Scans in Internet

by Jonathan Nicholas on November 8th, 2017
in Background, IOT

Scans in Internet
 

Further from reading about the IOT (see previous post) I was interested in how many scans there were of people trying to get into devices.  I started to look at telnet and SSH protocols, which you can use to connect to a device.

I used a Raspberry Pi I had in a drawer, like you do, and I connected it to the Internet and watched to see if any one tried to connect.  I reckoned in a day you might get a couple of connection attempts; boy was I wrong!

First I got out the old Raspberry and fired it up.  It has Debian 7 (wheezy) which is a bit old but what the hell.  The idea for this expreiment was to keep it isolated from the rest of our network and reinstall the thing when I had finished.  I installed the following:

  • telnet
  • snmp
  • ssh
  • tcpdump
  • rsyslog logging to a Linux box I have with Splunk

The router we have from our provider (A1 Telecom) allows you to create a DMZ, so I put the device there and left it overnight.  The next day I took a look and was pretty blown away:

Telnet:  in 17 hours there wwere 28,000 attempts to connect from 360 different IP addresses.
SSH: there were 711 failed login attampts from 71 different addresses
SNMP: only 4 hits

To do:  Analyse where they came from.  Picked a few adresses at random for the telnet attempts and most were in Brazil.

No feedback yet


Form is loading...