I’ve never been brave enough to run an SSH honeypot myself. Anything which is even pretending to be “open” to the world to attract bad guys is probably just too much of a risk for a network. Having said that, it’s clear there is a lot of interesting data which could be gathered and a lot we could learn about the standard approaches to system compromise attempts. I recently came across a fascinating blog article which reviews the data captured using a honeypot. It gives some insight into how these attacks are carried out and clearly shows that most of them are “script kiddies” without much clue. As my recent talk (Do bad guys work weekends?) presented at the FLOSS UK Spring Conference in Newcastle showed, there are some very simple strategies for completely blocking most of these attacks.