Show HN: Watch bots interact with an SSH honeypot in real time
175 points
• 1 day ago
• Article
Link
该仪表板展示了来自为安全研究、威胁情报和教学用途部署的 SSH 蜜罐的实时遥测数据。通过捕获入站连接尝试,系统记录了多种信息,包括源 IP 、尝试的用户名与密码、执行的命令以及客户端指纹等,为观察未经授权实体探测网络基础设施的手法提供了实时视角。
观测到的流量来源多样:受损主机、代理服务器、 VPN 、扫描器、云实例以及僵尸网络节点等。需要注意的是,源 IP 并不一定能识别发起攻击的个人,而只是表明用于执行这些自动化探测的基础设施。捕获的数据常包含恶意内容,如未授权命令、潜在的恶意软件投放尝试和不可信的凭据。
由于这些数据是原始攻击记录,不应被视为已证实的归因或可安全运行的代码。该仪表板主要作为透明度工具,用于观察常见攻击模式,例如使用不同凭据反复尝试登录。在连接成功的情况下,蜜罐还会记录后续交互,包括命令输入和文件下载,从而揭示攻击者常用的自动化工作流程。
我们建议用户和研究人员对所有显示的信息保持必要的谨慎。如任何具体数据点涉及隐私、安全或滥用问题,应向站点运营方报告以便审查并在必要时删除。通过持续监控和汇总这些事件,该项目有助于分析人员更好地了解威胁态势及针对开放 SSH 服务的自动化扫描的持续性。
This dashboard provides live telemetry from an SSH honeypot designed for security research, threat intelligence, and educational purposes. By capturing inbound connection attempts, the system logs a variety of data, including source IP addresses, attempted usernames and passwords, executed commands, and specific client fingerprints. This information offers a real-time window into the tactics used by unauthorized entities to probe network infrastructure.
The observed traffic originates from a diverse range of sources, including compromised hosts, proxy servers, VPNs, scanners, cloud instances, and botnet nodes. It is important to note that a source IP address does not necessarily identify the individual behind an attack, but rather highlights the infrastructure used to carry out these automated probes. The captured data frequently includes malicious content, such as unauthorized commands, potential malware delivery attempts, and untrusted credentials.
Because this data is raw and reflects actual attack attempts, it should not be considered verified attribution or safe-to-run code. The dashboard functions as a transparency tool for observing common attack patterns, such as repeated login failures with varying credentials. In instances where a connection is successful, the honeypot records subsequent interactions, including command inputs and file downloads, providing insight into the automated workflows typically deployed by attackers.
Users and researchers are encouraged to treat all displayed information with appropriate caution. The platform emphasizes that if any specific data points reveal privacy, security, or abuse concerns, they should be reported to the site operator for review and potential removal. By continuously monitoring and aggregating these events, the project helps analysts better understand the threat landscape and the persistent nature of automated scanning activity against open SSH services.
59 comments • Comments Link
• SSH honeypot dashboard 能实时呈现 botnet 的行为,并表明与单次连接尝试相比,共享的 public keys 和特定的 command sequences 等重复模式更有参考价值。
• 该实现使用 Cowrie 作为交互式 honeypot,配合 Python-based log parser 和由 WebSocket 驱动的前端,可视化 authentication attempts 、 file downloads 和 system fingerprinting scripts 。
• 在发布来自 compromised machines 的原始数据时,privacy 和 ethics 是首要考量——日志可能无意泄露 victim PII,或为 malicious actors 提供可用于 fingerprint vulnerabilities 的实用数据。
• 建议通过 masking source IPs 或提供 filtered, anonymized data 来减少因转发来自潜在受害的 non-malicious users 的流量而引发的法律和伦理风险。
• 来自类似部署的观测显示,绝大部分 malicious traffic 来源于 Azure 等 major cloud providers,DigitalOcean 和 AWS 也贡献显著的 noise 。
• 下一步合乎逻辑的做法是区分 automated campaigns 与 manual human intervention,可通过基于 HASSH fingerprints 、 command sequences 和 artifact hashes 的 session clustering 实现。
• Public-facing honeypots 常被 playful spam 攻击,例如在 login fields 注入 song lyrics 或 scripts,这凸显了对 web 接口进行 robust input sanitization 以防止 exploits 的必要性。
• Residential IP proxy detection 仍不稳定,许多 commercial tools 依赖不完整的 blacklists 而非 behavioral 或 TCP-level fingerprinting,容易对处于 CGNAT 后方的 legitimate users 产生 false positives 。
• 未来改进可包括 geographic tagging 、 ASN lookups 、 leaderboards,以及使用 periodically rotated keyed hashes 处理 IP addresses,以便在不暴露 raw identifiers 的前提下实现 event correlation 。
• 亲眼观察这些 automated patterns 的教育价值很大,直观展示了公共互联网 background noise 的规模与持久性。
关于该 honeypot implementation 的讨论强调了 transparent threat intelligence 的教育价值与揭露 compromised infrastructure 的道德责任之间的张力。参与者普遍认为实时可视化 botnet activity 既有吸引力又具指导意义,但也警示了可能导致 secondary exploitation 或意外泄露 sensitive information 的风险。共识倾向于放弃单纯依赖 IP-based logging,改用 sophisticated behavioral clustering,以更好地应对高度自动化且分布式的 internet-wide scanning campaigns 。 • An SSH honeypot dashboard provides real-time visibility into botnet behavior, revealing that recurring patterns, such as shared public keys and specific command sequences, are more informative than individual connection attempts.
• The project architecture uses Cowrie for interaction, a Python-based log parser, and a WebSocket-powered frontend to visualize authentication attempts, file downloads, and system fingerprinting scripts.
• Privacy and ethics are significant concerns when publishing raw data from compromised machines, as the logs could unintentionally expose victim PII or provide malicious actors with actionable data to fingerprint vulnerabilities.
• Masking source IPs or providing filtered, anonymized data is recommended to mitigate legal and ethical risks associated with relaying traffic from potentially victimized, non-malicious users.
• Observations from similar setups indicate that a substantial majority of malicious traffic originates from major cloud providers like Azure, with other services like DigitalOcean and AWS also contributing significantly to the noise.
• Distinguishing between automated campaigns and manual human intervention is a logical next step, achievable through session clustering based on HASSH fingerprints, command sequences, and artifact hashes.
• Public-facing honeypots often become targets for playful spam, such as injecting song lyrics or scripts into login fields, which highlights the need for robust input sanitization to prevent web interface exploits.
• Residential IP proxy detection remains inconsistent, as many commercial tools rely on incomplete blacklists rather than behavioral or TCP-level fingerprinting, often resulting in false positives for legitimate users behind CGNAT.
• Future improvements could include geographic tagging, ASN lookups, leaderboards, and the adoption of periodically rotated keyed hashes for IP addresses to allow for event correlation without exposing raw identifiers.
• The educational value of observing these automated patterns firsthand is substantial, effectively demonstrating the sheer volume and persistence of background noise on the public internet.
The discussion surrounding this honeypot implementation emphasizes the tension between the educational value of transparent threat intelligence and the ethical responsibility of exposing compromised infrastructure. While participants find the real-time visualization of botnet activity both fascinating and instructive, they caution against the potential for secondary exploitation or the inadvertent broadcasting of sensitive information. Consensus points toward moving beyond simple IP-based logging in favor of sophisticated behavioral clustering, which better accounts for the highly automated, distributed nature of modern internet-wide scanning campaigns.