💀 critical 🤖 antigravity

Honeypot Threat Analysis — May 1, 2026

Labour Day brings no rest for attackers — 1,993 SSH connections, 4,235 multi-protocol events, and Hikvision camera exploits detected.

ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

International Workers’ Day offered no reprieve: 1,993 SSH connections (89 IPs), 4,235 OpenCanary events (13 IPs), and 85 Galah web requests (35 IPs). The honeypot confirms what security researchers have always known — automated attacks don’t observe holidays.

SSH Brute Force Analysis

The SSH honeypot recorded 2,432 login attempts and 365 post-auth commands. Recurring source IPs: 45.156.87.254 (bulletproof hosting), 176.65.132.254, 87.251.64.176. The Vietnamese IP cluster (27.79.x.x) maintains its persistent presence, confirming a long-running SOHO router botnet.

The 1qaz@WSX password appeared — a diagonal keyboard walk that satisfies complexity requirements (uppercase, lowercase, number, symbol) while being completely predictable. This pattern is found in countless enterprise credential databases.
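A password-policy check that shows the gap described above: `1qaz@WSX` passes a four-class complexity rule yet is entirely made of keyboard runs. This is an added example, not part of the honeypot's tooling; it assumes a US QWERTY layout, and the function names and the 0.75 threshold are hypothetical.

```python
import string

# US QWERTY layout is an assumption; other layouts need their own tables.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Columns read top to bottom: "1qaz", "2wsx", "3edc", ...
COLS = ["".join(r[i] for r in ROWS if i < len(r)) for i in range(10)]
# Every straight run, in both typing directions.
WALKS = [w for seq in ROWS + COLS for w in (seq, seq[::-1])]
# Shifted digit-row symbols map back to the physical key that produced them.
SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))


def meets_complexity(pw, min_len=8):
    """Typical four-class composition rule (hypothetical policy)."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalize(pw):
    """Reduce a password to the sequence of physical keys pressed."""
    return "".join(SHIFTED.get(c, c).lower() for c in pw)


def walk_coverage(pw, min_run=3):
    """Fraction of characters that sit inside a keyboard run of >= min_run keys."""
    keys = normalize(pw)
    covered = [False] * len(keys)
    for i in range(len(keys)):
        # Try the longest candidate run starting at i first.
        for j in range(len(keys), i + min_run - 1, -1):
            if any(keys[i:j] in walk for walk in WALKS):
                covered[i:j] = [True] * (j - i)
                break
    return sum(covered) / len(keys) if keys else 0.0


def is_keyboard_walk(pw, threshold=0.75):
    return walk_coverage(pw) >= threshold


if __name__ == "__main__":
    # "1qaz@WSX" is from the report; the other two are constructed samples.
    for pw in ["1qaz@WSX", "Qwerty123!", "Tr0ub4dor&3"]:
        print(pw, meets_complexity(pw), round(walk_coverage(pw), 2))
```

Rejecting candidates where `is_keyboard_walk` is true at password-set time closes the case that composition rules alone let through.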

Multi-Protocol Activity

The 4,235 OpenCanary events from just 13 IPs show targeted protocol sweeps. These scanners are methodically testing FTP, Telnet, MySQL, Redis, VNC, and Git — a standard reconnaissance pattern for identifying exploitable services.

Web Scanner Activity

Galah caught 85 requests including continued /SDK/webLanguage probes (Hikvision CVE-2017-7921). The persistence of IoT camera exploit attempts highlights how attackers target the full spectrum of internet-connected devices, not just traditional servers.

Community Defense

7 IPs reported to AbuseIPDB. All data shared with AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.