
I'm out.
Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and won't be edited (except for the occasional encoding errors).
This community is automagically fed by an instance of Dittybopper.

What I Learned
- The internet is loud
Your server isn't special. Nobody is "targeting" it. Every IP address on the internet is being continuously probed by automated systems. Within seconds of exposing port 22, you will receive login attempts. This isn't a question of "if" but "when" — and the answer to "when" is "immediately."
- Most attackers are dumb
99.6% of the visitors never went beyond a single automated command. They're not hackers — they're scripts running on compromised machines, following instructions from a C2 server, executing the same uname command a million times a day across millions of IPs. The vast majority of internet "attacks" are just noise.
- The few smart ones are very smart
That French IP with the /dev/tcp/ trick, rotating C2 infrastructure, and UPX-packed binaries? That's professional-grade offensive tooling. The gap between the bottom 99% and the top 1% of attackers is enormous.
- Crypto is a magnet
The volume of attempts targeting Solana node credentials (solana/sol/validator/node) was surprising. Running crypto infrastructure on a publicly-accessible SSH port without key-based auth is actively being hunted.
- Some people are just curious
The explorer from Cameroon, the slow typer from Berlin, the person from Bangladesh poking around /var and creating text.txt — these aren't malicious actors. They're curious humans who found an open door and wanted to see what was on the other side. They didn't download malware or try to establish persistence. They just... looked around.
- Nobody reads the MOTD
The honeypot displays a full Ubuntu welcome message with system stats when you log in. Not a single interactive user appeared to notice or care that the system information was suspiciously static. First thing they do? ls.
Very much worth a read!
That's pretty interesting.
I have been running an SSH tarpit for several years. Basically it's a tiny go executable that responds to SSH connections, and then proceeds to very very slowly respond with an endless banner. So clients wait endlessly for the login prompt. I have seen clients getting stuck and waiting for whole weeks.
Link for anyone who wants to run a tarpit themselves: https://github.com/skeeto/endlessh
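The tarpit idea described in the comment above, as an added Python sketch that is not part of the thread and is not endlessh's or the commenter's code. It relies on RFC 4253 section 4.2, which lets a server send arbitrary lines before its version string as long as none begins with "SSH-"; the names `banner_line`, `tarpit` and `serve`, the port 2222 and the 10-second delay are assumptions chosen for illustration.

```python
import asyncio
import functools
import random


def banner_line(rng=random):
    """Return one junk pre-banner line (constructed filler, not real SSH data)."""
    # Lowercase hex can never spell "SSH-", so a client reading this line
    # keeps waiting for the real identification string, which never arrives.
    body = "%x" % rng.getrandbits(32)
    return (body + "\r\n").encode("ascii")


async def tarpit(reader, writer, delay=10.0):
    """Drip one line every `delay` seconds until the peer gives up.

    Returns the number of lines the client accepted before disconnecting.
    """
    sent = 0
    try:
        while True:
            await asyncio.sleep(delay)
            writer.write(banner_line())
            await writer.drain()
            sent += 1
    except OSError:
        # Peer hung up, reset the connection or timed out: nothing to clean up
        # beyond closing our side.
        pass
    finally:
        writer.close()
    return sent


async def serve(host="0.0.0.0", port=2222, delay=10.0):
    # Assumed defaults for this example. No login prompt is ever offered,
    # so no credentials are read or accepted on this port.
    handler = functools.partial(tarpit, delay=delay)
    server = await asyncio.start_server(handler, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```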
That was an interesting read. Thank you.
Hey, the comments link isn't actually a link, whoever is running this bot.