New Raspberry Pi? Change the default password! Please!

If you’re running Raspbian or one of the standard Raspberry Pi Linux distros, the default account is pi with a password of raspberry.

Besides running PiAware, I also run an SSH honeypot on one of my Raspberry Pi systems. This honeypot tracks attackers looking to take over Internet-connected systems.

And just about every SSH login attack that my honeypot records has [pi/raspberry] as one of the combinations tried.

Please change the default password on your Pi system!

Bob K6RTM

Good advice Bob! I just changed mine now.

Honeypot? That takes me back to the last millennium :slight_smile: Got to look into setting one up at home here. Nothing should be getting in, but it’s a good way to verify. Thanx

The Raspberry Pi makes a great honeypot – take a look at Kippo, a nice open-source SSH honeypot. I’ve been running one for almost two years.

It records someone trying [pi/raspberry] at least once a day.

k6rtm:

Do you have the honeypot behind the router or straight into the cable modem?

I would think that unless you had the honeypot on an open port the router would block incoming unrequested traffic.

The Pi running the Kippo honeypot is behind the router, with a router port forwarding rule mapping incoming TCP port 22 traffic to port 2222 of the honeypot Pi – the Kippo honeypot listens on port 2222. Another router forwarding rule maps incoming TCP port 443 traffic to another honeypot.

(any more questions, just ask!)

–Bob K6RTM

Bob:

Thanks for the answer (and the offer to ask more questions).

I think I am missing something… If the goal is to keep bad guys out, why not just close port 22? I know that port 22 is the common SSH entry, but why open it just to monitor attacks? If it is open then you will certainly log attacks. If it is closed, the router should bounce the attacks off.

I still SSH into my Pis remotely; I use port 443 via an OpenVPN server running on my Pi. OpenVPN allows for DH 256bit public/private key pair encryption for a more hardened entry point.

Again, I am pretty sure I am missing the obvious so thanks again!

That’s pretty much the opposite of the goal of a honeypot.

It started a couple of years ago when I was reviewing router logs and saw a large number of whacks on TCP port 22 – SSH. Gradually I decided to track those attacks, found Kippo, dedicated a Pi, and it’s been nonstop fun ever since… It’s amazing (and disheartening) how nasty it is – I restarted the SSH honeypot logs on Jan 1. In 10 days the honeypot has recorded 59,440 SSH login attempts; this is on a residential cable service!

If you want to read about it, http://bob.k6rtm.net/kippo.html

I’m writing up the ADS-B - PiAware boxes; should have that up in a week or so.

Bob K6RTM

Bob:

Your website article is awesome! Thanks! :exclamation:

Still have the same question… you wrote:
“Here’s how the game is played. A remote computer scans the Internet, going to different addresses, sending a query to find out if that particular internet address has a service listening on port 22.”

I have port 22 stealthed on my router. So… it seems to me (and I could be wrong here) that a bad guy trying to SSH into my port 22 would see it as hidden (or closed). Also, without my port 22 forwarded, the router should “bounce off” the request. Wouldn’t that be enough protection?

Or… is the honeypot less about protection and more about acquiring data for attack research, etc? Which I agree is a valid reason for having it.

Thanks again for the back and forth.

Do you entirely trust every device that ever connects to your internal network?
It’s common for attacks to get a foothold on one device (e.g. browser exploit or whatever) and then use that to compromise whatever it can reach from there.

Or… is the honeypot less about protection and more about acquiring data for attack research, etc? Which I agree is a valid reason for having it.

That is exactly what a honeypot is - it’s a system that lures attackers into a controlled environment so you can collect data about the attacks.


It’s about collecting data – who are the bad actors out there and what are they trying? What patterns?

There’s also a perverse economic argument to be made for honeypots – if someone is harassing a honeypot that means they aren’t off harassing someone else. Not as strong an argument, particularly when attacks come from cloud services…

The data I’ve collected has helped a friend get his company to change their install procedures to require the user to provide a password rather than going with a default (and they don’t permit the old default to be used). It’s also helped to convince others to tighten up the way they run their networks.

–Bob K6RTM

Hell no! I know better than to trust me!

I use just about every tool I have available to protect my internal network. I also log what goes on, and review those logs (not as often as I should).

Examples – printers don’t need to connect to the Internet (sorry, HP), so Internet access is blocked (I can open it up to check for updates). Blu-ray players want Internet access, but they don’t need to talk to my computers, servers, printers.

–bob k6rtm

This thread seems to have crept over to Honeypot… could you please post the step-by-step instructions for changing the password for us “pilots who are not programmers”? :smiley:

Tom D.

On the Pi command prompt, type:

passwd

It will prompt you for the current password and then for a new one.
The raspberry site is a good resource: http://www.raspberrypi.org/documentation/linux/usage/users.md
You can generate strong passwords here:
http://passwordsgenerator.net

Regards,
Marcus

Marcus,

Thanks for that reply. I had read those steps previously without success, but now I figured out what I was doing wrong.

For the benefit of any other newbies, I was confused because most instructions start with a command line: “pi@piaware ~ $” or “pi@raspberrypi ~ $”. This makes it seem like it will be the starting point immediately after a fresh boot.

It is not. You will get “piaware login:” which is the default “pi”. Then “password:” which is default “raspberry”. Once entered the system will display “pi@piaware ~ $”. This is when you enter the “passwd” command. From there the prompts are self-explanatory.

Hope this saves some time for other folks.

Since the beginning of the year, my SSH honeypot has recorded 48 attempts trying to log in using that default, [pi/raspberry]. Not at all as common as [root/root], but if you’ve got a Pi connected to the internet…

If you want to see what the top 50 login attempts on my honeypot are, look here – http://bob.k6rtm.net/k50.txt

bob k6rtm
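As an added example (not Bob’s code and not part of Kippo itself), here is a small Python script that tallies login attempts from Kippo-style log lines the way the top-50 list does, and lists which source addresses tried a given default pair such as [pi/raspberry]. The sample log lines are constructed, and the regex assumes Kippo’s `login attempt [user/password] failed` line format.

```python
import re
from collections import Counter

# Constructed sample lines in Kippo's log style (not from a real honeypot).
SAMPLE_LOG = """\
2015-01-10 03:12:44+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.10] login attempt [root/root] failed
2015-01-10 03:12:45+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.10] login attempt [pi/raspberry] failed
2015-01-10 03:12:46+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.10] login attempt [root/123456] failed
2015-01-10 07:40:02+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.7] login attempt [root/root] failed
2015-01-10 07:40:03+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.7] login attempt [pi/raspberry] failed
2015-01-10 07:40:04+0000 [SSHService ssh-userauth on HoneyPotTransport,9,198.51.100.7] login attempt [admin/admin] failed
2015-01-11 12:05:19+0000 [SSHService ssh-userauth on HoneyPotTransport,14,203.0.113.4] login attempt [root/root] succeeded
2015-01-11 12:05:20+0000 [HoneyPotTransport,14,203.0.113.4] connection lost
"""

# Assumed Kippo line shape: the username cannot contain '/', the password may
# contain anything except ']' (a password containing ']' would not match).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<src>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)


def parse_attempts(text):
    """Yield (source_ip, user, password, result) for every login-attempt line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("pw"), m.group("result")


def top_credentials(text, n=50):
    """Rank user/password pairs by attempt count, like a top-50 list."""
    counts = Counter((u, p) for _, u, p, _ in parse_attempts(text))
    return counts.most_common(n)


def sources_trying(text, user, password):
    """Distinct source addresses that tried one specific credential pair."""
    return sorted({src for src, u, p, _ in parse_attempts(text)
                   if (u, p) == (user, password)})


if __name__ == "__main__":
    for (u, p), c in top_credentials(SAMPLE_LOG, 5):
        print(f"{c:5d}  [{u}/{p}]")
    print("tried pi/raspberry:", sources_trying(SAMPLE_LOG, "pi", "raspberry"))
```

Point it at a real kippo.log by reading the file into `text` instead of `SAMPLE_LOG`; any default pair that shows up in the top list is a credential worth checking on every Pi you own.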

So it seems the new PiAware (1.20) software has changed the default password (by default!). I’m trying to ssh into mine and have no clue how to do it. I don’t have an HDMI screen to connect to it and don’t want to buy one if I don’t have to.

The ultimate goal is to get the wireless dongle working. I’ve tried:
" ssh @ : "

This has not worked.
Yes the raspberry is up and running. I can see it on the web.
Yes I tried the other default password pi:raspberry.

Any help to a noob would be appreciated!

-Mike

Per the 1.20-1 release post, the default is now a username of “pi” / password of “flightaware”
(Not that it really helps to shift from one default to another, but it’s a tricky one to do right…)