Honeypot Threat Analysis — April 24, 2026
Galah HTTP LLM honeypot goes live with 54 web requests. Full tri-honeypot stack now operational across SSH, multi-protocol, and HTTP.
Threat Landscape Overview
The complete honeypot stack is now online. Galah HTTP honeypot launched, capturing 54 web requests from 24 IPs. Combined with 1,488 SSH connections (73 IPs) and 183 OpenCanary events (59 IPs), the lab now monitors three attack vectors simultaneously.
SSH Brute Force Analysis
1,838 login attempts with 189 post-auth commands. The Cowrie honeypot continues to attract heavy traffic. Password dictionary: 123456, admin, 123, password, 1234. The 87.251.64.x scanning network maintained persistent presence alongside 80.66.66.10.
Web Scanner Activity
Galah’s first day revealed immediate scanning for:
/sitemap.xml — reconnaissance for site structure
/.git/config — hunting for exposed Git repositories
/wp-login.php — WordPress admin panel discovery
/zc?action=getInfo — ZeroConfig/device discovery
/og-default.png — content scraping
The Galah honeypot uses a local qwen2.5 AI model to generate realistic responses, keeping scanners engaged and collecting more intelligence.
Notable Trends
Having all three honeypots live creates a comprehensive attack funnel: scanners that probe HTTP also attempt SSH and other protocols. The overlap analysis between Galah, Cowrie, and OpenCanary IPs will become a valuable intelligence source.
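The overlap analysis described above can be sketched as follows. This is an added example, not the lab's own tooling: the log field names (src_ip for Cowrie, src_host for OpenCanary, srcIP for Galah) are assumptions about each sensor's JSON output, and the sample events are constructed. It goes one step beyond exact-IP matching by also grouping sources per /24, since a scanning network can reach each sensor from a different host.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network
from itertools import combinations

# Source-IP field in each sensor's JSON log (assumed names; verify against your versions).
SRC_FIELD = {"cowrie": "src_ip", "opencanary": "src_host", "galah": "srcIP"}

SAMPLE = {  # constructed events; addresses are RFC 5737 documentation ranges
    "cowrie": [
        '{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10"}',
        '{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.5"}',
    ],
    "opencanary": [
        '{"logtype": 3001, "src_host": "198.51.100.5"}',
        '{"logtype": 1001, "src_host": ""}',
    ],
    "galah": [
        '{"srcIP": "198.51.100.5", "httpRequest": {"request": "/.git/config"}}',
        '{"srcIP": "192.0.2.201", "httpRequest": {"request": "/wp-login.php"}}',
        '{"srcIP": "203.0.113.9", "httpRequ',
    ],
}

def sensors_by_ip(logs):
    """Map each valid source IP to the set of sensors that logged it."""
    seen = defaultdict(set)
    for sensor, lines in logs.items():
        for line in lines:
            try:
                ip = str(ip_address(json.loads(line)[SRC_FIELD[sensor]]))
            except (ValueError, KeyError, TypeError):
                continue  # truncated JSON, missing field, or empty/invalid address
            seen[ip].add(sensor)
    return seen

def pairwise_overlap(seen):
    """Count the IPs that each pair of sensors has in common."""
    return {pair: sum(set(pair) <= s for s in seen.values())
            for pair in combinations(sorted(SRC_FIELD), 2)}

def multi_sensor_networks(seen, prefix=24):
    """Group by network: a scanning range may reach each sensor from a different host."""
    nets = defaultdict(set)
    for ip, sensors in seen.items():
        nets[str(ip_network(f"{ip}/{prefix}", strict=False))] |= sensors
    return {net: sorted(s) for net, s in nets.items() if len(s) > 1}

if __name__ == "__main__":
    print(pairwise_overlap(sensors_by_ip(SAMPLE)), multi_sensor_networks(sensors_by_ip(SAMPLE)))
```

In the constructed sample, only one address appears on all three sensors, while the /24 grouping also surfaces a range that touched Cowrie and Galah from two different hosts.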
Community Defense
All attacker IPs are shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.
This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.