Deploying an SSH Honeypot with Docker to Record SSH Login Passwords

If your server is being brute-forced over SSH, a safer response is not to modify the production OpenSSH service directly. A cleaner approach is to move the real SSH service to another port, then place a separate honeypot container on port 22 to observe source IPs, usernames, and password attempts.

This article stays on the defensive side: protect the real SSH service first, deploy a Docker-based SSH honeypot second, and use the logs only for monitoring and analysis.

My environment is CentOS 7; Ubuntu differs somewhat, so you might need to adjust environment-related parameters accordingly.

Main steps:

1. Change the sshd service port

• Change the default sshd service port
• Disable SELinux
• Modify sshd configuration file and restart ssh service

2. Deploy SSH honeypot with Docker

• Install Docker and start Docker service
• Build the SSH honeypot Docker image and run the honeypot

Before you start

1. Make sure you can still log in through the new SSH port before exposing the honeypot
2. Open the new management port in your cloud security group or firewall
3. Treat the honeypot as an observation tool, not as a real SSH service

Change sshd service port

Change the default sshd port

Directly edit the SSH config file /etc/ssh/sshd_config, find the line #Port 22 and change it to port 2222 here:

vim /etc/ssh/sshd_config

As shown:

Disable SELinux

Edit /etc/selinux/config to disable SELinux:

vim /etc/selinux/config

Change to

SELINUX=disabled Then reboot the system:

shutdown -r now

Check SELinux status with

If it shows SELinux status: disabled then SELinux is successfully disabled.

Restart ssh service

systemctl restart sshd.service

If you see errors like

please go back and make sure SELinux is disabled.

Check SSH service status on the new port:

netstat -nlp|grep 222

it means the sshd service port was successfully changed.

If your server also uses a cloud firewall or firewalld, allow the new port there as well, otherwise you may lock yourself out after restarting SSH.

Deploy SSH honeypot Docker

Install Docker and start Docker service

yum update -y
yum install docker -y
systemctl start docker.service

Update yum and install/run Docker.

Build the first server and record information

Use the SSH honeypot Docker image from GitHub repo droberson/ssh-honeypot:

 git clone https://github.com/random-robbie/docker-ssh-honey
 cd docker-ssh-honey/
 docker build . -t local:ssh-honepot
 docker run -itd --name ssh-honeypot -p 22:22 local:ssh-honepot

Here, we build an SSH honeypot image with Docker, then map the Docker honeypot’s port 22 to the local port 22. We changed our own SSH port earlier to avoid conflict with this honeypot port.

Check local port 22 status:

netstat -nlp|grep 22

How to verify the honeypot is working

At minimum, check these three points:

1. Port 22 is now handled by the container
2. docker ps shows the honeypot container is running
3. docker logs starts to show connection attempts or scan noise

For example:

docker ps
docker logs --tail 20 ssh-honeypot

Next, check the usernames and passwords captured by the honeypot.

First, view logs via command line:

docker logs -f $(docker ps -f name=ssh-honeypot -q) | grep -v 'Error exchanging' | head -10

Second, save logs to a file for later analysis:

docker logs -f $(docker ps -f name=ssh-honeypot -q) | grep -v 'Error exchanging' | awk '{print $6, $7, $8}' >> /root/ssh_name_pass.log

From now on, analyze the recorded SSH brute-force passwords from the log file ssh_name_pass.log.

After one day, check SSH login records:

Analyze login IPs and passwords using shell commands:

cat /root/ssh_name_pass.log|grep -v ssh- |grep -v Sess|awk '{print $1}'|sort |uniq -c  ##Check login IPs and counts

cat /root/ssh_name_pass.log |grep -v ssh-|grep -v Sess|awk '{print $3}'|sort > /root/pass.txt  ###Save passwords used to login via SSH

#cd ~ && tail pass.txt

Now you know the attacker IPs and the passwords they tried.

Check the login passwords:

cd ~ && tail pass.txt

Common issues

1. You cannot log in after changing the SSH port

Check these first:

1. Whether sshd_config was applied correctly
2. Whether the new port is allowed by your cloud firewall or local firewall
3. Whether SELinux or another policy layer is still blocking the service

2. The honeypot container starts, but port 22 is not listening

That usually means there is still a port conflict. Either the real SSH service is still bound to port 22, or Docker failed to map the port.

3. The logs stay empty

First confirm that public port 22 is actually exposed and that you are reading logs from the correct container name.

Summary

That’s all for this article. It started from finding SSH brute-force attempts, then deployed an SSH honeypot using Docker to capture usernames and passwords trying to log into the server. Compared to patching OpenSSH, this is simpler and avoids recording local user information, which is a great method.

Of course, the real way to secure SSH is:

Use SSH keys and disable password login

Restrict remote port access to only local IPs via firewall/security groups

Related reading

• Managing Long-Running Tasks on Unix-like Systems