Ssh honeypot gives no result

Hello,

For a few days I have been testing my TO. I am stuck on the honeypot function. What I did:

  • made sure I can ssh from inside TO network to TO both lan and wan side
  • made sure I cannot ssh from outside TO network to TO wan side
  • installed ‘ssh honeypot’ in foris under updater
  • checked all boxes in foris under ‘data collection’
  • in luci under network/firewall made a port forward
    source zone: wan
    source ip: any
    source port: empty
    external ip: 192.168.1.137 (wan side TO)
    external port: 10022
  • made sure I can ssh from outside TO network to TO wan side:
    $ ssh -p 10022 root@192.168.1.137
    (succeeds)
  • if I now try to ssh from outside TO network to TO on port 22:

Finally I got results in
$ ssh -p 22 root@192.168.1.137
I am asked for a password and after I fill in any password I get: ‘Connection to 192.168.1.137 closed’

I presume this is the reaction the ssh honeypot gives!? Did this regularly the last few days, so I presume I activated the honeypot this way.

If I check these two urls:
https://project.turris.cz/en/data/xxxx/show#/ssh/
under ‘Data sending outages’ gives ‘0 h’
https://haas.nic.cz/device/xxxx/sessions
under ‘Router 1’ gives ‘No sessions in specified interval’. Nothing to see there.

Can anybody point me to what I am missing?

[Update, answer my own question]
I finally get some input in haas.nic.cz. It turns out that login attempts mostly get a ‘connection closed’, which does not result in input in haas. Once in a while an attempt succeeds and results in input in haas.

1 Like

I also tried to ‘hack’ my own TO by telnet. From inside the TO network I can’t telnet (I presume because no telnet server is active). From outside the TO network, if I telnet to TO I get a telnet prompt, which consistently gives a failed login attempt. But where can I find a log with those failed hacking attempts on TO, project.turris.cz or elsewhere?

3 Likes

You must try the SSH honeypot from an external IP, not from LAN … 192.168.1.138. From LAN you get to the real SSH.

You can try my honeypot 93.91.50.207 port 22

Unfortunately … there is no log from telnet honeypot (only from SSH).

1 Like

Thanks for replying.
@JardaB: I already succeeded in ‘ssh’-ing to my own ssh-honeypot and got results in Haas.
@Nones: That is a pity. It feels safer if one sees the results of self-inflicted hacking attempts.

I tried to ssh to this ip about 100 times. I never got a login screen and never got a ‘succeeded’ login. So I am not sure whether your honeypot actually works.

2 Likes

Sorry, the problem is on my side. And now??

Succeeded login and succeeded command ‘rm -r *’ ;-)

1 Like

Sometimes there are problems with the haas server …

1 Like

Succeeded from here.

I reached the same conclusion. Tried a few times last week and only now it seems to work. Maybe there was a short outage of some sort.

@spiegelei (about Telnet honeypot monitoring tool) Yes, I agree. It’s a pity. I have tried about it for four years.
But there is big chance to realize it nowadays (the red tram arrived to Stara Boleslav :-))