Awesome
honeypot
Code inspired (and mostly taken directly from) this post by Jerry Garcia. Jerry also has a follow up post on how to allow "hackers" to ssh into your container. The code used can be found here.
What is a "honeypot" ?
"In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site, but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, who are then blocked. This is similar to police sting operations, colloquially known as "baiting," a suspect." Wikipedia
How to build a simple honeypot
In Jerrys post linked above he provides the commands and detailed instructions on how to setup a honeypot to log ssh attempts. I simply stuck these commands into a Ubuntu based Dockerfile.
Usage
Clone this repo and build the image :
docker build -t ssh_honeypot:latest .
Start the container :
docker run -p 22:22 --name honeypot -dt ssh_honeypot:latest
Check the logs :
You can exec into the container and check the /var/log/auth.log for full logging output including source IP or run :
docker logs -f honeypot
Example Output :
Starting rsyslog
* Starting enhanced syslogd rsyslogd [ OK ]
Starting sshd
Checking ps
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 15:29 pts/0 00:00:00 /bin/sh -c /tmp/start_honeypot.s
root 7 1 0 15:29 pts/0 00:00:00 /bin/bash /tmp/start_honeypot.sh
syslog 24 1 0 15:29 ? 00:00:00 /usr/sbin/rsyslogd
root 31 1 0 15:29 ? 00:00:00 /opt/openssh2/dist/sbin/sshd -f
root 32 7 0 15:29 pts/0 00:00:00 ps -ef
Tailing auth.log for login attempts
Dec 21 15:59:38 cfcde3edc46e sshd[52]: Honey: Username: root Password: admintrup
Dec 21 15:59:38 cfcde3edc46e sshd[52]: Honey: Username: root Password: admintrup
Dec 21 15:59:39 cfcde3edc46e sshd[52]: Honey: Username: root Password: admintrup
Dec 21 15:59:39 cfcde3edc46e sshd[52]: Honey: Username: root Password: rpitc
Dec 21 15:59:40 cfcde3edc46e sshd[52]: Honey: Username: root Password: openelec
Dec 21 15:59:40 cfcde3edc46e sshd[52]: Honey: Username: root Password: system
Using the source IP and this site you can generate a Heatmap.
Find the location of the source IP
curl -X GET http://ip-api.com/json/103.217.152.20
{"as":"AS135259 SKYLINE INFONET PRIVATE LIMITED","city":"Sīkar","country":"India","countryCode":"IN","isp":"Skyline Infonet Private Limited","lat":27.6126,"lon":75.1457,"org":"Skyline Infonet Private Limited","query":"103.217.152.20","region":"","regionName":"Rajasthan","status":"success","timezone":"Asia/Kolkata","zip":""}
Port and OS scan using nmap
nmap --top-ports 1000 -T4 -sC 218.65.30.126
nmap -O -v 218.65.30.126
That's as far as I've got. Thanks Jerry for your posts. Future plans include port scanning source IPs to see which ports are open out of curiosity.