New Article: Diskless true SSH honeypot using Alpine Linux
The goal of this article is to set up a honeypot that records unauthorized SSH authentication attempts and so identifies the IP addresses that are targeting SSH services. To achieve this we set up a virtual machine running Alpine Linux in diskless mode with OpenSSH enabled, a real sshd rather than an emulated service, which is what makes it a "true" honeypot. In diskless mode the operating system runs entirely from RAM, so any data or configuration changes, including anything an attacker leaves behind, are lost when the system restarts. Because that also discards our own configuration, we take a snapshot of the virtual machine once it is configured so that it can be restored instantly after a power loss or a restart. The Alpine Linux system forwards its SSH logs to AlienVault (OSSIM), which is used for reporting and for generating actionable alerts.
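As an added example that is not part of the original article, the following Python script shows the kind of correlation the OSSIM side performs on the forwarded sshd logs: it parses the authentication messages a real OpenSSH daemon writes to syslog (both the plain "host sshd[pid]:" form and busybox syslogd's facility-tagged "host auth.info sshd[pid]:" form), aggregates them per source IP, and turns them into alerts. The log lines, hostname and IP addresses are constructed for the example (RFC 5737 documentation ranges), and the severity scheme is an assumption, not OSSIM's.

```python
"""Correlate OpenSSH honeypot logs into attacker IPs and alerts.

Added example, not code from the article. The sample log lines are constructed
(RFC 5737 documentation addresses); the severity levels are an assumption.
"""
import re
from collections import defaultdict

# Syslog line as written by rsyslog ("host sshd[pid]:") or by busybox syslogd,
# which inserts a "facility.priority" token ("host auth.info sshd[pid]:").
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ (?:\S+\.\S+ )?sshd\[\d+\]: (?P<msg>.*)$"
)

IP = r"(?P<ip>[0-9a-fA-F.:]+)"
# OpenSSH authentication messages, most specific first. The user name is \S*
# because OpenSSH logs an empty user name as "invalid user  from ..." (two spaces).
EVENT_PATTERNS = [
    ("accepted", re.compile(rf"^Accepted \S+ for (?P<user>\S+) from {IP} port \d+")),
    ("failed", re.compile(rf"^Failed \S+ for (?:invalid user )?(?P<user>\S*) from {IP} port \d+")),
    ("invalid_user", re.compile(rf"^Invalid user (?P<user>\S*) from {IP} port \d+")),
    ("preauth_close", re.compile(
        rf"^Connection closed by (?:authenticating|invalid) user (?P<user>\S*) {IP} port \d+ \[preauth\]")),
    ("probe", re.compile(rf"^Connection closed by {IP} port \d+ \[preauth\]")),
]


def parse_sshd_event(line):
    """Return a dict with 'event', 'ip' and (where logged) 'user', or None for noise."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    for event, pattern in EVENT_PATTERNS:
        em = pattern.match(m.group("msg"))
        if em:
            info = {"event": event, **em.groupdict()}
            if "user" in info:
                info["user"] = info["user"] or "<empty>"
            return info
    return None


def summarize(lines):
    """Aggregate per source IP: failed logins, pre-auth disconnects, accepted logins, users tried."""
    per_ip = defaultdict(lambda: {"attempts": 0, "probes": 0, "accepted": 0, "users": set()})
    for line in lines:
        ev = parse_sshd_event(line)
        if ev is None:
            continue  # key exchange chatter, disconnect notices, non-sshd lines
        entry = per_ip[ev["ip"]]
        if ev["event"] == "failed":
            entry["attempts"] += 1
        elif ev["event"] == "accepted":
            entry["accepted"] += 1
        elif ev["event"] in ("preauth_close", "probe"):
            entry["probes"] += 1
        if "user" in ev:  # "invalid_user" only contributes to the list of names tried
            entry["users"].add(ev["user"])
    return dict(per_ip)


def build_alerts(summary):
    """One alert per IP. Nothing legitimate ever logs in to a honeypot, so a single
    failed attempt is actionable and any accepted login is critical (assumed scheme)."""
    alerts = []
    for ip, e in sorted(summary.items()):
        users = ",".join(sorted(e["users"])) or "-"
        if e["accepted"]:
            alerts.append(("critical", ip, f"successful login on honeypot as {users}; restore host from snapshot"))
        elif e["attempts"]:
            alerts.append(("high", ip, f"{e['attempts']} failed SSH logins, users tried: {users}"))
        elif e["probes"]:
            alerts.append(("low", ip, f"{e['probes']} connection(s) dropped before authentication"))
    return alerts


def targeting_ips(summary):
    """IPs that actually submitted credentials: the feed to block or watch elsewhere."""
    return sorted(ip for ip, e in summary.items() if e["attempts"] or e["accepted"])


# Constructed sample log (not real traffic): the first two lines use the busybox
# syslogd format a diskless Alpine host writes, the rest plain syslog format.
SAMPLE_LOG = """\
Jan 12 10:00:01 honeypot auth.info sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
Jan 12 10:00:01 honeypot auth.info sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:04 honeypot sshd[2105]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 12 10:00:06 honeypot sshd[2105]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 12 10:00:09 honeypot sshd[2110]: Connection closed by 198.51.100.7 port 40022 [preauth]
Jan 12 10:00:15 honeypot sshd[2114]: Invalid user  from 198.51.100.8 port 40100
Jan 12 10:00:15 honeypot sshd[2114]: Connection closed by invalid user  198.51.100.8 port 40100 [preauth]
Jan 12 10:01:02 honeypot sshd[2120]: Accepted password for root from 192.0.2.9 port 3344 ssh2
Jan 12 10:01:05 honeypot sshd[2120]: Received disconnect from 192.0.2.9 port 3344:11: disconnected by user
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for sev, ip, msg in build_alerts(summary):
        print(f"[{sev.upper():8}] {ip:15} {msg}")
    print("targeting IPs:", targeting_ips(summary))
```

The distinction between "probes" and "attempts" matters for a honeypot: scanners that only complete the TCP handshake and banner exchange show up as pre-auth disconnects, while anything that submits a password is a credential attack and belongs on the blocklist. On the Alpine host itself no code is needed for the forwarding: busybox syslogd's `-R host:port` option (set through SYSLOGD_OPTS in /etc/conf.d/syslog) ships these same lines to the collector.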