Quick Guide to Setting Up an SSH Honeypot

Jason Miller

DevSecOps Engineer & Identity Protocol Specialist

 
January 8, 2026 8 min read

TL;DR

This guide covers deploying an SSH honeypot to observe unauthorized access attempts and use what you learn to harden an enterprise network. You'll set up Cowrie, analyze its logs for attack patterns, and feed those findings into your AI agent identity management strategy for better workforce security.

Why every enterprise needs a digital decoy

Ever wonder why your logs are full of random IP addresses from halfway across the world guessing passwords? The internet is basically a dark alley where bots rattle every door handle they see, and a public SSH port is a door handle.

A honeypot is a decoy server you expose specifically so that it gets attacked. You want intruders to break in so you can watch what they do without them ever touching real data. Since SSH is one of the most brute-forced services on the internet, it's the perfect place to start.

  • Intelligence gathering: you see the exact tools, credentials and scripts attackers use. As Blake White (2024) explains in his project, setting a trap lets you collect data on thousands of attacks and see how they try to get in.
  • Early warning: if someone hits your honeypot with a credential that is real somewhere in your company, that password has probably leaked, and you find out before it's used against production.
  • Wasting their time: every minute a bot spends cracking your decoy is a minute it isn't spending on your real production database.

Now that AI agents automate so much of our work, the risks get stranger. Those agents carry their own identities and permissions, and a misconfigured agent that can open SSH sessions can be lured onto an attacker-controlled host, or act on hostile output, just like a human can.


Decoys let you catch an intrusion, including the "zero-click" style attacks against agents, at the reconnaissance stage, before it moves laterally through your enterprise workforce systems. It's about being proactive instead of waiting for a Jira ticket to tell you you've been breached.

Anyway, it's wild how fast these bots find you, sometimes within seconds of a host coming online. Next, we'll look at the tools you need to build one of these traps yourself.

Choosing your tools and environment

So you've decided to build a trap. Honestly, the hardest part isn't the code; it's making sure you don't accidentally pwn yourself by putting the honeypot in the wrong spot.

For SSH, Cowrie is pretty much the king. It's a medium-interaction honeypot, which means it emulates a Linux shell and filesystem well enough to keep attackers busy without handing them a real system. It started as a fork of the older Kippo and has moved well past it: it logs every command typed, records replayable terminal sessions, captures files fetched with its emulated wget/curl or pushed over SCP/SFTP, and can emulate Telnet as well as SSH.

  • Cowrie: best for capturing shell interaction and seeing which scripts get run.
  • Kippo: Cowrie's ancestor, no longer maintained.
  • Custom scripts: fine if you enjoy pain or need something very specific, such as a decoy built around a niche AI agent identity.

A 2024 IBM Technology report highlights that as we move toward AI agents, these automated entities are becoming targets of "zero-click" attacks, which makes high-quality logging in your decoys even more important for tuning RBAC.

Never, ever run this on your home network or a production VLAN. One configuration mistake and that bot is pivoting from your honeypot straight into your real database. Use a cheap, isolated VPS (virtual private server) from a provider like DigitalOcean or AWS, with nothing else on it and no network path back to your environment.


You also have to monitor the monitor. If the honeypot starts sending thousands of emails, an attacker has turned your trap into a spam relay. Put a strict egress firewall on the host: block outbound SMTP and anything else you don't need, and alert on outbound connections you didn't expect. One caveat: Cowrie's emulated wget and curl really do fetch the attacker's URL so you can capture the payload, so if you allow that, rate-limit it and never permit outbound traffic toward your own address space.

Anyway, once the environment is locked down, you're ready to install the thing. Next up, we're getting our hands dirty on the command line.

Step-by-step installation guide

Alright, time to get our hands dirty. You've got your VPS ready, so now we need to turn that blank Linux box into a convincing trap. If you leave Cowrie at its defaults, any half-decent bot will recognize the fingerprint.

First things first: you have to move your real SSH access. Attackers need to land on port 22, and Cowrie listens on 2222 by default, so where does your own admin session go?

  • Move your real SSH port: edit /etc/ssh/sshd_config and change Port 22 to something that won't collide with Cowrie's default 2222, for example Port 22222. Open that port in your host firewall (and your cloud security group) and test a second connection before closing the old one, or you'll lock yourself out. I've done it; it sucks.
  • Send port 22 to the honeypot: Cowrie must not run as root, so leave it on 2222 and add an iptables NAT rule that redirects incoming TCP 22 to 2222 (the exact rule is in the Cowrie docs), or use authbind. Make sure the NAT rule is applied only after sshd has moved.
  • Dependencies: the basics from the Cowrie docs. Run sudo apt update && sudo apt install git python3-venv libssl-dev libffi-dev build-essential libpython3-dev python3-minimal authbind -y.
  • User safety: never run Cowrie as root. Seriously. Create a limited user: sudo adduser --disabled-password cowrie.

Now we grab the code. Switch to your new user and clone the repo. We use a virtual environment so we don't touch the system Python; it also makes decommissioning later much easier, since everything lives under one directory.

su - cowrie
git clone https://github.com/cowrie/cowrie
cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install --upgrade -r requirements.txt

Cowrie's shipped defaults live in etc/cowrie.cfg.dist; don't edit that file. Create etc/cowrie.cfg next to it containing only the settings you override, which keeps upgrades painless. The defaults are fine for a lab, but we want to mimic a high-value target, like a healthcare records server or a retail backend.

  • Hostname: under [honeypot], change hostname from the stock svr04 to something juicy like fin-srv-01 or ai-model-weights-prod. While you're there, change the SSH version banner under [ssh]; the stock banner is easy to fingerprint as Cowrie.
  • Honeyfs: the fake filesystem. The directory tree comes from share/cowrie/fs.pickle and file contents from the honeyfs/ directory, so a new file needs an entry in both (Cowrie ships bin/fsctl for editing the pickle). Seed it with fake .env files or API keys; an attacker who finds aws_creds.txt will stay much longer and give you better telemetry for your RBAC audit trail. Every seeded value must be fake and unique, so it doubles as a honeytoken.
  • JSON logging: [output_jsonlog] is enabled by default and writes var/log/cowrie/cowrie.json. Confirm it's on, because that file is what you'll ship to your SIEM later.
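Before starting the honeypot it's worth checking that your overrides actually changed the things that give a stock Cowrie away. The script below is an added example, not part of Cowrie or of this post: it layers an override file over a stand-in for etc/cowrie.cfg.dist exactly the way Cowrie does (later file wins) and reports settings still at their shipped value, a disabled JSON log, and a privileged listen port. The section and key names are Cowrie's; the dist values and both override files are constructed for the example, so compare against your own checkout.

```python
import configparser

# Stand-in for Cowrie's shipped etc/cowrie.cfg.dist (constructed for this example:
# the key names are Cowrie's, the values are illustrative; check your own checkout).
DIST_CFG = """
[honeypot]
hostname = svr04
log_path = var/log/cowrie

[ssh]
enabled = true
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
listen_endpoints = tcp:2222:interface=0.0.0.0

[output_jsonlog]
enabled = true
logfile = ${honeypot:log_path}/cowrie.json
"""

# An etc/cowrie.cfg that makes the common mistakes (constructed).
WEAK_OVERRIDE = """
[ssh]
listen_endpoints = tcp:22:interface=0.0.0.0

[output_jsonlog]
enabled = false
"""

# An etc/cowrie.cfg that does what the text recommends (constructed).
HARDENED_OVERRIDE = """
[honeypot]
hostname = fin-srv-01

[ssh]
version = SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13

[output_jsonlog]
enabled = true
"""

# Settings whose stock value says "this is a Cowrie install" to a scanner.
WATCHED = [("honeypot", "hostname"), ("ssh", "version")]


def _load(*texts):
    # Later texts override earlier ones, mirroring cowrie.cfg layered over cowrie.cfg.dist.
    cfg = configparser.ConfigParser(interpolation=configparser.ExtendedInterpolation())
    for text in texts:
        cfg.read_string(text)
    return cfg


def audit(dist_text, override_text):
    """Return a list of findings for the effective config; empty means it looks sane."""
    dist = _load(dist_text)
    cfg = _load(dist_text, override_text)
    findings = []
    for section, key in WATCHED:
        if cfg.get(section, key) == dist.get(section, key):
            findings.append(f"{section}.{key} is still the stock value {dist.get(section, key)!r}")
    if not cfg.getboolean("output_jsonlog", "enabled"):
        findings.append("output_jsonlog is disabled, so nothing will reach the SIEM")
    # listen_endpoints is a space-separated list of Twisted endpoint strings,
    # e.g. "tcp:2222:interface=0.0.0.0"; ports below 1024 would require root.
    for endpoint in cfg.get("ssh", "listen_endpoints").split():
        parts = endpoint.split(":")
        if parts[0] == "tcp" and int(parts[1]) < 1024:
            findings.append(f"{endpoint} is a privileged port; keep 2222 and redirect 22 via iptables or authbind")
    return findings


if __name__ == "__main__":
    for name, override in (("weak", WEAK_OVERRIDE), ("hardened", HARDENED_OVERRIDE)):
        print(name, audit(DIST_CFG, override) or ["OK"])
```

Run it against your real files by reading etc/cowrie.cfg.dist and etc/cowrie.cfg into the two arguments; extend WATCHED with any other value you consider a fingerprint.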


As Blake White's project showed, these bots move fast, often within seconds. A honeyfs that looks like a sensitive AI hub lets you tell whether an intruder is hunting for model configs or just installing a cryptominer.

Anyway, once you've tweaked the config, run bin/cowrie start from the cowrie directory (with the venv active). Check bin/cowrie status and tail var/log/cowrie/cowrie.log to confirm it's listening, then SSH to it yourself once to see your own session appear. You're live. Next, we'll look at how to read those logs without losing your mind.

Analyzing the data and taking action

So, you’ve finally got some bites on your line. It’s pretty tempting to just stare at the logs and feel cool, but honestly, data without action is just a wasted cloud bill.

Most of what you'll see is just background noise—dumb bots trying "admin/admin" or "root/123456." But every now and then, you’ll see something weird, like a specific sequence of commands that feels... human.

  • Password trends: a surge of attempts using a healthcare- or retail-themed password can mean a credential dump from your industry is being replayed against everyone.
  • The human factor: scripts fire commands milliseconds apart. A five-second pause between cd /etc and cat passwd means someone is typing.
  • IP reputation: don't just block the IP; look at where it comes from. Hosting-provider ranges are usually automated scanners; a residential ISP address often means the attacker is proxying through a compromised home router or a residential proxy network. Either way, a single IP is a weak signal on its own, so correlate it with what the session actually did.

Once you've seen how they move, you have to harden your actual production environment. This is where your RBAC and identity lifecycle management come in.

  1. Audit your RBAC: if an intruder in your honeypot goes straight for AI model weights, make sure your real AI agents don't have over-privileged access to those directories.
  2. Wire honeytokens into your IdP: every credential you seeded in the honeyfs is fake and unique, so any attempt to use one against your identity provider (a SAML login, a SCIM-provisioned account) is a confirmed sign the attacker read your decoy. Alert on it.
  3. Decommissioning: if an AI agent identity shows the same pattern, have an automated kill switch that revokes its API keys and deactivates it through SCIM.

As Blake White's project put it, the goal is exposing the attackers. Feeding this telemetry into a system like AuthFyre lets you manage the lifecycle of your AI agents and keep the enterprise workforce safe from "zero-click" nonsense.

Anyway, it's a lot to take in. Next, we wrap up with some final thoughts on keeping your trap legal and ethical.

Best practices for enterprise honeypots

So you've got a trap running and the logs are pouring in. It's easy to feel like a digital hunter, but if you don't play it smart, you might end up being the one in trouble.

First off, talk to your legal folks. Entrapment is a defense raised in criminal prosecutions, not something a private honeypot operator needs to worry about; privacy and data-protection law is. You're recording IP addresses, keystrokes and uploaded files from people who never agreed to it. Never store real customer data or real private keys on the decoys; keep everything fake so there's nothing to actually steal.

  • Check privacy policies: make sure your company's fine print says you monitor network traffic for security purposes.
  • Rotate your fingerprint, not just the IP: if the same address with the same hostname, banner and filesystem sits there for months, services like Shodan will flag it as a honeypot and the smarter attackers will skip it.
  • Auto-patching: keep the host OS updated, and update Cowrie itself (git pull, then reinstall requirements in the venv). It would be pretty embarrassing if someone used a real kernel exploit to jump from your trap into your actual VLAN.


Scaling this isn't just about more servers; it's about better AI agent lifecycle management. As mentioned earlier, tools like AuthFyre rotate those keys automatically so your RBAC stays tight even when things get messy.

  1. Set up a cron job to reset the honeyfs weekly so it stays "fresh" and the files attackers drop don't pile up (keep copies of those drops elsewhere; they're your malware samples).
  2. Route your JSON logs to a Slack or Jira alert for "human-like" activity.
  3. Use SCIM to deactivate any AI agent identity that shows up in your trap's logs.
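The earlier hardening steps (trigger IdP alerts on seeded credentials, kill compromised agent identities) and step 3 here come down to one correlation job. The script below is an added example, not code from the post, from Cowrie, or from any identity provider: it treats the usernames planted in the honeyfs as honeytokens, flags any appearance of them in IdP audit events, flags identities that were tried on the honeypot and then logged into production from the same source IP, and builds the SCIM 2.0 PATCH body (RFC 7644 section 3.5.2) that deactivates a user. The honeypot events use Cowrie's field names; the IdP event shape and all values are assumptions constructed for the example.

```python
import json

# Usernames planted in the honeyfs, e.g. inside a fake aws_creds.txt (constructed).
# They exist nowhere in production, so any use of them against the IdP proves the
# attacker read the decoy.
SEEDED_HONEYTOKENS = {"ai-weights-sync", "fin-etl-agent"}

# Honeypot login events as Cowrie's JSON output presents them (constructed).
HONEYPOT_LOGINS = [
    {"eventid": "cowrie.login.success", "src_ip": "198.51.100.77", "username": "admin", "password": "Clinic2025!"},
    {"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "root", "password": "123456"},
]

# Production IdP audit events in an ASSUMED shape; real IdPs name these fields differently.
IDP_EVENTS = [
    {"user": "ai-weights-sync", "src_ip": "198.51.100.77", "result": "failure"},
    {"user": "admin", "src_ip": "198.51.100.77", "result": "success"},
    {"user": "jdoe", "src_ip": "192.0.2.10", "result": "success"},
]


def honeytoken_hits(idp_events, seeded=SEEDED_HONEYTOKENS):
    """Any IdP event, successful or not, that names a planted username."""
    return [e for e in idp_events if e["user"] in seeded]


def overlap_identities(honeypot_logins, idp_events):
    """Usernames tried on the honeypot that later authenticated successfully on
    production from the same source IP: the attacker is reusing what worked or leaked."""
    tried = {(e["username"], e["src_ip"]) for e in honeypot_logins}
    return sorted({e["user"] for e in idp_events
                   if e["result"] == "success" and (e["user"], e["src_ip"]) in tried})


def scim_deactivate_patch():
    """Body for PATCH /Users/{id} on a SCIM 2.0 endpoint, setting active=false."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def plan_response(honeypot_logins, idp_events):
    """Turn correlations into concrete actions; the caller ships them to SOAR/Slack/SCIM."""
    actions = []
    for hit in honeytoken_hits(idp_events):
        actions.append({"severity": "critical", "reason": "honeytoken used against IdP",
                        "user": hit["user"], "block_ip": hit["src_ip"]})
    for user in overlap_identities(honeypot_logins, idp_events):
        actions.append({"severity": "high", "reason": "identity seen in honeypot logged into prod",
                        "user": user, "scim_patch": scim_deactivate_patch()})
    return actions


if __name__ == "__main__":
    print(json.dumps(plan_response(HONEYPOT_LOGINS, IDP_EVENTS), indent=2))
```

In practice you'd run this on a schedule over the last hour of cowrie.json and IdP audit export; the "same IP" test is deliberately strict to keep false positives low, so pair it with the password-reuse check your IdP already does.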

Honestly, a honeypot is a living thing. Treat it like a garden—water it, weed it, and it'll keep the pests away from your real crops. Good luck out there.

Jason is a seasoned DevSecOps engineer with 10 years of experience building and securing identity systems at scale. He specializes in implementing robust authentication flows and has extensive hands-on experience with modern identity protocols and frameworks.
