Lightweight SSH & SMB Honeypots written in Go
Go-HoneyPot provides lightweight security monitoring tools that detect and report malicious scanning and unauthorized access attempts. The project consists of two honeypot implementations:
- SSH Honeypot - Detects brute force attempts against SSH servers
- SMB Honeypot - Identifies unauthorized SMB access attempts
Both honeypots automatically report offending IPs to AbuseIPDB and temporarily ban them using iptables.
⚠️ Security Note: This tool provides basic detection of abusive scanning and unauthorized login attempts. For enhanced protection, it is strongly recommended to use Fail2Ban or other trusted security solutions alongside this tool.
Improvements are needed in two key areas:
- Error Handling: Ensuring that error handling is clean, effective, and comprehensive to minimize issues and improve system stability.
- Protocol Simulation (SMB and SSH): Enhancing the simulation of both SMB and SSH protocols by adding more banners and improving request detection. While the system still captures connections based on the respective ports, refining these aspects will lead to a cleaner, more accurate simulation.
SSH Honeypot features:
Feature | Description |
---|---|
Multi-port Listening | Monitors multiple common SSH ports (2222, 2200, 22, etc.) |
Server Simulation | Accurately mimics OpenSSH server behavior |
Comprehensive Logging | Records all connection attempts with timestamps |
Automated Reporting | Reports to AbuseIPDB (category 18 - SSH, 22 - Brute Force) |
Temporary Banning | Implements 30-minute IP bans using iptables |
Duplicate Prevention | Prevents duplicate reports within 15 minutes |
SMB Honeypot features:
Feature | Description |
---|---|
Protocol Monitoring | Listens on standard SMB port (445) |
Protocol Simulation | Simulates SMB protocol negotiation |
Detailed Logging | Writes comprehensive logs to smb_attempts.log |
Automated Reporting | Reports to AbuseIPDB (categories 14 - SMB, 15 - Brute Force) |
Temporary Banning | Implements 30-minute IP bans using iptables |
Attack Analytics | Tracks attack patterns and frequency |
Before installation, ensure you have the following dependencies installed:
- Linux system (Debian/Ubuntu recommended)
- Go 1.16+ (required to build the project)
- iptables (used for IP banning)
- curl (for reporting to AbuseIPDB)
- AbuseIPDB API key (free tier available; sign up on the AbuseIPDB website)
```bash
# Clone the repository
git clone https://github.com/Birdo1221/Go-HoneyPot.git
# Navigate to project directory
cd Go-HoneyPot
# Build both honeypots
go build sshpot.go
go build smbpot.go
```
Before running, you'll need to set your AbuseIPDB API key:
```bash
# Edit the configuration (example - actual implementation may vary)
nano config.json
```
Set your API key in the configuration file:
```json
{
  "abuseipdb_api_key": "YOUR_API_KEY_HERE"
}
```
Both honeypots require root privileges to manage iptables:
```bash
# Run SSH honeypot
sudo ./sshpot
# Run SMB honeypot
sudo ./smbpot
```
To run the honeypots in the background:
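```bash
# Cache sudo credentials first so the background jobs do not stall on a password prompt
sudo -v
# Run SSH Honeypot in the background
nohup sudo ./sshpot &
# Run SMB Honeypot in the background
nohup sudo ./smbpot &
```
💡 Tip: As an alternative to nohup, you can use screen or tmux for better session management.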
- SSH Honeypot: Outputs to stdout/stderr by default
- SMB Honeypot: Logs to smb_attempts.log in the same directory
These honeypots are designed to attract malicious traffic by simulating public services. Please consider the following:
- Dedicated Environment: Run on a dedicated server or VM, not your primary system
- System Security: Ensure your system is properly secured before deploying
- Resource Monitoring: Keep an eye on system resources, especially when under attack
- Data Protection: Never run on systems with sensitive data
- Access Control: Use firewall rules to restrict access if needed
The honeypots collect statistics on attack attempts which can be viewed in the log files. For a visual representation of attacks reported through your account, visit your AbuseIPDB dashboard.
To modify listening ports, edit the source code:
```go
// In sshpot.go
var sshPorts = []int{22, 2222, 2200} // Modify as needed
```
To change the default 30-minute ban duration:
```go
// In both sshpot.go and smbpot.go
const banDuration = 30 // Time in minutes, modify as needed
```
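The 15-minute duplicate-report window and the 30-minute ban from the feature tables interact when one scanner opens several connections at once, so here is one way to make both decisions per source IP. This is an added example, not code from the project: `Tracker`, `NewTracker`, `Observe`, `reportWindow` and `banWindow` are hypothetical names, and the AbuseIPDB call and the iptables rule are left to the caller.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// Windows stated in the README; every identifier below is hypothetical.
const (
	reportWindow = 15 * time.Minute // duplicate-report suppression
	banWindow    = 30 * time.Minute // lifetime of a temporary ban
)

// Tracker keeps, per source IP, the last report time and the ban expiry.
type Tracker struct {
	mu                 sync.Mutex
	reported, banUntil map[string]time.Time
}

func NewTracker() *Tracker {
	return &Tracker{reported: map[string]time.Time{}, banUntil: map[string]time.Time{}}
}

// Observe handles one connection attempt. report is true when AbuseIPDB has
// not been notified about this IP within reportWindow; ban is true when no
// ban is active, so the caller inserts a rule for key and removes it later.
func (t *Tracker) Observe(addr string, now time.Time) (key string, report, ban bool, err error) {
	host, _, err := net.SplitHostPort(addr) // form returned by RemoteAddr().String()
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return "", false, false, fmt.Errorf("bad remote address %q", addr)
	}
	key = ip.String() // canonical: ::ffff:203.0.113.7 and 203.0.113.7 share a key
	t.mu.Lock()
	defer t.mu.Unlock()
	if last, seen := t.reported[key]; !seen || now.Sub(last) >= reportWindow {
		t.reported[key], report = now, true
	}
	if until, seen := t.banUntil[key]; !seen || !now.Before(until) {
		t.banUntil[key], ban = now.Add(banWindow), true
	}
	return key, report, ban, nil
}

func main() {
	fmt.Println(NewTracker().Observe("203.0.113.7:40001", time.Now())) // constructed address
}
```

Passing only the validated, canonical `key` to the firewall command keeps the rule set free of duplicates for the same host and ensures nothing but a parsed IP address reaches a command run as root.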
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
Made with ❤️ by Birdo1221