This program listens for incoming SSH connections and logs the IP address, username, and password used. This was written to gather rudimentary intelligence on brute-force attacks.
Usage example, writing fields 7 and 8 of each log entry to passlist:
$ awk '{print $7,$8}' ssh-honeypot.log > passlist
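The one-liner above cuts a password that contains a space at its first space. The following added example (not part of the project) keeps the whole password and also tallies attempts per source; it assumes the field layout implied by `$7,$8`, with the source IP in `$6`, and runs on constructed log lines.

```shell
#!/bin/sh
# Added example. Assumed log layout (inferred from the awk one-liner, not
# stated on the page): five timestamp fields, then source IP ($6),
# username ($7) and the password from $8 to the end of the line.
export LC_ALL=C
TAB=$(printf '\t')

# Constructed sample lines using documentation-range addresses.
sample_log() {
cat <<'EOF'
[Mon Jan  1 00:00:01 2024] 203.0.113.5 root 123456
[Mon Jan  1 00:00:02 2024] 203.0.113.5 root password
[Mon Jan  1 00:00:03 2024] 203.0.113.5 admin admin
[Mon Jan  1 00:00:09 2024] 198.51.100.7 root 123456
[Mon Jan  1 00:00:12 2024] 198.51.100.7 pi correct horse
[Mon Jan  1 00:00:15 2024] 192.0.2.44 root 123456
EOF
}

# "user<TAB>password" per attempt. Unlike `print $7,$8`, this keeps
# passwords that contain spaces by stripping the first seven fields.
creds() {
    awk 'NF >= 7 {
        pw = ""
        if (NF >= 8) {
            pw = $0
            for (i = 0; i < 7; i++) sub(/^[ \t]*[^ \t]+[ \t]/, "", pw)
        }
        printf "%s\t%s\n", $7, pw
    }'
}

# "count<TAB>password", most frequently tried first.
top_passwords() {
    creds | awk -F '\t' '{ n[$2]++ }
        END { for (p in n) printf "%d\t%s\n", n[p], p }' |
    sort -t "$TAB" -k1,1nr -k2,2
}

# "ip<TAB>attempts<TAB>distinct usernames", busiest source first.
by_source() {
    awk 'NF >= 7 {
        a[$6]++
        if (!(($6, $7) in seen)) { seen[$6, $7] = 1; u[$6]++ }
    }
    END { for (ip in a) printf "%s\t%d\t%d\n", ip, a[ip], u[ip] }' |
    sort -t "$TAB" -k2,2nr -k1,1
}

sample_log | by_source
sample_log | top_passwords
```

Against a real log, feed the file on standard input, for example `by_source < ssh-honeypot.log`.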
On Linux (Debian/Ubuntu), make sure libssh is installed:
$ apt install libssh-dev
On macOS, make sure that Xcode is up to date.
Install libssh:
$ brew install libssh
Specify MakefileOSX with make:
$ make -f MakefileOSX
Build and run:
$ make
$ ssh-keygen -t rsa -f ./ssh-honeypot.rsa
$ bin/ssh-honeypot -r ./ssh-honeypot.rsa
Usage:
$ bin/ssh-honeypot -h
As of version 0.0.5, this supports logging to syslog. This feature is toggled with the -s flag. It is up to you to configure your syslog facilities appropriately. This logs to LOG_AUTHPRIV which is typically /var/log/auth.log. You may want to modify this to use one of the LOG_LOCAL facilities if you are worried about password leakage.
This was implemented to aggregate the data from several hosts into a centralized spot.
As of version 0.0.8, this program can drop root privileges after binding to a privileged port. For example, you can run it as nobody on port 22 instead of root, but you must still start it as root:
$ sudo bin/ssh-honeypot -p 22 -u nobody
Beware that this chowns the logfile to the user specified as well.
Change the port of your ssh server from 22 to something like 2222. See https://www.godaddy.com/help/changing-the-ssh-port-for-your-linux-server-7306 for help.
List available banners
$ bin/ssh-honeypot -b
Set banner string
$ bin/ssh-honeypot -b "my banner string"
Set banner by index
$ bin/ssh-honeypot -i <banner index>