wetland: A high interaction SSH honeypot
Wetland
Wetland is a high-interaction SSH honeypot designed to log brute-force attacks. Beyond authentication attempts, wetland also logs the shell, scp, sftp, exec-command, direct-forward and reverse-forward interactions performed by the attacker.
Wetland is built on the Python SSH module paramiko and runs as a multi-threaded TCP server using SocketServer.
Features
- Uses docker to provide a real Linux environment.
- All password authentication is relayed to the sshd container, so the container's accounts decide which logins succeed.
- All commands are executed inside the container.
- Saves a copy of every file the attacker uploads with SFTP.
- Extracts and saves files from the exec log when the attacker uploads them with SCP.
- Provides a playlog script to replay shell, exec, direct-forward and reverse-forward logs.
- Advanced networking feature that spoofs the attacker's IP address on the connection between wetland and the container, so the container sees the real source address rather than wetland's (thanks to honssh).
- Several ways to report when an attacker touches wetland; currently only email and BearyChat are implemented.
Requirements
- A Linux system (tested on Ubuntu)
- An sshd image in docker (e.g. rastasheep/ubuntu-sshd)
- python2.7
- paramiko
- yagmail
- IPy
- requests
Setup and Configuration
- Copy wetland.cfg.default to wetland.cfg.
- Generate the keys used by the SSH server:
  - run `mkdir data`
  - run `ssh-keygen -t rsa` and put the resulting key pair in data/
  - run `ssh-keygen -t dsa` and put the resulting key pair in data/
  - Remember that wetland and the sshd container must use the same host keys; an attacker who connects to both would otherwise see two different fingerprints for what is supposed to be one host.
- Install the Python requirements:
  - run `pip install -r requirements`
- Configure the banner of the SSH server:
  - Edit banner in wetland.cfg.
  - It must be identical to the SSH banner of the sshd container.
- Alternatively, run `python util/initwetland.py ./`; this script does all of the work above.
- Configure the output plugins in wetland.cfg:
  - Enable or disable each plugin in the [output] section.
  - Edit the URL of the incoming robot when using BearyChat.
  - Edit the user, password and related settings when using email.
- Install p0f if you want passive fingerprinting of attackers:
  - run `git clone https://github.com/p0f/p0f`
  - run `cd p0f`
  - run `./build.sh`
  - Edit the p0f section ([p0fp0f]) in wetland.cfg.
  - If you do not need p0f, just disable it in the [output] section.
- Install docker:
  - Install docker following the docs at www.docker.com.
  - run `docker search sshd`, then choose an image that runs sshd.
  - run `docker run -d --name sshd sshd_image_name`
  - run `docker inspect sshd`, then edit the docker IP address and port in wetland.cfg. The container's SSH port must be the same as wetland's.
  - Delete and replace the sshd container from time to time if you want a clean environment.
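The three things the setup above requires to agree between wetland and the sshd container (the banner, the host keys, and the container address that goes into wetland.cfg) are easy to get wrong and are exactly what an attacker can compare. The following pre-flight checker is an added example, not code from the wetland project: it computes host-key fingerprints the way `ssh-keygen -lf` does, normalises banners as SSH identification strings (it assumes wetland.cfg may store the banner with or without the leading `SSH-2.0-`), and pulls the container IP from `docker inspect` JSON. The key lines and inspect output embedded below are constructed test data, not real keys or a real container.

```python
"""Pre-flight consistency checks for a wetland deployment.

Added example, not code from the wetland project.  Assumptions: banners are
compared as SSH identification strings with an optional 'SSH-x.y-' prefix;
the sample key lines and `docker inspect` JSON are constructed test data.
"""
import base64
import hashlib
import json
import re


def ssh_fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public-key line ('ssh-rsa AAAA... comment'),
    formatted like `ssh-keygen -lf`: base64 of the digest with padding stripped."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % pubkey_line)
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def normalize_banner(banner):
    """Reduce a banner to its software-version part so that
    'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8' and 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.8'
    compare equal (assumption about how wetland.cfg stores the banner)."""
    stripped = banner.strip()
    line = stripped.splitlines()[0] if stripped else ""
    m = re.match(r"^SSH-\d\.\d+-(.*)$", line)
    return m.group(1) if m else line


def sshd_endpoint(inspect_json, port="22/tcp"):
    """Container IP address from `docker inspect <name>` output, after checking
    that the container actually exposes the sshd port."""
    info = json.loads(inspect_json)[0]
    exposed = info.get("Config", {}).get("ExposedPorts") or {}
    if port not in exposed:
        raise ValueError("container does not expose %s" % port)
    ip = info["NetworkSettings"]["IPAddress"]
    if not ip:
        raise ValueError("container has no bridge IP address (is it running?)")
    return ip, int(port.split("/")[0])


def check_consistency(cfg_banner, container_banner, wetland_pubkey, container_pubkey):
    """Return the list of mismatches an attacker could notice; empty means OK."""
    problems = []
    wb, cb = normalize_banner(cfg_banner), normalize_banner(container_banner)
    if wb != cb:
        problems.append("banner: wetland %r != container %r" % (wb, cb))
    fp_w, fp_c = ssh_fingerprint(wetland_pubkey), ssh_fingerprint(container_pubkey)
    if fp_w != fp_c:
        problems.append("host key: wetland %s != container %s" % (fp_w, fp_c))
    return problems


# Constructed sample data (not real keys or a real container).
SAMPLE_KEY = "ssh-rsa YWJj wetland-host-key"    # key blob is just the bytes b"abc"
OTHER_KEY = "ssh-rsa eHl6 container-host-key"   # key blob is the bytes b"xyz"
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789abcdef",
    "Config": {"ExposedPorts": {"22/tcp": {}}},
    "NetworkSettings": {"IPAddress": "172.17.0.2"},
}])

if __name__ == "__main__":
    ip, port = sshd_endpoint(SAMPLE_INSPECT)
    print("sshd container reachable at %s:%d" % (ip, port))
    for problem in check_consistency("SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
                                     "OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
                                     SAMPLE_KEY, OTHER_KEY):
        print("MISMATCH - %s" % problem)
```

In a real deployment, feed `sshd_endpoint` the output of `docker inspect sshd`, `ssh_fingerprint` the `.pub` files from data/ and from the container's /etc/ssh, and `check_consistency` the banner value from wetland.cfg against the first line the container's sshd sends on connect; run it again every time you replace the sshd container.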
Running
- Run
  - run `nohup python main.py &`
- Stop
  - run `netstat -autpn | grep 22` to find the wetland process listening on the SSH port
  - then `kill pid_number`
- Clean
  - The networking module may leave interfaces behind that you have to delete by hand.
  - run `ip link list`
  - then `ip link del dev wdxxxxxx` for each leftover wetland interface
  - finally clean up the nat table of iptables, or just reboot.
- View logs
  - run `python util/clearlog.py -p log`; this removes the log directories that contain only pwd.log, and writes the collected username:password pairs to the file given with -l (default ./pwd.txt).
  - then replay the remaining logs with playlog.py in util.
- File system changes
  - filechange.py copies the read-write layer of the sshd container to ./; that layer records everything the attacker created and removed.
  - e.g. `docker inspect sshd --format '{{.Id}}' | python filechange.py -`
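The Clean step above is manual: list interfaces, spot the wetland ones, delete each by name. The script below is an added example, not code from the wetland project, that automates the interface part: it parses `ip link list` output, picks the interfaces whose name starts with the `wd` prefix the step mentions (the assumption being that the prefix alone identifies them), and issues `ip link del dev <name>` for each. With `dry_run=True` it only returns the commands; actually deleting requires root. The `ip link` output embedded in it is constructed.

```python
"""Remove interfaces left over from wetland's networking module.

Added example, not code from the wetland project.  Assumptions: leftover
interfaces are exactly those named wd...; the sample `ip link list` output
below is constructed.
"""
import re
import subprocess

IFACE_PREFIX = "wd"   # assumption: wetland names its interfaces wdxxxxxx

# Matches the header line of each interface, e.g.
# "7: wd1a2b3c@if6: <BROADCAST,...> mtu 1500 ..." -> name before the optional @peer
_LINK_RE = re.compile(r"^\d+:\s+([^\s:@]+)(?:@\S+)?:")


def wetland_ifaces(ip_link_output, prefix=IFACE_PREFIX):
    """Names of the interfaces in `ip link list` output that carry the prefix."""
    names = []
    for line in ip_link_output.splitlines():
        m = _LINK_RE.match(line)
        if m and m.group(1).startswith(prefix):
            names.append(m.group(1))
    return names


def cleanup_commands(ip_link_output, prefix=IFACE_PREFIX):
    """One `ip link del dev <name>` invocation per leftover interface."""
    return [["ip", "link", "del", "dev", name]
            for name in wetland_ifaces(ip_link_output, prefix)]


def cleanup(dry_run=True, ip_link_output=None):
    """Delete the leftovers on the live system, or with dry_run just return the
    commands.  ip_link_output may be supplied to avoid calling `ip` at all."""
    if ip_link_output is None:
        ip_link_output = subprocess.check_output(["ip", "link", "list"]).decode("utf-8", "replace")
    cmds = cleanup_commands(ip_link_output)
    if not dry_run:
        for cmd in cmds:
            subprocess.check_call(cmd)   # needs root (CAP_NET_ADMIN)
    return cmds


# Constructed `ip link list` output: two leftover wetland interfaces among the usual ones.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:6b:2c:9e:11 brd ff:ff:ff:ff:ff:ff
7: wd1a2b3c@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 9a:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
9: wd4d5e6f: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default
    link/ether 9a:66:77:88:99:aa brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    for cmd in cleanup(dry_run=True, ip_link_output=SAMPLE_IP_LINK):
        print(" ".join(cmd))
```

The nat rules the Clean step also mentions are deliberately not touched here, since nothing on this page says what they look like; list them with `iptables -t nat -S` and remove only the ones that reference the interfaces this script reports.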
Dockerized wetland
- run `docker pull ohmyadd/wetland`
- See it on Docker Hub.