Skip to content

LogSentinel Honeypot

The LogSentinel Collector supports а honeypot functionality that allows it to collect threat information by acting as a fake exposed service.

Supported services

The LogSentinel Honeypot supports the following services on their default ports:

  • FTP (21)
  • SSH (22)
  • Telnet (23)
  • SMTP (25, 465, 587)
  • HTTP(S) (80, 443)
  • POP3 (110)
  • SMB (139, 445)
  • IMAP (143)
  • RDP (3389)

Network configuration requirements

In order for the honeypot to work, it has to be exposed to the internet and all firewall restrictions for the selected ports should be lifted.

Information sharing

Once a potentially malicious actor accesses the open ports, their IP is sent to LogSentinel SIEM to include in the threat database, with the assumption that anyone trying to find open ports of popular services by scanning random IPs is doing that with malicious intent.