I stumbled upon this sshesame software which appears to imitate an SSH server accepting any username/password, only instead of executing the subsequent shell commands it logs them in a file.

What I can't figure out is what possible use this tool might have (besides educational). As such, it only attracts unwanted attention to the server because of successful SSH login attempts, and it won't protect any other ports from being attacked (including the real SSH), so it visibly only makes the situation worse.

Did I overlook something?

Dmitry Grigoryev
  • It will become more clear if you look up the term ["honeypot"](https://en.wikipedia.org/wiki/Honeypot_(computing)) – Stradivari Jan 28 '19 at 15:09
  • Every day you'll receive about 50 new log files of people trying to install malware on your server. – user253751 Jan 29 '19 at 09:43
  • Lazy software developers can use that for integration testing. So, besides educational, it has another useful purpose. – usr-local-ΕΨΗΕΛΩΝ Jan 29 '19 at 11:06
  • The "decoy" approach is very effective. There is *no* other way of capturing scripted password values. You can firewall any matching a "doorknock"-like pattern. You can also build in a 30s delay, which will be attributed to DNS lookup. It is a very bad idea if you have multiple SSH behind NAT as you expose users' passwords (bona fide users, but careless with port numbers). – mckenzm Jan 30 '19 at 00:04
  • If your ssh port is hidden (with port knocking) then having a fake ssh port listener might obscure the fact that you're hiding your ssh port... sshesame would be the wrong tool for that of course... more something like https://github.com/tylermenezes/FakeSSH – life-on-mars Mar 20 '21 at 00:16

3 Answers


The reasons to have such fake SSH servers are multiple. They include:

  • determining whether you’re under attack
  • knowing the users and passwords guessed (which can display the intel the attacker has)
  • to see attacker’s actions of interest
  • to see attempts of exploitation of the server (might disclose 0days or backdoors)
  • to study how the attacker tries to approach the system and so on.
  • test client software, including audit / testing / attack tools during development (thanks to Mołot)

You should consider NOT putting up a fake SSH server on your system if you have anything of value in the server, since the fake server might be prone to vulnerabilities as well - one closed port is better than one open service.

Vilius Povilaika
  • One more reason (not worth its own answer) is to test client software, including audit / testing / attack tools during development. – Mołot Jan 29 '19 at 14:15
  • @Mołot Thanks, will include in my answer if you're not against it. – Vilius Povilaika Jan 29 '19 at 14:17
  • That's what comments are for! If you agree with my comment, then yes, please include it :) – Mołot Jan 29 '19 at 14:18
  • Nice answer. The second point could identify accounts whose passwords were stolen and help to search for vulnerabilities inside or outside of the company. – dan Jan 29 '19 at 14:34
  • @danielAzuelos The identified stolen passwords would almost certainly be from someone in your own organization accidentally ssh'ing into presumably the default port this is set up on instead of the actual ssh port. In fact, if this service doesn't properly handle these passwords, it might expose the plaintext passwords of your own user accounts. – Steve Cox Jan 29 '19 at 15:39
  • @Steve Cox Such honeypot software shouldn't be accessible to legitimate users (to avoid them thinking their password was stolen) but only to criminals, through simple IP filtering blocking all intranets. Otherwise you didn't set up a honeypot but a legitimate users' password sniffer. – dan Jan 29 '19 at 20:37

It can be used as honeypot/research to collect most used password attempts and the like.

Otherwise, I agree with your assessment, it's an attractive nuisance.

If you are looking for actual protection mechanisms, I recommend "Fail2Ban".

user10216038
  • It’s not intended just for capturing credentials. It’s a honeypot for capturing and studying malicious commands used by malware or hackers. This would help understand what the Mirai bots were doing, for example. – John Deters Jan 28 '19 at 17:42
  • Actually, honeypots can be used as warning systems; for example, you can see if somebody is unexpectedly doing nasty things in your intranet. You now know at least that somebody got in. Hence the name honeypot: it seems to be a tempting target. – goteguru Jan 28 '19 at 20:57
  • A honeypot can also collect the IP addresses used to build up a database of compromised machines. – thomasrutter Jan 29 '19 at 04:24

A good use for an open and fake ssh server like this is to set it up on a corporate LAN as a honeypot. Give it an attractive (but not obviously fake) hostname, set up syslog forwarding to your SIEM, and see if anybody connects to it and what they try to do. Nobody legitimate should be poking around in it (unless you have a hunt team or a red team operation underway).

DarkMatter
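A defender-side illustration of what the decoy's logs can feed once forwarded to a SIEM, covering both the "most used password attempts" use from the second answer and the "alert if anybody on the LAN touches it" use from the third. This is an added example, not sshesame's own code; the log line format, the sample lines and the internal address ranges are all constructed assumptions for the illustration.

```python
# Added example, not sshesame's own code. The line format below is constructed
# for this illustration (sshesame's real output differs): <ts> <AUTH|CMD> src=<ip> k=v ...
import re
import shlex
from collections import Counter
from ipaddress import ip_address, ip_network
# Constructed sample log, not captured from any real deployment.
SAMPLE_LOG = """\
2019-01-29T09:43:01Z AUTH src=203.0.113.7 user=root pass=123456
2019-01-29T09:43:02Z AUTH src=203.0.113.7 user=root pass=password
2019-01-29T09:43:05Z CMD src=203.0.113.7 cmd="uname -a"
2019-01-29T09:43:06Z CMD src=203.0.113.7 cmd="cat /proc/cpuinfo"
2019-01-29T09:44:10Z AUTH src=198.51.100.4 user=admin pass=123456
2019-01-29T09:45:30Z AUTH src=198.51.100.4 user=root pass=123456
2019-01-29T09:50:00Z AUTH src=10.0.5.12 user=jsmith pass=Winter2019!
"""
# Assumed corporate ranges: any contact from here is an alert, since no
# legitimate user should ever reach the decoy.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\S+) (AUTH|CMD) (.*)$")

def parse_line(line):
    """Return (timestamp, kind, fields) or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, kind, rest = m.groups()
    # shlex keeps the quoted command intact as a single token
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    return ts, kind, fields

def summarise(log_text):
    """Aggregate guessed passwords/credentials, commands per source, internal alerts."""
    passwords, creds, cmds, alerts = Counter(), Counter(), {}, []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, f = parsed
        src = f["src"]
        if any(ip_address(src) in net for net in INTERNAL_NETS):
            alerts.append((ts, src, f.get("user")))  # record the user, never the password
        if kind == "AUTH":
            passwords[f["pass"]] += 1
            creds[(f["user"], f["pass"])] += 1
        else:
            cmds.setdefault(src, []).append(f["cmd"])
    return {"top_passwords": passwords.most_common(3), "top_credentials": creds.most_common(3),
            "commands": cmds, "internal_alerts": alerts}
```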