sshpot: A Simple SSH Honeypot for Logging Login Attempts

Summary

sshpot is a straightforward SSH honeypot designed to capture login attempts. It logs usernames, passwords, IP addresses, and timestamps without ever authenticating users. This tool is useful for security research and monitoring malicious activity.

Repository Info

Updated on April 2, 2026

Introduction

sshpot is a simple and effective SSH honeypot designed to capture and log login attempts. It functions as an SSH server that never authenticates users, instead focusing on recording valuable information such as usernames, passwords, IP addresses, and the time of each login attempt. This tool is particularly useful for security researchers and system administrators looking to monitor and analyze malicious activity targeting SSH services.

You can find the official repository here: sshpot GitHub Repository

Installation

To get sshpot up and running, follow these steps:

  1. Generate an RSA public key: This key will be used by the server.
    ssh-keygen -t rsa
    
  2. Edit config.h: Set your desired options. You must specify the path to the RSA public key generated in step one using RSA_KEYFILE. Also, ensure LOGFILE is set to a location where the user running sshpot has write permissions.
  3. Compile the software:
    make
    # make install (optional, but necessary to listen on ports < 1024)
    

Examples

Once compiled, you can run sshpot with the following options:

    sshpot [-h] [-p <port>]

  • -h, --help: Display usage information.
  • -p <port>, --port <port>: Specify the port to listen on; defaults to 22.

To run sshpot on the default SSH port (22):

    sudo sshpot

To run sshpot on a custom port, for example, port 2222:

    sshpot -p 2222

Why Use sshpot?

sshpot offers a straightforward solution for gathering threat intelligence. By deploying this honeypot, you can:

  • Monitor Malicious Activity: Observe and record attempts to brute-force or compromise SSH services.
  • Collect Credentials: Log usernames and passwords used in attempted logins, providing insights into common attack patterns.
  • Understand Attack Vectors: Analyze the source IP addresses and timing of attacks to better understand who is targeting your systems and when.
  • Simplicity: Its design is minimal, making it easy to deploy and manage without complex configurations.
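
The analysis described in the list above, as an added example that is not part of the sshpot project: a small parser that summarizes a honeypot log and flags bursts of attempts from one IP. The log layout (`<date> <time> <ip> <username> <password>`, space-separated), the function names and the burst threshold are assumptions; check your own LOGFILE before relying on them. Every logged field is attacker-supplied, so the parser escapes non-printable characters before the values reach a terminal or report.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. Assumed layout (not confirmed by the page):
# "<YYYY-MM-DD HH:MM:SS> <ip> <username> <password>", one attempt per line.
SAMPLE_LOG = """\
2026-04-02 10:00:01 203.0.113.5 root 123456
2026-04-02 10:00:02 203.0.113.5 root password
2026-04-02 10:00:03 203.0.113.5 admin admin
2026-04-02 10:00:04 203.0.113.5 root pass with spaces
2026-04-02 11:30:00 198.51.100.7 pi raspberry
2026-04-02 12:45:00 198.51.100.7 root 123456
this line is malformed
"""

def printable(field):
    """Escape non-printable characters: every field is attacker-supplied."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in field)

def parse_line(line):
    """Return (timestamp, ip, user, password), or None for malformed lines."""
    parts = line.rstrip("\n").split(" ", 4)  # password keeps its spaces
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, parts[2], printable(parts[3]), printable(parts[4])

def summarize(lines, burst=3, window=timedelta(seconds=60)):
    """Count credential pairs and flag IPs with >= burst attempts inside window."""
    creds, by_ip, skipped = Counter(), defaultdict(list), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ts, ip, user, pw = rec
        creds[(user, pw)] += 1
        by_ip[ip].append(ts)
    bursty = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                bursty.add(ip)
                break
    return creds, bursty, skipped

if __name__ == "__main__":
    creds, bursty, skipped = summarize(SAMPLE_LOG.splitlines())
    print(creds.most_common(3), sorted(bursty), skipped)
```

A username containing a space cannot be told apart from the start of the password in a space-separated layout, so treat the user/password split as approximate for such lines.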
