the security of computer systems and networks by researching the behavior, tactics, and tools of black hat hackers through the use of honeypot technology. Honeypots are computer systems whose value lies in their openness to attack and compromise, allowing the researcher to analyze malicious activity on the system.
We have set up such a system at the Victoria University of Wellington to investigate malicious activity that occurs on a university network in New Zealand. This system was a high interaction honeypot that an attacker can interact with like any other system on the network. As far as the attacker is concerned, there should be no discernible difference between the honeypot and other computer systems. However, it is closely monitored through the Honeynet Alliance Roo honeywall that captures all network traffic flowing to and from the honeypot. In addition, system events are recorded on the honeypot itself via its logging facility.
The honeypot ran a standard server configuration of RedHat 9 with a Secure Shell (SSH) server that was accessible via the public Internet. SSH is a program that allows a user to log into another computer over a network via an encrypted channel. After we encountered malicious SSH login attempts in previous setups, we configured our honeypot to allow for additional data collection. We patched the SSH server to record the password along with the account name that was used in the login attempt. The honeypot was brought online on July 11, 2006 and taken offline on August 1, 2006, after 22 full days. The honeypot was attacked numerous times during this period with login attempts on SSH. We take a closer look at the data to determine the tactics of the attackers and to make recommendations to improve security around SSH.
In an additional configuration of the honeypot, which ran from June 28 to July 4, we added the Sebek module that records key strokes of the attacker once the system has been compromised. We configured several user accounts with commonly used passwords. After a few days, an attacker successfully compromised the system. The analysis of this attack and subsequent attacks are presented in this paper and provide us with further insight into how the malicious SSH login attempts are used to compromise systems.