What are SSH honeypots?
Honeypots are decoy servers or systems set up to gather information about an attacker or intruder. They are designed to look vulnerable to attack, but once an intruder gains access, all of their actions are controlled and monitored.
SSH honeypots are fairly easy to detect, even laughably so. Many of them are aimed at catching automated or older malware that doesn't have any built-in honeypot checking.
NOTE: This guide is only useful against medium-interaction honeypots. A high-interaction honeypot, i.e. an actual computer left vulnerable so its compromise can be analyzed later, is almost impossible to detect this way.
There are two main ways that SSH honeypots decide to let a login through, and those login policies are the easiest way to detect them.
The allowed password list
Many SSH honeypots let you set an allowed password list. For example, an entry of root:* means the username root with any password is accepted.
These are easy to detect: try a wide range of passwords, and if more than one of them grants access to the same user, it's a honeypot.
The random-login allowance
Some honeypots let you set two integers, a minimum and a maximum, and generate a random number between them every time someone connects.
The person has to attempt logging in that many times before being allowed access. For example, if the number was 4, you'd have to attempt logging in four times before finally gaining access.
These are easy to detect because they eventually accept an obviously wrong password. Try logging in 50 times with a password like TheresN0waY!y-ouCanHav3th1SpAssw0rD?! or something to that effect; if one of those attempts succeeds, it's a honeypot.
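To see why both login policies give the game away, here is an added example (my own toy model, not the code of any real honeypot) that simulates the allowed-password-list rule and the random-login-allowance rule locally, so a honeypot operator can check what a configured policy leaks before exposing it. The class name, function names and the sample credentials are assumptions made for this illustration.

```python
import random

class LoginPolicy:
    """Toy model of the two honeypot login policies described above.
    Constructed for illustration; it is not the code of any real honeypot."""

    def __init__(self, userdb=None, attempts_range=None):
        # userdb: allowed-password list, e.g. {"root": "*"}; "*" accepts any password
        self.userdb = userdb or {}
        # attempts_range: (min, max); a random count is drawn per connection
        self.attempts_range = attempts_range
        self.remaining = {}  # session id -> failed attempts still required

    def connect(self, session):
        if self.attempts_range:
            lo, hi = self.attempts_range
            self.remaining[session] = random.randint(lo, hi)

    def login(self, session, user, password):
        allowed = self.userdb.get(user)
        if allowed is not None and allowed in ("*", password):
            return True  # allowed-password list matched
        if session in self.remaining:
            self.remaining[session] -= 1
            if self.remaining[session] <= 0:
                return True  # random-login allowance reached
        return False

def distinct_passwords_accepted(policy, user, candidates):
    """Count how many different candidate passwords get in, each tried on a
    fresh connection. A real sshd with one valid password accepts at most one."""
    hits = 0
    for i, pw in enumerate(candidates):
        policy.connect(f"s{i}")
        hits += policy.login(f"s{i}", user, pw)
    return hits

def attempts_until_accepted(policy, user, password, limit=50):
    """Retry one obviously wrong password on a single connection and return
    the attempt number that succeeded, or None if it never gets in."""
    policy.connect("probe")
    for n in range(1, limit + 1):
        if policy.login("probe", user, password):
            return n
    return None

WRONG = ["TheresN0waY!y-ouCanHav3th1SpAssw0rD?!", "hunter2", "letmein"]
wildcard_pot = LoginPolicy(userdb={"root": "*"})           # root:* policy
random_pot = LoginPolicy(attempts_range=(4, 4))            # always 4 attempts
real_sshd = LoginPolicy(userdb={"root": "correct-horse"})  # single fixed password
```

Against the wildcard policy every wrong password gets in; against the random-allowance policy the same wrong password gets in on the fourth try; the single-password baseline accepts none of them.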