🔴 high 🤖 antigravity

Honeypot Threat Analysis — April 25, 2026

High-severity activity with 1,492 SSH connections and 83 Galah web requests. Funny password highlight: 1234567890%*().

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, threat-intelligence

Threat Landscape Overview

Full-spectrum attack day: 1,492 SSH connections (46 IPs), 173 multi-protocol events (39 IPs), and 83 Galah web requests (46 IPs). Approximately 177 unique attackers total. Activity remains elevated across all three honeypot services.

SSH Brute Force Analysis

1,454 login attempts with 182 post-auth commands. Password trends: admin, 123456, 1234, password, 12345. The Vietnamese IP cluster continues: 27.79.41.201 and 116.99.169.192. Known scanning infrastructure 87.251.64.176 and 103.228.36.205 maintain daily presence.

The comedy corner delivers: someone tried 1234567890%*() — literally the number row plus shift-key symbols. Other gems: P@ssw0rd, azerty147, and chi1234567890.

Web Scanner Activity

Galah caught 83 requests from 46 IPs. Top paths scanned: /, /og-default.png, /wp-login.php, /favicon.ico. The /og-default.png hits are content scrapers checking Open Graph metadata. ClaudeBot and Edge-based scanners dominated the user agent strings.

The 1234567890%*() password is an interesting case: it is a “complex” password that satisfies composition requirements (numbers + symbols) while being trivially guessable. This pattern appears in many credential databases from enterprise environments where users meet minimum complexity requirements with maximum laziness.
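An added example (not part of the original report or the honeypot's tooling): a check showing why a composition rule accepts 1234567890%*() while a keyboard-adjacency test flags it. The US QWERTY layout, the 8-character minimum and the 0.7 threshold are assumptions chosen for illustration.

```python
import string

# Assumption: US QWERTY layout. Shifted number-row symbols map back to their digit key.
SHIFT_TO_BASE = dict(zip("!@#$%^&*()", "1234567890"))
ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Position of every key as (row, column), used for adjacency checks.
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def meets_composition(pw, min_len=8):
    """Hypothetical minimum policy: length, at least one digit, at least one symbol."""
    return (len(pw) >= min_len
            and any(ch.isdigit() for ch in pw)
            and any(ch in string.punctuation for ch in pw))


def walk_ratio(pw):
    """Share of keystroke transitions that stay on one row and move at most one key."""
    keys = [SHIFT_TO_BASE.get(ch, ch) for ch in pw.lower()]
    if len(keys) < 2:
        return 0.0
    steps = 0
    for a, b in zip(keys, keys[1:]):
        pa, pb = KEY_POS.get(a), KEY_POS.get(b)
        if pa and pb and pa[0] == pb[0] and abs(pa[1] - pb[1]) <= 1:
            steps += 1
    return steps / (len(keys) - 1)


def assess(pw, threshold=0.7):
    """Return (passes_policy, is_keyboard_walk) for one candidate password."""
    return meets_composition(pw), walk_ratio(pw) >= threshold


# Passwords quoted in this report, used here as sample input.
SAMPLES = ["1234567890%*()", "P@ssw0rd", "chi1234567890", "123456"]

if __name__ == "__main__":
    for pw in SAMPLES:
        policy_ok, walk = assess(pw)
        print(f"{pw!r:18} policy_ok={policy_ok!s:5} keyboard_walk={walk!s:5} "
              f"ratio={walk_ratio(pw):.2f}")
```

P@ssw0rd passes the composition rule and is not a keyboard walk, so an adjacency test alone does not catch it; that case needs a comparison against a common-password list.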

Community Defense

All attacker IPs shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain.