Capturing 54 Million Passwords with a Docker SSH Honeypot

Written by Ruan Bekker on Feb 26th, 2021

Over the last couple of days I observed thousands of SSH brute-force attacks, so I decided to revisit my SSH server configuration and move SSH to another port in the interim. Moving the port only reduces the noise, it is not a hardening measure: a port scan finds 222 just as easily, so the usual controls (key-based authentication, no password logins for root) still apply.

The dashboard that showed me the results at that point in time:

Then I decided I actually would like to set up an SSH honeypot listening on port 22, change my real SSH server to listen on 222, and capture the IP addresses, usernames and passwords the attackers try, dumping it all into a file so that I can build up my own password dictionary :D

SSH Configuration:

Changing the SSH Port:

$ sudo vim /etc/ssh/sshd_config

Change the port to 222:

Port 222

Restart the SSH server (on a systemd host, restart the ssh unit with systemctl instead). Before doing this, allow port 222 through any firewall in front of the host, and keep your current session open until a fresh connection on 222 succeeds:

$ sudo /etc/init.d/ssh restart

Verify that the SSH Server is running on the new port:

$ sudo netstat -tulpn | grep sshd
tcp        0      0 0.0.0.0:222            0.0.0.0:*               LISTEN      28838/sshd

Docker SSH Honeypot:

Thanks to random-robbie, who had everything I was looking for on GitHub: a Docker image wrapping Daniel Roberson's ssh-honeypot, a fake SSH server that records every login attempt (the start-up banner in the log output below shows the version).

Set up the SSH honeypot (only once sshd has moved off port 22, otherwise publishing port 22 for the container fails):

$ git clone https://github.com/random-robbie/docker-ssh-honey
$ cd docker-ssh-honey/
$ docker build . -t local:ssh-honeypot
$ docker run -itd --name ssh-honeypot -p 22:22 local:ssh-honeypot

Once someone attempts to SSH in, the attempts are written to the container's stdout:

$ docker logs -f $(docker ps -f name=ssh-honeypot -q) | grep -v 'Error exchanging' | head -10
[Thu Feb 25 01:13:41 2021] ssh-honeypot 0.0.8 by Daniel Roberson started on port 22. PID 5
[Thu Feb 25 01:19:49 2021] 1xx.1xx.1xx.1x gambaa gambaa
[Thu Feb 25 01:23:26 2021] 1xx.9x.1xx.1xx root toor
[Thu Feb 25 01:25:57 2021] 1xx.2xx.1xx.1xx root Passw0rd1234
[Thu Feb 25 01:26:00 2021] 1xx.2xx.1xx.1xx root Qwer1234
[Thu Feb 25 01:26:00 2021] 1xx.2xx.1xx.1xx root Abcd1234
[Thu Feb 25 01:26:08 2021] 1xx.2xx.1xx.1xx root ubuntu
[Thu Feb 25 01:26:09 2021] 1xx.2xx.1xx.1xx root PassWord
[Thu Feb 25 01:26:10 2021] 1xx.2xx.1xx.1xx root password321
[Thu Feb 25 01:26:15 2021] 1xx.2xx.1xx.1xx root zxcvbnm

Saving results to disk:

To save the output to a log file, run the pipeline in the foreground inside a screen session. Besides the 'Error exchanging' noise, also drop the start-up banner line (it would otherwise land in the log as "ssh-honeypot 0.0.8 by"), and print everything from the sixth field onwards so that passwords containing spaces are not truncated. The container was started with --name ssh-honeypot, so the name can be used instead of the container ID:

$ screen -S honeypot
$ docker logs -f ssh-honeypot | grep -v -e 'Error exchanging' -e 'started on port' | cut -d ' ' -f 6- >> /var/log/ssh-honeypot.log

Detach from your screen session:

Ctrl + a; d

Checking the logs:

$ head -3 /var/log/ssh-honeypot.log
2.7.2x.1x root jiefan
4x.7.2x.1x root HowAreYou
4x.7.2x.1x root Sqladmin

After leaving this running for a couple of months, I have a massive password database:

$ wc -l /var/log/honeypot/ssh.log
54184260 /var/log/honeypot/ssh.log

That is correct: 54 million password attempts, from 5372 unique IPs, using 4082 unique usernames and 88829 unique passwords.
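To compute the unique IP, username and password counts above, and to build the dictionary that was the point of the exercise, here is an added Python example; it is not code from the original post or from the ssh-honeypot project. It assumes the line format shown in the docker logs output above and also accepts the timestamp-less lines that the screen pipeline writes to the log file. The sample lines are constructed (RFC 5737 documentation addresses, not real captures), and the wording of the libssh key-exchange error line is a guess, since the post only greps for 'Error exchanging'.

```python
"""Summarise ssh-honeypot credential logs: attempts, unique IPs/users/passwords,
and a frequency-ordered wordlist.

Added example for this post; not code from the post or the ssh-honeypot project.
Assumed line format (as shown in the post):
    [<weekday> <mon> <day> <HH:MM:SS> <year>] <ip> <username> <password>
Timestamp-less "<ip> <username> <password>" lines (the saved log file) also parse.
"""
import re
import sys
from collections import Counter

# Optional bracketed timestamp, then IPv4, username, and the remainder of the
# line as the password. The password is captured as "rest of line" rather than
# a whitespace field, so passwords containing spaces survive intact.
ATTEMPT_RE = re.compile(
    r"^(?:\[[^\]]+\] )?"                 # [Thu Feb 25 01:19:49 2021]
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "  # source address
    r"(?P<user>\S+)"                     # username
    r"(?: (?P<password>.*))?$"           # password (may be empty or absent)
)

# Constructed sample in the shape of `docker logs` output; not real data.
# The exact wording of the key-exchange error line is an assumption.
SAMPLE_LINES = [
    "[Thu Feb 25 01:13:41 2021] ssh-honeypot 0.0.8 by Daniel Roberson started on port 22. PID 5",
    "[Thu Feb 25 01:19:49 2021] 192.0.2.10 gambaa gambaa",
    "[Thu Feb 25 01:20:02 2021] 198.51.100.7 Error exchanging keys",
    "[Thu Feb 25 01:23:26 2021] 198.51.100.7 root toor",
    "[Thu Feb 25 01:25:57 2021] 203.0.113.5 root Passw0rd1234",
    "[Thu Feb 25 01:26:00 2021] 203.0.113.5 root Qwer1234",
    "[Thu Feb 25 01:26:03 2021] 203.0.113.5 root toor",
    "[Thu Feb 25 01:26:08 2021] 203.0.113.5 admin pass word",   # password with a space
    "[Thu Feb 25 01:26:09 2021] 203.0.113.5 root",              # empty password
    "203.0.113.9 root 123456",   # line as written to the log file (no timestamp)
]


def parse_attempts(lines):
    """Yield (ip, username, password) for each login attempt, dropping noise."""
    for line in lines:
        line = line.rstrip("\r\n")
        if "Error exchanging" in line:
            continue  # libssh key-exchange failure: no credentials on this line
        m = ATTEMPT_RE.match(line)
        if not m:
            continue  # start-up banner or anything else that is not an attempt
        yield m.group("ip"), m.group("user"), m.group("password") or ""


def summarise(lines):
    """Count attempts and per-value frequencies in one streaming pass."""
    ips, users, passwords = Counter(), Counter(), Counter()
    attempts = 0
    for ip, user, password in parse_attempts(lines):
        attempts += 1
        ips[ip] += 1
        users[user] += 1
        passwords[password] += 1
    return {"attempts": attempts, "ips": ips, "users": users, "passwords": passwords}


def wordlist(passwords, min_count=1):
    """Non-empty passwords ordered by frequency (desc), then value: a dictionary file."""
    ranked = sorted(passwords.items(), key=lambda kv: (-kv[1], kv[0]))
    return [pw for pw, n in ranked if pw and n >= min_count]


def main(argv):
    if len(argv) > 1:
        # Attacker-supplied bytes may not be valid UTF-8; never let that abort the run.
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            stats = summarise(fh)
    else:
        stats = summarise(SAMPLE_LINES)
    print(f'{stats["attempts"]} attempts, {len(stats["ips"])} unique IPs, '
          f'{len(stats["users"])} unique usernames, {len(stats["passwords"])} unique passwords')
    for pw, n in stats["passwords"].most_common(5):
        print(f"{n:>8}  {pw!r}")  # repr keeps control characters visible


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 honeypot_stats.py /var/log/honeypot/ssh.log` to get the same summary line as above for a real log. Streaming the 54-million-line file through summarise() keeps one Counter entry per unique value, so memory stays at the size of the unique sets, not the line count. The passwords are attacker-controlled strings, which is why the file is opened with errors='replace' and the top entries are printed with repr(); treat wordlist() output the same way before feeding it to anything that interprets it.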
