A fake SSH server that lets everyone in and logs their activity

Kristof Jakab b3fe49af30 Merge pull request #106 from jaksi/jaksi/issue105 2 weeks ago
.github d7348046ca Update dependencies and actions 1 month ago
replay_tests 220050ccc6 Add a replay test involving su 11 months ago
snap d2249fcc3b Add git as a build dep when building the snap 9 months ago
testproxy d09df0e824 Unrelated: also fix error handling in testproxy 2 weeks ago
.gitignore 2707e4f8cf Ignore __debug_bin 2 weeks ago
Dockerfile 82b0c2e310 Dockerfile: remove unneeded go get 9 months ago
LICENSE 71f46a337b Initial commit 5 years ago
README.md 865fa3b518 README: fix TOC 1 month ago
auth.go 8974f280a0 Export metrics about auth attempts 11 months ago
auth_test.go 8d4599c4ae Remove metadata variables to context 11 months ago
commands.go 366e6d677c commands: add su 11 months ago
config.go b590bcb5c2 Add the logging.split_host_port config option 2 weeks ago
config_test.go b590bcb5c2 Add the logging.split_host_port config option 2 weeks ago
connection.go 3a36aa0786 Clean up comments 2 months ago
go.mod 7bf6c6b033 Update sshutils 1 month ago
go.sum 7bf6c6b033 Update sshutils 1 month ago
logging.go 4b1780dd1d Support logging.split_host_port for all addresses 2 weeks ago
logging_test.go c97893f809 logging_test: add helper and consolidate tests 2 weeks ago
main.go 7126278690 use sshutils.Listen 2 months ago
openssh.yaml c1b2fa34ec Restructure the configuration 1 year ago
replay_test.go 1aaad1b103 Unrelated: fix error handling in replay_test 2 weeks ago
request.go 4b1780dd1d Support logging.split_host_port for all addresses 2 weeks ago
session.go 636d9610be no-more-sessions: fix error typo 1 month ago
sshesame.yaml b590bcb5c2 Add the logging.split_host_port config option 2 weeks ago
tcpip.go 4b1780dd1d Support logging.split_host_port for all addresses 2 weeks ago
testutils.go e4c579284f Use static keys in most tests to speed them up 9 months ago

README.md

sshesame

An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in and logs their activity

sshesame accepts and logs SSH connections and activity (channels, requests), without doing anything on the host (e.g. executing commands, making network requests).

asciicast

Installation and usage

:warning: The sshesame package in the official Debian (and derivatives) repositories may be (probably is) outdated.

From source

$ git clone https://github.com/jaksi/sshesame.git
$ cd sshesame
$ go build

GitHub releases

Linux, macOS and Windows binaries for several architectures are built and released automatically and are available on the Releases page.

Snap

Snaps for several architectures are built and released automatically and are available on the Snap Store.

:warning: The snap can only access files (configs, keys, logs) in the user's home directory.

$ snap install sshesame

Usage

$ sshesame -h
Usage of sshesame:
  -config string
    	optional config file
  -data_dir string
    	data directory to store automatically generated host keys in (default "...")

Debug and error logs are written to standard error. Activity logs by default are written to standard out, unless the logging.file config option is set.

Docker

Images for amd64, arm64 and armv7 are built and published automatically and are available on the Packages page.

CLI

$ docker run -it --rm\
    -p 127.0.0.1:2022:2022\
    -v sshesame-data:/data\
    [-v $PWD/sshesame.yaml:/config.yaml]\
    ghcr.io/jaksi/sshesame

Dockerfile

FROM ghcr.io/jaksi/sshesame
#COPY sshesame.yaml /config.yaml

Docker Compose

services:
  sshesame:
    image: ghcr.io/jaksi/sshesame
    ports:
      - "127.0.0.1:2022:2022"
    volumes:
      - sshesame-data:/data
      #- ./sshesame.yaml:/config.yaml
volumes:
  sshesame-data: {}

systemd

[Unit]
Description=SSH honeypot
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/path/to/sshesame #-config /path/to/sshesame.yaml
Restart=always

[Install]
WantedBy=multi-user.target

Configuration

A configuration file can optionally be passed using the -config flag. Without specifying one, sane defaults will be used and an RSA, ECDSA and Ed25519 host key will be generated and stored in the directory specified in the -data_dir flag.

A sample configuration file with default settings and explanations for all configuration options is included.
A minimal configuration file which tries to mimic an OpenSSH server is also included.

Sample output

2021/07/04 00:37:05 [127.0.0.1:64515] authentication for user "jaksi" without credentials rejected
2021/07/04 00:37:05 [127.0.0.1:64515] authentication for user "jaksi" with public key "SHA256:uUdTmvEHN6kCAoE4RJWsxr8+fGTGhCpAhBaWgmMVqNk" rejected
2021/07/04 00:37:07 [127.0.0.1:64515] authentication for user "jaksi" with password "hunter2" accepted
2021/07/04 00:37:07 [127.0.0.1:64515] connection with client version "SSH-2.0-OpenSSH_8.1" established
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] session requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] PTY using terminal "xterm-256color" (size 158x48) requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] environment variable "LANG" with value "en_IE.UTF-8" requested
2021/07/04 00:37:07 [127.0.0.1:64515] [channel 1] shell requested
2021/07/04 00:37:16 [127.0.0.1:64515] [channel 1] input: "cat /etc/passwd"
2021/07/04 00:37:17 [127.0.0.1:64515] [channel 1] closed
2021/07/04 00:37:17 [127.0.0.1:64515] connection closed