SSH Honeypot
Detect credential theft targeting SSH servers.
About SSH
SSH (Secure Shell) is the standard protocol for secure remote server access. SSH credentials provide direct command-line access to servers, making them one of the most valuable targets for attackers. Compromised SSH keys or passwords can give attackers full control over production infrastructure.
What Gets Captured
When an attacker attempts to connect using your SSH honeypot credentials, Tripwires captures:
- Username - The username sent in the connection attempt
- Source IP - The attacker's IP address
- Timestamp - Exact time of the connection
- Client version - The SSH client identification string
Connection String Formats
SSH credentials can be planted in various formats depending on your tech stack:
SSH Command
ssh user@ssh-xxx.gettripwires.com
SSH with Port
ssh -p 22 user@ssh-xxx.gettripwires.com
SSH Config (~/.ssh/config)
Host production-server
    HostName ssh-xxx.gettripwires.com
    User user
    Port 22
    IdentityFile ~/.ssh/id_rsa
Ansible Inventory
[production]
ssh-xxx.gettripwires.com ansible_user=user ansible_ssh_private_key_file=~/.ssh/id_rsa
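An added example, not part of the Tripwires documentation or product: a small Python scanner that finds decoy entries in the formats listed above, for keeping an inventory of which files carry a planted credential. The function name, the `.gettripwires.com` suffix match and the sample text are assumptions, and ssh_config parsing is simplified to whitespace-separated `Key Value` lines.

```python
import re

# Assumption: every decoy hostname ends with the suffix used in this page's examples.
DECOY_SUFFIX = ".gettripwires.com"
SSH_CMD = re.compile(r"\bssh\s+(?:-p\s+\d+\s+)?(?P<user>[\w.-]+)@(?P<host>[\w.-]+)")
ANSIBLE = re.compile(r"^(?P<host>[\w.-]+)\s.*\bansible_user=(?P<user>\S+)")
PORT = re.compile(r"(?:-p\s+|\bansible_port=)(\d+)")
CONFIG_KEYS = {"hostname": "host", "user": "user", "port": "port"}
# Constructed sample mixing the formats above with one real (non-decoy) host.
SAMPLE = """\
ssh -p 22 user@ssh-xxx.gettripwires.com
Host production-server
    HostName ssh-xxx.gettripwires.com
    User user
Host real-box
    HostName 10.0.0.5
[production]
ssh-xxx.gettripwires.com ansible_user=user
"""

def find_decoys(text, suffix=DECOY_SUFFIX):
    """Return one dict per decoy reference in text, ordered by 1-based line number."""
    found, block = [], None
    def close_block():
        # Keep a finished ssh_config Host block only if it points at a decoy host.
        if block and block.get("host", "").endswith(suffix):
            found.append(block)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "host":  # a new ssh_config block begins
            close_block()
            block = {"format": "ssh_config", "line": lineno, "port": 22}
        elif block is not None and key in CONFIG_KEYS:
            block[CONFIG_KEYS[key]] = value if key != "port" else int(value) if value.isdigit() else 22
        else:  # one-line formats: ssh command or Ansible inventory entry
            m, fmt = SSH_CMD.search(line), "ssh_command"
            if not m:
                m, fmt = ANSIBLE.match(line), "ansible_inventory"
            if m and m["host"].rstrip(".").endswith(suffix):
                pm = PORT.search(line)
                found.append({"format": fmt, "line": lineno, "host": m["host"].rstrip("."),
                              "user": m["user"], "port": int(pm[1]) if pm else 22})
    close_block()
    return sorted(found, key=lambda hit: hit["line"])
```

Running `find_decoys` over the text of a config file, inventory or runbook returns the decoy entries with their line numbers, which can be recorded alongside the file path.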
Strategic Placement Ideas
SSH Config Files
Leave in ~/.ssh/config as an old 'jump server' entry.
Ansible/Terraform Configs
Add as 'bastion host' in infrastructure-as-code files.
Runbooks & Documentation
Include as 'emergency access' server in internal runbooks.