Some systems are specifically meant to be hacked. The little experiment I describe in this article shows that a system is found quite soon after being connected to the Internet.
Security experts tell us that external access to servers (directly connecting them to the Internet) is insecure. However, security departments sometimes deliberately set up systems to be targeted by attackers. These so-called honeypots are used to uncover possible hacker activity going on in the companies network. Besides this business use, a similar setup can be done out of interest or for fun as well.
A commonly used protocol used to connect to computer systems is ssh. Whether it is safe to connect it to the open internet, even when taking specific precautions, is disputed. But how long will it take before such a system will be compromised? To find out, I deployed the Cowrie SSH honeypot on an Amazon EC2 instance, with the mocked ssh service on port 2222 directly reachable from the Internet.
As nothing on the Internet is referring to this server, it can only be found by scanning IP and port ranges. Using a signed SSL certificate with a domain name would probably make it easier to find specific targeted attacks. However, as the image below shows, it took only a few hours before the first connection attempt arrived at our exposed ssh port.
The chart shows the source IP address (unreadable) on the vertical axis and the moment of first connection on the horizontal axis. The size of the dot is relative to the number of connection attempts from that specific source address. The total amount of connection attempts was over 3,600 during these five days, originating from 37 different source addresses.
The map below shows the location of the source addresses, according to ipstack. Again, the size of the dot corresponds to the number of connection attempts from that location. We see connections are coming in from all over the world. However, chances to find our hacker at that location are small, as VPN and other obfuscation techniques are widely used when misbehaving on the Internet.
The honeypot SSH server is protected by username/password credentials. Several commonly used username/password combinations are granting access. Once logged in a shell is emulated, allowing commands to be entered, imitating the command result.
During the testing period, three attackers managed to pass the login prompt by guessing the right password. Once connected the intruders were using the uname command to check the type of operating system and version. None of the intruders came back for more.
Considering this, I would think twice before connecting any server directly to the Internet. It doesn't take long before the first automated hacker-operated scanner comes by to knock on your ports. Then you'd better make sure to keep them closed!
Lead image by Magda Ehlers@Pexels, other images were created from log analysis using Dataiku.