A low-interaction SSH honeypot with an interactive fake shell that captures attacker credentials, commands, and post-exploitation behavior. Built with Python and Paramiko.
- Credential Harvesting - Captures all password and public key authentication attempts
- Interactive Fake Shell - Drops attackers into a realistic bash environment that logs every command
- Fake Filesystem - Emulated directory structure with bait files (`credentials.bak`, `.env`, `.mysql_history`)
- Command Emulation - Responds to `ls`, `cat`, `cd`, `whoami`, `ifconfig`, `ps`, `wget`, `curl`, and more
- Download Detection - Logs `wget`/`curl` attempts with full URLs (malware staging detection)
- Structured JSON Logging - Every event is a JSON line, ready for `jq`, SIEM ingestion, or ELK
- Configurable Banner - Impersonate any SSH server version
- Session Tracking - Each connection gets a unique session ID for event correlation
```bash
pip install -r requirements.txt

# Run on default port 2222
python3 honeypot.py

# Run on port 22 (requires root)
sudo python3 honeypot.py -p 22

# Custom banner + log file
python3 honeypot.py -p 22 -b "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2" -o /var/log/honeypot.json
```

```text
usage: honeypot.py [-h] [-l LISTEN] [-p PORT] [-b BANNER] [-o OUTPUT] [-k KEY]

SSH Honeypot - Capture credentials and attacker behavior

optional arguments:
  -h, --help             show this help message and exit
  -l, --listen LISTEN    Host to listen on (default: 0.0.0.0)
  -p, --port PORT        Port to listen on (default: 2222)
  -b, --banner BANNER    SSH banner string (default: OpenSSH 8.2)
  -o, --output OUTPUT    Log file path (default: honeypot.log)
  -k, --key KEY          Host key file (default: .host.key)
```
All events are structured JSON, one per line:

```json
{"timestamp": "2023-12-25T15:15:27.213Z", "event": "connection", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "port": 54321}
{"timestamp": "2023-12-25T15:15:30.933Z", "event": "auth_attempt", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "method": "password", "username": "root", "password": "toor"}
{"timestamp": "2023-12-25T15:15:31.002Z", "event": "shell_opened", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "username": "root"}
{"timestamp": "2023-12-25T15:15:35.123Z", "event": "command", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "username": "root", "command": "cat /etc/passwd", "cwd": "/root"}
{"timestamp": "2023-12-25T15:15:42.456Z", "event": "download_attempt", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "username": "root", "url": "http://evil.com/payload.sh", "cwd": "/tmp"}
```

```bash
# All unique passwords attempted
jq -r 'select(.event=="auth_attempt") | .password' honeypot.log | sort -u

# Top 10 source IPs
jq -r 'select(.src_ip) | .src_ip' honeypot.log | sort | uniq -c | sort -rn | head

# All commands run by attackers
jq -r 'select(.event=="command") | "\(.src_ip) [\(.username)] \(.command)"' honeypot.log

# Malware download attempts
jq -r 'select(.event=="download_attempt") | .url' honeypot.log
```

The fake filesystem includes deliberately planted bait files to observe attacker behavior:
| File | Purpose |
|---|---|
| `/home/admin/documents/credentials.bak` | Fake database credentials |
| `/home/admin/scripts/backup.sh` | Script containing "leaked" passwords |
| `/var/www/html/.env` | Fake application environment file |
| `/root/.mysql_history` | Fake MySQL command history |
| `/etc/passwd` | Realistic passwd file |
When an attacker cats these files, the access is logged — useful for understanding post-exploitation tradecraft.
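As an added example (not part of the honeypot project) of consuming this log format beyond the `jq` one-liners, the script below groups events by `session_id` using the field names shown above and the bait paths from the table, and it skips a corrupt record instead of aborting. `SAMPLE_LOG` is a constructed copy of the events above plus one deliberately truncated line.

```python
import json
from collections import defaultdict

# Constructed sample log mirroring the README's event format; the last record
# is deliberately truncated to show that one bad line does not abort parsing.
SAMPLE_LOG = """\
{"timestamp": "2023-12-25T15:15:27.213Z", "event": "connection", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "port": 54321}
{"timestamp": "2023-12-25T15:15:30.933Z", "event": "auth_attempt", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "method": "password", "username": "root", "password": "toor"}
{"timestamp": "2023-12-25T15:15:31.002Z", "event": "shell_opened", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "username": "root"}
{"timestamp": "2023-12-25T15:15:35.123Z", "event": "command", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "username": "root", "command": "cat /etc/passwd", "cwd": "/root"}
{"timestamp": "2023-12-25T15:15:42.456Z", "event": "download_attempt", "session_id": "5b36d44a-5e22", "src_ip": "192.168.1.100", "username": "root", "url": "http://evil.com/payload.sh", "cwd": "/tmp"}
{"timestamp": "2023-12-25T15:16:01.000Z", "event": "command", "session_id": "5b36d44a-5e22"
"""

# Bait paths from the README's table, copied here for matching (assumed list).
BAIT_FILES = (
    "/home/admin/documents/credentials.bak", "/home/admin/scripts/backup.sh",
    "/var/www/html/.env", "/root/.mysql_history", "/etc/passwd",
)

def summarize_sessions(lines):
    """Group JSON-lines events by session_id into one summary dict per session."""
    sessions = defaultdict(lambda: {"src_ip": None, "shell": False, "auth": [],
                                    "commands": [], "bait_hits": [], "downloads": []})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # corrupt or truncated record: skip it, keep the rest of the log
        if not isinstance(ev, dict):
            continue
        s = sessions[ev.get("session_id", "unknown")]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        kind = ev.get("event")
        if kind == "auth_attempt":
            s["auth"].append((ev.get("method"), ev.get("username"), ev.get("password")))
        elif kind == "shell_opened":
            s["shell"] = True
        elif kind == "command":
            cmd = ev.get("command", "")
            s["commands"].append(cmd)
            if any(path in cmd for path in BAIT_FILES):  # bait file touched
                s["bait_hits"].append(cmd)
        elif kind == "download_attempt":
            s["downloads"].append(ev.get("url"))
    return dict(sessions)
```

Feed it `open("honeypot.log")` to get one record per session, which is the unit you would forward to a SIEM or hand to an analyst.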
This tool is intended for security research, threat intelligence, and educational purposes only. Deploy responsibly and in compliance with applicable laws. The authors are not responsible for misuse.
MIT