OpenSSH Honeypot on Unraid

I built an OpenSSH honeypot on Unraid to observe and control real-world attacker behavior hitting exposed services. The goal was not just to block access, but to study how automated and manual intrusion attempts behave when given time and interaction. This project turned my server into both a defensive system and a learning platform.

The honeypot was designed to capture detailed authentication and session logs from constant login attempts. Instead of immediately rejecting attackers, connections were intentionally slowed and held in a tarpit. This reduced scanning effectiveness while giving me visibility into credential spraying patterns, command attempts, and persistence behavior.

To support monitoring, I deployed Prometheus with a Prometheus exporter to collect metrics from the honeypot services. I downloaded endlessh-go first and used it as part of the service chain. Prometheus was cached locally, and all services ran on standard ports to reduce unnecessary complexity and make behavior predictable.

Metrics and activity were visualized using Grafana dashboards. This allowed me to track connection rates, authentication failures, session duration, and attack volume over time. Having structured metrics alongside raw logs made it easier to distinguish background noise from meaningful activity.

This project reinforced how effective layered defense can be when combined with observation. Instead of blindly blocking traffic, I was able to slow attackers down, gather intelligence, and harden my environment based on real data. Running this on Unraid made it easy to integrate with my existing infrastructure and security tooling.

Watch the full demo on YouTube

This post is licensed under CC BY 4.0 by the author.