Secure Honey

SSH honeypot, deployed in the wild, collecting and sharing data


Date range
Total logins
Unique credentials
Unique IPs
Files uploaded
Malware uploaded

Top Usernames

Top Passwords


Top Clients

Top Ciphers

Top Malware IOCs

SHA256 Digest Threat Type First Discovered Freq.

Top Shell Commands

Command Freq.

Top IP Address Types

Top IP: Hosting Providers

Hosting Provider Freq.

Top IP: ISPs

ISP Freq.

How to build an SSH honeypot in Python and Docker - Part 2

14 Aug 2021 • 9 min read

Python, Redis, and Docker

In this blog post I'll be extending the SSH honeypot we built in Part 1 (see How to build an SSH honeypot in Python and Docker - Part 1) to download any files the honeypot receives. A great way to collect malware samples to analyse.

The main features we'll be adding to the new honeypot are:

  • A downloader - to download requested files from attackers
  • Docker-compose - to manage multiple Docker containers
  • Redis - to handle the download queue

...continue reading

How to build an SSH honeypot in Python and Docker - Part 1

7 Aug 2021 • 14 min read

Python and Docker network

In today's blog post I'll explain how to build a low-interaction SSH honeypot in Python and containerise it in Docker. In part 2, we'll add functionality to collect malware samples -- ideal for malware analysis.

One of the key design goals of this honeypot is efficiency. Why? Well, if the honeypot has low resource requirements (RAM, CPU, etc), it means we can deploy it to a global infrastructure -- such as multiple virtual private servers (VPS) -- without incurring large costs.

Existing honeypot solutions are available. However, some of them can be quite resource intensive. I've curated a list of popular honeypots here: A Curated List of Awesome Honeypots.

...continue reading

Cryptojacking: a tale of riches, deceit, and theft

31 Jul 2021 • 14 min read

Cryptocurrency coins

In today's blog post we'll explore what cryptojacking is, why cybercriminals are motivated by cryptocurrency mining attacks, and we'll look at real-world attacks.

Why? Well, cryptojacking was big business for cybercriminals in 2017 and 2018. But died down in 2019 after Coinhive shut down. Now, in 2021, Cryptojacking attacks are on the rise again (see report by Kaspersky).

I've noticed this trend of cryptojacking attacks targetting my honeypots (see my last 2 blog posts: Cryptojacking Attacks Continue To Target SSH Servers and Sneaky Malware Reconfigures Hive OS Wallet for Profit). I want to understand more about cryptojacking and why it's on the rise.

So, grab yourself a coffee (or a hot chocolate), find yourself a comfy spot, and I'll put on my best John Hurt storytelling voice...

...continue reading

Cryptojacking Attacks Continue To Target SSH Servers

22 Jul 2021 • 10 min read


Coming up in today's blog post: I'll be exploring recent cyber attacks targeting my SSH honeypots. Since 2018/19, we've known that SSH servers around the world have been targeted by cryptocurrency mining operations. So I'm curious to analyse my honeypot's logs to understand A) if threat actors are still motivated by cryptocurrency, and B) what techniques are used by threat actors.

Just over 1 month ago I deployed my new SSH honeypots (built in Python, containerised in Docker, see: Secure Honey v2.0 has been launched!). Since then, my honeypots have received 129,122 unauthorised logins (username:password credentials) from 3,780 unique IP addresses. 132,479 (77,214 unique) shell commands have been executed, and 91,927 (64,156 unique) files have been uploaded to the honeypot -- of which 23,874 (53 unique) were malicious.

So let's crack on and explore the data!

...continue reading