I want to create a network that looks like a honeynet to observe attackers' behavior after they intrude into a container. My idea is a container that will be able to ssh into all other containers by starting sshd in the containers (purely ssh-only containers). So I want to log all commands that are run on a specific account that logs in via SSH.
I consulted about how to set up an SSHd service in a container on Docker Hub.
The Dockerfile I am using is below.
# Base image assumed (the post omits the FROM line); the sed edits below target the Debian/Ubuntu sshd_config layout
FROM ubuntu:16.04
# The original line installed nothing: the package name openssh-server was missing
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
# Weak root password is intentional for a honeypot account
RUN echo 'root:123456' | chpasswd
RUN sed -ri 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# Work around pam_loginuid failing when sshd runs inside a container
RUN sed 's@session\srequired\spam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]
Containers that directly allow access from an attacker are located on the outside; the other containers are placed in a separate local network. Of course, the external container is also connected to this local network. I used docker-compose to automate the steps.
I was able to ssh between the containers. Moreover, I can also track the ssh daemon logs directly. But what I am most concerned about is how to get the log after accessing the container via ssh. Specifically, the command lines entered into the container and their standard output as well.
I hope someone can help me with this.
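To show the kind of recording the question is after, here is an added example (not part of the post and not the poster's setup): it runs a shell under a pseudo-terminal the way sshd would, feeds constructed keystrokes in place of a real attacker's terminal, and appends a timestamped transcript of everything typed and everything printed to a log file. In the honeynet the same recorder would be started as the account's login shell or as an sshd ForceCommand (an assumption, not something the post configures) with the real terminal attached instead of the constructed input.

```python
import os
import pty
import select
import subprocess
import tempfile
import time


def record_session(argv, typed, log_path, timeout=10.0):
    """Run argv on a pseudo-terminal, feed `typed` as keystrokes, and append
    a timestamped transcript of both directions to log_path.
    Returns everything the session wrote to the terminal."""
    master, slave = pty.openpty()
    proc = subprocess.Popen(argv, stdin=slave, stdout=slave, stderr=slave)
    os.close(slave)                                 # the child keeps its own copy
    t0 = time.monotonic()
    output = bytearray()
    with open(log_path, "ab") as log:
        def emit(direction, data):
            log.write(f"{time.monotonic() - t0:8.3f} {direction} {data!r}\n".encode())
        while time.monotonic() - t0 < timeout:
            want_write = [master] if typed else []
            readable, writable, _ = select.select([master], want_write, [], 0.1)
            if writable:
                n = os.write(master, typed[:256])    # pty input buffers are small
                emit("IN ", typed[:n])
                typed = typed[n:]
            if readable:
                try:
                    data = os.read(master, 4096)
                except OSError:                      # EIO on Linux: slave side closed
                    break
                if not data:                         # EOF on BSD/macOS
                    break
                output += data
                emit("OUT", data)
        else:
            proc.kill()                              # session outlived the timeout
    os.close(master)
    proc.wait()
    return bytes(output)


def demo():
    """Constructed session: an 'attacker' runs two commands and logs out."""
    log_path = os.path.join(tempfile.mkdtemp(), "session.log")
    out = record_session(["/bin/sh"], b"echo hello\nid\nexit\n", log_path)
    with open(log_path) as f:
        return out, f.read()
```

Because the pty echoes keystrokes, the OUT lines already show the commands as the attacker saw them, while the IN lines keep what was typed even when the shell suppresses echo.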