Honeypot System for Attacks on SSH Protocol

Full Text (PDF, 498KB), PP.19-26

Author(s)

Solomon Z. Melese 1,*, P.S. Avadhani 1

1. Andhra University CS&SE, Visakhapatnam, 530003, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2016.09.03

Received: 22 Jan. 2016 / Revised: 21 Apr. 2016 / Accepted: 3 Jun. 2016 / Published: 8 Sep. 2016

Index Terms

Secure Shell, Dictionary attack, Kippo, Dionaea, Honeypot, Intrusion

Abstract

Honeypots are effective network security systems built to study the tactics of attackers and their intents. In this paper, we deployed the Kippo honeypot to analyze Secure Shell attacks. Both the dictionary attacks and the intrusion activities of attackers are discussed. We collected the usernames and passwords attempted in dictionary attacks targeting the Secure Shell service. We traced the frequently attacking machines based on their IP addresses. We also recorded the commands attackers executed after successful logins to the Secure Shell honeypot server. We logged a vast number of connection requests destined for a number of ports and originating from different locations around the world. From our honeypot system, we collected attack data that enables us to learn about common Secure Shell based attacks.

Cite This Paper

Solomon Z. Melese, P.S. Avadhani, "Honeypot System for Attacks on SSH Protocol", International Journal of Computer Network and Information Security (IJCNIS), Vol. 8, No. 9, pp. 19-26, 2016. DOI: 10.5815/ijcnis.2016.09.03
