On August 10th, 2025, I set up an SSH honeypot on my home network, daring any and all hackers to try and break in. I did not actually run any special honeypot software (although it exists); I simply set an incredibly strong SSH password (30 characters long) on my little Raspberry Pi 4 Model B and opened up port 22 on my ISP-provided SOHO router.
This little microcomputer has been sitting on my desk, fearlessly fending off thousands of intrusions across the globe. I thank it for its service.
I set up a local job that runs at midnight every night and emails me a report of all the SSH intrusion attempts from the previous day. A sample report looks like the following:
Data Collection
The way I achieved this was a simple Bash script that I set to run on a cron schedule:
#!/bin/bash
# ... (elided in the original post; REPORTDAY, TMPFILE and AUTHLOG need to be set before this point)
echo "SSH Login Attempts for $REPORTDAY" > "$TMPFILE"
echo "===================================" >> "$TMPFILE"

# Failed-login lines look like
#   "... Failed password for invalid user admin from 1.2.3.4 port 51022 ssh2"
# so the source IP is the fourth field from the end; LAN clients are dropped.
grep "$REPORTDAY" "$AUTHLOG" | grep "Failed password" | grep -v "192.168.1" \
    | awk '{print $(NF-3)}' \
    | sort | uniq -c | sort -nr \
    | while read -r COUNT IP; do
        # geoiplookup prints "GeoIP Country Edition: CN, China"; keep the name after the comma
        COUNTRY=$(geoiplookup "$IP" | awk -F ': ' '{print $2}' | awk -F, '{print $2}')
        if [[ "$COUNTRY" == *"United States"* ]]; then
            STATE=$(whois "$IP" | grep StateProv | awk '{print $2}' | head -1)
            # ${COUNTRY:1} drops the leading space left by the comma split
            echo "$COUNT attempts from $IP (${COUNTRY:1} - $STATE)" >> "$TMPFILE"
        elif [[ "$COUNTRY" == "" ]]; then
            echo "$COUNT attempts from $IP (Country not found)" >> "$TMPFILE"
        else
            echo "$COUNT attempts from $IP (${COUNTRY:1})" >> "$TMPFILE"
        fi
        # ...
        # Usernames come from "Invalid user <name> from <ip> port ..." lines. Matching the
        # fixed string "from $IP port" stops 1.2.3.4 from also matching 1.2.3.45, and sorting
        # before uniq -c makes the counts real totals instead of runs of adjacent lines.
        USERS_TRIED=$(grep "$REPORTDAY" "$AUTHLOG" | grep -F "from $IP port" | grep 'Invalid user' \
            | awk '{print $8}' | sort | uniq -c | sort -nr | head -5)
        echo "Users tried:" >> "$TMPFILE"
        echo "$USERS_TRIED" | while read -r ucount uname; do
            printf " %s %s\n" "$ucount" "$uname" >> "$TMPFILE"
        done
        echo "---------------" >> "$TMPFILE"
    done
# ...
This script (shortened for brevity) pulls the previous day's authentication log entries, correlates each source IP address with a geolocation, and checks it against the Snort IP blocklist and the list of known TOR exit nodes.
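As an added example (not code from the original post), here is the same per-IP report logic in Python, including the Snort blocklist and TOR exit-node cross-check that the shortened script only mentions. The log lines, blocklist and exit-node entries are constructed stand-ins, and summarize and hit_rate are names chosen for this example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # local clients, excluded like the script's grep -v
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+) port")

# Constructed sshd log excerpt (hypothetical addresses, not real attackers).
SAMPLE_AUTHLOG = """\
Aug 11 03:14:07 pi sshd[2011]: Invalid user admin from 203.0.113.7 port 51022
Aug 11 03:14:09 pi sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Aug 11 03:15:01 pi sshd[2015]: Invalid user user from 203.0.113.7 port 51040
Aug 11 03:15:03 pi sshd[2015]: Failed password for invalid user user from 203.0.113.7 port 51040 ssh2
Aug 11 04:02:44 pi sshd[2100]: Failed password for root from 198.51.100.23 port 40010 ssh2
Aug 11 07:30:12 pi sshd[2200]: Failed password for pi from 192.168.1.50 port 55000 ssh2
Aug 11 08:00:00 pi sshd[2300]: Invalid user test from 203.0.113.70 port 41000
Aug 11 08:00:02 pi sshd[2300]: Failed password for invalid user test from 203.0.113.70 port 41000 ssh2
Aug 12 00:00:05 pi sshd[2400]: Failed password for root from 198.51.100.23 port 40020 ssh2
"""

# Constructed stand-ins for the Snort IP blocklist and the TOR exit-node list.
SNORT_BLOCKLIST = {"203.0.113.7"}
TOR_EXITS = {"198.51.100.23"}

def summarize(authlog, day, blocklist, tor_exits):
    """Per-IP failed-login counts for one day, with usernames tried and list flags."""
    attempts, users = Counter(), defaultdict(Counter)
    for line in authlog.splitlines():
        if not line.startswith(day + " "):  # same role as grep "$REPORTDAY"
            continue
        m = FAILED_RE.search(line)
        if m and ip_address(m.group(2)) not in LAN:
            attempts[m.group(2)] += 1
        m = INVALID_RE.search(line)  # exact-IP dict key, so 203.0.113.7 never absorbs .70
        if m and ip_address(m.group(2)) not in LAN:
            users[m.group(2)][m.group(1)] += 1
    return [{"ip": ip, "attempts": n,
             "users_tried": users[ip].most_common(5),
             "on_snort_blocklist": ip in blocklist,
             "tor_exit": ip in tor_exits}
            for ip, n in attempts.most_common()]

def hit_rate(report, flag):
    """Share of unique attacking IPs carrying a flag (the post's 4 of 1,578 is 0.253%)."""
    return sum(r[flag] for r in report) / len(report) if report else 0.0

if __name__ == "__main__":
    for row in summarize(SAMPLE_AUTHLOG, "Aug 11", SNORT_BLOCKLIST, TOR_EXITS):
        print(row)
```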
Visualization
Using two Python scripts, I aggregated all of these honeypot reports from my email into a single JSON payload that fed an HTML dashboard page. Let's dive into each of the dashboard panels below.
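The aggregation step, as an added example rather than the author's actual Python scripts: it parses the emailed report format that the Bash script above produces and merges many nightly reports into the dashboard payload (top IPs, attempts by country, top usernames). The two sample reports are constructed with hypothetical addresses, and parse_report and aggregate are names chosen here.

```python
import re
from collections import Counter
ATTEMPT_RE = re.compile(r"^(\d+) attempts from (\S+) \((.+)\)$")
USER_RE = re.compile(r"^\s*(\d+) (\S+)$")  # the " 3 admin" lines under "Users tried:"
# Two constructed nightly reports in the Bash script's output format (hypothetical data).
SAMPLE_REPORTS = [
"""SSH Login Attempts for Aug 11
===================================
57 attempts from 203.0.113.7 (China)
Users tried:
 3 admin
 2 user
---------------
""",
"""SSH Login Attempts for Aug 12
===================================
40 attempts from 203.0.113.7 (China)
Users tried:
 4 user
---------------
12 attempts from 198.51.100.23 (United States - TX)
Users tried:
 1 root
---------------
""",
]
def parse_report(text):
    entries = []  # [(ip, attempts, country, Counter(users))] for one emailed report
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            count, ip, geo = m.groups()
            entries.append((ip, int(count), geo.split(" - ")[0], Counter()))  # drop the state
            continue
        m = USER_RE.match(line)
        if m and entries:  # a username line belongs to the most recent IP block
            entries[-1][3][m.group(2)] += int(m.group(1))
    return entries

def aggregate(reports, top_n=20):
    """Merge nightly reports into the dashboard payload (pass it to json.dumps)."""
    by_ip, by_country, by_user = Counter(), Counter(), Counter()
    for text in reports:
        for ip, count, country, users in parse_report(text):
            by_ip[ip] += count
            by_country[country] += count
            by_user.update(users)
    return {"top_ips": by_ip.most_common(top_n), "unique_ips": len(by_ip),
            "attempts_by_country": by_country.most_common(),
            "top_users": by_user.most_common(top_n)}
```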
Top 20 Attacking IPs
The top five attacking IPs were all from China. The top one (8[.]140[.]229[.]224) had 957 attempts over the past month and a half. Looking at this IP in Shodan gives us this information:
And searching for it on various malicious IP trackers reveals it is indeed malicious:
Attempts By Country
Looking at total attempts by country (across all IPs coming from each country), you can see China takes the lead at 6,312 with the U.S. not far behind at 6,149. Then it drops off dramatically:
China - 6,312 attempts
United States - 6,149 attempts
India - 1,805 attempts
South Korea - 1,098 attempts
Sweden - 1,001 attempts
Netherlands - 997 attempts
Tunisia - 930 attempts
Iran - 713 attempts
Australia - 480 attempts
Canada - 453 attempts
Top 20 Users Tried
While the graph shows the top 20, only the top 10 usernames tried (excluding attempts without a username) were really relevant:
1. user
2. admin
3. ubuntu
4. debian
5. test
6. oracle
7. dev
8. guest
9. usario
10. support
After that, there are only a handful of attempts with other usernames.
Here is an interesting one.
Snort is an open-source IPS (Intrusion Prevention System), and the project maintains a fairly active IP blocklist that you can download and add to your firewall rules even if you don't use Snort itself. This blocklist includes ~1,575 IP addresses at the time of writing. I downloaded this blocklist and simply compared intrusion attempt sources to it (I did not use the blocklist to make firewall decisions). I expected a decent number to be on the Snort list, maybe around 50% or so.
However, according to my honeypot on the front lines, only 4 out of 1,578 unique IP addresses were actually on the Snort blocklist - meaning that Snort would have saved me 0.253% of the time.
This tells me that the Snort "Community Ruleset" may not be comprehensive, but perhaps the paid subscription to the ruleset backed by Cisco Talos includes the IP addresses that have been attacking my honeypot for the past two months.
The graph may look a little off here, showing a value of "100%" - but this is actually the share of attempts that were NOT using TOR (so the data label is "false"). So 100% of attempts did NOT use TOR.
This was surprising to me. If you don't know, the TOR project (standing for "The Onion Router") is an anonymity-first network and browser that lets you surf the web with very little trace of who you are. It works through a large network of volunteer-run relays that carry your traffic around the world. Once connected to the TOR network, a "circuit" is built for you that proxies your traffic through three nodes across the globe. The first node (entry node) knows who you are, but not what you are requesting. The last node (exit node) knows what you are requesting but not who you are. In a perfect world, this would give you 100% anonymity. TOR is infamous as a hacker favorite and is even referenced within the first five minutes of Mr. Robot.
So why are none of these real-life threat actors using it? It could be because there are large, well-founded rumors that the U.S. government along with INTERPOL control quite a large number of TOR nodes. If you control the exit node, you can see traffic as it leaves the TOR network, and if you also control the entry node, you can see the de-anonymized traffic as it enters. Supposedly the government allows TOR to operate independently, but you never know.
Additionally, maybe TOR is just the middle man here. I'm only tracking known exit node IP addresses, so if a threat actor used TOR first and then chained another VPN after the exit node, I would only see the VPN address. However, I don't think this is the case, as routing traffic through at least four proxies across the globe is extremely slow and inefficient.
SSH Attack Origins Worldwide
This graph does not give any more information than previous graphs, but it is a quick and helpful visual into where these attacks are originating. Of course, the darker a country appears, the more honeypot intrusion attempts originated from there.
As expected, the largest geopolitical superpowers (which also quite publicly flame one another) attempt to hack the most. Makes you wonder if the rest of the global Internet is merely a medium for the U.S. and China to attack one another, but I digress.
Conclusions
I would be remiss if I did not discuss conclusions from this honeypot experiment.
1. Change default usernames. As shown above, attackers will try "user", "admin", etc. quite frequently. Changing the username to something non-obvious and ensuring the password is highly secure will knock out 99% of these attacks easily.
2. Employ a defense-in-depth strategy. Don't rely on the Snort IP blocklist as your only defense mechanism, even if it is backed by a community of security professionals. If you had, attackers would have been able to intrude 99.7% of the time. Similarly, don't ONLY block TOR exit nodes. None of these attacks used TOR, telling me that threat actors may be staying off the TOR network altogether or adding another hop after leaving it.
Next Steps
I will attempt to set up an automated pipeline to accurately report potentially malicious IP addresses to some open source threat intelligence community so that I can contribute to more comprehensive blocklists. Stay tuned for more as I set up this pipeline and bake in logic to not report false positives or academic sources.