How to Use a Honeypot to Detect Intrusions on Your Personal Network

Introduction 

In the modern interconnected landscape, home networks are increasingly vulnerable to cyber threats. Although we typically depend on antivirus software and firewalls to safeguard our digital existence, an advanced yet surprisingly straightforward method can yield significant insights into your network's security: the honeypot.

A honeypot is a deceptive system or service crafted to seem susceptible and appealing to attackers. When an individual engages with the honeypot, it triggers an alert—you have drawn the attention of a potential intruder.

This guide will provide you with comprehensive instructions on how to establish a personal honeypot at home, identify unauthorized access, and glean knowledge from these attempts— similar to what genuine cybersecurity professionals do.

What You Will Learn

-The definition of a honeypot and its utility

-Tools for setting up a honeypot (both beginner-friendly and advanced options)

-Steps to install and monitor a honeypot on your home network

-Recommended practices and safety measures

-Techniques for analyzing activity and maintaining vigilance

Who Is This For?

-Cybersecurity students or interns

-Tech-savvy individuals interested in home network security

-Anyone seeking real-time intrusion detection within their home 

 What Is a Honeypot?

A honeypot is a system or service that simulates a vulnerable device or software (such as a login page, a file server, or an open port) to deceive hackers into engaging with it. Given that there is no legitimate reason for anyone to interact with it, any engagement is deemed suspicious or malicious.

It assists you in:

-Detecting suspicious activity in real time

-Gaining insights into attacker behavior and tools

-Assessing the security (or lack thereof) of your home network

Popular Honeypot Tools

Below are several tools suitable for both beginners and advanced users:

-Cowrie: best for an SSH/Telnet honeypot; skill level: Intermediate

-Honeyd: best for simulating fake hosts; skill level: Intermediate to Advanced

-T-Pot: best as an all-in-one honeypot suite; skill level: Advanced

-OpenCanary: best as a simple, fast honeypot; skill level: Beginner

-Glastopf: best as a web application honeypot; skill level: Intermediate

In this guide, we will concentrate on OpenCanary—simple to install, lightweight, and ideal for novices.

 Step-by-Step Guide: Setting Up a Honeypot with OpenCanary

Step 1: Prepare Your Environment

You will require:

A PC or Raspberry Pi (preferably a device separate from your primary computer)

Linux OS (Ubuntu/Debian is recommended)

Python 3 installed

Admin/root access

Local network access

Step 2: Install Dependencies

On your Linux device, launch a terminal and update the packages:

sudo apt update

sudo apt upgrade

Next, install Python pip and the virtual environment:

sudo apt install python3-pip python3-venv

Step 3: Install OpenCanary

Clone the OpenCanary repository:

git clone https://github.com/thinkst/opencanary

Navigate into the directory and install:

cd opencanary

sudo pip3 install .

You may also choose to install opencanary-correlator (optional) for log analysis:

sudo pip3 install opencanary-correlator

Step 4: Configure Your Honeypot

Execute the configuration generator:

opencanaryd --copyconfig

This action will generate a JSON configuration file in your home directory: ~/.opencanary.conf

Modify it using a text editor:

nano ~/.opencanary.conf

In the configuration file, activate the services you wish to simulate. For instance, to emulate an FTP server:

"ftp.enabled": true,

"ftp.port": 21,

You can also enable:

HTTP: "http.enabled": true

MySQL: "mysql.enabled": true

SMB file shares: "smb.enabled": true

Telnet or SSH

Each of these will appear to attackers as genuine and potentially vulnerable.

Enable the services you want (e.g., FTP).

Step 5: Initiate OpenCanary

Execute the following command:

opencanaryd --start

You can monitor its logs by using:

tail -f /var/tmp/opencanary.log

Every connection attempt or any suspicious activity will be documented here.

Step 6: Conduct Your Own Test

To mimic an attack, attempt to connect from a different computer on your home network to the honeypot's IP address via FTP or HTTP, depending on the services you have activated. If FTP is enabled:

ftp <honeypot-IP>

Observe the logs become active!

Understanding the Logs

The logs contain:

Source IP

Timestamp

Accessed service (e.g., FTP, HTTP)

Payload or commands utilized

Example log entry:

{"dst_port": 21, "local_time": "2025-06-03 16:30:00", "logdata": {"USERNAME": "admin", "PASSWORD": "1234"}, "src_ip": "192.168.0.15", "sensor": "OpenCanary"}

This indicates that an individual (potentially you during the testing phase) attempted to log into the honeypot's FTP service using the username "admin" and a weak password. 
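The fields listed above are enough to triage the log automatically. The following Python script is an added example, not part of OpenCanary or the original post: it reads log lines of the shape shown above, groups events by source IP, and records why each source stands out. HOME_NET, the reason labels and the sample lines are assumptions made for illustration.

```python
import ipaddress
import json
from collections import defaultdict

HOME_NET = ipaddress.ip_network("192.168.0.0/24")  # assumption: your LAN range
# Constructed sample lines in the shape of the log entry shown above.
SAMPLE_LOG = """\
{"dst_port": 21, "local_time": "2025-06-03 16:30:00", "logdata": {"USERNAME": "admin", "PASSWORD": "1234"}, "src_ip": "192.168.0.15", "sensor": "OpenCanary"}
{"dst_port": 21, "local_time": "2025-06-03 16:30:04", "logdata": {"USERNAME": "root", "PASSWORD": "toor"}, "src_ip": "192.168.0.15", "sensor": "OpenCanary"}
{"dst_port": 80, "local_time": "2025-06-03 16:31:10", "logdata": {}, "src_ip": "192.168.0.15", "sensor": "OpenCanary"}
{"dst_port": 23, "local_time": "2025-06-03 17:02:41", "logdata": {"USERNAME": "admin", "PASSWORD": "admin"}, "src_ip": "203.0.113.7", "sensor": "OpenCanary"}
{"dst_port": -1, "local_time": "2025-06-03 17:05:00", "logdata": {"msg": "status"}, "src_ip": "", "sensor": "OpenCanary"}
{"dst_port": 21, "local_time": "2025-06-03 17:06:1
"""

def summarize(lines, login_threshold=2):
    """Group honeypot events by source IP and note why each host stands out."""
    hosts = defaultdict(lambda: {"ports": set(), "logins": []})
    skipped = 0
    for line in filter(None, map(str.strip, lines)):
        try:
            event = json.loads(line)
            src = str(ipaddress.ip_address(event["src_ip"]))
        except (ValueError, KeyError, TypeError):
            skipped += 1  # truncated write, or an event with no source address
            continue
        host = hosts[src]
        if isinstance(event.get("dst_port"), int):
            host["ports"].add(event["dst_port"])
        data = event.get("logdata")
        if isinstance(data, dict) and "USERNAME" in data:
            host["logins"].append((data["USERNAME"], data.get("PASSWORD")))
    report = {}
    for src, host in hosts.items():
        # A LAN source suggests a rogue or infected device; any other source
        # means the honeypot is reachable from outside the home network.
        inside = ipaddress.ip_address(src) in HOME_NET
        reasons = ["internal-source" if inside else "external-source"]
        if len(host["logins"]) >= login_threshold:
            reasons.append("repeated-logins")
        if len(host["ports"]) > 1:
            reasons.append("multiple-services")
        report[src] = {**host, "ports": sorted(host["ports"]), "reasons": reasons}
    return report, skipped

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG.splitlines())
    for src, info in report.items():
        print(src, info["ports"], len(info["logins"]), "logins", info["reasons"])
    print("skipped lines:", skipped)
```

To run it on real data, pass the open log file instead of the sample, for example summarize(open("/var/tmp/opencanary.log")).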

Recommended Practices

  • Keep the honeypot isolated within your network.

  • Utilize VLANs or place it on a guest Wi-Fi network.

  • Avoid exposing your honeypot to the internet unless you are fully aware of the implications. Doing so could expose you to legal or security problems.

  • Regularly review the logs.

  • Establish automatic notifications via email or Slack using OpenCanary Correlator.

  • Refrain from engaging with attackers.

  • Never attempt to "hack back." Simply monitor the situation.

Insights Gained from a Honeypot

  • Determine if your home router or IoT devices are leaking information.

  • Identify if any internal network devices are probing ports (e.g., a rogue device).

  • Understand the types of brute-force tools that attackers employ.

  • Ascertain if malware is present on another machine attempting to propagate.

Additional Advanced Features

Install Grafana and Loki to visualize the honeypot logs.

Set up a Raspberry Pi with T-Pot for a comprehensive honeypot stack (which includes Cowrie, Dionaea, etc.).

Automate incident response using fail2ban or email alerts. 

Example Use Case: Raspberry Pi Honeypot for IoT Attacks

IoT devices, such as smart cameras, frequently represent the most vulnerable point. By deploying a honeypot within the same network segment as your IoT devices, you can monitor for unauthorized access attempts—particularly from foreign locations or dubious ports.

Establishing a honeypot is akin to installing a motion detector in your digital residence. It not only prevents intrusions but also alerts you to any attempted breaches. This serves as an exceptional hands-on learning resource for cybersecurity and functions as an effective early-warning mechanism.

Utilizing OpenCanary or comparable tools allows you to gain insights into actual attack patterns, even from the comfort of your home. Regardless of whether you are a student, intern, or hobbyist, this initiative enhances your practical ethical hacking capabilities within your cybersecurity toolkit.

Written by: Ishu Thakur And Vanshika

Disclaimer: This post was authored by interns participating in the Infosec Dot Internship Program. Infosec Dot does not verify the accuracy, originality, or authenticity of the content. The views expressed are solely those of the authors and do not necessarily reflect those of Infosec Dot.
