This analysis covers a 24-hour period of activity recorded by an SSH Honeypot, totaling 418 attack records. The data indicates a high volume of automated, opportunistic attacks primarily focused on brute-forcing common credentials on the SSH service.
1. Geographic Origin of Attacks (GEO) 🌎
The attacks are distributed across various countries, but heavily concentrated in a few locations:
| GEO Country | Attacks (Count) | Attacks (Percentage) | Key Takeaway |
|---|---|---|---|
| Romania (RO) | 128 | 30.6% | Highest volume of attacks, potentially from botnet infrastructure. |
| Iran (IR) | 87 | 20.8% | Significant attack origin, consistent with state-sponsored or organized criminal activity. |
| China (CN) | 51 | 12.2% | Standard high-volume source for cyberattacks. |
| Philippines (PH) | 50 | 12.0% | Emerging or common source for botnet-driven attacks. |
| Russia (RU) | 45 | 10.8% | Consistent source for various types of cyberattacks. |
| Ukraine (UA) | 43 | 10.3% | Consistent source for various types of cyberattacks. |
The top six countries account for 96.7% of all recorded attacks, strongly suggesting the use of a wide-ranging, geographically dispersed botnet or multiple botnets.
2. Attacking IP Address Analysis (IOCs) 💻
The IP statistics clearly show that the attacks are driven by a small number of highly active IP addresses, which are strong Indicators of Compromise (IOCs). These IPs are highly likely to be compromised systems (bots/drones) being used for mass scanning and brute-forcing.
| IP Address | Attacks (Count) | Attacks (Percentage) | Enrichment / Known Malicious Activity |
|---|---|---|---|
| 62.60.131.157 | 61 | 14.6% | Known Bad IP (Romania): Listed on threat intelligence feeds for Automated Dictionary Attacks against SSH servers, suggesting an infected system (malware/bot). |
| 203.189.116.203 | 50 | 12.0% | No immediate widespread public reporting, but high activity suggests it is a dedicated attacker or compromised host. |
| 45.135.232.24 | 45 | 10.8% | Known Bad IP (Russia): Reported for Brute-Force and Port Scanning activities on multiple honeypots. |
| 118.145.74.48 | 44 | 10.5% | No immediate widespread public reporting, but its high volume of attacks marks it as an active IOC for this period. |
| 185.156.73.233 | 43 | 10.3% | Known Bad IP (Netherlands – Hosting/Transit): Reported on threat intelligence feeds with 100% confidence of abuse for Brute-Force SSH activity. |
| 2.57.121.112 | 40 | 9.6% | Known Bad IP (United Kingdom – listed as Romania in one source): Listed on multiple blacklists (Spamhaus XBL, blocklist.de) for Automated Dictionary Attacks and SSH attacks, likely part of a compromised network. |
| 2.57.121.25 | 35 | 8.4% | Known Bad IP (Romania – Hosting/Transit): Marked as "Very Aggressive" on threat intelligence platforms, associated with SSH/FTP Brute-Force activity. |
| 80.94.95.116 | 21 | 5.0% | Known Bad IP (Romania – Hosting/Transit): Associated with Malware (86% risk) and Scanning IPs categories. |
| 194.0.234.19 | 19 | 4.5% | Known Bad IP (Lithuania – listed as Iran in one source): Reported for Brute-Force against users like `admin` and `test`. 100% confidence of abuse. |
| 193.32.162.157 | 18 | 4.3% | No immediate widespread public reporting, but high activity marks it as an active IOC. |
Campaigns Related to IOCs: The consistent use of compromised IP addresses for dictionary and brute-force attacks is characteristic of large-scale, automated initial access campaigns. These are often precursors to Mirai-like botnet infections targeting Internet of Things (IoT) devices or generic Linux server malware. The goal is to gain an initial foothold for subsequent malicious actions (e.g., launching DDoS attacks, cryptocurrency mining, or establishing command-and-control).
3. Credential Attack Vector Analysis 🔑
The username and password statistics confirm the attacks are focused on default or weak credentials (T1078.001 – Default Accounts in MITRE ATT&CK).
Username Statistics
The attacks overwhelmingly target common, predictable usernames:
- `user` (27.5%), `root` (21.8%), and `admin` (16.0%) make up 65.3% of all username attempts.
- The inclusion of `support`, `test`, `ubnt` (a common default for Ubiquiti devices), and `pi` (the Raspberry Pi default user) suggests the attackers are casting a wide net to compromise various system types, including IoT devices and default server setups.
Password Statistics
The password attempts align with the brute-force strategy:
- `support` (11.5%) is the most common password, which is highly unusual. This suggests a specific sub-campaign or botnet is heavily using the `support` username-password combination.
- Default/Weak Passwords: The remainder of the top passwords, such as `admin`, `123456`, `password`, and the empty password (`(empty)`), are textbook examples of weak or default credentials.
- High Diversity in Passwords: The high "Other" share of 73.7% indicates that while common strings are tried first, the attackers are also utilizing large, comprehensive wordlists (dictionary attacks) beyond the most basic guesses.
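To reproduce the IP and username statistics above against a server's own logs, the following is an added example (not a tool from the honeypot operator or from this report). It parses OpenSSH auth-log lines, ranks source addresses, flags those at or above an attempt threshold as IOCs, and measures the share of attempts aimed at the default usernames listed in this section. The log lines are constructed for the example: the addresses are taken from the IOC table and the usernames from the statistics above, but the counts are illustrative. Standard auth logs do not record the attempted password, so the password distribution is not reproduced here.

```python
"""Aggregate SSH brute-force attempts from OpenSSH auth-log lines.

Added example for this analysis, not code from the report. The sample log is
constructed: IPs come from the report's IOC table and usernames from its
credential statistics, but the counts are illustrative only.
"""
import re
from collections import Counter

# OpenSSH logs failed password attempts as
# "Failed password for [invalid user] <user> from <ip> port <n> ssh2".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Usernames the report identifies as default or predictable targets.
DEFAULT_USERNAMES = {"user", "root", "admin", "support", "test", "ubnt", "pi"}

# Constructed sample; the final line shows a legitimate key login being ignored.
SAMPLE_LOG = """\
Mar 10 00:01:02 hp sshd[1201]: Failed password for invalid user user from 62.60.131.157 port 51022 ssh2
Mar 10 00:01:05 hp sshd[1202]: Failed password for root from 62.60.131.157 port 51030 ssh2
Mar 10 00:01:09 hp sshd[1203]: Failed password for invalid user admin from 62.60.131.157 port 51044 ssh2
Mar 10 00:02:11 hp sshd[1210]: Failed password for invalid user support from 203.189.116.203 port 40011 ssh2
Mar 10 00:02:14 hp sshd[1211]: Failed password for invalid user support from 203.189.116.203 port 40019 ssh2
Mar 10 00:03:30 hp sshd[1220]: Failed password for invalid user ubnt from 45.135.232.24 port 33001 ssh2
Mar 10 00:03:33 hp sshd[1221]: Failed password for invalid user pi from 45.135.232.24 port 33009 ssh2
Mar 10 00:03:50 hp sshd[1225]: Failed password for invalid user jsmith from 118.145.74.48 port 41000 ssh2
Mar 10 00:04:00 hp sshd[1230]: Failed password for root from 10.0.0.5 port 22222 ssh2
Mar 10 00:04:10 hp sshd[1231]: Accepted publickey for deploy from 10.0.0.5 port 22223 ssh2
"""


def parse_failed_logins(text):
    """Return (ip, username) for every failed password attempt; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def percent(count, total):
    """Share of `total` as a percentage rounded to one decimal, as in the report's tables."""
    return round(100.0 * count / total, 1) if total else 0.0


def summarize(events):
    """Total attempts plus per-IP and per-username counters."""
    return {
        "total": len(events),
        "by_ip": Counter(ip for ip, _ in events),
        "by_user": Counter(user for _, user in events),
    }


def flag_iocs(by_ip, min_attempts=10):
    """Source IPs at or above the threshold, most active first (ties broken by address)."""
    ranked = sorted(by_ip.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= min_attempts]


def default_account_share(by_user, total):
    """Percentage of attempts that targeted a username from DEFAULT_USERNAMES."""
    hits = sum(n for user, n in by_user.items() if user in DEFAULT_USERNAMES)
    return percent(hits, total)


def report(text, min_attempts=10):
    """Print the same three views the analysis uses: top IPs, top usernames, default share."""
    s = summarize(parse_failed_logins(text))
    print(f"{s['total']} failed password attempts")
    for ip in flag_iocs(s["by_ip"], min_attempts):
        print(f"  IOC {ip:<16} {s['by_ip'][ip]:>4}  {percent(s['by_ip'][ip], s['total']):>5}%")
    for user, n in s["by_user"].most_common(5):
        print(f"  user {user:<12} {n:>4}  {percent(n, s['total']):>5}%")
    print(f"  default-account share: {default_account_share(s['by_user'], s['total'])}%")


if __name__ == "__main__":
    # Threshold lowered to 2 because the constructed sample is tiny.
    report(SAMPLE_LOG, min_attempts=2)
```

On a real host, feed `/var/log/auth.log` (or `journalctl -u ssh`) to `report()` with the default threshold; a few addresses carrying most of the failures, as in the IOC table above, is the pattern that separates a botnet campaign from scattered noise.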
Summary of 24-Hour Activity
The SSH honeypot experienced 418 brute-force attacks over 24 hours. The activity is highly aggressive and automated, dominated by a few key observations:
- Geographic Risk: A significant portion of the attacks originated from Romania (30.6%) and Iran (20.8%).
- Identified Threats: The majority of high-volume attacker IPs are known bad actors (IOCs), previously reported for mass-scanning and brute-force campaigns, often associated with botnet or malware propagation.
- Targeting Strategy: The campaign is almost exclusively focused on common and default credentials (`user`/`root`/`admin` combined with weak passwords), indicating opportunistic, automated initial access efforts. The combination of `support`/`support` appears to be a notable, current focus for the attackers hitting this honeypot.
- Mitigation: Immediate action should be taken to block the top 10 IP addresses and to enforce strong password policies (or disable password authentication entirely in favor of SSH keys) to mitigate this high-volume, automated threat.
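For the mitigation step, the following is an added example (not from the report) that audits an `sshd_config` for the settings the recommendation touches (PasswordAuthentication, PermitRootLogin, PubkeyAuthentication and MaxAuthTries), using OpenSSH's own defaults for directives that are absent, and emits a hardened copy. The weak configuration is constructed for the example and not taken from any host; the MaxAuthTries limit of 3 is an assumption of the example, not a value from the report.

```python
"""Audit and harden sshd_config for the password-authentication settings the report recommends.

Added example, not code from the report. WEAK_CONFIG is a constructed sample.
"""
import re

WEAK_CONFIG = """\
# constructed sample sshd_config (assumption: not taken from the honeypot or any real host)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

# Values OpenSSH applies when a directive is absent (PermitRootLogin default since OpenSSH 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Target values: key-only authentication as the report recommends; MaxAuthTries 3 is an assumption.
HARDENED = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "3",
}

# Canonical spelling used when a missing directive has to be appended.
CANONICAL = {
    "permitrootlogin": "PermitRootLogin",
    "passwordauthentication": "PasswordAuthentication",
    "pubkeyauthentication": "PubkeyAuthentication",
    "maxauthtries": "MaxAuthTries",
}

# PermitRootLogin values that still refuse root password logins.
ROOT_OK = {"no", "prohibit-password", "without-password"}


def _split_directive(raw):
    """Return (keyword, value) for a config line, or None for blanks and comments."""
    stripped = raw.split("#", 1)[0].strip()
    parts = re.split(r"[\s=]+", stripped, maxsplit=1) if stripped else []
    return (parts[0], parts[1].strip()) if len(parts) == 2 else None


def parse_sshd_config(text):
    """Global settings as {keyword_lower: value}; sshd honours the first occurrence of a keyword.

    Parsing stops at the first Match block, whose directives are conditional."""
    settings = {}
    for raw in text.splitlines():
        d = _split_directive(raw)
        if d is None:
            continue
        if d[0].lower() == "match":
            break
        settings.setdefault(d[0].lower(), d[1])
    return settings


def audit_sshd_config(text):
    """List (keyword, effective_value, expected_value) for each setting weaker than HARDENED."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in HARDENED.items():
        have = settings.get(key, DEFAULTS[key])
        if key == "maxauthtries":
            ok = have.isdigit() and int(have) <= int(want)
        elif key == "permitrootlogin":
            ok = have.lower() in ROOT_OK
        else:
            ok = have.lower() == want
        if not ok:
            findings.append((key, have, want))
    return findings


def harden_sshd_config(text):
    """Rewrite the audited directives in place, drop duplicates, and add missing ones.

    Missing directives are inserted before the first Match block so they stay global."""
    out, seen, match_at = [], set(), None
    for raw in text.splitlines():
        d = _split_directive(raw)
        key = d[0].lower() if d else None
        if key == "match" and match_at is None:
            match_at = len(out)
        if key in HARDENED and match_at is None:
            if key not in seen:
                out.append(f"{d[0]} {HARDENED[key]}")
                seen.add(key)
            continue  # later duplicates would be ignored by sshd anyway
        out.append(raw)
    missing = [f"{CANONICAL[k]} {v}" for k, v in HARDENED.items() if k not in seen]
    insert_at = len(out) if match_at is None else match_at
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, have, want in audit_sshd_config(WEAK_CONFIG):
        print(f"WEAK  {CANONICAL[key]} = {have!r} (want {want})")
    print(harden_sshd_config(WEAK_CONFIG))
```

Run the audit against the live file (`audit_sshd_config(open("/etc/ssh/sshd_config").read())`) before and after applying the change, and validate the result with `sshd -t` before restarting the daemon; leave an existing key-based session open while doing so in case the new configuration locks password users out before their keys are in place.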
