SSH Honeypot


  • In computer security, a honeypot is used to detect or deflect unauthorized access to information systems.

  • In essence, it lays a trap so that an attacker is under the assumption that he/she is making progress in attacking a secure system.

  • This dockerized sshd Honeypot is part of the LongTail project at Marist College that includes the sshd and httpd Honeypot and the LongTail analyzer.

  • The actual sshd port that administrators use is changed from the default port 22 to some other port (49000 in this case), while the LongTail honeypot uses port 22 to trick the attacker.

  • The system log processing rsyslog, is modified to obtain the attacker's IP address, typed user id and password.

  • Such information is fundamental in analyzing the attacker's scheme and the specific user ids, IPs and passwords used by attackers.

  • The /var/log/messages file, is designated to capture the aforementioned information by the LongTail honeypot.

  • The LongTail project's httpd honeypot and LongTail analyzer (require 16 GB of disk space) can also be installed on user servers.

  • Please note that this demonstration is based on our interpretation of a small piece of this research project. It is not intended as a complete representation of the authors' research, but instead provides the basic concepts of Honeypots via a simple demonstration.

  • Interested users are referred to the LongTail Project Page


  • Ready to go? Try It !
  • Note: You will have around 20 minutes to test this application.