Hi, I set up HaaS from the 3.9 firmware, and used an external network to access the honeypot for my router. What I consistently noticed is that it’s very slow to get a shell prompt from the honeypot after logging in with a username and password. It can take 2-3 minutes or more before you get the honeypot’s Debian shell prompt. Responses to shell commands are also slow (10-15 seconds). This would seem to make the honeypot less effective, as I can imagine attackers wouldn’t wait around that long just to see if login is successful. Is this intentional? I had previously used the old Turris SSH honeypot, and it was far faster to give the shell after login.
Here’s a sample of logs if it’s helpful. As I said, I don’t usually get a shell until 2-3 minutes after “getting shell” appears in the log.
2017-12-13T07:17:51-08:00 info twisted[]: [haas_proxy.proxy.ProxySSHFactory] disabling non-fixed-group key exchange algorithms because we cannot find moduli file
2017-12-13T07:17:51-08:00 info twisted[]: [SSHServerTransport,24,174.214.14.31] kex alg, key alg: diffie-hellman-group14-sha1 ssh-rsa
2017-12-13T07:17:51-08:00 info twisted[]: [SSHServerTransport,24,174.214.14.31] outgoing: aes256-ctr hmac-sha2-256 none
2017-12-13T07:17:51-08:00 info twisted[]: [SSHServerTransport,24,174.214.14.31] incoming: aes256-ctr hmac-sha2-256 none
2017-12-13T07:17:52-08:00 info twisted[]: [SSHServerTransport,24,174.214.14.31] NEW KEYS
2017-12-13T07:17:52-08:00 info twisted[]: [SSHServerTransport,24,174.214.14.31] starting service ssh-userauth
2017-12-13T07:17:53-08:00 info twisted[]: [SSHService ssh-userauth on SSHServerTransport,24,174.214.14.31] root trying auth none
2017-12-13T07:17:56-08:00 info twisted[]: [SSHService ssh-userauth on SSHServerTransport,24,174.214.14.31] root trying auth password
2017-12-13T07:17:56-08:00 info twisted[]: [SSHService ssh-userauth on SSHServerTransport,24,174.214.14.31] root authenticated with password
2017-12-13T07:17:56-08:00 info twisted[]: [SSHService ssh-userauth on SSHServerTransport,24,174.214.14.31] starting service ssh-connection
2017-12-13T07:17:56-08:00 info twisted[]: [SSHService ssh-connection on SSHServerTransport,24,174.214.14.31] got channel session request
2017-12-13T07:17:56-08:00 info twisted[]: [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,24,174.214.14.31] channel open
2017-12-13T07:17:56-08:00 info twisted[]: [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,24,174.214.14.31] pty request: xterm (24, 80, 0, 0)
2017-12-13T07:17:56-08:00 info twisted[]: [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,24,174.214.14.31] getting shell
Hi. No, this is not intentional. We have load problems because there are now so many users, which we didn’t expect. We are working on that (I mean on HaaS) and are planning to release the final version (we are now in the beta phase) by the end of January or early February.
4 Likes
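An added example (not part of either post and not HaaS code): a small parser for log lines in the format quoted above that groups them by SSH session and reports the seconds between handshake phases as the proxy logged them. The phase names and function names are this example's own labels, and it assumes IPv4 peers; the log does not record when the prompt actually reaches the client, so only the proxy-side phases up to "getting shell" are measured.

```python
import re
from datetime import datetime

# Four of the log lines quoted in the post above, embedded so this runs offline.
SAMPLE = """\
2017-12-13T07:17:51-08:00 info twisted[]: [SSHServerTransport,24,174.214.14.31] kex alg, key alg: diffie-hellman-group14-sha1 ssh-rsa
2017-12-13T07:17:52-08:00 info twisted[]: [SSHServerTransport,24,174.214.14.31] NEW KEYS
2017-12-13T07:17:56-08:00 info twisted[]: [SSHService ssh-userauth on SSHServerTransport,24,174.214.14.31] root authenticated with password
2017-12-13T07:17:56-08:00 info twisted[]: [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,24,174.214.14.31] getting shell
"""

# Timestamp, then a bracketed context ending in "SSHServerTransport,<id>,<ip>".
LINE = re.compile(
    r"^(?P<ts>\S+) \w+ twisted\[\]: "
    r"\[.*?SSHServerTransport,(?P<sid>\d+),(?P<ip>[\d.]+)\] (?P<msg>.*)$")

# Message patterns marking each phase (phase names are hypothetical labels).
PHASES = [
    ("kex", re.compile(r"^kex alg")),
    ("keys", re.compile(r"^NEW KEYS$")),
    ("auth_ok", re.compile(r" authenticated with ")),
    ("shell_req", re.compile(r"^getting shell$")),
]

def phase_times(log_text):
    """Return {(session_id, ip): {phase: datetime}}, first occurrence of each phase."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. factory-level lines that carry no session context
        ts = datetime.fromisoformat(m["ts"])
        phases = sessions.setdefault((int(m["sid"]), m["ip"]), {})
        for name, pat in PHASES:
            if pat.search(m["msg"]):
                phases.setdefault(name, ts)
    return sessions

def elapsed(phases, start, end):
    """Seconds between two phases, or None if either was never logged."""
    if start in phases and end in phases:
        return (phases[end] - phases[start]).total_seconds()
    return None

if __name__ == "__main__":
    for (sid, ip), p in phase_times(SAMPLE).items():
        print(sid, ip, "kex -> shell request:", elapsed(p, "kex", "shell_req"), "s")
```

On the quoted session the proxy goes from key exchange to the shell request in 5 seconds, so the 2-3 minute wait described in the first post falls after the last event these lines record.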