Honeypot Setup

This guide will help you install an SSH honeypot on an Ubuntu 18.04 LTS server. Please note, you can't copy and paste all of these commands at once, as some of them are interactive.

Service Account Setup

sudo adduser service_account                     # interactive: prompts for a password and user details
sudo usermod -aG sudo service_account
echo "service_account ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/service_account
sudo su - service_account
ssh-keygen                                       # interactive: creates ~/.ssh and a key pair for this account
echo "ssh-rsa <key>" >> ~/.ssh/authorized_keys   # paste the public key you will log in with
sudo passwd -d service_account                   # remove the password; key-based login only

Honeypot Installation

sudo apt update && sudo apt upgrade -y
sudo apt remove -y libssl-dev
sudo apt-get install -y libssl1.0-dev build-essential libz-dev
wget https://raw.githubusercontent.com/wedaa/LongTail-Log-Analysis/master/install_openssh.sh
chmod +x install_openssh.sh
sudo ./install_openssh.sh
REAL_SSH_PORT=<Port #>  # Replace with the port your legitimate SSH service should listen on. You can leave it as 22.
sudo sed -i "s/#Port 22/Port $REAL_SSH_PORT/g" /etc/ssh/sshd_config
sudo systemctl restart sshd
FAKE_SSH_PORT=<Port #>  # Replace with the port your honeypot SSH service should listen on. You can leave it as 22.
sudo sed -i "s/Port 22/Port $FAKE_SSH_PORT/g" /usr/local/etc/sshd_config-22
sudo /usr/local/sbin/sshd-22 -f /usr/local/etc/sshd_config-22   # sshd needs root to bind a privileged port and read its host keys
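The two sed commands above only work when the config files contain exactly `#Port 22` and `Port 22`; if a config already carries an uncommented `Port` line (or none at all) the edit silently does nothing, and if both services end up on the same port the honeypot sshd cannot bind. The following POSIX shell helpers are an added example, not part of the original gist or the LongTail project: `set_sshd_port` rewrites or appends the `Port` directive regardless of its current form, `get_sshd_port` reports the effective port, and `check_distinct_ports` refuses a setup where the real and honeypot configs collide. The function names and the use of config paths as arguments are my own choices; run them against `/etc/ssh/sshd_config` and `/usr/local/etc/sshd_config-22` with sudo.

```shell
#!/bin/sh
# Added example (not from the original gist): idempotent sshd_config port edits
# plus a sanity check that the real and honeypot sshd instances use different ports.
set -eu

# set_sshd_port CONFIG PORT
# Replaces every "Port N" or "#Port N" directive with "Port PORT"; appends one
# if the file has no Port directive at all. Rejects non-numeric or out-of-range ports.
set_sshd_port() {
  cfg=$1; port=$2
  case $port in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  if grep -Eq '^#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -i -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# get_sshd_port CONFIG
# Prints the first active (uncommented) Port directive, or sshd's default of 22.
get_sshd_port() {
  p=$(awk '$1 == "Port" { print $2; exit }' "$1")
  printf '%s\n' "${p:-22}"
}

# check_distinct_ports REAL_CONFIG HONEYPOT_CONFIG
# Succeeds only when the two configs listen on different ports.
check_distinct_ports() {
  r=$(get_sshd_port "$1"); f=$(get_sshd_port "$2")
  if [ "$r" = "$f" ]; then
    echo "real and honeypot sshd are both configured for port $r" >&2
    return 1
  fi
  return 0
}

# Usage (as root), mirroring the guide's two config files:
#   set_sshd_port /etc/ssh/sshd_config "$REAL_SSH_PORT"
#   set_sshd_port /usr/local/etc/sshd_config-22 "$FAKE_SSH_PORT"
#   check_distinct_ports /etc/ssh/sshd_config /usr/local/etc/sshd_config-22
```

Run `check_distinct_ports` before restarting the real sshd: if it fails you have a port collision, and restarting sshd on the same port as the honeypot is the quickest way to lock yourself out of the box.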

Splunk Forwarder Installation

wget -O splunkforwarder-8.0.3-a6754d8441bf-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.3&product=universalforwarder&filename=splunkforwarder-8.0.3-a6754d8441bf-linux-2.6-amd64.deb&wget=true'
sudo dpkg -i splunkforwarder-8.0.3-a6754d8441bf-linux-2.6-amd64.deb
sudo /opt/splunkforwarder/bin/splunk start --accept-license
sudo /opt/splunkforwarder/bin/splunk enable boot-start
sudo /opt/splunkforwarder/bin/splunk add forward-server <host>:<port>
sudo /opt/splunkforwarder/bin/splunk set deploy-poll <host>:<port>
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/auth.log
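Once `/var/log/auth.log` is being forwarded, it helps to know what the honeypot's `sshd-22` lines look like and to check locally that they are separable from the real sshd's entries before building Splunk searches on them. The script below is an added example, not from the gist or from Splunk; it runs over a constructed sample of auth.log lines (the IPs are documentation addresses and the process ids, timestamps and key fingerprint are made up) and summarises failed logins per source IP, the usernames tried, and how many events came from the honeypot versus the real service. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original gist): summarise honeypot login attempts
# from sshd lines in auth.log format, keyed on the sshd-22 process name.
set -eu

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
# sshd-22 is the honeypot binary from the guide; plain sshd is the real service.
SAMPLE_AUTH_LOG='May  4 10:01:12 honeypot sshd-22[2311]: Failed password for root from 203.0.113.5 port 51022 ssh2
May  4 10:01:14 honeypot sshd-22[2311]: Failed password for root from 203.0.113.5 port 51024 ssh2
May  4 10:01:15 honeypot sshd-22[2314]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
May  4 10:01:19 honeypot sshd-22[2316]: Invalid user oracle from 198.51.100.7 port 40112
May  4 10:02:01 honeypot sshd[2320]: Accepted publickey for service_account from 192.0.2.10 port 50001 ssh2: RSA SHA256:constructedfingerprint
May  4 10:02:30 honeypot sshd-22[2325]: Failed password for invalid user test from 203.0.113.5 port 51030 ssh2'

# failed_logins_by_ip FILE
# Counts honeypot "Failed password" events per source IP, busiest source first.
failed_logins_by_ip() {
  awk '/sshd-22\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# usernames_tried FILE
# Lists the distinct usernames attempted against the honeypot, one per line.
# Handles both "Failed password for USER" and "... for invalid user USER" plus "Invalid user USER".
usernames_tried() {
  awk '/sshd-22\[[0-9]+\]: (Failed password for|Invalid user)/ {
         u = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "from") break
           if ($i == "for" || $i == "user") u = $(i+1)
         }
         if (u != "") seen[u] = 1
       }
       END { for (u in seen) print u }' "$1" | sort
}

# attempts_per_service FILE
# Counts lines per sshd process name (sshd vs sshd-22), so you can confirm
# honeypot traffic is distinguishable from real logins in the forwarded data.
attempts_per_service() {
  awk '$5 ~ /^sshd(-[0-9]+)?\[/ { split($5, a, "["); n[a[1]]++ }
       END { for (k in n) printf "%s %d\n", k, n[k] }' "$1" | sort
}

# Run against a real file when one is given, otherwise against the sample.
if [ $# -gt 0 ]; then
  log=$1
else
  log=$(mktemp)
  printf '%s\n' "$SAMPLE_AUTH_LOG" > "$log"
fi
echo "== failed logins by source IP =="; failed_logins_by_ip "$log"
echo "== usernames tried =="; usernames_tried "$log"
echo "== events per sshd instance =="; attempts_per_service "$log"
```

Invoke it as `./honeypot_summary.sh /var/log/auth.log` on the honeypot host; the `sshd-22[` prefix is the same field you would key a Splunk search on (for example restricting to `sshd-22` in the `source` or process field) to keep honeypot noise separate from genuine administrator logins on the real port.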