Live data · two honeypots

Security

Two honeypots feed this page. This site logs scans on paths like /wp-admin and /.env that don't exist here — never did, this is static HTML. AMvpn runs a real SSH honeypot that's been catching attack traffic since April. Everything below is aggregate — no individual IPs, ever.

01

This site

Loading…

Total hits
Last 30 days
Unique sources
02

Daily activity

This site, last 30 days.

03

What's getting probed

This site, most-hit paths, all time.

04

AMvpn's SSH honeypot

Loading…

Total events
Last 30 days
Unique sources
05

Where it's coming from

AMvpn, top attacking countries, all time.

06

How it works

This site: a handful of paths that only ever get hit by automated scanners — common WordPress, PHP, and admin-panel probes — are logged like any other request, but return the exact same 404 status a real typo would. The only difference: they get a slightly different page. A script tallies hits every 15 minutes, and a weekly summary goes to me directly.

AMvpn: a real Cowrie SSH/Telnet honeypot on a separate VM, enriched with GeoIP data, feeding a live dashboard and Telegram alerts. Once an hour, an aggregate summary — never raw IPs or session data — gets pushed here over a restricted SSH connection that can only overwrite that one file. Full write-up on the case study page.