I tried to configure ssh honeypot using your FAQ on https://www.turris.cz/doc/cs/howto/ssh_honeypot without any success. What is the package name for Omnia? In Foris there is no check box to enable ssh Honeypot, only Telnet.
Have you updated the list of packages? There is a button for this in Foris on the tab with packages. The "SSH honeypot" package should appear in the list of available packages.
Yes I have updated list of packages several times… Do you have Omnia or the previous version?
All available packages on Omnia containing ssh are
opkg find ssh
announce - 1.0.1-1 - Announce services on the network with Zeroconf/Bonjour.
This announces services such as ssh, sftp, and http running on the local machine
to the network.
avahi-daemon-service-ssh - 0.6.31-13 - Avahi is an mDNS/DNS-SD (aka RendezVous/Bonjour/ZeroConf)
implementation (library). It facilitates
service discovery on a local network -- this means that
you can plug your laptop or computer into a network and
instantly be able to view other people who you can chat with,
find printers to print to or find files being shared.
This kind of technology is already found in MacOS X
(branded "Rendezvous", "Bonjour" and sometimes "ZeroConf")
and is very convenient.
.
This package contains the service definition for announcing SSH service.
erlang-ssh - 3.2 - Erlang/OTP is a general-purpose programming language and runtime
environment. Erlang has built-in support for concurrency, distribution
and fault tolerance.
.
This Erlang/OTP package provides an implementation of the Secure Shell
protocol, with SSH & SFTP support.
kmod-ledtrig-netfilter - 4.4.13+7-1-05df79f63527051ea0071350f86faf76-7 - Kernel module to flash LED when a particular packets passing through your machine.
For example to create an LED trigger for incoming SSH traffic:
iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
Then attach the new trigger to an LED on your system:
echo netfilter-ssh > /sys/class/leds//trigger
libssh - 2015-12-18-be36586d74367f562937da041ce6a5615d647f3b - libssh is a mulitplatform C library implementing the SSHv2 and SSHv1 protocol
for client and server implementations.
libssh2 - 1.7.0-1 - libssh2 is a client-side C library implementing the SSH2 protocol.
openssh-client - 7.2p2-2 - OpenSSH client.
openssh-client-utils - 7.2p2-2 - OpenSSH client utilities.
openssh-keygen - 7.2p2-2 - OpenSSH keygen.
openssh-moduli - 7.2p2-2 - OpenSSH server moduli file.
openssh-server - 7.2p2-2 - OpenSSH server.
openssh-sftp-avahi-service - 7.2p2-2 - This package contains the service definition for announcing
SFTP support via mDNS/DNS-SD.
openssh-sftp-client - 7.2p2-2 - OpenSSH SFTP client.
openssh-sftp-server - 7.2p2-2 - OpenSSH SFTP server.
pppossh - 2 - This package adds protocol support for PPP over SSH. The protocol name is
"pppossh" as in netifd interface config option "proto".
sshfs - 2.5-2 - Mount remote system over sftp.
sshtunnel - 4-1 - Creates openssh ssh(1) Local and Remote tunnels configured in UCI file. Can be used to allow remote connections, possibly over NATed connections or without public IP/DNS
strongswan-mod-sshkey - 5.3.5-1 - StrongSwan SSH key decoding plugin
I have Turris Omnia (arrived approx. 5 days ago).
Unfortunately, I'm not sure how exactly I installed the ssh honeypot, but I definitely used only Foris and LuCI.
I believe that I refreshed the list of packages (button in LuCI) and then an "SSH Honeypot" appeared in Foris (in the Updater tab). I checked the "SSH Honeypot" checkbox in the Updater, clicked "Save changes" and all the packages installed (which was announced on the main page of Foris).
If I now uncheck and check the "SSH Honeypot" item in the Updater, the main page of Foris announces that the following packages were uninstalled and then installed:
- zope-interface
- python-pyasn1
- python-crypto
- pyopenssl
- python-twisted
- mitmproxy
Thanks Pepe,
it helped me a lot. I was looking in LuCI for a single package and it's multiple packages.
2016-10-25 17:03 TRANSACTION START
2016-10-25 17:03 install 4.1.1-1 zope-interface
2016-10-25 17:03 install 0.1.9-1 python-pyasn1
2016-10-25 17:03 install 2.6.1-1 python-crypto
2016-10-25 17:03 install 0.10-1 pyopenssl
2016-10-25 17:03 install 14.0.2-3 python-twisted
2016-10-25 17:03 install 0.4.1-4 mitmproxy
2016-10-25 17:04 TRANSACTION END
You're welcome. But it was also said in the FAQ which you linked.
"Installation can be done in the Foris interface. On the Updater tab, check SSH honeypot and confirm. Then you only need to set up the firewall according to the instructions in the next section."
In the next few days I will try to translate it for our English members
I'd appreciate step-by-step instructions on enabling the ssh honeypot. I read elsewhere that you need to disable ssh for the honeypot to work, which I find hardly believable. Also, I don't want to undergo another hit-and-miss session with this one
There is Czech howto here: https://www.turris.cz/doc/cs/howto/ssh_honeypot
In short:
- Enable Data collection and wait until it's enabled.
- Install SSH honeypot in Foris (it's in Updater selection, not in Data collection as Telnet emulation is), it will listen on port 58732 by default
- If you want SSH accessible from outside, change port on which real SSH is listening (either in /etc/config/sshd or by using port forwarding)
- Add port forwarding from port 22 to 58732 (Network/Firewall/Port Forwards in LuCI):
  - Protocol TCP
  - External zone WAN
  - External port 22
  - Internal zone empty
  - Internal IP address empty
  - Internal port 58732
SSH from internal network is not affected by port forwarding, so as long as you want it only from there, there is no need to change SSH setup, it's needed only to be accessible from outside.
I do not see SSH honeypot in Foris\Updater listed at all. Did anyone encounter the same issue? How to "add" it there? Thank you
@Kes I see it in "Package list": "SSH Honeypot Trap for password-guessing robots on SSH."
@nijel Thanks for the detailed explanations. Now, connections from the outside to port 22 no longer receive a "Connection refused" but there is still a problem. I test from a remote machine to my Turris:
% ssh -l admin x.y.z.t
Unable to negotiate with x.y.z.t port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
So, I assume that the honeypot does not work (I did not have the opportunity to type the password)
That's a client issue, see https://www.openssh.com/legacy.html
Obviously honeypot doesn't expect bots to use decent SSH setup :-).
If I remember correctly it's necessary to activate Data collection first. Then honeypot "materialized" in Updater section and I can install it.
--
During the initial installation I agreed to data collection (fully aware of it), but it was only activated the day before yesterday. Only with data collection active did the option to check and install the honeypot packages "appear". All in Foris.
M.
it works, you need to temporarily add these two lines in your .ssh/config:
KexAlgorithms diffie-hellman-group1-sha1
MACs hmac-sha1,hmac-md5
then for example "root" with password "pi" works
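The failed negotiation and the client-side workaround from the posts above, as an added example that is not part of the original thread: it builds and parses SSH_MSG_KEXINIT name-lists and applies a simplified form of the RFC 4253 selection rule (first name on the client's list that the server also offers). Only the diffie-hellman-group1-sha1 offer and the two client settings come from the thread; the honeypot's MAC list, the modern client's proposal and all function names are assumptions made for illustration.

```python
import struct
SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    """Serialize a KEXINIT payload from {field: [names]}; the cookie is zeroed."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Parse a KEXINIT payload back into {field: [names]}, rejecting truncation."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += length
    return lists

def negotiate(client, server, fields=("kex", "mac_c2s")):
    """Simplified RFC 4253 rule: first client name the server also lists, else None."""
    return {f: next((a for a in client[f] if a in server[f]), None) for f in fields}

# Honeypot KEX offer is the one quoted in the error above; its MAC list is assumed.
HONEYPOT = {"kex": ["diffie-hellman-group1-sha1"], "mac_c2s": ["hmac-sha1", "hmac-md5"]}
# Constructed proposal of a client that no longer offers the legacy algorithms.
MODERN = {"kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"],
          "mac_c2s": ["hmac-sha2-256", "hmac-sha2-512"]}
# The same client with the two .ssh/config lines from the post applied.
LEGACY = {"kex": ["diffie-hellman-group1-sha1"], "mac_c2s": ["hmac-sha1", "hmac-md5"]}

def outcome(client):
    """Round-trip both proposals through the wire format, then negotiate."""
    return negotiate(parse_kexinit(build_kexinit(client)),
                     parse_kexinit(build_kexinit(HONEYPOT)))

if __name__ == "__main__":
    print(outcome(MODERN), outcome(LEGACY))
```

A `None` for `kex` corresponds to the "no matching key exchange method found" error shown earlier; the connection is dropped before any password prompt.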
By the way, what does actually happen with logged requests? Can I see who and with what credentials attempted to log onto my machine? In fact this isn't limited to SSH since I'm also curious about telnet attempts.
The ssh sessions are shown on turris website (with one day delay). Not sure if they are logged on the router somewhere…
@fik You're right, it works, I'm now connected to the honeypot.
admin@cluster:~$ id
uid=1001(admin) gid=1001(admin) groups=1001(admin)
admin@cluster:~$ ls
richard
admin@cluster:~$ hostname
cluster