A program monitoring port 22 - who is knocking on my window

NokiaNokia Member

If you have a public IP address exposed to the internet, there will definitely be many people trying to guess your password.
To see who is knocking on my window, I wrote a program with the help of AI to monitor visitors' information.
Not much practical use, just for fun.

https://github.com/Yorkian/knock

Comments

  • LeviLevi Member
    edited January 9

    Data stored in plain JSON files? Damn... Why not CSV. On a slightly more serious note:

    1. Use SQLite;
    2. Template default language is Chinese? If you offer this to foreign devils, please make it English as a default;
    3. Remove Chinese comments from the source code. It is horrible;
    Thanked by 1jnd
  • I'm actually doing something similar - trying to catch folks scanning my servers, not just TCP port 22 though. Got HAProxy watching around 20k TCP connections. Sitting on a pile of data here but have been scratching my head about how to show what I've caught. Your code might be just what I needed to see. Thanks!
    And don't worry about the code comments - Chinese is totally fine, I can read it.

  • LeviLevi Member

    @chihcherng said: trying to catch folks scanning my servers

    You are reinventing the wheel. Why not use existing honeypot systems with a GUI for data analysis etc. For learning, of course - DIY is the best way.

  • NokiaNokia Member

    @Levi said:
    Data stored in plain JSON files? Damn... Why not CSV. On a slightly more serious note:

    1. Use SQLite;
    2. Template default language is Chinese? If you offer this to foreign devils, please make it English as a default;
    3. Remove Chinese comments from the source code. It is horrible;

    It's interesting. Thanks!
    The default language of the template is English, and I will change the Chinese comments in source code to English.
    Just like the surveillance camera at your doorstep, it only saves about a week of footage, which is a normal data security requirement, and only you watch it. So there's no need to think too much about performance and stability. However, using CSV or SQLite is indeed a more professional way, and I will consider using them in the next project.

  • NokiaNokia Member

    @chihcherng said:
    I'm actually doing something similar - trying to catch folks scanning my servers, not just TCP port 22 though. Got HAProxy watching around 20k TCP connections. Sitting on a pile of data here but have been scratching my head about how to show what I've caught. Your code might be just what I needed to see. Thanks!
    And don't worry about the code comments - Chinese is totally fine, I can read it.

    I am glad you like it. Your monitoring can obtain a larger amount of data and is more likely to find interesting presentation methods.

  • So maltrail?

  • gksgks Member
    edited January 9

    I use Fail2Ban and ban those IPs for 365 days. Edited toolname

  • wuckwuck Member

    Don't use port 22, f2ban port 22

  • bdlbdl Member

    Knockia

  • wii747wii747 Member

    I just use crowdsec

    Thanked by 1vicaya
  • gksgks Member
    edited January 9

    Feeding these IPs to the firewall to block them permanently would be helpful. You don't need to listen on port 22; use Fail2Ban, which already blocks those IPs by listening on the auth logs of sshd. A tool that puts these IPs into ufw to block them permanently would be useful. Indian IPs are attacked by Chinese by default, 24/7.

    Last failed login: Thu Jan  9 05:39:24 EST 2025 from 218.92.0.166 on ssh:notty
    There were 92988 failed login attempts since the last successful login.
    Last login: Mon Dec 30 06:56:11 2024 from <<MY-IP>>
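
As an added example (not code from the thread or from the knock project), here is the "read the sshd auth log, count failures per source, hand the worst offenders to ufw" idea from the post above as a small POSIX shell script. The log lines and addresses are constructed for the demo; on a real box you would feed it `/var/log/auth.log` or `journalctl -u ssh` output instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from the knock project.
# Summarise sshd "Failed password" lines per source address and turn the
# noisiest addresses into ufw deny rules for review. The log lines below
# are constructed; the addresses come from the documentation ranges.

SAMPLE_LOG=$(cat <<'EOF'
Jan  9 05:39:21 vps sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Jan  9 05:39:22 vps sshd[4121]: Failed password for root from 203.0.113.5 port 41240 ssh2
Jan  9 05:39:23 vps sshd[4122]: Failed password for root from 203.0.113.5 port 41251 ssh2
Jan  9 05:39:24 vps sshd[4123]: Accepted publickey for ops from 198.51.100.7 port 50022 ssh2
Jan  9 05:39:25 vps sshd[4124]: Failed password for invalid user test from 2001:db8::c0ff:ee port 33001 ssh2
Jan  9 05:39:26 vps sshd[4125]: Failed password for root from 198.51.100.9 port 50100 ssh2
EOF
)

# failed_by_ip THRESHOLD: read sshd log text on stdin and print
# "<failures> <address>" for every source with at least THRESHOLD failed
# password attempts, busiest first. IPv4 and IPv6 sources are both handled,
# since the address is simply the token after "from".
failed_by_ip() {
    threshold="${1:-3}"
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# ufw_deny_cmds: turn "<failures> <address>" lines into ufw commands that
# block TCP/22 from that address. Commands are printed rather than run so
# they can be reviewed before anything is inserted into the firewall.
ufw_deny_cmds() {
    while read -r count ip; do
        printf 'ufw insert 1 deny from %s to any port 22 proto tcp  # %s failures\n' "$ip" "$count"
    done
}

# Demo on the constructed log; against a real host this would be something like
#   grep sshd /var/log/auth.log | failed_by_ip 20 | ufw_deny_cmds
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip 3 | ufw_deny_cmds
```

Only the address with three failures crosses the default threshold, so the demo prints a single `ufw insert 1 deny ...` line. The "Accepted publickey" line is ignored, which matters if you later extend the pattern: counting every line mentioning an address would eventually list your own successful logins as offenders.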
    
  • ralfralf Member
    edited January 9

    Got to ask though... If you're not going to do anything with the data, why bother? I ask, because I used to filter and log all junk ssh connections for about 2 years, and it was only when the disk filled that I wondered why I was even doing it and stopped.

    Now I just use iptables to whitelist the one IP I plan to connect from, also whitelist my wireguard subnet so that I do have a backup escape route in, and then reject the packets from every other IP.

    If you're doing this, don't forget to reject ssh packets on IPv6 as well as it's easy to overlook if you're otherwise only using IPv4.

    PS rejecting the packet is better than dropping the packet as it then looks like you don't even run ssh at all rather than providing a hint that it's being filtered.

    Thanked by 1gks
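
As an added example (not code from the thread), the allowlist scheme from the post above as a shell function that generates the iptables and ip6tables commands: accept TCP/22 only from a few known sources (a home address, a WireGuard subnet), reject everything else with a TCP reset, and emit rules for both IP families so the IPv6 side is not left open by accident. The addresses in the usage line are constructed examples.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the iptables/ip6tables
# commands for an ssh allowlist; nothing is applied by this script.
# Sources containing ':' are treated as IPv6 and sent to ip6tables.

# ssh_allowlist_rules SRC...: one ACCEPT per allowed source, then a REJECT
# for each family that catches every other source.
ssh_allowlist_rules() {
    for src in "$@"; do
        case "$src" in
            *:*) printf 'ip6tables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$src" ;;
            *)   printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$src" ;;
        esac
    done
    # REJECT with tcp-reset answers the way a closed port does, so from the
    # outside it looks as if nothing listens on 22; DROP would leave the
    # port "filtered", which is itself a hint that something is there.
    printf 'iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset\n'
    printf 'ip6tables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset\n'
}

# Constructed sources: a home IPv4 address, a WireGuard subnet, an IPv6 prefix.
# Review the output first; once it looks right, run it as root, e.g.
#   ssh_allowlist_rules 198.51.100.7 10.8.0.0/24 2001:db8:1::/64 | sudo sh
ssh_allowlist_rules 198.51.100.7 10.8.0.0/24 2001:db8:1::/64
```

Two things to check before applying the output: the rules are appended (`-A`), so an earlier rule that already accepts port 22 for everyone would take precedence, and `iptables -S INPUT` / `ip6tables -S INPUT` should be inspected first; and keep the provider console session open until a connection from an allowlisted source has been confirmed, since a typo in the allowlist locks you out of ssh entirely.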
  • gksgks Member

    @ralf said:
    Got to ask though... If you're not going to do anything with the data, why bother? I ask, because I used to filter and log all junk ssh connections for about 2 years, and it was only when the disk filled that I wondered why I was even doing it and stopped.

    Now I just use iptables to whitelist the one IP I plan to connect from, also whitelist my wireguard subnet so that I do have a backup escape route in, and then reject the packets from every other IP.

    If you're doing this, don't forget to reject ssh packets on IPv6 as well as it's easy to overlook if you're otherwise only using IPv4.

    PS rejecting the packet is better than dropping the packet as it then looks like you don't even run ssh at all rather than providing a hint that it's being filtered.

    Seems a solid plan to reject all except a few; my case is similar, I am the only user. Is ufw on Ubuntu fine with that? And IPv6 would be countless, is it not? Good to block all, whitelisting a few would be the best option. Thank you @ralf

  • @ralf said:
    Got to ask though... If you're not going to do anything with the data, why bother? I ask, because I used to filter and log all junk ssh connections for about 2 years, and it was only when the disk filled that I wondered why I was even doing it and stopped.

    Now I just use iptables to whitelist the one IP I plan to connect from, also whitelist my wireguard subnet so that I do have a backup escape route in, and then reject the packets from every other IP.

    If you're doing this, don't forget to reject ssh packets on IPv6 as well as it's easy to overlook if you're otherwise only using IPv4.

    PS rejecting the packet is better than dropping the packet as it then looks like you don't even run ssh at all rather than providing a hint that it's being filtered.

    What if the IP changes?
    My IP address changes every year or so, but it's unpredictable when it happens.
    Maybe that's just my ISP.

  • donlidonli Member

    @stealthy said:

    @ralf said:
    Got to ask though... If you're not going to do anything with the data, why bother? I ask, because I used to filter and log all junk ssh connections for about 2 years, and it was only when the disk filled that I wondered why I was even doing it and stopped.

    Now I just use iptables to whitelist the one IP I plan to connect from, also whitelist my wireguard subnet so that I do have a backup escape route in, and then reject the packets from every other IP.

    If you're doing this, don't forget to reject ssh packets on IPv6 as well as it's easy to overlook if you're otherwise only using IPv4.

    PS rejecting the packet is better than dropping the packet as it then looks like you don't even run ssh at all rather than providing a hint that it's being filtered.

    What if the IP changes?
    My IP address changes every year or so, but it's unpredictable when it happens.
    Maybe that's just my ISP.

    You access your VPS through the provider-provided console and update the IP address.

    Thanked by 1ralf
  • ralfralf Member

    @stealthy said:

    @ralf said:
    Got to ask though... If you're not going to do anything with the data, why bother? I ask, because I used to filter and log all junk ssh connections for about 2 years, and it was only when the disk filled that I wondered why I was even doing it and stopped.

    Now I just use iptables to whitelist the one IP I plan to connect from, also whitelist my wireguard subnet so that I do have a backup escape route in, and then reject the packets from every other IP.

    If you're doing this, don't forget to reject ssh packets on IPv6 as well as it's easy to overlook if you're otherwise only using IPv4.

    PS rejecting the packet is better than dropping the packet as it then looks like you don't even run ssh at all rather than providing a hint that it's being filtered.

    What if the IP changes?
    My IP address changes every year or so, but it's unpredictable when it happens.
    Maybe that's just my ISP.

    Get a cheap VPS for use as a jump host. If it ever shows signs of being compromised, re-install it completely. You don't even have to have your real host trust the ssh key on the jump host, you just need both your real host and the jump host to trust your key.

    Also, set up wireguard and whitelist that IP as well. You don't need to worry about firewalling off the wireguard port because it'll just ignore any traffic sent to it that it doesn't recognise.

  • run portspoof on port 22 and move ssh to another high port.

  • donlidonli Member

    @ralf said:

    @stealthy said:

    @ralf said:
    Got to ask though... If you're not going to do anything with the data, why bother? I ask, because I used to filter and log all junk ssh connections for about 2 years, and it was only when the disk filled that I wondered why I was even doing it and stopped.

    Now I just use iptables to whitelist the one IP I plan to connect from, also whitelist my wireguard subnet so that I do have a backup escape route in, and then reject the packets from every other IP.

    If you're doing this, don't forget to reject ssh packets on IPv6 as well as it's easy to overlook if you're otherwise only using IPv4.

    PS rejecting the packet is better than dropping the packet as it then looks like you don't even run ssh at all rather than providing a hint that it's being filtered.

    What if the IP changes?
    My IP address changes every year or so, but it's unpredictable when it happens.
    Maybe that's just my ISP.

    Get a cheap VPS for use as a jump host. If it ever shows signs of being compromised, re-install it completely. You don't even have to have your real host trust the ssh key on the jump host, you just need both your real host and the jump host to trust your key.

    Also, set up wireguard and whitelist that IP as well. You don't need to worry about firewalling off the wireguard port because it'll just ignore any traffic sent to it that it doesn't recognise.

    Write and run a program that monitors some UDP port on your main VPS. When the program receives an instruction to add an IP address to your firewall it does.

  • DataRecoveryDataRecovery Member
    edited January 9

    @Nokia said:
    To see who is knocking on my window, I wrote a program

    These days you can get a different toy for each chicken window:

  • ralfralf Member

    Forget honeypots, I want this! DOS via ssh? That sounds AMAZING! :)

  • DataRecoveryDataRecovery Member
    edited January 9

    @ralf said:

    Forget honeypots, I want this! DOS via ssh? That sounds AMAZING! :)

    I didn't find the link for that one, unfortunately. Only a pic :-\

    The closest one is this: https://github.com/benjojo/dos_ssh

    Have a look at cheeseandcereal/fake-ssh though. With it you can have Clippy™ on port 22 :)

    Thanked by 3ralf 0xC7 vicaya
  • Been running an ssh honeypot for several months; actually most inputs are pretty boring, just something like cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa [blahblah]">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~...
    But I do get a fresh password dict :)

    Thanked by 1donli
  • @Levi said:

    @chihcherng said: trying to catch folks scanning my servers

    You are reinventing the wheel. Why not use existing honeypot systems with a GUI for data analysis etc. For learning, of course - DIY is the best way.

    Which existing systems do you think are

  • jon617jon617 Veteran

    @ralf said: Now I just use iptables to whitelist the one IP I plan to connect from, also whitelist my wireguard subnet so that I do have a backup escape route in, and then reject the packets from every other IP.

    This.

    While the research is fun, and nice job using AI for this purpose, just don't leave your actual real ssh open to the world.
