Capture, analyze, and log SSH brute-force attempts in real-time
```bash
# Debian/Ubuntu
sudo apt-get update && sudo apt-get install -y build-essential libssh-dev
# RHEL/CentOS/Fedora
sudo dnf install -y gcc make libssh-devel
# Arch Linux
sudo pacman -S gcc make libssh
```

```bash
# Clone the repository
git clone https://github.com/Paol0B/SSHoneyC.git
cd SSHoneyC
# Build the project
make
# Generate SSH host key
make hostkey
# Run the honeypot (port 2222, no root required)
./sshoneyc
```

That's it! Your honeypot is now running and logging attempts to `sshoneyc.log` 🎉

```bash
# 1. Install dependencies (see Prerequisites section)
# 2. Compile
make
# 3. Generate SSH host key
make hostkey
# 4. (Optional) Install system-wide
sudo make install
```

| Target | Description |
|---|---|
| `make` | Build the honeypot binary |
| `make hostkey` | Generate SSH host RSA key |
| `make install` | Install to /usr/local/bin (requires root) |
| `make run` | Build and run on port 2222 |
| `make run-privileged` | Build and run on port 22 (requires root) |
| `make clean` | Remove build artifacts |
| `make distclean` | Remove all generated files including logs |

```bash
# Run with default settings (port 2222, log to sshoneyc.log)
./sshoneyc
# Run on standard SSH port (requires root)
sudo ./sshoneyc -p 22
# Specify custom log file
./sshoneyc -l /var/log/ssh-honeypot.log
# Combine options
sudo ./sshoneyc -p 22 -l /var/log/ssh-attacks.log
```

```
Usage: sshoneyc [OPTIONS]
Options:
  -p PORT    Port to listen on (default: 2222)
  -l FILE    Log file path (default: sshoneyc.log)
  -h         Show help message
```

```
[2025-10-30 14:23:45] SSHoneyC started on port 2222
[2025-10-30 14:23:45] Logging to file: sshoneyc.log
[2025-10-30 14:25:12] Connection from 192.168.1.100:54321
[2025-10-30 14:25:14] SSH handshake initiated from 192.168.1.100
[2025-10-30 14:25:15] Key exchange completed with 192.168.1.100
[2025-10-30 14:25:16] Auth attempt #1: user='root' password='admin' from 192.168.1.100
[2025-10-30 14:25:18] Auth attempt #2: user='admin' password='12345' from 192.168.1.100
[2025-10-30 14:25:20] Connection closed from 192.168.1.100 after 2 attempts
```
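
The log format above can be summarized per source address and per credential pair. The script below is an added example, not part of the SSHoneyC project; it assumes the user and password fields are written unescaped exactly as in the sample, so both must be treated as attacker-controlled text, and `summarize` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the log format shown above (not real capture data).
# Line 3 has a quote in the password; line 7 embeds a fake " from <ip>" in it.
SAMPLE_LOG = """\
[2025-10-30 14:25:12] Connection from 192.168.1.100:54321
[2025-10-30 14:25:16] Auth attempt #1: user='root' password='admin' from 192.168.1.100
[2025-10-30 14:25:18] Auth attempt #2: user='admin' password='it's' from 192.168.1.100
[2025-10-30 14:25:20] Connection closed from 192.168.1.100 after 2 attempts
[2025-10-30 14:26:01] Connection from 10.0.0.7:40000
[2025-10-30 14:26:03] Auth attempt #1: user='root' password='admin' from 10.0.0.7
[2025-10-30 14:26:04] Auth attempt #2: user='root' password='x' from 10.9.9.9' from 10.0.0.7
[2025-10-30 14:26:05] Connection closed from 10.0.0.7 after 3 attempts
line without a timestamp
"""

TS = r"\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] "
# user is lazy, password is greedy and anchored on the final " from <ip>",
# so attacker-supplied quotes or a fake " from ..." inside the password
# cannot change which source address the attempt is attributed to.
AUTH = re.compile(TS + r"Auth attempt #\d+: user='(.*?)' password='(.*)' from (\S+)$")
CLOSED = re.compile(TS + r"Connection closed from (\S+) after (\d+) attempts$")


def summarize(text):
    """Aggregate auth attempts per source IP and per credential pair."""
    attempts, creds, reported, unparsed = Counter(), Counter(), Counter(), 0
    for line in text.splitlines():
        if (m := AUTH.match(line)):
            user, password, ip = m.groups()
            attempts[ip] += 1
            creds[(user, password)] += 1
        elif (m := CLOSED.match(line)):
            reported[m.group(1)] += int(m.group(2))
        elif not re.match(TS, line):
            unparsed += 1  # not in the expected format; worth a manual look
    # Sources whose parsed attempts differ from what the close lines report:
    # lost lines, log rotation mid-session, or a line this parser got wrong.
    mismatched = sorted(ip for ip in reported if reported[ip] != attempts[ip])
    return {"attempts": attempts, "creds": creds,
            "mismatched": mismatched, "unparsed": unparsed}


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for ip, n in r["attempts"].most_common():
        print(f"{ip}\t{n} attempts")
    for (user, password), n in r["creds"].most_common(3):
        print(f"{n}x {user!r} / {password!r}")
    print("count mismatch:", r["mismatched"], "unparsed lines:", r["unparsed"])
```
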
```
┌─────────────────┐
│   Main Thread   │
│   (Listener)    │
└────────┬────────┘
         │
         │ Accept connections
         │
    ┌────▼────┐
    │ Socket  │
    └────┬────┘
         │
         │ Spawn thread per connection
         │
    ┌────▼─────────────────┐
    │ Worker Thread        │
    │ - SSH handshake      │
    │ - Capture attempts   │
    │ - Log credentials    │
    └──────────────────────┘
```

- 🔍 Security Research - Study attack patterns and trends
- 🛡️ Threat Intelligence - Collect IOCs and attacker IPs
- 📈 Network Monitoring - Detect port scanning activity
- 🎓 Educational - Learn about SSH attacks and honeypots
- 🧪 Testing - Simulate SSH attacks for blue team training
Warning
This is a honeypot designed for security research. Use responsibly!
- ✅ DO run in an isolated environment (VM/container)
- ✅ DO configure proper firewall rules
- ✅ DO regularly monitor and rotate logs
- ✅ DO ensure legal compliance in your jurisdiction
- ❌ DON'T expose to production networks
- ❌ DON'T use on systems with sensitive data
- ❌ DON'T use without proper authorization
```bash
docker run -d -p 2222:2222 -v ./logs:/logs sshoneyc:latest
```

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.
- Built with libssh - The SSH library
- Inspired by the security research community
- Thanks to all contributors and users
For questions, issues, or suggestions, please open an issue on GitHub.
⭐ Star this repository if you find it useful!
Made with ❤️ for the security community