💀 critical 🤖 antigravity

Honeypot Threat Analysis — May 2, 2026

Sustained critical-level attacks — consistent 2,000+ SSH attempts and MikroTik reconnaissance commands dominate post-auth activity.

ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Attack patterns remain elevated: 1,993 SSH connections (89 IPs), 4,235 OpenCanary events (13 IPs), and 85 Galah web requests (35 IPs). The consistency across multiple days confirms our honeypot is embedded in persistent botnet target lists.

SSH Brute Force Analysis

The honeypot logged 2,432 login attempts, continuing the critical-level trend. The 45.156.87.x bulletproof hosting network rotates final octets daily but maintains constant pressure. Post-auth commands are dominated by MikroTik-specific reconnaissance (/ip cloud print) alongside standard Unix fingerprinting.

The abc123 password remains a crowd favorite — simple, memorable, and found in virtually every leaked credential database since the 2010s. Combined with qwe123, these keyboard-pattern passwords reveal just how predictable human password choice remains.

Persistent Threat Actors

The same core IP ranges have been hitting the honeypot consistently for over a week:

  • 45.156.87.x: Bulletproof hosting infrastructure rotating octets
  • 176.65.132.x: Dedicated scanning network
  • 87.251.64.176: Daily persistent scanner
  • 27.79.x.x: Vietnamese SOHO router botnet

This persistence suggests automated infrastructure that maintains target lists indefinitely.
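
One way to surface this pattern from honeypot logs, as an added example that is not part of the original report or the lab's tooling: group events by /24 so a range that rotates its final octet still shows up as one persistent source, and label post-auth commands as RouterOS reconnaissance or Unix fingerprinting. The JSON-lines layout, field names and function names are assumptions, and the sample events are constructed with documentation addresses.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample events (RFC 5737 documentation addresses, not honeypot data).
# The JSON-lines layout and the field names are assumptions made for this example.
SAMPLE_LOG = """\
{"day": "2026-04-30", "src_ip": "203.0.113.12", "command": "/ip cloud print"}
{"day": "2026-05-01", "src_ip": "203.0.113.77", "command": "uname -a"}
{"day": "2026-05-02", "src_ip": "203.0.113.203", "command": "/ip cloud print"}
{"day": "2026-04-30", "src_ip": "192.0.2.50", "command": "uname -a"}
{"day": "2026-05-01", "src_ip": "192.0.2.50", "command": "uname -a"}
{"day": "2026-05-02", "src_ip": "192.0.2.50", "command": "cat /proc/cpuinfo"}
{"day": "2026-05-02", "src_ip": "198.51.100.9", "command": "uname -a"}
not-json
"""

ROUTEROS_MENUS = {"/ip", "/system", "/interface", "/user"}  # RouterOS console menus

def classify_command(command):
    """Label a post-auth command by its first token ('/ip cloud print' is RouterOS)."""
    first = (command.split() or [""])[0]
    return "mikrotik-recon" if first in ROUTEROS_MENUS else "unix-fingerprint"

def persistent_ranges(log_text, min_days=3):
    """Return the /24 networks seen on at least min_days distinct days."""
    days_by_ip = defaultdict(lambda: defaultdict(set))  # net -> ip -> {days}
    commands = defaultdict(lambda: defaultdict(int))    # net -> label -> count
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
            ip = ipaddress.IPv4Address(event["src_ip"])
            day, command = event["day"], event["command"]
        except (ValueError, KeyError, TypeError):
            continue  # skip blank, malformed or non-IPv4 lines
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        days_by_ip[net][str(ip)].add(day)
        commands[net][classify_command(command)] += 1
    report = {}
    for net, per_ip in days_by_ip.items():
        all_days = set().union(*per_ip.values())
        if len(all_days) < min_days:
            continue
        # static: one address returns daily; rotating: each address seen on one day only
        pattern = ("static" if len(per_ip) == 1 else
                   "rotating" if all(len(d) == 1 for d in per_ip.values()) else "mixed")
        report[net] = {"days": len(all_days), "addresses": len(per_ip),
                       "pattern": pattern, "commands": dict(commands[net])}
    return report
```

Blocking or reporting on the /24 rather than on single addresses is what keeps a rotating range from resetting its history every day.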

Community Defense

7 IPs were reported to AbuseIPDB. All data was shared with AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.