Honeypot Deployment Pro Tip: Let Them Think They're Winning
-
Want to know a dirty little secret about honeypot deployment that I've been using for years?
When you spin up a new production server with SSH access, don't immediately lock it down behind a non-standard port. Let it sit on port 22 running your actual SSH daemon for the first 4-6 weeks.
Let the attackers find it. Let them probe it. Let them catalog it in their target lists as "real infrastructure worth attacking."
Then, after they've committed you to memory:
Move your real SSH to a non-standard port. Deploy OpenCanary SSH on port 22 configured to match the EXACT version banner of whatever you were running before.
Now here's the magic: The attackers think they're still hitting the same production system. But you're collecting every username and password combination they try. They don't know they've been demoted from "attacking production" to "feeding your threat intelligence."
It's totally deceptive. They invested weeks cataloging your server. They're not going to just give up because you didn't respond the way they expected.
I've been running this technique for years across my global honeypot network. Works every single time.
Remember to match the SSH version banner exactly - down to the patch level. OpenSSH 8.2p1 vs 8.2p2 matters to some scanners. Make it identical.
This is how you turn production infrastructure into long-term intelligence gathering without anyone noticing the transition.
You're welcome. 🦩
@sashatheflamingo #cybersecurity #infosec #honeypot #deceptiontech -
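The swap described above has two parts a defender has to get right: the decoy's banner must be byte-for-byte what the real daemon advertised, and the credential attempts the decoy records have to be turned into something usable. The block below is an added example (not code from the post's author or from the OpenCanary project): it parses and compares SSH identification strings, emits the three OpenCanary config keys the decoy needs (`ssh.enabled`, `ssh.port`, `ssh.version`, which exist in `opencanary.conf`), and aggregates OpenCanary JSON log lines. The logtype value 4002 for an SSH login attempt and the `USERNAME`/`PASSWORD` fields under `logdata` are assumptions about OpenCanary's log format; the banners and log lines are constructed samples.

```python
"""Defender-side helpers for the port-22 decoy swap described in the post.

Added example, not OpenCanary project code. Assumed: the OpenCanary config
keys "ssh.enabled", "ssh.port", "ssh.version" (present in opencanary.conf),
and its JSON log format with logtype 4002 for SSH login attempts carrying
USERNAME/PASSWORD in "logdata". Sample banners and log lines are constructed.
"""
import json
from collections import Counter

# Banner the real sshd advertised while it sat on port 22 (constructed sample).
RECORDED_BANNER = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"


def parse_banner(raw: bytes) -> str:
    """Return the identification string an SSH server sends first (RFC 4253,
    section 4.2): 'SSH-protoversion-softwareversion [SP comments]' with the
    trailing CR LF removed. Servers may send other lines before it; skip them."""
    for line in raw.split(b"\r\n"):
        if line.startswith(b"SSH-"):
            return line.decode("ascii", errors="replace")
    raise ValueError("no SSH identification string in data")


def banners_match(recorded: bytes, observed: bytes) -> bool:
    """Exact comparison, including patch level and comment field.
    'OpenSSH_8.2p1' vs 'OpenSSH_8.2p2' is a mismatch, as the post warns."""
    return parse_banner(recorded) == parse_banner(observed)


def opencanary_ssh_config(banner: bytes) -> dict:
    """Fragment of opencanary.conf for the decoy: SSH on port 22 presenting
    the banner the real daemon used. Other services keep their defaults."""
    return {
        "ssh.enabled": True,
        "ssh.port": 22,
        "ssh.version": parse_banner(banner),
    }


SSH_LOGIN_ATTEMPT = 4002  # assumed OpenCanary logtype for an SSH password attempt


def summarize_attempts(log_lines):
    """Aggregate OpenCanary JSON log lines into per-source attempt counts and
    the most-tried credential pairs. Lines of other logtypes are ignored."""
    per_source = Counter()
    creds = Counter()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("logtype") != SSH_LOGIN_ATTEMPT:
            continue
        data = event.get("logdata", {})
        per_source[event.get("src_host")] += 1
        creds[(data.get("USERNAME"), data.get("PASSWORD"))] += 1
    return per_source, creds


# Constructed log lines in OpenCanary's shape (not captured from a real sensor).
SAMPLE_LOG = """
{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {"USERNAME": "root", "PASSWORD": "123456", "REMOTEVERSION": "SSH-2.0-libssh_0.9.6"}, "logtype": 4002, "src_host": "198.51.100.23", "src_port": 51022}
{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {"USERNAME": "root", "PASSWORD": "admin"}, "logtype": 4002, "src_host": "198.51.100.23", "src_port": 51023}
{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {"USERNAME": "admin", "PASSWORD": "123456"}, "logtype": 4002, "src_host": "203.0.113.9", "src_port": 40001}
{"dst_host": "10.0.0.5", "dst_port": 22, "logdata": {"REMOTEVERSION": "SSH-2.0-libssh_0.9.6"}, "logtype": 4001, "src_host": "203.0.113.9", "src_port": 40001}
"""

if __name__ == "__main__":
    print("decoy config:", json.dumps(opencanary_ssh_config(RECORDED_BANNER)))
    print("p2 banner matches:",
          banners_match(RECORDED_BANNER, b"SSH-2.0-OpenSSH_8.2p2 Ubuntu-4ubuntu0.5\r\n"))
    sources, creds = summarize_attempts(SAMPLE_LOG.splitlines())
    print("attempts per source:", sources.most_common())
    print("top credentials:", creds.most_common(3))
```

Record the banner before the move (it is the first line the daemon sends on connect), then run the comparison against the decoy once it is up; the real sshd's new port is set with the `Port` directive in `sshd_config`, which this block does not touch. The 4001 line in the sample shows why filtering on logtype matters: connection and version events from the same source would otherwise inflate the attempt counts.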
@rnbwkat @sashatheflamingo This is the way.