A few years ago, after being bored of watching hundreds and thousands
of failed ssh login attempts to my home server, I asked myself:
what are these folks trying to bruteforce with?
OpenSSH would log the username, but that’s it.
I wanted to know more. What about the passwords? Are they trying to
use public key auth? What OSs are they using? What commands are they using?
Do they jump into interactive mode? So, as part of my Golang
learning journey, I decided to write a simple sshd honeypot.
Fortunately for me, gliderlabs/ssh
provided a nice interface for building ssh servers, so I did not have
to go as low-level as crypto/ssh, or further down still.
For fingerprinting the remote OS, I decided to use
p0f, which is and was an amazing
piece of software from
lcamtuf. Although neither the program
nor its OS signatures have been updated in ages, it still does quite
a decent job at fingerprinting remote OSs. You will need to run it with the
-s option so that it exposes the API socket that fakesshd needs
(e.g. /usr/sbin/p0f -i eth0 -s /var/run/p0f/p0f.socket port 22).
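To show what "the API functionality that fakesshd needs" actually looks like on the wire, here is an added example (not fakesshd's own code, and not part of p0f) of a minimal Go client for the p0f -s socket: it builds the 21-byte query for a peer address, reads the 232-byte reply and turns it into the OS label a honeypot would log. The field layout follows struct p0f_api_query and struct p0f_api_response from p0f's api.h; the assumption that the daemon writes them in host byte order (little-endian here) is mine. The fake daemon, its signature table and the peer addresses are constructed so the exchange runs offline over an in-memory pipe; against the real daemon you would net.Dial("unix", "/var/run/p0f/p0f.socket") instead.

```go
// Added example: client side of the p0f "-s" socket API, plus a constructed
// fake daemon so both halves of the exchange can run without p0f or pcap.
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

const (
	p0fQueryMagic = 0x50304601 // P0F_QUERY_MAGIC
	p0fRespMagic  = 0x50304602 // P0F_RESP_MAGIC
	p0fStatusOK   = 0x10       // P0F_STATUS_OK
	p0fNoMatch    = 0x20       // P0F_STATUS_NOMATCH
	p0fAddrIPv4   = 0x04       // P0F_ADDR_IPV4
	p0fAddrIPv6   = 0x06       // P0F_ADDR_IPV6
	querySize     = 21         // magic(4) + addr_type(1) + addr(16)
	respSize      = 232        // sizeof(struct p0f_api_response)
)

// Assumption: p0f emits the packed structs in host byte order.
var byteOrder = binary.LittleEndian

// p0fResponse mirrors struct p0f_api_response (strings are NUL-padded, 32 bytes).
type p0fResponse struct {
	Magic, Status, FirstSeen, LastSeen, TotalConn  uint32
	UptimeMin, UpModDays, LastNAT, LastChg         uint32
	Distance                                       int16
	BadSW, OSMatchQ                                uint8
	OSName, OSFlavor, HTTPName, HTTPFlavor         [32]byte
	LinkType, Language                             [32]byte
}

// buildQuery encodes the query for one peer IP (v4 is left-aligned in addr[]).
func buildQuery(ip net.IP) ([]byte, error) {
	q := make([]byte, querySize)
	byteOrder.PutUint32(q[0:4], p0fQueryMagic)
	if v4 := ip.To4(); v4 != nil {
		q[4] = p0fAddrIPv4
		copy(q[5:], v4)
	} else if v6 := ip.To16(); v6 != nil {
		q[4] = p0fAddrIPv6
		copy(q[5:], v6)
	} else {
		return nil, fmt.Errorf("not an IP address: %v", ip)
	}
	return q, nil
}

// cstr trims a NUL-padded fixed-width field to a Go string.
func cstr(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		b = b[:i]
	}
	return string(b)
}

// parseResponse returns "os flavor" and the TTL-derived hop distance on a
// match, an empty label when p0f has no record for the address, or an error
// for a bad magic or status.
func parseResponse(raw []byte) (string, int16, error) {
	var r p0fResponse
	if err := binary.Read(bytes.NewReader(raw), byteOrder, &r); err != nil {
		return "", 0, err
	}
	if r.Magic != p0fRespMagic {
		return "", 0, errors.New("p0f: bad response magic")
	}
	switch r.Status {
	case p0fStatusOK:
		label := cstr(r.OSName[:])
		if fl := cstr(r.OSFlavor[:]); fl != "" {
			label += " " + fl
		}
		return label, r.Distance, nil
	case p0fNoMatch:
		return "", 0, nil
	default:
		return "", 0, fmt.Errorf("p0f: status 0x%x", r.Status)
	}
}

// lookup performs one query/response round trip on an open socket connection.
func lookup(conn net.Conn, ip net.IP) (string, int16, error) {
	q, err := buildQuery(ip)
	if err != nil {
		return "", 0, err
	}
	if _, err := conn.Write(q); err != nil {
		return "", 0, err
	}
	raw := make([]byte, respSize)
	if _, err := io.ReadFull(conn, raw); err != nil {
		return "", 0, err
	}
	return parseResponse(raw)
}

// fakeP0f answers like the daemon, from a constructed table (stand-in only).
func fakeP0f(conn net.Conn, table map[string][2]string) {
	defer conn.Close()
	for {
		q := make([]byte, querySize)
		if _, err := io.ReadFull(conn, q); err != nil {
			return
		}
		r := p0fResponse{Magic: p0fRespMagic} // Status 0 = P0F_STATUS_BADQUERY
		if byteOrder.Uint32(q[0:4]) == p0fQueryMagic {
			ip := net.IP(q[5:21])
			if q[4] == p0fAddrIPv4 {
				ip = net.IP(q[5:9])
			}
			if sig, ok := table[ip.String()]; ok {
				r.Status, r.Distance = p0fStatusOK, 12
				copy(r.OSName[:], sig[0])
				copy(r.OSFlavor[:], sig[1])
			} else {
				r.Status = p0fNoMatch
			}
		}
		var buf bytes.Buffer
		binary.Write(&buf, byteOrder, &r)
		if _, err := conn.Write(buf.Bytes()); err != nil {
			return
		}
	}
}

// demo runs the exchange over an in-memory pipe; peers and table are constructed.
func demo(peer string) (string, int16, error) {
	table := map[string][2]string{"203.0.113.7": {"Linux", "3.11 and newer"}}
	client, server := net.Pipe()
	go fakeP0f(server, table)
	defer client.Close()
	return lookup(client, net.ParseIP(peer))
}

func main() {
	for _, peer := range []string{"203.0.113.7", "198.51.100.9"} {
		label, dist, err := demo(peer)
		fmt.Printf("%s -> os=%q distance=%d err=%v\n", peer, label, dist, err)
	}
}
```

In a gliderlabs/ssh handler the peer IP would come from the session's RemoteAddr (a *net.TCPAddr) and the label would be logged next to the username and password attempt; note that p0f only has a record for addresses whose SYN it has already seen on the interface given with -i, so an empty label is normal for the first packet of a brand-new source.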
In case you want to give it a try, here is the
Whatever command the attacker would execute,
fakesshd would return
the following welcome message:
Segmentation fault! (core dumped)
The internet provider where the home server runs went rogue and blocked
all incoming traffic to port 22, so I cannot provide a quick screenshot
of the resulting execution (yeah… no, I did not think of persisting the
logs to disk). In any case, I stopped exposing ssh to the internet a long
time ago and rely on the great Tailscale for accessing my
servers (you probably should too).
If I had to continue evolving the honeypot, a neat thing to do would be
to launch a minimal container and log sessions for a limited amount of time.