
Learn from your attackers with a high interactivity SSH Honey Pot - robputt796
https://www.robertputt.co.uk/learn-from-your-attackers-ssh-honeypot/
======
maxander
Was halfway expecting a GPT-2 model trained to act like a bash shell.

~~~
saagarjha
It tried:

> _root ~#_ ps aux | grep btrfs ./bash-4.2.5/bash-4.2.5.bash.bash 377 1011
> root 2 0 9:32 ? 00:00:00 /usr/lib/btrfs/initroot.sh : No such file or
> directory ./bash-4.2.5/bash-4.2.5.bash.bash 377 1006 root 2 0 9:32 ?
> 00:00:00 /usr/lib/btrfs/shm_btrfs_show.sh : No such file or directory
> ./bash-4.2.5/bash-4.2.5.bash.bash 377 1006 root 2 0 9:32 ? 00:00:00 /

------
cmroanirgo
Hug of death? Try:
[https://web.archive.org/web/20200104032004/https://www.robertputt.co.uk/learn-from-your-attackers-ssh-honeypot/](https://web.archive.org/web/20200104032004/https://www.robertputt.co.uk/learn-from-your-attackers-ssh-honeypot/)

~~~
robputt796
Yes, it seems I did not anticipate such traffic and my autoscaling settings
did not allow the front-end web server pool to expand far enough. It is at
times like this that I wonder why I switched back to WordPress instead of
hosting statically generated content on S3 + CloudFront :-(. It should be back
now, apologies.

~~~
robjan
Installing a caching plugin and turning it all the way up should solve most of
your problems. There is no real need for every request to hit the DB.

~~~
robputt796
Hello,

Yep, the site already uses a caching plugin (W3 Total Cache) and it is
configured with memcached as the backend. Unfortunately, even with this the
site still makes a couple of DB calls on each page load, but nowhere near as
many as without the caching. Maybe I'll shove Varnish in front of it too for
good measure :joy:

~~~
tecleandor
If you're using nginx (haven't checked it), microcaching for a bunch of
seconds, let's say five seconds, can solve most of these problems and you
don't need to add more components.

~~~
robputt796
Nope sorry, still using Apache 2. :-|

~~~
tecleandor
Haven't tried this personally, but it might help you...

[https://portal.cloudunboxed.net/knowledgebase/33/Nginx-like-microcaching-using-Apache-modcache.html](https://portal.cloudunboxed.net/knowledgebase/33/Nginx-like-microcaching-using-Apache-modcache.html)

------
3fe9a03ccd14ca5
My experience with kippo was that it basically didn't work. They'd come in and
run a few commands and then ghost. I figured they had some easy way to find
out if they were inside a honeypot that wasn't immediately obvious to me.

~~~
frequentnapper
in this case: check if a directory /home/honssh exists to detect that it's a
honeypot?

~~~
robputt796
I think this would not work because the HonSSH server with the HonSSH user is
hosting a proxy service. The user gets dumped into an actual vanilla looking
Linux host at the backend.

------
cmdshiftf4
I would be interested to see some of the output of captured sessions, although
I'm sure they end up being somewhat mundane - setting up botnet agents, crypto
miners, etc.?

~~~
netsharc
I was expecting that too, but the article turned out to be just a boring
"copy-and-paste these commands" how-to.

------
samstave
Error establishing a database connection

------
dillonmckay
Is this just MiTM’ing a known good instance?

------
nickjamespdx
good linking @cmroanirgo

