Honeypots: Baited and logged

Why use a honeypot?

Whether you’re defending the family NAS or a small organisation’s file server, honeypots help:

  • Detect intrusions before they cause harm.

  • Study attacker tactics without putting live systems at risk.

  • Waste their time, bandwidth, and hope.

  • Trigger alerts for unauthorised activity—ideally before damage occurs.

Even modest setups benefit. Just because you’re not MI6 doesn’t mean you’re not on someone’s Shodan list.

What to deploy

There are several flavours of honeypots, from “just enough to look interesting” to “full-blown attack playground”. Choose your spice level:

Low-interaction honeypots

These mimic basic services (e.g. SSH, HTTP) without fully running them. Lightweight, easy to deploy, and safe as houses.

  • Honeyd – Simulates entire systems.

  • Cowrie – Fake SSH/Telnet server. Logs everything. Very chatty.

  • Dionaea – Malware catcher posing as vulnerable services.

Perfect for:

  • Home routers/NAS

  • Small office gateways

  • Raspberry Pis with delusions of grandeur

High-interaction honeypots

These run real operating systems and services—essentially sacrificial lambs with Wireshark.

  • OpenCanary – Dead simple, logs to syslog.

  • T-Pot – All-in-one honeypot platform, runs via Docker.

  • Cuckoo Sandbox – Malware analysis and detonation (if you like to live dangerously).

Perfect for:

  • Security research

  • Blue teams with a masochistic streak

  • Enthusiasts with an isolated VLAN and too much time

  • Warning: High-interaction honeypots are great research tools but can be turned against you if improperly isolated. Always sandbox.

Tools of the trade

  • Honeyd for masochists who love config files

  • Cowrie for SSH voyeurs

  • Dionaea for malware hoarders

  • OpenCanary for the terminally lazy

  • T-Pot for people who think Docker is a lifestyle

  • Cuckoo for those who enjoy playing with fire

Where to place honeypots

Strategic placement is key:

  • DMZ – External-facing honeypots bait outside attackers.

  • Internal network – Catch compromised insiders or lateral movement.

  • IoT subnet – Because your “smart” lightbulbs aren’t.

Be clear what you’re simulating, and don’t run honeypots on production ports unless you’re keen on debugging broken user logins.

Integration & alerting

Don’t just run a honeypot and hope for the best. Integrate it:

  • Log to Syslog, Splunk, or ELK

  • Use fail2ban to block IPs hitting the honeypot

  • Set up email or Slack alerts when activity is detected

  • Tag honeypot traffic with Suricata or Zeek for deeper inspection

Honeypots in small environments

Home and small business networks are soft targets—ripe for botnets, brute force, and crypto-rubbish. Honeypots offer:

  • A canary in the coal mine—spot attacks early.

  • A cheap deterrent—low cost, high value.

  • Intel collection—learn what attackers are actually doing.

You don’t need a datacentre. A Raspberry Pi, an old laptop, or a corner of your ESXi box will do nicely.

What a honeypot is not

  • It’s not a silver bullet.

  • It won’t stop an attack on its own.

  • It’s not a replacement for patching, hardening, and good logging.

  • And no, it’s not a reason to skip the firewall.

Think of it as bait. Useful bait, clever bait—but bait nonetheless.