Skip to content

paseaf/ContainerSSH-honeypot

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

191 Commits
.github
.github
 
 
.vscode
.vscode
 
 
analyzer
analyzer
 
 
diagrams
diagrams
 
 
packer
packer
 
 
terraform
terraform
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

ContainerSSH-honeypot

An SSH honeypot built with ContainerSSH for GCP.

Highlights

  • Infrastructure-as-Code: all the infrastructure, software installation and configuration steps are coded with the help of Terraform and Packer
  • Montoring system: our system is monitored with Prometheus, Grafana, and cAdvisor
  • Audit logging: we log attackers' IP, username, password, and all SSH activities, thanks to ContainerSSH
  • Data integrator: with a single command, audit logs are downloaded from GCP, transformed locally, then loaded into a local database for further analysis

Infrastructure

infra diagram

  • Gateway VM works as a proxy, and logs user interactions to Logger VM.
  • Sacrificial VM hosts containers for SSH backend.
  • Logger VM hosts audit log storage and monitoring systems.

Ports

Gateway VM:

  • Honeypot gateway: 22, 2222 (2222 is redirected to 22)
  • SSH: 2333
  • cAdvisor: 8088
  • Node Exporter: 9100
  • ContainerSSH auth-config server: 8080
  • ContainerSSH metrics server: 9101

Logger VM:

  • SSH: 22
  • cAdvisor: 8088
  • Node Exporter: 9100
  • MinIO server: 9000
  • MinIO Console: 9090
  • Grafana: 3000
  • Prometheus with auth proxy: 19091->9091

Sacrificial VM:

  • SSH: 22
  • cAdvisor: 8088
  • Node Exporter: 9100
  • Dockerd over TLS: 2376

Getting started

Prerequisites

  • Linux (tested on Fedora and Ubuntu)
  • a GCP account

Deploying the Honeypot System

  1. Build VM images following /packer/README.md
  2. Provision infrastructure and deploy services following /terraform/README.md

Now, you should be able to asscess your SSH honeypot via

ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa \
 root@$(gcloud compute instances describe gateway-vm \
 --format='get(networkInterfaces[0].accessConfigs[0].natIP)' \
 --zone=europe-west3-c)

Your will be redirected to a newly created container in the sacrificial VM.

Accessing audit logs and metrics

After you deployed the honeypot, following monitoring tools should be available:

  • Prometheus: for raw hardware and OS metrics.
  • Grafana: for visualized hardware and OS metrics.
  • MinIO Console: for audit logs (what attackers did via SSH).

To get their URLs:

cd terraform
terraform output

You should see something like

grafana = "http://34.89.246.67:3000/"
minio_console = "http://34.89.246.67:9090/"
prometheus = "http://34.89.246.67:19091/"

Log in with credentials generated at ./terraform/credentials.txt.

Downloading and Analyzing Audit Logs

You can either

  1. download audit logs from MinIO manually
  2. or use our log analyzer script to download logs and load them into a SQLite database file.

Manual download

  1. Open MinIO Console URL in browser.
  2. Log in with credentials generated at ./terraform/credentials.txt
  3. You should see records in the containerssh bucket. Download records you want to analyze.
  4. Decode the records with containerssh-auditlog-decoder from https://github.com/ContainerSSH/ContainerSSH/releases/tag/v0.4.1, or implement your own decoder.
    Read more about the record format here.

Note: this SSH guide may help you understand the audit log.

About

An high-interaction SSH honeypot built with ContainerSSH for GCP

Topics

ssh packer terraform honeypot

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages