The development of this honeypot starts from an example provided with the Apache MINA SSHD libraries: ServerMain.java. That example starts an SSH server on a port chosen by the user (in our case port 22, the port dedicated to SSH). As provided, the program gives access to the host operating system, hence complete access to the machine once the authentication step is passed. The data that the honeypot gathers while running are then stored in a MongoDB database. I chose this database because it gives a really nice representation of the data stored in a collection: thanks to the dashboard function built into MongoDB, we can visualise the collected data graphically.
Installation Guide #
Quick guide on how to use this honeypot. You will find a detailed procedure to get the honeypot working on your device.
- Download the source code zip and save it into your desired folder or use the command
git clone https://github.com/marcocampione/SSH_honeypot.git
- Check that you have the latest version of Java installed on your system.
- Open a command prompt and type:
$ java -version
java version "17.0.1" 2021-10-19 LTS
Java(TM) SE Runtime Environment (build 17.0.1+12-LTS-39)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.1+12-LTS-39, mixed mode, sharing)
$ javac -version
javac 17.0.1
- If you don't have Java installed, follow this guide to install it.
- To use the honeypot you need to compile and build it first; use the commands
javac -d classes -classpath "lib/*" src/*.java src/util/*.java src/filesystem/*.java
jar -cf sshd.jar -C classes filesystem -C classes util -C classes DummyCommand.class -C classes SshServerMain.class
- After these steps, you should have two new files in the folder:
- A folder named classes
- A file named sshd.jar
- Create a .env file in the main folder and put the connection string for your MongoDB database in it, in this format:
MONGODB_CONNECTION_STRING=mongodb://<username>:<password>@<cluster-host>/?retryWrites=true&w=majority
(replace the three placeholders with your database user, its URL-encoded password and your cluster's host; since the file holds a credential, keep it out of version control.)
- You can find the connection string by clicking on your database, then on the connect button and finally on connect your application. This is what will appear:
- The honeypot is configured to listen on port 22 of the host server/machine, so before running it we have to move the system's own SSH service to a different port, since port 22 is its default.
- Log on to the server as an administrator.
- Open the SSH configuration file sshd_config with a text editor:
sudo nano /etc/ssh/sshd_config
- Replace port 22 with a port between 1024 and 65536 and uncomment the line.
- Save the file.
- Restart the service
$ service ssh restart
- The setup is complete; you can now run the honeypot with the command below (binding port 22 needs root privileges, so run it from the administrator account used in the previous steps):
java -cp "lib/*:sshd.jar" SshServerMain
Server Command #
This is a list of all the commands implemented inside the honeypot server. They are some of the most used Linux terminal commands, implemented in a way that emulates how they behave on Linux. You can add or modify commands by editing the DummyCommand.java file located in the src folder.
# | Command | Description
---|---|---
1 | help | Displays all the available commands
2 | exit | Closes the connection with the honeypot
3 | ls | Lists files
4 | cd | Moves between directories
5 | clear | Clears the terminal screen
6 | mkdir | Creates a directory or subdirectory
6.a | mkdir -h / --help | Displays help for the mkdir command
7 | rm | Removes files and directories
7.a | rm -h / --help | Displays help for the rm command
8 | pwd | Writes the full path name of the current directory to standard output
9 | whoami | Prints the currently logged-in user
9.a | whoami -h / --help | Displays help for the whoami command
10 | echo | Displays the lines of text or strings passed as arguments on the command line
11 | passwd | Shows a Permission denied message
12 | iptables | Shows a Permission denied message
13 | grep | Shows a Permission denied message
14 | sudo | Shows a Permission denied message
15 | cat | Shows a Permission denied message
16 | halt | Shows a Permission denied message
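To show how a command table like the one above can be served without ever running anything on the host, here is an added example of an emulated shell (my own code, not the project's DummyCommand.java): every command in the table is answered from an in-memory fake filesystem, the "Permission denied" group is refused outright, and anything else gets "command not found". The directory layout, the `honeypot` host name and the message texts are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

/** Emulated shell: every command is answered from in-memory state, never from the host OS. */
public class EmulatedShell {
    // Commands the honeypot refuses outright, as in the command table.
    private static final Set<String> DENIED = Set.of("passwd", "iptables", "grep", "sudo", "cat", "halt");
    private static final List<String> COMMANDS =
            List.of("help", "exit", "ls", "cd", "clear", "mkdir", "rm", "pwd", "whoami", "echo");
    private static final Set<String> HAVE_HELP = Set.of("mkdir", "rm", "whoami");

    // Constructed fake filesystem: absolute directory path -> sorted entry names.
    private final Map<String, Set<String>> dirs = new TreeMap<>();
    private final String user = "root";
    private String cwd = "/root";
    private boolean open = true;

    public EmulatedShell() {
        dirs.put("/", new TreeSet<>(Arrays.asList("bin", "etc", "home", "root")));
        dirs.put("/bin", new TreeSet<>(Arrays.asList("bash", "ls")));
        dirs.put("/etc", new TreeSet<>(Arrays.asList("passwd", "ssh")));
        dirs.put("/home", new TreeSet<>());
        dirs.put("/root", new TreeSet<>(Arrays.asList(".bashrc", ".profile")));
    }

    public boolean isOpen() { return open; }
    public String cwd() { return cwd; }

    /** Handle one input line and return the text to send back to the client. */
    public String run(String line) {
        String[] argv = line.trim().split("\\s+");
        String cmd = argv[0];
        String arg = argv.length > 1 ? argv[1] : null;
        if (cmd.isEmpty()) return "";
        if (DENIED.contains(cmd)) return cmd + ": Permission denied";
        if (HAVE_HELP.contains(cmd) && ("-h".equals(arg) || "--help".equals(arg))) {
            return "Usage: " + cmd + " [OPTION]... [ARGUMENT]...";
        }
        switch (cmd) {
            case "help":   return String.join(" ", COMMANDS);
            case "exit":   open = false; return "logout";
            case "pwd":    return cwd;
            case "whoami": return user;
            case "clear":  return "\033[H\033[2J";            // ANSI clear-screen sequence
            case "echo":   return String.join(" ", Arrays.copyOfRange(argv, 1, argv.length));
            case "ls":     return dirs.containsKey(cwd) ? String.join("  ", dirs.get(cwd)) : "";
            case "cd": {
                String target = resolve(arg == null ? "/root" : arg);
                if (!dirs.containsKey(target)) return "bash: cd: " + arg + ": No such file or directory";
                cwd = target;
                return "";
            }
            case "mkdir": {
                if (arg == null) return "mkdir: missing operand";
                String target = resolve(arg);
                Set<String> dir = dirs.get(parent(target));
                if (dir == null) return "mkdir: cannot create directory '" + arg + "': No such file or directory";
                if (!dir.add(name(target))) return "mkdir: cannot create directory '" + arg + "': File exists";
                dirs.put(target, new TreeSet<>());
                return "";
            }
            case "rm": {
                if (arg == null) return "rm: missing operand";
                String target = resolve(arg);
                Set<String> dir = dirs.get(parent(target));
                if (dir == null || !dir.remove(name(target)))
                    return "rm: cannot remove '" + arg + "': No such file or directory";
                dirs.remove(target);                          // forget the entry if it was a directory
                return "";
            }
            default: return "bash: " + cmd + ": command not found";
        }
    }

    /** Normalise a relative or absolute path against the fake cwd ("." and ".." handled). */
    private String resolve(String path) {
        List<String> parts = new ArrayList<>();
        String full = path.startsWith("/") ? path : cwd + "/" + path;
        for (String p : full.split("/")) {
            if (p.isEmpty() || p.equals(".")) continue;
            if (p.equals("..")) { if (!parts.isEmpty()) parts.remove(parts.size() - 1); continue; }
            parts.add(p);
        }
        return "/" + String.join("/", parts);
    }

    private static String parent(String path) {
        int i = path.lastIndexOf('/');
        return i == 0 ? "/" : path.substring(0, i);
    }

    private static String name(String path) { return path.substring(path.lastIndexOf('/') + 1); }

    public static void main(String[] args) {
        EmulatedShell sh = new EmulatedShell();
        for (String line : List.of("whoami", "pwd", "mkdir tools", "cd tools", "pwd", "cd ..",
                                   "ls", "rm tools", "cat /etc/shadow", "sudo su", "exit")) {
            System.out.printf("%s@honeypot:%s$ %s%n%s%n", sh.user, sh.cwd(), line, sh.run(line));
        }
    }
}
```

The design point is that `run()` is the only way input reaches the shell and it never calls `ProcessBuilder`, the filesystem or any other host resource, so an attacker who reaches the shell can only alter the fake directory map; in a MINA SSHD server this class would be driven from the command's input stream and its return values written to the output stream. Compile and run it stand-alone with `javac EmulatedShell.java && java EmulatedShell`.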
MongoDB Integration #
To use this honeypot you first need to register with MongoDB, because we will use their services to store the data from our machine. I chose this service for its user-friendly nature, but especially for the ability it offers to have databases hosted directly by them, completely free of charge. Another feature that made me choose this service is the ability to graphically visualise the collection of data being gathered by our honeypot.
- After we register we need to create a new project and then a new cluster that will host our database:
The data that the honeypot sends to our database have this format:
_id: ObjectId('xxxxxxxxxxxxxxxxxxxxxxxx')
time: "yyyy-mm-dd hh:mm:ss"
ip: "127.0.0.1"
status: "success"
continent: "continentName"
continentCode: "XX"
country: "countryName"
countryCode: "XX"
region: "xx"
regionName: "regionName"
city: "cityName"
zip: "xxxx"
location: Object
    type: "Point"
    coordinates: Array
        0: 00.0000
        1: 11.1111
isp: "ispName"
org: ""
as: "name"
asname: "name"
username: "root"
password: "test"
authentication: "Failed"
All the geolocation information in this record is obtained with an API call to this service. The free API I am using in this project is rate limited to 45 requests per minute, but from my tests that is more than enough for the kind of use we need to perform.
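As an added example (my own code, not the project's), here is how the record layout above and the 45-requests-per-minute limit of the geolocation API fit together in a MINA SSHD `PasswordAuthenticator`: every password attempt becomes a document in that field order, a sliding-window limiter keeps geolocation calls within the quota, and attempts that arrive when the quota is exhausted are still stored, just without the geo fields. The geolocation response is a constructed stand-in (no network), the login policy (`acceptAll`) is my assumption because the page does not state whether the honeypot accepts logins, and I read `status` as the geolocation API's status and `authentication` as the login result, which is also an assumption. The MINA imports assume Apache MINA SSHD 2.x on the classpath (the project's lib/ folder).

```java
import java.net.InetSocketAddress;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

import org.apache.sshd.server.auth.password.PasswordAuthenticator;
import org.apache.sshd.server.session.ServerSession;

/** Turns each login attempt into a document in the record layout above, under the geo API quota. */
public class AttemptRecorder implements PasswordAuthenticator {
    private static final DateTimeFormatter TS = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss");

    private final Function<String, Map<String, Object>> geoLookup; // ip -> geolocation fields
    private final boolean acceptAll;        // login policy; assumed, the page does not state it
    private final int limit;                // geo calls allowed per window (45 for the free API)
    private final long windowMs;            // window length (one minute)
    private final Deque<Long> recentCalls = new ArrayDeque<>(); // timestamps of geo calls in window

    public AttemptRecorder(Function<String, Map<String, Object>> geoLookup, boolean acceptAll,
                           int limit, long windowMs) {
        this.geoLookup = geoLookup;
        this.acceptAll = acceptAll;
        this.limit = limit;
        this.windowMs = windowMs;
    }

    /** Sliding-window limiter: returns true and books a call if the quota allows one now. */
    synchronized boolean allowGeoCall(long nowMs) {
        while (!recentCalls.isEmpty() && nowMs - recentCalls.peekFirst() >= windowMs) {
            recentCalls.pollFirst();            // drop calls that left the window
        }
        if (recentCalls.size() >= limit) return false;
        recentCalls.addLast(nowMs);
        return true;
    }

    /** Build the document for one attempt; field order follows the record layout above. */
    public Map<String, Object> record(String ip, String username, String password, long nowMs) {
        Map<String, Object> doc = new LinkedHashMap<>();
        doc.put("time", LocalDateTime.ofEpochSecond(nowMs / 1000, 0, ZoneOffset.UTC).format(TS));
        doc.put("ip", ip);
        if (allowGeoCall(nowMs)) {
            doc.putAll(geoLookup.apply(ip));   // status, continent, ..., asname
        } else {
            doc.put("status", "skipped");      // over quota: keep the attempt, drop the geo fields
        }
        doc.put("username", username);
        doc.put("password", password);
        doc.put("authentication", acceptAll ? "Success" : "Failed");
        return doc;
    }

    /** MINA SSHD calls this for every password attempt on a session. */
    @Override
    public boolean authenticate(String username, String password, ServerSession session) {
        InetSocketAddress remote = (InetSocketAddress) session.getIoSession().getRemoteAddress();
        Map<String, Object> doc = record(remote.getAddress().getHostAddress(), username, password,
                                         System.currentTimeMillis());
        // The project would hand this to the driver, e.g. collection.insertOne(new org.bson.Document(doc)).
        System.out.println(doc);
        return acceptAll;
    }

    /** Constructed stand-in for the geolocation API response (no network access). */
    static Map<String, Object> sampleGeo(String ip) {
        Map<String, Object> g = new LinkedHashMap<>();
        g.put("status", "success");
        g.put("continent", "continentName"); g.put("continentCode", "XX");
        g.put("country", "countryName");     g.put("countryCode", "XX");
        g.put("region", "xx");               g.put("regionName", "regionName");
        g.put("city", "cityName");           g.put("zip", "xxxx");
        Map<String, Object> point = new LinkedHashMap<>();
        point.put("type", "Point");
        point.put("coordinates", List.of(0.0, 11.1111)); // GeoJSON order: [longitude, latitude]
        g.put("location", point);
        g.put("isp", "ispName"); g.put("org", ""); g.put("as", "name"); g.put("asname", "name");
        return g;
    }

    public static void main(String[] args) {
        // 47 attempts inside one minute: the 46th and 47th are stored without geolocation.
        AttemptRecorder recorder = new AttemptRecorder(AttemptRecorder::sampleGeo, true, 45, 60_000);
        for (int i = 1; i <= 47; i++) {
            Map<String, Object> doc = recorder.record("203.0.113.7", "root", "test", i * 100L);
            System.out.println(i + ": status=" + doc.get("status"));
        }
    }
}
```

The hook is installed with `sshd.setPasswordAuthenticator(new AttemptRecorder(...))` on the MINA `SshServer`; `main` exercises only `record()` so it runs without a server (`javac -cp "lib/*" AttemptRecorder.java && java -cp "lib/*:." AttemptRecorder`). Storing the attempt even when the geo quota is exhausted matters for the dashboard: a burst of brute-force logins is exactly when the quota runs out, and dropping those records would hide the burst.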
How To Create a Dashboard #
The choice to use MongoDB over other services that offer database hosting was made to be able to create interactive dashboards that update in real time. Here you can find a complete guide on how to create a dashboard.
In the folder you will also find a file named Honeypot_Dashboard.charts: this is the configuration file of my dashboard, which you can import into MongoDB to get the same dashboard I created.
- Go to the Charts tab.
- Click on Add Dashboard, then on Import dashboard.
- Select the Honeypot_dashboard.charts file from the main folder and click on save.
- You have successfully imported the dashboard. This is the result you will obtain: Honeypot Dashboard
My Dashboard #
Below are presented some images of the dashboard that was created to gather all the attack information from the system I developed. If you want to see the full site you can click here.
Honeypot SSH with MongoDB integration and real time dashboard