Cowrie
Honeypots
Honeypot Diaries: SSH Authorized Keys
Analyzing threat actor activity and malware observed in geographically dispersed honeypots.
Honeypots
Honeypot Diaries: Masscan
A honeypot observations post documenting a threat actor attempting to install and use the masscan port scanner on a compromised host to scan for RDP and SSH targets, with SSH hardening mitigations.
Network Security
DIY IP Threat Feed
This post describes building a DIY IP threat feed by aggregating honeypot SSH login data in Splunk, enriching it with geo and reputation context, and exporting it as a regularly updated CSV blacklist.