Who is knocking at the door?
By Luis Peralta
A few years ago, after getting bored of watching hundreds and thousands of failed ssh login attempts to my home server, I asked myself: what are these folks trying to brute-force with? OpenSSH would log the username, but that’s it.
I wanted to know more. What about the passwords? Are they trying to use public key auth? What OSs are they using? What commands are they using? Do they jump into interactive mode? So, as part of my Golang learning journey, I decided to write a simple sshd honeypot.
Fortunately for me, gliderlabs/ssh provided a nice interface for building ssh servers, so that I did not have to drop down to raw crypto/ssh, or lower still.
For fingerprinting the remote OS, I decided to use p0f, which is and was an amazing piece of software from lcamtuf. Although neither the program nor its OS signatures have been updated in ages, it still does quite a decent job at fingerprinting remote OSs. You will need to run it with the -s option so that it exposes the API socket that fakesshd needs (i.e. /usr/sbin/p0f -i eth0 -s /var/run/p0f/p0f.socket port 22). p0f fingerprints the TCP SYN it sniffs, so it has to listen on the interface the ssh connections actually arrive on, and the BPF filter (port 22 above) has to match the port the honeypot listens on; otherwise every lookup comes back as "no match".
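The socket that -s opens speaks p0f's small binary API: a 21-byte query (magic, address type, 16-byte address) answered by a 232-byte packed struct. The following Go client is an added example written for this page, not code from fakesshd or from p0f; the constants and field layout are taken from p0f v3's api.h, and it assumes a little-endian host since p0f writes the C struct to the socket in the daemon's native byte order. The socket path is the one from the command above; sampleResponse() is a constructed response, not real p0f output, so the decoder can be exercised without a running daemon.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// Magic numbers, status codes and sizes copied from p0f v3's api.h.
const (
	p0fQueryMagic, p0fRespMagic   = 0x50304601, 0x50304602
	p0fStatusOK, p0fStatusNoMatch = 0x10, 0x20 // 0x00 is P0F_STATUS_BADQUERY
	p0fAddrIPv4, p0fAddrIPv6      = 0x04, 0x06
	p0fQueryLen, p0fRespLen       = 21, 232 // sizeof the packed query / response structs
)

// p0fResponse mirrors struct p0f_api_response field for field. p0f writes the packed C
// struct straight to the socket (host byte order); assumption: little-endian host.
type p0fResponse struct {
	Magic, Status, FirstSeen, LastSeen, TotalConn uint32
	UptimeMin, UpModDays, LastNAT, LastChg        uint32
	Distance                                      int16 // hops, inferred from the SYN's TTL
	BadSW, OSMatchQ                               uint8
	OSName, OSFlavor, HTTPName, HTTPFlavor        [32]byte // NUL-padded C strings
	LinkType, Language                            [32]byte
}

// ErrNoMatch: p0f never saw a SYN from that address (wrong interface?). Log it, don't fail the session.
var ErrNoMatch = errors.New("p0f: no fingerprint recorded for this address")

// encodeQuery builds the 21-byte p0f_api_query for ip.
func encodeQuery(ip net.IP) ([]byte, error) {
	q := make([]byte, p0fQueryLen)
	binary.LittleEndian.PutUint32(q[0:4], p0fQueryMagic)
	if v4 := ip.To4(); v4 != nil {
		q[4] = p0fAddrIPv4
		copy(q[5:], v4) // left-aligned in the 16-byte field; the rest stays zero
	} else if v16 := ip.To16(); v16 != nil {
		q[4] = p0fAddrIPv6
		copy(q[5:], v16)
	} else {
		return nil, fmt.Errorf("p0f: not an IP address: %v", ip)
	}
	return q, nil
}

func cstr(b []byte) string { return string(bytes.TrimRight(b, "\x00")) }

// decodeResponse parses one raw response and maps its status to an error.
func decodeResponse(raw []byte) (*p0fResponse, error) {
	r := new(p0fResponse)
	if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, r); err != nil {
		return nil, fmt.Errorf("p0f: short or unreadable response: %w", err)
	}
	switch {
	case r.Magic != p0fRespMagic:
		return nil, fmt.Errorf("p0f: bad response magic %#x", r.Magic)
	case r.Status == p0fStatusNoMatch:
		return nil, ErrNoMatch
	case r.Status != p0fStatusOK:
		return nil, fmt.Errorf("p0f: query rejected, status %#x", r.Status)
	}
	return r, nil
}

// queryP0f asks a daemon started with `p0f -s <socketPath>` about ip.
func queryP0f(socketPath string, ip net.IP) (*p0fResponse, error) {
	q, err := encodeQuery(ip)
	if err != nil {
		return nil, err
	}
	conn, err := net.DialTimeout("unix", socketPath, 2*time.Second)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(2 * time.Second)) // never let an ssh session hang on p0f
	raw := make([]byte, p0fRespLen)
	if _, err = conn.Write(q); err == nil {
		_, err = io.ReadFull(conn, raw)
	}
	if err != nil {
		return nil, err
	}
	return decodeResponse(raw)
}

// sampleResponse is a constructed response (not real p0f output) to exercise the decoder offline.
func sampleResponse() []byte {
	r := p0fResponse{Magic: p0fRespMagic, Status: p0fStatusOK, FirstSeen: 1700000000, TotalConn: 42, Distance: 12}
	copy(r.OSName[:], "Linux")
	copy(r.OSFlavor[:], "3.11 and newer")
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.LittleEndian, &r)
	return buf.Bytes()
}
```

In a session handler you would call queryP0f("/var/run/p0f/p0f.socket", remoteIP) once per connection and log cstr(r.OSName[:]), cstr(r.OSFlavor[:]) and r.Distance next to the username and password. Two things matter operationally: treat ErrNoMatch as data rather than as a failure (p0f has simply not seen that SYN), and keep the deadline, because a wedged daemon must not stall the attacker's session and reveal that something unusual is sitting behind port 22.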
In case you want to give it a try, here is the gist:
Whatever command the attacker executed, fakesshd would return the following welcome message:
Segmentation fault! (core dumped)
The internet provider where the home server runs went rogue and blocked all incoming traffic to port 22, so I cannot provide a quick screenshot of the resulting execution (yeah… no, I did not think of persisting the logs to disk). In any case, I stopped exposing ssh to the internet a long time ago and rely on the great Tailscale for accessing my servers (you probably should too).
If I had to continue evolving the honeypot, a neat thing to do would be to launch a minimal container and log sessions for a limited amount of time.