A researcher compares DShield honeypot data across networks and finds that the attack surface, particularly iptables NAT rules, can change which malware is observed. By reconfiguring an Azure honeypot with a different Linux OS and properly configured NAT rules, they show that exposed ports influence malware submissions and the usefulness of firewall logs. #Azure #iptables #Cowrie #DShield #VirusTotal #Debian #Ubuntu
Keypoints
- The Azure honeypot observed only two malware files; a further set of four files was seen on the other honeypots but not on Azure.
- Across all honeypots except Azure, four additional files were consistently observed.
- NAT redirected ports via iptables expanded the attack surface, making more services reachable (e.g., ports 22, 23, 2323, 80, 8080, 7547, 5555, 9000).
- The local firewall logs hadn't been updated since January 2024, limiting visibility into activity.
- Switching from Ubuntu 20.04 to Debian 11 and then Debian 12 led to iptables configurations that finally worked, with Debian 12 having properly configured NAT rules.
- New malware appeared on the Azure honeypot once iptables was running with properly configured NAT rules (see Figure 5).
- Conclusion: Keeping iptables active can protect the admin port but also changes the data collected by honeypots, since some attackers probe different surfaces (e.g., SSH over port 22).
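The diary's approach of filtering the local firewall log for DPT=22 can be reproduced over iptables LOG-target kernel messages; the snippet below is an added example, not code from the diary or from DShield, and the log lines are constructed (only the first source address is one the summary lists; the others are documentation-range addresses).

```python
import re
from collections import Counter

# Constructed iptables LOG-target kernel messages (not from the diary). Each line
# carries the KEY=VALUE fields netfilter emits for a logged packet.
SAMPLE_LOG = """\
Jan 15 10:22:31 honeypot kernel: [12345.678] IN=eth0 OUT= MAC=00:0d:3a:11:22:33:00:0d:3a:44:55:66:08:00 SRC=49.87.111.198 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 15 10:22:45 honeypot kernel: [12359.001] IN=eth0 OUT= MAC=00:0d:3a:11:22:33:00:0d:3a:44:55:66:08:00 SRC=198.51.100.23 DST=10.0.0.4 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:23:02 honeypot kernel: [12376.410] IN=eth0 OUT= MAC=00:0d:3a:11:22:33:00:0d:3a:44:55:66:08:00 SRC=203.0.113.7 DST=10.0.0.4 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=33000 DPT=7547 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 15 10:23:09 honeypot kernel: [12383.200] IN=eth0 OUT= MAC=00:0d:3a:11:22:33:00:0d:3a:44:55:66:08:00 SRC=203.0.113.7 DST=10.0.0.4 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=8 PROTO=TCP SPT=33001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 15 10:23:15 honeypot kernel: [12389.555] IN=eth0 OUT= MAC=00:0d:3a:11:22:33:00:0d:3a:44:55:66:08:00 SRC=198.51.100.23 DST=10.0.0.4 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=9 PROTO=UDP SPT=5353 DPT=5353 LEN=8
Jan 15 10:23:20 honeypot kernel: [12394.100] IN=eth0 OUT= MAC=00:0d:3a:11:22:33:00:0d:3a:44:55:66:08:00 SRC=203.0.113.7 DST=10.0.0.4 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Matches KEY=VALUE pairs; bare flags such as DF and SYN have no '=' and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one iptables LOG message as a dict."""
    return dict(FIELD_RE.findall(line))


def parse_log(text):
    """Keep only kernel lines that look like netfilter packet logs."""
    return [parse_iptables_line(l) for l in text.splitlines()
            if " kernel: " in l and "SRC=" in l]


def hits_by_dport(records, proto="TCP"):
    """Count logged packets per destination port for one protocol.
    ICMP records carry no DPT and are left out, so the result reflects
    which exposed (or NAT-redirected) ports actually drew traffic."""
    return Counter(int(r["DPT"]) for r in records
                   if r.get("PROTO") == proto and "DPT" in r)


def sources_for_dport(records, dport):
    """The diary's filter (DPT=22): which source addresses hit one port."""
    return sorted({r["SRC"] for r in records if r.get("DPT") == str(dport)})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(hits_by_dport(recs))
    print(sources_for_dport(recs, 22))
```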
MITRE Techniques
- [T1133] External Remote Services - The Azure honeypot showed activity on TCP port 22 for the cowrie session, indicating external remote access attempts. "Only activity for TCP port 22 for the IP address registered for the cowrie [10] session, which without iptables would have not been available for attack."
- [T1562.004] Impair Defenses - NAT redirection rules expanded the attack surface by exposing additional ports, as described by the NAT rules. "NAT redirected ports to add surface area to the honeypot."
Indicators of Compromise
- [IP Address] - 49.87.111.198 - Appears in the logs when filtering for DPT=22, indicating a source attempting SSH-like activity on the honeypot.
- [SHA-256 Hash] - a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 - One of the two files seen on the Azure honeypot.
- [SHA-256 Hash] - 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - Another file observed on the Azure honeypot.
- [SHA-256 Hash] - 7a9da7d10aa80b0f9e2e3f9e518030c86026a636e0b6de35905e15dd4c8e3e2d - One of the four files seen across non-Azure honeypots.
- [SHA-256 Hash] - 199d11d0fd7043fe9206954ed8bc7b54d1912013a2a71bdf8bb007b71bb490c8 - One of the four files seen across non-Azure honeypots.
- [SHA-256 Hash] - 18e0f574bf11bc5e7de8c95b83c187649b2d87d74651e59d9c2aad53ac7bb7f1 - One of the four files seen across non-Azure honeypots.
- [SHA-256 Hash] - f344f455f7c90b835c2a8e87d5e6a2c1f8f5c02324a8e02bd066c3a10be1f3d0 - One of the four files seen across non-Azure honeypots.
- [URL] - https://github.com/cowrie/cowrie - The honeypot software used in this study.
- [SHA-256 Hash] - 3c5ffe548ea93622d11b67eead48d50f9ee39b09e1e813747883d1528569ffd1 - Another related hash listed in the article.
Read more: https://isc.sans.edu/diary/Does+it+matter+if+iptables+isnt+running+on+my+honeypot/30862/