An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in and logs their activity

docker-compose.yml

services:
  sshesame:
    image: ghcr.io/jaksi/sshesame
    ports:
      - "0.0.0.0:22:2022"
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "5"
    volumes:
      - ./sshesame.yaml:/config.yaml

sshesame.yaml

server:
  listen_address: 0.0.0.0:2022

  # Host private key files.
  # If unspecified, null or empty, an RSA, ECDSA and Ed25519 key will be generated and stored.
  host_keys: null

  # Fake internal services for handling direct-tcpip channels (`ssh -L`).
  # If unspecified or null, sensible defaults will be used.
  # If empty, no direct-tcpip channels will be accepted.
  tcpip_services:
    25: SMTP
    80: HTTP
    110: POP3
    587: SMTP
    8080: HTTP

logging:
  # The log file to output activity logs to. Debug and error logs are still written to standard error.
  # If unspecified or null, activity logs are written to standard out.
  file: null

  # Make activity logs JSON-formatted instead of human readable.
  json: false

  # Include timestamps in the logs.
  timestamps: true

  # Log full raw details of all global requests, channels and channel requests.
  debug: false

  # Address to export and serve prometheus metrics on.
  # If unspecified or null, metrics are not served.
  metrics_address: null

  # When logging in JSON, log addresses as objects including the hostname and the port instead of strings.
  split_host_port: false

auth:
  # Allow clients to connect without authenticating.
  no_auth: false

  # The maximum number of authentication attempts permitted per connection.
  # If set to a negative number, the number of attempts are unlimited.
  # If unspecified, null or zero, a sensible default is used.
  max_tries: 0

  password_auth:
    # Offer password authentication as an authentication option.
    enabled: true

    # Accept all passwords.
    accepted: true

  public_key_auth:
    # Offer public key authentication as an authentication option.
    enabled: true

    # Accept all public keys.
    accepted: false

  keyboard_interactive_auth:
    # Offer keyboard interactive authentication as an authentication option.
    enabled: false

    # Accept all keyboard interactive answers.
    accepted: false

    # Instruction for the keyboard interactive authentication.
    instruction: Answer these weird questions to log in!

    questions:
      - text: "User: " # Keyboard interactive authentication question text.
        echo: true # Enable echoing the answer.
      - text: "Password: "
        echo: false

ssh_proto:
  # The version identification string to announce in the public handshake.
  # If unspecified or null, a reasonable default is used.
  # Note that RFC 4253 section 4.2 requires that this string start with "SSH-2.0-".
  version: SSH-2.0-sshesame

  # Sent to the client after key exchange completed but before authentication.
  # If unspecified or null, a reasonable default is used.
  # If empty, no banner is sent.
  banner: Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-41-generic x86_64)

  # The maximum number of bytes sent or received after which a new key is negotiated. It must be at least 256.
  # If unspecified, null or 0, a size suitable for the chosen cipher is used.
  rekey_threshold: 0

  # The allowed key exchanges algorithms.
  # If unspecified or null, a default set of algorithms is used.
  key_exchanges: null

  # The allowed cipher algorithms.
  # If unspecified or null, a sensible default is used.
  ciphers: null

  # The allowed MAC algorithms.
  # If unspecified or null, a sensible default is used.
  macs: null