depth 3,800m // sensor active

Something is always out there.

A honeypot sitting quietly in the dark. No announcements. No inbound links. The scanners find it anyway — drawn to any open port like creatures to a light at the bottom of the sea. This is what they do when they think no one is watching.

865 sessions // day one
55 unique IPs // day one
805 login attempts // day one
176 commands run // day one

What they do when they get in.

Cowrie grants every attacker a convincing shell. What follows is a reliable playbook: enumerate the host, check for miners, drop a payload, disappear. Sometimes they’re hunting Solana nodes. Sometimes Telegram sessions. Always automated.

Full event stream available in the live feed →

A trap in the dark.

A Raspberry Pi 4 running Cowrie, exposed on a non-standard port. Events stream through Cloudflare Workers, enriched with geo and threat intel, and stored permanently in D1 for analysis and historical search.

01
Raspberry Pi 4 // Cowrie SSH honeypot
A low-interaction SSH/Telnet honeypot that presents a convincing shell. Logs every keystroke, credential attempt, and uploaded file in structured JSON. Running on port 2222, visible to the open internet.
02
Log pusher // tail → ingest Worker
A lightweight Python script tails cowrie.json and POSTs batches to a Cloudflare Worker every 30 seconds. Events are authenticated, geo-enriched via ip-api.com, and scored against AbuseIPDB before storage.
03
Cloudflare Workers + KV + D1
An ingest Worker writes events to both KV (rolling live feed window) and D1 (permanent archive). ATT&CK technique mapping and IoC signature matching run inline on every event. No origin server — everything runs at the edge.
04
Cloudflare Pages // this site
Three views into the data: a live feed with session grouping, a searchable event archive with date range filtering and CSV export, and a signal page where Claude generates weekly research notes on notable sessions.
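
The day-one counters and the feed's session grouping can both be derived from Cowrie's JSON-lines log. The sketch below is an added example, not this site's own code: it groups events by session and skips the partial last line that a tailing reader can pick up mid-write. The sample log is constructed (documentation-range IPs), and the names `summarize` and `SAMPLE_LOG` are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample in Cowrie's JSON-lines format; the last line is cut off on purpose.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.command.input","input":"cat /proc/cpuinfo","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.22","session":"b2"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"198.51.100.22","session":"b2"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"c3"}
{"eventid":"cowrie.command.inp
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

def summarize(text):
    # Returns (totals, per-session records) for a chunk of cowrie.json text.
    sessions = defaultdict(lambda: {"src_ip": None, "logins": [], "commands": []})
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt line: count it, never guess at it
            continue
        if not isinstance(event, dict) or not event.get("session"):
            continue
        rec = sessions[event["session"]]
        rec["src_ip"] = event.get("src_ip", rec["src_ip"])
        kind = event.get("eventid", "")
        if kind in LOGIN_EVENTS:
            ok = kind == "cowrie.login.success"
            rec["logins"].append((event.get("username"), event.get("password"), ok))
        elif kind == "cowrie.command.input":
            rec["commands"].append(event.get("input", ""))
    totals = {
        "sessions": len(sessions),
        "unique_ips": len({r["src_ip"] for r in sessions.values() if r["src_ip"]}),
        "login_attempts": sum(len(r["logins"]) for r in sessions.values()),
        "commands": sum(len(r["commands"]) for r in sessions.values()),
        "skipped_lines": skipped,
    }
    return totals, dict(sessions)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)[0])
```

A non-zero `skipped_lines` on a live tail usually means the reader caught a line mid-write; re-reading from the last complete newline on the next pass recovers the event.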

What’s listening.

The honeynet is expanding. Each node exposes a different attack surface. All events flow into the same feed.

SSH / Telnet
Cowrie on a Raspberry Pi 4. Port 2222. The original sensor — collecting since day one.
SMB // port 445
Dionaea on a dedicated Pi node. Coming online soon. Capturing EternalBlue scans, ransomware precursors, and lateral movement attempts.
Expanding
Additional attack surfaces are planned across a stack of Pi nodes, each streaming into this feed.
FTP // credential sprays
Web server // scanner fingerprints
DNS // amplification & exfil
Redis & Elasticsearch
Database honeypots (MySQL / PostgreSQL)
MQTT // IoT broker targeting

See what’s out there.

The feed is live. Events are real. All IPs are anonymized. No accounts, no tracking — just the data.