SSH Honeypot Enterprise Community

The SSH service presents an SSH banner and login prompt, captures every authentication attempt, and closes or denies access.

Enterprise configuration

Configure from Trapsters → device → Services → SSH:

| Parameter | Description |
|---|---|
| port | Listen port (default 22) |
| version | SSH banner string (match your environment) |
| banner | Optional pre-authentication MOTD |

Every password and public-key attempt is logged. Authentication always fails from the attacker's perspective.

Community configuration

json
"ssh": [
  {
    "port": 2222,
    "version": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7",
    "banner": null,
    "users": {}
  }
]

AI

Community's users map accepts a configured password and drops the attacker into an AI-generated shell session. That is useful for malware research, training, and fingerprinting studies, but interactive honeypots are well known to scanners and experienced attackers. Do not rely on this mode for operational deception.

Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| port | integer | (required) | TCP port |
| version | string | SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 | SSH version string |
| banner | string | null | Pre-authentication banner |
| users | object | {} | Community only. username/password pairs that unlock the AI shell |

Leave users empty for Enterprise-style behavior: log every attempt, accept no session.

Research example (Community)

Matching credentials unlock an AI shell when AI dependencies are installed:

json
"ssh": [{
  "port": 2222,
  "version": "SSH-2.0-OpenSSH_8.1p1 Debian-1",
  "banner": null,
  "users": {
    "guest": "guest",
    "admin": "admin"
  }
}]

When optional AI dependencies are installed, a matching login enters a simulated shell with AI-generated command output. All other attempts are logged and rejected.

Version strings

Match servers on your network:

SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7
SSH-2.0-OpenSSH_7.4
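
A lint pass over the Community `ssh` block, added here as an example (not the project's own code): it checks each entry against the Parameters table, validates `version` against the RFC 4253 identification-string grammar, compares it with banners collected from your own servers, and reports entries whose `users` map enables the interactive shell. The function name, the `observed_banners` argument and the sample config are constructed for illustration.

```python
import json
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments".
# softwareversion is printable US-ASCII without whitespace or '-'.
IDENT_RE = re.compile(r"^SSH-2\.0-[\x21-\x2c\x2e-\x7e]+( [\x20-\x7e]+)?$")
DEFAULT_VERSION = "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7"  # default from the Parameters table

def lint_ssh_services(services, observed_banners=()):
    """Return (index, field, message) findings for a list of "ssh" entries (hypothetical helper)."""
    findings = []
    for i, svc in enumerate(services):
        port = svc.get("port")
        if type(port) is not int or not 1 <= port <= 65535:
            findings.append((i, "port", "required integer in 1..65535"))
        version = svc.get("version", DEFAULT_VERSION)
        # 255-byte limit in the RFC includes the trailing CR LF, hence 253 here.
        if not isinstance(version, str) or not IDENT_RE.match(version) or len(version) > 253:
            findings.append((i, "version", "not a valid SSH-2.0 identification string"))
        elif observed_banners and version not in observed_banners:
            findings.append((i, "version", "does not match any banner observed on this network"))
        banner = svc.get("banner")
        if banner is not None and not isinstance(banner, str):
            findings.append((i, "banner", "must be null or a string"))
        users = svc.get("users", {})
        if not isinstance(users, dict):
            findings.append((i, "users", "must be an object"))
        elif users:
            # Non-empty users switches the entry from log-and-reject to the AI shell.
            findings.append((i, "users", "interactive AI shell enabled for: " + ", ".join(sorted(users))))
    return findings

# Constructed sample config (wrapped in braces so it parses as a JSON document).
SAMPLE = """{"ssh": [
  {"port": 2222, "version": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "banner": null, "users": {}},
  {"port": 2223, "version": "SSH-2.0-OpenSSH_8.1p1 Debian-1", "banner": null, "users": {"guest": "guest"}},
  {"port": 70000, "version": "OpenSSH_7.4", "banner": 5, "users": {}}
]}"""
# Constructed set of banners recorded from real servers on the defended network.
OBSERVED = {"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"}

if __name__ == "__main__":
    for finding in lint_ssh_services(json.loads(SAMPLE)["ssh"], OBSERVED):
        print(finding)
```
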

What gets captured

| Event | Fields |
|---|---|
| Connection made | Source IP and port |
| Login attempt | Username and password (password auth), or key type, data, and fingerprint (public-key auth) |
| Data sent | Session data when a Community AI shell is active |