DShield Honeypot

The DShield Honeypot is a low interaction honeypot that allows us to collect data for research purposes. The honeypot by default runs the following clients:

• Collecting SSH and Telnet usernames and passwords via Cowrie
• An HTTP honeypot collecting full http requests
• We also collect firewall logs from the honeypot

The honeypot can be installed on a Raspberry Pi using Raspbian OS or a system running Ubuntu 20.04 LTS. For more details and up to date instructions, see our GitHub repository.

Complete Install Video via YouTube (long/thorough)

Honeypot FAQs

• Will running a honeypot increase my risk of an attack?
  It should not. This is not an actual vulnerable system. But instead, we are using scripts like Cowrie to simulate a vulnerable system.
• Is it useful to DShield to have a honeypot on a residential DSL/Cable connection or do you need data from large networks?
  Absolutely. We need a large number of diverse participants to make this project useful. Even a normal home connection will likely see several attacks a day.
• Can I run the honeypot on a free AWS instance (or other cloud service)?
  Yes. The honeypot uses little resources. It should work well on a minimum cloud instanace. It needs only little disk storage. Logs are sent to DShield every 30 minutes and no longer term log storage is needed.
• Can the honeypot be hacked? Can it be used to attack others?
  We hope not. The honeypot uses scripts to simulate vulnerable services. This is not a vulnerable machine or "full interaction" honeypot.
• How do I report a problem or ask for help?
  Report any problems as an "issue" via GitHub. This is the best way for us to track any problems. Or use our Slack channel.