website/content/posts/honeypot.md
fzorb 7b6cf882a6
Update content/posts/honeypot.md
2025-01-03 13:52:24 +02:00

+++
title = 'Running an SSH honeypot to troll skids'
date = 2025-01-03T11:10:19+02:00
draft = false
+++

If you've ever looked at a public server's SSH logs, you have probably found tens of failed connections from IP addresses you don't recognize. Those are bots trying to brute-force their way into your Linux box. An easy way to cut this down is to change the SSH port, but that's just lame. What you should do is do a little bit of trolling. So today, we'll be configuring sshesame to listen on port 22 and some other common SSH ports.

## Prerequisites

- A public Linux server running a *nix distribution
- Some moderate CLI experience
- Patience

## Obtaining the binaries

If you're using Debian, like me, you can easily install sshesame, as there is a package for it (which is apparently terribly out of date, but fine enough). On other distributions you might have to follow other instructions, or compile it from source, which I was going to do anyway.

```shell
git clone https://github.com/jaksi/sshesame
cd sshesame
go build
mv sshesame /usr/local/bin # You don't have to use this path if you don't want to
```

## Moving SSH from port 22

This can be easily done by editing `/etc/ssh/sshd_config`. Uncomment the 14th line and replace 22 with any port you want. Personally, I use 69 because it's a very funny number!!! Make sure to restart the sshd service after changing the port.
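The same edit, done as a script so it works regardless of which line the `Port` directive is on, and so sshd gets to check the file before you restart it and lock yourself out. This is an added example, not part of the post and not sshesame's code; it assumes a stock OpenSSH `sshd_config` layout (a commented `#Port 22` default, an active `Port N`, or no `Port` line at all) and uses the post's path and port as defaults.

```python
"""Rewrite the Port directive in an sshd_config. Added example, not from the post."""
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Matches an active or commented-out Port directive, optionally followed by a comment.
PORT_RE = re.compile(r"^\s*#?\s*Port\s+\d+\s*(#.*)?$", re.IGNORECASE)


def set_sshd_port(config_text: str, port: int) -> str:
    """Return config_text with exactly one active 'Port <port>' directive.

    Covers the states a stock sshd_config can be in:
      - the commented default ('#Port 22'): replaced in place
      - an active directive ('Port 2222'): replaced in place
      - no Port line at all: one is appended
    Any further active Port lines are commented out, because sshd listens on
    every Port directive it is given and we want it bound to the new port only.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    out, done = [], False
    for line in config_text.splitlines():
        if not PORT_RE.match(line):
            out.append(line)
            continue
        if not done:
            out.append(f"Port {port}")
            done = True
        elif line.lstrip().startswith("#"):
            out.append(line)  # already inactive, leave it alone
        else:
            out.append("#" + line.strip())  # extra active Port line: disable it
    if not done:
        out.append(f"Port {port}")
    return "\n".join(out) + "\n"


def main(argv: list) -> int:
    """Usage: set_sshd_port.py [sshd_config path] [port]  (run as root)."""
    path = Path(argv[1]) if len(argv) > 1 else Path("/etc/ssh/sshd_config")
    port = int(argv[2]) if len(argv) > 2 else 69  # the post's choice
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_sshd_port(path.read_text(), port))
    # 'sshd -t -f FILE' is sshd's own syntax check; restore the backup if it fails.
    try:
        check = subprocess.run(["sshd", "-t", "-f", str(path)], capture_output=True, text=True)
    except FileNotFoundError:
        print("sshd not on PATH, skipping syntax check", file=sys.stderr)
    else:
        if check.returncode != 0:
            shutil.copy2(backup, path)
            print("sshd rejected the config, backup restored:", check.stderr, file=sys.stderr)
            return 1
    print(f"Port set to {port}; now run: systemctl restart sshd")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep your current SSH session open until you have confirmed you can log in on the new port from a second session; the backup file is there so you can put things back if the restart goes wrong.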

## Configuring sshesame

Now that we've got sshesame, we can get to configuring it. Advanced users should probably start from the sample configuration file from here, which contains a lot more options, but I think most of the people reading my ramblings will get away with the basic configuration I share below. Feel free to write the configuration wherever you want, but I prefer having it in `/etc/sshesame.yaml`.

`sshesame.yaml`:

```yaml
server:
  listen_address: 0.0.0.0:22
  host_keys: null

logging:
  file: null
  json: false
  timestamps: true
  debug: false
  metrics_address: null
  split_host_port: false

auth:
  no_auth: false
  max_tries: 0

  password_auth:
    enabled: true
    accepted: true

  public_key_auth:
    enabled: false
    accepted: false

ssh_proto:
  version: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
  banner: Hewwo skids :3
  rekey_threshold: 0
  key_exchanges: null
  ciphers: null
  macs: null
```

Now you can just execute `sshesame -config /etc/sshesame.yaml` and you will have a honeypot. You probably want it to start whenever your system boots, though, and for that we can use systemd.
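To confirm the setup does what you want, namely the honeypot answering on port 22 with the string from `ssh_proto.version` and the real sshd answering on its new port, here is a small checker that reads the SSH identification line (RFC 4253 section 4.2) from each listener. It is an added example, not from the post or from sshesame; it assumes sshd was moved to port 69 as in the post and that both services run on the host you point it at (default `127.0.0.1`).

```python
"""Read what each SSH listener announces. Added example, not from the post or sshesame."""
import re
import socket
import sys

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
MAX_IDENT_LEN = 253  # 255 bytes including the CR LF


class Incomplete(ValueError):
    """No newline-terminated identification line has arrived yet."""


def extract_identification(data: bytes) -> bytes:
    """Return the first complete line in data that starts with b'SSH-', without CR LF.

    The RFC lets a server send other lines first, which a client must ignore.
    Only newline-terminated lines count; a trailing partial line is not used.
    """
    for line in data.split(b"\n")[:-1]:
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            if len(line) > MAX_IDENT_LEN:
                raise ValueError("identification line exceeds 255 bytes")
            return line
    raise Incomplete("no complete SSH identification line yet")


def parse_identification(line: bytes) -> dict:
    """Split an identification line into protoversion, softwareversion and comments."""
    m = IDENT_RE.match(line.decode("ascii", errors="replace"))
    if not m:
        raise ValueError(f"malformed identification string: {line!r}")
    return {"protoversion": m["proto"], "softwareversion": m["software"], "comments": m["comments"]}


def announces(line: bytes, configured_version: str) -> bool:
    """True if the line is exactly the string configured under ssh_proto.version."""
    return line == configured_version.encode("ascii")


def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect, read until the identification line arrives, and return it raw."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while len(buf) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            try:
                return extract_identification(buf)
            except Incomplete:
                continue  # keep reading
    raise ValueError(f"{host}:{port} sent no identification line")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    honeypot_version = "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2"  # from sshesame.yaml above
    for port in (22, 69):  # honeypot port and the moved sshd port, as in the post
        try:
            line = probe(host, port)
        except (OSError, ValueError) as err:
            print(f"{port}: no banner ({err})")
            continue
        info = parse_identification(line)
        tag = "honeypot (matches ssh_proto.version)" if announces(line, honeypot_version) else "something else"
        print(f"{port}: {info['softwareversion']} {info['comments'] or ''} -> {tag}")
```

Whatever you put in `ssh_proto.version` is exactly what scanners record for your host, so if you want the honeypot taken seriously, keep it a plausible OpenSSH string rather than something that gives the game away.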

## Sshesame as a systemd service

Create a new file, `/etc/systemd/system/sshesame.service`, and populate it with the following contents.

```ini
[Unit]
Description=SSH honeypot
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/sshesame -config /etc/sshesame.yaml
Restart=always

[Install]
WantedBy=multi-user.target
```

Then reload systemd and enable the service so it starts now and on every boot:

```shell
systemctl daemon-reload
systemctl enable --now sshesame
```

And now you can have skids waste their time hacking your box. Yay!

P.S. Happy 2025