SSH Honeypot Enterprise Community
The SSH service presents an SSH banner and login prompt, captures every authentication attempt, and closes or denies access.
Enterprise configuration
Configure from Trapsters → device → Services → SSH:
| Parameter | Description |
|---|---|
port | Listen port (default 22) |
version | SSH banner string (match your environment) |
banner | Optional pre-authentication MOTD |
Every password and public-key attempt is logged. Authentication always fails from the attacker's perspective.
Community configuration
"ssh": [
{
"port": 2222,
"version": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7",
"banner": null,
"users": {}
}
]AI
Community's users map accepts a configured password and drops the attacker into an AI-generated shell session. That is useful for malware research, training, and fingerprinting studies, but interactive honeypots are well-known to scanners and experienced attackers. Do not rely on this mode for operational deception.
Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
port | integer | (required) | TCP port |
version | string | SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 | SSH version string |
banner | string | null | Pre-authentication banner |
users | object | {} | Community only. username → password pairs that unlock the AI shell |
Leave users empty for Enterprise-style behavior: log every attempt, accept no session.
Research example (Community)
Matching credentials unlock an AI shell when AI dependencies are installed:
"ssh": [{
"port": 2222,
"version": "SSH-2.0-OpenSSH_8.1p1 Debian-1",
"banner": null,
"users": {
"guest": "guest",
"admin": "admin",
}
}]When optional AI dependencies are installed, a matching login enters a simulated shell with AI-generated command output. All other attempts are logged and rejected.
Version strings
Match servers on your network:
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7
SSH-2.0-OpenSSH_7.4What gets captured
| Event | Fields |
|---|---|
| Connection made | Source IP and port |
| Login attempt | Username and password (password auth), or key type, data, and fingerprint (public-key auth) |
| Data sent | Session data when a Community AI shell is active |
