A low-interaction SSH honeypot written in C.
```
Usage: ssh-honeypotd [options]...

Mandatory arguments to long options are mandatory for short options too.

  -k, --host-key FILE   the file containing the private host key (RSA, DSA, ECDSA, ED25519)
  -b, --address ADDRESS the IP address to bind to (default: 0.0.0.0)
  -p, --port PORT       the port to bind to (default: 22)
  -P, --pid FILE        the PID file (if not specified, the daemon will run in the foreground)
  -n, --name NAME       the name of the daemon for syslog (default: ssh-honeypotd)
  -u, --user USER       drop privileges and switch to this USER (default: daemon or nobody)
  -g, --group GROUP     drop privileges and switch to this GROUP (default: daemon or nogroup)
  -x, --no-syslog       log messages only to stderr (only works with --foreground)
  -f, --foreground      do not daemonize
  -h, --help            display help and exit
  -v, --version         output version information and exit
```
The -k option must be specified at least once if ssh-honeypotd is compiled against libssh prior to 0.8.0 (note that in Ubuntu, and possibly Debian, libssh 0.8.0 is detected as 0.7.0 because of a bug in libssh.h). For newer libssh versions, the host key is generated automatically (RSA 2048 bits).
The minimum supported libssh version is 0.7.0.
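For builds where -k is required, the host keys have to exist before the daemon starts. The script below is an added example, not part of the ssh-honeypotd project: it creates the keys with ssh-keygen and starts a foreground instance with one -k per key. `KEY_DIR`, `HONEYPOT_BIN`, the loopback address and port 2222 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the ssh-honeypotd project).
# Assumed for illustration: KEY_DIR, HONEYPOT_BIN, 127.0.0.1 and port 2222.
KEY_DIR="${KEY_DIR:-./honeypot-keys}"

# Create a passphrase-less host key of the given type unless it already
# exists, then print its path.
gen_host_key() {
    ktype="$1"
    file="$KEY_DIR/ssh_host_${ktype}_key"
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR" || return 1
    if [ ! -f "$file" ]; then
        case "$ktype" in
            # Assumption: legacy PEM output (-m PEM) is the conservative
            # choice for an RSA key read by an older libssh build.
            rsa) ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$file" ;;
            *)   ssh-keygen -q -t "$ktype" -N '' -f "$file" ;;
        esac || return 1
    fi
    printf '%s\n' "$file"
}

# Start the honeypot in the foreground, logging to stderr only, with one
# -k option per key file. Usage: run_honeypot ADDRESS PORT KEYFILE...
run_honeypot() {
    address="$1"; port="$2"; shift 2
    nkeys=$#
    # Append "-k FILE" for every key, then drop the original key arguments.
    for key in "$@"; do set -- "$@" -k "$key"; done
    shift "$nkeys"
    "${HONEYPOT_BIN:-ssh-honeypotd}" -b "$address" -p "$port" -f -x "$@"
}

# Runs only when the script is invoked with the argument "start".
if [ "${1:-}" = "start" ]; then
    rsa_key=$(gen_host_key rsa) || exit 1
    ed_key=$(gen_host_key ed25519) || exit 1
    run_honeypot 127.0.0.1 2222 "$rsa_key" "$ed_key"
fi
```

Binding to a port above 1024 lets the test instance run as an unprivileged user, so no privilege drop with -u or -g is involved.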
```bash
docker run -d \
    --network=host \
    --cap-add=NET_BIND_SERVICE \
    --restart=always \
    --read-only \
    --name=ssh-honeypotd \
    -e ADDRESS=0.0.0.0 \
    -e PORT=22 \
    wildwildangel/ssh-honeypotd:latest
```

```bash
docker run -d \
    --network=host \
    --cap-add=NET_BIND_SERVICE \
    --restart=always \
    --read-only \
    wildwildangel/ssh-honeypotd-min:latest
```

ssh-honeypotd.yaml:
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: honeypots
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ssh-honeypotd
  namespace: honeypots
spec:
  selector:
    matchLabels:
      name: ssh-honeypotd
  template:
    metadata:
      labels:
        name: ssh-honeypotd
    spec:
      hostNetwork: true
      containers:
        - name: ssh-honeypotd
          image: wildwildangel/ssh-honeypotd-min # or wildwildangel/ssh-honeypotd
          resources:
            limits:
              cpu: 100m
              memory: 12Mi
            requests:
              cpu: 100m
              memory: 12Mi
          securityContext:
            capabilities:
              drop:
                - all
              add:
                - NET_BIND_SERVICE
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 22
              hostPort: 22
              protocol: TCP
```

```bash
kubectl apply -f ssh-honeypotd.yaml
```

You can control ssh-honeypotd's behavior in the container (wildwildangel/ssh-honeypotd image) with the following environment variables:
- `ADDRESS` (default: 0.0.0.0): the IP address to bind to;
- `PORT` (default: 22): the port to bind to.
These variables make it easy to run several ssh-honeypotd instances on the same machine, should the need arise.
ssh-honeypotd's Docker image comes in two flavors:
- A standard image based on the latest stable Alpine: wildwildangel/ssh-honeypotd.
- A minimalistic image based on the `scratch` Docker image: wildwildangel/ssh-honeypotd-min.
The ssh-honeypotd-min image contains only the statically linked ssh-honeypotd binary and a set of pre-generated SSH keys. This image is a bit smaller than ssh-honeypotd but is experimental at the moment. The ssh-honeypotd binary in the ssh-honeypotd-min image does not support the following command-line options: --pid, --name, --user, --group, --no-syslog, --foreground.