SSH honeypot, deployed in the wild, collecting and sharing data

Secure Honey v2.0 has been launched!

23 Jun 2021 • 2 min read

Blimey, how times flies! It's been a while since I wrote a blog post for Secure Honey. This is just a quick update to explain the new honeypot and why I've re-launched.

Back in 2016, I took my original honeypot offline. The main reason was because the data that was being sent from the honeypot to the website hosting account was triggering IDS (intrusion detection system) warnings. At the time, I couldn't think of a way around the problem so I decided to leave the honeypot offline.

However, fast forward to 2021, and I'm curious to know if SSH attacker methodology has changed. Plus, I found a way around the IDS triggering problem. So, I've launched a brand new version of Secure Honey!

The Secure Honey SSH honeypot was originally written in C-code. My main motive for writing in C was a) the SSH server implementation is written in C so it makes sense to use the same language (same timings, etc) and b) I was an undergrad student studying Computer Science and wanted to learn a new programming language.

But that was back in 2014. And now, with my new aim -- to revisit SSH attack methodology -- I want to quickly prototype an SSH honeypot in a more agile manner; adding features based on observable data from the honeypot, and my own ideas.

So, I've built a new SSH honeypot from scratch, in Python, and containerised it in Docker. I'll share the source code on GitHub soon. I deployed the new honeypot just over a week ago and it's been collecting some nice data since.

Over the past few days I've also rapidly prototyped a new dashboard for this website's homepage. So, please forgive me if there are bugs/issues, etc. I'm keen to hear your thoughts and feedback on the new honeypot and dashboard. So please do get in touch. I've not implemented the comments feature of the blog yet, but you can reach me on Twitter @SimonByte.

About the author

Simon BellSimon Bell is an award-winning Cyber Security Researcher, Software Engineer, and Web Security Specialist. Simon's research papers have been published internationally, and his findings have featured in Ars Technica, The Hacker News, PC World, among others. He founded Secure Honey, an open-source honeypot and threat intelligence project, in 2013. He has a PhD in Cyber Security from Royal Holloway's world-leading Information Security Group.

Follow Simon on Twitter: @SimonByte