HN
Today

Show HN: Watch bots interact with an SSH honeypot in real time

This project, Honeypot Live, offers a real-time dashboard showcasing interactions with an SSH honeypot, providing a fascinating, unfiltered look at automated attack attempts. Its popularity on Hacker News stems from the immediate, tangible insights into bot activity and the surprising, sometimes humorous, content uncovered. The live feed sparks both technical discussions on security research and ethical debates on data exposure.

91
Score
36
Comments
#5
Highest Rank
6h
on Front Page
First Seen
Jul 17, 3:00 PM
Last Seen
Jul 17, 8:00 PM
Rank Over Time
56881213

The Lowdown

Honeypot Live is a live telemetry dashboard built by tusksm that visualizes inbound connections to an SSH honeypot. Driven by the author's curiosity about constant SSH login attempts on their web servers, the project aims to provide insights into what bots attempt to do once they connect.

The system utilizes a Cowrie SSH honeypot, with a Python service streaming events via WebSockets to a Nginx-served frontend, all running on a minimal VPS. The dashboard meticulously displays:

  • Source IP addresses of connecting entities.
  • Attempted usernames and passwords.
  • Executed commands, SSH client fingerprints, and file operations (writes, downloads).
  • Tunneling requests.

While individual commands were initially thought to be the most interesting aspect, tusksm found recurring behavioral patterns to be far more insightful. For instance, an 8-hour sample revealed 1,950 sessions from 213 IPs, with 327 reaching command execution. Observed patterns include repeated SSH public key installations, system fingerprinting scripts designed to detect honeypots, multi-architecture payload downloaders, SSH forwarding attempts, and distributed credential probing. The author notes that grouping activity solely by IP is insufficient and suggests clustering by more granular identifiers like SSH client fingerprints or command sequences. Future plans include automatic session classification, advanced activity clustering, historical statistics, support for distributed sensors, and open-sourcing the code, while also carefully considering privacy and responsible disclosure implications.

Ultimately, Honeypot Live provides a raw, dynamic window into the persistent landscape of internet-wide automated attacks, serving as both an educational tool and a foundation for deeper security analysis.

The Gossip

Curious Clicks & Comedy Commands

Many commenters expressed amusement and fascination with the bizarre and unexpected interactions observed in the honeypot's live feed. Highlights included bots spamming lyrics from Rick Astley's 'Never Gonna Give You Up' and the entire 'Bee Movie' introduction as authentication attempts. The sheer volume of 'background noise' from public IPs was also a common point of interest, with users finding the real-time display surprisingly educational and entertaining.

Privacy Paradox & Public IPs

A significant discussion revolved around the ethics and privacy implications of displaying raw source IP addresses. Concerns were raised about potentially exposing compromised machines and their owners, and the risk that malicious actors could use the data to fingerprint vulnerabilities. While some argued for masking IPs to protect innocent victims, others contended that making such information public helps raise awareness of malicious traffic origins. The debate also touched on the potential for PII leakage through exfiltrated data and whether such public exposure is beneficial or detrimental.

Feature Fantasies & Future Functions

Hacker News users offered numerous suggestions for enhancing the honeypot project. Ideas included enriching the data with ASN and country information for source IPs, displaying statistics on which cloud providers generate the most malicious traffic (with Azure frequently mentioned), and implementing leaderboards. Commenters also proposed replacing raw IP/credential display with keyed hashes for correlation, fingerprinting session behaviors to distinguish automated tools from human activity, and adding broader protocol support through LLM-driven honeypots.