Hack the Hacker: A Guide to Setting Up an SSH Honeypot

Learn how to set up an SSH honeypot to detect and analyse network attacks in real time: configure a decoy SSH server, record the credentials and IP addresses attackers use, and turn that into threat intelligence and better system defences.

Hack the Hacker - How to Setup an SSH Honeypot

What is a honeypot:

A honeypot detects and logs attacks; it comes into play when an attacker tries to break into a system.

The honeypot discussed here is an SSH honeypot.

Foreword

This article follows my earlier post about running an SSH honeypot for 30 days in a real environment. That post drew quite a bit of attention, and I received many requests to show how I set up and configured the SSH honeypot.

Previous article:

Sofiane's blog - What I learned from running an SSH honeypot for 30 days

r/CyberSecurity Reddit

YCombinator Hacker News

Requirements

We will do the setup on a plain VPS with no particular pre-configuration.

[!IMPORTANT]
This setup is for research and testing only; do not deploy it on your local network or on a personal/work network.

VPS

Choose whichever VPS provider suits your needs.

Cowrie honeypot

There are several well-known SSH honeypots; the one we use here is called Cowrie.

It is an improved successor of the well-known Kippo honeypot.


Docker

This installation uses Cowrie's Docker image.

You therefore need Docker installed on the new VPS; follow the official Docker documentation to install it.


Packages to install

  • python3
  • wget

Configuration

I usually change the default SSH port on my servers and machines.

My preferred approach is to move the real SSH daemon to a port such as 2022 and have the honeypot listen on the default SSH port, 22.

Installation

Cowrie listens on port 2222 by default. In the Docker container we map that port to port 22 on the host, so every scanning bot and attacker that probes the default SSH port is steered straight into the honeypot.


Create, configure and switch to the cowrie user:

> sudo adduser --disabled-password cowrie # add the user
Adding user 'cowrie' ...
Adding new group 'cowrie' (1002) ...
Adding new user 'cowrie' (1002) with group 'cowrie' ...
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]

> sudo usermod -aG docker cowrie # add the cowrie user to the docker group

> sudo su - cowrie # switch to the cowrie user

Before going further, create folders on the VPS to hold all the logs, so they are directly accessible on the host rather than only inside the container.

Also make the "cowrielog" and "cowrietty" folders readable and writable by all users, so the container can write to them.

> mkdir cowrielog && mkdir cowrietty
> chmod -R a+rw cowrielog/ cowrietty/

Start the Cowrie honeypot:

> docker run --name cowrie -p 22:2222 -v /home/cowrie/cowrielog:/cowrie/cowrie-git/var/log/cowrie/ -v /home/cowrie/cowrietty:/cowrie/cowrie-git/var/lib/cowrie/tty cowrie/cowrie:latest
2024-06-17T14:47:28+0000 [-] Python Version 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]
2024-06-17T14:47:28+0000 [-] Twisted Version 24.3.0
2024-06-17T14:47:28+0000 [-] Cowrie Version 2.5.0
2024-06-17T14:47:28+0000 [-] Loaded output engine: jsonlog
2024-06-17T14:47:28+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 24.3.0 (/cowrie/cowrie-env/bin/python3 3.11.2) starting up.
2024-06-17T14:47:28+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2024-06-17T14:47:28+0000 [-] CowrieSSHFactory starting on 2222
2024-06-17T14:47:28+0000 [cowrie.ssh.factory.CowrieSSHFactory#info] Starting factory <cowrie.ssh.factory.CowrieSSHFactory object at 0x7c4c73951b10>
2024-06-17T14:47:28+0000 [-] Generating new RSA keypair...
2024-06-17T14:47:28+0000 [-] Generating new ECDSA keypair...
2024-06-17T14:47:28+0000 [-] Generating new ed25519 keypair...
2024-06-17T14:47:28+0000 [-] Ready to accept SSH connections

Analysing the logs

The log files are in ~/cowrielog; the tty replay logs are in ~/cowrietty.

Using Linux commands

The jq command lets you filter and organise the output: it extracts exactly the fields you need from JSON data.

JSON-formatted logs have clear advantages in structure, readability, robustness of processing and observability, which makes them the natural choice for modern software development and operations logging.

Get all login attempts:

> jq '. | select(.eventid | startswith("cowrie.login"))' cowrie.json

Sample output:

{
  "eventid": "cowrie.login.failed",
  "username": "tserver",
  "password": "tserver",
  "message": "login attempt [tserver/tserver] failed",
  "sensor": "8caf2d7e4943",
  "timestamp": "2024-06-17T14:56:07.547278Z",
  "src_ip": "59.24.160.227",
  "session": "6530ab02251d"
}
{
  "eventid": "cowrie.login.failed",
  "username": "student02",
  "password": "student02",
  "message": "login attempt [student02/student02] failed",
  "sensor": "8caf2d7e4943",
  "timestamp": "2024-06-17T14:56:12.223248Z",
  "src_ip": "59.24.160.227",
  "session": "56b69171281c"
}
{
  "eventid": "cowrie.login.failed",
  "username": "vyos",
  "password": "vyos",
  "message": "login attempt [vyos/vyos] failed",
  "sensor": "8caf2d7e4943",
  "timestamp": "2024-06-17T14:56:16.560385Z",
  "src_ip": "59.24.160.227",
  "session": "c0fcc16bedfc"
}

Get all successful login attempts:

> jq '. | select(.eventid == "cowrie.login.success")' cowrie.json

Sample output:

{
  "eventid": "cowrie.login.success",
  "username": "root",
  "password": "Passw0rd",
  "message": "login attempt [root/Passw0rd] succeeded",
  "sensor": "8caf2d7e4943",
  "timestamp": "2024-06-17T14:53:39.274245Z",
  "src_ip": "141.98.10.106",
  "session": "d5c5f7b97455"
}

Get all failed login attempts:

> jq '. | select(.eventid == "cowrie.login.failed")' cowrie.json

Sample output:

{
  "eventid": "cowrie.login.failed",
  "username": "vsftp",
  "password": "vsftp",
  "message": "login attempt [vsftp/vsftp] failed",
  "sensor": "8caf2d7e4943",
  "timestamp": "2024-06-17T14:55:55.663982Z",
  "src_ip": "59.24.160.227",
  "session": "164c6534c698"
}
{
  "eventid": "cowrie.login.failed",
  "username": "yangjie",
  "password": "yangjie",
  "message": "login attempt [yangjie/yangjie] failed",
  "sensor": "8caf2d7e4943",
  "timestamp": "2024-06-17T14:55:59.626399Z",
  "src_ip": "59.24.160.227",
  "session": "809749c9eba7"
}
{
  "eventid": "cowrie.login.failed",
  "username": "pedro",
  "password": "pedro",
  "message": "login attempt [pedro/pedro] failed",
  "sensor": "8caf2d7e4943",
  "timestamp": "2024-06-17T14:56:03.966702Z",
  "src_ip": "59.24.160.227",
  "session": "b9bee41ed3d2"
}

Count all login attempts (success and failure together):

> cat cowrie.json | grep "cowrie.login" | wc -l

12419

Count successful logins:

> cat cowrie.json | grep "cowrie.login.success" | wc -l

379

Count failed logins:

> cat cowrie.json | grep "cowrie.login.failed" | wc -l

12040

Get the source IP addresses:

> jq '.src_ip' cowrie.json

"141.98.10.106"
"141.98.10.106"
"141.98.10.106"
"141.98.10.106"
"59.24.160.227"
"59.24.160.227"
"59.24.160.227"
"59.24.160.227"
"59.24.160.227"
"59.24.160.227"

Inspecting the commands that were executed

Filter the log file:

> jq '. | select(.eventid == "cowrie.command.input")' cowrie.json

Sample output:

{
  "eventid": "cowrie.command.input",
  "input": "cd ~; chattr -ia .ssh; lockr -ia .ssh",
  "message": "CMD: cd ~; chattr -ia .ssh; lockr -ia .ssh",
  "sensor": "2c091cd328dc",
  "timestamp": "2024-06-18T00:38:20.746663Z",
  "src_ip": "121.156.118.253",
  "session": "22e1e1e98a94"
}
{
  "eventid": "cowrie.command.input",
  "input": "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~",
  "message": "CMD: cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~",
  "sensor": "2c091cd328dc",
  "timestamp": "2024-06-18T00:38:21.702641Z",
  "src_ip": "121.156.118.253",
  "session": "22e1e1e98a94"
}
...
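The jq one-liners above each answer one question per pass over cowrie.json. As an added example (not part of the original article or of Cowrie itself), the following Python script answers them all in a single pass, tolerates malformed lines, and additionally flags sessions whose commands look like the persistence attempt captured above (writing to authorized_keys, chattr). The sample log lines embedded in it are constructed for the demonstration, not real capture data.

```python
"""Single-pass summary of a Cowrie jsonlog file (one JSON object per line):
login counts, top source IPs and credentials, and persistence-style commands."""
import json
from collections import Counter

# Constructed sample in Cowrie's jsonlog layout (not real capture data).
SAMPLE_LOG = "\n".join([
    '{"eventid":"cowrie.login.failed","username":"vyos","password":"vyos",'
    '"src_ip":"59.24.160.227","session":"c0fcc16bedfc"}',
    '{"eventid":"cowrie.login.failed","username":"pedro","password":"pedro",'
    '"src_ip":"59.24.160.227","session":"b9bee41ed3d2"}',
    '{"eventid":"cowrie.login.success","username":"root","password":"Passw0rd",'
    '"src_ip":"141.98.10.106","session":"d5c5f7b97455"}',
    '{"eventid":"cowrie.command.input","input":"cd ~ && rm -rf .ssh && mkdir .ssh'
    ' && echo \\"ssh-rsa AAAA...\\">>.ssh/authorized_keys","src_ip":"141.98.10.106",'
    '"session":"d5c5f7b97455"}',
    '{"eventid":"cowrie.session.closed","src_ip":"141.98.10.106","session":"d5c5f7b97455"}',
    'not json: a truncated or garbled line must not abort the whole run',
])

# Substrings in attacker input that typically indicate a persistence attempt
# (the authorized_keys write and chattr seen in the captured session above).
PERSISTENCE_MARKERS = ("authorized_keys", "chattr", "crontab")

def summarize(text):
    """Count login events, rank source IPs and credential pairs, and collect
    per-session command inputs that match PERSISTENCE_MARKERS."""
    logins, src_ips, creds = Counter(), Counter(), Counter()
    persistence = {}  # session id -> list of suspicious command inputs
    malformed = 0
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # count and skip, like a robust log pipeline would
            continue
        eid = ev.get("eventid", "")
        if eid.startswith("cowrie.login"):  # same filter as the first jq command
            logins[eid] += 1
            src_ips[ev.get("src_ip", "?")] += 1
            creds[(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            if any(marker in cmd for marker in PERSISTENCE_MARKERS):
                persistence.setdefault(ev.get("session"), []).append(cmd)
    return {"logins": dict(logins), "top_src_ips": src_ips.most_common(5),
            "top_creds": creds.most_common(5), "persistence": persistence,
            "malformed": malformed}
```

To run it against a real capture, pass the contents of ~/cowrielog/cowrie.json to summarize() instead of SAMPLE_LOG.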

Replaying session logs with Cowrie playlog

With playlog you can replay the commands executed during a tty session.

> cd ~/cowrietty && wget https://raw.githubusercontent.com/cowrie/cowrie/master/src/cowrie/scripts/playlog.py

> python3 playlog.py <SESSION ID>

Sample input and output:

> python3 playlog.py cc1eb03e9b5926d8076e25826664a04400de854bf5cc660fa35eb86cbdf7dc0f

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

Want to go further?

You can configure Cowrie to integrate with log-monitoring tools; see the official Cowrie documentation for the relevant configuration and installation steps.
