u/liranzozz

Deployed an SSH Honeypot on a VPS to collect & analyze IOCs. Aiming for a role in Threat Intel / OSINT and would love industry feedback!

Deployed an SSH Honeypot on a VPS to collect & analyze IOCs. Aiming for a role in Threat Intel / OSINT and would love industry feedback!

Hi everyone,
I'm a Computer Science student currently working towards a career in Threat Intelligence and OSINT. I do a lot of self-studying using AI tools, and I focus on building hands-on projects to gain as much practical experience (and knowledge) as possible and familiarize myself with the tools and the industry landscape.

The Setup:
I deployed an SSH honeypot directly on a cloud VPS. The repository primarily outlines my deployment methodology, configuration settings, isolation, and how I structured the environment to capture data.

My Main Observation (and a question):
An interesting finding so far: the payloads dropped by the automated bots were almost exclusively RedTail cryptominers. I honestly haven't fully figured out yet why this specific malware was pretty much the only thing they attempted to install on my machine. Any insights on this would be highly appreciated!

My questions for the industry pros:
I want to make sure my approach is sound. I would love your critiques on the repository and methodology:

  1. Setup & Methodology: Looking at my configuration and deployment steps, is this an effective way to gather reliable IOCs? Are there any glaring security risks in how the VPS is configured?
  2. Next Steps in Analysis: What features, data enrichments, or integrations (e.g., SIEM, specific threat feeds) would a real Intel team expect to see applied to this raw data?
  3. Interview Prep: If you saw this setup and methodology on a junior applicant's resume, what technical questions would you ask to test if they truly understand the underlying networking and OSINT processes?

Here is the repository: https://github.com/liranzoz/ssh-honeypot-research.git

Thank you! I highly appreciate any critiques or advice on how to make this portfolio-ready.

u/liranzozz — 8 days ago