I’ve run a bunch of different VPS servers for my own projects over the years, and one odd hobby was checking the /var/log/auth.log
and seeing just how frequently random mass scans of the internet would turn into unauthorised SSH attempts on my server. The following is one minute of my logs:
May 15 06:55:23 srsbzns sshd[6401]: Invalid user ubnt from 116.110.92.78 port 55134
May 15 06:55:23 srsbzns sshd[6401]: Connection closed by invalid user ubnt 116.110.92.78 port 55134 [preauth]
May 15 06:55:24 srsbzns sshd[6403]: Connection closed by authenticating user root 116.110.92.78 port 40728 [preauth]
May 15 06:55:27 srsbzns sshd[6405]: Invalid user admin from 116.110.92.78 port 45286
May 15 06:55:27 srsbzns sshd[6405]: Connection closed by invalid user admin 116.110.92.78 port 45286 [preauth]
May 15 06:55:41 srsbzns sshd[6407]: Invalid user ubnt from 116.110.92.78 port 36770
May 15 06:55:41 srsbzns sshd[6407]: Connection closed by invalid user ubnt 116.110.92.78 port 36770 [preauth]
May 15 06:55:48 srsbzns sshd[6409]: Invalid user test from 116.103.23.190 port 38226
May 15 06:55:48 srsbzns sshd[6409]: Connection closed by invalid user test 116.103.23.190 port 38226 [preauth]
May 15 06:55:49 srsbzns sshd[6411]: Connection closed by authenticating user root 171.251.25.38 port 56538 [preauth]
May 15 06:55:53 srsbzns sshd[6413]: Invalid user ftpuser from 116.110.92.78 port 48590
May 15 06:55:54 srsbzns sshd[6415]: Invalid user user from 116.110.92.78 port 43658
May 15 06:55:54 srsbzns sshd[6413]: Connection closed by invalid user ftpuser 116.110.92.78 port 48590 [preauth]
May 15 06:55:54 srsbzns sshd[6415]: Connection closed by invalid user user 116.110.92.78 port 43658 [preauth]
As an aside, always use SSH public/private key auth for any public facing servers and disable password based login.
Another fun one is checking your HTTP auth logs and seeing just how frequently random scans of the internet are looking for SQL backups, vulnerable CMS versions, and the like:
39.106.157.127 - - [20/May/2022:01:18:58 +0000] "POST /cgi-bin/ViewLog.asp HTTP/1.1" 404 0 "-" "MtmKilledYou"
39.106.157.127 - - [20/May/2022:01:18:58 +0000] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 971 "-" "-"
159.89.207.135 - - [20/May/2022:01:19:28 +0000] "POST /wp-login.php HTTP/1.1" 200 7695 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 MVisionPlayer/1.0.0.0"
137.184.125.204 - - [20/May/2022:01:28:55 +0000] "GET /.env HTTP/1.1" 404 491 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
206.189.34.6 - - [20/May/2022:01:28:56 +0000] "POST /wp-cron.php?doing_wp_cron=1653010135.9818480014801025390625 HTTP/1.1" 301 658 "http://example.com/wp-cron.php?doing_wp_cron=1653010135.9818480014801025390625" "WordPress/5.9.3; https://example.com"
137.184.125.204 - - [20/May/2022:01:28:55 +0000] "POST / HTTP/1.1" 200 9737 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
193.106.191.48 - - [20/May/2022:01:29:09 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 486 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
Here we can see a few attempts to access a WordPress admin panel, the .env
file used by lots of Node.js, PHP, and Python frameworks to store values like database locations, API keys, and similar, and we can also see an attempt to acces cgi-bin
(executables usable from a web request) with a traversing path to get us to the root directory to try and execute commands directly on our server.
These constant attempts to find weak points and targets across the internet have always fascinated me. Whether someone is trying to find a new vulnerable host to add to their botnet, something they can deny ownership of to use for C2 (command and control), or even finidng something they can use for cryptomining - whether directly on the server or by serving web pages for viewers to start mining.
I’ve always wanted a way to monitor and display the live attempts, because it puts it into a different context when you realise that this is happening 24/7, fully automated, even against brand new servers (thanks to the ennumerability of public IP addressing) or websites not yet cached in search enginers. I finally found some time and hardware spare, and decided to set up a little system to demonstrate this effect.
Setup
I set up some old hardware I had (that HP N40L Microserver I recently resurrected) and installed Logstash on it. I then set up the following Logstash config focused on ingesting syslog
:
input {
syslog {
port => 10514
}
}
output {
file {
path => "/dev/tty1"
codec => plain
}
}
I also needed to set up port forwarding in my router so that all syslog messages sent to my home IP got forwarded to my Logstash server because most home connections are behind NAT.
This should ingest all the syslog messages and then write them to a file called /dev/tty1
.
The thing is, /dev/tty1
isn’t a normal file. It’s the output of a screen attached to my server. A TTY in Linux is a terminal, which can be a virtual one like your SSH session or a monitor displaying a shell session.
And because everything is a file in Linux, I can append data to it and it will just be written straight to that output. This gives me the following cool display system hanging out under my desk:
Now I have a live scrolling feed of some of the common attempted attacks against my server. It’s not a complete list, nor is it a comprehensive or complex system. It could be developed into a more rigorous honeypot system but it’s a cool demonstration and adds a cyberpunk flair to my daily work area.