Some systems are specifically meant to be hacked. The little experiment I describe in this article shows that a system is found quite soon after being connected to the Internet. Security experts tell us that external access to servers (directly connecting them to the Internet) . However, security departments sometimes deliberately set up systems to be targeted by attackers. These so-called are used to uncover possible hacker activity going on in the companies network. Besides this business use, a similar setup can be done out of interest or for fun as well. is insecure honeypots A commonly used protocol used to connect to computer systems is . Whether it is safe to connect it to the open internet, even when taking specific precautions, . But how long will it take before such a system will be compromised? To find out, I deployed the honeypot on an Amazon EC2 instance, with the mocked ssh service on port 2222 directly reachable from the Internet. ssh is disputed Cowrie SSH As nothing on the Internet is referring to this server, it can only be found by scanning IP and port ranges. Using a signed SSL certificate with a domain name would probably make it easier to . However, as the image below shows, it took only a few hours before the first connection attempt arrived at our exposed ssh port. find specific targeted attacks The chart shows the source IP address (unreadable) on the vertical axis and the moment of first connection on the horizontal axis. The size of the dot is relative to the number of connection attempts from that specific source address. The total amount of connection attempts was over 3,600 during these five days, originating from 37 different source addresses. The map below shows the location of the source addresses, according to . Again, the size of the dot corresponds to the number of connection attempts from that location. We see connections are coming in from all over the world. However, chances to find our hacker at that location are small, as VPN and other obfuscation techniques are widely used when misbehaving on the Internet. ipstack The honeypot SSH server is protected by username/password credentials. Several commonly used username/password combinations are granting access. Once logged in a shell is emulated, allowing commands to be entered, imitating the command result. During the testing period, three attackers managed to pass the login prompt by guessing the right password. Once connected the intruders were using the command to check the type of operating system and version. None of the intruders came back for more. uname Considering this, I would think twice before connecting any server directly to the Internet. It doesn't take long before the first automated hacker-operated scanner comes by to knock on your ports. Then you'd better make sure to keep them closed! Lead image by Magda Ehlers@Pexels, other images were created from log analysis using Dataiku.

Amazon

Read My Stories

Too Long; Didn't Read

Questions about cloud security? Get answers here.

A Honeypot Experiment Shows How Long It Takes To Get Hacked

Too Long; Didn't Read

Company Mentioned

Bernie van Veen

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

A Honeypot Experiment Shows How Long It Takes To Get Hacked

Too Long; Didn't Read

Company Mentioned

Bernie van Veen

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES