Honeypot Live: 실시간 SSH 봇 상호작용 대시보드
Honeypot Live: Real‑time SSH Bot Interaction Dashboard
Real‑time visibility into SSH bot activity
Honeypotlive.cc turns raw Cowrie logs into a live, web‑based dashboard that shows every SSH connection, credential attempt, and command as it happens. By streaming JSON events over WebSockets, the service lets anyone watch automated attacks unfold in seconds, exposing patterns that are invisible in static log files.
What the dashboard displays
- Source IP and port – each new TCP connection is logged as
session.connectwith the client’s IP (e.g.,91.92.42.61). - SSH client fingerprint (HASSH) – the dashboard extracts the client’s HASSH fingerprint (
0a07365cc01fa9fc82608ba4019af499) for every session, enabling fingerprint‑based clustering. - Authentication attempts – both
login.failed(e.g.,[myuser/123456]) andlogin.successevents are shown, with the exact username/password pair attempted. - Command execution – when a session reaches
login.success, subsequentcommand.inputlines (e.g.,uname -s -v -n -r -m) appear in real time. - File activity – the dashboard reports file writes, downloads, and TTY logs (
log.closed). - Tunneling requests – events such as SSH forwarding attempts are captured as part of the session flow.
Key findings from an 8‑hour sample
- Volume – 1,950 sessions from 213 unique IPs, with 327 sessions reaching command execution.
- Repeated public‑key installations – the same SSH key was installed 152 times across 11 IPs, suggesting a coordinated persistence attempt.
- Fingerprint‑driven campaigns – many sessions share the identical HASSH fingerprint, indicating a single botnet or script family.
- Reconnaissance scripts – a recurring command sequence attempts to differentiate a real shell from a honeypot, likely by probing timing or environment variables.
- Multi‑architecture payloads – bots request download URLs for several CPU architectures, hinting at a universal malware dropper.
- SSH forwarding abuse – several sessions try to set up proxy tunnels, a classic technique for evading egress filtering.
- Distributed credential probing – bots connect, test a single credential, then disconnect within 1–2 seconds, producing a high churn of short‑lived sessions.
Community reactions and ideas
"Hi tusksm! It’s honeypot season! Really cool project, I’ve been working on a honeypot project of my own called
honeypromptthat utilizes LLMs to craft responses and supports multiple protocols. Having a public sink presentation layer like honeypotlive.cc was one of my next todos." – @arm32
"You know what extra data would be cool? If you hit
curl https://ip.guide/{src_ip}and got back the ASN and country etc and added a leaderboard. In my own experiments I’ve been gobsmacked by how much malicious traffic comes from Azure." – @drcongo
"Someone instantly started spamming the bee movie’s introduction. Solid pun." – @belval
"Watching the first few minutes was more educational than I expected." – @preetham_rangu
These comments highlight three recurring themes:
- Enriching IP data – integrating ASN, geolocation, and reputation services would turn raw IPs into actionable intelligence.
- Extending interaction – using LLM‑driven responses (as in
honeyprompt) could make the honeypot more convincing and gather richer payloads. - Community‑driven analytics – a leaderboard or campaign‑level view would help researchers compare activity across different honeypots.
Potential next steps for Honeypotlive
| Goal | Why it matters | How it could be implemented |
|---|---|---|
| Automatic session classification | Quickly separate scanning, credential‑probing, reconnaissance, persistence, downloading, and tunneling activities. | Train a lightweight classifier on labeled Cowrie events; apply in real time to tag sessions. |
| Campaign clustering | Identify coordinated attacks that span multiple IPs. | Group sessions by shared HASSH fingerprint, command sequence, public‑key hash, or downloaded artifact hash. |
| Enriched IP context | Provide immediate threat intelligence (ASN, country, known abuse). | Query services like ipinfo.io or ip.guide on connection, cache results, and display alongside the IP. |
| Historical search and statistics | Allow analysts to query past sessions, trends, and top‑talking bots. | Store events in a time‑series database (e.g., InfluxDB) and expose a search UI. |
| Distributed sensor support | Scale beyond a single VPS to monitor multiple network segments. | Deploy Cowrie instances behind a message broker (Kafka/RabbitMQ) and aggregate events in the dashboard. |
| Open‑source collector & dashboard | Encourage community contributions and reproducibility. | Publish the Python log‑watcher and front‑end code on GitHub with a clear contribution guide. |
Privacy and responsible disclosure considerations
The live stream includes source IPs and attempted credentials. The author notes a disclaimer that an IP may belong to a compromised host, VPN, or scanner. Any expansion of the platform should retain this warning and consider:
- Rate‑limiting the public API to prevent abuse.
- Anonymizing IPs after a retention period.
- Providing a takedown process for owners of mistakenly flagged IPs.
Conclusion
Honeypotlive.cc demonstrates the power of turning raw honeypot logs into an interactive, real‑time visualization. By exposing credential attempts, command execution, and fingerprint data, it reveals the structure of automated SSH attacks that would otherwise be lost in aggregated logs. Community feedback points toward enriching IP data, adding automated classification, and building a searchable historical archive—features that could transform the project from a live viewer into a full‑featured analysis platform for security researchers.