An SSH Honeypot Architecture Using Port Knocking and Intrusion Detection System

This paper proposes an architecture of Secure Shell (SSH) honeypot using port knocking and Intrusion Detection System (IDS) to learn the information about attacks on SSH service and determine proper security mechanisms to deal with the attacks. Rapid development of information technology is directly proportional to the number of attacks, destruction, and data theft of a system. SSH service has become one of the popular targets from the whole vulnerabilities which is existed. Attacks on SSH service have various characteristics. Therefore, it is required to learn these characteristics by typically utilizing honeypots so that proper mechanisms can be applied in the real servers. Various attempts to learn the attacks and mitigate them have been proposed, however, attacks on SSH service are kept occurring. This research proposes a different and effective strategy to deal with the SSH service attack. This is done by combining port knocking and IDS to make the server keeps the service on a closed port and open it under user demand by sending predefined port sequence as an authentication process to control the access to the server. In doing so, it is evident that port knocking is effective in protecting SSH service. The number of login attempts obtained by using our proposed method is zero.