╔═══════════════════════════════════════════╗
║  ░██████╗░█████╗░███╗░░░███╗███╗░░██╗███████╗████████╗  ║
║  ██╔════╝██╔══██╗████╗░████║████╗░██║██╔════╝╚══██╔══╝  ║
║  ╚█████╗░███████║██╔████╔██║██╔██╗██║█████╗░░░░░██║░░░  ║
║  ░╚═══██╗██╔══██║██║╚██╔╝██║██║╚████║██╔══╝░░░░░██║░░░  ║
║  ██████╔╝██║░░██║██║░╚═╝░██║██║░╚███║███████╗░░░██║░░░  ║
║  ╚═════╝░╚═╝░░╚═╝╚═╝░░░░░╚═╝╚═╝░░╚══╝╚══════╝░░░╚═╝░░░  ║
║                    HONEYPOT                             ║
╚═══════════════════════════════════════════╝
ssh://samnet.dev ~ security operations center
Connecting...
root@honeypot ~/stats
Total Attacks
0
0 attacks
Unique IPs
0
0 unique IPs
Passwords Tried
0
0 passwords
Commands Executed
0
0 commands
IPs Banned
0
0 banned
Threat Level
SCANNING
live attack feed
--:--:-- Waiting... Connecting to honeypot...
global attack origins
attack activity (24h UTC)
top attack origins 24H / ALL BAR / PIE
top passwords
Password Count
permanently banned ips // iptables -L BANNED
IP Address Location Attempts Reason Banned At
🏆 top attackers // hall of shame
# IP Address Location Attacks Logins Success Cmds Type Status
top usernames attempted
top commands executed
root@honeypot ~/intel
ip intelligence lookup
about this honeypot

🍯 What is a Honeypot?

A decoy system designed to look vulnerable. Attackers try to break in, but everything they do is logged and they can't access anything real. This is a real SSH honeypot running 24/7 on my home server—every attack you see here is genuine.

⚙️ How It Works

Cowrie SSH accepts weak passwords like root/123456, gives attackers a fake Linux shell, and logs every command. The sandbox prevents any real damage.

🛠️ Tech Stack

Cowrie SSH FastAPI SQLite Docker MaxMind GeoIP

Self-hosted on my home lab infrastructure

📊 Dashboard Guide

  • Threat Level — Current attack intensity
  • Live Feed — Real-time attack stream
  • Top Passwords — Most tried credentials
  • Attack Origins — Geographic breakdown
FAQ & my perspective

💭 Why I Built This

As a network engineer and security enthusiast, I've always wondered what actually happens when you expose a server to the public internet. This project started as curiosity and became an eye-opening window into the constant automated attacks that hit every public IP—usually within minutes of going online. It's a reminder of why we need proper security, firewalls, and strong passwords. Every login attempt and command you see on this dashboard is real—no simulations, no fake data.

Is this real data?

Yes! Every entry is a genuine attack attempt against my public IP address. Nothing is simulated or staged.

Is my network at risk?

No—Cowrie is completely sandboxed. Attackers interact with a fake filesystem and can't access anything on my real network.

How fast do attacks start?

Usually within 5 minutes of a new public IP going online. Bots scan the entire internet constantly looking for vulnerable services.

What do attackers do?

Most run reconnaissance (uname, cat /proc), then try to download malware (wget, curl), and finally try to cover their tracks (rm).