Discovering remote hosts used to involve dialing every number in a telephone exchange until you got a carrier tone. Finding one was pretty exciting. Today that process is largely automated, with fewer network explorers stopping to admire the welcome banners. Modern network scans are largely opportunistic – attackers are constantly probing the address space for a range of misconfigured or insecure devices. Knowing this, I wanted some visibility into who was scanning me at home. (Spoiler: it was China.) This required some network changes:I used to let incoming traffic bounce off my router's firewall without being logged. Some specific requests to non-default ports would get routed to internal hosts and the rest would get dropped. I changed that and deployed a DMZ host to receive every request not rule-bound to another destination. Most labs use virtual machines but I accomplished this with a Raspberry Pi. It's a cheap physical host and it offers the ability to re-flash the SD card as necessary.A sensor was required to watch all the network traffic. I used a spare machine to install Security Onion, a capable IDS built into a Linux distro. Because every machine was connected to the same switch, I just mirrored any traffic from the router to the Security Onion host. That allowed the IDS to monitor the whole network.I deployed a Kippo honeypot on the Raspberry Pi. Kippo emulates SSH and provides a sandbox with a limited set of commands. Once attackers get access, Kippo presents a fake file system and logs the entire session. Here’s what I saw:
- The most common requests were attempts to use the exposed host for DNS amplification attacks.
- Standard services like RDP and NTP were probed and many requests looked for the presence of a database.
- Some traffic looked for ports used by malware, perhaps to hijack an already-compromised host.
- Most SSH requests were automated login attempts using common credentials. Kippo uses an easily-guessed account ("root/123456") by default. I looked for "vanity strings" in the list of attempted passwords – unique signatures that attackers inject into honeypot logs during the login process.
An automated SSH scanner will usually disconnect right after getting in. The results are likely saved so an attacker can manually visit the system later. Those repeat visits would often begin with an SFTP request, a service that Kippo doesn't provide.One attacker still appeared to test the system boundaries. On a typical system, you can execute a command after login by appending it to the SSH request (ex. "ssh user@addr command"). But Kippo hasn’t implemented this functionality, so it terminates the connection instead of performing the command.An attacker tried this using a command (“service iptables stop”) that would have dropped the host firewall altogether. Unlike a real system, Kippo ended the session early, revealing the presence of a honeypot. That came from an address in the 222.184.0.0/12 range (China Telecom).So with some cheap infrastructure you can watch security incidents unfold on your own network! And aside from the threat intelligence, you'll have a great reason to keep your machines patched. Most of the traffic is already there, just waiting to be looked at.
