wetland – A high interaction SSH honeypot

Wetland is a high interaction SSH honeypot,designed to log brute force attacks.What’s more, wetland will log shell、scp、sftp、exec-command、direct-forward、reverse-forward interation performded by the attacker.

Wetland is based on python ssh module paramiko. And wetland runs as a multi-threading tcp server using SocketServer.


  • Use docker to provide a real linux environment.
  • All the password auth will redirect to docker.
  • All the command will execute on docker.
  • Save a copy of file when hacker uploads some files with SFTP.
  • Extract and Save files from exec-log when hacker uoloads some files with SCP.
  • Providing a playlog script to replay the [shell | exec | direct-forward | reverse-forward] kind of log.
  • Advanced networking feature to spoof attackers IP address between wetland and docker(thanks to honssh)
  • Kinds of ways to report to you when wetland is touching by hacker, but now only email and bearychat.


Add Comment