{"id":13540376,"url":"https://github.com/droberson/ssh-honeypot","last_synced_at":"2025-04-02T07:30:57.028Z","repository":{"id":37924753,"uuid":"77460713","full_name":"droberson/ssh-honeypot","owner":"droberson","description":"Fake sshd that logs ip addresses, usernames, and passwords.","archived":false,"fork":false,"pushed_at":"2024-10-29T02:06:51.000Z","size":71,"stargazers_count":620,"open_issues_count":7,"forks_count":240,"subscribers_count":29,"default_branch":"master","last_synced_at":"2024-10-29T02:21:42.579Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/droberson.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-12-27T14:19:35.000Z","updated_at":"2024-10-29T02:06:54.000Z","dependencies_parsed_at":"2023-01-31T07:30:59.544Z","dependency_job_id":null,"html_url":"https://github.com/droberson/ssh-honeypot","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/droberson%2Fssh-honeypot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/droberson%2Fssh-honeypot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/droberson%2Fssh-honeypot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/droberson%2Fssh-honeypot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/droberson","download_url":"https://codeload.github.com/droberson/ssh-honeypot/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246774335,"owners_count":20831517,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:48.075Z","updated_at":"2025-04-02T07:30:53.737Z","avatar_url":"https://github.com/droberson.png","language":"C","funding_links":[],"categories":["\u003ca id=\"a2df15c7819a024c2f5c4a7489285597\"\u003e\u003c/a\u003e密罐\u0026\u0026Honeypot","\u003ca id=\"c8f749888134d57b5fb32382c78ef2d1\"\u003e\u003c/a\u003eSSH\u0026\u0026Telnet","Honeypots"],"sub_categories":["\u003ca id=\"c8f749888134d57b5fb32382c78ef2d1\"\u003e\u003c/a\u003eSSH\u0026\u0026Telnet"],"readme":"# SSH Honeypot\n\nThis unfortunately named program listens for incoming ssh connections\nand logs the IP address, username, and password used by the\nclient. This is a low-interaction honeypot that does not allow malware\nor attackers to login.\n\nThis was originally written to gather rudimentary intelligence on\nbrute force attacks and not meant for production usage.\n\nNowadays, I mostly use this at attack/defend CTFs paired with sshunt:\nhttps://github.com/droberson/sshunt\n\nI set up sshunt to forward tools such as Hydra, Metasploit, and Ncrack\nto ssh-honeypot and allow OpenSSH clients to connect to ssh normally.\n\n\n## Quickstart\n\n### Linux\n\nMake sure headers/development packages are installed for:\n\n- libssh\n- openssl\n- libjson-c\n- libpcap\n\n```\napt install libssh-dev libjson-c-dev libpcap-dev libssl-dev\n```\n\nBuild and Run\n\n```\nmake\nssh-keygen -t rsa -f ./ssh-honeypot.rsa\nbin/ssh-honeypot -r ./ssh-honeypot.rsa\n```\n\n### OSX (experimental/unsupported)\n\n_WARNING: I haven't tested JSON logging, HASSH, or anything really on\nOSX. MacOS is officially unsupported as I do not own any Macs to test\nthis software with._\n\nMake sure that xcode is up to date.\n\nInstall libssh and json-c\n\n```\nbrew install libssh json-c\n```\n\nSpecify MakefileOSX with make:\n\n```\nmake -f MakefileOSX\n```\n\n\n### Docker (experimental)\n\nPlease take a look at our [Docker documentation](docker/README.md).\n\n\n## HASSH\n\nAs of version 0.2.0, ssh-honeypot attempts to calculate the HASSH of\nthe client software initiating sessions with ssh-honeypot. In short,\nyou can tell if the client is using OpenSSH, PuTTY, SecureCRT, ...\n\nFor more information about HASSH, refer to these links:\n\n- https://github.com/salesforce/hassh\n- https://engineering.salesforce.com/open-sourcing-hassh-abed3ae5044c\n\n## Syslog facilities\n\nAs of version 0.0.5, this supports logging to syslog. This feature is\ntoggled with the -s flag. It is up to you to configure your syslog\nfacilities appropriately. This logs to LOG_AUTHPRIV which is typically\n/var/log/auth.log. You may want to modify this to use one of the\nLOG_LOCAL facilities if you are worried about password leakage.\n\n\n## Dropping Privileges\n\nAs of version 0.0.8, you can drop root privileges of this program\nafter binding to a privileged port. You can now run this as _nobody_\non port 22 for example instead of root, but have to initially start it\nas root:\n\n```\nsudo bin/ssh-honeypot -p 22 -u nobody\n```\n\nBeware that this chowns the logfile to the user specified as well.\n\n\n## Changing the Banner\n\nssh-honeypot allows you to change the server's banner to blend in with\nother hosts on your network or mimic a specific device.\n\nList available banners\n\n```\nbin/ssh-honeypot -b\n```\n\nSet banner string\n\n```\nbin/ssh-honeypot -b \"my banner string\"\n```\n\nSet banner by index\n\n```\nbin/ssh-honeypot -i \u003cbanner index\u003e\n```\n\n\n## JSON Logging\n\nThe `-j` CLI flag specifies the path to log results in JSON\nformat. This feature can make log analytics much easier because many\nlanguages have robust JSON support.\n\nJSON logs can be sent to a remote host. The `-J` and `-P` CLI flags\nset the host and port to send logs in JSON to, respectively. At this\ntime, logs are transmitted using UDP and not encrypted.\n\nThis feature can be useful when running multiple ssh-honeypot\ninstances. Listeners can be created for Splunk and ElasticSearch to\ningest these logs and make them searchable.\n\n\n## Systemd Integration\n\nOn Linux you can install ssh-honeypot as a Systemd service so that it\nautomatically runs at system startup:\n\n```\nmake install\nsystemctl enable --now ssh-honeypot\n```\n\nBefore installing, check `ssh-honeypot.service` and modify it to run\nwith the options you want.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdroberson%2Fssh-honeypot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdroberson%2Fssh-honeypot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdroberson%2Fssh-honeypot/lists"}