Happy Birthday: Facebook Post Experiment & SSH Honeypot

Another birthday, and it’s a reminder that yet another year has passed. Time seems to pass by quickly, even when you do your best to make the most of every day without overloading yourself. That’s just how life is, I suppose. Unfortunately, nothing can stay the same, and that includes me. I am getting older, and likewise, my interests and technology continue to evolve. The only way forward is to keep up with the changes.

While readers might be familiar with the site’s humble beginnings, it is now regularly serving over 1,800 views a day, at times close to 2,400 views in a day, which is a bit of a stretch for an “economy” hosting plan. Its Alexa rank has slipped to about 500,000, but is still plenty of places above where I thought it would be. I am still trying to make the most of it – balancing expense with quality of service, and using my time to bring readers “unique” content which I have built personally (unless otherwise noted). Monthly traffic exceeds 180GiB, even with the help of GZIP and CloudFlare caching.

As a result, I’m not always able to keep up with the comments and e-mail that come in. Sorry if I haven’t been able to reply to your e-mail or comment – I simply don’t have the time sometimes, and other times, I really can’t help you out – sometimes due to copyright reasons. I must apologize to some readers, as they get “lost” in the myriad of technology themes, especially those who may have subscribed due to an interest in any “one” particular theme, for example shortwave DX or retrocomputing, which I haven’t had much time to revisit despite having piles of things to put up “when I get around to it.” I always promise to make things easier to navigate, but I never get around to it!

In essence, this has turned into more of a (messy) engineer’s logbook of things I have done, or random-reference resource that people stumble across by Google. While some people may look upon what I have achieved and be envious, rest assured that I regularly look upon their lives in a similar sort of envy. We always want what we don’t have.

[Photo: IMG_1994]

To that end, I am trying to be a (little) more social, being the introvert that I am. I hope to meet someone who is truly my “other half” – about time as well, especially when I look around my Facebook feed. However, it’s not easy when you’re as nerdy and introverted as I am.

While I don’t have the time to personally thank everyone for sending me a “happy birthday” post or message, I guess this post (with the obligatory cake photo) will have to do. As a reward, here are the results of two random experiments which I “set up” to happen at about the time of my birthday.

Facebook Post Experiment

This experiment started last year, when I thought it was a good idea to take a look at how many people bothered to wish me Happy Birthday on my Facebook wall. The theme was along the lines of declining engagement with Facebook by users, and originally it was supposed to be a tongue-in-cheek look at how I might not get any posts.

While there was a big flaw with that finding – namely, my family will probably continue to post despite the lack of value in doing so – the idea is somewhat solid. Of course, most of the posts were simplistic variations on a simple theme with not much substance, and despite Facebook’s introduction of a reminder system which tells you about birthdays and encourages you to make a post, the trend is firmly downward.

[Chart: Percentage-of-Friends]

Dividing the number of posts received within the 24-hour period of my birthday by the number of friends allows us to plot the percentage of friends who posted a message to my wall. While not as dire as initially estimated (under 2%), it is still notably less than last year. I haven’t actually gained many friends in the period (under 2%), so this probably reflects some of my friends “not bothering” anymore. Exactly what I’d expect from declining engagement with Facebook.

As for “template responses”, it seems this year, all of the messages can be categorized as a template response due to their general structure of “happy” + “birthday” + <optional “name”> + <optional ‘!’ repeated n times> + <optional cliche statement>. It was predicted that this would rise to about 95%, so this represents a less thoughtful posting, probably as a result of desensitization by being reminded about birthdays … or more likely, a lack of connection with me “personally”.

[Chart: Post-Forecast]

The actual number of posts did decrease as expected, and taking an exponential fit (rather than a silly linear one last year), it seems that we’re going to lose one or two posts by next year, despite Facebook (and the world population) continuing to grow.

Is this such a bad thing? Arguably not. If our interactions are templated, and a function of social convention, aside from being a social “lubricant”, the posts serve no real purpose. A reduction in the number of posts might actually save Facebook some storage space in their database, and reduce the energy consumption of their services.

Of course, all of this could be explained by the fact that my Facebook friends don’t actually like me anymore, or consider me their friend … a hypothesis that I’m not willing to discount just yet.

The SSH Honeypot Experiment

The more technologically inclined readers will probably like this segment of the post a little more than the last. One of my friends showed me an SSH attack “map” earlier in the month, and I really didn’t think it looked quite right. Having been the victim of brute forcing early in the life of this site, I decided to create an SSH honeypot and try to make my own “map” of the attack space.

On 7th April, I brought up a box running OpenSSH and forwarded port 22 through the router to it. The box was secured, of course, to avoid an actual intrusion, while still “tempting” would-be brute-forcers. It ran continuously on a home ADSL2+ connection, with the address not published anywhere.

The box was left running, and the logs from 12th to 18th April (a one-week period) were inspected with a program written to parse them and gather statistics about the actual brute-force attempts. The initial logs were discarded to allow scanners sufficient time to discover the box and begin their attempts.

The logs were combed for the number of attempts per IP address, and a reverse DNS lookup and geolocation of each IP were used to determine the country of origin (imprecise, but close enough). The number of attempts for each unique username was recorded as well. Full data at the end of this posting.
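As an added example (not the author’s parser), this is how the per-IP and per-username tallies and the summary figures reported in the Findings below can be derived from OpenSSH’s auth log. The log lines are constructed in TEST-NET documentation address ranges, the year is an assumption because syslog omits it, and the reverse DNS / geolocation step is left out because it needs external lookups.

```python
"""Parse OpenSSH "Failed password" lines and produce the honeypot statistics
the post reports: attempts per IP, attempts per username, share of attempts
aimed at root, mean gap between attempts and time to first attempt.

Added example, not the author's program.  The log lines are constructed
(TEST-NET addresses); the year is an assumption because syslog timestamps
omit it; reverse DNS and geolocation are omitted (external lookups).
"""
import re
from collections import Counter
from datetime import datetime

YEAR = 2015                                    # assumption: syslog lines carry no year
PORT_OPENED = datetime(YEAR, 4, 12, 0, 0, 0)   # constructed: when port 22 was forwarded
SURVEY_SECONDS = 7 * 24 * 3600                 # the post's one-week survey window

# sshd logs one of these per rejected password; "invalid user " is inserted
# when the account does not exist on the box.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: three scanners plus one legitimate key-based login.
SAMPLE_LOG = """\
Apr 12 00:36:10 honeypot sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 12 00:36:14 honeypot sshd[2103]: Failed password for root from 192.0.2.10 port 40002 ssh2
Apr 12 00:36:19 honeypot sshd[2105]: Invalid user test from 198.51.100.7
Apr 12 00:36:19 honeypot sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 52110 ssh2
Apr 12 00:36:25 honeypot sshd[2107]: Failed password for root from 192.0.2.10 port 40003 ssh2
Apr 12 00:36:31 honeypot sshd[2109]: Failed password for invalid user admin from 203.0.113.42 port 33000 ssh2
Apr 12 00:36:40 honeypot sshd[2111]: Accepted publickey for gough from 192.0.2.99 port 50000 ssh2: RSA SHA256:constructed
Apr 12 00:36:44 honeypot sshd[2113]: Failed password for root from 198.51.100.7 port 52111 ssh2
Apr 12 00:36:50 honeypot sshd[2115]: Failed password for invalid user nagios from 203.0.113.42 port 33001 ssh2
Apr 12 00:37:02 honeypot sshd[2117]: Failed password for root from 192.0.2.10 port 40004 ssh2
"""


def parse_failed_logins(log_text, year=YEAR):
    """Return [(timestamp, username, ip)] for every rejected password."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue            # accepted logins, "Invalid user" notices, noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def summarize(events, period_seconds, port_opened=None):
    """Compute the figures in the shape of the post's findings list."""
    ips = Counter(ip for _, _, ip in events)
    users = Counter(user for _, user, _ in events)
    total = len(events)
    summary = {
        "attempts": total,
        "unique_ips": len(ips),
        "root_share_pct": round(100.0 * users["root"] / total, 2) if total else 0.0,
        # the post's metric: survey period divided by number of attempts
        "mean_gap_s": round(period_seconds / total, 2) if total else None,
        "top_ips": ips.most_common(3),
        "top_users": users.most_common(3),
    }
    if port_opened is not None and events:
        first = min(ts for ts, _, _ in events)
        summary["first_attempt_min"] = round((first - port_opened).total_seconds() / 60, 1)
    return summary


def analyze_sample():
    """Run the whole pipeline over the constructed log."""
    return summarize(parse_failed_logins(SAMPLE_LOG), SURVEY_SECONDS, PORT_OPENED)


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```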

Findings

Some of the summary findings from this honeypot experiment are as follows:

  • The time from port opening to the first brute force attempt was about 36 minutes.
  • During the survey period, 499 unique IP addresses were caught attempting to login to the box, by pure “scanning” it seems.
  • A total of 142,542 attempts were made, an average of 4.24 seconds between attempts.
  • 96.68% of all attempts were made for the username “root”.
  • Total bandwidth usage exceeded 200MiB on some days in pure traffic spent answering phony SSH requests. This means scanning traffic could reach 6GB in a month, equal to the whole monthly broadband bandwidth allowance for some plans.
  • China and Hong Kong were the main attackers on a number of attempts basis, with Bahrain, China and Hong Kong taking the cake for the number of unique hosts.
  • A check did not correlate any of the attacking IP addresses with Tor exit nodes.
  • Most IP addresses had no reverse DNS records available.

Let’s take a look at some of these findings in a graphical format.

[Chart: Username Hit Count]

See the big blue pie? Yep. That’s all the attempts at a password for “root” – so it’s probably best not to have a root account, or at least not one under the “root” name.

[Chart: Username Hit Count excl root]

If we exclude “root” from the pie, we get the remaining ~3.6% of attempted account names. Many of the names are standard names you might use, based on application names, or default hard-coded administrative accounts, some of which are device specific. Not all of them can be seen in the legend due to the scale – see data section for full data.

[Chart: Number of Hosts per Country]

Looking at the number of unique hosts by country, Bahrain interestingly tops the list, followed by China and Hong Kong. This may be due to malware and worms, because the picture changes considerably when the number of attempts is plotted by country.

[Chart: Number of Attempts by Country]

China and Hong Kong together account for roughly 90% of all the brute-force attempts. This indicates concentrated, deliberate and systematic attacking from those sources, whereas the other countries show quicker and less systematic attempts, perhaps as a quick way to infect neighbouring machines.

Despite what others may say about security through obscurity, running SSH on port 22 only invites chatter, wastes bandwidth and potentially puts you at risk. The same applies to other common alternatives, such as 222 or 2222. Moving it to a different port has reduced the load on my SSH-accessible boxes to pretty much that of my own usage, so it’s recommended, along with other SSH authentication best practices.

Data – List of Hosts


Data – List of Usernames

Username Count
root 137812
test 565
nagios 288
admin 256
zabbix 200
guest 199
oracle 98
zxin10 92
git 68
ubuntu 60
tomcat 56
apache 54
weblogic 48
cacti 48
zhaowei 48
www-data 43
web 42
ubnt 42
ftpuser 39
ftp 36
user 33
MGR 33
postgres 32
jboss 32
webadmin 31
mysql 30
squid 30
support 26
info 26
Test 24
boot 22
sysadmin 22
nginx 20
r00t 18
PlcmSpIp 17
dff 16
svn 16
hadoop 16
www 16
java 16
apache2 16
httpd 16
zhangyan 14
vnc 14
plesk 14
vyatta 14
slview 14
deploy 14
xiuzuan 12
alex 12
tom 12
common 12
nobody 12
wangyi 12
operator 11
system 11
Administrator 11
123456 10
123 10
pi 10
usuario 10
grid 10
administrator 10
pgadmin 10
cms 10
patrol 10
FIELD 10
MANAGER 9
bash 8
webapp 8
dev 8
test2 8
david 8
sasaki 8
teamspeak 8
mysql2 8
cvs 8
mongodb 8
smbuser 8
images 8
centos 8
helen 8
john 8
sshusr 8
webuser 8
portal 8
D-Link 8
isadmin 8
infratel 8
setup 7
login 7
service 6
atsuser 6
huawei 6
bin 6
catadmin 6
cactiuser 6
avconroot 6
ds 6
ratan 6
mas 6
testftp 6
tsminst1 6
hmsftp 6
cron 6
syscheck 6
matlab 6
amitj 6
amandabackup 6
lsfadmin 6
office 6
user01 6
apc 6
ftpuser1 6
helpdesk 6
nms 6
jack 6
yang 6
edu 6
webmaster 6
user1 6
manager 6
default 6
mysql1 6
demo 6
db2fenc1 6
mqm 6
eshop 6
redis 6
ved 6
cvsadmin 6
ftptest 6
ajay 6
sshuser 6
jake 6
solr 6
chandru 6
rabbitmq 6
gerrit2 6
vncuser 6
nan 6
nologin 6
OPERATOR 6
MAIL 6
webmail 6
blank 5
HELLO 5
maint 5
cgi 4
a 4
redmine 4
sybase 4
pos 4
db2inst1 4
vinod 4
hhj 4
epg 4
tanimoto 4
nemoto 4
aaron 4
devdata 4
live 4
deepak 4
air 4
cmsftp 4
medtech 4
himanshu 4
itadmin 4
openbravo 4
rahulb 4
dbuser 4
developer 4
mpi 4
tracking 4
omcuser 4
mandy 4
naveen 4
bmp 4
ces 4
cti 4
msp 4
auser 4
frank 4
anu 4
bao 4
cs 4
gdnslog 4
sw 4
jjs 4
user10 4
cdr 4
digital1 4
johannes 4
max 4
theresa 4
cat 4
kat 4
chris 4
sam 4
janak 4
lisa 4
khaled 4
audrey 4
beyond 4
sandeep 4
nforge 4
postfix 4
upload 4
public 4
emily 4
backuppc 4
security 4
deployer 4
nexus 4
sonar 4
xbian 4
alin 4
test1 4
testuser 4
tester 4
adam 4
deme 4
mongodb2 4
eric 4
db2fenc 4
steven 4
lihan 4
username 4
syncro 4
nfsnobody 4
craft 4
super 4
superuser 4
ts 4
telkom 4
siaga 4
centerback 4
hotbill 4
guestadmin 4
guestuser 4
guestx 4
javaprg 4
resin 4
apache1 4
httpd2 4
httpdocs 4
nagiosadmin 4
nagiosuser 4
ftp1 4
ftpd 4
sshd 3
backup 3
tech 3
sysadm 3
install 3
diag 3
admim 3
cusadmin 3
supervisor 3
ADVMAIL 3
browse 3
inads 3
superman 3
lp 3
Polycom 3
piranha 3
op 3
tose 2
dasusr1 2
imapuser 2
inst01 2
wwwrun 2
mgm 2
oracle10 2
psd 2
svnadmin 2
websync 2
cnred 2
oracle11 2
student 2
abc123 2
1 2
2 2
mf 2
business 2
boris 2
chandu 2
apple 2
matthew 2
julien 2
ikeda 2
kas 2
arun 2
gis 2
bill 2
marc 2
jinseok 2
nikhil 2
sghosh 2
jurist 2
dima 2
thomas 2
ktkim 2
kjs 2
hxhtftp 2
user07 2
ldap 2
gopal 2
benny 2
benoit 2
jmpark 2
smg 2
garden 2
hacluster 2
gao 2
ftpadmin 2
controller 2
amavisd 2
rsync 2
jenkins 2
tuxedo 2
gwaf 2
garrysmod 2
xiaow 2
zsofi 2
rtorrent 2
ibmuser 2
hduser 2
asterisk 2
debian 2
oracle2 2
soft 2
temp 2
operador 2
daniel 2
pc 2
polycom 2
server 2
soporte 2
project 2
skaner 2
master 2
servidor 2
log 2
pgsql 2
mike 2
alan 2
git1 2
deploy1 2
gitadmin 2
gittest 2
supersys 2
wasadmin 2
maximo 2
db2inst3 2
db2admin 2
vijay 2
db2inst2 2
db2fenc2 2
vbox 2
ttf 2
iptv 2
alice 2
Sorin 2
amix 2
dede 2
ghost 2
gusr 2
gyaseen 2
kde 2
koba 2
nano 2
nfsnobod 2
paras 2
payment 2
red 2
isa 2
smokey 2
xVIRal 2
amanda 2
martin 2
fidelity 2
z 2
monitor 2
claudia 2
cisco 2
adrian 2
jerry 2
marie 2
rk 2
anna 2
library 2
bruce 2
bob 2
five 2
barbara 2
emma 2
debug 2
adminttd 2
3comcso 2
recovery 2
User 2
volition 2
3play 2
addon 2
airlive 2
kermit 2
dhs3mt 2
at4400 2
mtch 2
mtcl 2
dhs3pms 2
adfexc 2
client 2
halt 2
SUPERUSER 2
1234 2
acc 2
device 2
IntraSwitch 2
IntraStack 2
readonly 2
DTA 2
Service 2
manuf 2
dadmin 2
isp 2
installer 2
mediator 2
cellit 2
cmaker 2
netrangr 2
bbsd-client 2
Cisco 2
hsa 2
wlse 2
wlseuser 2
citel 2
comcast 2
PFCUser 2
corecess 2
cgadmin 2
Alphanetworks 2
davox 2
MDaemon 2
PBX 2
NETWORK 2
draytek 2
tiger 2
netman 2
websecadm 2
MD110 2
anonymous 2
maintainer 2
manage 2
DSL 2
netadmin 2
PCUSER 2
RSBCMON 2
WP 2
SPOOLMAN 2
Factory 2
vodafone 2
telecomadmin 2
storwatch 2
vt100 2
superadmin 2
hscroot 2
USERID 2
tmadmin 2
iclock 2
Admin 2
SYSDBA 2
intermec 2
JDE 2
PRODDTA 2
netscreen 2
readwrite 2
LUCENT01 2
LUCENT02 2
bciim 2
bcim 2
bcms 2
bcnas 2
blue 2
cust 2
enquiry 2
init 2
locate 2
rcust 2
scmadmin 2
medion 2
MICRO 2
router 2
SYSADM 2
GlobalAdmin 2
ben 2
Gearguy 2
mythtv 2
tnmspon 2
rpcuser 2
gopher 2
ns 2
ashish 2
naadmin 2
netopia 2
e500 2
vcr 2
m1122 2
telecom 2
disttech 2
mlusr 2
l2 2
l3 2
ro 2
rw 2
rwa 2
spcl 2
ccrusr 2
266344 2
adminview 2
adminstat 2
adminuser 2
cac_admin 2
write 2
echo 2
on 2
telekom 2
adminpldt 2
engmode 2
radware 2
wradmin 2
teacher 2
temp1 2
admin2 2
adminstrator 2
deskalt 2
deskman 2
desknorm 2
deskres 2
replicator 2
RMUser1 2
topicalt 2
topicnorm 2
topicres 2
GEN2 2
ADMN 2
eng 2
su 2
31994 2
poll 2
smc 2
mso 2
1.79 2
SSA 2
stratacom 2
surecom 2
sweex 2
target 2
super.super 2
xbox 2
telco 2
tellabs 2
tiara 2
NAU 2
UNIDEN 2
Any 2
enduser 2
VTech 2
CSG 2
witpack 2
VNC 2
rapport 2
1502 2
xd 2
11111 2
ADSL 2
ZXDSL 2
HPN 2
unknown 2
sales 2
uploader 2
marketing 2
alu 2
amssys 2
poolerconf 2
ratmin 2
tlkmaddm 2
duktek 2
ipdn 2
netamdm 2
billing100 2
enigma 2
system_user 2
anin 2
sentral 2
itrack 2
sys 1
uucp 1

About lui_gough

I’m a bit of a nut for electronics, computing, photography, radio, satellite and other technical hobbies. Click for more about me!


8 Responses to Happy Birthday: Facebook Post Experiment & SSH Honeypot

  1. Geoge says:

    The top IP address is a VPS server – http://who.is/whois-ip/ip-address/43.255.191.143 hosted at http://93.gd/… Shows that abuse is kept under control well… -_-

  2. Geoge says:

    Happy Birthday by the way! 🙂
    In a few years I bet you will be posting saying you’re 21! 😉

    • lui_gough says:

      Thanks George!

      Eh, I’m not so sure about that. As a scientist, we’re taught not to shy away from the “truth” – and ageing is all part of the natural process, nothing to be ashamed of there. Of course, we will eventually yearn for our younger days when we may have been more free, more energetic, and more curious, but everyone has their own timeline and an agenda to make the most (or least, in some cases) of it. Lying to yourself? Well that ain’t going to fix anything :). I think I’ll look back in the future with less regrets than I otherwise would, because I can say that I’ve done many things I never thought I would. There’s always more to be done though.

      Thanks for the look-up – I did check it myself after I sent the post up and I did have a giggle at the NetName. VPS-es and VPNs are all ripe for abuse, but as you rightly noted, nobody seems to care. I think it’s also plenty nice that my ISP seems not to care either – traffic is traffic, and traffic is money. That being said, in the name of net neutrality, we have to take the good with the bad and I’d prefer an ISP that wasn’t listening in or tampering with my traffic to one that does – so I think it’s a good thing in some ways, albeit an annoying thing when abused. A few knocks on the door is fine … but not 10,000+ knocks. Maybe just for kicks, I’ll try it again with next week’s logs and see who comes out on top.

      – Gough

  3. sparcie says:

    I’ve also found that using a program like SSHguard or fail2ban is good for blocking intruders. SSHguard blocks IPs for an exponentially longer time each time they commit an offence, I believe. It’s funny that they target the root user the most, as root access is disabled by default and shouldn’t be enabled (use su or sudo instead). I agree using a different port of your own choosing is prudent; it reduces chatter like you said, but also CPU load on your machine. A while ago, before I modernised my server, I was running a SparcStation 20 (a vintage Sun machine) which had SSH access. I set it up on port 22 at first, much like yourself, and the chatter was enough to max out all the processors in the machine!

    Anyhow, belatedly, happy birthday!
    Sparcie

    • lui_gough says:

      Thanks for your comment! Indeed, Fail2ban is a recommended practice, but I find it relatively unnecessary with a very “esoteric” choice of port number. CPU usage is especially important for smaller, especially embedded devices for internet of things usage. If they were determined to scan all 65536 ports, go right ahead, but most aren’t that patient. If it’s outside the first 1024, they rarely look, unless it coincides with a popular service or popular alternate (e.g. 2222 for SSH, 8080 for HTTP, 5060 for SIP, 5900 for VNC, 9100 for print, etc). Besides, most people with a NAT device don’t have DMZ set to any particular box, so knocks on unused ports just silently get discarded which increases scanning time as well.

      It is, nonetheless, a deliberate experiment which I enjoyed, as it brought back memories of a time when the SSH knocking was collapsing my website, because they were served on one and the same Raspberry Pi. Those days are long gone … but the chatter remains :).

      Hope you didn’t get knocked about too badly with the storm – just saw your posting – I like to keep at least a 12v to 230v inverter so as to run it from a car if under a real emergency. Power banks for phones are a must. If you have a deep cycle 12v battery, that might go well with the inverter – plug a laptop in and use a phone for tethering for very “emergency” internet access. Standard LED torch and radio are a minimum requirement, as would a nice “corded” landline phone if you still have a landline (just don’t use it during the storm).

      – Gough
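
A defender’s-eye illustration of what sparcie and Gough discuss above (fail2ban/SSHguard-style blocking with escalating ban times, and the attackers’ preference for the root account), as an added Python example that is not code from the blog or from either commenter. The auth-log lines are constructed sample data in OpenSSH/syslog format using documentation IP ranges; the retry threshold, the observation window, the base ban time and the doubling factor are assumed values chosen for the demonstration, not the defaults of fail2ban or SSHguard.

```python
"""fail2ban-style SSH brute-force detection with escalating (SSHguard-like) bans.

Added example, not code from the blog or its commenters. Log lines below are
constructed; thresholds and ban times are assumed values, not any tool's defaults.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log style output (IPs from RFC 5737 ranges).
SAMPLE_LOG = """\
Jun 22 10:01:02 pi sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 22 10:01:05 pi sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jun 22 10:01:07 pi sshd[1236]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jun 22 10:01:09 pi sshd[1237]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jun 22 10:02:00 pi sshd[1240]: Accepted publickey for gough from 198.51.100.7 port 40000 ssh2
Jun 22 10:05:30 pi sshd[1241]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jun 22 10:40:00 pi sshd[1250]: Failed password for root from 203.0.113.5 port 52000 ssh2
Jun 22 10:40:01 pi sshd[1251]: Failed password for root from 203.0.113.5 port 52001 ssh2
Jun 22 10:40:02 pi sshd[1252]: Failed password for root from 203.0.113.5 port 52002 ssh2
Jun 22 11:30:00 pi sshd[1260]: Failed password for invalid user pi from 192.0.2.9 port 60002 ssh2
Jun 22 11:30:01 pi sshd[1261]: Failed password for invalid user ubnt from 192.0.2.9 port 60003 ssh2
"""

# Matches OpenSSH's "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (timestamp, username, source_ip) for each failed login."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not offences
        # syslog timestamps omit the year; strptime defaults it to 1900, which is
        # fine for computing differences between lines of one log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        failures.append((ts, m["user"], m["ip"]))
    return failures


class BanPolicy:
    """Ban an IP after `maxretry` failures inside `findtime`; each further ban
    of the same IP lasts `factor` times longer than the previous one."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=10), factor=2):
        self.maxretry, self.findtime, self.bantime, self.factor = maxretry, findtime, bantime, factor
        self.recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
        self.banned_until = {}             # ip -> expiry of the current ban
        self.ban_count = Counter()         # ip -> number of bans issued so far
        self.bans = []                     # (ip, start, duration_seconds) in order issued
        self.dropped = Counter()           # failures that arrived while the IP was banned

    def offence(self, ts, ip):
        """Record one failed login; return a ban tuple if this one triggers a ban."""
        if ip in self.banned_until and ts < self.banned_until[ip]:
            self.dropped[ip] += 1          # the firewall would have dropped this packet
            return None
        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()               # forget failures older than the window
        if len(window) < self.maxretry:
            return None
        duration = self.bantime * (self.factor ** self.ban_count[ip])
        self.ban_count[ip] += 1
        self.banned_until[ip] = ts + duration
        window.clear()
        ban = (ip, ts, int(duration.total_seconds()))
        self.bans.append(ban)
        return ban


def analyse(log_text, policy=None):
    """Run the log through the policy; also tally which usernames were targeted."""
    policy = policy or BanPolicy()
    users = Counter()
    for ts, user, ip in parse_failures(log_text):
        users[user] += 1
        policy.offence(ts, ip)
    return {"bans": policy.bans, "dropped": dict(policy.dropped), "users": users}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, start, secs in result["bans"]:
        print(f"ban {ip} at {start:%H:%M:%S} for {secs}s")
    print("dropped while banned:", result["dropped"])
    print("targeted usernames:", result["users"].most_common())
```

With the assumed policy, 203.0.113.5 is banned twice: a 10-minute ban after its third failure at 10:01:07 (the fourth attempt two seconds later is simply dropped) and a 20-minute ban when it returns at 10:40. 192.0.2.9 never reaches three failures inside one window, so it stays unblocked, which is the trade-off sparcie and Gough describe: a threshold low enough to catch patient scanners also raises the risk of locking out a legitimate user who mistypes a password. The username tally shows root as the most-targeted account, matching sparcie’s observation and the reason to leave root SSH login disabled.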

      • sparcie says:

        Luckily I didn’t run into any major problems, just spent my time reading mostly. Although I did ride my motorbike all the way to work before finding out that Uni of Newcastle was closed!

        I used to have a corded landline phone, I don’t anymore, but I’d heard that telephone exchanges have limited battery backup of about 1 hour, so it may not have done me any good. I do know that many mobile towers were off-line because of this as well. Good reasons to have an ordinary FM radio, if only I’d thought to listen to it before going to work!

        I’ll have to look into a battery/inverter combination as that would have been handy.

        I’m still trying out the solar charger I bought, I’ve used some suction cups to stick it to a window this afternoon, I’ll see if it will put some charge into my tablet tomorrow, and will have to get a power bank to connect to it. My old power bank is looking a bit worse for wear.

        Cheers
        Sparcie

        • lui_gough says:

          Generally exchanges have large banks of 48v DC battery power that’s supposed to last for at least 4 hours, if not longer. The lines may have been up for even longer than that, especially if lots of people leave their phones on hook – but I suppose flood water shorting out lines will cause a drain on the cells that negates any savings there, as does the temptation to hook up other telco related equipment to the battery banks as a UPS (e.g. ADSL DSLAM gear).

          Mobile towers are a bit sad, because there really isn’t any long term back-up on those, but depending on how localized the destruction is, a good external cellular yagi antenna may have got you a signal from a base station over several km away provided you’re in an advantageous spot. Of course, if you had a CB walkie talkie and some batteries, that could have been another safety measure to keep in touch with folks in the house as you wander outside to find a cell signal (perhaps).

          Inverters are lovely, but it doesn’t make sense to run anything too large (e.g. fridge, microwave, heater) from them because the amount of charge you can store in a lead acid battery isn’t all that much. If you really wanted to go “off grid”, using the most efficient devices (e.g. a tablet with an inbuilt 4G modem or phone, or even low powered laptop) as a primary platform might be possible for longer terms. If you’re into RV-ing, you might even have a few 65W/80W solar panels you can throw outside to try and catch a bit of cloud (heh)!

          But no need to panic. It’s not an apocalypse just yet :).

          – Gough

  4. Pingback: Experiment: SSH Honeypot – Week 2 | Gough's Tech Zone
