The NetWatch SSH-AttackPod is a modified OpenSSH server that records any attempted username/password combinations along with the source IP. This data is sent to the central NetWatch collector, which processes it and sends out abuse notifications as necessary.
To be able to run a SSH-AttackPod you need:
- to have Docker installed
- obtain an API-key
- public IP address: If the system you are running SSH-AttackPod on is not reachable over the internet you have to configure port forwarding on your firewall
1. Obtain an API-key from Netwatch
To run a SSH-AttackPod you need an API-key to be able to submit your results. To request an API-key:
- Go to NetWatch community
- Click: Join the community.
- Enter your email address and you will receive your API-key
To download the SSH-AttackPod and all necessary files clone the repository from Github.
git clone https://github.com/NetWatch-team/SSH-AttackPod.gitIn the cloned repository copy the file template.env to .env and populated with the API-key your received from the Team.
-
Change the directory:
cd ~/SSH-AttackPod
-
Copy the file:
cp template.env .env
-
Edit the
.envfile and add your API-key:NETWATCH_COLLECTOR_AUTHORIZATION=<API_KEY_FROM_NETWATCH_TEAM>
To start the container, run the following commands in the directory where the repository resides with the file: docker-compose.yml [. e.g.: ~/SSH-AttackPod].
This command will start the docker container detached and when successfull it will show the logs for this docker container.
docker compose up --force-recreateWhen you're finished reviewing, you can stop with [Ctrl-C].
-
Edit the
.envfile and change NETWATCH_TEST_MODE to false:NETWATCH_TEST_MODE=false
-
Start SSH-AttackPod in background (detached)
docker compose up --force-recreate -d && docker compose logs -tfWhen you're finished reviewing, you can stop the log output with [Ctrl-C].
When your SSH-AttackPod is running, all login attempts are being send to the Netwatch project. This may include any attempt of you to test the system or when you try to login with your normal username and password for your system!
If you want to test whether the AttackPod is working as expected, you can enable TEST_MODE by adding NETWATCH_TEST_MODE=true to your .env file. This will configure the AttackPod to register and submit the attacks, but the backend will discard them and not take further action.
Please remember to revert this change once you have completed your testing!
NetWatch SSH-AttackPod depends on Docker and Docker Compose to be installed.
To install Docker, follow the Docker Installation instructions. For Ubuntu-based systems, the steps are as follows:
-
Add Docker's official GPG key and execute the following commands:
sudo apt-get update sudo apt-get install ca-certificates curl sudo install -m 0755 -d /etc/apt/keyrings sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc sudo chmod a+r /etc/apt/keyrings/docker.asc echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-
Verify that Docker and Docker Compose are running by using the following commands:
docker version docker compose version
If you want to run SSH-AttackPod on ssh's default port 22 you can do by changing the NETWATCH_PORT in the .env file
-
Edit the
.envfile and change NETWATCH_PORT:NETWATCH_PORT=22
If you have already an sshd running it's default port is 22 so you must change the port of your sshd to another port. In these instructions we move it to port 2222. You need root privileges to do this.
Beware! If your system is not reachable directly (e.g. it's behind a firewall) and you have a port forwarding to the system ensure that when changing sshd's port that the port forwarding rule in your firewall is changed to the new port! Otherwise you will lose access!
Depending on Linux distribution you use you may need to reconfigure /etc/ssh/sshd_config or ssh.socket.
- Reconfigure the sshd_config file:
- Open
sshd_configwith your favourite editor (here it is vim):sudo vim /etc/ssh/sshd_config
- Find the line
#Port 22, remove the#, and change the port number to one of your choice (2222 for example). - Restart sshd or reboot your system:
sudo systemctl restart sshd
- Open
- Change port in ssh.socket:
- Edit ssh.socket:
sudo systemctl edit ssh.socket - Add this text before
### Lines below this comment will be discarded:[Socket] ListenStream=2222 - Restart ssh.socket:
sudo systemctl restart ssh.socket - Verify if ssh.socket is running:
systemctl status ssh.socket
- Edit ssh.socket:
If you want to build SSH-AttackPod from source you can do by:
docker compose build --no-cache