Show HN: Watch bots interact with an SSH honeypot in real time

tusksm 151 points 55 comments July 17, 2026
honeypotlive.cc · View on Hacker News

Discussion Highlights (17 comments)

tusksm

Hi HN, I maintain several web servers and kept seeing a constant stream of SSH login attempts. At some point I became curious: what do these bots actually try to do after they get in? I set up a Cowrie SSH honeypot and built a small live dashboard around its JSON logs. Cowrie listens on port 22, a Python service follows the log and streams events over WebSockets, and Nginx serves the frontend. The whole thing currently runs on a 1 vCPU / 1 GB Debian VPS. The dashboard groups activity by source IP, with individual SSH sessions nested underneath. It shows authentication attempts, commands, SSH client fingerprints, file writes and downloads, and tunneling requests in real time. Initially I thought the interesting part would be simply watching commands appear. After looking at the collected data, I realized that recurring behavior is much more interesting than individual events. In one roughly 8-hour sample, the honeypot recorded about 1,950 sessions from 213 source IPs. 327 sessions reached command execution. Some recurring patterns included: - the same SSH public key being installed 152 times from 11 source IPs - a system fingerprinting script that appears designed to distinguish a real shell from a honeypot - a downloader requesting payloads for several CPU architectures - attempts to use SSH forwarding as a proxy - distributed credential probes that connect, test one value, and immediately disconnect This also showed me that grouping activity only by IP isn't enough. Several apparently different sources can use the same SSH client fingerprint, command sequence, public key, or downloaded artifact and probably belong to the same automated campaign. At the moment this is primarily a live log viewer. Some directions I am considering are: - automatic classification of sessions as scanning, credential probing, reconnaissance, persistence, downloading, or tunneling - clustering activity into campaigns using HASSH fingerprints, command sequences, SSH keys, and artifact hashes - historical statistics and searchable sessions - support for multiple distributed honeypot sensors - publishing the collector and dashboard code The public stream currently includes source IPs, attempted credentials, and commands. I added a notice explaining that an IP may belong to a compromised machine, proxy, VPN, or scanner, but I am still thinking through the privacy and responsible-disclosure tradeoffs. Cowrie's "login.success" events only mean that the honeypot accepted the credentials; they don't mean those credentials would work on a real server. I'm trying to decide whether this should remain a simple live visualization or grow into a small analysis tool. Which direction would make this project most useful or interesting to you? Are there other patterns or types of analysis that would be worth adding?

arm32

Hi tusksm! It's honeypot season! Really cool project, I've been working on a honeypot project of my own right now called `honeyprompt` ( https://github.com/alectrocute/honeyprompt ) that utilizes LLMs to craft responses and supports multiple protocols. Having a public sink presentation layer like honeypotlive.cc was one of my next todos.

tarpitt

reminds me of https://xkcd.com/350/

CzaxTanmay

Looks cool!

drcongo

You know what extra data would be cool? If you hit `curl https://ip.guide/{src_ip} ` and got back the ASN and country etc and added a leaderboard. In my own experiments in this area I've been gobsmacked by how much malicious traffic comes from Azure.

belval

Someone instantly started spamming the bee movie's introduction. Solid pun.

preetham_rangu

Watching the first few minutes was more educational than I expected.

b0rbb

lol @ the person spamming Never Gonna Give You Up

paoliniluis

There's a guy trying to take down the server by sending as user/pass the lyrics of Rick Astley's "never gonna give you up"

spikk

For the sake of interest you could try to expose periodically rotated keyed hashes of IPs and credentials instead of the raw values. It would still let people correlate events within a limited time window

Farrynet

Its always wild seeing the sheer volume of background noice on public IPs. Fun project.

_def

fun to watch until the ssh user input exploits the web interface :P

throwaway7783

Very cool! Adding a client geo would be nice (even if its not very accurate)

fragmede

Yeah I have an SSH daemon running on the default port at funky.nondeterministic.computer for people to hit, but it's mostly bots, which is no fun.

Fabricio20

Opened the website to be greeted with only spam of huge walls of random text, seems people are abusing the fun out of it! Would love to actually have seen some interesting bot patterns from the authors comments.

charcircuit

Looking at it, all they do is install ssh keys. I honestly expected them to do more like start some kind of service.

micheloosterhof

Cowrie author here! Yes this is the usual background noise on the internet! Cowrie (which I suspect is used here as well as the data generator) recently had a lot of updates, including now easy install from pip (pip install cowrie), and a much improved shell parser that’s much more capable of parsing attacker commands! https://github.com/cowrie/cowrie and get the full raw data in JSON or other formats to add geoip and ASN attribution! And of course malware samples.

Semantic search powered by Rivestack pgvector
14,015 stories · 131,331 chunks indexed