Setting up a honeypot is a very interesting technique for detecting and diagnosing system vulnerabilities, attack vectors and other things related to computer security. There are many different types of honeypots used in the wild, but the simplest ones are designed to run on systems with intentionally (or not) weakened security settings. With a few monitoring tools in place, it gives you a good chance of catching bad guys, or more likely automated scripts, red-handed.
On the world wide web, one of the most common attack vectors targets SSH services. Pretty much every server that is not confined to a private network will have either a standard or a tweaked SSH port exposed to the public. Combined with insecure (short, simple, default) passwords, it makes the perfect target for all those botnets and what not. And what could possibly be worse than a server with a bad root password?
Build an ssh-honeypot with Docker
This tutorial builds ssh-honeypot into a Docker image. The honeypot listens for incoming SSH connections and logs the IP address, username and password used in each attempt. It was written to gather rudimentary intelligence on brute force attacks.
**Create entrypoint.sh** to run ssh-honeypot inside the Docker container (the `exec "$@"` line is the standard shell idiom for handing over to any command passed to `docker run`):

```sh
#!/bin/ash
# Start the honeypot with the RSA host key generated at build time,
# listening on port 22 and dropping privileges to the "nobody" user.
ssh-honeypot -r /ssh-honeypot/ssh-honeypot.rsa -p 22 -u nobody
echo "SSH Honeypot is Running..."
exec "$@"
```
**Create Dockerfile:**

```dockerfile
FROM alpine:latest
RUN apk add --no-cache git libssh-dev screen gcc musl-dev nano openssl build-base bash openssh geoip curl netcat-openbsd
RUN git clone https://github.com/droberson/ssh-honeypot.git
WORKDIR /ssh-honeypot/
RUN make
# -N '' gives the host key an empty passphrase so the build never waits for input
RUN ssh-keygen -t rsa -f ./ssh-honeypot.rsa -N ''
# executable, but not world-writable
RUN chmod 755 /ssh-honeypot/bin/ssh-honeypot
RUN mv /ssh-honeypot/bin/ssh-honeypot /bin/ssh-honeypot
EXPOSE 22
ADD entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
```
**Build and run the Docker container:**

In the folder containing the Dockerfile, run the following commands to build and run ssh-honeypot. Don't forget the dot (.) at the end of the `docker build` command:

```sh
sudo docker build -t ssh-honeypot .
sudo docker run -d -p 22:22 ssh-honeypot
```
**Check that ssh-honeypot is running:**

```sh
sudo docker ps
sudo netstat -antp | grep 22
```
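Once the container is up, the intelligence mentioned at the start lives in the honeypot log. The following Python script is an added example, not part of this tutorial or of the ssh-honeypot project: it parses a few constructed log lines in an assumed `YYYY-MM-DD HH:MM:SS <ip> <user> <password>` layout (check your own log file and adjust the regular expression if its layout differs), skips malformed lines, reports the most common source IPs, usernames and passwords, and flags sources that exceed a sliding-window attempt rate, which is the simplest brute-force signal such a log can give you.

```python
"""Summarise an ssh-honeypot style log to spot brute-force sources.

Assumed line layout (an assumption, not taken from the ssh-honeypot docs):
    YYYY-MM-DD HH:MM:SS <source ip> <username> <password>
Lines that do not match are counted and skipped rather than aborting the run.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log, not real honeypot output.
SAMPLE_LOG = """\
2024-05-01 10:00:01 198.51.100.7 root 123456
2024-05-01 10:00:02 198.51.100.7 root password
2024-05-01 10:00:03 198.51.100.7 admin admin
2024-05-01 10:00:04 198.51.100.7 root toor
2024-05-01 10:02:30 203.0.113.9 pi raspberry
this line is garbage and must be skipped
2024-05-01 11:15:00 203.0.113.9 ubuntu ubuntu
2024-05-01 11:15:09 198.51.100.7 root root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<password>.*)$"
)


def parse_log(text):
    """Return (events, bad_line_count); each event is (datetime, ip, user, password)."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["password"]))
    return events, bad


def top_counts(events, field, n=5):
    """Most common values of one event field: 1 = ip, 2 = user, 3 = password."""
    return Counter(e[field] for e in events).most_common(n)


def brute_force_sources(events, threshold=3, window_seconds=60):
    """Map IP -> peak attempt count for IPs that make >= threshold attempts
    inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_seconds
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


if __name__ == "__main__":
    evts, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(evts)} events parsed, {skipped} malformed line(s) skipped")
    print("top source IPs:", top_counts(evts, 1))
    print("top usernames:", top_counts(evts, 2))
    print("top passwords:", top_counts(evts, 3))
    print("brute-force sources (>=3 attempts/minute):", brute_force_sources(evts))
```

Point `parse_log` at the contents of the real log file (for example the file named by ssh-honeypot's `-l` option, or the container's stdout captured with `docker logs`) instead of `SAMPLE_LOG`; the flagged IPs are the ones worth feeding into a blocklist or correlating against your production SSH logs.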