One of the smartest and most satisfying defensive tricks is turning an attacker’s own reconnaissance against them. Instead of just closing exposed banners (RDP, SSH, SMB, databases, etc.), you can deliberately leave realistic-looking ones active, but turn them into controlled honey pots that log, alert, and trap the attacker.
Why This Works So Well
Attackers scan for banners because they are fast, low-risk, and give immediate intelligence. When you control the banner, you control the interaction. You decide what the attacker sees, how long they stay, and what you learn about them.
Practical Ways to Turn Banners into Honey Pots
Here are the most common and effective setups used by blue teams and researchers:
1. Cowrie (Best for SSH/Telnet banners)
a) Deploy Cowrie as a medium-interaction SSH honeypot.
b) It emulates a real SSH server and logs every command the attacker types.
c) You can make the banner look exactly like your real servers (e.g., “OpenSSH 9.2p1 Ubuntu-2ubuntu0.1”).
2. Dionaea (Great for SMB, MSSQL, MySQL, HTTP)
a) Imitates several different services and records any malware that attackers have downloaded.
b) Helpful in detecting SMB (445) or database banner exploits by capturing the exploit and using it as bait.
3. T-Pot (Full-service solution)
a) A single Docker container with multiple honeypots: Cowrie, Dionaea, Honeytrap, Conpot, etc.
b) Fastest way to deploy a large number of realistic service banners at the same time.
4. Canarytokens (Lightweight and easy to set up)
a) Fake files (AWS credentials, DB credentials, password.txt) with embedded tokens.
b) When the attacker accesses or downloads an attacker will receive an immediate notification of the attacker's IP address and user agent.
Live Examples
1. RDP (port 3389): Rather than just shutting down the port, you create a heavily interactive Windows honeypot with weak credentials for the attacker. The attacker logs in to your honeypot, you capture everything that they are doing with their own tools and record the commands they execute and their attempts to lateral move. Many ransomware groups have been tracked this way.
2. SMB (port 445): Either create a Dionaea honeypot with exposed SMB shares (e.g., enticing filenames like “passwords.xlsx” and “admin_creds.txt”) or use a fake SMB share to lure attackers into attempting to copy files from it, so that you can log their activity and have samples of the malware used in the attack.
3. MySQL (port 3306) / PostgreSQL (port 5432): You create a fake database with a number of tables (e.g., “users”, “credit_cards”, “api_keys”) that would attract attackers. If an attacker attempts to dump the database, you would receive an alert, and log all queries made by the attacker.
4. Docker API banner (2375) Leave a fake unauthenticated Docker daemon exposed. Attackers who try to run containers get trapped in a monitored environment.
Quick Exercise You Can Try to Complete This Week
1. Quick SSH Honey Pot Exercise (10 Minutes)
a. Set up a Cowrie honey pot using Docker (Use the official quick start guide as a reference)
b. Configure the honey pot banner to match for one of your real SSH servers.
c. Expose the honey pot server on a non-production IP or through a firewall rule restricting the address to only specific countries.
d. Review the logs from the first 24 to 48 hours after launching your honeypot.
2. Canarytokens (File Trap) Exercise
a. Access canarytokens.org
b. Create a "DNS" or "HTTP" canary token that is disguised as either "aws_credentials.csv" or "passwords.txt"
c. Store the file on a server that has an exposed SMB share or a weakly secured URL for file access
d. Wait for someone to download the canary token.
3. Database Honey Pot Exercise
a. Use an open-source database system (e.g. MariaDB, PostgreSQL) with weak credentials and fake data
b. Configure the database to log all connections and queries
c. Monitor for attempts to dump all table records for any table named users or secrets.
Tips for More Effective Honeypot Results
1. Ensure the honeypots resemble real servers/have some level of normal log noise.
2. Use canarytokens on the fake server so you receive notifications when anyone interacts with them.
3. Send all honeypot logs to your SIEM system or send alerts using simple alerting system (Slack / Telegram).
4.Never use production credentials or real data in the honeypot.
Turning exposed banners into honey pots changes the game from “hide and hope” to “watch and learn.” You stop being purely defensive and start gathering real intelligence about who is targeting you and how.
It’s one of the highest return-on-effort techniques available to defenders.