Honeypot SSH with MongoDB


The development of this honeypot starts from an example provided with the Apache MINA SSHD libraries: ServerMain.java. This example sets up a server on a port that the user can choose (in our case port 22, the port dedicated to SSH communications). The program basically gives access to the host operating system, hence giving complete access to the machine once the authentication step is passed. The data that the honeypot gathers while it is active are then stored in a MongoDB database. I chose this database because it gives a really nice representation of the data stored in the collection. Thanks to the dashboard function that is built into MongoDB, we can graphically visualise the data we collect.

Installation Guide

Quick guide on how to use this honeypot. You will find a detailed procedure to get the honeypot working on your device.

  1. Download the source code zip and save it into your desired folder or use the command
git clone https://github.com/marcocampione/SSH_honeypot.git 
  1. Check that the latest version of Java is installed on your system.
  • Open command prompt and type :
$ java -version
java version "17.0.1" 2021-10-19 LTS
Java(TM) SE Runtime Environment (build 17.0.1+12-LTS-39)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.1+12-LTS-39, mixed mode, sharing)

$ javac -version
javac 17.0.1
  • If you don’t have Java installed, check this guide and install it.
  1. To use the honeypot you need to compile and build it first. Use the commands:
javac -d classes -classpath "lib/*" src/*.java src/util/*.java src/filesystem/*.java
jar -cf sshd.jar -C classes filesystem -C classes util -C classes DummyCommand.class -C classes SshServerMain.class
  • After these steps, you should have two new items in the folder:
    • A folder named classes
    • A file named sshd.jar
  1. Create a .env file in the main folder and put the connection string for your MongoDB database in it, in this format:
MONGODB_CONNECTION_STRING=mongodb://myDBReader:D1fficultP%[email protected]/?retryWrites=true&w=majority
  • You can find the connection string by clicking on your database, then on the Connect button and finally on Connect your application.

  1. The honeypot is configured to use port 22 on the host server/machine as its listening port, so before running it we have to move the system's own SSH service to a different port, since it is set to port 22 by default.
    • Log on to the server as an administrator.
    • Open the SSH configuration file sshd_config with the text editor :
sudo nano /etc/ssh/sshd_config

  • Replace port 22 with a port between 1024 and 65536 and uncomment the line
  • Save the file
  • Restart the service
$ service ssh restart
  1. The setup is now complete; you can run the honeypot using the command:
java -cp "lib/*:sshd.jar" SshServerMain
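
Before the first run it is worth confirming that the real sshd has actually left port 22 (a Port line left commented out means it has not) and that the .env file defines the key the honeypot reads. The check below is an added example, not part of the honeypot project; the function names are hypothetical, the sample inputs are constructed, and it assumes Port directives live in the main sshd_config (no Include files, no ports set through ListenAddress).

```python
import re

HONEYPOT_PORT = 22                      # port the honeypot listens on (from the page)
ENV_KEY = "MONGODB_CONNECTION_STRING"   # key the .env file must define

def sshd_ports(config_text):
    """Ports the real sshd will bind, judged from sshd_config text."""
    ports = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # ignore comments
        m = re.match(r"(?i)^port(?:\s+|\s*=\s*)(\d+)$", line)
        if m:
            ports.append(int(m.group(1)))
    return ports or [22]        # no active Port line: sshd defaults to 22

def env_keys(env_text):
    """Names defined in KEY=value lines of a .env file."""
    keys = set()
    for raw in env_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.add(line.split("=", 1)[0].strip())
    return keys

def preflight(config_text, env_text):
    """List the problems that would stop the honeypot from starting."""
    problems = []
    for port in sshd_ports(config_text):
        if port == HONEYPOT_PORT:
            problems.append("sshd still binds 22: Port line missing or commented")
        elif not 1024 <= port <= 65535:              # 65535 is the highest TCP port
            problems.append(f"sshd port {port} is outside 1024-65535")
    if ENV_KEY not in env_keys(env_text):
        problems.append(f".env does not define {ENV_KEY}")
    return problems

# Constructed sample inputs, not taken from the page.
STILL_COMMENTED = "#Port 22\nPermitRootLogin no\n"
MOVED = "Port 2222\nPermitRootLogin no\n"
ENV_OK = "MONGODB_CONNECTION_STRING=mongodb://user:secret@db.example.invalid/\n"

if __name__ == "__main__":
    for name, cfg in (("commented", STILL_COMMENTED), ("moved", MOVED)):
        print(name, preflight(cfg, ENV_OK))
```

An empty list from preflight means both checks passed; on a live host, feed it the contents of /etc/ssh/sshd_config and of the .env file.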

Server Command

This is a list of all the commands that are implemented inside the honeypot server. These are some of the most used Linux terminal commands, implemented in a way that accurately emulates how they work on Linux. You can add or modify commands by editing the DummyCommand.java file located in the src folder.

| # | Command | Description |
|---|---|---|
| 1 | help | Will display all the available commands |
| 2 | exit | Will close the connection with the honeypot |
| 3 | ls | This command will list files |
| 4 | cd | This command allows you to move between directories |
| 5 | clear | This command will clear the terminal screen |
| 6 | mkdir | This command creates a directory or subdirectory |
| 6.a | mkdir -h / --help | This command displays help for the mkdir command |
| 7 | rm | This command allows removing files and directories |
| 7.a | rm -h / --help | This command displays help for the rm command |
| 8 | pwd | This command writes to standard output the full path name of your current directory |
| 9 | whoami | This command allows the user to see the currently logged-in user |
| 9.a | whoami -h / --help | This command displays help for the whoami command |
| 10 | echo | This command will display lines of text or strings which are passed as arguments on the command line |
| 11 | passwd | This command will show a Permission denied message |
| 12 | iptables | This command will show a Permission denied message |
| 13 | grep | This command will show a Permission denied message |
| 14 | sudo | This command will show a Permission denied message |
| 15 | cat | This command will show a Permission denied message |
| 16 | halt | This command will show a Permission denied message |

MongoDB Integration

To use this honeypot you first need to register with MongoDB, because we will use their services to store the data from our machine. I chose this service for its user-friendly nature, but especially for the ability it offers to have databases hosted directly by them and completely free of charge. Another feature that made me choose this service is the ability to graphically visualize the data being collected by our honeypot.

  • After registering, we need to create a new project and then a new cluster that will host our database.

The data that the honeypot will send to our database are in this format

_id : ObjectId('xxxxxxxxxxxxxxxxxxxxxxxx')
time:"yyyy-mm-dd hh:mm:ss"
ip:"127.0.0.1"
status:"success"
continent:"continentName"
continentCode:"XX"
country: "countryName"
countryCode:"XX"
region: "xx"
regionName: "regionName"
city: "cityName"
zip:"xxxx"
location: Object
	type: "Point"
	coordinates: Array
		0: 00.0000
		1: 11.1111
isp:"ispName"
org: ""
as: "name"
asname: "name"
username: "root"
password: "test"
authentication: "Failed"

All the geolocation information in this record is obtained with an API call to this service. The free API that I am using in this project is rate limited to 45 requests per minute, but from my tests that is more than enough for the kind of use we need.
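
One way to stay inside the 45 requests per minute mentioned above while still producing records in the format shown earlier is to cache lookups per source IP and defer enrichment when the budget is spent, so that no login attempt is lost. This is an added example, not code from the honeypot project: the class name, the `geo_pending` marker field and the stub lookup are assumptions, and the source addresses are constructed from a documentation range.

```python
import time
from collections import deque

class GeoEnricher:
    """Per-IP geolocation cache that stays inside a requests-per-minute budget."""
    def __init__(self, lookup, limit=45, window=60.0, clock=time.monotonic):
        self.lookup = lookup      # callable(ip) -> dict of geolocation fields
        self.limit = limit        # the page states 45 requests per minute
        self.window = window      # length of the rate-limit window in seconds
        self.clock = clock        # injectable so the demo needs no real waiting
        self.cache = {}           # ip -> geolocation dict already fetched
        self.calls = deque()      # timestamps of API calls inside the window
        self.pending = set()      # IPs logged without geolocation so far

    def geo(self, ip):
        if ip in self.cache:                      # repeat offender: no API call
            return self.cache[ip]
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()                  # forget calls older than window
        if len(self.calls) >= self.limit:         # budget spent: defer, don't drop
            self.pending.add(ip)
            return None
        self.calls.append(now)
        self.cache[ip] = self.lookup(ip)
        self.pending.discard(ip)
        return self.cache[ip]

    def record(self, when, ip, username, password, authentication):
        """Build one document with the field names shown on the page."""
        doc = {"time": when, "ip": ip, "username": username,
               "password": password, "authentication": authentication}
        geo = self.geo(ip)
        if geo is None:
            doc["geo_pending"] = True             # hypothetical marker field
        else:
            doc.update(geo)
        return doc

def demo():  # 50 new source IPs in one minute, one repeat, one later retry
    now = [0.0]
    stub = lambda ip: {"status": "success", "countryCode": "XX"}  # constructed
    e = GeoEnricher(stub, clock=lambda: now[0])
    docs = [e.record("2023-02-01 00:00:00", f"198.51.100.{i}", "root", "test",
                     "Failed") for i in range(50)]
    repeat = e.record("2023-02-01 00:00:30", "198.51.100.0", "root", "x", "Failed")
    now[0] = 61.0                                 # the first window has expired
    retry = e.record("2023-02-01 00:01:01", "198.51.100.49", "root", "y", "Failed")
    return docs, repeat, retry, e
```

Records carrying `geo_pending` can be enriched later by walking `pending` once the window has cleared.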

How To Create a Dashboard

I chose MongoDB over other services that offer hosted databases so that I could directly create interactive dashboards that update in real time. Here you can find a complete guide on how to create a dashboard. In the folder you will also find a file named Honeypot_Dashboard.charts; this is the configuration file of my dashboard, which you can import into MongoDB to get the same dashboard I created.

  • Go to the Charts tab.

  • Click on Add Dashboard, then on Import dashboard.

  • After selecting the Honeypot_dashboard.charts file that you can find in the main folder, click on Save.

  • You have successfully imported the dashboard.

My Dashboard

Below are presented some images of the dashboard that was created to gather all the attack information from the system I developed. If you want to see the full site you can click here.
