DocumentCode
3422849
Title
Analysis and visualization of SSH attacks using honeypots
Author
Koniaris, Ioannis ; Papadimitriou, G. ; Nicopolitidis, P.
Author_Institution
Dept. of Inf., Aristotle Univ. of Thessaloniki, Thessaloniki, Greece
fYear
2013
fDate
1-4 July 2013
Firstpage
65
Lastpage
72
Abstract
In the field of computer security, honeypots are systems aimed at deceiving malicious users who launch attacks against the servers and network infrastructure of various organizations. They can be deployed as protection mechanisms to an organization's real systems, or as research units to study and analyze the methods employed by individual hackers. In this paper we present the results of a research honeypot's operation, which undertook the role of a web trap for attackers who target the SSH service in order to gain illegal server access. The fake system has remained online and fully operational during a course of several consequent months, capturing attacks and logging all malicious activity. During this assessment it was shown that honeypots remain very effective tools in gathering information about SSH attacks. Furthermore, we observed that attackers are constantly targeting servers in the wild employing ready-to-use tools and dictionaries, while their post-compromise actions include mostly pivoting and IRC-related activities. Lastly we present a visualization tool aimed at helping security researchers during the analysis and conclusions drawing phases, for use with the same SSH honeypot implementation software as outlined in this work.
Keywords
Internet; computer network security; network servers; IRC related activity; SSH attack; SSH honeypot implementation software; SSH service; Web trap; computer security; fake system; honeypot operation; illegal server access; malicious user; protection mechanisms; secure shell; Data visualization; Information security; Internet; Operating systems; Servers; cyber attack analysis; cyber crime; honeypot; secure shell; security visualization;
fLanguage
English
Publisher
ieee
Conference_Titel
EUROCON, 2013 IEEE
Conference_Location
Zagreb
Print_ISBN
978-1-4673-2230-0
Type
conf
DOI
10.1109/EUROCON.2013.6624967
Filename
6624967