SSH honeypot – HaaS

From Turris OS version 3.9 onward, the service formerly known as SSH honeypot is integrated into HaaS – Honeypot as a Service. HaaS is a publicly available service and it can also be used by people who do not have a Turris router. More information on HaaS can be found directly on the HaaS website, where you can also view detailed information about the attacks attempted on your router and various statistics. Read on to find out what an SSH honeypot is good for and how to use the service on Turris routers.

Background

SSH is one of the most common protocols in the world for securely connecting to other machines, which run an SSH server. An SSH server is enabled on pretty much every home router and often without the user’s awareness. Sometimes Telnet is enabled instead of the SSH server, which is much worse security-wise because it sends and receives data in plaintext.

Because manufacturers very rarely update their firmware, the chances that you are running an outdated and vulnerable version of the SSH server are really high. From time to time news is released about new CVEs (Common Vulnerabilities and Exposures), such as #sambacry and #dirtycow. Most of the time, manufacturers don’t care if there is a security issue or even a back door, and instead of maintaining an old device, the manufacturer will usually tell you to buy a new one. We want to change this with Turris Omnia.

In order to learn who the attackers are, what methods they use and from which IP addresses they conduct the attacks, we implemented an SSH honeypot. It is basically a “fake” SSH server to which we deliberately allow attackers to connect so that we can monitor their behavior.

Information available to us:

  • From which IP address the attacker logged in
  • Credentials used to log in
  • Attacker behavior
  • The scripts, which the attacker ran in the honeypot

The more targets the attackers try to reach, the more information we get about the attackers and the bigger the chances that we can reveal them, block them (or fix affected devices) and publish information about them.

How to set up SSH honeypot on Turris

If you were registered to the SSH honeypot before HaaS became an official service, you only need to proceed to the HaaS website, where you will find statistics on everything that is logged under your user profile. Log in using the same login credentials as used for Project Turris.

Installation

For the service to work, you need to enable data collection and download the SSH honeypot package:

1. In the Foris web interface go to the Data Collection tab, check “Enable data collection” and validate your email.

2. Also in Foris under the tab Updater check the package SSH honeypot and confirm.

The package will download and install automatically.

3. Proceed to HaaS where you log in using the email and password, which you got when you registered to Project Turris through this site.

On the HaaS website, in the section My Honeypot under My devices, you should already be able to see your Turris router as well as add other devices. If you click on a specific device, you can view the list of sessions and also the list of commands the attacker used in a particular session.

(Screenshots: example list of sessions; example command list.)

Move the SSH server to a port for remote administration

If you use SSH for remote access to your router, you need to forward a different external port to port 22, otherwise you will be connected to the honeypot. Changing the SSH port can be a simple protection against intrusion attempts. Don't forget to use a strong password or, better, a public key for logging in.

You just need to add port forwarding with the following settings:

  • Name: SSH redirect
  • External port: number from 1 to 65535
  • Internal port: 22

For obvious reasons, choose an external port number that is not already in use.

If you don't specify the port when connecting over SSH, the default port (which is 22) will be used and you will be connected to the honeypot, which could record your password! For this reason it is better to log in with a public key.
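As an added example (not from the original page), the following OpenSSH client configuration shows a weak entry that would land in the honeypot next to a hardened one for the setup described above. The host name `turris.lan`, the forwarded external port 2222 and the key path are assumed values; substitute your own.

```sshconfig
# Added example, not part of the original page.
# Assumed values: host name turris.lan, forwarded external port 2222,
# key file ~/.ssh/turris_ed25519.

# Weak: no Port given, so ssh falls back to 22 and reaches the honeypot,
# which can record a typed password.
Host turris-weak
    HostName turris.lan
    User root

# Hardened: explicit forwarded port, key-only authentication, pinned host key.
Host turris
    HostName turris.lan
    Port 2222
    User root
    IdentityFile ~/.ssh/turris_ed25519
    IdentitiesOnly yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    StrictHostKeyChecking yes
```

With `PasswordAuthentication no` there is no password for a honeypot to record, and `StrictHostKeyChecking yes` aborts the connection on an unknown or changed host key before any authentication takes place, so an accidental connection to the honeypot (which presents a different key) fails loudly instead of silently logging the session.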