13 comments

  • throwaway778335 minutes ago
    Very cool! Adding a client geo would be nice (even if its not very accurate)
  • arm325 hours ago
    Hi tusksm! It&#x27;s honeypot season! Really cool project, I&#x27;ve been working on a honeypot project of my own right now called `honeyprompt` (<a href="https:&#x2F;&#x2F;github.com&#x2F;alectrocute&#x2F;honeyprompt" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;alectrocute&#x2F;honeyprompt</a>) that utilizes LLMs to craft responses and supports multiple protocols. Having a public sink presentation layer like honeypotlive.cc was one of my next todos.
  • _def1 hour ago
    fun to watch until the ssh user input exploits the web interface :P
  • Farrynet2 hours ago
    Its always wild seeing the sheer volume of background noice on public IPs. Fun project.
  • belval3 hours ago
    Someone instantly started spamming the bee movie&#x27;s introduction. Solid pun.
  • spikk2 hours ago
    For the sake of interest you could try to expose periodically rotated keyed hashes of IPs and credentials instead of the raw values. It would still let people correlate events within a limited time window
  • drcongo4 hours ago
    You know what extra data would be cool? If you hit `curl <a href="https:&#x2F;&#x2F;ip.guide&#x2F;{src_ip}" rel="nofollow">https:&#x2F;&#x2F;ip.guide&#x2F;{src_ip}</a>` and got back the ASN and country etc and added a leaderboard. In my own experiments in this area I&#x27;ve been gobsmacked by how much malicious traffic comes from Azure.
    • reaperducer3 hours ago
      <i>In my own experiments in this area I&#x27;ve been gobsmacked by how much malicious traffic comes from Azure.</i><p>I&#x27;m currently fighting this battle.<p>As of this morning:<p><pre><code> 80% of malicious traffic comes from Azure. 10% from Digital Ocean. 5% from AWS. 5% from GCP.</code></pre>
      • ok1234563 hours ago
        Closer to 95% if you count Teams.
      • drcongo2 hours ago
        Mine is <i>very</i> similar, but with DO and AWS swapped around.
  • tarpitt4 hours ago
    reminds me of <a href="https:&#x2F;&#x2F;xkcd.com&#x2F;350&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xkcd.com&#x2F;350&#x2F;</a>
  • preetham_rangu3 hours ago
    Watching the first few minutes was more educational than I expected.
  • CzaxTanmay4 hours ago
    Looks cool!
    • Diti3 hours ago
      [flagged]
      • __MatrixMan__3 hours ago
        Maybe it&#x27;s not the styling they&#x27;re commenting on.
  • b0rbb3 hours ago
    lol @ the person spamming Never Gonna Give You Up
  • tusksm5 hours ago
    Hi HN,<p>I maintain several web servers and kept seeing a constant stream of SSH login attempts. At some point I became curious: what do these bots actually try to do after they get in?<p>I set up a Cowrie SSH honeypot and built a small live dashboard around its JSON logs. Cowrie listens on port 22, a Python service follows the log and streams events over WebSockets, and Nginx serves the frontend. The whole thing currently runs on a 1 vCPU &#x2F; 1 GB Debian VPS.<p>The dashboard groups activity by source IP, with individual SSH sessions nested underneath. It shows authentication attempts, commands, SSH client fingerprints, file writes and downloads, and tunneling requests in real time.<p>Initially I thought the interesting part would be simply watching commands appear. After looking at the collected data, I realized that recurring behavior is much more interesting than individual events.<p>In one roughly 8-hour sample, the honeypot recorded about 1,950 sessions from 213 source IPs. 327 sessions reached command execution.<p>Some recurring patterns included:<p>- the same SSH public key being installed 152 times from 11 source IPs - a system fingerprinting script that appears designed to distinguish a real shell from a honeypot - a downloader requesting payloads for several CPU architectures - attempts to use SSH forwarding as a proxy - distributed credential probes that connect, test one value, and immediately disconnect<p>This also showed me that grouping activity only by IP isn&#x27;t enough. Several apparently different sources can use the same SSH client fingerprint, command sequence, public key, or downloaded artifact and probably belong to the same automated campaign.<p>At the moment this is primarily a live log viewer. Some directions I am considering are:<p>- automatic classification of sessions as scanning, credential probing, reconnaissance, persistence, downloading, or tunneling - clustering activity into campaigns using HASSH fingerprints, command sequences, SSH keys, and artifact hashes - historical statistics and searchable sessions - support for multiple distributed honeypot sensors - publishing the collector and dashboard code<p>The public stream currently includes source IPs, attempted credentials, and commands. I added a notice explaining that an IP may belong to a compromised machine, proxy, VPN, or scanner, but I am still thinking through the privacy and responsible-disclosure tradeoffs.<p>Cowrie&#x27;s &quot;login.success&quot; events only mean that the honeypot accepted the credentials; they don&#x27;t mean those credentials would work on a real server.<p>I&#x27;m trying to decide whether this should remain a simple live visualization or grow into a small analysis tool.<p>Which direction would make this project most useful or interesting to you? Are there other patterns or types of analysis that would be worth adding?
    • rkagerer4 hours ago
      Some kind of source IP masking would be prudent. As you pointed out, some of those machines are compromised, and you aren&#x27;t making their owners&#x27; lives any easier.<p>Bad actors might use the data you&#x27;re publishing to fingerprint specific exploits to which the machines are vulnerable, multiplying the problem.<p>If producing an IP blacklist is one of your aims, divorcing it from any specific traffic would be more responsible.<p>You may also want to consider the risk traffic from compromised machines could leak PII (eg. say a script tried to use you as a relay to exfiltrate data) - and the ethical and legal consequences. A filter for SIN, credit cards, etc. would be a basic table-stakes mitigation step.
      • ryandrake4 hours ago
        &gt; Some kind of source IP masking would be prudent. As you pointed out, some of those machines are compromised, and you aren&#x27;t making their owners&#x27; lives any easier.<p>Hard for me to find much sympathy for negligent users who unintentionally allowed their home computers or phones to join a malicious botnet, or their ISPs who aren&#x27;t stopping the activity. Even if it is my own grandma&#x27;s PC.<p>I agree about the content though, there probably are a lot of actually innocent victims&#x27; personal information in the traffic itself.
        • taftster3 hours ago
          Easy for you to say, assuming your PC is clean. I don&#x27;t think negligent is the right word though. Ignorant maybe? Or some form of naivety? The negligence might be on software or hardware vendors, but grandma isn&#x27;t to blame for the problem.
          • singleshot_23 minutes ago
            Software providers generally lack a duty to their clients to create and sell secure software. Further, generally, when you get hacked, there is only an interrupted causal chain between the software and your loss. Interrupting that chain is the intervening superseding cause of a criminal third-party. Finally, no states allow punitive damages, absent gross negligence in a software context.
        • dpoloncsak3 hours ago
          I disagree personally. If these IPs are being used to attempt to gain unauthorized access, it&#x27;s better to make the public aware, imo.
        • rolph2 hours ago
          when you read or are told not to click on that link in the e-mail, or open the attachment, you should fire up your monitor while you are clicking on the links.<p>it might be interesting to have an eye on this while you are talking to the phone scammer.
    • p1anecrazy4 hours ago
      Hi, this is very interesting, thanks. While trying to educate myself about honeypots I came across this (<a href="https:&#x2F;&#x2F;securehoney.net&#x2F;" rel="nofollow">https:&#x2F;&#x2F;securehoney.net&#x2F;</a>).<p>The aggregations of popular logins and IP locations seem interesting.
      • LorenDB4 hours ago
        From that site:<p><pre><code> Files uploaded 25,522 (46 unique) Malware uploaded 7,735 (43 unique) </code></pre> I wonder what 3 files were so common that they were uploaded 17,787 times instead of malware.
    • krunck4 hours ago
      This is great. Thanks.<p>Try fingerprinting the behaviour in the sessions. Over time you should be able to distinguish between various automated tools and live people.
    • hideout_berlin4 hours ago
      you could make the logs public too :)
  • paoliniluis3 hours ago
    There&#x27;s a guy trying to take down the server by sending as user&#x2F;pass the lyrics of Rick Astley&#x27;s &quot;never gonna give you up&quot;
    • KomoD3 hours ago
      From his home IP... very smart. <a href="https:&#x2F;&#x2F;ipinfo.io&#x2F;86.120.252.156" rel="nofollow">https:&#x2F;&#x2F;ipinfo.io&#x2F;86.120.252.156</a>
      • alin231 hour ago
        We don’t have static IPs at home in Romania. A restart of the router will just give that person another public IP and they won’t notice any repercussions.
      • efilife2 hours ago
        Why is it not smart?
        • athrowaway3z2 hours ago
          They are leaking their IP on the internet! Big security no-no. They&#x27;ll need to download a lot more ram to deal with all the hackers coming for them.<p>A data broker is going to correlate this IP with &quot;never gonna give you up&quot; as an ideological statement about his drug dealings. They&#x27;ll be receiving weird ads for weeks!
        • KomoD51 minutes ago
          Because attacking someone else&#x27;s server is very illegal?
      • reaperducer3 hours ago
        Probably a relay through a &quot;free&quot; app installed on someone&#x27;s phone or &quot;smart&quot; TV.
        • KomoD3 hours ago
          Nah, Spur (a company tracking residential proxies) doesn&#x27;t flag it at all.<p>He&#x27;s most likely just not very smart.
          • gruez3 hours ago
            &gt;Nah, Spur (a company tracking residential proxies) doesn&#x27;t flag it at all.<p>I looked into it and so far as I can tell it works off a blacklist system, rather than any sort of automatic analysis (eg. TCP or MTU fingerprinting). If you set up a &quot;residential proxy&quot; in the form of a home VPN, it won&#x27;t be detected. It also means the detection is only as good as whatever their backlist source is. If it&#x27;s a niche provider, it might not get picked up at all.
            • KomoD42 minutes ago
              [dead]
          • GreenVulpine3 hours ago
            They&#x27;re not doing a very good job at it, tried a few disposable free residential proxies - not flagged. Tried my CGNAT home connection - flagged. My phone connection - also flagged.
            • KomoD44 minutes ago
              &gt; tried a few disposable free residential proxies<p>Where are you finding free residential proxies?<p>&gt; Tried my CGNAT home connection - flagged. My phone connection - also flagged.<p>Why does that mean they&#x27;re doing a bad job? Since both are CGNAT, you&#x27;re sharing the IP with lots of other people, and it&#x27;s not unlikely that one of your network neighbors is infected.
          • toilet2 hours ago
            Maybe he is doing it for fun and not actually trying to hack the website with Rick Astley lyrics?
            • KomoD44 minutes ago
              That doesn&#x27;t make it less illegal?
        • m00dy3 hours ago
          IP is clean, most likely will pass any filtering. <a href="https:&#x2F;&#x2F;proxybase.xyz&#x2F;ip&#x2F;86.120.252.156" rel="nofollow">https:&#x2F;&#x2F;proxybase.xyz&#x2F;ip&#x2F;86.120.252.156</a>
    • williamcotton2 hours ago
      So we&#x27;re getting Rickrolled?