Secure Honey

SSH honeypot written in C

Let The Hackers In!

Saturday 26th October 2013 12:12

This week I've implemented a basic version of the SSH honeypot. After putting the honeypot live on Sunday (20th Oct) evening there have been a total of 2,897 login attempts.

The password "123456" has been used 48 times and the username "root" has been used 1992 times.

What's most interesting about these attacks on the honeypot is that I've not advertised, promoted or otherwise told anyone the honeypot's IP address. How is this possible?

Also this week I've added a mini stats box to this website which will show a breakdown of recent attacks.

Logging the login attempts

To recap: last week I ended by saying I would implement a version of SSHpot by Pete Morris.

The main changes I made to SSHpot were to add a new function, curl, and to call it from log_attempt, the function that stores all login attempts to a file. The new log_attempt function now looks like this (the additional line is the call to curl near the end; the error paths now also close the log file before returning):

/* Write interesting information about a connection attempt to LOGFILE.
 * Returns -1 on error. */
static int log_attempt(struct connection *c) {
    FILE *f;
    int r;

    if ((f = fopen(LOGFILE, "a+")) == NULL) {
        fprintf(stderr, "Unable to open %s\n", LOGFILE);
        return -1;
    }

    if (get_utc(c) <= 0) {
        fprintf(stderr, "Error getting time\n");
        fclose(f);          /* don't leak the file handle on the error path */
        return -1;
    }

    if (get_client_ip(c) < 0) {
        fprintf(stderr, "Error getting client ip\n");
        fclose(f);
        return -1;
    }

    c->user = ssh_message_auth_user(c->message);
    c->pass = ssh_message_auth_password(c->message);

    if (DEBUG) { printf("%s %s %s %s\n", c->con_time, c->client_ip, c->user, c->pass); }
    r = fprintf(f, "%s %s %s %s\n", c->con_time, c->client_ip, c->user, c->pass);
    fclose(f);
    /* New: forward the attempt to the web server as well as the local log file. */
    curl(c->con_time, c->client_ip, c->user, c->pass);
    return r;
}

where the function curl is defined as follows (each field is URL-encoded before it goes into the query string, and the con_time value is now actually sent rather than left empty):

#include <stdio.h>
#include <curl/curl.h>

/* Send one login attempt to the stats collector over HTTP. Every field is
 * URL-encoded with curl_easy_escape() so that a password containing '&', '='
 * or '#' cannot break the query string or add extra parameters to it.
 * Returns -1 if a curl handle could not be created. */
int curl(char* con_time, char* client_ip, char* user, char* passwd) {
   CURL *curl;
   char buf[500];
   char *e_time, *e_ip, *e_user, *e_pass;

   curl_global_init(CURL_GLOBAL_ALL);   /* better called once from main() */
   if ((curl = curl_easy_init()) == NULL) {
       return -1;
   }
   e_time = curl_easy_escape(curl, con_time, 0);
   e_ip   = curl_easy_escape(curl, client_ip, 0);
   e_user = curl_easy_escape(curl, user, 0);
   e_pass = curl_easy_escape(curl, passwd, 0);
   snprintf(buf, sizeof buf, "http://securehoney.net/test.php?user=%s&pass=%s&con_time=%s&client_ip=%s", e_user, e_pass, e_time, e_ip);
   curl_easy_setopt(curl, CURLOPT_URL, buf);
   curl_easy_perform(curl);
   curl_free(e_time); curl_free(e_ip); curl_free(e_user); curl_free(e_pass);
   curl_easy_cleanup(curl);
   return 0;
}

This new function sends the login attempt data directly to securehoney.net, where it is stored in a database. This makes it much easier to produce data and statistics on the honeypot login attempts. Note that the data travels over plain HTTP and the username and password fields are chosen by the attacker, so the receiving script has to treat them as untrusted input.

I put this basic version of the honeypot live on Sunday evening in the hope that I'd possibly get at least a few login attempts.

How I'd underestimated what would happen next...

Analysing the attacks

So I'm not going to lie; I've been quite excited this week by the sheer volume of attacks occurring on the honeypot. The honeypot's been running for only 5 full days and it's already received a total of 2,897 login attempts.

In addition to the pre-existing honeypot server, yesterday I installed the honeypot on a second server which I've had running for a few years. I'll be referring to these two servers as the honeypots "alpha" and "bravo", respectively.

The top 10 most common passwords used to attempt to login to the honeypot were:

The top 10 most common usernames used to attempt to login to the honeypot were:

This week I've also implemented a new element/box on this website called "Live Stats" (shown up at the top right of every page). This will show a condensed version of the statistics for recent attacks on the honeypots.

I'm currently working on a full statistics page which will include a comprehensive breakdown of recent attacks along with charts to help analyse the data. I'll update more on this in future posts.

How are there so many login attempts?

So how come so many people are attacking the honeypot already when I've not even promoted its IP address?

The simple answer: IP scanning.

It's relatively easy to scan a range of IP addresses and determine whether port 22 (the default SSH port) is open or not.

For example, using nmap, the command:

nmap -p 80 example.com

will check whether port 80 is open on the web server behind example.com. But how would someone go about checking every single public IP address on the planet?

There are 4,294,967,296 IPv4 addresses available and 17,891,328 of them are IANA-reserved private IPv4 addresses. So this leaves 4,277,075,968 available IP addresses to scan to determine if port 22 is open.

Once a list of these IP addresses - along with their port 22 status - is produced (which can easily be automated via a script and left to run for a while), the hacking / brute-force attempts can begin.

Problems with the code

One of the main issues that has arisen this week is that child processes (of the honeypot) are not always terminating automatically. This happens when someone connects to the honeypot but doesn't send the correct disconnect message.

When this happens, the child process just waits instead of terminating. There have been a few instances this week where the server has become almost unresponsive because it's clogged up with so many waiting child processes. This is an issue I'll try to resolve this week.
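The hang described above comes from a child that blocks waiting for a disconnect that never arrives. One defensive fix, shown here as an added example that is not part of the SSHpot or Secure Honey code: give every child a hard per-session alarm so it is killed when the client goes quiet, and always reap it in the parent. SESSION_TIMEOUT and the two handler functions are constructed stand-ins for the honeypot's per-connection code.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Per-connection time limit in seconds (constructed value). A client that
 * connects and never sends a disconnect is cut off when this expires. */
#define SESSION_TIMEOUT 1

/* Run one connection handler in a child process that cannot outlive
 * SESSION_TIMEOUT. Returns the signal that ended the child, 0 if it exited
 * normally, or -1 if fork/waitpid failed. handler() stands in for the
 * honeypot's per-connection code (hypothetical). */
static int run_session(void (*handler)(void)) {
    pid_t pid = fork();
    int status;
    if (pid < 0) return -1;
    if (pid == 0) {
        alarm(SESSION_TIMEOUT);  /* SIGALRM's default action kills a stuck child */
        handler();
        _exit(0);
    }
    /* Parent: reap this child so no zombie lingers. A real accept() loop would
     * instead call waitpid(-1, &status, WNOHANG) from a SIGCHLD handler so it
     * can keep accepting new connections while sessions run. */
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* A client that never disconnects: without the alarm the child blocks forever. */
static void stuck_client(void) { for (;;) pause(); }

/* A well-behaved client that finishes promptly. */
static void polite_client(void) { }

int main(void) {
    printf("stuck client ended by signal %d (SIGALRM=%d)\n",
           run_session(stuck_client), SIGALRM);
    printf("polite client ended with %d\n", run_session(polite_client));
    return 0;
}
```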

Arch Linux

This isn't strictly related to the project but it's impacting on the project...

A few years ago I bought an HP Mini netbook. It's such a basic machine and so slow to use that I gave up on it. Plus the battery died about a year after purchasing it. However, this week I discovered that HP have released a BIOS update to fix the battery dying issue. So I bought a cheap £15 replacement battery off Amazon and installed Arch Linux onto the little machine.

I installed the tiling window manager i3 (using this handy guide) onto Arch and, I have to say, I'm impressed with the results. The netbook runs blindingly fast and it's a very productive environment to work in. My only gripe is that I'm getting just under 4 hours from the battery.

As I said, not strictly relevant, but I can highly recommend Arch Linux with i3 window manager. I'll be using it to work on a lot of this project.

Moving onto phase two

Phase one was to set up the honeypot and log all attempted logins. So my challenge this week will be to start implementing phase two: allow users to "login" (or appear to login) to the SSH server and attempt to execute commands.

Phase two won't actually allow the user to execute any commands in the shell; it will simply log every attempted command so that I can analyse them later.

I'm also keen to add the ability to detect and log what SSH client each user is using. This will be useful in determining what sort of environments users are in.

Image credit: "Anonymous Hacker" by Brian Klug, flickr.com/photos/brianklug/6870002408

12qwaszx 963852741 1234%^ POIUYT 12344321 zxcvbn 111 zaqxsw 888888 111111 asdfghjkl a123456 windows qwer1234 q1w2e3 Passw0rd zxcv support 1111 server iloveyou welcome123 user !@ abcdef a cisco 123abc qwer qwerty123 q123456 manager 54321 alpine qq123456 huawei 11223344 password zaqxswcde qazwsx default 1 qwe123 test okokok 88888888 ubnt dragon 159753 147852369 12345678 passwd qwertyuiop 23456 power qwaszx huawei123 changeme123 123123123 5201314 Aa123456 qwe 1qazxsw2 nagios redhat zaqxswcdevfr q1w2e3r4 1234qwer 1qaz2wsx3edc monitor 12345 pass root1234 password123 123qweasd 000000 z1x2c3v4 qaz qazwsx123 f**kyou admin123!@# Pass123 121212 p@ssword 1a2s3d4f 1qaz2wsx Admin123456 woaini zaq1xsw2 linux adminadmin _ system 1qaz@WSX P@ssw0rd1 sapp a1b2c3d4 654321 qazwsxedc 1234 sqlpp qazxsw asdf sysadmin qqpp abc123 idc2008 123123 666666 123456 123qwe 987654321 admin123 admin@123 zhang 789789 11111111 idcidc qwerty123456 secret Huawei@123 !@#$%^ changeme 1q2w3e 147258369 superman 147258 admin1 mnbvcxz admin welcome 225588 !qaz1QAZ 123 p0o9i8u7 apple aaa !QAZ2wsx administrator zzzzzz oracle qwerty china 0000 rootpass 7890pp letmein abcd1234 1122334455 raspberry abc1234 a1s2d3f4 rootroot P@ssw0rd qwert public adminpp 1q2w3e4r5t root 1234567890 qweasd guest asdfgh test123 zxcvbnm caonima - !QAZ@WSX 112233 147147 123654 q1w2e3r4t5 1234567 1q2w3e4r password1 root123 123456789 12345qwert qweasdzxc 110110 159357