Morning world! Another beautiful day in cyberland! How is everyone? Our little honeypot was busy yesterday! pew pew
OK, so we can see here that in the last 7 days noise from http://45.146.164.xxx is the top hitter. Traffic from this ASN has been hitting stuff all over the world recently with what appears to be untargeted brute force attacks against basically anything they can find, VPN, RDP etc.
Talos has this listed as UK and neutral... it's not. The ASN is what I would consider to be hostile and I believe it's owned by a Russian ISP.
You're gonna see all kinds of bad pew pews from here in your logs.
But so far nothing to write home about. It looks like a ton of boxes running OpenSSH so it might be a VPN, proxy etc. Either way it probably isn't doing it for charity!
Now I've got a dedicated Cisco ASA on an isolated network so we are gonna go check out the logs (the log management is on a laptop to keep it off the lab network).
OK, the only logon attempts to the VPN so far are, well... me. So that's not getting hit on the exposed SSL VPN on TCP 443.
Going back to our 'naughty' subnet we can see activity from that specific IP in October: https://www.abuseipdb.com/check/45.146.164.171?page=7#report
I can see previous activity on other IPs from before that as well.
And we can see here from the TAP (I wanted to check the network rather than the pot) that it's been hitting me on VNC. So again zzzzzzzzzzzz.
You can follow @UK_Daniel_Card.