Endlessh and fail2ban are great to setup a ssh honeypot. There even is a Prometheus exporter version for some nice stats

Just expose endlessh on your public port 22 and if needed, configure your actual ssh on a different port. But generally: avoid exposing ssh if you don’t actually need it or at least disable root login and disable password authentication completely.

https://github.com/skeeto/endlessh https://github.com/shizunge/endlessh-go https://github.com/itskenny0/fail2ban-endlessh

If it is your single purpose to create a blocklist of suspect IP addresses, I guess this could be a honeypot strategy.

If it’s to secure your own servers, you’re only playing whack-a-mole using this method. For every IP you block, ten more will pop up.

Instead of blacklisting, it’s better to whitelist the IP addresses or ranges that have a legitimate reason to connect to your server, or alternatively use someting like geoip firewall rules to limit the scope of your exposure.

Since I’ve switched to using SSH keys for all auth Ive had no problems I’m aware of. Plus I don’t need to remember a bunch of passwords.

But then I’ve had no training in this area. What do I know

I disabled ssh on IPv4 and that reduced hacking attempts by 99%.

It’s on IPv6 port 22 with a DNS pointing to it. I can log into it remotely by hostname. Easy.