Using SSH Honey Pots to Data Mine Attackers in the Cloud



The goal of this project is to take a stand-alone Linux SSH honeypot server and take it to the cloud and even further. We accomplish this with orchestration technology such as Ansible to automatically deploy SSH honeypots to multiple cloud providers, such as AWS, GCE, and Rackspace. We did this to get a better idea of the types of attacks being launched against cloud providers and how they differ from one vendor to another. One area where this helps is when a new security vulnerability is discovered: we can see the increase on our nodes and how attackers have switched their attack types based on the most recent exploit. Our first cluster went live in early February and began to log attack types. Currently we span multiple providers and geographic regions.

In this session we will talk about the technology behind this project, such as SSH honeypot software, orchestration, data logging, and analytics. We will also talk about the current state, future plans, and how others can contribute or set up their own honeypot. This will include the following:

SSH Honeypot Software – Kippo & Cowrie
Database Logging – MongoDB & MySQL
Orchestration – Ansible Playbooks & Salt
Python API – Custom Python API to register new nodes & communicate with MongoDB
Analytics – Elasticsearch / Kibana Dashboard
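As an added example, not code from the project described here, the snippet below runs a small analytics pass over constructed Cowrie JSON log lines, breaking login attempts out per cloud provider and surfacing the most-tried credentials, which is the kind of per-vendor comparison the session describes. It assumes each node's `sensor` value follows a `<provider>-<region>` naming convention (an assumption, not a Cowrie default) and that malformed log lines should be skipped rather than abort the run.

```python
import json
from collections import Counter
# Constructed sample of Cowrie JSON log lines (the format written by Cowrie's
# jsonlog output). The "sensor" value is set per node; this example assumes the
# convention "<provider>-<region>" so the provider can be derived from it.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.5", "sensor": "aws-us-east-1", "timestamp": "2016-02-10T03:12:45Z", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "admin", "src_ip": "203.0.113.5", "sensor": "aws-us-east-1", "timestamp": "2016-02-10T03:12:46Z", "session": "a1"}
{"eventid": "cowrie.login.success", "username": "root", "password": "123456", "src_ip": "198.51.100.9", "sensor": "gce-us-central1", "timestamp": "2016-02-10T03:13:01Z", "session": "b2"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "198.51.100.9", "sensor": "gce-us-central1", "timestamp": "2016-02-10T03:13:05Z", "session": "b2"}
{"eventid": "cowrie.login.failed", "username": "pi", "password": "raspberry", "src_ip": "192.0.2.77", "sensor": "rackspace-ord", "timestamp": "2016-02-10T03:14:00Z", "session": "c3"}
not json: a truncated or corrupted line that must not abort the run
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

def parse_cowrie_log(text):
    """Yield one dict per valid JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def provider_of(sensor):
    """Map a sensor id to its provider (assumed '<provider>-<region>' naming)."""
    return sensor.split("-", 1)[0]

def summarize(text):
    """Per-provider login attempts and successes, plus the top credential pairs."""
    attempts, successes, creds = Counter(), Counter(), Counter()
    for ev in parse_cowrie_log(text):
        if ev.get("eventid") not in LOGIN_EVENTS:
            continue  # session/command events are not part of this view
        prov = provider_of(ev.get("sensor", "unknown"))
        attempts[prov] += 1
        if ev["eventid"] == "cowrie.login.success":
            successes[prov] += 1
        creds[(ev.get("username"), ev.get("password"))] += 1
    return {
        "attempts": dict(attempts),
        "successes": dict(successes),
        "top_credentials": creds.most_common(3),
    }
```

Feeding real Cowrie `cowrie.json` files through `summarize` in place of `SAMPLE_LOG` gives the same per-provider breakdown, which can then be pushed to MongoDB or Elasticsearch for the dashboard.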

Audience Takeaways
SSH honeypots: what they are and what they provide us
Linux server security best practices
Documentation for contributing or getting started yourself

Attendees need a basic understanding of Linux servers, honeypots, and cloud providers. We will be covering the technology at a high level and the data collected so far, along with our next steps.