Observing the Wolves: Why Honeypots Matter in the Fight for Privacy

by liphrax

"Most people want to keep strangers out.  I started letting them use my things."

That's what I tell friends when they ask why I'm running a honeypot.  But this isn't just some aging Raspberry Pi tucked in a closet.  For me, it's deeper than that.  It's a mission, one that takes me back to what first drew me to hacking as a kid.  Driven by a relentless curiosity to understand why things happen, I find that honeypots offer a rare blend of monitoring real attack traffic, contributing to global threat intelligence, and caring about more than just my own devices.

In a world where cybersecurity has become synonymous with reaction, regulation, and red tape, honeypots are a form of quiet resistance.  It's a radical shift from my early twenties as a hacktivist, but with familiar parallels: hands-on, decentralized, and surprisingly effective.  Honeypots are also deeply educational.  Running one forces you to think like an attacker, respect their craft, and recognize your own blind spots.  It's humbling.

So, I'd like to make a case.  Not just for honeypots in general, but for honeypots as a mission.  A tool for privacy.  For defense.  For building community in a field that too often forgets what it's fighting for.

What is a Honeypot, Really?

Let's clear this up first.

A honeypot isn't just "bait."  It's not a honeynet, a honeytoken, or some security theater in a PowerPoint deck.  It's a system that exists to be attacked - deliberately exposed, preferably isolated from anything you care about - and built to detect, log, and study unauthorized access attempts.

There are different flavors:

  • Low-Interaction:  Emulate services (e.g., SSH, SMB) without running full OS environments.  Lightweight.  Great for trend visibility.
  • Medium-Interaction:  Limited shells or fake filesystems.  Better data, slightly higher risk.
  • High-Interaction:  Real systems with real vulnerabilities, firewalled to hell and kept well away from anything you care about - including filtering what they can send out, because a box that really gets compromised will be used to attack someone else.  Fantastic insight, but don't screw it up.

If you're serious, you segment it.  You log it.  You learn from it.  And if you're motivated, you contribute the data to something bigger.

Why Honeypots Matter Today

Honeypots feel almost retro, like something from the halcyon days of firewalls and IRC.  But they've never been more relevant.  Here's why:

  • Perimeter security is dead.  Attackers are already inside.  Detection is now king.
  • IoT is everywhere.  And it's insecure by default.  A honeypot shows you just how quickly it gets scanned, fingerprinted, and hit.
  • The cloud fogs everything.  Logs disappear.  Traffic is abstracted.  A honeypot gives you raw, local, in-your-face proof of scanning and exploitation attempts.
  • Mass surveillance isn't just state-level.  It's corporate.  It's embedded.  Honeypots show you what's being probed and how.

Even if no one breaks in, the attempts themselves are telling.  It's telemetry from the adversary.

Enter DShield

DShield is a community honeypot project operated by the SANS Internet Storm Center (ISC).  It aggregates attack logs from thousands of volunteers around the world to track global threat activity.

I started because it's simple, open, and built on the idea that defense should be shared.  You can run it on a Raspberry Pi or whatever old hardware you have lying around.  It collects the box's firewall logs together with its SSH/Telnet and web honeypot logs and reports them to the ISC, where the suspicious traffic is correlated across every sensor.

Setting it up was straightforward:

  1. Burn the SD card image.
  2. Plug it into a segmented VLAN and expose it to the Internet (a routable IP, or all inbound ports forwarded to it).
  3. Set up dynamic DNS and register your sensor.
  4. Watch the wolves arrive.

And they do.  It takes about two hours before the first reports show up on the ISC side, but locally the logs start filling within minutes of being online: SSH brute-force.  Telnet scans.  Malformed HTTP requests.  It felt like leaving your windows down and watching what people try to take.

But what draws me in isn't the tech - it's the ethos.  This is grassroots intelligence.  Quiet.  Unbranded.  No corporate logo.  No one selling you features.  Just packets, data, and people who care.

What the Wolves Look Like

My current build has been running for over a year.  In one five-minute stretch, my honeypot captured over 30 distinct probes.  A few highlights:

  • Censys scans: Mozilla/5.0 (compatible; CensysInspect/1.1; https://about.censys.io/)  Hitting paths like /, /favicon.ico, /robots.txt, and /wiki.
  • Open-proxy checkers and scraping frameworks: Mozilla/5.0 (Windows NT 6.1; rv:16.0)... (https://best-proxies.ru/faq/#from)  Multiple requests for ip.bablosoft.com and api.ipify.org - what's-my-IP services, which is exactly what a proxy checker asks for when it's testing whether your box will relay traffic for it.
  • Scanner libraries and tools: python-requests/2.32.4, zgrab/0.x, and other reconnaissance tooling.
  • Exploit and exposure checks: Attempts to reach /cgi-bin/login and /boaform/admin/formLogin (router login forms beloved of Mirai-family bots), /_profiler/phpinfo (a Symfony debug profiler left enabled), and .git/HEAD (an exposed Git repository).

These aren't targeted.  They're automated.  But they never stop.
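Sorting those probes by hand gets old fast.  Here is the kind of classifier I'd hang off a web honeypot's access log to do it automatically.  It is an added example, not code from this article or from the DShield project: the log format is a constructed, simplified access-log shape (source, request line, user-agent), the sample lines are made up to mirror the probes above rather than copied from real DShield output, and the exploit-path annotations are my reading of what those paths are for.

```python
"""Sort web-honeypot hits into the buckets the article describes.

Added example; not part of the original article or the DShield project.
Log shape is a constructed, simplified access-log format:
    SRC_IP "METHOD TARGET" "USER-AGENT"
Real DShield web-honeypot logs use a different layout.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic modelled on the probes described in the text.
SAMPLE_LOG = """\
192.0.2.10 "GET /" "Mozilla/5.0 (compatible; CensysInspect/1.1; https://about.censys.io/)"
192.0.2.10 "GET /favicon.ico" "Mozilla/5.0 (compatible; CensysInspect/1.1; https://about.censys.io/)"
192.0.2.10 "GET /robots.txt" "Mozilla/5.0 (compatible; CensysInspect/1.1; https://about.censys.io/)"
198.51.100.7 "GET http://api.ipify.org/" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) (https://best-proxies.ru/faq/#from)"
198.51.100.7 "GET http://ip.bablosoft.com/" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) (https://best-proxies.ru/faq/#from)"
203.0.113.44 "GET /" "python-requests/2.32.4"
203.0.113.45 "GET /" "Mozilla/5.0 zgrab/0.x"
203.0.113.99 "POST /boaform/admin/formLogin" "Mozilla/5.0"
203.0.113.99 "GET /cgi-bin/login" "Mozilla/5.0"
203.0.113.23 "GET /_profiler/phpinfo" "Mozilla/5.0"
203.0.113.23 "GET /.git/HEAD" "Mozilla/5.0"
203.0.113.1 "GET /index.html" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" "(.*)"$')

# User-agent fragments of Internet-wide scanners and scripting libraries.
SCANNER_UA = ("CensysInspect", "zgrab", "python-requests")

# Hosts an open-proxy checker asks for: a what's-my-IP service tells the
# checker whether the request really left through the honeypot's address.
WHATS_MY_IP_HOSTS = {"api.ipify.org", "ip.bablosoft.com"}

# Paths that only make sense as exploitation or exposure checks
# (attributions are the editor's reading of the paths, not log data).
EXPLOIT_PATHS = {
    "/boaform/admin/formLogin": "GPON/Netlink router login (Mirai-family)",
    "/cgi-bin/login": "embedded-device CGI login",
    "/_profiler/phpinfo": "Symfony debug profiler left enabled",
    "/.git/HEAD": "exposed Git repository",
}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, method, target, ua = m.groups()
    return {"src": src, "method": method, "target": target, "ua": ua}


def classify(hit):
    """Return (category, detail).  The request target is checked first,
    because intent lives in the path; the user-agent only says who."""
    target = hit["target"]
    if target.startswith(("http://", "https://")):
        # An absolute URI to a foreign host is a request to relay traffic.
        host = urlsplit(target).hostname or ""
        why = "what's-my-IP check" if host in WHATS_MY_IP_HOSTS else "relay test"
        return "open_proxy_probe", f"{why} via {host}"
    path = urlsplit(target).path
    if path in EXPLOIT_PATHS:
        return "exploit_path", EXPLOIT_PATHS[path]
    for needle in SCANNER_UA:
        if needle in hit["ua"]:
            return "scanner", needle
    return "other", hit["ua"]


def summarize(log_text):
    """Aggregate a log into category counts and per-source distinct targets."""
    categories = Counter()
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        category, _ = classify(hit)
        categories[category] += 1
        targets_by_src[hit["src"]].add(hit["target"])
    return {
        "categories": dict(categories),
        "distinct_sources": len(targets_by_src),
        "targets_per_source": {s: len(t) for s, t in targets_by_src.items()},
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        hit = parse_line(line)
        print(f'{hit["src"]:<14} {classify(hit)[0]:<17} {hit["target"]}')
    print(summarize(SAMPLE_LOG))
```

The ordering in classify is the point: a zgrab user-agent asking for /.git/HEAD is an exposure check that happens to use zgrab, so the path wins over the user-agent, and an absolute URI to someone else's host is a relay attempt no matter who sends it.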

What They're Trying

One early morning, my honeypot logged over 70 distinct login attempts from different IPs, each trying brute-force credentials.  Samples included:

   Admin : Admin6
 Default : 12345
  Centos : administrator
    Ubnt : 987654321
   Guest : !Qaz2wsx
  Config : Config2003
Operator : password321
    User : raspberry

If you've ever combed through rockyou.txt, you've seen this stuff.  Pulled from firmware defaults, setup guides, and credential dumps.

They came from all over: South Korea, Brazil, France, China, the U.S., Russia.  Some IPs returned repeatedly with new combos.  Others sprayed once and vanished.

They weren't after a high-value compromise.  Just entry.  Any entry.  Because even one successful login means persistence, botnet recruitment, lateral movement, or crypto mining.

The DShield sensor's SSH/Telnet honeypot, Cowrie, is built for exactly this kind of learning.  After a configurable number of failed attempts it accepts a login and drops the attacker into an emulated shell with a fake filesystem.  Why?  Because it's more useful to watch what they do once they think they're in than to block them outright - and everything they type gets logged.
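Here is how I'd pull that story out of the logs.  This is an added example, not code from the article, from DShield, or from Cowrie: it reads Cowrie's JSON log (cowrie.json by default) using event names and fields Cowrie actually emits, but the events themselves are constructed sample data built from the credential pairs above.  It sorts sources into one-shot sprays versus return visitors, counts the failures each source burned before a login was accepted, and lists what they typed once inside.

```python
"""Pull the brute-force story out of Cowrie's JSON log.

Added example; not part of the article or the DShield/Cowrie projects.
Uses the event names and fields Cowrie really emits (cowrie.login.failed,
cowrie.login.success, cowrie.command.input, src_ip, session, username,
password, input); the events themselves are constructed sample data
built from the credential pairs quoted in the text.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events, one JSON object per line like cowrie.json.
SAMPLE_EVENTS = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","session":"a1","timestamp":"2025-03-02T04:11:58.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"a1","username":"Admin","password":"Admin6","timestamp":"2025-03-02T04:12:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"a1","username":"Default","password":"12345","timestamp":"2025-03-02T04:12:03.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.5","session":"a1","username":"User","password":"raspberry","timestamp":"2025-03-02T04:12:05.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","session":"a1","input":"uname -a","timestamp":"2025-03-02T04:12:06.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","session":"a1","input":"cat /proc/cpuinfo","timestamp":"2025-03-02T04:12:07.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b1","username":"Centos","password":"administrator","timestamp":"2025-03-02T04:20:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b2","username":"Ubnt","password":"987654321","timestamp":"2025-03-02T04:41:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b3","username":"Guest","password":"!Qaz2wsx","timestamp":"2025-03-02T05:02:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.77","session":"c1","username":"Config","password":"Config2003","timestamp":"2025-03-02T05:10:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.78","session":"d1","username":"Operator","password":"password321","timestamp":"2025-03-02T05:15:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.78","session":"d1","username":"Default","password":"12345","timestamp":"2025-03-02T05:15:02.000000Z"}
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_events(text):
    """One JSON object per line; blank or unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def per_source(events):
    """Per source IP: login attempts, distinct sessions, credentials, success flag."""
    stats = defaultdict(lambda: {"attempts": 0, "sessions": set(), "creds": [], "succeeded": False})
    for ev in events:
        if ev.get("eventid") not in LOGIN_EVENTS:
            continue
        s = stats[ev["src_ip"]]
        s["attempts"] += 1
        s["sessions"].add(ev["session"])  # one session per TCP connection
        s["creds"].append((ev["username"], ev["password"]))
        if ev["eventid"] == "cowrie.login.success":
            s["succeeded"] = True
    return dict(stats)


def classify_sources(stats):
    """Exclusive buckets: got in; came back over several connections; one-shot spray."""
    buckets = {"got_in": [], "returned": [], "sprayed_once": []}
    for src, s in stats.items():
        if s["succeeded"]:
            buckets["got_in"].append(src)
        elif len(s["sessions"]) > 1:
            buckets["returned"].append(src)
        else:
            buckets["sprayed_once"].append(src)
    return {k: sorted(v) for k, v in buckets.items()}


def top_credentials(events, n=5):
    """Most-tried (username, password) pairs across all sources."""
    pairs = Counter((ev["username"], ev["password"])
                    for ev in events if ev.get("eventid") in LOGIN_EVENTS)
    return pairs.most_common(n)


def failures_before_success(events):
    """How many failed logins each source burned before one was accepted.
    With Cowrie's AuthRandom policy that number is the honeypot's choice,
    so it describes your configuration as much as the attacker."""
    failed = Counter()
    result = {}
    for ev in events:  # log order is chronological
        if ev.get("eventid") == "cowrie.login.failed":
            failed[ev["src_ip"]] += 1
        elif ev.get("eventid") == "cowrie.login.success":
            result.setdefault(ev["src_ip"], failed[ev["src_ip"]])
    return result


def commands_after_login(events):
    """What each source typed once it was in: the payoff for letting them through."""
    cmds = defaultdict(list)
    for ev in events:
        if ev.get("eventid") == "cowrie.command.input":
            cmds[ev["src_ip"]].append(ev["input"])
    return dict(cmds)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    stats = per_source(events)
    print(classify_sources(stats))
    print(top_credentials(events, 3))
    print(failures_before_success(events))
    print(commands_after_login(events))
```

To run it against a real sensor, feed the contents of cowrie.json to parse_events instead of SAMPLE_EVENTS.  Sessions, not raw attempt counts, are what separate "sprayed once and vanished" from "returned repeatedly": a source that fires five passwords down one connection is still a one-shot visitor.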

What I've Learned

Technically:

  • Isolate your honeypot.  Log everything.  Trust nothing.
  • Attack traffic is noisy but predictable - and familiar.  Mirai.  Masscan.  Password spraying.
  • Even stupid attacks have value.  They map the digital terrain.

Personally:

  • Patience is mandatory.  It's not glamorous.  But it's fascinating.
  • There's a quiet kinship with others doing the same.  A distributed neighborhood watch.
  • Most of all, I remembered why I was drawn to this in the first place.  Curiosity, understanding, purpose.

A Quiet Call to Arms

If you've made it this far, here's my ask:

Set one up.

Run a honeypot.  Contribute to DShield.  Or T-Pot.  Or roll your own with Cowrie or OpenCanary.

Do it not for applause.  Not for recognition.  Do it because it's useful.  Because it helps.  Because it teaches.

You'll gain visibility into the constant hostility of the Internet, and maybe, like me, you'll find yourself watching the logs at all hours of the day, realizing this isn't just about security.

It's about awareness.

The wolves are already at the door.  Locking it isn't enough - study them and adapt.
