Cowrie Honeypot
A deception environment that lures attackers and logs everything they do.
Build · 2025 · Cowrie / ELK
A high-interaction honeypot built on Cowrie — a system deliberately set up to look like an easy, vulnerable target. It exposes fake SSH and Telnet services, and when an attacker takes the bait, every login attempt, command, and file interaction is recorded for analysis.
I hardened the real administration channel onto a non-standard port, stood Cowrie up in an isolated environment, and piped its logs into the ELK stack so attacker behaviour could be explored visually rather than grepped out of raw log files.
SSH & Telnet simulation
Mimics real services to capture brute-force login attempts.
Full command logging
Every command an attacker runs is recorded for later analysis.
Filesystem interaction
Attackers can browse, download, and attempt exploits in a sandbox.
Real-time monitoring
Sessions stream to the logs live as they happen.
ELK visualization
Cowrie logs ingested into Elasticsearch and explored in Kibana dashboards.
Isolated by design
Runs off the production network so the bait can never become a foothold.


Built for research and education. A honeypot should never be exposed on a production network.