How to Set Up a Honeypot to Detect Intrusions

By Admin · Mar 15, 2026 · Updated Apr 23, 2026

A honeypot is a decoy system designed to attract attackers and alert you to intrusion attempts. By deploying a honeypot on your VPS, you can detect unauthorized access attempts, learn about attack techniques, and receive early warnings.

Types of Honeypots

  • Low-interaction — Simulates services (SSH, HTTP) without a full OS. Safer, easier to deploy.
  • Medium-interaction — Simulates service responses more realistically.
  • High-interaction — Full OS/service for attackers to interact with. More risk, more intel.

Option 1: Cowrie SSH/Telnet Honeypot

# Install dependencies (git for the clone, python3-venv for "python3 -m venv")
sudo apt install git python3-venv python3-virtualenv python3-dev libssl-dev libffi-dev

# Create honeypot user
sudo adduser --disabled-password cowrie

# Install Cowrie
sudo su - cowrie
git clone https://github.com/cowrie/cowrie.git
cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt

# Configure
cp etc/cowrie.cfg.dist etc/cowrie.cfg
# In etc/cowrie.cfg, under [honeypot], set: hostname = webserver01
# In etc/cowrie.cfg, under [ssh], set: listen_endpoints = tcp:2222:interface=0.0.0.0

# Start Cowrie
bin/cowrie start

Redirect Real SSH to Cowrie

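# Move real SSH to a different port
# Keep your current session open until you have confirmed a login on port 22222,
# and allow 22222 in any firewall first
# The pattern matches both the commented default (#Port 22) and an active "Port 22" line
sudo sed -i -E 's/^#?Port 22[[:space:]]*$/Port 22222/' /etc/ssh/sshd_config
grep -E '^Port ' /etc/ssh/sshd_config   # should print: Port 22222
sudo sshd -t                            # validate the config before restarting
sudo systemctl restart sshd

# Redirect port 22 to Cowrie (port 2222)
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
# Persist the rule (the /etc/iptables directory comes with the iptables-persistent package)
sudo iptables-save | sudo tee /etc/iptables/rules.v4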

Option 2: Artillery (Simple Honeypot)

# Artillery monitors ports and alerts on connections
git clone https://github.com/BinaryDefense/artillery.git
cd artillery
sudo python3 setup.py install
# Configure ports, alert method, and email address
sudo python3 artillery.py

Option 3: Dionaea (Malware Honeypot)

# Capture malware samples by emulating vulnerable services
docker run -d --name dionaea \
  -p 21:21 -p 23:23 -p 1433:1433 -p 3306:3306 \
  -v dionaea-data:/opt/dionaea/var/lib/dionaea \
  dinotools/dionaea

Monitoring and Alerting

# Monitor Cowrie login attempts (run as the cowrie user; -F keeps following after log rotation)
tail -F ~/cowrie/var/log/cowrie/cowrie.log | grep "login attempt"

# Set up email alerts via cron script that checks for new log entries
# Run every 5 minutes to alert on new honeypot activity
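
One way to write the cron script described above, as an added example rather than code from the original article or the Cowrie project: it reads Cowrie's JSON log from a saved byte offset and prints a summary of new login events. The script's command-line arguments (log path and state-file path) are assumptions; `eventid`, `src_ip` and `username` are fields Cowrie writes to `cowrie.json`.

```python
"""Report Cowrie login events added since the last run; cron mails stdout when MAILTO is set."""
import json
import sys
from collections import Counter
from pathlib import Path

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def read_new_events(log_path, state_path):
    """Return JSON events appended to log_path since the offset saved in state_path."""
    try:
        offset = int(Path(state_path).read_text().strip() or 0)
    except (FileNotFoundError, ValueError):
        offset = 0
    if offset > Path(log_path).stat().st_size:  # log was rotated or truncated
        offset = 0
    events = []
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        for raw in fh:
            if not raw.endswith(b"\n"):  # half-written line: pick it up next run
                break
            offset += len(raw)
            try:
                events.append(json.loads(raw))
            except ValueError:
                continue  # skip a corrupt line rather than abort the run
    Path(state_path).write_text(str(offset))
    return events


def build_alert(events):
    """Return alert text for new login events (None if none); usernames are repr()-escaped."""
    logins = [e for e in events if e.get("eventid") in LOGIN_EVENTS]
    if not logins:
        return None
    ok = [e for e in logins if e["eventid"] == "cowrie.login.success"]
    by_ip = Counter(e.get("src_ip", "?") for e in logins)
    lines = [f"{len(logins)} new login attempts, {len(ok)} accepted by the honeypot"]
    lines += [f"  {ip}: {n}" for ip, n in by_ip.most_common(10)]
    lines += [f"  accepted: {e.get('src_ip')} as {e.get('username')!r}" for e in ok]
    return "\n".join(lines)


if __name__ == "__main__" and len(sys.argv) == 3:  # args: LOG_PATH STATE_PATH
    alert = build_alert(read_new_events(sys.argv[1], sys.argv[2]))
    if alert:
        print(alert)
```

Scheduled from the cowrie user's crontab every 5 minutes with `MAILTO` set, cron mails whatever the script prints, so no mail is sent when nothing new was logged.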

Security Considerations

  1. Isolate the honeypot — Use iptables to prevent it from reaching internal services
  2. Monitor resource usage — Attackers may try to use it for DDoS or mining
  3. Use fake data only — Never use production credentials
  4. Log everything — Honeypot logs are valuable for threat intelligence
  5. Keep it updated — Update honeypot software to fix its own vulnerabilities
