Closed GoogleCodeExporter closed 9 years ago
This looks like normal HonSSH activity. When HonSSH first starts up it connects
to the Honeypot enough to work out what the Honeypot's SSH server's version is.
It then uses this information later to present to an attacker.
Have you tried SSH'ing into the HonSSH box after starting HonSSH? Do you access
the Honeypot by doing this? Is your connection logged?
Original comment by tnn...@googlemail.com
on 12 Mar 2014 at 6:07
Hello, thanks for the reply. Yes, I can connect to SSH and I can enter commands, but
the activity is not logged. I use openssh-server 1:6.0p1-4 on Linux Debian 7.4 as the
honeypot, and HonSSH is installed on Linux Debian 7.4. I use the latest
version of HonSSH. In iptables I set 2 rules:
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 172.16.0.2:22
iptables -A FORWARD -p tcp --syn --dport 22 -m connlimit --connlimit-above 1 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
Can you help me please? What is the problem?
Original comment by premat...@gmail.com
on 12 Mar 2014 at 7:52
Can you post your config file (or just the addr parts) and tell me what address
you're SSHing into?
Original comment by tnn...@googlemail.com
on 12 Mar 2014 at 8:14
My config file http://pastebin.com/RLTgZAZe
      3)                  2)  1)
       \                   \   \
/----------\         |--------|         |----------|
| Internet |---------| HonSSH |---------| HoneyPot |
\----------/         |--------|         |----------|
                          \
                    NAT and Firewall

1) 172.16.0.1
2) 172.16.0.2
3) my public external IP address
Thank you for help.
Original comment by premat...@gmail.com
on 12 Mar 2014 at 10:26
All is fine. Just noticed your iptables rule is prerouting SSH packets around
HonSSH to the honeypot. Try removing the rules and SSHing into it again, check
the logs are working. Then look at how to implement NAT on the box without
implementing port forwarding.
Original comment by tnn...@googlemail.com
on 13 Mar 2014 at 6:15
Thanks. I am sorry, but I made one mistake in my previous post: 2) is
172.16.0.1 and 1) is 172.16.0.2.
OK, I am going to look at how to implement NAT without implementing port
forwarding. But do you know of any example, please?
Original comment by premat...@gmail.com
on 13 Mar 2014 at 10:30
That's fine as long as they are on the same subnet.
Google is your friend:
eth0 = the interface at 3)
eth1 = the interface at 2)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Afterwards I would advise locking down the firewall to specific ports and rate
limiting the connections.
Original comment by tnn...@googlemail.com
on 13 Mar 2014 at 11:32
Thank you for help.
Original comment by premat...@gmail.com
on 13 Mar 2014 at 11:32
Original issue reported on code.google.com by
premat...@gmail.com
on 11 Mar 2014 at 11:11