Overview
We created an unadvertised honeypot Digital Ocean droplet with a user account that had a weak password, to see how long it would take before the box was compromised. The first attack arrived within the first minute, and the account was compromised in less than 9 hours.
Setup
We created a Digital Ocean droplet in Canada running Ubuntu 20.04, allowed SSH logins with a password (the PasswordAuthentication directive in /etc/ssh/sshd_config), and then created a user with a weak password:
adduser dev
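The honeypot deliberately kept password logins on; the hardened counterpart is what a production droplet should look like. The script below is an added example, not part of the original write-up: it builds two constructed sshd_config files (a honeypot-style one and a hardened one), and a small check function reports whether password logins are effectively enabled, taking into account that OpenSSH defaults PasswordAuthentication to yes when the directive is absent and that the first uncommented occurrence wins. The file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original write-up): inspect an sshd_config for the
# setting the honeypot relied on, PasswordAuthentication, and show the hardened form.

# Return 0 (true) when password logins are effectively enabled in the given file.
# OpenSSH treats a missing directive as "yes", and uses the first uncommented
# occurrence, which is why only the first match is inspected.
password_auth_enabled() {
    value=$(grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" \
            | head -1 | awk '{print tolower($2)}')
    [ -z "$value" ] || [ "$value" = "yes" ]
}

# Constructed honeypot-style config: any account with a guessable password is reachable.
honeypot_cfg=$(mktemp)
cat > "$honeypot_cfg" <<'EOF'
# honeypot: password guessing works against every local account
PasswordAuthentication yes
PermitRootLogin no
EOF

# Constructed hardened config: keys only, no root, no empty passwords.
# ChallengeResponseAuthentication is the spelling OpenSSH 8.2 (Ubuntu 20.04) accepts;
# newer releases treat it as an alias of KbdInteractiveAuthentication.
hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
# hardened: public-key authentication only
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
EOF

for cfg in "$honeypot_cfg" "$hardened_cfg"; do
    if password_auth_enabled "$cfg"; then
        echo "$cfg: password logins ENABLED (brute-forceable)"
    else
        echo "$cfg: password logins disabled"
    fi
done
```

On a live host, `sshd -T | grep -i passwordauthentication` prints the effective value after all Include and Match processing, which is the authoritative check; the function above is for reviewing a config file before it is deployed.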
View First Attack
We ran the following commands and used the two timestamps (boot time from uptime, and the first "Failed password" entry in auth.log) to calculate how long after boot the first SSH login attempt arrived. If logrotate has already rotated the log, the older entries are in /var/log/auth.log.1. This first attack came from Sudan.
uptime
grep "Failed password" /var/log/auth.log | head -1
Hacked User
grep "Failed password" /var/log/auth.log
grep "Accepted password" /var/log/auth.log
By watching for “Accepted password” entries and subtracting the boot time, we found that it took 8 hours and 24 minutes for our weak password to be guessed. This attacker's IP address resided in Singapore. The attacker set up a cron job pointing at a hidden folder under /tmp, and the resulting process consumed the server's resources. We looked at the files they uploaded but could not determine what they did.
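The grep commands above answer the two questions (time to first attempt, time to compromise) by hand. The script below is an added example, not code from the original write-up or its analysis repository: it parses Ubuntu-style auth.log SSH entries and computes the time from boot to the first failed login, the time to the first accepted login and which account fell from which IP, the failed-attempt count and distinct attacker IPs, and a (weekday, hour) count that feeds a heatmap. The log lines, the boot time and the year are constructed sample data; on the real box the boot time comes from `uptime -s`, and the year has to be supplied because syslog timestamps do not carry one.

```python
"""Added example (not code from the original write-up): parse Ubuntu-style
/var/log/auth.log SSH entries and compute the figures the honeypot reports.
The log lines, boot time and year below are constructed sample data."""
import re
from collections import Counter
from datetime import datetime

# Ubuntu 20.04 writes auth.log with a syslog timestamp that carries no year,
# so the year of the capture must be supplied (assumption: 2022).
LOG_YEAR = 2022

# One pattern covers both outcomes; "invalid user" appears only when the
# account does not exist, so it is optional and the username is kept either way.
SSH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample of what the honeypot's auth.log looked like.
SAMPLE_AUTH_LOG = """\
Jul  1 12:00:41 honeypot sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul  1 12:00:43 honeypot sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul  1 12:01:05 honeypot sshd[1210]: Failed password for root from 198.51.100.23 port 40012 ssh2
Jul  1 12:01:06 honeypot sshd[1210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
Jul  1 15:30:00 honeypot sshd[1400]: Failed password for dev from 192.0.2.55 port 33000 ssh2
Jul  1 20:24:00 honeypot sshd[2101]: Accepted password for dev from 192.0.2.55 port 33102 ssh2
Jul  1 20:24:00 honeypot sshd[2101]: pam_unix(sshd:session): session opened for user dev by (uid=0)
Jul  2 03:10:12 honeypot sshd[2500]: Failed password for invalid user oracle from 203.0.113.7 port 52000 ssh2
""".splitlines()

# Constructed boot time; on the real host this is the output of `uptime -s`.
BOOT_TIME = datetime(2022, 7, 1, 12, 0, 0)


def parse_auth_log(lines, year=LOG_YEAR):
    """Yield (timestamp, result, user, ip) for every SSH password attempt."""
    for line in lines:
        m = SSH_RE.match(line)
        if not m:
            continue  # sudo, cron and PAM noise also land in auth.log
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def summarize(lines, boot_time, year=LOG_YEAR):
    """Compute time-to-first-attack, time-to-compromise and attack volume."""
    events = list(parse_auth_log(lines, year))
    failed = [e for e in events if e[1] == "Failed"]
    accepted = [e for e in events if e[1] == "Accepted"]

    def seconds_since_boot(event_list):
        if not event_list:
            return None  # nothing of that kind happened (yet)
        return (min(e[0] for e in event_list) - boot_time).total_seconds()

    return {
        "seconds_to_first_attack": seconds_since_boot(failed),
        "seconds_to_compromise": seconds_since_boot(accepted),
        "failed_attempts": len(failed),
        "unique_attacker_ips": len({e[3] for e in failed}),
        "top_ips": Counter(e[3] for e in failed).most_common(3),
        # Which accounts fell and from where: the "Accepted password" check.
        "compromised": [(e[2], e[3]) for e in accepted],
        # (weekday, hour) -> failed attempts, the input for a weekly heatmap.
        "heatmap": Counter((e[0].strftime("%a"), e[0].hour) for e in failed),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG, BOOT_TIME)
    print(f"first attack {s['seconds_to_first_attack']:.0f}s after boot")
    print(f"compromised {s['seconds_to_compromise'] / 3600:.2f}h after boot: {s['compromised']}")
    print(f"{s['failed_attempts']} failed attempts from {s['unique_attacker_ips']} IPs; top: {s['top_ips']}")
    for (day, hour), n in sorted(s["heatmap"].items()):
        print(f"{day} {hour:02d}:00  {'#' * n}")
```

The regex deliberately matches only "Failed password" and "Accepted password"; sshd also logs "Invalid user", "Connection closed by ... [preauth]" and key-based attempts, so a count based on these two strings is a lower bound on the real number of connections, which is worth keeping in mind when quoting totals like the ones in the summary.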
Build Heatmap and Other Tables
To analyze the failed-login logs we forked an existing Python repository and added some metadata of our own. The steps are in the README, along with some minor future plans.
Summary
Security should not be an afterthought! We saw close to 40,000 attacks (failed login attempts) in 5 days from 906 different IP addresses, and our weak user was compromised in less than 9 hours. This information was presented in the cyber security portion of the Volttron Quarterly Meeting in July 2022.