Where is SSH Honeypot on Omnia?

I tried to configure the SSH honeypot using your FAQ at https://www.turris.cz/doc/cs/howto/ssh_honeypot without any success. What is the package name for Omnia? In Foris there is no check box to enable the SSH honeypot, only Telnet.

Have you updated the list of packages? There is a button for this in Foris on the tab with packages. The “SSH honeypot” package should appear in the list of available packages.

Yes, I have updated the list of packages several times.
Do you have Omnia or the previous version?

All available packages on Omnia containing ssh are

opkg find ssh
announce - 1.0.1-1 - Announce services on the network with Zeroconf/Bonjour.
This announces services such as ssh, sftp, and http running on the local machine
to the network.
avahi-daemon-service-ssh - 0.6.31-13 - Avahi is an mDNS/DNS-SD (aka RendezVous/Bonjour/ZeroConf)
implementation (library). It facilitates
service discovery on a local network – this means that
you can plug your laptop or computer into a network and
instantly be able to view other people who you can chat with,
find printers to print to or find files being shared.
This kind of technology is already found in MacOS X
(branded ‘Rendezvous’, ‘Bonjour’ and sometimes ‘ZeroConf’)
and is very convenient.
.
This package contains the service definition for announcing SSH service.
erlang-ssh - 3.2 - Erlang/OTP is a general-purpose programming language and runtime
environment. Erlang has built-in support for concurrency, distribution
and fault tolerance.
.
This Erlang/OTP package provides an implementation of the Secure Shell
protocol, with SSH & SFTP support.
kmod-ledtrig-netfilter - 4.4.13+7-1-05df79f63527051ea0071350f86faf76-7 - Kernel module to flash LED when a particular packets passing through your machine.

For example to create an LED trigger for incoming SSH traffic:
iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
Then attach the new trigger to an LED on your system:
echo netfilter-ssh > /sys/class/leds//trigger
libssh - 2015-12-18-be36586d74367f562937da041ce6a5615d647f3b - libssh is a mulitplatform C library implementing the SSHv2 and SSHv1 protocol
for client and server implementations.
libssh2 - 1.7.0-1 - libssh2 is a client-side C library implementing the SSH2 protocol.
openssh-client - 7.2p2-2 - OpenSSH client.
openssh-client-utils - 7.2p2-2 - OpenSSH client utilities.
openssh-keygen - 7.2p2-2 - OpenSSH keygen.
openssh-moduli - 7.2p2-2 - OpenSSH server moduli file.
openssh-server - 7.2p2-2 - OpenSSH server.
openssh-sftp-avahi-service - 7.2p2-2 - This package contains the service definition for announcing
SFTP support via mDNS/DNS-SD.
openssh-sftp-client - 7.2p2-2 - OpenSSH SFTP client.
openssh-sftp-server - 7.2p2-2 - OpenSSH SFTP server.
pppossh - 2 - This package adds protocol support for PPP over SSH. The protocol name is
‘pppossh’ as in netifd interface config option ‘proto’.
sshfs - 2.5-2 - Mount remote system over sftp.
sshtunnel - 4-1 - Creates openssh ssh(1) Local and Remote tunnels configured in UCI file. Can be used to allow remote connections, possibly over NATed connections or without public IP/DNS
strongswan-mod-sshkey - 5.3.5-1 - StrongSwan SSH key decoding plugin

I have Turris Omnia (arrived approx. 5 days ago).

Unfortunately, I’m not sure how exactly I installed the SSH honeypot, but I definitely used only Foris and LuCI.
I believe that I refreshed the list of packages (button in LuCI) and then an “SSH Honeypot” appeared in Foris (in the Updater tab). I checked the “SSH Honeypot” checkbox in the Updater, clicked “Save changes” and all the packages installed (which was announced on the main page of Foris).

If I now uncheck and check the “SSH Honeypot” item in the Updater, the main page of Foris announces that the following packages were uninstalled and then installed:

  • zope-interface
  • python-pyasn1
  • python-crypto
  • pyopenssl
  • python-twisted
  • mitmproxy

Hello,
From Omnia: https://ctrlv.cz/shots/2016/10/25/FBQj.png
It’s there.


Thanks Pepe,
it helped me a lot. I was looking in LuCI for a single package, and it’s multiple packages.
2016-10-25 17:03 TRANSACTION START
2016-10-25 17:03 install 4.1.1-1 zope-interface
2016-10-25 17:03 install 0.1.9-1 python-pyasn1
2016-10-25 17:03 install 2.6.1-1 python-crypto
2016-10-25 17:03 install 0.10-1 pyopenssl
2016-10-25 17:03 install 14.0.2-3 python-twisted
2016-10-25 17:03 install 0.4.1-4 mitmproxy
2016-10-25 17:04 TRANSACTION END

You’re welcome. But it was said also in FAQ which you linked.
"Installation can be done in the Foris interface. On the Updater tab, check SSH honeypot and confirm. Then you only need to set up the firewall according to the instructions in the next section."

In the next few days I will try to translate it for our English members :-)


I’d appreciate step-by-step instructions on enabling the SSH honeypot. I read elsewhere that you need to disable SSH for the honeypot to work, which I find hardly believable. Also, I don’t want to undergo another hit-and-miss session with this one ;-)

There is Czech howto here: https://www.turris.cz/doc/cs/howto/ssh_honeypot

In short:

  1. Enable Data collection and wait until it’s enabled.
  2. Install SSH honeypot in Foris (it’s in Updater selection, not in Data collection as Telnet emulation is), it will listen on port 58732 by default
  3. If you want SSH accessible from outside, change port on which real SSH is listening (either in /etc/config/sshd or by using port forwarding)
  4. Add port forwarding from port 22 to 58732 (Network / Firewall / Port Forwards in LuCI):
    • Protocol TCP
    • External zone WAN
    • External port 22
    • Internal zone empty
    • Internal IP address empty
    • Internal port 58732

SSH from internal network is not affected by port forwarding, so as long as you want it only from there, there is no need to change SSH setup, it’s needed only to be accessible from outside.


I do not see the SSH honeypot listed in Foris\Updater at all. Did anyone encounter the same issue? How to “add” it there? Thank you

@Kes I see it in “Package list”: “SSH Honeypot Trap for password-guessing robots on SSH.”

@nijel Thanks for the detailed explanations. Now, connections from the outside to port 22 no longer receive a “Connection refused” but there is still a problem. I test from a remote machine to my Turris:

% ssh  -l admin x.y.z.t
Unable to negotiate with x.y.z.t port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

So, I assume that the honeypot does not work (I did not have the opportunity to type the password)

That’s a client issue, see https://www.openssh.com/legacy.html

Obviously the honeypot doesn’t expect bots to use a decent SSH setup :-).

If I remember correctly, it’s necessary to activate Data collection first. Then the honeypot “materialized” in the Updater section and I could install it.
—
During the initial installation I agreed to data collection (fully aware of it), but it was only activated the day before yesterday. Only with data collection active did the option to check and install the honeypot packages “appear”. Everything in Foris.

M.

It works, you need to temporarily add these two lines to your .ssh/config:

KexAlgorithms diffie-hellman-group1-sha1
MACs hmac-sha1,hmac-md5

then for example “root” with password “pi” works
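
Why the connection attempt above stopped before the password prompt, as an added example that is not part of the original thread: SSH key exchange picks the first algorithm on the client's list that the server also offers (RFC 4253, section 7.1), and the honeypot's only key exchange offer is one that current OpenSSH clients no longer enable by default. The client preference lists and the honeypot's MAC list below are constructed assumptions.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):  # serializer, used here only to construct sample input
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)         # message type + 16-byte cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names   # uint32 length + name-list
    return out + b"\x00" + struct.pack(">I", 0)        # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return {field: [algorithm, ...]} for a KEXINIT payload, or raise ValueError."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += length
    return lists

def negotiate(client_prefs, server_offer):  # first client choice the server also lists
    return next((alg for alg in client_prefs if alg in server_offer), None)

# Constructed samples. The honeypot kex is the one in the thread's error message;
# its MAC list and both client preference lists are assumptions for illustration.
HONEYPOT = build_kexinit({"kex": ["diffie-hellman-group1-sha1"],
                          "mac_s2c": ["hmac-sha1", "hmac-md5"]})
MODERN = {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
          "mac_s2c": ["hmac-sha2-256", "hmac-sha2-512"]}
LEGACY = {"kex": MODERN["kex"] + ["diffie-hellman-group1-sha1"],
          "mac_s2c": MODERN["mac_s2c"] + ["hmac-sha1"]}

def outcome(client):
    """Negotiated (kex, mac) for a client against the sample honeypot offer."""
    server = parse_kexinit(HONEYPOT)
    return tuple(negotiate(client[f], server[f]) for f in ("kex", "mac_s2c"))

print("modern client:", outcome(MODERN), "| legacy client:", outcome(LEGACY))
```

Placing the two workaround lines under a `Host` entry for the honeypot's address in `.ssh/config` keeps the weak algorithms disabled for every other server.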

By the way, what does actually happen with logged requests? Can I see who and with what credentials attempted to log onto my machine? In fact this isn’t limited to SSH since I’m also curious about telnet attempts.

The SSH sessions are shown on the Turris website (with a one-day delay). Not sure if they are logged on the router somewhere.


@nijel I still see nothing on the portal, under “logged sessions”

@fik You’re right, it works, I’m now connected to the honeypot.

admin@cluster:~$ id
uid=1001(admin) gid=1001(admin) groups=1001(admin)
admin@cluster:~$ ls
richard 
admin@cluster:~$ hostname
cluster