Repository files navigation

A low-interaction SSH honeypot written in C.

Usage: ssh-honeypotd [options]...

Mandatory arguments to long options are mandatory for short options too.

• -k,--host-key FILE: the file containing the private host key (RSA, DSA, ECDSA, ED25519)
• -b,--address ADDRESS: the IP address to bind to (default:0.0.0.0)
• -p,--port PORT: the port to bind to (default:22)
• -P,--pid FILE: the PID file (if not specified, the daemon will run in the foreground)
• -n,--name NAME: the name of the daemon for syslog (default:ssh-honeypotd)
• -u,--user USER: drop privileges and switch to this USER (default:daemon ornobody)
• -g,--group GROUP: drop privileges and switch to this GROUP (default:daemon ornogroup)
• -x,--no-syslog: log messages only to stderr (only works with--foreground)
• -f,--foreground: do not daemonize
• -h,--help: display help and exit
• -v,--version: output version information and exit

-k option must be specified at least once if ssh-honeypots is compiled against libssh prior to 0.8.0 (note that in Ubuntu (and possibly Debian), libssh 0.8.0 is detected as 0.7.0 because of a bug inlibssh.h). For newer libssh versions, the host key is generated automatically (RSA 2048 bits).

The minimum supportedlibssh version is 0.7.0.

docker run -d \    --network=host \    --cap-add=NET_BIND_SERVICE \    --restart=always \    --read-only \    --name=ssh-honeypotd \    -e ADDRESS=0.0.0.0 \    -e PORT=22 \    wildwildangel/ssh-honeypotd:latest

docker run -d \    --network=host \    --cap-add=NET_BIND_SERVICE \    --restart=always \    --read-only \    wildwildangel/ssh-honeypotd-min:latest

ssh-honeypotd.yaml:

---apiVersion:v1kind:Namespacemetadata:name:honeypots---apiVersion:apps/v1kind:DaemonSetmetadata:name:ssh-honeypotdnamespace:honeypotsspec:selector:matchLabels:name:ssh-honeypotdtemplate:metadata:labels:name:ssh-honeypotdspec:hostNetwork:truecontainers:        -name:ssh-honeypotdimage:wildwildangel/ssh-honeypotd-min# or wildwildangel/ssh-honeypotdresources:limits:cpu:100mmemory:12Mirequests:cpu:100mmemory:12MisecurityContext:capabilities:drop:                -alladd:                -NET_BIND_SERVICEreadOnlyRootFilesystem:trueallowPrivilegeEscalation:falseseccompProfile:type:RuntimeDefaultports:            -containerPort:22hostPort:22protocol:TCP

kubectl apply -f ssh-honeypotd.yaml

You can control ssh-honeypotd's behavior in the container (wildwildangel/ssh-honeypotd image) with the following environment variables:

• ADDRESS (default: 0.0.0.0): the IP address to bind to;
• PORT (default: 22): the port to bind to.

These variables make it easy to have several ssh-honeypotd's running on the same machine, should the need arise.

ssh-honeypotd's Docker image comes in two flavors:

1. A standard image based on the latest stable Alpine:wildwildangel/ssh-honeypotd.
2. A minimalistic image based on thescratch Docker image:wildwildangel/ssh-honeypotd-min

Thessh-honeypotd-min image contains only the statically linkedssh-honeypotd binary and the set of the pre-generated SSH keys. This image is a bit smaller thanssh-honeypotd but is experimental at the moment. Thessh-honeypotd binary in thessh-honeypotd-min image does not support the following command-line options:--pid,--name,--user,--group,--no-syslog,--foreground.