a minimal, lightweight and secure ssh honeypot
sshoo is an SSH honeypot that does what it needs to do. Nothing fancy: it just logs attackers' sessions to a file.
That is all it does. No fake shell. Other SSH honeypots often write their own minimal implementations of sh. sshoo doesn't.
It does one job, and does it well.
A Docker image of sshoo is provided to make it easy to run on your own hardware. Simply run:

```bash
docker run -d \
  --name sshoo \
  -p 2222:2222 \
  -v "$(pwd)/logs:/var/log/sshoo" \
  ghcr.io/xorlaw/sshoo:latest
```
Alternatively, you can build from source.

There are really only two settings you would want to change, and both are set through environment variables:

- `SSHOO_ADDR`: The address to listen on. Defaults to 2222.
- `SSHOO_LOG`: Path to sshoo's log file. Defaults to `/var/log/sshoo/attempts.log`.
Very self-explanatory. One JSON object per line. Example:

```json
{
  "timestamp": "2024-01-15T10:23:01Z",
  "remote_addr": "1.2.3.4:54321",
  "username": "admin",
  "password": "password123",
  "client_version": "SSH-2.0-OpenSSH_9.0"
}
```

You can inspect logs with jq:

```bash
jq . logs/attempts.log
```
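To go a step beyond `jq .`, here is a small summarizer for this log format. It is an added example, not part of sshoo: it assumes the field names shown in the example above, and the sample lines (including the bracketed IPv6 address form and the truncated last line) are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"strings"
)
// Attempt holds the two fields tallied here, named as in the log example above.
type Attempt struct {
	RemoteAddr string `json:"remote_addr"`
	Username   string `json:"username"`
}

// sampleLog is constructed input: three entries and one truncated line.
const sampleLog = `{"timestamp":"2024-01-15T10:23:01Z","remote_addr":"1.2.3.4:54321","username":"admin","password":"password123","client_version":"SSH-2.0-OpenSSH_9.0"}
{"timestamp":"2024-01-15T10:23:03Z","remote_addr":"1.2.3.4:54330","username":"root","password":"toor","client_version":"SSH-2.0-OpenSSH_9.0"}
{"timestamp":"2024-01-15T10:24:10Z","remote_addr":"[2001:db8::7]:40022","username":"admin","password":"admin","client_version":"SSH-2.0-Go"}
{"timestamp":"2024-01-15T10:24
`

// Summarize counts attempts per source IP (port stripped) and per username.
// Lines that do not parse are counted in skipped instead of aborting the run.
func Summarize(r io.Reader) (byIP, byUser map[string]int, skipped int) {
	byIP, byUser = map[string]int{}, map[string]int{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		var a Attempt
		if err := json.Unmarshal(sc.Bytes(), &a); err != nil {
			skipped++
			continue
		}
		host, _, err := net.SplitHostPort(a.RemoteAddr)
		if err != nil {
			host = a.RemoteAddr // not host:port, keep the raw value
		}
		byIP[host]++
		byUser[a.Username]++
	}
	if sc.Err() != nil { // e.g. a line longer than the scanner's 64 KiB limit
		skipped++
	}
	return byIP, byUser, skipped
}

func main() {
	byIP, byUser, skipped := Summarize(strings.NewReader(sampleLog))
	fmt.Printf("by source IP: %v\nusernames seen: %d\nskipped lines: %d\n", byIP, len(byUser), skipped)
}
```

Every string in the log is supplied by the remote client, so escape values such as usernames (for example with `%q`) before printing them to a terminal.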
To build from source, build sshoo as you would any other Go project. Simply run:

```bash
git clone https://github.com/xorlaw/sshoo
cd sshoo
go mod tidy
go build -o sshoo ./src/
```

Licensed under The Unlicense.