
The original endlessh hints at this, but doesn't go further into details, and the endlessh-go README doesn't mention it at all. Am I supposed to have endlessh run on port 22 and then have my real SSH server run on an obscure port? In none of the examples does it run on port 22. I feel like I'm missing something obvious that the READMEs simply take for granted I know.


I run endlessh on port 2222 and I configured fail2ban to transparently redirect the source IP addresses that made X failed attempts from dest port 22 to dest port 2222. I use the NAT table and PREROUTING chain to achieve that; you can use ipset to match the source IP addresses.
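A concrete form of the setup described in this comment, as an added example that is not the commenter's own config: a fail2ban action that puts banned IPs into an ipset, plus a NAT PREROUTING rule that sends port-22 traffic from those IPs to endlessh on 2222. The set name, file paths, bantime and maxretry values are assumptions.

```ini
# /etc/fail2ban/action.d/ssh-tarpit.conf  (added example; path and set name are assumptions)
[Definition]
# Create the set and the redirect rule once when the jail starts.
# Only IPs in the set are redirected; everyone else still reaches the real sshd on 22.
actionstart = ipset create -exist ssh-tarpit hash:ip timeout 86400
              iptables -t nat -I PREROUTING -p tcp --dport 22 -m set --match-set ssh-tarpit src -j REDIRECT --to-ports 2222
actionstop = iptables -t nat -D PREROUTING -p tcp --dport 22 -m set --match-set ssh-tarpit src -j REDIRECT --to-ports 2222
             ipset destroy ssh-tarpit
# fail2ban runs this before each ban; a missing set means the rule is gone too.
actioncheck = ipset list ssh-tarpit > /dev/null
# Ban: add the IP with the jail's bantime so the kernel expires the entry by itself.
actionban = ipset add -exist ssh-tarpit <ip> timeout <bantime>
actionunban = ipset del -exist ssh-tarpit <ip>

# /etc/fail2ban/jail.d/ssh-tarpit.local  (added example; values are assumptions)
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 1d
action = ssh-tarpit
```

The ban is driven by sshd's own log, so the first few attempts still reach the real server; from the ban onward the kernel redirects that source before sshd ever sees it, and endlessh only needs to listen on 2222.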


Oh nice, do you have a blog post detailing it step by step?


I do something similar except send them bytes from /dev/random, providing free protocol fuzzing.


Isn't the point of a honeypot that it's not a real server? What guarantees are there that there won't be an exploit that allows escaping the honeypot into the real data? Personally, I do not believe anything is 100% secure. So inviting the vampire into your facade home, and then getting upset when the vampire sees the charade and walks into your real home is just one of those "well of course that happened" situations.


If you use port knocking, the first hit on your honeypot can be the trigger to lock down or redirect a lot of other ports to somewhere away from your actual.



I don't think it matters; SSH bots will try any port that sends back the SSH banner.


That's the theory. I have an internet facing box using ssh on a weird port with fail2ban on it just in case.

In over 10 years I've never had a single probe on that port with ssh.


Same, I went from logging thousands of attempts per day to zero per decade with a simple switch of ports.


But they don't scan every port. I've been running my SSH server on a non-standard port for a long time; it took four years until I had the first bot with login attempts. About a year ago I changed the port and haven't seen any bots since then.


You can surround your custom port with a couple of ports on which a simple server listens for connection attempts. Any connection attempt is considered hostile and the IP will then be blacklisted in iptables. This prevents port scans from reaching your port.


Only works for sequential scans, most scanners are more targeted towards specific services.


If they're targeting SSH specifically, how are they going to guess I'm running it on port 1690 and not port 22 other than by scanning up in sequence?


Different quality of locks in the ever-escalating arms race. Probably there are many, many more sequential scanners out there. For the persistent actors who are doing random ordering or shuffle, you could add port-knocking for the real sshd... but then they just have to find a working client and sniff the connection requests... to which you add a TOTP step for determining which ports to use, and so on...


There is a known upper bound; they could randomise the guesses from the range.


Excuse the old school metaphor - you put a lock on your door so your house is harder to break into, not to prevent anyone from breaking into your house.


Absolutely agree, when I wrote this I was thinking more of defending against the low hanging fruit - mass scanners.

Once someone has deemed you a worthwhile target and is carefully probing all ports, these more nuanced approaches become more worthwhile. Even then, a sophisticated adversary may have many unique src IPs at their disposal.


The more targeted/sophisticated ones will, but there's a crapload of bots that just scan all publicly addressable IPs for port 22 and attempt to connect. If your goal is to trap as many bots as possible in the tarpit, you'll get a lot more if you run on port 22.


They CAN, but they don't.


That's how I have it set up.



