What is a honeypot?

A honeypot is a system that acts as if it were offering services to clients. A honeypot can impersonate multiple well-known services, for example POP, IMAP, SMTP, Telnet and SSH. All a honeypot does is listen on open ports and serve up a login prompt. If something tries to log in, it writes the source IP address, the username and the password that were used to a log file.

You use a honeypot to catch scripts or attackers trying to break into systems. A honeypot server usually has no DNS records attached to it and is not referenced anywhere. This way you know that everyone or everything that tries to log in to your honeypot has ended up there through some form of reconnaissance.

Why would I need one?

Adversaries are constantly changing the sources of their attacks. Running your own honeypot(s) will give you insight into who is hitting your network. It provides you with zero-day information that is relevant to your environment.

Our setup

At aaZoo we run a Security Operations Center and provide managed firewall services for our customers. We have set up a honeypot system to provide our customers with additional protection and insight. We use automatic blacklisting to stop potential breaches. Our customers get a free subscription to our own blacklist in addition to the vendor-generated blacklists when they buy their security services from us.

Diagram of our honeypot architecture

We continually monitor the systems and use the ELK Stack (Elasticsearch, Logstash and Kibana) to display relevant events and provide us with operational insight into the attacks that are targeted at our network.

Dashboard for honeypot statistics, showing data for the last 90 days

Results

The dashboard shows that in the last 90 days we detected 12000 unique source IP addresses trying to log in to our system. The tag cloud shows that the top 3 countries with systems trying to breach our systems are Iran, China and Russia.

One thing that I find particularly interesting is the usernames and the passwords that our adversaries are trying out.

Diagram of top 25 usernames

The top 3 usernames tried consist of the usual suspects: root, admin and guest, default accounts for a lot of systems. We also see less commonly used usernames such as telecomadmin and telnetadmin, and some more specifically targeted ones like e8ehome and e8telnet, which are used as default passwords in China-made DSL routers.

Diagram depicting the top 25 passwords

The password section of our dashboard is the most interesting. It shows common passwords (WHO IS USING THOSE ANYMORE?!?!) such as system, admin, 12345 and of course password. It also shows frequent use of aquario, which seems to be a default password of Aquario routers, and OxhlwSG8, which is a default password for IP cameras.
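The path from honeypot log to these statistics and to the automatic blacklist mentioned under "Our setup" can be sketched as follows. This is an added example, not aaZoo's own code: it assumes a JSON-lines log with the hypothetical field names src_ip, username and password, the allowlist parameter is also an assumption, and the sample log is constructed.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample log: one JSON object per line. The field names
# (src_ip, username, password) are assumptions, not the page's format.
SAMPLE_LOG = """\
{"src_ip": "203.0.113.7", "username": "root", "password": "12345"}
{"src_ip": "203.0.113.7", "username": "admin", "password": "admin"}
{"src_ip": "198.51.100.23", "username": "root", "password": "password"}
{"src_ip": "198.51.100.23", "username": "guest", "password": "12345"}
{"src_ip": "192.0.2.10", "username": "root", "password": "system"}
{"src_ip": "not-an-ip", "username": "root", "password": "x"}
truncated line, not JSON
"""

def parse_attempts(log_text):
    """Yield (ip, username, password) for every well-formed log line."""
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
            ip = ipaddress.ip_address(event["src_ip"])
            yield ip, str(event["username"]), str(event["password"])
        except (ValueError, KeyError, TypeError):
            continue  # attacker-influenced input: skip junk, never crash

def summarize(log_text, allowlist=(), top_n=3):
    """Return top credentials and a sorted blacklist of source IPs."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    users, passwords, sources = Counter(), Counter(), set()
    for ip, username, password in parse_attempts(log_text):
        users[username] += 1
        passwords[password] += 1
        sources.add(ip)
    # The honeypot has no legitimate clients, so any login attempt
    # qualifies, except from ranges we own (e.g. our own scanners).
    blacklist = [ip for ip in sources if not any(ip in net for net in allowed)]
    return {
        "unique_sources": len(sources),
        "top_usernames": users.most_common(top_n),
        "top_passwords": passwords.most_common(top_n),
        "blacklist": [str(ip) for ip in sorted(blacklist, key=lambda a: (a.version, int(a)))],
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG, allowlist=["192.0.2.0/24"]), indent=2))
```

Storing each attempt as JSON keeps attacker-chosen usernames and passwords (which may contain spaces, commas or newlines) from corrupting the log format.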

Conclusion

If you analyze the usernames and passwords that are being tried, it looks like adversaries are actively scanning for embedded (or Internet of Things) devices like DSL modems, IP cameras, etc., most likely to turn those into botnets.

Why would they be targeting those? Most consumer devices never get their default admin username or password changed. Also, more and more computing devices like laptops and phones are hardened and protected with some kind of anti-virus or anti-malware solution. Have you ever seen an IP camera or DSL modem with a virus scanner?

Change your default passwords, people!