Feb  7 00:19:44 localhost haproxy[1283]: ::ffff:111.207.91.116:36088 [07/Feb/2025:00:19:41.065] git-ssh git-ssh/srv-1 1/0/3483 1793 -- 1/1/0/0/0 0/0
Feb  7 00:22:40 localhost haproxy[1283]: ::ffff:111.207.91.116:35140 [07/Feb/2025:00:22:31.982] git-ssh git-ssh/srv-1 1/0/8470 1793 -- 1/1/0/0/0 0/0
...
Feb  7 01:24:17 localhost haproxy[1283]: ::ffff:111.207.91.116:43500 [07/Feb/2025:01:24:14.251] git-ssh git-ssh/srv-1 1/0/3305 1793 -- 1/1/0/0/0 0/0
Feb  7 01:27:00 localhost haproxy[1283]: ::ffff:111.207.91.116:42550 [07/Feb/2025:01:26:57.266] git-ssh git-ssh/srv-1 1/0/2972 1793 -- 1/1/0/0/0 0/0
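# Create a dedicated chain that holds only the rules blocking abusive source IPs.
# Run as root (the later commands on this page use sudo).
# The guards make the snippet safe to re-run: a bare -N fails when the chain
# already exists, and a second -I would add a duplicate jump rule.
iptables -nL BAN-INPUT >/dev/null 2>&1 || iptables -N BAN-INPUT
# Insert the jump at position 1 so BAN-INPUT is evaluated before every other INPUT rule.
iptables -C INPUT -j BAN-INPUT 2>/dev/null || iptables -I INPUT 1 -j BAN-INPUT
# Caveats: iptables covers IPv4 only, so native IPv6 clients need matching
# ip6tables rules. Rules added this way are not saved across a reboot unless
# they are persisted separately.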

# Add 111.207.91.116, the client seen throughout the haproxy git-ssh log above, to BAN-INPUT.
# haproxy prints it as ::ffff:111.207.91.116, the IPv4-mapped form, so the
# connection arrives over IPv4 and this IPv4 rule applies to it.
# -A appends to the end of the chain; DROP discards the packets without any reply.
ubuntu@VM-12-7-ubuntu:~/pods/ssh-honeypot$ sudo iptables -A BAN-INPUT -s 111.207.91.116 -j DROP

# List the iptables rules with packet/byte counters (-v) and numeric addresses (-n).
# A non-zero pkts counter on a DROP rule in BAN-INPUT confirms the ban is matching traffic.
ubuntu@VM-12-7-ubuntu:~/pods/ssh-honeypot$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 162K packets, 50M bytes)
 pkts bytes target     prot opt in     out     source               destination
 171K   50M BAN-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 7902  677K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 168K packets, 28M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain BAN-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  492 29520 DROP       all  --  *      *       111.207.91.116       0.0.0.0/0
    0     0 DROP       all  --  *      *       2.57.122.117         0.0.0.0/0
    0     0 DROP       all  --  *      *       193.32.162.8         0.0.0.0/0
    0     0 DROP       all  --  *      *       193.32.162.49        0.0.0.0/0
    0     0 DROP       all  --  *      *       193.32.162.6         0.0.0.0/0
    0     0 DROP       all  --  *      *       193.32.162.5         0.0.0.0/0
    0     0 DROP       all  --  *      *       195.178.110.0/24     0.0.0.0/0
# Start the SSH honeypot as a detached, locked-down container:
#   -p 2222:22                    publish host port 2222 to container port 22
#   --memory 2M / --cpus 0.01     hard resource limits for the container
#   --cap-drop=all                drop every Linux capability ...
#   --cap-add=NET_BIND_SERVICE    ... except the one for binding ports below 1024 (the container side is port 22)
#   --read-only                   mount the container root filesystem read-only
#   --user=10001:10001            run the process as an unprivileged uid:gid
# NOTE(review): ":edge" is a mutable tag, so the image content can change between pulls.
#   Consider pinning a verified digest (wildwildangel/tiny-ssh-honeypot@sha256:<digest>).
# NOTE(review): the sample log below reports the peer as 10.0.2.100, not a public address.
#   That looks like rootless Podman's slirp4netns NAT address, so the honeypot may not see
#   the real client IP and its log could not feed BAN-INPUT. The
#   "--network slirp4netns:port_handler=slirp4netns" option is meant to preserve the source
#   address. TODO: confirm for the Podman version and network backend in use.
podman run --name ssh-honeypot \
        -d \
        -p 2222:22 \
        --memory 2M \
        --cpus 0.01 \
        --cap-drop=all \
        --cap-add=NET_BIND_SERVICE \
        --read-only \
        --user=10001:10001 \
        wildwildangel/tiny-ssh-honeypot:edge

# Follow the honeypot's log output (-f keeps streaming new lines).
# The log records every attempted username and password in clear text, so treat it as
# sensitive: a legitimate user who reaches this port by mistake would leave real credentials in it.
ubuntu@VM-12-7-ubuntu:~/pods/ssh-honeypot$ podman logs -f ssh-honeypot
2025-02-07 08:31:43 tiny-ssh-honeypot: [10.0.2.100:48666 => 10.0.2.100:22]: incoming connection
2025-02-07 08:31:48 tiny-ssh-honeypot: [10.0.2.100:48666 => 10.0.2.100:22]: login attempt for user: ubuntu (password: 11)
2025-02-07 08:31:49 tiny-ssh-honeypot: [10.0.2.100:48666 => 10.0.2.100:22]: login attempt for user: ubuntu (password: 22)
2025-02-07 08:31:50 tiny-ssh-honeypot: [10.0.2.100:48666 => 10.0.2.100:22]: login attempt for user: ubuntu (password: 33)
2025-02-07 08:31:50 tiny-ssh-honeypot: [10.0.2.100:48666 => 10.0.2.100:22]: SSH error: IO error
2025-02-07 08:31:50 tiny-ssh-honeypot: [10.0.2.100:48666 => 10.0.2.100:22]: closing connection