- Go 91.7%
- Dockerfile 8.3%
| .github/workflows | fix: update go.yml to stop naming the output build file 'src' | |
| src | fix(main): correct if statement syntax | |
| .gitignore | fix: pin go version again | |
| Dockerfile | fix: update dockerfile go version again | |
| go.mod | fix: pin x/sys to v0.20.0 for go 1.22 compatability | |
| go.sum | fix: pin x/sys to v0.20.0 for go 1.22 compatability | |
| LICENSE | chore: add license | |
| README.md | chore: add readme | |
sshoo
a minimal, lightweight and secure ssh honeypot
sshoo is a ssh honeypot that does what it needs to do. Nothing fancy, just logs attacker's sessions into a file.
That is all it does. No fake shell. Other SSH honeypots often write their own minimal implementations of sh. sshoo doesn't.
It does one job, and does it well.
running
A Docker image of sshoo is provided to make it incredibly easy to run on your own hardware. Simply run:
bash
docker run -d \
--name sshoo \
-p 2222:2222 \
-v $(pwd)/logs:/var/log/sshoo \
ghcr.io/xorlaw/sshoo:latest
Or you could alternatively build from source.
configuring
There are really only 2 variables you would want to configure, and they can be configured via environment variables:
- SSHOO_ADDR : The address to listen on. Defaults to 2222.
- SSHOO_LOG : Path to sshoo's log file. Defaults to
/var/log/sshoo/attempts.log.
log format
Very self explanatory. One JSON object per line. Example:
{
"timestamp": "2024年01月15日T10:23:01Z",
"remote_addr": "1.2.3.4:54321",
"username": "admin",
"password": "password123",
"client_version": "SSH-2.0-OpenSSH_9.0"
}
You can inspect logs with jq:
bash cat logs/attempts.log | jq .
building from source
To build from source, build sshoo as you would build any other Golang project. Simply run:
git clone https://github.com/xorlaw/sshoo
cd sshoo
go mod tidy
go build -o sshoo ./src/
licensing
Licensed under The Unlicense.