Anyone Tried Honeypots?

I have some ports forwarded on my firewall so I’m constantly looking for ways to stay as secure as possible. For the one use I have for RDP it’s a whitelist from a single remote network, and for HTTP/HTTPS services I have them all behind a reverse proxy based on requested URI, so only NGINX is exposed directly. I’m also running Suricata and pfBlockerNG with FireHOL lists on my pfSense firewall. Also running custom pfBlockerNG lists to block Shodan.

I was thinking about setting up an SSH honeypot so I can trap and block intrusion attempts. Has anyone tried this before or have any advice on how to do it? I’m just looking for a way to open port 22 to a VM running some kind of SSH honeypot that logs all IPs to a list that pfBlockerNG can fetch every 5 minutes or so. I don’t have any use for SSH directly through my firewall so any connection attempt would be an IP I would want to blacklist.

Hi!
Welcome!

I think a honeypot is a lot of work to maintain properly.

Normally I would avoid exposing servers to the internet and access the servers internally from a VPN connection instead.

Restricting your RDP to only one IP is good, but not practical if you need to connect from a second location later.