🟠 medium 🤖 qwen2.5:1.5b

Honeypot Threat Analysis — May 11, 2026

Moderate attack activity with sustained brute force campaigns targeting SSH and web services.

Tags: ssh-brute-force, honeypot, web-scanning, threat-intelligence

Threat Landscape Overview

Activity across the Raspberry Pi 5 honeypots was moderate today. The SSH honeypot recorded 205 connections and 160 login attempts from 63 unique IPs, with 18 commands executed in sessions that got past authentication. OpenCanary, covering FTP, Telnet, MySQL, Redis, VNC and Git, logged 30 events from 9 IPs.

The HTTP honeypot (Galah, an LLM-backed web honeypot) handled 163 requests. Roughly 120 unique attacker IPs were identified across all sensors, and all of them have been reported to AbuseIPDB. The Canarytokens planted in the honeypots as decoy credentials did not fire, so none of the material attackers harvested today has been used elsewhere yet.

SSH Brute Force Analysis

With 160 login attempts from 63 IPs, the SSH honeypot continues to record credential guessing at scale. The passwords tried most often were “admin”, “solana” and “password”: default-credential and dictionary guesses rather than targeted ones, with “solana” pointing to wordlists built for cryptocurrency wallets and nodes. Guesses like these only succeed against hosts that still allow password authentication with a default or dictionary password, which is why brute force remains the cheapest attack against Internet-facing SSH.
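How a daily summary like the one above is produced from raw honeypot output, as an added example that is not part of the original post or the lab's own tooling. It assumes Cowrie-style JSON event lines (the field names `eventid`, `src_ip`, `session`, `username`, `password` and `input` are that assumption) and runs over constructed sample events, including a blank line and a truncated line of the kind log rotation leaves behind.

```python
"""Summarize one day of SSH honeypot JSON events into the metrics this report uses.

Added example, not the lab's own tooling. The event schema is assumed to be
Cowrie-style JSON lines (one object per line with an "eventid" such as
cowrie.session.connect, cowrie.login.failed, cowrie.login.success,
cowrie.command.input); adjust the field names if your honeypot differs.
"""
import json
from collections import Counter

# Constructed sample events, not real captures: three source IPs, one of which
# guesses a password correctly and runs commands. A blank line and a corrupt
# line are included to exercise the error handling.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"password"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.9","session":"b2","username":"admin","password":"solana"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.9","session":"b2","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.9","session":"b2","input":"cat /proc/cpuinfo | grep name | wc -l"}

{"eventid":"cowrie.session.connect","src_ip":"192.0.2.44","session":"c3"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.44","session":"c4"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44","session":"c4","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.44",TRUNCATED
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_events(lines):
    """Yield decoded events, skipping blank and corrupt lines instead of aborting."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line at rotation time is common; do not lose the day over it
        if isinstance(event, dict) and "eventid" in event:
            yield event


def summarize(lines, brute_force_threshold=3, top_n=5):
    """Return the daily metrics plus the IPs that crossed the brute-force threshold."""
    connections = 0
    commands = 0
    ips = set()
    passwords = Counter()
    attempts_per_ip = Counter()
    successes = []

    for ev in parse_events(lines):
        ip = ev.get("src_ip")
        if ip:
            ips.add(ip)
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            connections += 1
        elif eid in LOGIN_EVENTS:
            attempts_per_ip[ip] += 1
            passwords[ev.get("password", "")] += 1
            if eid == "cowrie.login.success":
                successes.append((ip, ev.get("username", ""), ev.get("password", "")))
        elif eid == "cowrie.command.input":
            commands += 1

    return {
        "connections": connections,
        "login_attempts": sum(attempts_per_ip.values()),
        "commands_executed": commands,
        "unique_ips": len(ips),
        "top_passwords": passwords.most_common(top_n),
        # Threshold is this example's choice; tune it to your sensor's noise floor.
        "brute_force_ips": sorted(ip for ip, n in attempts_per_ip.items() if n >= brute_force_threshold),
        "successful_logins": successes,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Note that connections are counted per session, not per IP, so an IP that reconnects for every guess inflates the connection count relative to its login attempts; the per-IP attempt counter is what identifies brute forcers. Corrupt lines are skipped rather than failing the run, because a single torn line should not cost a whole day's metrics.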

Web Scanner Activity

The HTTP honeypot saw mostly reconnaissance. The top paths requested were “/”, “/sitemap.xml”, “/login”, “/favicon.ico” and “/m5gbhlkoet8”. The first four are standard scanner behaviour: fetch the root and sitemap to enumerate the site, probe for a login form, and pull the favicon, whose hash is a common input for fingerprinting the web application. A random-looking path such as “/m5gbhlkoet8” is typically requested to see how the server answers a nonexistent resource, which separates real 404s from catch-all pages and helps identify the server software before exploitation is attempted.
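Turning those request patterns into something a sensor can flag, as an added example that is not from the original post or the lab's tooling. It assumes Apache/nginx common-log-format lines (Galah's own JSON output would need a different parser but the same classification), and the entropy threshold and the "fingerprinting" rule (same IP fetches the root and a random path) are this example's heuristics, run over constructed log lines.

```python
"""Classify HTTP honeypot requests into reconnaissance categories and flag IPs
whose request sequence looks like server fingerprinting.

Added example, not the lab's own tooling. Log lines are assumed to be in the
Apache/nginx common log format.
"""
import math
import re
from collections import defaultdict

# Constructed access-log lines, not real captures.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [11/May/2026:03:14:07 +0000] "GET / HTTP/1.1" 200 612
203.0.113.9 - - [11/May/2026:03:14:08 +0000] "GET /m5gbhlkoet8 HTTP/1.1" 404 153
203.0.113.9 - - [11/May/2026:03:14:09 +0000] "GET /login HTTP/1.1" 200 1240
198.51.100.7 - - [11/May/2026:03:20:01 +0000] "GET /favicon.ico HTTP/1.1" 404 153
198.51.100.7 - - [11/May/2026:03:20:02 +0000] "GET /sitemap.xml HTTP/1.1" 404 153
192.0.2.44 - - [11/May/2026:04:01:55 +0000] "POST /login HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
KNOWN_PATHS = {
    "/": "root",
    "/favicon.ico": "favicon",     # favicon hashes are a common app-fingerprinting input
    "/robots.txt": "site-map",
    "/sitemap.xml": "site-map",
}
LOGIN_RE = re.compile(r"/(login|signin|admin|wp-login\.php)/?$", re.I)


def shannon_entropy(s):
    """Bits per character; equals log2(len(s)) when no character repeats."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def looks_random(path):
    """Heuristic for a throwaway path requested to see how the server answers a 404:
    a single segment, no extension, at least 8 characters, mixed letters and digits,
    and high character entropy. The thresholds are this example's choice."""
    segment = path.strip("/")
    if "/" in segment or "." in segment or len(segment) < 8:
        return False
    if not (re.search(r"[a-z]", segment, re.I) and re.search(r"\d", segment)):
        return False
    return shannon_entropy(segment) >= 3.0


def classify_path(path):
    path = path.split("?", 1)[0]  # ignore the query string for classification
    if path in KNOWN_PATHS:
        return KNOWN_PATHS[path]
    if LOGIN_RE.search(path):
        return "login-probe"
    if looks_random(path):
        return "random-404-probe"
    return "other"


def analyze(lines):
    """Per-IP categories and status codes, with a fingerprinting flag when the same
    IP fetched the root and a random path (baselining real vs. catch-all 404s)."""
    per_ip = defaultdict(lambda: {"categories": [], "statuses": [], "fingerprinting": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the run
        entry = per_ip[m["ip"]]
        entry["categories"].append(classify_path(m["path"]))
        entry["statuses"].append(int(m["status"]))
    for entry in per_ip.values():
        entry["fingerprinting"] = {"root", "random-404-probe"} <= set(entry["categories"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(ip, entry)
```

The entropy test is deliberately loose: "/m5gbhlkoet8" has eleven distinct characters, so its entropy is log2(11), about 3.46 bits per character, while real words and short slugs fall well below 3.0. Paths with an extension or multiple segments are excluded first, since those are usually probes for a specific file rather than a baseline request.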

Canarytokens planted in the honeypots as decoy credentials and files fired 0 times today, unchanged from the previous report, so nothing attackers collected from the honeypot has yet been used in a later stage. Post-exploitation reuse of harvested credentials is exactly the signal these tokens exist to catch, and a zero is still worth recording: the first trigger will show which session's loot is being acted on and how long after the initial compromise.

Community Defense

The identified IPs have been reported to multiple community-based threat monitoring services:

  • AbuseIPDB: all attacking IP addresses were reported.
  • AlienVault OTX: the indicators were shared with the Open Threat Exchange.
  • Blocklist.de: attacking IPs were reported to this community blocklist, which aggregates fail2ban-style attack reports.
  • SANS DShield: attack logs were submitted to the Internet Storm Center's DShield sensor network.
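What the AbuseIPDB reporting step looks like in code, as an added example that is not the lab's own tooling. The endpoint, the `Key` header and the `ip`/`categories`/`comment` form fields are AbuseIPDB's public v2 report API; the mapping from honeypot source to category, the `is_reportable` exclusion list and the sample evidence string are this example's own. The network call is isolated behind an injectable opener so the rest can be exercised offline.

```python
"""Build (and optionally submit) AbuseIPDB reports for honeypot attackers.

Added example, not the lab's own tooling. The endpoint, the "Key" header and
the form fields are AbuseIPDB's public v2 report API; everything else here
(source-to-category mapping, exclusion list) is this example's choice.
"""
import ipaddress
import json
import urllib.parse
import urllib.request

ABUSEIPDB_REPORT_URL = "https://api.abuseipdb.com/api/v2/report"

# AbuseIPDB report category IDs, from the service's published category list.
CATEGORY_IDS = {"port-scan": 14, "hacking": 15, "brute-force": 18, "web-app-attack": 21, "ssh": 22}

# Which categories each honeypot source maps to; the source names are this example's labels.
SOURCE_CATEGORIES = {
    "ssh": ["ssh", "brute-force"],
    "http": ["web-app-attack"],
    "opencanary": ["port-scan", "brute-force"],
}
COMMENT_LIMIT = 1024  # AbuseIPDB's maximum comment length

# Never report these: an internal scanner or a misconfigured NAT would otherwise
# make you report your own network. The RFC 5737 documentation ranges used by
# the sample data are deliberately left reportable here (ipaddress.is_global
# would reject them), so use is_global in production if you prefer.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_reportable(ip):
    """True for addresses outside the private/loopback/link-local/multicast ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_REPORTABLE)


def build_report(ip, source, evidence, honeypot_ips=()):
    """Return the form fields for one report.

    Raises ValueError for non-reportable addresses, for one of our own honeypot
    addresses, and for an unknown source. Redacts honeypot addresses from the
    comment, because AbuseIPDB reports are public.
    """
    if not is_reportable(ip):
        raise ValueError(f"{ip} is not a public address; not reporting")
    if ip in honeypot_ips:
        raise ValueError(f"{ip} is one of our own honeypots; not reporting")
    try:
        categories = SOURCE_CATEGORIES[source]
    except KeyError:
        raise ValueError(f"unknown honeypot source {source!r}") from None
    comment = evidence
    for own in honeypot_ips:
        comment = comment.replace(own, "[redacted]")
    return {
        "ip": ip,
        "categories": ",".join(str(CATEGORY_IDS[c]) for c in categories),
        "comment": comment[:COMMENT_LIMIT],
    }


def submit(fields, api_key, opener=urllib.request.urlopen):
    """POST one report. `opener` is injectable so callers can dry-run without network."""
    req = urllib.request.Request(
        ABUSEIPDB_REPORT_URL,
        data=urllib.parse.urlencode(fields).encode(),
        headers={"Key": api_key, "Accept": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed evidence string; the honeypot address is redacted before it leaves the box.
    print(build_report("203.0.113.9", "ssh",
                       "6 failed SSH logins from 203.0.113.9 against 192.0.2.10:22 in 40s",
                       honeypot_ips=("192.0.2.10",)))
```

Two operational points the code encodes: the comment is the only free text and it is public, so the honeypot's own address and any usernames that could identify you are scrubbed before submission; and the exclusion list runs before anything else, because the most common self-inflicted reporting error is forwarding an internal host's scan as an attack.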

Methodology

This post is based on data gathered from a Raspberry Pi 5 honeypot in Spain running open-source tools, among them OpenCanary and Galah. Open tooling keeps the collection method reproducible and lets the feed be adjusted as attacker behaviour changes. Further reports follow as monitoring continues.

Conclusion

Today's data shows nothing exotic: automated SSH credential guessing and routine web reconnaissance. Both are defeated by key-based SSH authentication, exposing only the services that must be reachable, and removing default credentials. Sharing the attacking IPs with community blocklists raises the cost for the operators behind these campaigns. Stay vigilant!


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.