Learn from your attackers with a high interactivity SSH Honey Pot (robertputt.co.uk)
82 points by robputt796 7 months ago | hide | past | favorite | 19 comments

Was halfway expecting a GPT-2 model trained to act like a bash shell.

It tried:

> root ~# ps aux | grep btrfs ./bash-4.2.5/bash-4.2.5.bash.bash 377 1011 root 2 0 9:32 ? 00:00:00 /usr/lib/btrfs/initroot.sh : No such file or directory ./bash-4.2.5/bash-4.2.5.bash.bash 377 1006 root 2 0 9:32 ? 00:00:00 /usr/lib/btrfs/shm_btrfs_show.sh : No such file or directory ./bash-4.2.5/bash-4.2.5.bash.bash 377 1006 root 2 0 9:32 ? 00:00:00 /

What an extremely fun idea.

Yes, it seems I did not anticipate such traffic and my autoscaling settings did not allow the front end web server pool to expand big enough. It is times like this I wonder why I switched back to WordPress compared to hosting statically generated content on S3 + CloudFront :-(. It should be back now, apologies.

Installing a caching plugin and turning it all the way up should solve most of your problems. There is no real need for every request to hit the DB.


Yep, the site already uses a caching plugin (w3TotalCache) and it is configured with memcached at the backend. Unfortunately, even with this the site still makes a couple of DB calls with each page load, but nowhere near as many as without the caching. Maybe I'll shove varnish in front of it too for good measure :joy:

If you're using nginx (haven't checked it), microcaching for a bunch of seconds, let's say five seconds, can solve most of these problems and you don't need to add more components.

Nope sorry, still using Apache 2. :-|

Haven't tried this personally, but it might help you...


My experience with kippo was that it basically didn’t work. They’d come in and run a few commands and then ghost. I figured they had some easy way to find out if they were inside a honeypot that was immediately obvious to them.

Yup, Kippo is extremely easy to detect.

Full interaction honeypots based on NAT like this are also detectable if you look at RTT and TTL on packets pre-auth and post-auth.
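The pre-auth/post-auth comparison described in the comment above, worked through as an added example (this is not code from the linked article or from any commenter). It assumes the attacker's client has recorded, for each server packet, which SSH phase it belongs to, the IP TTL seen on the wire, and the round-trip time to the client packet it answers. The packet records are constructed, not captured; the `1.5` RTT ratio is an assumed threshold.

```python
"""Heuristic check for a NAT-forwarded full-interaction SSH honeypot.

Idea from the thread: before authentication the honeypot front end answers
the client itself, after authentication the session is NATed through to a
backend host. If that backend sits one hop further away, the IP TTL on
server packets drops by one and the round-trip time grows. Comparing the two
phases exposes the split.

Added example; sample packets are constructed, not captured.
"""

from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class ServerPacket:
    phase: str      # "pre-auth" (KEX, banner, auth) or "post-auth" (channel data)
    ttl: int        # IP TTL of the server packet as observed by the client
    rtt_ms: float   # delay between the client packet and this server reply


# Constructed sample: front end at TTL 52 with ~19 ms RTT, backend one hop
# further (TTL 51) and noticeably slower once the session is forwarded.
NAT_HONEYPOT = [
    ServerPacket("pre-auth", 52, 18.0),
    ServerPacket("pre-auth", 52, 19.5),
    ServerPacket("pre-auth", 52, 17.8),
    ServerPacket("pre-auth", 52, 20.1),
    ServerPacket("post-auth", 51, 41.2),
    ServerPacket("post-auth", 51, 39.8),
    ServerPacket("post-auth", 51, 44.0),
    ServerPacket("post-auth", 51, 40.5),
]

# Constructed control: a plain host answering both phases itself.
PLAIN_HOST = [
    ServerPacket("pre-auth", 52, 18.0),
    ServerPacket("pre-auth", 52, 19.5),
    ServerPacket("pre-auth", 52, 17.8),
    ServerPacket("post-auth", 52, 19.0),
    ServerPacket("post-auth", 52, 18.4),
    ServerPacket("post-auth", 52, 20.3),
]


def split_by_phase(packets):
    """Return (pre-auth packets, post-auth packets)."""
    pre = [p for p in packets if p.phase == "pre-auth"]
    post = [p for p in packets if p.phase == "post-auth"]
    return pre, post


def analyze(packets, rtt_ratio=1.5):
    """Compare TTL and median RTT across the two phases.

    rtt_ratio (assumed threshold): flag the RTT signal when the post-auth
    median is at least this many times the pre-auth median.
    """
    pre, post = split_by_phase(packets)
    if not pre or not post:
        raise ValueError("need packets from both phases")

    pre_ttls = {p.ttl for p in pre}
    post_ttls = {p.ttl for p in post}
    pre_rtt = median(p.rtt_ms for p in pre)
    post_rtt = median(p.rtt_ms for p in post)

    ttl_shift = pre_ttls != post_ttls
    rtt_jump = post_rtt >= rtt_ratio * pre_rtt

    return {
        "pre_ttls": pre_ttls,
        "post_ttls": post_ttls,
        "pre_rtt_ms": pre_rtt,
        "post_rtt_ms": post_rtt,
        "ttl_shift": ttl_shift,
        "rtt_jump": rtt_jump,
        # Require both signals: a single path change can also shift TTL,
        # and jitter alone can inflate RTT.
        "suspicious": ttl_shift and rtt_jump,
    }


if __name__ == "__main__":
    for name, sample in (("nat-honeypot", NAT_HONEYPOT), ("plain-host", PLAIN_HOST)):
        print(name, analyze(sample))
```

Requiring both signals keeps a routine route change (TTL shift only) or a congested link (RTT jump only) from producing a false positive; an attacker doing this for real would also repeat the measurement over several connections before trusting it.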

In this case: check if a directory /home/honssh exists to detect that it's a honeypot?

I think this would not work because the HonSSH server with the HonSSH user is hosting a proxy service. The user gets dumped into an actual vanilla looking Linux host at the backend.

I would be interested to see some of the output of captured sessions, although I'm sure they end up being somewhat mundane - setting up botnet agents, crypto miners, etc.?

I was expecting that too, but the article turned out to be just a boring "copy-and-paste these commands" how-to.

Error establishing a database connection

Is this just MiTM’ing a known good instance?

good linking @cmroanirgo
