Do you use honeypot servers and shares?

  • 25 October 2023
  • 5 comments
  • 102 views

Userlevel 7
Badge +8

I have several honeypot servers and shares with advanced alerting. If someone views, tries to ransomware, or modify anything within these, the bells and whistles may go off, scripts may be run, or emails are sent.

 

I had a good laugh after I set the first share up as I had no idea how many users just randomly click file shares “poking around” and trigger these alarms. I had to be strategic about most of them, and also educate some users to not click on them to avoid triggering alerts. 

 

I was reminded of this after the other conversation where I mentioned opening 3389 and forwarding the port to your home PC as a joke. This makes me want to create another honeypot server and connect it to the internet for my own curiosity. Around 15-20 years ago I had done something similar to access my PC from work, but it was much less risky back then. 

 

This also brings me to something I witnessed very recently. I support a group of people who have a server connected directly to the internet. When I first started helping them, there was no firewall (aside from windows firewall in defaults) and I told them every day it’s a matter of time before they totally lose everything.  It’s an isolated game server so it’s not critical, but it’s heavily used.  Recently I had them advise me it was running sluggish and asked for my assistance.

 

My first step was to check the event log and I noticed the issue immediately. One of their guys opened RDP as he figured it would be easier for him to connect and restart services when he needed to. I found tens of thousands of security events immediately after he opened the port. The retention time was down to minutes, there were so many different IPs trying to access it lol.

 

There is also a management port (old Dell iDRAC) connected to the internet. It's quite funny to see the SSH logs and the brute force attacks people are doing on it. (This server has actually been running like this for about 6 years now.)

 

I personally believe changing one thing the first time I helped them has prevented a ransomware attempt or hack. That is, changing the names of all administrative accounts!!!!! I changed all the names from Admin, Administrator, and Root to be very obscure. 99% of the attempts are targeted towards those names. You can see it in the logs in plain view. Not a single attempt is under the obscure names I renamed them to. This is still a terrible way to have a server and the opposite of best practice, but an interesting experiment in security. 😆
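The two things the post above looks for by eye in the Security log, touches on a decoy share and password guessing aimed at the default admin names, can be pulled out with a few lines of parsing. The block below is an added example, not the poster's scripts or alerting; the decoy path `C:\Shares\Finance_Backup`, the computer name GAMESRV, the account names, the TEST-NET source addresses and every event record are constructed for illustration. It reads Security-log records in the XML shape `wevtutil qe Security /f:xml` produces, lists 4663 object-access events under the decoy path (what a honeypot share alert fires on), and summarises 4625 failed logons per target account and per source IP, including the share of attempts against "administrator", "admin" and "root" and the rate that explains why log retention collapses to minutes.

```python
"""Triage a Windows Security log for decoy-share touches (4663) and password
guessing against default admin names (4625).  Added example, not the poster's
tooling; paths, names, IPs and the sample records are constructed."""
from collections import Counter
from datetime import datetime
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
HONEYPOT_PATHS = (r"C:\Shares\Finance_Backup",)   # assumed decoy location (hypothetical)
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}


def parse_events(xml_text):
    """Parse <Event> records in the shape `wevtutil qe Security /f:xml` emits."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.iter(NS + "Event"):
        sysel = ev.find(NS + "System")
        stamp = sysel.find(NS + "TimeCreated").get("SystemTime")
        rec = {"id": int(sysel.findtext(NS + "EventID")),
               "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")}  # UTC, sub-seconds dropped
        for d in ev.iter(NS + "Data"):          # EventData fields keyed by their Name attribute
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


def honeypot_alerts(events):
    """4663 (object access) events whose ObjectName sits under a decoy path."""
    hits = []
    for e in events:
        if e["id"] != 4663:
            continue
        obj = e.get("ObjectName", "")
        if any(obj.lower().startswith(p.lower()) for p in HONEYPOT_PATHS):
            hits.append((e["time"], e.get("SubjectUserName"), obj,
                         e.get("ProcessName"), e.get("AccessMask")))
    return hits


def failed_logon_stats(events):
    """4625 (failed logon) counts per target account and per source IP, plus the
    share of attempts aimed at the default admin names."""
    by_user, by_ip = Counter(), Counter()
    for e in events:
        if e["id"] != 4625:
            continue
        by_user[e.get("TargetUserName", "").lower()] += 1
        by_ip[e.get("IpAddress", "-")] += 1
    total = sum(by_user.values())
    default_hits = sum(n for u, n in by_user.items() if u in DEFAULT_ADMIN_NAMES)
    return {"total": total, "by_user": by_user, "by_ip": by_ip,
            "default_name_share": default_hits / total if total else 0.0}


def events_per_minute(events, event_id=4625):
    """Rate over the observed window; a high 4625 rate is what shrinks log retention to minutes."""
    times = sorted(e["time"] for e in events if e["id"] == event_id)
    if len(times) < 2:
        return 0.0
    span_min = (times[-1] - times[0]).total_seconds() / 60
    return len(times) / span_min if span_min else float("inf")


def _ev(eid, ts, **data):
    """Build one constructed Security-log record in wevtutil's XML shape."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/><Channel>Security</Channel>'
            f'<Computer>GAMESRV</Computer></System><EventData>{fields}</EventData></Event>')


def _logon(ts, user, ip):
    return _ev(4625, ts, TargetUserName=user, TargetDomainName="", IpAddress=ip,
               LogonType="10", Status="0xC000006D", SubStatus="0xC0000064")


def _access(ts, user, obj, proc, mask):
    return _ev(4663, ts, SubjectUserName=user, ObjectType="File", ObjectName=obj,
               ProcessName=proc, AccessMask=mask)


# Constructed sample: an RDP brute force from two TEST-NET addresses, one local
# typo by a real user, and file-access audits on the decoy share and a normal share.
SAMPLE_XML = "".join([
    _logon("2023-10-20T03:14:07Z", "Administrator", "203.0.113.7"),
    _logon("2023-10-20T03:14:12Z", "Administrator", "203.0.113.7"),
    _logon("2023-10-20T03:14:18Z", "admin", "203.0.113.7"),
    _logon("2023-10-20T03:14:31Z", "admin", "203.0.113.7"),
    _logon("2023-10-20T03:14:45Z", "root", "203.0.113.7"),
    _logon("2023-10-20T03:15:02Z", "Administrator", "203.0.113.7"),
    _logon("2023-10-20T03:15:30Z", "Administrator", "198.51.100.22"),
    _logon("2023-10-20T03:15:44Z", "ADMIN", "198.51.100.22"),
    _logon("2023-10-20T03:16:07Z", "scott", "10.0.0.15"),          # real user, wrong password
    _access("2023-10-23T09:02:11Z", "jsmith", r"C:\Shares\Finance_Backup\payroll.xlsx",
            r"C:\Windows\explorer.exe", "0x1"),                       # user poking around
    _access("2023-10-23T09:02:13Z", "jsmith", r"C:\Shares\Public\notes.txt",
            r"C:\Windows\explorer.exe", "0x1"),                       # not a decoy, no alert
    _access("2023-10-23T11:40:02Z", "jsmith", r"C:\Shares\Finance_Backup\payroll.xlsx",
            r"C:\Users\jsmith\Downloads\update.exe", "0x10000"),      # DELETE from an odd process
])

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for hit in honeypot_alerts(evs):
        print("HONEYPOT:", *hit)
    s = failed_logon_stats(evs)
    print(f"{s['total']} failed logons, {s['default_name_share']:.0%} against default admin names")
    print("top sources:", s["by_ip"].most_common(3))
    print(f"{events_per_minute(evs):.1f} failed logons/min in the sample window")
```

On a real host the input would come from `wevtutil qe Security /q:"*[System[(EventID=4625 or EventID=4663)]]" /f:xml`. Two caveats: 4663 is only written when the "Audit File System" subcategory is enabled and the decoy folder carries a SACL, so a honeypot share with no SACL alerts on nothing; and the AccessMask tells you whether the touch was a read from someone browsing (the post's "poking around" users) or a write or delete, which is the case worth paging on.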

 

 


5 comments

Userlevel 7
Badge +6

Security through obscurity isn’t my favourite way of handling security, but it can decrease your attack vector significantly for unsophisticated attacks. Thanks for sharing!

Userlevel 7
Badge +20

Really great read Scott. 👍

Userlevel 7
Badge +8

Security through obscurity isn’t my favourite way of handling security, but it can decrease your attack vector significantly for unsophisticated attacks. Thanks for sharing!

 

At work I follow best practices and keep things extremely secure.

This comes down to a few guys I know asking for assistance, then not taking my advice. I did what I could in a short period of time, but it’s not a paying customer.  

They either need to pay me, or at least take my advice if they want to beef up the security. This post was for more of a laugh as I’m actually shocked and impressed it’s still running. 

The isolated honeypot with some sort of offloading of logs will be a fun test though. I'll open a port here and there and see how quickly it gets compromised. Afterwards, I'll view the logs for some root cause analysis and post my findings.

 

 

Userlevel 7
Badge +7

Thanks for sharing your experience. Mr. Boss always thinks he won’t get hacked until the hackers find him.

Userlevel 7
Badge +10

This was a very amusing read. Thanks for posting!
