SSH honeypots log attacker activity
Change SSH Port
Edit the /etc/ssh/sshd_config configuration file, remove the # comment from the Port line, change 22 to another port, and then restart SSH with systemctl restart sshd.
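The same procedure as a script, added here as an example (it is not from the original post): a function that uncomments or rewrites the Port line in an sshd_config-style file, a function that reports the effective port, and a restart wrapper that runs sshd's own config check first so a typo cannot leave the host without a working SSH daemon. It assumes a POSIX sh with awk and mktemp; the demo at the bottom runs against a constructed temporary file, not the real /etc/ssh/sshd_config, and does not call sshd or systemctl.

```shell
#!/bin/sh
# Added example (not from the original post): move sshd to another port the way
# the text describes, then validate the file before restarting the service.
# Assumes POSIX sh with awk and mktemp. sshd and systemctl are only used by
# validate_and_restart, which the demo below does not call.

# set_ssh_port FILE PORT: rewrite the first "Port N" or "#Port N" line to
# "Port PORT", or append one if the file has none. Fails on a bad port number.
set_ssh_port() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    tmp="$cfg.tmp.$$"
    awk -v port="$port" '
        !done && /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/ {
            print "Port " port; done = 1; next      # first Port line, commented or not
        }
        { print }                                    # everything else unchanged
        END { if (!done) print "Port " port }        # no Port line at all: append one
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# current_ssh_port FILE: print the effective port (first uncommented Port line),
# or 22, sshd's default, when the file sets none.
current_ssh_port() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# validate_and_restart FILE: "sshd -t -f FILE" parses the config and returns
# non-zero on any error, so the daemon is only restarted with a valid file.
validate_and_restart() {
    sshd -t -f "$1" || { echo "config check failed; sshd NOT restarted" >&2; return 1; }
    systemctl restart sshd
}

# Demo on a constructed config, not the real /etc/ssh/sshd_config.
demo_cfg="$(mktemp)"
printf '# sample sshd_config (constructed)\n#Port 22\nPermitRootLogin no\n' > "$demo_cfg"
set_ssh_port "$demo_cfg" 2222
echo "effective port: $(current_ssh_port "$demo_cfg")"   # 2222
rm -f "$demo_cfg"
```

On the real host this is `set_ssh_port /etc/ssh/sshd_config 2222 && validate_and_restart /etc/ssh/sshd_config` as root. Open the new port in the host firewall first (for example `ufw allow 2222/tcp` or the firewalld equivalent; on SELinux systems the port also needs the ssh_port_t label), keep the current session open, and only close it once a fresh connection to the new port succeeds. On Debian-based systems the unit is named ssh rather than sshd.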
Honeypot
Honeypot technology is essentially a technique for deceiving attackers. By deploying hosts, network services, or information as bait, it lures attackers into launching attacks against them. This allows for the capture and analysis of the attack behavior, providing an understanding of the tools and methods used by the attacker, and helping to infer their intent and motives. It enables defenders to clearly understand the security threats they face and to enhance the security protection capabilities of their actual systems through technical and administrative measures.
sshesame Honeypot Program
GitHub: https://github.com/jaksi/sshesame
Features: It accepts any username and password and appears to "execute" any command, but nothing is actually run: every login attempt and every command is only recorded in the log.
docker run -d --name ssh -p 22:2022 ghcr.io/jaksi/sshesame
View the logs to see the commands executed by the attacker.
docker logs ssh
endlessh Honeypot Program
GitHub: https://github.com/skeeto/endlessh
Features: It sends the SSH banner extremely slowly, so connecting SSH clients stay stuck in the handshake for hours or even days at a time.
docker run -d \
--name=endlessh \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Etc/UTC \
-e MSDELAY=10000 \
-e MAXLINES=32 \
-e MAXCLIENTS=4096 \
-e LOGFILE=false \
-e BINDFAMILY= \
-p 22:2222 \
--restart unless-stopped \
linuxserver/endlessh
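To show what the "very slow banner" trick behind endlessh actually does, and why it is a honeypot in the sense of the Honeypot section above, here is a small asyncio tarpit added as an example. It is not endlessh's own code (endlessh is a C program; this is a from-scratch illustration of the same idea). The SSH transport protocol, RFC 4253, lets a server send arbitrary text lines before its "SSH-2.0-..." identification string as long as they do not begin with "SSH-"; a client must read them all before it can continue, so a server that trickles random junk lines and never sends the real banner holds the client in the pre-banner phase for as long as it is willing to wait, while logging every connection. The default delay and maximum line length mirror the MSDELAY=10000 and MAXLINES=32 values in the docker command above; the listening port 2222 in main() and the probe_tarpit() helper (which runs a throwaway server and client on localhost so the behaviour can be seen without waiting) are assumptions of this example.

```python
"""SSH tarpit in the spirit of endlessh (added example; not endlessh's own code).

RFC 4253 allows text lines before the server's "SSH-2.0-..." identification
string, provided they do not start with "SSH-". A client has to consume them
before it can proceed, so a server that sends random junk lines very slowly
and never the real banner keeps the client stuck. No real sshd is involved.
"""
import asyncio
import random

DEFAULT_DELAY = 10.0      # seconds between lines (MSDELAY=10000 in the post)
DEFAULT_MAX_LINE = 32     # maximum line length (MAXLINES=32 in the post)


def random_banner_line(rng, max_len=DEFAULT_MAX_LINE):
    """One junk line: printable ASCII, CRLF-terminated, never starting with 'SSH-'."""
    length = rng.randint(3, max_len - 2)          # leave room for the CRLF
    while True:
        line = "".join(chr(rng.randint(33, 126)) for _ in range(length))
        if not line.startswith("SSH-"):           # "SSH-" would end the pre-banner phase
            return line + "\r\n"


async def tarpit_connection(writer, delay, max_len, rng, log, stop):
    """Feed one client junk lines until it gives up or the server is stopped."""
    host, port = writer.get_extra_info("peername")[:2]
    sent = 0
    log.append(f"connect {host}:{port}")
    try:
        while not stop.is_set():
            line = random_banner_line(rng, max_len)
            writer.write(line.encode("ascii"))
            await writer.drain()                  # raises once the peer has gone away
            sent += len(line)
            try:
                await asyncio.wait_for(stop.wait(), timeout=delay)
            except asyncio.TimeoutError:
                pass                              # delay elapsed: send the next line
    except (ConnectionError, OSError):
        pass                                      # client disconnected
    finally:
        log.append(f"disconnect {host}:{port} bytes_sent={sent}")
        writer.close()


async def _probe(delay, max_len, n_lines, seed):
    """Start a tarpit on a random localhost port, connect to it, read n_lines."""
    log, stop, rng = [], asyncio.Event(), random.Random(seed)

    async def handler(reader, writer):
        await tarpit_connection(writer, delay, max_len, rng, log, stop)

    server = await asyncio.start_server(handler, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    lines = [await reader.readline() for _ in range(n_lines)]  # what an SSH client must read
    writer.close()
    stop.set()
    await asyncio.sleep(delay * 2 + 0.05)         # let the handler log the disconnect
    server.close()
    await server.wait_closed()
    return lines, log


def probe_tarpit(delay=0.01, max_len=DEFAULT_MAX_LINE, n_lines=3, seed=1):
    """Return (lines a client received, connection log) from a short throwaway run."""
    return asyncio.run(_probe(delay, max_len, n_lines, seed))


async def main(port=2222, delay=DEFAULT_DELAY, max_len=DEFAULT_MAX_LINE):
    """Run the tarpit for real, printing one log line per finished connection."""
    log, stop, rng = [], asyncio.Event(), random.Random()

    async def handler(reader, writer):
        await tarpit_connection(writer, delay, max_len, rng, log, stop)
        print(log[-1])

    server = await asyncio.start_server(handler, "0.0.0.0", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    for received in probe_tarpit()[0]:            # quick local demonstration
        print(received)
    asyncio.run(main())                            # then serve until interrupted
```

The log's bytes_sent figure is the useful metric for a tarpit: it grows with how long each scanner stayed stuck, which is exactly the cost the honeypot imposes on the attacker and the signal a defender gets about who is probing the port.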