SSH Honeypot
This unfortunately named program listens for incoming ssh connections and logs the IP address, username, and password used by the client. This is a low-interaction honeypot that does not allow malware or attackers to login.
This was originally written to gather rudimentary intelligence on brute force attacks and not meant for production usage.
Nowadays, I mostly use this at attack/defend CTFs paired with sshunt: https://github.com/droberson/sshunt
I set up sshunt to forward tools such as Hydra, Metasploit, and Ncrack to ssh-honeypot and allow OpenSSH clients to connect to ssh normally.
Quickstart
Linux
Make sure headers/development packages are installed for:
- libssh
- openssl
- libjson-c
- libpcap
apt install libssh-dev libjson-c-dev libpcap-dev libssl-dev
Build and Run
make
ssh-keygen -t rsa -f ./ssh-honeypot.rsa
bin/ssh-honeypot -r ./ssh-honeypot.rsa
OSX (experimental/unsupported)
WARNING: I haven't tested JSON logging, HASSH, or anything really on OSX. MacOS is officially unsupported as I do not own any Macs to test this software with.
Make sure that xcode is up to date.
Install libssh and json-c
brew install libssh json-c
Specify MakefileOSX with make:
make -f MakefileOSX
Docker (experimental)
Please take a look at our Docker documentation.
HASSH
As of version 0.2.0, ssh-honeypot attempts to calculate the HASSH of the client software initiating sessions with ssh-honeypot. In short, you can tell if the client is using OpenSSH, PuTTY, SecureCRT, ...
For more information about HASSH, refer to these links:
- https://github.com/salesforce/hassh
- https://engineering.salesforce.com/open-sourcing-hassh-abed3ae5044c
Syslog facilities
As of version 0.0.5, this supports logging to syslog. This feature is toggled with the -s flag. It is up to you to configure your syslog facilities appropriately. This logs to LOG_AUTHPRIV which is typically /var/log/auth.log. You may want to modify this to use one of the LOG_LOCAL facilities if you are worried about password leakage.
Dropping Privileges
As of version 0.0.8, you can drop root privileges of this program after binding to a privileged port. You can now run this as nobody on port 22 for example instead of root, but have to initially start it as root:
sudo bin/ssh-honeypot -p 22 -u nobody
Beware that this chowns the logfile to the user specified as well.
Changing the Banner
ssh-honeypot allows you to change the server's banner to blend in with other hosts on your network or mimic a specific device.
List available banners
bin/ssh-honeypot -b
Set banner string
bin/ssh-honeypot -b "my banner string"
Set banner by index
bin/ssh-honeypot -i <banner index>
JSON Logging
The -j CLI flag specifies the path to log results in JSON
format. This feature can make log analytics much easier because many
languages have robust JSON support.
JSON logs can be sent to a remote host. The -J and -P CLI flags
set the host and port to send logs in JSON to, respectively. At this
time, logs are transmitted using UDP and not encrypted.
This feature can be useful when running multiple ssh-honeypot instances. Listeners can be created for Splunk and ElasticSearch to ingest these logs and make them searchable.
Systemd Integration
On Linux you can install ssh-honeypot as a Systemd service so that it automatically runs at system startup:
make install
systemctl enable --now ssh-honeypot
Before installing, check ssh-honeypot.service and modify it to run
with the options you want.