SSH is one of the most common protocols in the world for securely connecting to other machines that run an SSH server. An SSH server is enabled on pretty much every home router, often without the user's awareness. Sometimes Telnet is enabled instead of SSH, which is much worse security-wise, because it sends and receives all data in plaintext.
Because manufacturers very rarely update their firmware, the chances that you are running an outdated and vulnerable version of the SSH server are really high. From time to time, news breaks about new CVEs (Common Vulnerabilities and Exposures), such as #sambacry and #dirtycow. Most of the time, manufacturers don't care whether there is a security issue or even a back door, and instead of maintaining an old device, they will usually tell you to buy a new one. That's what we wanted to change with Turris Omnia.
To learn who the attackers are, what methods they use and from which IP addresses they conduct their attacks, we implemented an SSH honeypot. It is basically a "fake" SSH server that we deliberately let attackers connect to so that we can monitor their behavior.
The more targets the attackers try to reach, the more information we get about them and the better the chances that we can reveal them, block them (or fix affected devices) and publish information about them.
The aim of this article is to show you how to run an SSH honeypot on your Turris router and thereby help us gather information that will help us combat attackers. For example, the most recently revealed botnet, known as Mirai, was discovered using similar methods.
You can get statistics on everything that is logged under your user profile at https://project.turris.cz. There you can also find a lot of other useful information, such as how much data you send and receive, which protocol is the most frequent, and connection and bandwidth utilization.
An example of what you can see in your user profile:
Information about the attacker:
Our main priority is safety, which is why we don't run the SSH honeypot directly on your router. Otherwise, there would be a small chance of an attacker breaking out of the emulated environment into your main system, and we certainly don't want that. To avoid this, we redirect the SSH traffic from your router to our servers. Attackers won't see any difference, because to them it looks exactly the same: they will use credentials (not yours, but mostly default usernames and passwords such as admin;admin or admin;12345) to log into "your router", with the only difference being that they are doing it on our end and your router is only a transparent gateway. Hence, we take all the risk away from you, but you (and others) still get all the benefits.
You can install the SSH honeypot in the Foris web interface: under the Updater tab, check SSH honeypot and confirm. The next step is to set up port forwarding in the firewall.
The SSH honeypot has to be open to anyone so that attackers can use it. We want you to have this under full control, which is why, by default, the SSH honeypot is reachable from the outside network only on the (anonymous) port 58732. You can test this yourself and see the result in the statistics mentioned earlier, with a delay of one day. Don't use your real password when testing, because the SSH honeypot records the password you used. If you would like the SSH honeypot to be available to everyone, you will need to redirect port 22 to port 58732.
If you run a publicly available SSH server on port 22, it won't be reachable after this port forwarding is in place; connections to port 22 will land in the SSH honeypot instead. If you want to use SSH for remote administration, you will need to forward it to another port. How to do that is shown in a separate step below.
In the LuCI user interface, choose the Firewall menu and then Port forwarding. At the bottom, add a new port forward and fill in the following information:
Now click "Add" and then "Save & Apply".
This change redirects port 22 only for connections coming from outside your network, so you will still be able to use port 22 in your local LAN.
If you use SSH for remote access to your router, you need to make it reachable on a port other than 22 by forwarding that other port to port 22; otherwise you will be connected to the honeypot. Changing the SSH port can be a simple protection against intrusion attempts. Don't forget to use a strong password, or better, a public key for logging in.
The method is the same as before; you just need to add a port forward with the following settings:
For obvious reasons, choose port numbers that are not already in use.
If you don't specify the port in your SSH client, the default port (22) will be used and you will be connected to the honeypot, which could record your password. For this reason it is better to log in with a public key.
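The two LuCI port forwards described above correspond to two `redirect` stanzas in OpenWrt's `/etc/config/firewall`. The script below is an added example, not part of the Turris article or the Turris firmware: it prints those stanzas and checks the admin port against the rules the article gives (not 22, not 58732, a valid TCP port). Port 58732 is the honeypot port from the article; 2222 is a constructed example for the admin port, not a Turris default. That a `DNAT` redirect without `dest_ip` lands on the router itself (the same thing as leaving "Internal IP address" empty in LuCI) is an assumption about OpenWrt's fw3 behaviour.

```shell
#!/bin/sh
# Added example, not from the Turris article: emit the /etc/config/firewall
# "redirect" stanzas that match the two LuCI port forwards described above.
# Plain POSIX sh that only prints text, so it runs anywhere. On the router you
# would append the output to /etc/config/firewall and run
# "/etc/init.d/firewall restart".
#
# Assumptions: 58732 is the honeypot port from the article; 2222 is a
# constructed example for the admin SSH port; a DNAT redirect with no dest_ip
# is assumed to target the router itself (fw3 behaviour, same as an empty
# "Internal IP address" field in LuCI).

HONEYPOT_PORT=58732
SSHD_PORT=22

# Print one redirect stanza. Arguments: name, external (WAN) port, internal port.
# "src 'wan'" restricts the rule to traffic arriving from outside, which is
# why port 22 keeps reaching the real sshd from inside your own LAN.
redirect_stanza() {
    echo "config redirect"
    printf '\toption %s\n' \
        "name '$1'" \
        "src 'wan'" \
        "src_dport '$2'" \
        "dest_port '$3'" \
        "proto 'tcp'" \
        "target 'DNAT'"
}

# Step 1 of the article: WAN port 22 -> honeypot listener on 58732.
honeypot_redirect() {
    redirect_stanza 'ssh-honeypot' "$SSHD_PORT" "$HONEYPOT_PORT"
}

# Step 2 of the article: an unused WAN port -> the real sshd on port 22,
# so remote administration keeps working after step 1.
admin_ssh_redirect() {
    redirect_stanza 'ssh-admin' "$1" "$SSHD_PORT"
}

# Validate the admin port: numeric, within 1..65535, and not colliding with
# 22 (now the honeypot entry point) or 58732 (the honeypot listener).
# Returns 0 if acceptable, 1 otherwise.
check_admin_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    [ "$1" -ne "$SSHD_PORT" ] && [ "$1" -ne "$HONEYPOT_PORT" ]
}

# Demo with the constructed admin port 2222.
ADMIN_PORT=2222
if check_admin_port "$ADMIN_PORT"; then
    honeypot_redirect
    echo
    admin_ssh_redirect "$ADMIN_PORT"
else
    echo "port $ADMIN_PORT is not usable for admin SSH" >&2
fi
```

After applying the stanzas, connect from outside with `ssh -p 2222 root@<your-public-address>` (or put a `Host` entry with `Port 2222` in your `~/.ssh/config`), otherwise your client will fall back to port 22 and talk to the honeypot. Key-based authentication avoids typing a password that the honeypot could record if you ever get the port wrong.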