An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in and logs their activity
sshesame
accepts and logs SSH connections and activity (channels, requests), without doing anything on the host (e.g. executing commands, making network requests).
Warning
The sshesame
package in the official Debian (and derivatives) repositories may be (probably is) outdated.
$ git clone https://github.com/jaksi/sshesame.git
$ cd sshesame
$ go build
Linux, macOS and Windows binaries for several architectures are built and released automatically and are available on the Releases page.
$ sshesame -h
Usage of sshesame:
-config string
optional config file
-data_dir string
data directory to store automatically generated host keys in (default "...")
Debug and error logs are written to standard error. Activity logs by default are written to standard out, unless the logging.file
config option is set.
Images for amd64, arm64 and armv7 are built and published automatically and are available on the Packages page.
Important
When using a custom config file, set server.listen_address
to listen on all interfaces (e.g. to 0.0.0.0:2022
) to ensure Docker port forwarding works.
$ docker run -it --rm\
-p 127.0.0.1:2022:2022\
-v sshesame-data:/data\
[-v $PWD/sshesame.yaml:/config.yaml]\
ghcr.io/jaksi/sshesame
FROM ghcr.io/jaksi/sshesame
#COPY sshesame.yaml /config.yaml
services:
sshesame:
image: ghcr.io/jaksi/sshesame
ports:
- "127.0.0.1:2022:2022"
volumes:
- sshesame-data:/data
#- ./sshesame.yaml:/config.yaml
volumes:
sshesame-data: {}
[Unit]
Description=SSH honeypot
After=network-online.target
Wants=network-online.target
[Service]
ExecStart=/path/to/sshesame #-config /path/to/sshesame.yaml
Restart=always
[Install]
WantedBy=multi-user.target
A configuration file can optionally be passed using the -config
flag.
Without specifying one, sane defaults will be used and an RSA, ECDSA and Ed25519 host key will be generated and stored in the directory specified in the -data_dir
flag.
A sample configuration file with default settings and explanations for all configuration options is included.
A minimal configuration file which tries to mimic an OpenSSH server is also included.
2021/07/04 00:37:05 [127.0.0.1:64515] authentication for user "jaksi" without credentials rejected
2021/07/04 00:37:05 [127.0.0.1:64515] authentication for user "jaksi" with public key "SHA256:uUdTmvEHN6kCAoE4RJWsxr8+fGTGhCpAhBaWgmMVqNk" rejected
2021/07/04 00:37:07 [127.0.0.1:64515] authentication for user "jaksi" with password "hunter2" accepted
2021/07/04 00:37:07 [127.0.0.1:64515] connection with client version "SSH-2.0-OpenSSH_8.1" established
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] session requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] PTY using terminal "xterm-256color" (size 158x48) requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] environment variable "LANG" with value "en_IE.UTF-8" requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] shell requested
2021/07/04 00:37:16 [127.0.0.1:64515] [channel 1] input: "cat /etc/passwd"
2021/07/04 00:37:17 [127.0.0.1:64515] [channel 1] closed
2021/07/04 00:37:17 [127.0.0.1:64515] connection closed