Docker ssh honeypot and ddclient

Recently cleaned house and did a fresh OS install, and when I was about to reinitialize my edge VM I realized that everything I had been using my virtual Debian server for can now be done with Docker.

And then some! Basically I was using a virtual server as a file share, an SSH gateway, a web server, and as a ddclient with Google Domains.

I also wanted to create a honeypot because I’m always getting spammed. The honeypot is not super-advanced but for now, I get a steady stream of common usernames and passwords. Also, IPs to “investigate.” I’d love to go farther with this, but of course, who has the time?

my honeypot brings all the bots to the yard

ddclient image

I recently came across the linuxserver collection of Docker images, including the one for ddclient. Super easy to set up (just mount the directory holding your ddclient.conf as /config), using something like

docker run -d --name=ddclient -e PUID=1000 -e PGID=1000 -e TZ=America/New_York -v "$(pwd)/docker":/config --restart unless-stopped linuxserver/ddclient

Now, my IP stays fresh and the service runs all the time without eating into my resources.

the ssh-honey honeypot

I am using this image for starters: txt3rob/docker-ssh-honey. I've NAT'd my external port 22 to the machine where the container is running, and the container is exposed on port 2022 there, so my command looks like this:

docker run -i -p 2022:22 --name=ssh-honey --restart unless-stopped txt3rob/docker-ssh-honey -e bin/ssh-honeypot -b -d
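To actually do something with the stream of usernames, passwords and IPs the honeypot collects, here is a small added script (not part of the original post or of the txt3rob image) that tallies a log file. The line format it parses and the sample lines are constructed assumptions, so adjust LINE_RE to whatever your image really writes; the IPs are RFC 5737 documentation addresses.

```python
"""Tally an ssh-honeypot log: top source IPs, usernames and passwords."""
import re
from collections import Counter

# Assumed line format (constructed, not the real image's format):
#   [Mon Jan  1 10:00:01 2024] 203.0.113.5 root 123456
# The password group is optional so a blank password still parses.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<user>\S+)(?:\s+(?P<pw>.*))?$"
)

# Constructed sample log, including one blank password and one junk line.
SAMPLE_LOG = """\
[Mon Jan  1 10:00:01 2024] 203.0.113.5 root 123456
[Mon Jan  1 10:00:02 2024] 203.0.113.5 root password
[Mon Jan  1 10:00:03 2024] 203.0.113.5 admin admin
[Mon Jan  1 10:00:04 2024] 198.51.100.7 root 123456
[Mon Jan  1 10:00:05 2024] 198.51.100.7 pi raspberry
[Mon Jan  1 10:00:06 2024] 192.0.2.9 root
this line is garbage and must be ignored
"""


def parse_lines(lines):
    """Yield (ip, user, password) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("pw") or ""


def summarise(lines, top_n=3):
    """Return the top_n IPs, usernames and passwords seen in the log."""
    ips, users, pws = Counter(), Counter(), Counter()
    for ip, user, pw in parse_lines(lines):
        ips[ip] += 1
        users[user] += 1
        pws[pw] += 1
    return {"ips": ips.most_common(top_n),
            "users": users.most_common(top_n),
            "passwords": pws.most_common(top_n)}


def noisy_ips(lines, threshold):
    """Sorted list of source IPs with at least `threshold` attempts."""
    counts = Counter(ip for ip, _, _ in parse_lines(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG.splitlines()))
    print("repeat offenders:", noisy_ips(SAMPLE_LOG.splitlines(), 2))
```

Point it at the real log by replacing SAMPLE_LOG with the file contents; the repeat-offender list is what you would feed into a firewall rule or a blocklist.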

Wordfence is awesome

I’m not affiliated with Wordfence in any way, but if you use WordPress it’s just stupid not to use at the very least their free product. In addition to protecting your shit, it also gives you interesting IPs that are (IMO) fair game to poke around at, like so:

[Image: attacker IP addresses by country with a count of attacks. Spain has 21; the next highest is Ukraine with 14.]
Wow, what happened Spain? I thought we were cool.

I’ve found a bunch of interesting vulnerabilities on boxes that come up in this list. I would usually try to report to the owner or try to dispose of the malware if I can get in and do it myself. Pretty sure that’s illegal though, so I’m purely speaking in the hypothetical here.