Even better is to additionally setup a fake SSHd at port 22, so that port scanners do not even bother keeping on looking for the port and instead use what they suspect to be working
I run it as a dedicated user, on a high port. Port 22 of the router is merely forwarded to the internal high port I use.
Sure, I could chroot the thing as well.
# accept traffic to the normal ssh port
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# accept traffic on the port kippo is listening on
iptables -A INPUT -i eth0 -p tcp --dport 2222 -j ACCEPT
# direct traffic inbound on port 22 to port 2222
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222
Make sure also to add an ACCEPT rule for traffic to whatever port sshd is actually bound to.
That's fine so long as you trust all of the users on your system. Otherwise they could potentially get something running on port 22. Which, so long as you aren't actually sending auth info to 22, probably isn't a big deal.
As interesting and fun as honeypots are - unless it's your own gig, or the data from the honeypot fits into a larger security plan, it's just adding one more thing to manage. Move the port, run denyhosts, and in general just have access firewalled off to begin with.
The data is quite interesting.
Here's a snapshot of where most "attacks" to my honeypot originate from (the more, the brighter): http://darkpan.com/files/latlong255.png