
SSH Honeypot Research.

A two-phase experiment exposing a server to the open internet to study automated botnet behaviour. Phase 1 captured raw, unfiltered attack traffic. Phase 2 introduced CrowdSec blocklists to filter out known botnet noise—revealing the novel, sophisticated threats that bypass standard defences.

Phase 1: Raw traffic · no filtering
Phase 2: CrowdSec blocklists active

Attack Telemetry

Real-time login attempt data captured directly from the honeypot. The data refreshes continuously as attacks occur.

attack_log live · last 7 days
Observed intrusion: Gain SSH access → Wipe .ssh dir → Inject attacker key → Recon (uname) → Execute bendi.py → Clean traces
Metrics: attempts / 7d · unique IPs / 7d · max spike / min

What Attackers Do After Getting In

An analysis of post-exploitation commands executed by attackers who successfully logged in using default credentials. Commands are ranked by frequency across all captured sessions to reveal common attacker methodologies.
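One way to produce such a ranking, as an added example that is not the honeypot's own code: each command is normalised, counted once per session, and tagged with a stage from the observed intrusion chain. The session records, the regexes and the once-per-session counting rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Stage names come from the "Observed intrusion" chain on this page; the
# regexes are assumptions for illustration, not the honeypot's own rules.
# "Gain SSH access" is a login event, not a command, so it has no pattern.
STAGES = [
    ("Wipe .ssh dir", re.compile(r"\brm\b.*\.ssh\b")),
    ("Inject attacker key", re.compile(r">>?\s*\S*authorized_keys\b")),
    ("Recon (uname)", re.compile(r"\buname\b")),
    ("Execute bendi.py", re.compile(r"\bbendi\.py\b")),
    ("Clean traces", re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b")),
]

# Constructed sample sessions (session id -> input lines), not captured data.
SESSIONS = {
    "s1": ["cd ~ && rm -rf .ssh && mkdir .ssh",
           'echo "ssh-rsa AAAAEXAMPLEKEY1" >> .ssh/authorized_keys',
           "uname -a", "python3 bendi.py", "history -c"],
    "s2": ["rm -rf .ssh; mkdir .ssh",
           'echo "ssh-rsa AAAAEXAMPLEKEY2" >> .ssh/authorized_keys',
           "uname  -a", "uname -a"],
    "s3": ["uname -a", "cat /proc/cpuinfo"],
}

def normalize(cmd):
    """Collapse whitespace and mask key blobs so variants rank together."""
    cmd = re.sub(r"\s+", " ", cmd.strip())
    return re.sub(r"(ssh-(?:rsa|ed25519)) [A-Za-z0-9+/=]+", r"\1 <KEY>", cmd)

def split_commands(line):
    """Split a compound shell line on ';', '&&' and '||' (quotes ignored)."""
    parts = re.split(r"\s*(?:;|&&|\|\|)\s*", line)
    return [normalize(p) for p in parts if p.strip()]

def stage_of(cmd):
    """Return the first matching intrusion stage, or 'Other'."""
    return next((name for name, rx in STAGES if rx.search(cmd)), "Other")

def rank_commands(sessions):
    """Rank commands by the number of sessions in which they appear."""
    counts = Counter()
    for lines in sessions.values():
        # A set per session stops one noisy bot from inflating the ranking.
        counts.update({c for line in lines for c in split_commands(line)})
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(cmd, n, stage_of(cmd)) for cmd, n in ordered]

if __name__ == "__main__":
    for cmd, n, stage in rank_commands(SESSIONS):
        print(f"{n:>3}  {stage:<20} {cmd}")
```

Commands that fall under "Other" are the ones worth reviewing by hand, since they sit outside the known chain.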


Attack Origins

Top attack origins by source IP, resolved locally using MaxMind GeoLite2. This map highlights the novel, sophisticated attacks that successfully bypassed CrowdSec blocklists during Phase 2.
