Telnet-honeypot is a telnet honeypot which logs attempts to syslog in the LongTail logging format.
It can be started with the following command line:
/usr/local/sbin/ptelnetd -honeypot
It is based entirely on
https://sites.google.com/site/columscode/home/ParanoidTelnetD
which is Copyright (C) 2014 Colum Paget
I have an installation script which will help significantly. You can download it with wget https://raw.githubusercontent.com/wedaa/LongTail-Telnet-honeypot-v2/master/install_ptelnetd.sh and then run it.
This will configure, make, and install ptelnetd into /usr/local/sbin/ptelnetd and add a startup line to /etc/rc.local to start ptelnetd after a reboot.
- For as yet unknown reasons, ptelnetd hangs and refuses to accept new inbound connections. I thought I had fixed this with a timeout in main.c, but it still happens intermittently. For the moment the workaround is to add a line to crontab to call /etc/init.d/ptelnetd-initd once a day to restart it (/etc/init.d/ptelnetd-initd restart).
- If you are using rsyslog, please use the following line in your honeypot's rsyslog.conf file (and, if you are using a consolidation server, in that server's rsyslog.conf as well).
$ActionFileDefaultTemplate RSYSLOG_FileFormat
This sets the date format to a more easily parsable format:
2016-03-06T04:33:43-05:00 ecdal2 sshd-22[25692]: IP: 183.3.202.102 PassLog: Username: root Password: leather
Please note the date stamp is YYYY-MM-DDTHH:MM:SS-GMT_offset, with a capital "T" as the delimiter between the date and the hour.
The log line format is as follows:
YYYY-MM-DD:HH:MM:SS.HH:MM HOSTNAME ptelnetd[]: IP: 127.0.0.1 TelnetLog: Username: Username_tried Password: Password_tried
For example:
2016-03-10T12:26:18.899244-05:00 localhost ptelnetd[9836]: IP: 127.0.0.1 TelnetLog: Username: TEW Password: TEWEW
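A parser for the log line format described above, as an added example that is not part of ptelnetd or LongTail. The names parse_line and top_credentials are hypothetical, and the sample lines after the first two are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Timestamp is the RSYSLOG_FileFormat form shown above; the payload after
# "IP:" is the LongTail format. PassLog is accepted because the sshd sample
# line on this page uses it. Username and password are attacker-supplied:
# a username containing " Password: " is split at its first occurrence.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"IP: (?P<ip>\S+) (?P<kind>TelnetLog|PassLog): "
    r"Username: (?P<user>.*?) Password: ?(?P<password>.*)$"
)

def parse_line(line):
    """Return a dict for one LongTail log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None  # not an RSYSLOG_FileFormat timestamp
    rec["pid"] = int(rec["pid"])
    return rec

def top_credentials(lines, n=3):
    """Count (username, password) pairs across all parseable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["user"], rec["password"])] += 1
    return counts.most_common(n)

# The first two lines are the samples from this page; the rest are constructed.
SAMPLE = [
    "2016-03-06T04:33:43-05:00 ecdal2 sshd-22[25692]: IP: 183.3.202.102 PassLog: Username: root Password: leather",
    "2016-03-10T12:26:18.899244-05:00 localhost ptelnetd[9836]: IP: 127.0.0.1 TelnetLog: Username: TEW Password: TEWEW",
    "2016-03-10T12:27:01.000001-05:00 localhost ptelnetd[9836]: IP: 192.0.2.7 TelnetLog: Username: admin Password: pass with spaces",
    "2016-03-10T12:27:05.000002-05:00 localhost ptelnetd[9836]: IP: 192.0.2.7 TelnetLog: Username: admin Password: pass with spaces",
    "Mar 10 12:28:00 localhost ptelnetd[9836]: IP: 192.0.2.9 TelnetLog: Username: a Password: b",
]

if __name__ == "__main__":
    for pair, count in top_credentials(SAMPLE):
        print(count, pair)
```

The last sample line uses the traditional syslog date stamp and is rejected, which is what happens to a consolidated log if the RSYSLOG_FileFormat template is not set.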
Minor Modifications Copyright (C) 2016 Eric Wedaa
OTHERWISE
Copyright (C) 2014 Colum Paget, colums.projects@gmail.com, http://www.cjpaget.co.uk