26

PSA: I set up a honeypot on my home network and the results were way scarier than I expected.

I used a Raspberry Pi with a basic setup to look like a vulnerable server, and within 24 hours it logged over 50 automated login attempts from random IP addresses. It really shows how much constant, automated probing is happening out there. Has anyone else tried something like this and found a specific port getting hammered more than others?
3 comments

holly_sanchez75
Started seeing the same thing when I plugged an old router into my network without any passwords enabled. The SSH port got hammered nonstop, like every few seconds someone was trying to get in. What really got me was how many of those IPs came from residential ranges, makes you wonder if those are just random people's computers that got infected with bot software. Port 22 was the worst by far, but port 3389 for Remote Desktop was a close second even though I don't even have Windows on that box.
1
taylor_young
Oh man, wait... 3389 getting hit on a non-Windows box? That is wild. Those bots are just pounding away at anything with an IP, hoping someone left RDP wide open. I had the same thing happen with a little Linux server I run at home, saw a ton of traffic on port 445, like, someone trying to use SMB exploits on a machine that doesn't even have Samba installed. It really shows how stupid and lazy these automated scans are, they just carpet bomb everything and hope something sticks. Freaked me out the first time I saw it, like am I being targeted or is this just random noise?
8
linda500
1mo ago
Did you try just changing the default SSH port to something random like 2222 or higher? I did that on my setup and the login attempts dropped from hundreds a day to maybe one or two a week. It's not a perfect fix but it really cuts down on the noise from those automated bots that only scan the standard ports. Another thing that helped me was setting up fail2ban to block IPs after a few failed attempts, that stopped the constant hammering almost completely. Your point about residential IPs is spot on, I traced a few and they were definitely compromised IoT gadgets like smart TVs or old routers. Have you considered putting that old router behind a firewall or just using a VPN for incoming connections instead?
3