frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

Show HN: Watch bots interact with an SSH honeypot in real time

https://honeypotlive.cc/
51•tusksm•1h ago

Comments

tusksm•1h ago
Hi HN,

I maintain several web servers and kept seeing a constant stream of SSH login attempts. At some point I became curious: what do these bots actually try to do after they get in?

I set up a Cowrie SSH honeypot and built a small live dashboard around its JSON logs. Cowrie listens on port 22, a Python service follows the log and streams events over WebSockets, and Nginx serves the frontend. The whole thing currently runs on a 1 vCPU / 1 GB Debian VPS.

The dashboard groups activity by source IP, with individual SSH sessions nested underneath. It shows authentication attempts, commands, SSH client fingerprints, file writes and downloads, and tunneling requests in real time.

Initially I thought the interesting part would be simply watching commands appear. After looking at the collected data, I realized that recurring behavior is much more interesting than individual events.

In one roughly 8-hour sample, the honeypot recorded about 1,950 sessions from 213 source IPs. 327 sessions reached command execution.

Some recurring patterns included:

- the same SSH public key being installed 152 times from 11 source IPs - a system fingerprinting script that appears designed to distinguish a real shell from a honeypot - a downloader requesting payloads for several CPU architectures - attempts to use SSH forwarding as a proxy - distributed credential probes that connect, test one value, and immediately disconnect

This also showed me that grouping activity only by IP isn't enough. Several apparently different sources can use the same SSH client fingerprint, command sequence, public key, or downloaded artifact and probably belong to the same automated campaign.

At the moment this is primarily a live log viewer. Some directions I am considering are:

- automatic classification of sessions as scanning, credential probing, reconnaissance, persistence, downloading, or tunneling - clustering activity into campaigns using HASSH fingerprints, command sequences, SSH keys, and artifact hashes - historical statistics and searchable sessions - support for multiple distributed honeypot sensors - publishing the collector and dashboard code

The public stream currently includes source IPs, attempted credentials, and commands. I added a notice explaining that an IP may belong to a compromised machine, proxy, VPN, or scanner, but I am still thinking through the privacy and responsible-disclosure tradeoffs.

Cowrie's "login.success" events only mean that the honeypot accepted the credentials; they don't mean those credentials would work on a real server.

I'm trying to decide whether this should remain a simple live visualization or grow into a small analysis tool.

Which direction would make this project most useful or interesting to you? Are there other patterns or types of analysis that would be worth adding?

p1anecrazy•54m ago
Hi, this is very interesting, thanks. While trying to educate myself about honeypots I came across this (https://securehoney.net/).

The aggregations of popular logins and IP locations seem interesting.

LorenDB•44m ago
From that site:

    Files uploaded 25,522 (46 unique)
    Malware uploaded 7,735 (43 unique)
I wonder what 3 files were so common that they were uploaded 17,787 times instead of malware.
CookieCrisp•8m ago
Probably the ssh key
hideout_berlin•53m ago
you could make the logs public too :)
krunck•50m ago
This is great. Thanks.

Try fingerprinting the behaviour in the sessions. Over time you should be able to distinguish between various automated tools and live people.

rkagerer•34m ago
Some kind of source IP masking would be prudent. As you pointed out, some of those machines are compromised, and you aren't making their owners' lives any easier.

Bad actors might use the data you're publishing to fingerprint specific exploits to which the machines are vulnerable, multiplying the problem.

If producing an IP blacklist is one of your aims, divorcing it from any specific traffic would be more responsible.

You may also want to consider the risk traffic from compromised machines could leak PII (eg. say a script tried to use you as a relay to exfiltrate data) - and the ethical and legal consequences. A filter for SIN, credit cards, etc. would be a basic table-stakes mitigation step.

arm32•1h ago
Hi tusksm! It's honeypot season! Really cool project, I've been working on a honeypot project of my own right now called `honeyprompt` (https://github.com/alectrocute/honeyprompt) that utilizes LLMs to craft responses and supports multiple protocols. Having a public sink presentation layer like honeypotlive.cc was one of my next todos.
tarpitt•49m ago
reminds me of https://xkcd.com/350/
CzaxTanmay•36m ago
Looks cool!
drcongo•32m ago
You know what extra data would be cool? If you hit `curl https://ip.guide/{src_ip}` and got back the ASN and country etc and added a leaderboard. In my own experiments in this area I've been gobsmacked by how much malicious traffic comes from Azure.
ryandrake•15m ago
> Some kind of source IP masking would be prudent. As you pointed out, some of those machines are compromised, and you aren't making their owners' lives any easier.

Hard for me to find much sympathy for negligent users who unintentionally allowed their home computers or phones to join a malicious botnet, or their ISPs who aren't stopping the activity. Even if it is my own grandma's PC.

I agree about the content though, there probably are a lot of actually innocent victims' personal information in the traffic itself.

AWS: Inaccurate Estimated Billing Data – $1.7 billion

412•nprateem•6h ago•280 comments

Mozilla: The state of open source AI

https://stateofopensource.ai/
113•rellem•1h ago•45 comments

First atmosphere found on Earth-like planet in habitable zone of distant star

https://www.bbc.com/news/articles/cy4kdd1e0ejo
72•neversaydie•1h ago•56 comments

Claude Code: Anatomy of a Misfeature

https://www.olafalders.com/2026/07/17/claude-code-anatomy-of-a-misfeature/
54•oalders•1h ago•26 comments

Show HN: Watch bots interact with an SSH honeypot in real time

https://honeypotlive.cc/
52•tusksm•1h ago•12 comments

A Road to Lisp: Which Lisp

https://scotto.me/blog/2026-07-17-which-lisp/
48•silcoon•2h ago•13 comments

AI Meets Cryptography 2: What AI Found in OpenVM's ZkVM

https://blog.zksecurity.xyz/posts/openvm-bugs/
29•duha•1h ago•0 comments

Three ways people respond to a problem (other than solving it)

https://improvesomething.today/responses-to-problems/
43•surprisetalk•1h ago•12 comments

Show HN: Explore the Workspaces of Modern Creators

https://workspaces.xyz/
7•ryangilbert•18m ago•2 comments

Multi-Primary Color Display Emerges as Next-Gen Color Reproduction Technology

https://en.ubiresearchnet.com/multi-primary-color-display-technology-2026/
45•ksec•2h ago•38 comments

Manufact (YC S25) Is Hiring a Senior infra engineer to build the MCP cloud

https://www.ycombinator.com/companies/manufact/jobs/Dh6PYP5-senior-infrastructure-engineer
1•luigipederzani•2h ago

EEG shows brain can simultaneous encode two speech streams

https://journals.plos.org/plosbiology/article?id=10.1371/journal.pbio.3003876
200•giuliomagnifico•10h ago•130 comments

More Bounce to the Ounce

https://mceglowski.substack.com/p/more-bounce-to-the-ounce
23•pavel_lishin•2h ago•2 comments

PennyLane is an open-source quantum software platform for quantum

https://github.com/PennyLaneAI/pennylane
22•donutloop•2h ago•2 comments

VulnHunter: Capital One's agentic AI code security tool

https://www.capitalone.com/tech/open-source/announcing-vulnhunter/
26•medina•3h ago•16 comments

Pebble Mega Update – July 2026

https://repebble.com/blog/pebble-mega-update-july-2026
211•crazysaem•12h ago•115 comments

Show HN: On-chain bond market where the issuers are AI agents

https://selbonds.now
7•griffinfoster7•1h ago•4 comments

Apple targets dozens of OpenAI employees with legal letters

https://www.ft.com/content/1b8c9d52-88a9-426b-ba47-f1811f859166
201•merksittich•3h ago•151 comments

How Has Roman Concrete Lasted for Millennia? 1,900-Year-Old Latrine Offers Clues

https://www.smithsonianmag.com/smart-news/how-has-roman-concrete-lasted-for-millennia-a-1900-year...
217•divbzero•12h ago•167 comments

Minikotlin

https://minikotlin.run
94•frizlab•3h ago•26 comments

Kimi K3, and what we can still learn from the pelican benchmark

https://simonwillison.net/2026/Jul/16/kimi-k3/
6•droidjj•1h ago•0 comments

Microsoft Comic Chat is now open source

https://opensource.microsoft.com/blog/2026/07/16/microsoft-comic-chat-is-now-open-source/
755•jervant•23h ago•161 comments

Faster binary search: from compiled code to mechanical sympathy

https://pythonspeed.com/articles/branchless-binary-search/
21•enz•5d ago•8 comments

Tannakian Reconstruction

https://bartoszmilewski.com/2026/07/14/tannakian-reconstruction/
15•ibobev•3d ago•0 comments

Camera Chase Vehicle

https://transistor-man.com/gimbal_camera_rover.html
109•geerlingguy•1w ago•12 comments

Evidence of inconsistencies in evaluation process and selection of winners

https://www.kaggle.com/competitions/kaggle-measuring-agi/discussion/724918#3498423
393•twerkmeister•4h ago•237 comments

Decoy Font

https://www.mixfont.com/experiments/decoy-font
642•ray__•23h ago•146 comments

Kimi K3: Open Frontier Intelligence

https://www.kimi.com/blog/kimi-k3
1880•vincent_s•1d ago•1113 comments

An Engineer's Guide to USB Typе-С (2024)

https://www.ti.com/lit/eb/slyy228/slyy228.pdf?ts=1759892558029
247•gregsadetsky•6d ago•41 comments

$100 AI Music Video: Claude Fable 5 vs. GPT-5.6 Sol

https://www.tryai.dev/blog/ai-music-video-arena-claude-vs-gpt-5.6
343•hershyb_•19h ago•467 comments