Syrup

An SSH honeypot with rich features, written in Go

Features

See Recorded Session in Action!

Requirements

Running

Building

Download

Pre-built packages for various platforms are available on the release tab. If the platform you need is not on the list, follow the build procedure in the next section.

Building

Go pre-1.11/1.11 with GO111MODULE=auto:

go get -u github.com/mkishere/sshsyrup
cd ~/go/src/github.com/mkishere/sshsyrup
dep ensure
go build -ldflags "-s -w" -o sshsyrup ./cmd/syrup
go build -ldflags "-s -w" -o createfs ./cmd/createfs

Go 1.11 with GO111MODULE=on:

Building the executables with GO111MODULE=on is currently a bit tricky in Go 1.11. If you want to leave modules on, build from a clone of the repository:

git clone https://github.com/mkishere/sshsyrup/
cd sshsyrup
go build -ldflags "-s -w" -o sshsyrup ./cmd/syrup
go build -ldflags "-s -w" -o createfs ./cmd/createfs

Setting up for the first run

Running from a Docker instance

A Docker image based on the latest build:

  docker pull mkishere/sshsyrup

By default, sshsyrup inside the container listens on port 22.

docker run -d mkishere/sshsyrup

The following example shows how to customize Syrup when running it in a container, by publishing a different host port and mounting your own files:

docker run -d -p 9999:22 \
-v /path/to/vfs/image.zip:/filesystem.zip \
-v /path/to/config.yaml:/config.yaml \
-v /path/to/logfiles:/logs \
-v /path/to/group:/group \
-v /path/to/passwd:/passwd \
-v /path/to/private_key:/id_rsa \
-v /path/to/commands.txt:/commands.txt \
-v /path/to/command_output:/cmdOutput \
mkishere/sshsyrup

But you may want to map to port 22 to make your honeypot easier to find.

If you want to see what happens (logs) in the Docker instance, get the instance id (docker ps) and then run docker logs -f YOUR_INSTANCE_ID.

Configuration parameters

Check out config.yaml

Logging

By default, Syrup writes its log in JSON format to the file activity.log in the logs/ directory.

Please note that Syrup will no longer append dates to log files. Use a proper log rotation tool (e.g. logrotate) to do the work.

Also, each terminal session (the shell) will be logged into a separate file under logs/sessions in asciinema v2 format.
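Because each session is an asciinema v2 file, it can be triaged offline without a terminal player. The following is an added example, not part of Syrup's code base: it parses a recording according to the asciicast v2 layout (a JSON header line followed by `[time, type, data]` event lines). The names `Session`, `ParseCast` and `sampleCast` are hypothetical, and whether Syrup writes input ("i") events is not stated on this page.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Session is the replayed content of one asciicast v2 recording.
type Session struct {
	Output, Input string  // concatenated "o" (output) and "i" (input) event data
	Duration      float64 // offset of the last valid event, in seconds
	Skipped       int     // malformed event lines, e.g. a cut-off final write
}

// ParseCast reads a JSON header line, then one [time, type, data] array per line.
func ParseCast(r io.Reader) (*Session, error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 64*1024), 8<<20) // one event may hold a lot of output
	var hdr struct{ Version int }
	if !sc.Scan() || json.Unmarshal(sc.Bytes(), &hdr) != nil || hdr.Version != 2 {
		return nil, fmt.Errorf("missing or unsupported asciicast header")
	}
	s, buf := &Session{}, map[string]*strings.Builder{"o": {}, "i": {}}
	for sc.Scan() {
		t, kind, data := 0.0, "", ""
		ev := []interface{}{&t, &kind, &data} // decode the tuple into typed fields
		if json.Unmarshal(sc.Bytes(), &ev) != nil || len(ev) != 3 {
			s.Skipped++
			continue
		}
		if b, ok := buf[kind]; ok {
			b.WriteString(data)
		}
		s.Duration = t
	}
	s.Output, s.Input = buf["o"].String(), buf["i"].String()
	return s, sc.Err()
}
// sampleCast is constructed for this example; its last line is cut off on purpose.
const sampleCast = `{"version": 2, "width": 80, "height": 24}
[0.5, "o", "root@server:~# uname -a\r\n"]
[1.5, "i", "exit\r"]
[2.0, "o", "trunc`
func main() {
	s, err := ParseCast(strings.NewReader(sampleCast))
	fmt.Printf("%.2fs skipped=%d err=%v\n%q\n", s.Duration, s.Skipped, err, s.Output)
}
```

A non-zero `Skipped` count usually means the recording was cut off mid-write, so the transcript may be missing the end of the session.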

Extending Syrup

Syrup comes with a framework that makes implementing commands easier. By implementing the Command interface, you can create your own commands, which are executed when intruders connecting to your honeypot run them. For more details, refer to the wiki.

If your command prints the same static output every time, you can put the output in cmdOutput/, and Syrup will print it when a client types the command in the terminal.

Contributing

Feel free to submit feature request/bug report via the GitHub issue tracker.

For submitting PR, do the following steps:

  1. Fork
  2. Create a branch for the feature/bugfix containing your changes on your fork
  3. Submit PR with your branch

If your change is large, it is advisable to create an issue to discuss it in advance :)

TODO