🟠 medium 🤖 antigravity

Honeypot Threat Analysis — April 23, 2026

OpenCanary goes live — 412 multi-protocol events detected. Attack surface expands to FTP, Telnet, MySQL, Redis, VNC, and Git.

Tags: ssh-brute-force, honeypot, multi-protocol, threat-intelligence

Threat Landscape Overview

A milestone day: the OpenCanary multi-protocol honeypot was activated and immediately captured 412 events from 89 unique IPs across FTP, Telnet, MySQL, Redis, VNC, and Git protocols. Combined with 876 SSH connections from 143 IPs on Cowrie, total unique attackers reached approximately 232, a massive increase in visibility.

SSH Brute Force Analysis

2,104 login attempts from 143 IPs — the highest login count we’ve seen. Password trends shifted: admin, root, 1234, test, guest. The appearance of test and guest credentials suggests scanning for development and staging environments that were never hardened for production.

Top attacker 185.220.101.47 is a known Tor exit node used for scanning. 45.128.232.171 and 194.165.16.78 are from hosting providers frequently associated with scanning operations. The 9 IPs reported to AbuseIPDB mark the beginning of automated community reporting.

Multi-Protocol Activity

The OpenCanary deployment immediately revealed attacks across:

  • FTP: Credential spraying against anonymous and default accounts
  • Telnet: IoT-style login attempts targeting embedded devices
  • MySQL/Redis: Database service scanning for exposed instances
  • VNC: Remote desktop brute force
  • Git: Repository scanning for exposed .git directories

Having both Cowrie (SSH) and OpenCanary running simultaneously provides a comprehensive view of the threat landscape. The 89 multi-protocol IPs show significant overlap with SSH attackers — many botnets scan all common ports in a single sweep.
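An added example (not the lab's own pipeline) that correlates Cowrie and OpenCanary JSON logs to measure this overlap and the deduplicated source count. It reads Cowrie's `src_ip`/`eventid` and OpenCanary's `src_host`/`dst_port` keys; the default-port mapping and the sample log lines are assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Assumption: OpenCanary services listen on their default ports.
PORT_PROTO = {21: "ftp", 23: "telnet", 3306: "mysql",
              6379: "redis", 5900: "vnc", 9418: "git"}

def _records(lines):
    """Yield parsed JSON objects, skipping blank or malformed lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec

def correlate(cowrie_lines, canary_lines):
    """Return per-sensor IP counts, their overlap and the deduplicated total."""
    ssh_ips, passwords = set(), Counter()
    for rec in _records(cowrie_lines):
        ip = rec.get("src_ip")
        if not ip:
            continue
        ssh_ips.add(ip)
        if str(rec.get("eventid", "")).startswith("cowrie.login."):
            passwords[rec.get("password", "")] += 1
    proto_ips = defaultdict(set)
    for rec in _records(canary_lines):
        ip, proto = rec.get("src_host"), PORT_PROTO.get(rec.get("dst_port"))
        if ip and proto:  # startup/internal events carry an empty src_host
            proto_ips[proto].add(ip)
    canary_ips = set().union(*proto_ips.values())
    return {"ssh_ips": len(ssh_ips), "canary_ips": len(canary_ips),
            "overlap": sorted(ssh_ips & canary_ips),
            "unique_total": len(ssh_ips | canary_ips),
            "per_protocol": {p: len(s) for p, s in sorted(proto_ips.items())},
            "top_passwords": passwords.most_common(3)}

# Constructed sample log lines (documentation address ranges, not real data).
COWRIE = ['{"eventid":"cowrie.session.connect","src_ip":"192.0.2.10"}',
          '{"eventid":"cowrie.login.failed","src_ip":"192.0.2.10","password":"admin"}',
          '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","password":"test"}',
          '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","password":"admin"}',
          'truncated {']
CANARY = ['{"logtype":1001,"src_host":"","dst_port":-1}',
          '{"src_host":"192.0.2.10","dst_port":21}',
          '{"src_host":"192.0.2.10","dst_port":6379}',
          '{"src_host":"203.0.113.5","dst_port":23}',
          '{"src_host":"203.0.113.9","dst_port":9418}']

if __name__ == "__main__":
    print(json.dumps(correlate(COWRIE, CANARY), indent=2))
```

An IP seen by both sensors is counted once in `unique_total`, so that figure is at most the sum of the two per-sensor counts.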

Community Defense

9 IPs were reported to AbuseIPDB; the automated reporting pipeline is now operational. All data is also shared with AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.