frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

Show HN: Watch bots interact with an SSH honeypot in real time

https://honeypotlive.cc/
26•tusksm•1h ago

Comments

tusksm•1h ago
Hi HN,

I maintain several web servers and kept seeing a constant stream of SSH login attempts. At some point I became curious: what do these bots actually try to do after they get in?

I set up a Cowrie SSH honeypot and built a small live dashboard around its JSON logs. Cowrie listens on port 22, a Python service follows the log and streams events over WebSockets, and Nginx serves the frontend. The whole thing currently runs on a 1 vCPU / 1 GB Debian VPS.

The dashboard groups activity by source IP, with individual SSH sessions nested underneath. It shows authentication attempts, commands, SSH client fingerprints, file writes and downloads, and tunneling requests in real time.

Initially I thought the interesting part would be simply watching commands appear. After looking at the collected data, I realized that recurring behavior is much more interesting than individual events.

In one roughly 8-hour sample, the honeypot recorded about 1,950 sessions from 213 source IPs. 327 sessions reached command execution.

Some recurring patterns included:

- the same SSH public key being installed 152 times from 11 source IPs - a system fingerprinting script that appears designed to distinguish a real shell from a honeypot - a downloader requesting payloads for several CPU architectures - attempts to use SSH forwarding as a proxy - distributed credential probes that connect, test one value, and immediately disconnect

This also showed me that grouping activity only by IP isn't enough. Several apparently different sources can use the same SSH client fingerprint, command sequence, public key, or downloaded artifact and probably belong to the same automated campaign.

At the moment this is primarily a live log viewer. Some directions I am considering are:

- automatic classification of sessions as scanning, credential probing, reconnaissance, persistence, downloading, or tunneling - clustering activity into campaigns using HASSH fingerprints, command sequences, SSH keys, and artifact hashes - historical statistics and searchable sessions - support for multiple distributed honeypot sensors - publishing the collector and dashboard code

The public stream currently includes source IPs, attempted credentials, and commands. I added a notice explaining that an IP may belong to a compromised machine, proxy, VPN, or scanner, but I am still thinking through the privacy and responsible-disclosure tradeoffs.

Cowrie's "login.success" events only mean that the honeypot accepted the credentials; they don't mean those credentials would work on a real server.

I'm trying to decide whether this should remain a simple live visualization or grow into a small analysis tool.

Which direction would make this project most useful or interesting to you? Are there other patterns or types of analysis that would be worth adding?

p1anecrazy•10m ago
Hi, this is very interesting, thanks. While trying to educate myself about honeypots I came across this (https://securehoney.net/).

The aggregations of popular logins and IP locations seem interesting.

hideout_berlin•9m ago
you could make the logs public too :)
krunck•6m ago
This is great. Thanks.

Try fingerprinting the behaviour in the sessions. Over time you should be able to distinguish between various automated tools and live people.

arm32•22m ago
Hi tusksm! It's honeypot season! Really cool project, I've been working on a honeypot project of my own right now called `honeyprompt` (https://github.com/alectrocute/honeyprompt) that utilizes LLMs to craft responses and supports multiple protocols. Having a public sink presentation layer like honeypotlive.cc was one of my next todos.
tarpitt•5m ago
reminds me of https://xkcd.com/350/

Show HN: Ansede – Free SAST with 100% CVE recall (Semgrep CE got 23%)

https://github.com/mattybellx/Ansede
1•ardyv•1m ago•0 comments

Mesa-Optimization Is Destroying Education

https://letter.palladiummag.com/p/new-article-mesa-optimization-is
1•jger15•1m ago•0 comments

Nxsys, Signalling and Interlocking Simulator

https://www.nycsubway.org/wiki/NXSYS,_Signalling_and_Interlocking_Simulator
2•gregsadetsky•3m ago•0 comments

Google required to open up to AI, search engine rivals under EU-mandated changes

https://www.reuters.com/world/google-required-open-up-ai-search-engine-rivals-under-eu-mandated-c...
2•1vuio0pswjnm7•3m ago•0 comments

Sleep Is Air New Zealand's Strategy

2•r2sk5t•4m ago•0 comments

'I felt Holden was talking to me alone': The Catcher in the Rye at 75

https://www.theguardian.com/books/2026/jul/16/i-felt-holden-was-talking-to-me-alone-the-catcher-i...
1•theanonymousone•4m ago•0 comments

Amsterdam activists throw acid at Microsoft datacenter project

https://www.theregister.com/ai-and-ml/2026/07/16/amsterdam-activists-throw-acid-at-microsoft-data...
1•root-parent•4m ago•0 comments

Europe Won't Live by Deporting

https://dark.ronacher.eu/2026/7/17/live-by-deporting/
1•pmbanugo•5m ago•0 comments

Google Gemini launch delayed as tech falls short of internal goals

https://www.reuters.com/business/google-gemini-launch-delayed-tech-falls-short-internal-goals-blo...
2•1vuio0pswjnm7•6m ago•0 comments

Every after party worth going to during Startup School 2026

https://startupschoolafter.party/
1•timetoogo•7m ago•0 comments

Of forks and clones and package management

https://theconsensus.dev/p/2026/07/11/of-forks-and-clones-and-package-management.html
1•eatonphil•7m ago•0 comments

Kreo – Postgres to Instant REST API, Redis Cache and WebSockets

https://kreo.work/
1•KREO_•8m ago•0 comments

Build Economy Is All about Build and None about Economy

https://pawelbrodzinski.substack.com/p/build-economy-is-all-about-build
1•flail•8m ago•0 comments

Show HN: Design Skills Directory – curated agent skills for UI taste and craft

https://agents-design.com
1•gineko•9m ago•0 comments

I measured my multi-agent idea. It failed. I shipped the autopsy instead

https://github.com/jonathascordeiro20/bioma-framework
2•jonathasc•9m ago•0 comments

As Trump accuses China of election theft, Xi pitches Beijing as AI leader

https://www.cnn.com/2026/07/17/china/china-ai-conference-analysis-intl-hnk
2•blakean•11m ago•0 comments

Agents Need Shells, Not Selves

http://marv1nnnnn.com/signals/journal/agents-need-shells-not-selves
2•marv1nnnnn•11m ago•0 comments

A Vacuum of the Imagination

https://angadh.com/rockets-1
1•surprisetalk•14m ago•0 comments

Show HN: Slidum – A player for the HTML presentations AI writes

https://slidum.com
1•oandre•14m ago•0 comments

SpaceX declared a military target by Iran

https://finance.yahoo.com/markets/stocks/articles/spacex-spcx-faces-risk-iran-121423559.html
5•binyu•16m ago•1 comments

Stop Tuning the Prompt, Set the Constants

https://jschuck9.substack.com/p/stop-tuning-the-prompt-set-the-constants
1•jschuck9•17m ago•1 comments

HP fined 1.4 billion rupees for “cartelization” of ink cartridges, toner, PCs

https://arstechnica.com/gadgets/2026/07/hp-fined-1-4-billion-rupees-for-cartelization-of-ink-cart...
1•Brajeshwar•18m ago•0 comments

The Seahorse Emoji Was Real (But Not the One You Remember)

https://blog.emojipedia.org/the-seahorse-emoji-was-real-but-not-the-one-you-remember/
2•msephton•18m ago•0 comments

Weft – An Alternative Internet with Its

https://abouttime-d5a.pages.dev/project-weft
1•thvvv•19m ago•1 comments

Edgee's AI Gateway is now available on-premise

https://www.edgee.ai/blog/posts/edgee-on-premise-gateway
2•kokakiwi•19m ago•0 comments

How to solve cubic and quartic equations I: quartics

https://hidden-phenomena.com/articles/quartic
1•mb1699•19m ago•0 comments

Show HN: I built a site that shows private US company filings

https://mosaicfilings.pages.dev/
1•LawZoldyck•19m ago•0 comments

Understanding Reader Perception Shifts Upon Disclosure of AI Authorship

https://arxiv.org/abs/2510.24011
1•thoughtpeddler•22m ago•0 comments

The Attention-Span Class Divide

https://www.theatlantic.com/ideas/2026/07/attention-span-class-divide-ballet-opera-movies/687919/
1•loughnane•22m ago•0 comments

StageX: Eliminating Single Points of Failure in Linux Distributions [pdf]

https://codeberg.org/stagex/whitepapers/raw/branch/main/out/stagex.pdf
1•lioeters•25m ago•0 comments