How can I fake port 22 when I made sshd listen to another port?

ssh security

You can use an SSHD honeypot like Kippo or Kojoney


You can also simply log all attempts to connect to port 22 with iptables, even if nothing is listening on that port:

$ sudo iptables -A INPUT -p tcp  --dport 2222 -j LOG
$ nc localhost 2222
$ tail -n1 /var/log/syslog
Oct 26 13:35:07 localhost kernel: [325488.300080] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56580 DF PROTO=TCP SPT=35625 DPT=2222 WINDOW=43690 RES=0x00 SYN URGP=0

To answer the question "Will it make sense doing that?" I ask, "Are you a security researcher?" If you answer yes, then running an ssh honeypot would make sense.

If you're just running a production service and you don't care about failed scans, just run your sshd on a different port with additional authentication mechanisms (such as public key only, or requiring a Yubikey or similar device) and drop port 22 traffic without logging it.

There are brute force ssh worms actively scanning the Internet that will probe your ssh port all day long, and if you're not going to look at the data from firewall logs or honeypots, all you're doing is wasting disk space.


You want a honeypot.

Example: http://code.google.com/p/kippo/

Related

Linux rdesktop ERROR recv Connection reset by peer
glusterfs: failed to get the 'volume file' from server
How to configure iptables so an unwanted port is not reported as filtered
CNAME with S3 buckets
Connecting to PostgreSQL with SSL using OpenSSL s_client
Is it safe to write data to a RAID 6 while it's rebuilding?
Does UPS Rack Position Matter
How to make the task scheduler display the cmd shell when invoking a batch file?
Why use chef-solo on a single instance?
How to find all filenames with given extension
How to find files that don't contain a given search string
Security Admins toolkit? What's in yours? [closed]