A fake SSH server that lets everyone in and logs their activity

sshesame

An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in and logs their activity

sshesame accepts and logs SSH connections and activity (channels, requests), without doing anything on the host (e.g. executing commands, making network requests).

Installation and usage

Warning: The sshesame package in the official Debian (and derivatives) repositories may be (probably is) outdated.

From source

$ git clone https://github.com/jaksi/sshesame.git
$ cd sshesame
$ go build

GitHub releases

Linux, macOS and Windows binaries for several architectures are built and released automatically and are available on the Releases page.

Snap

Snaps for several architectures are built and released automatically and are available on the Snap Store.

Warning: The snap can only access files (configs, keys, logs) in the user's home directory.

$ snap install sshesame

Usage

$ sshesame -h
Usage of sshesame:
  -config string
    	optional config file
  -data_dir string
    	data directory to store automatically generated host keys in (default "...")

Debug and error logs are written to standard error. By default, activity logs are written to standard output, unless the logging.file config option is set.

Docker

Images for amd64, arm64 and armv7 are built and published automatically and are available on the Packages page.

CLI

$ docker run -it --rm\
    -p 127.0.0.1:2022:2022\
    -v sshesame-data:/data\
    [-v $PWD/sshesame.yaml:/config.yaml]\
    ghcr.io/jaksi/sshesame

Dockerfile

FROM ghcr.io/jaksi/sshesame
#COPY sshesame.yaml /config.yaml

Docker Compose

services:
  sshesame:
    image: ghcr.io/jaksi/sshesame
    ports:
      - "127.0.0.1:2022:2022"
    volumes:
      - sshesame-data:/data
      #- ./sshesame.yaml:/config.yaml
volumes:
  sshesame-data: {}

systemd

[Unit]
Description=SSH honeypot
After=network-online.target
Wants=network-online.target

[Service]
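# systemd does not treat a trailing "#" as a comment, so the optional flag is noted here.
# To use a config file, append to ExecStart: -config /path/to/sshesame.yaml
ExecStart=/path/to/sshesame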
Restart=always

[Install]
WantedBy=multi-user.target

Configuration

A configuration file can optionally be passed using the -config flag. If none is specified, sane defaults are used, and RSA, ECDSA and Ed25519 host keys are generated and stored in the directory specified by the -data_dir flag.

A sample configuration file with default settings and explanations for all configuration options is included.
A minimal configuration file which tries to mimic an OpenSSH server is also included.

Sample output

2021/07/04 00:37:05 [127.0.0.1:64515] authentication for user "jaksi" without credentials rejected
2021/07/04 00:37:05 [127.0.0.1:64515] authentication for user "jaksi" with public key "SHA256:uUdTmvEHN6kCAoE4RJWsxr8+fGTGhCpAhBaWgmMVqNk" rejected
2021/07/04 00:37:07 [127.0.0.1:64515] authentication for user "jaksi" with password "hunter2" accepted
2021/07/04 00:37:07 [127.0.0.1:64515] connection with client version "SSH-2.0-OpenSSH_8.1" established
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] session requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] PTY using terminal "xterm-256color" (size 158x48) requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] environment variable "LANG" with value "en_IE.UTF-8" requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] shell requested
2021/07/04 00:37:16 [127.0.0.1:64515] [channel 1] input: "cat /etc/passwd"
2021/07/04 00:37:17 [127.0.0.1:64515] [channel 1] closed
2021/07/04 00:37:17 [127.0.0.1:64515] connection closed
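
For triage, the activity log above can be grouped by peer address. The following is an added example, not part of sshesame or its README: it assumes the plain-text format with timestamps shown in the sample output, and the names `summarize` and `accepted_passwords` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: four lines from "Sample output" plus two invented lines
# (documentation address, password containing an escaped quote and a bracket).
SAMPLE = r'''2021/07/04 00:37:05 [127.0.0.1:64515] authentication for user "jaksi" without credentials rejected
2021/07/04 00:37:07 [127.0.0.1:64515] authentication for user "jaksi" with password "hunter2" accepted
2021/07/04 00:37:07 [127.0.0.1:64515] connection with client version "SSH-2.0-OpenSSH_8.1" established
2021/07/04 00:37:16 [127.0.0.1:64515] [channel 1] input: "cat /etc/passwd"
2021/07/04 00:38:01 [192.0.2.7:40022] authentication for user "root" with password "pa\"ss] x" accepted
2021/07/04 00:38:02 [192.0.2.7:40022] [channel 0] input: "uname -a"'''

# A quoted value as logged. Escaped quotes (\") stay inside the match, so
# client-chosen text cannot end the field early and fake the rest of the line.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(r'^\S+ \S+ \[(\S+)\] (?:\[channel \d+\] )?(.*)$')
AUTH = re.compile(
    rf'^authentication for user {Q} '
    rf'(?:without credentials|with (password|public key) {Q}) (accepted|rejected)$'
)
CLIENT = re.compile(rf'^connection with client version {Q} established$')
INPUT = re.compile(rf'^input: {Q}$')

def summarize(text):
    """Group activity by peer address. Values are kept in their escaped form."""
    peers = defaultdict(lambda: {"auth": [], "client": None, "inputs": []})
    for raw in text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # debug/error output or a different log format
        peer, msg = line.groups()
        if m := AUTH.match(msg):
            user, method, cred, result = m.groups()
            peers[peer]["auth"].append(
                (user, method or "none", cred, result == "accepted"))
        elif m := CLIENT.match(msg):
            peers[peer]["client"] = m.group(1)
        elif m := INPUT.match(msg):
            peers[peer]["inputs"].append(m.group(1))
    return dict(peers)

def accepted_passwords(summary):
    """(peer, user, password) for every password login the honeypot accepted."""
    return [(peer, user, cred) for peer, s in summary.items()
            for user, method, cred, ok in s["auth"] if ok and method == "password"]

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE).items():
        print(peer, info)
```

The captured values are left escaped on purpose: they are chosen by the connecting client, and printing them unescaped to a terminal would let control sequences through.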