Monitoring Honeypots?



Nov 19, 2010, 11:31:59 AM
to kippo users

just wondering how you usually monitor your honeypot installations for
service uptime & connectivity?

Obviously usual (remote) method is to connect to a running service and
see if you get the expected response, but doing this with honeypots
will skew the gathered data.

Any suggestions?


Leon v/d Eijk

Nov 19, 2010, 12:39:23 PM
I use ssh-service on a high port. I connect to the Apache webserver
using ssh for tunneling. I still screw things up connecting to my
kippo SSH instead from time to time :)


Miguel Jacq

Nov 19, 2010, 6:16:50 PM
Hey Andrew,

I run a Nagios server that uses NRPE to do low level service checks on the target host.

The target host listens on port 5666 and the nagios server tells it what checks to run. Thus the service checks are run locally on the target host and the return codes are sent back to the nagios server.

Let me know if you are interested, I can provide you with example configurations.

Otherwise Google around for Nagios and NRPE. Other examples might include SNMP.



Miguel Jacq

Nov 19, 2010, 9:29:35 PM
Hi again Andrew,

I read your original email a bit closer and realised I didn't really answer the question :)

re: where you want to check a service that is actually a honeypot service, yes that'll skew the data.

In the case of SSH (which was really all I was thinking about when I mentioned NRPE), I'd be running the real ssh on a nonstandard port and would check that.

I guess I haven't been in the situation where I've actually monitored the 'fake' ports the honeypot is running - never really thought about it :)

I don't know if there's a real way you could monitor a socket/port without it being aware of it, unless your honeypot was either not logging (and then what's the point) or clever enough to not log traffic coming from a certain IP.

Let me know where you go with it; it will be interesting.


Tomasz Miklas

Nov 20, 2010, 10:30:19 AM
netstat and PID file + ps results, all wrapped in a shell script (cron); if the PID is stale, the socket should be dead as well, so restart kippo.

I stay away from connecting to my own sensors ;)

Btw so far one instance but soon more to follow - my sensors reporting stats to

Will add daily stats soon, for now just sensor lifetime blob goes up shortly after midnight UTC and expires after 24h.

When I finish I'll share my scripts if you are interested. They are (w)hacky but do work better or worse - good for me anyway ;)

Tomasz Miklas
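As an added example (not a script from any poster on this thread), here is a cron-style sh implementation of the local check Tomasz describes: read the PID file, confirm the process is alive, confirm something is bound to the honeypot port from the local socket table, and restart only when both are dead. The kippo directory, PID file name, port 2222 and start.sh are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Cron-driven liveness check for a kippo sensor that never connects to the
# honeypot's listening socket, so monitoring never lands in the attack logs.
# Paths and port below are hypothetical defaults; override via environment.
KIPPO_DIR="${KIPPO_DIR:-/opt/kippo}"
KIPPO_PIDFILE="${KIPPO_PIDFILE:-$KIPPO_DIR/kippo.pid}"
KIPPO_PORT="${KIPPO_PORT:-2222}"

# 0 if the PID file names a live process, 1 if the PID is stale
# (process gone), 2 if the file is missing or does not hold a number.
pid_alive() {
    [ -r "$1" ] || return 2
    pid=$(tr -cd '0-9' < "$1")
    [ -n "$pid" ] || return 2
    kill -0 "$pid" 2>/dev/null
}

# 0 if some process is bound to TCP port $1 on this host. This reads the
# local socket table (ss, or the netstat named in the thread); it does not
# open a connection to the port.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR>1 {print $4}' | grep -Eq "[:.]$1\$"
    else
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$"
    fi
}

# Side-effect-free decision: $1 = pid_alive status, $2 = port_listening
# status. Stale PID plus dead socket is safe to restart; any mixed state
# (port held by something else, or a lying PID file) only gets an alert.
decide() {
    if [ "$1" = 0 ] && [ "$2" = 0 ]; then echo ok
    elif [ "$1" != 0 ] && [ "$2" != 0 ]; then echo restart
    else echo alert
    fi
}

# Entry point for cron: acts on the decision, logs to syslog, prints action.
check_kippo() {
    pid_alive "$KIPPO_PIDFILE" && p=0 || p=$?
    port_listening "$KIPPO_PORT" && s=0 || s=$?
    action=$(decide "$p" "$s")
    case "$action" in
        restart) logger -t kippo-watch "stale pid, dead socket: restarting kippo"
                 rm -f "$KIPPO_PIDFILE"; (cd "$KIPPO_DIR" && ./start.sh) ;;
        alert)   logger -t kippo-watch "inconsistent state pid=$p port=$s, not restarting" ;;
    esac
    echo "$action"
}
```

Run `check_kippo` from a cron entry every few minutes; the honeypot itself never sees the check, so its session logs stay clean.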
