Ssh honeypot gives no result

spiegelei · August 3, 2018, 5:55pm

Hello,

Since a few days I am testing my TO. I am stuck on the honeypot function. What did I do:

made sure I can ssh from inside TO network to TO both lan and wan side

made sure I cannot ssh from outside TO network to TO wan side
installed ‘ssh honeypot’ in foris under updater
checked all boxes in foris under ‘data collection’
in luci under network/firewall made a port forward
source zone: wan
source ip: any
source port: empty
external ip: 192.168.1.137 (wan side TO)
external port: 10022
made sure I can ssh from outside TO network to TO wan side:
$ ssh -p 10022 root@192.168.1.137
(succeeds)
if I now try to ssh from outside TO network to TO on port 22:

Finally I got results in
$ ssh -p 22 root@192.168.1.137
I am asked for a password and after I fill in any password I get: ‘Connection to 192.168.1.137 closed’

I presume this is the reaction the ssh honeypot gives !? Did this regularly the last few days, so I presume I activated the honeypot this way.

If I check these two urls:
https://project.turris.cz/en/data/xxxx/show#/ssh/
under ‘Data sending outages’ gives ‘0 h’
https://haas.nic.cz/device/xxxx/sessions
under ‘Router 1’ gives ‘No sessions in specified interval’. Nothing to see there.

Can anybody point me to what I am missing ?

[Update, answer my own question]
I finally get some input in haas.nic.cz. It turns out that mostly an login attempts get a ‘connection closed’ which does not result into input in haas. Once in a while an attempts succeeds and results into input in haas.

spiegelei · August 3, 2018, 11:21pm

I also tried to ‘hack’ my own TO by telnet. From inside the TO network I can’t telnet (I presume because no telnet server active). From outside the TO network if I telnet to TO I get a telnet prompt, which consistently gives a failed login attempt. But where can I find a log with those failed hacking attempts on TO, project.turris.cz or elsewhere ?

JardaB · August 4, 2018, 9:00am

SSH honeypot you must try from extern IP, no from LAN … 192.168.1.138. From LAN can you go to realy SSH

You can try my honeypot 93.91.50.207 port 22

Nones · August 4, 2018, 9:54am

Unfortunately … there is no log from telnet honeypot (only from SSH).

spiegelei · August 4, 2018, 2:24pm

Thanks for replying. @JardaB: I already succeed to ‘ssh’ my own ssh-honeypot and get results in Haas @Nones: That is a pitty. It feels more safe if one sees the results of self inflicted hacking attempts.

I tried to ssh to this ip about 100 times. I never got a login screen and never got a ‘succeeded’ login. So I am not sure whetter your honeypot actually works.

JardaB · August 4, 2018, 2:51pm

Sorry, problem is be me . And now ??

spiegelei · August 4, 2018, 2:55pm

Succeeded login and succeeded command ‘rm -r *’

JardaB · August 4, 2018, 2:57pm

Sometime are problem with haas server …

vcunat · August 4, 2018, 5:03pm

Succeeded from here.

Jack · August 4, 2018, 5:20pm

I reached the same conclusion, Tried a few times last week and only now it seems to work. Maybe there was a short outage of some sort.

Nones · August 5, 2018, 4:59am

@spiegelei (abou Telnet honeypot monitoring tool) Yes, I agree. It’s a pity. I have tried about it for four years.
But there is big chance to realize it nowadays (the red tram arrived to Stara Boleslav :-))