> When I had SSH open to the world, I saw similar usernames in the failure log as I now see on this telnet honeypot.
If your connectivity to the world is via a tunnel from amprgw, please resist the temptation to run a honeypot - we're trying to reduce the amount of bandwidth, not increase it. Although a honeypot isn't necessarily a big bandwidth consumer, every bit helps.
- Brian
It is on our BGP-routed subnet so the traffic is via our own gateway through a direct IPIP tunnel to that system. However, it is not really something to worry about. It attracts about 10-20 kbytes of internet->host traffic per day (the usernames and passwords that I log).
Those attackers are trying maybe 10-15 different logons then move on. It is not like they try a list of 100,000 most often used passwords, they probably have the default passwords for some commonly used routers and other IoT devices, in some cases probably only a single one (the worms that infect one particular device).
The unanswered SYN traffic to port 23 is much, much more. Especially before the "allow only registered hosts" filter. We are dropping around 80 Mbyte/day of traffic for our /16 subnet due to the address not being registered, so that would be about 20 GByte/day for amprgw....
Rob