sshesame is an easy-to-use SSH honeypot that accepts all SSH connections and logs attacker activity without executing commands on the host.
An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in and logs their activity
This tool is designed for security professionals and system administrators who want to detect and analyze unauthorized SSH access attempts by deploying a fake SSH server that logs all interactions. It helps in intrusion detection and threat hunting by capturing attacker behavior without risking the host system.
The sshesame package in official Debian repositories may be outdated; it is recommended to build from source or use the latest GitHub releases. When using Docker with a custom config, ensure the server.listen_address is set to listen on all interfaces (e.g., 0.0.0.0:2022) to enable proper port forwarding. Logs are written to standard output by default but can be redirected to files via configuration.
git clone https://github.com/jaksi/sshesame.git
cd sshesame
go build
Alternatively, download pre-built binaries from the GitHub Releases page
Use Docker images available on the GitHub Packages page for easy deploymentsshesame -h
Displays help and usage information for sshesame
sshesame -config /path/to/config.yaml
Starts sshesame with a specified configuration file
sshesame -data_dir /path/to/data
Specifies the directory to store generated host keys and data
docker run -it --rm -p 127.0.0.1:2022:2022 -v sshesame-data:/data ghcr.io/jaksi/sshesame
Runs sshesame in a Docker container with port forwarding and persistent data volume