Docker ssh honeypot and ddclient

Recently cleaned house and did a fresh OS install, and when I was about to reinitialize my edge VM I realized that everything I had been using my virtual Debian server for can now be done with Docker.

And then some! Basically I was using a virtual server as a file share, an ssh gateway, a web server, and as a ddclient with Google Domains.

I also wanted to create a honeypot because I’m always getting spammed. The honeypot is not super-advanced but for now, I get a steady stream of common usernames and passwords. Also, IPs to “investigate.” I’d love to go farther with this, but of course, who has the time?

my honeypot brings all the bots to the yard

ddclient image

I recently came across the linuxserver collection of docker images, including the one for ddclient. Super easy to set up (just point your image at the ddclient.conf), using something like

docker run -d --name=ddclient -e PUID=1000 -e PGID=1000 -e TZ=America/New_York -v ./docker/:/config --restart unless-stopped linuxserver/ddclient

Now, my IP stays fresh and the service runs all the time without eating into my resources.

the ssh-honey honeypot

I am using this image: txt3rob/docker-ssh-honey for starters. Now, I’ve nat’d my external port 22 to point to the machine where the image is running, and I’ve got it exposed on port 2022, so my command looks like this:

docker run -i -p 2022:22 --name=ssh-honey --restart unless-stopped txt3rob/docker-ssh-honey -e bin/ssh-honeypot -b -d

dynamic dns with google domains using ddclient on debian

Note: there’s a newer post covering this topic that involves containerization

After putting it off for ages due to a perceived PITA process, I finally decided to check out how to set up dynamic DNS to point at one of my servers that’s behind a changing IP. I was pleased at how surprisingly easy it is.

prereqs

I’m running Debian 8 in a KVM VM, using bridged networking to give my web server its own identity.
The only package required is ddclient.

configure google domains

Jump to the synthetic records section under your Google Domains DNS settings and add the subdomain you want to forward to your dynamic host:

If you click on that blue “view credentials” link you’ll see the username and password Google has randomly generated for you. You’ll need those details when you edit your ddclient.conf. Note that until I’ve set up the config, the “data” section here shows 0.0.0.0 as my IP.

configure ddclient

For my setup, I’ve got several subdomains I want to forward to the same host. After checking out the ddclient manual, I’ve edited my ddclient.conf similar to the below:

protocol=dyndns2
use=web
server=domains.google.com
ssl=yes
protocol=dyndns2, login=host1login, password='host1password'
custom-subdomain.your-host1.com
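
A quick audit of the ddclient.conf layout above, as an added example that is not from the original post or from ddclient. It uses a simplified reading of the file format (the parsing rules, SAMPLE and the function names are assumptions made here) and flags a config that is accessible beyond its owner or that would send the login and password without ssl=yes.

```python
import os
import re
import stat

# Constructed sample: the layout shown above with ssl=yes left out.
SAMPLE = """protocol=dyndns2
use=web
server=domains.google.com
protocol=dyndns2, login=host1login, password='host1password' \\
custom-subdomain.your-host1.com
"""

def parse_ddclient_conf(text):
    """Return {hostname: settings}. Simplified: '#' is a comment only at the
    start of a line, and values contain no spaces or commas."""
    joined = re.sub(r"\\\s*\n", " ", text)   # join backslash-continued lines
    defaults, hosts = {}, {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, names = {}, []
        for token in re.split(r"[,\s]+", line):
            if "=" in token:
                key, value = token.split("=", 1)
                opts[key] = value.strip("'\"")
            elif token:
                names.append(token)
        if names:                            # host line: defaults plus its own options
            for name in names:
                hosts[name] = {**defaults, **opts}
        else:                                # options-only line updates the defaults
            defaults.update(opts)
    return hosts

def audit(text, mode, label="ddclient.conf"):
    """Return findings for config text stored with the given permission bits."""
    findings = []
    if mode & 0o077:
        findings.append(f"{label}: mode {mode:04o} is open to group/other and holds DNS credentials")
    for name, opts in sorted(parse_ddclient_conf(text).items()):
        if opts.get("ssl") != "yes":
            findings.append(f"{name}: ssl=yes not set, login and password would be sent in cleartext")
        if not (opts.get("login") and opts.get("password")):
            findings.append(f"{name}: no login/password in effect")
    return findings

def audit_file(path):
    """Audit a config on disk, e.g. the file bind-mounted into the container."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode), path)
```

Running audit_file against the host-side copy of the config that the container mounts at /config checks the permissions that actually protect the credentials.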

test the ddclient configuration

The best way to test your configuration is by running the following command:
ddclient -daemon=0 -noquiet -verbose -debug
This will iterate all of your configured values and then give you pretty detailed debug output.

In the above, my subd.your-host1.com was a new host I added to the config, whereas subd.your-host2.com is one which I’d already updated during a prior test.

verify google has your ip

The final step to make sure everything looks good here is to refresh your Google Domains DNS settings page. What you should see, as I do, is the data section now reflecting the IP for your dynamic host.

I also verified my /etc/default/ddclient config to make sure it’s got run_daemon set to true. When I installed ddclient via aptitude this was done automatically, but you may want to double check yours if you find your client doesn’t update regularly. My default config looks like this:


# Configuration for ddclient scripts
# generated from debconf on Sun Feb 21 12:51:42 EST 2016
#
# /etc/default/ddclient
run_dhclient="false"
run_daemon="true"
daemon_interval="300"