rykdesjardins / ssh-honeypot

A lightweight, parameterized fake SSH with custom responses and command detection strategies.

SSH Honeypot

What is this?

This honeypot acts as a fake SSH server and stores usernames, passwords, IP addresses, locations, and the commands attackers execute. It can be used for various reasons:

  • Determine if a former employee is trying to sabotage your server
  • Find out where the attacks are coming from
  • Stay on top of the latest bash commands used by attackers
  • Have a serious laugh

What can it do?

Pretty much anything you want, including responding to certain commands with custom responses, sending Slack messages, storing attempts in a text file, and converting IPs to country strings.

How do I install it?

First of all, if you want to run this on a real host, you will have to move your real SSH daemon off its default port so the honeypot can take port 22. Although I don't recommend running this in production, it can be interesting to use it on a public development server.

You will need Node.js installed. You can check whether it is installed by running node -v or nodejs -v.

Edit /etc/ssh/sshd_config as root (sudo) and add the following:

Port 22
Port 2222

Assuming you are doing this over SSH, you don't want to remove port 22 just yet; the good news is that sshd can listen on several ports at once. Before restarting, make sure nothing (a host firewall, a cloud security group) blocks port 2222, and validate the edited file with sshd -t so a typo does not lock you out. Now restart your SSH daemon.

# As root (sudo)
service sshd restart
# On systemd hosts: systemctl restart sshd (Debian/Ubuntu name the unit "ssh")

Log out and log back in using the new port 2222. You can specify the port with the -p argument, like so: ssh -p 2222 user@server. Once you have confirmed that works, remove the Port 22 line from sshd_config and restart sshd again; until you do, the real daemon still owns port 22 and nothing else can take it.

Clone this repo somewhere on your server and cd into the directory. You can then run npm install.

git clone https://github.com/rykdesjardins/ssh-honeypot
cd ssh-honeypot
npm install

The post-installation script generates an RSA key pair. Note that if you want Node.js itself to bind port 22, the process needs root, and running Node.js as root is not recommended at all. Instead, keep the honeypot on an unprivileged port (the port setting below) and have something else own port 22 and hand connections to that port locally. Prefer a kernel-level NAT redirect over a userspace TCP proxy: the redirect preserves the attacker's source address, whereas a proxy would make every connection appear to come from localhost and defeat the IP logging and lookups.

To get things started, use the usual

npm start

Default logs go to output.log, and captured SSH credentials and commands to honey.txt. Both paths can be changed in the config file.

Configuring

The honeypot tries to load your personal config.js and falls back to config.default.js for every setting you leave out. To configure it, copy the default file and edit the copy.

cp config.default.js config.js

The available configurations

port

The SSH port to which the honeypot will bind. Use an unprivileged port if you do not run Node.js as root (see the note above about redirecting port 22).

outputfile

A relative path to a file that will contain all acquired credentials and commands

privatekey

The private key used for the SSH server side of the connection. It is generated automatically by the post-installation script.

slackwebhook

A Slack webhook URL. If one is present, the honeypot sends a Slack message every time there is a hit.

slackformatter

A function receiving an SSHClient object; it should return the Slack message to send. The SSHClient object has the following structure:

SSHClient {
    username : String,
    password : String,
    location : String,
    ip : String,
    command : String
}

If no command is sent by the attacker, the command property will still be defined but will contain an empty string.

iplookup

A function receiving an IP address and a callback to call once finished. If defined, it is called when the SSH connection terminates and is used to geolocate the IP address.

The signature is iplookup(String, Function). There is a working example of a reverse lookup in config.default.js.

responses

An array of custom responses. Each entry has the following structure:

CustomResponse {
    strategy : String("includes" | "matches" | "regexp"),
    command : String,
    response : String
}

There are three available strategies at the moment.

  • includes : Will match if the attacker's command includes the custom response command
  • matches : Will match if the attacker's command is exactly the same as the custom response command
  • regexp : Will match if the custom response command, compiled as a regular expression, finds a match in the attacker's command

The command property is used as a selector: the response is sent as is whenever the attacker's command matches it under the chosen strategy.

responses : [
    {
        strategy : "includes",
        command : "/etc/passwd",
        response : "root:x:0:0:root:/root:/bin/bash"
    }
]

The previous would match if the attacker's command is cat /etc/passwd or rm /etc/passwd, but would not match cd /etc && cat passwd, since that string does not include /etc/passwd.
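A complete config.js assembled from the options above, together with a small matcher that applies the three strategies the way this README describes them, as an added example; it is not code from the ssh-honeypot project and does not show the honeypot's real matching code. Assumptions: config.js is loaded as a CommonJS module, the first matching entry wins, and the iplookup callback receives the location string (the README fixes only the iplookup(String, Function) signature). The port is 2022 rather than 2222 because the install steps gave 2222 to the real sshd. The geolocation table and the test commands are constructed so the example runs offline; the real config.default.js performs a reverse lookup instead.

```javascript
// Added example config.js for ssh-honeypot (not the project's own code).
// ASSUMPTIONS: config.js is loaded as a CommonJS module; the first matching
// response wins; iplookup's callback receives the location string.

const STRATEGIES = {
  // includes: the attacker's command contains the selector as a substring
  includes: (selector, command) => command.includes(selector),
  // matches: the attacker's command is exactly the selector
  matches: (selector, command) => command === selector,
  // regexp: the selector, compiled as a regular expression, finds a match
  regexp: (selector, command) => new RegExp(selector).test(command),
};

// Walk the responses array and return the response of the first entry whose
// strategy matches the command, or null when nothing matches. An unknown
// strategy is a config error, so fail loudly instead of silently skipping it.
function matchResponse(responses, command) {
  for (const entry of responses) {
    const strategy = STRATEGIES[entry.strategy];
    if (!strategy) {
      throw new Error(`unknown strategy "${entry.strategy}" for command "${entry.command}"`);
    }
    if (strategy(entry.command, command)) return entry.response;
  }
  return null;
}

// Constructed, offline stand-in for a real lookup (RFC 5737 documentation
// address) so the example runs without network access.
const FAKE_GEO = { "203.0.113.7": "TEST-NET-3 (documentation range)" };

const config = {
  // 2222 is where the install steps moved the real sshd, so use another
  // unprivileged port and redirect 22 to it (see the note about root above).
  port: 2022,
  outputfile: "honey.txt",   // credentials and commands, relative to the repo directory
  // privatekey: left to the pair generated by the post-install script
  slackwebhook: "",          // empty string: nothing is posted to Slack
  slackformatter: (client) => {
    // client is the SSHClient object; command is "" when the attacker sent none
    const cmd = client.command === "" ? "(no command)" : client.command;
    return `ssh-honeypot: ${client.username}:${client.password} from ${client.ip} (${client.location}) ran ${cmd}`;
  },
  iplookup: (ip, callback) => {
    // config.default.js does a real reverse lookup here; this stub only consults FAKE_GEO
    callback(FAKE_GEO[ip] || "unknown");
  },
  responses: [
    { strategy: "matches", command: "id", response: "uid=0(root) gid=0(root) groups=0(root)" },
    { strategy: "includes", command: "/etc/passwd", response: "root:x:0:0:root:/root:/bin/bash" },
    // The includes rule above misses "cd /etc && cat passwd"; this regexp catches
    // the common readers of passwd whether or not the path is absolute.
    { strategy: "regexp", command: "(cat|less|head|tail)\\s+(\\S*/)?passwd\\b", response: "root:x:0:0:root:/root:/bin/bash" },
  ],
};

if (typeof module !== "undefined") module.exports = config;
```

matchResponse is also handy on its own for dry-running a responses list against commands copied out of honey.txt before you deploy a change: a mistyped regexp selector only throws when a command actually reaches that entry, so exercising every entry once beforehand catches it.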

Is this free?

Yeah.

About

License: MIT License

Languages: JavaScript 100.0%