
Version 2 of the LongTail telnet honeypot, now actually gets login attempts


wedaa/LongTail-Telnet-honeypot-v2


README for LongTail-Telnet-honeypot-v2

What LongTail-Telnet-honeypot-v2 does

Telnet-honeypot is a telnet honeypot which logs login attempts to syslog in the LongTail logging format.

It can be started with the following command line:

/usr/local/sbin/ptelnetd -honeypot

It is based entirely on

https://sites.google.com/site/columscode/home/ParanoidTelnetD

which is Copyright (C) 2014 Colum Paget

Installing the Honeypot

I have an installation script which will help significantly. You can download it with wget https://raw.githubusercontent.com/wedaa/LongTail-Telnet-honeypot-v2/master/install_ptelnetd.sh and then run it.

This will configure, make, and install ptelnetd into /usr/local/sbin/ptelnetd and add a startup line to /etc/rc.local to start ptelnetd after a reboot.

BUGS

  1. For as yet unknown reasons, ptelnetd hangs and refuses to accept new inbound connections. I thought I had fixed this with a timeout in main.c, but it still happens intermittently. For the moment, the workaround is to add a line to crontab that calls /etc/init.d/ptelnetd-initd once a day to restart it (/etc/init.d/ptelnetd-initd restart).

Rsyslog Note

  1. If you are using rsyslog, please use the following line in your honeypot's rsyslog.conf file (and, if you are using a consolidation server, in that server's rsyslog.conf as well).

$ActionFileDefaultTemplate RSYSLOG_FileFormat

This sets the date format to a more easily parsable format:

2016-03-06T04:33:43-05:00 ecdal2 sshd-22[25692]: IP: 183.3.202.102 PassLog: Username: root Password: leather

Please note the date stamp is YYYY-MM-DDTHH:MM:SS-GMT_offset, with a capital "T" as the delimiter between the date and the hour.

Logging Line Format

The log line format is as follows:

YYYY-MM-DD:HH:MM:SS.HH:MM HOSTNAME ptelnetd[]: IP: 127.0.0.1 TelnetLog: Username: Username_tried Password: Password_tried

For Example:

2016-03-10T12:26:18.899244-05:00 localhost ptelnetd[9836]: IP: 127.0.0.1 TelnetLog: Username: TEW Password: TEWEW
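
A parser for this log line format, added here as an example (it is not part of LongTail or ptelnetd). The function names and the handling of empty or space-containing passwords are assumptions; the first two sample lines are the ones shown above and the rest are constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Layout taken from the two sample lines on this page (RSYSLOG_FileFormat timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"IP: (?P<ip>\S+) (?P<kind>TelnetLog|PassLog): "
    r"Username: (?P<user>.*?)\s?Password:\s?(?P<password>.*)$"
)

def parse_line(line):
    """Parse one login-attempt line; return a dict, or None if it does not fit."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    try:
        when = datetime.fromisoformat(m.group("ts"))   # keeps the GMT offset
        ip = ipaddress.ip_address(m.group("ip"))       # rejects a non-IP field
    except ValueError:
        return None
    # Username and password are remote-supplied text and may be empty or contain
    # spaces. Assumption: the fields are split at the first "Password:" marker.
    return {"time": when, "host": m.group("host"), "program": m.group("prog"),
            "pid": int(m.group("pid")), "ip": str(ip), "kind": m.group("kind"),
            "username": m.group("user"), "password": m.group("password")}

def summarize(lines):
    """Count attempts per source IP and per (username, password) pair."""
    by_ip, by_cred, rejected = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1          # e.g. a line still in the old syslog date format
            continue
        by_ip[rec["ip"]] += 1
        by_cred[(rec["username"], rec["password"])] += 1
    return by_ip, by_cred, rejected

SAMPLE = [  # lines 1-2 are from this page; lines 3-5 are constructed
    "2016-03-06T04:33:43-05:00 ecdal2 sshd-22[25692]: IP: 183.3.202.102 PassLog: Username: root Password: leather",
    "2016-03-10T12:26:18.899244-05:00 localhost ptelnetd[9836]: IP: 127.0.0.1 TelnetLog: Username: TEW Password: TEWEW",
    "2016-03-10T12:27:02.000001-05:00 localhost ptelnetd[9836]: IP: 127.0.0.1 TelnetLog: Username: admin Password: two words",
    "2016-03-10T12:27:05.000001-05:00 localhost ptelnetd[9836]: IP: 127.0.0.1 TelnetLog: Username: admin Password:",
    "Mar 10 12:28:00 localhost ptelnetd[9836]: IP: 127.0.0.1 TelnetLog: Username: a Password: b",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The last constructed line uses the traditional syslog date stamp and is rejected, which is what happens when RSYSLOG_FileFormat is not set as described in the Rsyslog Note.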

Licensing

Minor Modifications Copyright (C) 2016 Eric Wedaa

OTHERWISE

Copyright (C) 2014 Colum Paget, colums.projects@gmail.com, http://www.cjpaget.co.uk
