honeyssh is a Honey-Pod for SSH. It automatically logs username and password
tries during brute-force attacks.
This repository contains two applications, honeyssh itself as well as statsd
which provides a simple HTTP API to query logon attempts.
Installation of honeyssh requires a working GoLang environment:
go install github.com/nethack42/honeysshWhen started without a configuration file or commandline parameters, honeyssh
will start in user/password logging mode. Incoming authentication requests are
logged and afterwards rejected with "wrong password".
$ ./setup_db.sh
$ nohup ./statsd &sudo ./honeyssh --listen 0.0.0.0:22
...
INFO[57] Logon attempt: host=112.99.218.173:51445 version=SSH-2.0-sshlib-0.1 user="root" pass="system"
INFO[57] Logon attempt: host=112.99.218.173:51445 version=SSH-2.0-sshlib-0.1 user="root" pass="raspi"
INFO[57] Logon attempt: host=112.99.218.173:51445 version=SSH-2.0-sshlib-0.1 user="root" pass="ubnt"
INFO[57] Logon attempt: host=112.99.218.173:51445 version=SSH-2.0-sshlib-0.1 user="root" pass="00000000"
...Query logon attempts:
$ curl http://localhost:4000/stats
{
"recent_ips": {
"153.99.182.12": 102,
"185.110.132.202": 1,
"185.29.9.169": 3
},
"recent_usernames": {
"globalflash": 3,
"root": 102,
"test": 1
},
"recent_passwords": {
"!QAZxsw2#EDC": 1,
"!QAZzaq1": 1,
"!qa2ws3ed": 1,
"00": 1,
"0o9i8u7y": 1,
"100200": 1,
"10203040": 1,
"110120": 1,
"1111111111": 1,
"121314": 1,
"123456789a": 1,
"123456789a123": 1,
"123456a?": 1,
"1234abc": 1,
"123qwe,.": 1,
"159159": 1,
"1qaz2wsx#EDC": 1,
"1qaz3edc": 1,
"1qazse4": 1,
"3.1415": 1,
"4444444": 1,
"@dmin": 1,
"Nopass@elong.com": 1,
"P@ssword123456": 1,
"Pass@1234": 1,
"abc.123": 1,
}
}