SSH Honeypot?

<p>So i was checking one of my servers and saw that i have been getting attacked by a botnet on port 22. I changed my port to negate the issue. </p> <p>This made me think. Could i make a Honeypot using Go? From what i know, I would have to listen on port 22 and just log the information to a file?</p> <p>Fake the login? Any ideas?</p> <hr/>**评论：**<br/><br/>EscobarATM: <pre><p><a href="https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/" rel="nofollow">https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/</a></p></pre>joushou: <pre><p>Very sane arguments indeed, although I highly disagree that a port beneath 1024 should increase your trust. The capabilities to start services on ports under 1024 can assigned to arbitrary files, and can just be disabled in the kernel by removing a few lines of code. Some operating systems never had this in the first place either. If you&#39;re not the only one with &#34;hard&#34; access, as well as the only one with root access to the machine, you cannot make any assumptions about port privileges.</p> <p>Also, as long as you have the real SSH servers public key (you have logged in once before, or just have a copy otherwise), it won&#39;t be possible to make a new fake SSH server without the SSH client warning you, telling you to change your known_hosts. Without the evil person having root on the original machine to read the host private key (assuming proper file permissions), he won&#39;t be able to trick the client, but if he has root, the game is lost regardless, privileged ports or not.</p></pre>lantins: <pre><p>I come across these just the other day:</p> <p><a href="https://github.com/joshrendek/ssh-passwd-honeypot" rel="nofollow">https://github.com/joshrendek/ssh-passwd-honeypot</a> and this feeds into <a href="http://sshpot.com/" rel="nofollow">http://sshpot.com/</a></p></pre>SaturnsVoid: <pre><p>Well guess some beat me to it! Thanks for the link i want to look into this.</p></pre>togamans: <pre><p>mm, you could fake a shell with a simple REPL, and you&#39;ll want to handle ssh negotiation. Set a weak user/pass combo like root:root, so they at least have to try. </p> <p>so, core functionality: Negotiate SSH, imitate error and success conditions based on input, don&#39;t mess up and drop them an actual shell, log attacker info like IP, log interaction once in your REPL.</p></pre>tdewolff: <pre><p>Maybe it would be interesting what they would do when they get shell access. Fake the shell too and see what commands they try to execute, perhaps this can help in identifying whether they want to install software (and which), if they need information (which information?) and so on...sounds like a good one!</p> <p>Btw changing port only reduces the amount of bots, but doesn&#39;t improve security. If you&#39;re still using passwords I suggest you take a look at RSA key logins!</p></pre>Simpfally: <pre><p>Already saw a blog post of someone doing that, in general they try to download some files and execute it in there.</p></pre>LowValueTarget: <pre><p>You could get some ideas from Kippo</p> <p><a href="https://github.com/desaster/kippo" rel="nofollow">https://github.com/desaster/kippo</a></p></pre>RandNho: <pre><p>You may take this and expand: <a href="https://www.reddit.com/r/golang/comments/2p1cms/high_interaction_ssh_honeypot/" rel="nofollow">https://www.reddit.com/r/golang/comments/2p1cms/high_interaction_ssh_honeypot/</a></p></pre>fubo: <pre><p>The <a href="https://godoc.org/golang.org/x/crypto/ssh" rel="nofollow">ssh package</a> from the /x/ repository is pretty good.</p> <p>Aside from logging username/password attempts, other things you can do:</p> <ul> <li>For some fraction of attempts, accept the password and present a fake shell prompt which just logs the commands they try to run.</li> <li>Publish the attackers&#39; IP addresses to use as a blacklist. <a href="https://www.openbl.org/" rel="nofollow">These folks</a> are already doing something similar.</li> <li>Closely imitate the banners and login message of a particular expected-vulnerable system, like some oldish Linux distribution, or an older version of OpenWRT or something.</li> </ul></pre>walkeraj: <pre><p><a href="https://github.com/traetox/sshForShits" rel="nofollow">https://github.com/traetox/sshForShits</a></p></pre>