droberson / ssh-honeypot Goto Github PK

Fake sshd that logs ip addresses, usernames, and passwords.

License: MIT License

Makefile 1.94% C 73.69% Shell 22.08% Dockerfile 2.29%

ssh-honeypot's Introduction

SSH Honeypot

This unfortunately named program listens for incoming ssh connections and logs the IP address, username, and password used by the client. This is a low-interaction honeypot that does not allow malware or attackers to login.

This was originally written to gather rudimentary intelligence on brute force attacks and not meant for production usage.

Nowadays, I mostly use this at attack/defend CTFs paired with sshunt: https://github.com/droberson/sshunt

I set up sshunt to forward tools such as Hydra, Metasploit, and Ncrack to ssh-honeypot and allow OpenSSH clients to connect to ssh normally.

Quickstart

Linux

Make sure headers/development packages are installed for:

libssh
openssl
libjson-c
libpcap

apt install libssh-dev libjson-c-dev libpcap-dev libssl-dev

Build and Run

make
ssh-keygen -t rsa -f ./ssh-honeypot.rsa
bin/ssh-honeypot -r ./ssh-honeypot.rsa

OSX (experimental/unsupported)

WARNING: I haven't tested JSON logging, HASSH, or anything really on OSX. MacOS is officially unsupported as I do not own any Macs to test this software with.

Make sure that xcode is up to date.

Install libssh and json-c

brew install libssh json-c

Specify MakefileOSX with make:

make -f MakefileOSX

Docker (experimental)

Please take a look at our Docker documentation.

HASSH

As of version 0.2.0, ssh-honeypot attempts to calculate the HASSH of the client software initiating sessions with ssh-honeypot. In short, you can tell if the client is using OpenSSH, PuTTY, SecureCRT, ...

For more information about HASSH, refer to these links:

Syslog facilities

As of version 0.0.5, this supports logging to syslog. This feature is toggled with the -s flag. It is up to you to configure your syslog facilities appropriately. This logs to LOG_AUTHPRIV which is typically /var/log/auth.log. You may want to modify this to use one of the LOG_LOCAL facilities if you are worried about password leakage.

Dropping Privileges

As of version 0.0.8, you can drop root privileges of this program after binding to a privileged port. You can now run this as nobody on port 22 for example instead of root, but have to initially start it as root:

sudo bin/ssh-honeypot -p 22 -u nobody

Beware that this chowns the logfile to the user specified as well.

Changing the Banner

ssh-honeypot allows you to change the server's banner to blend in with other hosts on your network or mimic a specific device.

List available banners

bin/ssh-honeypot -b

Set banner string

bin/ssh-honeypot -b "my banner string"

Set banner by index

bin/ssh-honeypot -i <banner index>

JSON Logging

The -j CLI flag specifies the path to log results in JSON format. This feature can make log analytics much easier because many languages have robust JSON support.

JSON logs can be sent to a remote host. The -J and -P CLI flags set the host and port to send logs in JSON to, respectively. At this time, logs are transmitted using UDP and not encrypted.

This feature can be useful when running multiple ssh-honeypot instances. Listeners can be created for Splunk and ElasticSearch to ingest these logs and make them searchable.

Systemd Integration

On Linux you can install ssh-honeypot as a Systemd service so that it automatically runs at system startup:

make install
systemctl enable --now ssh-honeypot

Before installing, check ssh-honeypot.service and modify it to run with the options you want.

ssh-honeypot's People

Contributors

Stargazers

Watchers

Forkers

x0rz shekkbuilder bronx205 mcshauno alexxnica zerotoone777 chocolakuma deosai daedalus paran0ids0ul handofbod sage-pe systemx gingerhot mvukovic gvsurenderreddy dhayalanb dot-sean vinodsmenon empereurmarcaurele javarockstar bbsyaya random-robbie h0k5 skyformat99 heikipikker ferrolad rudimeier littlecho liumorgan eexwhyzee ad77root zuoshouxu longkeyy fatykrch johnhubcr mrtaheramine permikomnaskaltara qussimodo n0thing2speak screab-idh isostarec scanfsec eg0xy dubnaio gavz ashr hazer 0xman dirkwilken plasticuproject 02bx athna some1suspicious mxdjo zjsxwc santigz hmel interbiznw nrjulian yianzhai h4r0 vivienney otilrac jackjieyyy lanceae telnetd-dev posjenswegener xzero707 rainbowbreeze link89 synaesthesia hapser eengstrom chatchu amarjitghuman wjcxk21 lynxgeeknyc zzzapzzz eckyecky tuuunya leelee121 strivenous tsengsam 17zuonie mod94 eeak kamish ktanable1 bryanwills hartl3y94 amanchawla97 chrisumbel russwe husixu1 pfect jorgeverastegui marcpartensky hafo821 philflex2020

ssh-honeypot's Issues

Doesn't work on Raspberrypi 2 B

Hi, and thanks a lot for your code.

I've tried to make it run on a Raspberry pi, but it won't.

There is no issue with the compilation, but, when I try to execute it, it give me the help informations.
I've take on my main computer the exact same configuration using scp to transfer from one to the other, recompil' it, and there are no issues on my main.

Configs:
Raspberry Pi 2 B v1.1 with last Stable Raspbian
gcc: gcc (Raspbian 4.9.2-10) 4.9.2

Main : MSI GP62-6qe with Linux Mint 18.1 Cinnamon
gcc: gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609

I've added into your code to check lots of printf() to get me where it goes on the raspberry and which are the values, and what it do is in the main() is going in the default case, even with a parameter.

If you need more informations, contact me, I'll try to figure what is happening, maybe just because of a bad gcc version, idk..

[FR] auto report attacks

zombie child processes

Zombie created with each authentication request.
i think something like this http://stackoverflow.com/questions/17015830/how-can-i-prevent-zombie-child-processes can help you solve problem

MD5 Error

root@ubuntu~/ssh-honeypot# make
cc -Wall -o bin/ssh-honeypot src/ssh-honeypot.c -lssh -ljson-c -lpcap -lssl -lcrypto
src/ssh-honeypot.c: In function ‘parse_hassh’:
src/ssh-honeypot.c:484:9: warning: ‘MD5_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
484 | MD5_Init(&ctx);
| ^~~~~~~~
In file included from src/ssh-honeypot.c:39:
/usr/include/openssl/md5.h:49:27: note: declared here
49 | OSSL_DEPRECATEDIN_3_0 int MD5_Init(MD5_CTX *c);
| ^~~~~~~~
src/ssh-honeypot.c:485:9: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
485 | MD5_Update(&ctx, hassh, strlen(hassh));
| ^~~~~~~~~~
In file included from src/ssh-honeypot.c:39:
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
src/ssh-honeypot.c:486:9: warning: ‘MD5_Final’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
486 | MD5_Final(digest, &ctx);
| ^~~~~~~~~
In file included from src/ssh-honeypot.c:39:
/usr/include/openssl/md5.h:51:27: note: declared here
51 | OSSL_DEPRECATEDIN_3_0 int MD5_Final(unsigned char *md, MD5_CTX *c);
| ^~~~~~~~~

pcap error

Got this error when a client connected and sent no data. This was likely a port scan.

[Thu Mar 3 16:59:13 2022] ERROR: Unable to open ssh pcap file /tmp/ssh-honeypot-369734.pcap: truncated dump file; tried to read 4 file header bytes, only got 0

Source Port in Log

The inclusion of source port in logs is necessary to send abuse reports (via X-ARF). This would be highly beneficial to the project.

CVE-2018-10933

I noticed that ssh-honepot use libssh. Is it secure?

Gentoo ebuild

here

ssh-honeypot creates hundreds of forks, consuming all memory

Hi. I’ve been using ssh-honeypot for a few weeks now, and i noticed that the server has a very concerning ram usage. This server is a firewall, and only uses iptables (kernel-space) and ssh-honeypot. Here’s my monitoring graph for the last 7 days:

The drops in memory consumption are when i restart the ssh-honeypot service (using openrc). Right now, there’s 425 honeypot processes running.

Why is ssh-honeypot behaving like this, and what can be done to prevent crashing my server every 2 days if i don’t stop manually the service?

FATAL: ssh_bind_listen():

~/src/ssh-honeypot(master) » sudo bin/ssh-honeypot -p 22 -u nobody                                          
[Tue May 19 14:50:10 2020] ssh-honeypot 0.1.0 by Daniel Roberson started on port 22. PID 1073190
[Tue May 19 14:50:10 2020] FATAL: ssh_bind_listen(): 
--------------------------------------------------------------------------------------------------------------------------------
~/src/ssh-honeypot(master) » sudo bin/ssh-honeypot -p 2222 -u nobody                                        
[Tue May 19 14:50:13 2020] ssh-honeypot 0.1.0 by Daniel Roberson started on port 2222. PID 1073210
[Tue May 19 14:50:13 2020] FATAL: ssh_bind_listen(): 
--------------------------------------------------------------------------------------------------------------------------------
~/src/ssh-honeypot(master) » sudo bin/ssh-honeypot -p 22222 -u nobody                                       
[Tue May 19 14:50:16 2020] ssh-honeypot 0.1.0 by Daniel Roberson started on port 22222. PID 1073226
[Tue May 19 14:50:16 2020] FATAL: ssh_bind_listen():

[feature] allow disabling the file log

I think I can run ssh-honeypot on a readonly filesystem if it didn't need to log. As a workaround, I'm logging to /dev/null right now, but with the way log_entry() is written, writing to console or syslog is in addition to the logfile, which is unfortunate.