Over the last couple of days my ELK Stack picked up a couple of thousand SSH brute-force attacks, so I decided to revisit my SSH server configuration and move my SSH port elsewhere for the interim. The dashboard that showed me the results at that point in time:
Then I decided I would actually like to set up an SSH honeypot listening on port 22, move my real SSH server to port 222, and capture the IP addresses, usernames and passwords the attackers try, dumping it all to a file so that I can build up my own password dictionary :D
SSH Configuration:
Changing the SSH Port:
Change the port to 222:
Restart the SSH Server:
Verify that the SSH Server is running on the new port:
Docker SSH Honeypot:
Thanks to random-robbie, who had everything I was looking for on GitHub.
Set up the SSH honeypot:
Once someone attempts to SSH in, the attempts are printed to stdout:
Saving results to disk:
Redirecting the output to a log file, running in the foreground inside a screen session:
Detach from your screen session:
Checking out the logs:
After leaving this running for a couple of months, I have a massive password database:
That is correct: 54 million password attempts, from 5372 unique IPs, using 4082 unique usernames and 88829 unique passwords.
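As an added example (not part of the original post, and not random-robbie's honeypot code), here is one way to turn the captured attempts into the kind of summary above and into a deduplicated wordlist. The log line format `<timestamp> <client ip> <username> <password>` is an assumption, since the honeypot's real output is not reproduced here; adjust the awk field positions to match your log. The sample lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: summarise SSH honeypot log lines and build a password wordlist.
# Assumed log format (not taken from the honeypot itself):
#   <timestamp> <client ip> <username> <password...>
# The password is everything from the 4th field onward, so passwords
# containing spaces are preserved.

# Write a small constructed sample log to the path given as $1.
make_sample_log() {
  cat > "$1" <<'EOF'
2018-04-22T10:00:01Z 198.51.100.7 root 123456
2018-04-22T10:00:02Z 198.51.100.7 root password
2018-04-22T10:00:03Z 203.0.113.5 admin admin
2018-04-22T10:00:04Z 203.0.113.5 root 123456
2018-04-22T10:00:05Z 192.0.2.99 ubuntu ubuntu
2018-04-22T10:00:06Z 192.0.2.99 root toor
EOF
}

# Extract one column per attempt; passwords are fields 4..NF joined back together.
log_ips()       { awk '{print $2}' "$1"; }
log_users()     { awk '{print $3}' "$1"; }
log_passwords() { awk '{ $1=$2=$3=""; sub(/^ +/, ""); print }' "$1"; }

# Counts matching the summary in the post: total attempts, unique IPs,
# unique usernames and unique passwords.
count_attempts()         { wc -l < "$1" | tr -d ' '; }
count_unique_ips()       { log_ips "$1"       | sort -u | wc -l | tr -d ' '; }
count_unique_users()     { log_users "$1"     | sort -u | wc -l | tr -d ' '; }
count_unique_passwords() { log_passwords "$1" | sort -u | wc -l | tr -d ' '; }

# Build a wordlist at $2: unique passwords, most frequently attempted first.
build_wordlist() {
  log_passwords "$1" | sort | uniq -c | sort -rn | awk '{ $1=""; sub(/^ +/, ""); print }' > "$2"
}

# Most active source IPs (top N, default 5), handy as input for a firewall
# deny list or a fail2ban-style blocker.
top_ips() { log_ips "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}"; }

# Stand-alone demo on the constructed sample log.
LOG=$(mktemp)
make_sample_log "$LOG"
echo "attempts: $(count_attempts "$LOG"), unique IPs: $(count_unique_ips "$LOG"), unique usernames: $(count_unique_users "$LOG"), unique passwords: $(count_unique_passwords "$LOG")"
build_wordlist "$LOG" "$LOG.wordlist"
echo "wordlist written to $LOG.wordlist ($(wc -l < "$LOG.wordlist" | tr -d ' ') entries)"
rm -f "$LOG" "$LOG.wordlist"
```

Moving the real server to port 222 only cuts down the noise from scanners that try port 22; the honeypot is what gives you useful data, and the `top_ips` output is the part worth feeding back into a blocklist.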