Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/JustinAzoff/ssh-auth-logger

A low/zero interaction ssh authentication logging honeypot
https://github.com/JustinAzoff/ssh-auth-logger

honeynet ssh-server

Last synced: 2 months ago
JSON representation

A low/zero interaction ssh authentication logging honeypot

Lists

README

        

A low/zero interaction ssh authentication logging honeypot

## Interesting features

### Structured logging

ssh-auth-logger logs all authentication attempts as json making it easy to
consume in other tools. No more ugly [openssh log parsing
vulnerabilities](http://dcid.me/texts/attacking-log-analysis-tools.html).

### "Random" host keys
ssh-auth-logger uses HMAC to hash the destination IP address and a key in order to
generate a consistently "random" key for every responding IP address. This
means you can run ssh-auth-logger on a /16 and every ip address will appear
with a different host key. TODO: add random sshd version reporting as well.

## Example log entry

This is normally logged on one line

```
{
"client_version": "SSH-2.0-libssh2_1.4.3",
"destinationServicename": "sshd",
"dpt": "22",
"dst": "192.168.1.2",
"duser": "root",
"level": "info",
"msg": "Request with password",
"password": "P@ssword1",
"product": "ssh-auth-logger",
"server_version": "SSH-2.0-OpenSSH_5.3",
"spt": "38624",
"src": "192.168.1.4",
"time": "2017-11-17T19:16:37-05:00"
}
```

## How to use it

go get -u -v github.com/JustinAzoff/ssh-auth-logger
export SSHD_BIND=:2222
~/go/bin/ssh-auth-logger

## Note

To bind to port 22 directly:

sudo setcap cap_net_bind_service=+ep ~/go/bin/ssh-auth-logger

## Run with docker

docker run -t -i --rm -p 2222:22 justinazoff/ssh-auth-logger