Results of the Chameleon honeypot experiment – what we learned about hacker attacks in 24 hours

At mClouds we constantly test various utilities and tools that help improve the security of our systems. Recently we deployed the Chameleon honeypot from qeeqbox in a test environment and exposed several different services with it.

Thanks to the honeypot, we determined the geographical distribution of attacks and found out which logins and passwords attackers used most often. In this article we share the test results and describe how we protected ourselves against brute force.

The purpose of the test and the capabilities of the Chameleon honeypot

When we launched the honeypot, we primarily wanted an in-depth view of cyberattacks. We chose Chameleon because it is a comprehensive solution that ships with 19 traps at once, simulating various services, including:

  • SSH, the protocol for remote access to servers;

  • Remote Desktop Protocol (RDP);

  • TELNET, the text protocol for remote access;

  • DNS, the system that resolves domain names to IP addresses;

  • the Microsoft SQL Server, PostgreSQL and MySQL database management systems;

  • FTP, the file transfer protocol;

  • Elasticsearch, a search and analytics platform;

  • the SOCKS5 proxy protocol, and others.

With the help of Chameleon from qeeqbox we collected information about the methods and tools attackers use to break into systems: attack types, exploits used, popular vulnerabilities, and the sets of logins and passwords they try. Based on this data we were able to:

1. Analyze the attacks in detail: collect logs, monitor traffic, and track how attackers guessed passwords and performed other malicious actions, while learning which service is attacked most often so that it can be secured first.

2. Simulate various attack scenarios and test the effectiveness of defense mechanisms. This approach is especially useful when introducing new technologies or protection methods: you can evaluate them in advance and identify possible shortcomings instead of putting out “fires” in the production system later.

3. Obtain data on the geographic location of attacking IP addresses and see which regions are generating the most threats.

Inside the Trap. Features of the Test Network

For the test we used FTP, SSH, TELNET, MSSQL, PostgreSQL, MySQL, DNS, Elastic and SOCKS5. These services are real bait for an attacker, since they provide access to system functions and important data.

Honeypot Chameleon is a pre-configured solution that already includes:

  • Containerization. Services are launched automatically in Docker containers, which not only increases security but also makes the network easier to manage and scale.

  • Data visualization and analysis. The solution already includes Grafana, a powerful data visualization tool. Grafana monitors activity on all traps in real time, tracks authorization attempts, analyzes attacker IP addresses, and collects statistics on the logins and passwords used for brute force.

    The Grafana dashboard contains various graphs and charts: the number of attacks on each service, the geographical distribution of attackers, and how often particular logins and passwords are used.

Each honeypot was configured to recover automatically after a successful or partial attack, which let us keep the network active even when attackers tried to make changes to a service.

As soon as we opened access to the test network, we registered the first attacker activity almost immediately. From such a rapid reaction we concluded that this honeypot imitates a real system quite convincingly.

Test results. What our honeypot showed

The attacks began three minutes after the ports were published, and in just 24 hours of operation the honeypot recorded 1,411 attempts to brute-force credentials. This demonstrates the high activity of bots and attackers that constantly scan the Internet for open ports and vulnerable services.

The most attacked services

  • Microsoft SQL Server – 775 attempts.

    The service's widespread use and its importance in corporate environments likely played a big role. Most attacks involved brute-forcing the password of the “sa” account.

  • SSH (Secure Shell) – 630 attempts.

    SSH is the standard protocol for remote access, so its popularity among attackers is easy to understand. Attackers concentrated on guessing passwords for accounts with administrative rights.

Elastic received only five attempts, and the least attacked service was FTP (File Transfer Protocol), with a single attempt.

Number of hacking attempts by servers

Other services were not attacked at all, which may indicate that attackers target the specific services they need rather than everything indiscriminately.

During the honeypot's operation we recorded 219 unique logins and 351 unique passwords used in brute-force attempts.

Most used logins

  • sa – 775. The “sa” login is the default administrator account in Microsoft SQL Server, making it a prime target for attackers.

  • root – 136. Often used on UNIX-like systems.

  • admin – 81. A universal login for various systems.

Frequency of login usage

Most used passwords

  • Among numeric passwords the most common were “123456” (51 attempts) and “12345678” (32 attempts).

  • Among alphabetic passwords the most common was “password” (40 attempts).

Frequency of password use

The data confirms that attackers still rely on dictionaries of the most common logins and passwords, counting on weak protection of target systems.
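To show how figures like those above are derived from raw honeypot events, here is an added Python example; it is not part of the original post and not Chameleon's own code. It assumes a JSON-lines log with the fields server, src_ip, action, username, password and status; those field names and the sample lines are constructed for the example and are not Chameleon's documented schema. It computes the same metrics the post reports (attempts per service, unique and most frequent logins and passwords, the numeric-versus-alphabetic split of passwords, and the busiest source addresses) and skips malformed or non-login lines.

```python
import json
from collections import Counter

# Constructed honeypot events in JSON-lines form. The field names are an
# assumption for this example, not Chameleon's documented log schema.
SAMPLE_LOG = """\
{"server": "mssql", "src_ip": "203.0.113.10", "action": "login", "username": "sa", "password": "123456", "status": "failed"}
{"server": "mssql", "src_ip": "203.0.113.10", "action": "login", "username": "sa", "password": "12345678", "status": "failed"}
{"server": "mssql", "src_ip": "203.0.113.10", "action": "login", "username": "sa", "password": "password", "status": "failed"}
{"server": "ssh", "src_ip": "198.51.100.7", "action": "login", "username": "root", "password": "123456", "status": "failed"}
{"server": "ssh", "src_ip": "198.51.100.7", "action": "login", "username": "admin", "password": "admin", "status": "failed"}
{"server": "ssh", "src_ip": "198.51.100.7", "action": "connection", "status": "open"}
{"server": "ftp", "src_ip": "192.0.2.5", "action": "login", "username": "anonymous", "password": "", "status": "failed"}
this line is not JSON and must be skipped
"""


def parse_login_attempts(text):
    """Yield login-attempt events from JSON-lines text, skipping malformed and non-login lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a honeypot log can contain non-JSON noise; ignore it
        if event.get("action") != "login" or "username" not in event:
            continue  # connection/open events carry no credentials
        yield event


def password_class(password):
    """Classify a guessed password the way the post groups them (digits vs letters)."""
    if password == "":
        return "empty"
    if password.isdigit():
        return "numeric"
    if password.isalpha():
        return "alphabetic"
    return "mixed"


def summarize(text, top_n=3):
    """Compute the metrics the post reports from the raw events."""
    attempts = list(parse_login_attempts(text))
    logins = Counter(e["username"] for e in attempts)
    passwords = Counter(e["password"] for e in attempts)
    return {
        "total_attempts": len(attempts),
        "by_service": dict(Counter(e["server"] for e in attempts)),
        "unique_logins": len(logins),
        "unique_passwords": len(passwords),
        "top_logins": logins.most_common(top_n),
        "top_passwords": passwords.most_common(top_n),
        "top_sources": Counter(e["src_ip"] for e in attempts).most_common(top_n),
        "password_classes": dict(Counter(password_class(e["password"]) for e in attempts)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real log you would feed the file contents to summarize() instead of SAMPLE_LOG; the per-source counter is the part worth watching, since a single address producing most of a service's attempts is the pattern the post later describes for the MSSQL attacker.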

Surprisingly, there were no brute-force attacks on RDP. We rechecked the connection: it was reachable, but it wrote an unsuccessful-connection message to the log. Apparently the RDP brute-forcers were asleep during those 24 hours.

Geographical Analysis of Attackers: Where the Most Active Hackers Came From

Analysis of the attacking IP addresses showed that they were spread across several countries.

USA – 37 IP addresses. Interestingly, many of the US addresses are concentrated in three main locations. Most likely a botnet was used for the brute force, or the attackers were using a VPN.

France – 10 IP addresses.

China – 8 IP addresses. China came third in number of addresses, but the most active attacker was from this country: the host at 218.75.124.157 persistently tried to gain access to Microsoft SQL Server using the “sa” login and a password dictionary.

Our protection against brute force: the fail2ban utility

To counter brute-force attacks we decided to use the free fail2ban utility. It blocks connections to SSH and to MS SQL Server if the credentials are entered incorrectly more than three times; the ban lasts 24 hours.

If you want to reproduce this, here is how.

Install fail2ban:

sudo apt install fail2ban

Configure it. Open the file /etc/fail2ban/jail.conf and add the jail blocks responsible for blocking:

SSH:

[sshd]
enabled = true
logpath = /var/log/honeypots/ssh.log
filter = ssh
port = 22
maxretry = 3
findtime = 1h
bantime = 1d

MSSQL:

[mssqld]
enabled = true
logpath = /var/log/honeypots/mssql.log
maxretry = 3
findtime = 1h
bantime = 1d
filter = mssqld-auth
port = 1433
action = iptables-allports
backend = polling

Create filters that match the failed-login entries in the logs.

For SSH – /etc/fail2ban/filter.d/ssh.conf:

[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
# Match a failed-login record and capture the source address from its "host" field
failregex = "host"\s*:\s*"<HOST>".*"status"\s*:\s*"failed"
ignoreregex =

For MSSQL – /etc/fail2ban/filter.d/mssqld-auth.conf:

[INCLUDES]
before = common.conf
[Definition]
_daemon = mssqld
failregex = Login failed for user .* \[CLIENT: <HOST>\]
ignoreregex =

Restart fail2ban. The service will now block brute-force connections.
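To make the jail settings above concrete (maxretry = 3, findtime = 1h, bantime = 1d) without touching a live fail2ban, here is an added Python example that replays constructed log lines through the same decision logic; it is not part of the original post and not fail2ban's own code. It uses the two failregex patterns from the filters above (the SSH one written as a valid regex) with fail2ban's <HOST> tag replaced by a plain IPv4 capture group, which is a simplification of the broader host pattern fail2ban substitutes. The log lines and timestamps are constructed and include one host whose failures are spread over more than an hour, to show that findtime is a sliding window rather than a simple counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified expansion of fail2ban's <HOST> tag: fail2ban substitutes a broader
# IP/hostname pattern; a plain IPv4 group is enough for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex patterns from the two filters above, with <HOST> expanded.
FILTERS = {
    "sshd": re.compile(r'"host"\s*:\s*"' + HOST + r'".*"status"\s*:\s*"failed"'),
    "mssqld": re.compile(r"Login failed for user .* \[CLIENT: " + HOST + r"\]"),
}


class Jail:
    """Sliding-window ban logic equivalent to maxretry / findtime / bantime."""

    def __init__(self, regex, maxretry=3, findtime=timedelta(hours=1),
                 bantime=timedelta(days=1)):
        self.regex = regex
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned_until = {}              # host -> datetime the ban expires

    def is_banned(self, host, now):
        until = self.banned_until.get(host)
        return until is not None and now < until

    def feed(self, line, now):
        """Process one log line seen at `now`; return the host if it just got banned."""
        match = self.regex.search(line)
        if not match:
            return None                     # not a failure line
        host = match.group("host")
        if self.is_banned(host, now):
            return None                     # already blocked, nothing new to do
        recent = self.failures[host]
        recent.append(now)
        # Drop failures older than findtime so only the sliding window counts.
        while recent and now - recent[0] > self.findtime:
            recent.popleft()
        if len(recent) >= self.maxretry:
            self.banned_until[host] = now + self.bantime
            recent.clear()
            return host
        return None


def run_sample():
    """Replay constructed log lines through both jails; return the ban decisions."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed start time
    jails = {name: Jail(rx) for name, rx in FILTERS.items()}
    ssh_fail = '{"host" : "%s", "username": "root", "status" : "failed"}'
    mssql_fail = ("Login failed for user 'sa'. Reason: Password did not match "
                  "that for the login provided. [CLIENT: %s]")
    events = [  # (jail, minutes after t0, constructed log line)
        ("sshd", 0, ssh_fail % "203.0.113.10"),
        ("sshd", 1, ssh_fail % "203.0.113.10"),
        ("sshd", 2, ssh_fail % "203.0.113.10"),   # third failure within 1h -> ban
        ("sshd", 3, ssh_fail % "203.0.113.10"),   # already banned, ignored
        ("sshd", 0, ssh_fail % "198.51.100.7"),
        ("sshd", 30, ssh_fail % "198.51.100.7"),
        ("sshd", 90, ssh_fail % "198.51.100.7"),  # first failure aged out: only 2 in window
        ("sshd", 5, '{"host" : "198.51.100.8", "status" : "success"}'),  # not a failure
        ("mssqld", 10, mssql_fail % "192.0.2.5"),
        ("mssqld", 11, mssql_fail % "192.0.2.5"),
        ("mssqld", 12, mssql_fail % "192.0.2.5"),  # -> ban
    ]
    bans = []
    for jail_name, minute, line in events:
        now = t0 + timedelta(minutes=minute)
        host = jails[jail_name].feed(line, now)
        if host:
            expires = jails[jail_name].banned_until[host]
            bans.append((jail_name, host, int((expires - t0).total_seconds() // 60)))
    ssh = jails["sshd"]
    return {
        "bans": bans,  # (jail, host, ban expiry in minutes after t0)
        "slow_host_banned": ssh.is_banned("198.51.100.7", t0 + timedelta(minutes=90)),
        "banned_after_23h": ssh.is_banned("203.0.113.10", t0 + timedelta(hours=23)),
        "banned_after_1d": ssh.is_banned("203.0.113.10", t0 + timedelta(days=1, minutes=3)),
    }


if __name__ == "__main__":
    print(run_sample())
```

The point to check before enabling a jail on a honeypot log is the regex itself: fail2ban-regex can be run against the log file with the filter to confirm that failure lines match and that the captured host is the attacker's address rather than the honeypot's own, otherwise the ban either never fires or blocks the wrong side.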

The Chameleon honeypot helped us quickly analyze attacks and see how attackers might behave. As the test showed, brute force remains one of the main ways attackers gain access to services, even though it requires significant computing resources.

What honeypots do you use?
