Did you ever wonder who is trying to log on to your server?
Here is how to set up a SSH honeypot inside of a Docker container that sends the data to CSIRT Gadgets using the Collective Intelligence Framework (CIF) in 3 steps. Sending the data to CSIRT Gadgets is great because you can then pull the data back down to be injected in to your IDS, or any other number of uses like by a SIEM for correlation.
Below is a short video that shows the entire process that takes less than 90 seconds(once your csirtg.io account is set up) on an Ubuntu 16.04 server, but will work on any *nix machine that can run Docker and Python 2.7.14+
For those less trusting of scripts found on the Internet, I’ve detailed the steps below the video.
90 Second install!
- Create an account on CSIRTG.io if you don’t have one
- Set up a ‘ssh-scanning’ feed
- Create a token for your account
- Change your real SSH server to run on a non-default port. I normally use 2020, but you can use whatever suits your fancy
- You do this in the /etc/ssh/sshd_config file
- Then do a
sudo service ssh restart
to restart it on the new port
- Run this command from your Ubuntu 16.04 box
- Enter your CSIRTG username/provider/token when prompted.
$bash <(curl -s https://gist.githubusercontent.com/sfinlon/f639699db8ce9ea4d87187b21f3c792f/raw/54fab1e785daf084b0277774da55cb513307c001/ubuntu-ssh-logger-install.sh)
My public feeds can be seen here https://csirtg.io/users/sfinlon
Once your CSIRTG account is ready to go, the rest takes less than 2 minutes! The video below picks up right after your CSIRTG account and token is setup.
For those of you less trusting of scripts found on the Internet, here are the steps laid out for you.
Step 1: Create account
Go to csirtg.io and sign up to create your username.
Create a feed called 'ssh-scanning'.
Finally create a token for your account, you'll need this in step 6.
Step 2: Move SSH port
Change the SSHD default port, by updating the line in /etc/ssh/sshd_config that says
Port 22
to Port 2020
or run this command:
$ sudo sed -i 's/Port\ 22/Port\ 2020/' /etc/ssh/sshd_config
Step 3: Install Ubuntu packages
Install docker.io and PIP on Ubuntu with this command:
$ sudo apt-get update && sudo apt-get install docker.io python-pip
Step 4: Set up Docker container
Once Docker is installed, pull down Justin Azoff's ssh-auth-logger and run it. This command pulls the latest image from hub.docker.com, set it to start the container to auto restart on failure, and exposes and publishes port 22 of the Docker container to port 22 of the host:
$ sudo docker run -d -p 22:22 --expose=22 --name=sshlogger --restart=always justinazoff/ssh-auth-logger
Step 5: Install CIF
Install csirtg-smrt and csirtgsdk:
$sudo pip install --upgrade pip && sudo pip install csirtg-smrt csirtgsdk
Step 6: Set up CIF to tail Docker container
Because ssh-auth-logger just logs any IP that tries to connect to it and outputs it to STDOUT we need to install the service files that configure csirtg-cef to tail the Docker container.
- Edit the csirtg-docker.service file and change the provider and feed to whatever you set on csirtg.io and update --tail-docker to whatever you named your container.
- Edit the darknet.env file with your csirtg.io username, token and use 'ssh-scanning' as the feed.
- These commands pull the files down from github, and puts them where they need to go. Make sure you edit both files with your variables before you copy them:
$ git clone https://gist.github.com/1eddaa3d1a4de129dcf27cd90f90ec93.git
$ sudo cp csirtg-docker.service /etc/systemd/system/
$ sudo cp darknet.env /etc/
Step 7: Start/check services
First, check the Docker container is running, because csirtg-cef won't run if it isn't. This will show the status of all containers on your system, running and not-running:
$ sudo docker ps -a
Once the ssh-auth-logger container is verified to be running, start up the CSIRTG service.
$ sudo service csirtg-docker start
Finally, after it's been started, check it to verify it's running properly. If it's encountered an error and exited, you'll have to double check the configuration and/or other services to make sure they are running.
$ sudo service csirtg-docker status