Live data · two honeypots
Security
Two honeypots feed this page. This site logs scans on paths like
/wp-admin and /.env that don't exist
here — never did, this is static HTML. AMvpn
runs a real SSH honeypot that's been catching attack traffic since
April. Everything below is aggregate — no individual IPs, ever.
This site
Loading…
Daily activity
This site, last 30 days.
What's getting probed
This site, most-hit paths, all time.
AMvpn's SSH honeypot
Loading…
Where it's coming from
AMvpn, top attacking countries, all time.
How it works
This site: a handful of paths that only ever get hit by automated scanners — common WordPress, PHP, and admin-panel probes — are logged like any other request, but return the exact same 404 status a real typo would. The only difference: they get a slightly different page. A script tallies hits every 15 minutes, and a weekly summary goes to me directly.
AMvpn: a real Cowrie SSH/Telnet honeypot on a separate VM, enriched with GeoIP data, feeding a live dashboard and Telegram alerts. Once an hour, an aggregate summary — never raw IPs or session data — gets pushed here over a restricted SSH connection that can only overwrite that one file. Full write-up on the case study page.