+++
title = 'Running an SSH honeypot to troll skids'
date = 2025-01-03T11:10:19+02:00
draft = false
+++

If you've ever looked at a public server's SSH logs, you have probably found tens of failed connections from IP addresses you are not associated with. Those are bots trying to brute-force their way into your Linux box.

An easy way to change this is to move SSH to a different port, but that's just lame. What you should do is do a *little bit of trolling*.

So today, we'll be configuring `sshesame` to listen on port 22 and some other common SSH ports.

## Prerequisites

* A public Linux server running a \*nix distribution
* Some moderate CLI experience
* Patience

## Obtaining the binaries

If you're using Debian, like me, you can easily install sshesame, as [there is a package for it](https://packages.debian.org/bookworm/sshesame) (which is apparently terribly out of date, but it is fine enough). On other distributions, you might have to follow other instructions or compile it from source, which I was going to do anyway.

```sh
git clone https://github.com/jaksi/sshesame
cd sshesame
go build
mv sshesame /usr/local/bin # You don't have to use this path if you don't want to
```

## Moving SSH from port 22

This can be easily done by editing `/etc/ssh/sshd_config`. Uncomment the 14th line and replace 22 with any port you want. Personally, I use 69 because it's a very funny number!!!

Make sure to restart the `sshd` service after changing the port.

## Configuring sshesame

Now that we've got sshesame, we can get to configuring it. Advanced users should probably edit the sample configuration file from [here](https://github.com/jaksi/sshesame/blob/master/sshesame.yaml), which contains a lot more options, but personally, I think most of the people reading my ramblings would get away with the basic configuration I will share below.
Feel free to write the configuration wherever you want, but I prefer having it in `/etc/sshesame.yaml`.

**sshesame.yaml**

```yaml
server:
  listen_address: 0.0.0.0:22
  host_keys: null
logging:
  file: null
  json: false
  timestamps: true
  debug: false
  metrics_address: null
  split_host_port: false
auth:
  no_auth: false
  max_tries: 0
  password_auth:
    enabled: true
    accepted: true
  public_key_auth:
    enabled: false
    accepted: false
ssh_proto:
  version: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
  banner: Hewwo skids :3
  rekey_threshold: 0
  key_exchanges: null
  ciphers: null
  macs: null
```

Now you can just execute `sshesame -config /etc/sshesame.yaml` and you will have a honeypot. You probably want this to run whenever your system starts, though, and for this we can use systemd.

## Sshesame as a Systemd service

Create a new file, `/etc/systemd/system/sshesame.service`, and populate it with the following contents.

```ini
[Unit]
Description=SSH honeypot
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/sshesame -config /etc/sshesame.yaml
Restart=always

[Install]
WantedBy=multi-user.target
```

```sh
systemctl daemon-reload
systemctl enable --now sshesame
```

And now you can have skids waste their time hacking your box. Yay!

P.S. Happy 2025
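
The `sshesame.service` unit above has no `User=` line, so the internet-facing honeypot runs as root. A hardened variant of the same unit follows, added here as an example and not part of the original post. The `-data_dir` flag and the `/var/lib/sshesame` path are assumptions (check `sshesame -h` on your build); they give the generated host keys from `host_keys: null` a writable location.

```ini
# /etc/systemd/system/sshesame.service (hardened variant, added example)
[Unit]
Description=SSH honeypot
After=network-online.target
Wants=network-online.target

[Service]
# -data_dir is an assumption: directory for the generated host keys
ExecStart=/usr/local/bin/sshesame -config /etc/sshesame.yaml -data_dir /var/lib/sshesame
Restart=always

# Run as a throwaway unprivileged user instead of root
DynamicUser=yes
# Creates /var/lib/sshesame, writable by the service user
StateDirectory=sshesame

# Only capability kept: binding ports below 1024 (listen_address is :22)
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# Filesystem: read-only OS, no home directories, private /tmp and /dev
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel and namespace surface
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

`/etc/sshesame.yaml` must be readable by the service user. After `systemctl daemon-reload`, `systemd-analyze security sshesame` shows the resulting exposure score and `journalctl -u sshesame` shows the captured attempts.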