SSH Honeypot?

xuanbao · 705 views
This is a resource shared on ; the information it contains may have since developed or changed.
So I was checking one of my servers and saw that I have been getting attacked by a botnet on port 22. I changed my port to negate the issue.

This made me think. Could I make a honeypot using Go? From what I know, I would have to listen on port 22 and just log the information to a file?

Fake the login? Any ideas?

---

**Comments:**

EscobarATM: https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

joushou: Very sane arguments indeed, although I highly disagree that a port beneath 1024 should increase your trust. The capability to start services on ports under 1024 can be assigned to arbitrary files, and can just be disabled in the kernel by removing a few lines of code. Some operating systems never had this in the first place either. If you're not the only one with "hard" access, as well as the only one with root access to the machine, you cannot make any assumptions about port privileges.

Also, as long as you have the real SSH server's public key (you have logged in once before, or just have a copy otherwise), it won't be possible to make a new fake SSH server without the SSH client warning you, telling you to change your known_hosts. Without the evil person having root on the original machine to read the host private key (assuming proper file permissions), he won't be able to trick the client, but if he has root, the game is lost regardless, privileged ports or not.

lantins: I came across these just the other day:

https://github.com/joshrendek/ssh-passwd-honeypot and this feeds into http://sshpot.com/

SaturnsVoid: Well, guess someone beat me to it! Thanks for the link, I want to look into this.

togamans: Mm, you could fake a shell with a simple REPL, and you'll want to handle ssh negotiation. Set a weak user/pass combo like root:root, so they at least have to try.

So, core functionality: negotiate SSH, imitate error and success conditions based on input, don't mess up and drop them an actual shell, log attacker info like IP, log interaction once in your REPL.

tdewolff: Maybe it would be interesting to see what they would do when they get shell access. Fake the shell too and see what commands they try to execute; perhaps this can help in identifying whether they want to install software (and which), if they need information (which information?) and so on... sounds like a good one!

Btw, changing the port only reduces the number of bots but doesn't improve security. If you're still using passwords I suggest you take a look at RSA key logins!

Simpfally: Already saw a blog post of someone doing that; in general they try to download some files and execute them in there.

LowValueTarget: You could get some ideas from Kippo

https://github.com/desaster/kippo

RandNho: You may take this and expand: https://www.reddit.com/r/golang/comments/2p1cms/high_interaction_ssh_honeypot/

fubo: The [ssh package](https://godoc.org/golang.org/x/crypto/ssh) from the /x/ repository is pretty good.

Aside from logging username/password attempts, other things you can do:

- For some fraction of attempts, accept the password and present a fake shell prompt which just logs the commands they try to run.
- Publish the attackers' IP addresses to use as a blacklist. [These folks](https://www.openbl.org/) are already doing something similar.
- Closely imitate the banners and login message of a particular expected-vulnerable system, like some oldish Linux distribution, or an older version of OpenWRT or something.

walkeraj: https://github.com/traetox/sshForShits
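Putting togamans' and fubo's suggestions together, here is an added example (my own code, not from this thread or from any of the linked projects): the two pieces of a low-interaction honeypot that do not depend on the wire protocol, namely the credential check that logs every guess and only accepts deliberately weak combinations, and the fake-shell REPL that logs each command and answers with canned output instead of running anything. It is written against the Go standard library so it runs stand-alone; the hostname, the canned outputs, the weak credentials and the 203.0.113.0/24 address used in main are all constructed. The SSH side is left out on purpose: in a real deployment CheckPassword would be called from the PasswordCallback of an ssh.ServerConfig from the golang.org/x/crypto/ssh package fubo mentions, and RunShell would be handed the session channel as its reader and writer.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
	"sync"
	"time"
)

// Attempt is one credential guess seen by the honeypot.
type Attempt struct {
	When     time.Time
	Remote   string
	User     string
	Password string
	Accepted bool
}

// Honeypot keeps the weak credentials it intentionally accepts and an
// in-memory record of everything attackers send. A deployed honeypot would
// append these to a file or ship them to a log collector instead.
type Honeypot struct {
	mu       sync.Mutex
	weak     map[string]string // user -> the one password that "succeeds" (constructed)
	Attempts []Attempt
	Commands []string // one "remote\tcommand" entry per line the attacker typed
}

// NewHoneypot returns a honeypot that accepts root:root and admin:admin.
func NewHoneypot() *Honeypot {
	return &Honeypot{weak: map[string]string{"root": "root", "admin": "admin"}}
}

// CheckPassword is the credential callback. Every attempt is logged; only the
// deliberately weak pairs are accepted, so bots still have to guess, and an
// unknown user never gets in by sending an empty password.
func (h *Honeypot) CheckPassword(remote, user, pass string) bool {
	want, known := h.weak[user]
	ok := known && want == pass
	h.mu.Lock()
	h.Attempts = append(h.Attempts, Attempt{time.Now(), remote, user, pass, ok})
	h.mu.Unlock()
	return ok
}

// canned is the output a small, dated Linux box would print (constructed).
var canned = map[string]string{
	"id":       "uid=0(root) gid=0(root) groups=0(root)\n",
	"whoami":   "root\n",
	"uname -a": "Linux router 2.6.32 #1 SMP Thu Jan 1 00:00:00 UTC 2015 mips GNU/Linux\n",
	"pwd":      "/root\n",
	"ls":       "\n",
}

const prompt = "root@router:~# "

// RunShell is the fake REPL: it reads one command per line, logs it, replies
// with canned output or a shell-style error, and returns the number of
// commands seen once the attacker types exit or the input ends. No command is
// ever executed, which is the "don't drop them an actual shell" rule.
func (h *Honeypot) RunShell(remote string, in io.Reader, out io.Writer) int {
	sc := bufio.NewScanner(in)
	n := 0
	fmt.Fprint(out, prompt)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			fmt.Fprint(out, prompt)
			continue
		}
		n++
		h.mu.Lock()
		h.Commands = append(h.Commands, remote+"\t"+line)
		h.mu.Unlock()

		cmd := strings.Fields(line)[0]
		switch {
		case line == "exit" || line == "logout":
			fmt.Fprint(out, "logout\n")
			return n
		case canned[line] != "" || line == "ls":
			fmt.Fprint(out, canned[line])
		case cmd == "wget" || cmd == "curl":
			// The download-and-execute pattern: record the URL (already in
			// Commands) and answer with a plausible failure so they keep talking.
			fmt.Fprintf(out, "%s: unable to resolve host address\n", cmd)
		default:
			fmt.Fprintf(out, "-sh: %s: not found\n", cmd)
		}
		fmt.Fprint(out, prompt)
	}
	return n
}

func main() {
	// Interactive demo on stdin/stdout; the remote address is constructed.
	h := NewHoneypot()
	remote := "203.0.113.5"
	fmt.Println("accept root/root:", h.CheckPassword(remote, "root", "root"))
	n := h.RunShell(remote, os.Stdin, os.Stdout)
	fmt.Printf("logged %d commands, %d login attempts\n", n, len(h.Attempts))
}
```

The Attempts and Commands slices are what you would actually keep: the credential list tells you which dictionary the bot is using, and the command log, especially the URLs in wget and curl lines, tells you what it wants to install, which is the information tdewolff and Simpfally are after.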

