Turning the Tables on Attackers: Building a Threat-Intelligence SSH Honeypot
I've always been fascinated by the idea of not just defending against attacks, but actively learning from them. It's one thing to block a malicious IP, but it's another thing entirely to understand who they are, what they're doing, and what tools they're using. That curiosity led me down a rabbit hole and I've emerged with a new project I'm really excited about: a comprehensive SSH honeypot with integrated threat intelligence.
For the uninitiated, a honeypot is a decoy system, designed to be an attractive target for attackers. It looks and feels like a real system, but it's heavily monitored. My honeypot, built around Cowrie, is an enhanced SSH honeypot that not only accepts connections but provides a fake filesystem and realistic command responses to better engage attackers. This means attackers spend more time interacting with the system, giving us more data to analyze. But that's just the start.
From Simple Logs to Actionable Intelligence
Raw logs are great, but they don't tell the whole story. I wanted more than just a list of failed login attempts. I wanted context. That's where the "threat intelligence" part comes in. I've built a cowrie-log-processor service that takes the raw JSON logs from Cowrie and enriches them with data from a whole suite of APIs:
This turns a simple log entry like "IP 1.2.3.4 failed to log in" into a rich profile: "This IP from a data center in [Country], has a 90% abuse score, is linked to malware, and is part of a known botnet." Now that's what I call actionable intelligence!
Geeking Out on the Tech Stack
The whole thing is, of course, dockerized. docker-compose is my best friend for stuff like this. The architecture has evolved quite a bit since I first built it, and it's now a comprehensive security monitoring platform. Here's the current stack:
Core Honeypot Components
cowriesits on the front line, taking the hits. It's an enhanced SSH honeypot with a fake filesystem and realistic command responses that keeps attackers engaged longer, giving us more data.- The
cowrie-log-processoris the brains of the operation, parsing JSON logs, talking to the threat intel APIs, analyzing commands for suspicious patterns, and writing everything to PostgreSQL. PostgreSQLstores everything in a structured way—connections, auth attempts, commands (with suspicious flagging), port forwarding attempts, and all that juicy threat intel.Grafanaprovides the eye candy, with comprehensive dashboards visualizing it all. I've got world maps, attack timelines, top attackers, password analysis, and port forwarding visualizations.
Additional Security Components
Beyond the honeypot itself, I've added several additional security monitoring tools:
SSH tunneling & port forwarding detection: The honeypot can see when an attacker is trying to use my decoy server as a proxy to attack other systems. This has revealed that many attackers aren't just trying to compromise systems—they're building proxy networks. Seeing that in the logs for the first time was a real "aha!" moment.
Why Bother?
So, why go to all this trouble? For me, it's about curiosity and learning. It's a live-fire exercise in threat analysis. Every connection, every command, is a little piece of a puzzle. It's also a way to contribute back. The system can be configured to automatically report malicious IPs back to services like AbuseIPDB, helping to make the internet a little bit safer for everyone.
It's just plain cool to watch the attack traffic roll in and see the system dissect it in real-time. It's like having your own little cybersecurity research lab in a box.
What We've Learned So Far
After running the honeypot for 8 days (November 24 - December 1, 2025) and conducting a thorough analysis, I've discovered some fascinating patterns. The corrected analysis shows 27,443 connections from 172 unique IPs—significantly more than initially reported due to a data query issue that has since been corrected.
Key Findings
- Extreme attack concentration: A single IP (85.215.32.66) accounted for 70.3% of all connections (19,294 connections)—indicating a very aggressive automated scanner or botnet node
- Coordinated botnet surge: November 28-29 saw 21,220 connections (77.3% of all attacks) in just two days, with November 29th alone seeing 12,597 attacks (45.9% of total)—clear evidence of coordinated botnet activation
- Root account targeting: 77.2% of all authentication attempts targeted the root account (20,993 attempts out of 27,179 total)—showing attackers are primarily focused on gaining administrative access
- Weak passwords still prevalent: Top 10 passwords account for 7.3% of all attempts, with "123456" being the most common (796 attempts). While the percentage is lower than expected, the absolute numbers are significant
- 86.6% of attacking IPs have high threat scores (188 of 217 IPs scored above 50 on AbuseIPDB)—confirming threat intelligence feeds are highly effective at identifying malicious actors
- 1,007 port forwarding attempts—showing attackers are building proxy networks, not just compromising systems
- Low success rate, high volume: Despite 27,179 authentication attempts, only 419 were successful (1.5% success rate), but at scale this results in significant compromises
📊 Data Correction Note:
An initial analysis reported 1,898 connections from 33 IPs. After thorough verification, the actual numbers are 27,443 connections from 172 IPs - over 14 times more than initially reported. This correction actually strengthens the conclusions about the scale and sophistication of modern SSH attacks. All statistics have been verified against the complete database.
Want the full analysis? I've written a comprehensive data analysis whitepaper with full statistics, charts, security insights, and defensive recommendations. Download the PDF for all the details.
The honeypot is continuously evolving—I'm always tweaking the dashboards, adding new threat intelligence sources, and improving the analysis capabilities. It's become an invaluable tool for understanding the modern attack landscape.