Install a SSH honeypot, and have the data logged in 3 easy steps

Did you ever wonder who is trying to log on to your server?

Here is how to set up a SSH honeypot inside of a Docker container that sends the data to CSIRT Gadgets using the Collective Intelligence Framework (CIF) in 3 steps. Sending the data to CSIRT Gadgets is great because you can then pull the data back down to be injected in to your IDS, or any other number of uses like by a SIEM for correlation.

Below is a short video that shows the entire process that takes less than 90 seconds(once your account is set up) on an Ubuntu 16.04 server, but will work on any *nix machine that can run Docker and Python 2.7.14+

For those less trusting of scripts found on the Internet, I’ve detailed the steps below the video.

90 Second install!

  1. Create an account on if you don’t have one
    • Set up a ‘ssh-scanning’ feed
    • Create a token for your account
  2. Change your real SSH server to run on a non-default port. I normally use 2020, but you can use whatever suits your fancy
    • You do this in the /etc/ssh/sshd_config file
    • Then do a sudo service ssh restart to restart it on the new port
  3. Run this command from your Ubuntu 16.04 box
    • Enter your CSIRTG username/provider/token when prompted.
$bash <(curl -s

My public feeds can be seen here

Once your CSIRTG account is ready to go, the rest takes less than 2 minutes! The video below picks up right after your CSIRTG account and token is setup.

For those of you less trusting of scripts found on the Internet, here are the steps laid out for you.

Step 1: Create account

Go to and sign up to create your username.

Create a feed called 'ssh-scanning'.

Finally create a token for your account, you'll need this in step 6.

Step 2: Move SSH port

Change the SSHD default port, by updating the line in /etc/ssh/sshd_config that says
Port 22 to Port 2020 or run this command:

$ sudo sed -i 's/Port\ 22/Port\ 2020/' /etc/ssh/sshd_config

Step 3: Install Ubuntu packages

Install and PIP on Ubuntu with this command:

$ sudo apt-get update && sudo apt-get install python-pip

Step 4: Set up Docker container

Once Docker is installed, pull down Justin Azoff's ssh-auth-logger and run it. This command pulls the latest image from, set it to start the container to auto restart on failure, and exposes and publishes port 22 of the Docker container to port 22 of the host:

$ sudo docker run -d -p 22:22 --expose=22 --name=sshlogger --restart=always justinazoff/ssh-auth-logger

Step 5: Install CIF

Install csirtg-smrt and csirtgsdk:

$sudo pip install --upgrade pip && sudo pip install csirtg-smrt csirtgsdk

Step 6: Set up CIF to tail Docker container

Because ssh-auth-logger just logs any IP that tries to connect to it and outputs it to STDOUT we need to install the service files that configure csirtg-cef to tail the Docker container.
- Edit the csirtg-docker.service file and change the provider and feed to whatever you set on and update --tail-docker to whatever you named your container.
- Edit the darknet.env file with your username, token and use 'ssh-scanning' as the feed.
- These commands pull the files down from github, and puts them where they need to go. Make sure you edit both files with your variables before you copy them:

$ git clone
$ sudo cp csirtg-docker.service /etc/systemd/system/
$ sudo cp darknet.env /etc/

Step 7: Start/check services

First, check the Docker container is running, because csirtg-cef won't run if it isn't. This will show the status of all containers on your system, running and not-running:

$ sudo docker ps -a

Once the ssh-auth-logger container is verified to be running, start up the CSIRTG service.

$ sudo service csirtg-docker start

Finally, after it's been started, check it to verify it's running properly. If it's encountered an error and exited, you'll have to double check the configuration and/or other services to make sure they are running.

$ sudo service csirtg-docker status
This entry was posted in CIF, Docker, SSH. Bookmark the permalink.