Build a SSH-honeypot with docker – All things in moderation

Build a SSH-honeypot with docker

Setting up a honeypot is a very interesting technique to detect and diagnose system vulnerabilities, attack vectors and other things related to computer security. There are many different types of honeypots used in the wild, but the simplest ones are designed to run on systems with intentionally (or not) weakened security settings. With a few monitoring tools in place, a honeypot gives you a good chance of catching bad guys, or more likely automated scripts, red-handed.

In the world-wild-web, one of the most common attack vectors targets SSH services. Pretty much every server that's not configured to run on a private network will have either a standard or tweaked SSH port exposed to the public. Combined with insecure (short, simple, default) passwords, that makes it the perfect target for all those botnets and whatnot. And what could possibly be worse than a server with a bad root password?

Build a ssh-honeypot with docker

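This tutorial uses ssh-honeypot, built in Docker, which listens for incoming SSH connections and logs the IP address, username, and password used. It was written to gather rudimentary intelligence on brute-force attacks.

Create an entrypoint.sh file to run ssh-honeypot in the Docker container:

```sh
#!/bin/ash
# Announce startup first: the next line blocks while the honeypot serves connections.
echo "SSH Honeypot is Running..."
# Listen on port 22 with the generated RSA host key and drop privileges to "nobody".
ssh-honeypot -r /ssh-honeypot/ssh-honeypot.rsa -p 22 -u nobody
# Run any command that was passed to the container.
exec "$@"
```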

**Create Dockerfile:**

```dockerfile
FROM alpine:latest
# Build dependencies and a few utilities
RUN apk add --no-cache git libssh-dev screen gcc musl-dev nano openssl build-base bash openssh geoip curl netcat-openbsd
RUN git clone https://github.com/droberson/ssh-honeypot.git
WORKDIR /ssh-honeypot/
RUN make
# -N "" sets an empty passphrase so the build never waits for input
RUN ssh-keygen -t rsa -N "" -f ./ssh-honeypot.rsa
# 755 instead of 777: the binary and entrypoint must not be world-writable
RUN chmod 755 /ssh-honeypot/bin/ssh-honeypot
RUN mv /ssh-honeypot/bin/ssh-honeypot /bin/ssh-honeypot
EXPOSE 22
COPY entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
```

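**Build and run the Docker container:**
In the folder that contains the Dockerfile, run the following commands to build and run ssh-honeypot:

Don’t forget the dot (.) at the end of the docker build command. Publishing host port 22 only works if nothing else is bound to it, so move the host's own sshd to another port first.

```sh
sudo docker build -t ssh-honeypot .
sudo docker run -d -p 22:22 ssh-honeypot
```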

Check that ssh-honeypot is running:

```sh
sudo docker ps
sudo netstat -antp | grep 22
```
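
Once the honeypot is collecting attempts, the logged IP address, username and password can be summarised to see which credentials and sources dominate. The script below is an added example, not part of ssh-honeypot or the original post; it assumes each attempt is logged as `[timestamp] ip username password`, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# ASSUMPTION: each attempt is logged as "[timestamp] ip username password".
# Check a few lines of your own log and adjust the pattern if the layout differs.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<user>\S+) ?(?P<password>.*)$")

# Constructed sample lines (documentation IP ranges, not captured traffic).
SAMPLE_LOG = """\
[Mon Mar  4 10:00:01 2024] 203.0.113.7 root 123456
[Mon Mar  4 10:00:02 2024] 203.0.113.7 root password
[Mon Mar  4 10:00:03 2024] 203.0.113.7 admin admin
[Mon Mar  4 10:05:10 2024] 198.51.100.23 root 123456
[Mon Mar  4 10:05:11 2024] 198.51.100.23 pi raspberry
[Mon Mar  4 10:06:00 2024] 192.0.2.50 root pass with spaces
[Mon Mar  4 10:06:30 2024] ssh-honeypot started
"""


def parse_line(line):
    """Return (ip, user, password), or None if the line is not a login attempt."""
    match = LINE_RE.match(line.rstrip("\n"))
    if match is None:
        return None
    try:
        ipaddress.ip_address(match["ip"])  # rejects status lines and garbage
    except ValueError:
        return None
    return match["ip"], match["user"], match["password"]


def summarise(lines, repeat_threshold=3):
    """Count attempts per source and per credential pair; flag noisy sources."""
    by_ip, by_cred = Counter(), Counter()
    for ip, user, password in filter(None, map(parse_line, lines)):
        by_ip[ip] += 1
        by_cred[(user, password)] += 1
    repeat = [ip for ip, n in by_ip.most_common() if n >= repeat_threshold]
    return {"total": sum(by_ip.values()), "attempts_by_ip": by_ip,
            "credentials": by_cred, "repeat_sources": repeat}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG.splitlines())
    print("attempts:", report["total"])
    for (user, password), n in report["credentials"].most_common(3):
        # repr() keeps attacker-supplied control characters off the terminal
        print(f"{n:3d}  {user!r} / {password!r}")
    print("repeat sources:", report["repeat_sources"])
```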
