24
PSA: My home router went from zero blocked attempts to over 200 a day after I set up a honeypot
I run a small home server and about three months ago, I set up a basic honeypot on a spare Raspberry Pi to see what kind of traffic was hitting my network. For the first week, it was quiet, maybe one or two weird connection tries. Then, after about ten days, it exploded. My firewall logs now show over 200 blocked attempts daily, mostly trying to SSH into the honeypot with common usernames like 'admin' and 'root'. The cause seems clear: once the botnets found that open, fake port, they added my IP to their lists and keep hammering it. It's a stark before-and-after that shows how quickly you become a target once you're visible. I'm debating if the learning was worth painting a target on my home network. Has anyone else run a honeypot and seen this kind of immediate attention spike?
3 comments
Log in to join the discussion
Log In3 Comments
jamieburns3mo ago
What did you expect would happen? You put out a welcome mat for bots, so of course they showed up. That's the whole point of a honeypot, to see the attack traffic.
4
wyatt5133mo ago
Wait, hold up. That's not exactly what a honeypot is for though. It's not just about seeing bots show up, it's about studying how they act once they're inside. You watch what they try to do, what they're looking for. That's how you learn to stop them for real.
4
lilymurphy17d ago
@wyatt513 actually said it better than most people would. That's the whole point of setting up a honeypot - you get to see the full playbook of what these bots are trying to pull off. Just counting how many show up is like seeing a fish hit your line but never reeling it in to see what kind it is.
And jamieburns, you're not wrong about the welcome mat part, but that's just step one. The real value comes from watching them fumble around inside. You can figure out what vulnerabilities they're after, what kind of data they're sniffing for, even which C2 servers they report back to. That's gold for anyone trying to lock down a real network.
Honeypots are more about intel gathering than just counting heads. You want to know what moves they're trying to make so you can block those moves before they try them on your actual systems.
3