SSH Honeypot

[Rizzen]

I'm looking for a way to monitor the commands they're sending. I know I could use the bash history but theres nothing to stop them from erasing it. Is there a way to monitor what passwords they try?

I was thinking about setting up the server running using SSH v1 and using dsniff's sshmitm. Any suggestions?

[PeppersGhost]

You could use SSH v2 with TCPWrappers set up you're host.allow file and write a script that writes the history file to a log and tail -f the log in another terminal for real time monitoring. SSH does not send plain text passwords. Therefore they will need to hook up first, enter their password which will be logged in the history file and then get bounced. Leaving a nice trail. OR, you didnt specify which login they are using. Simply deny shell access for that login and the above should work with SSH v1 without wrappers. Some SSH expert correct me if I'm wrong. Just offering ideas so be gentle.

[the_rooster]

I've used Sebek on windows honetpots to log cmd line to a linux box that was monitoring all the traffic. Worked pretty nice, they have a linux client as well you can get at honeynet.org/tools/sebek/.

[totothedwarf]

Kojoney fits the bill.

[PeppersGhost]

Alright, I'll correct myself then. The history file only keeps a history of commands typed. Not login and passwords.