Protocol Honeypots

Detect credential theft and lateral movement by deploying fake database and service credentials.

How Protocol Honeypots Work

Protocol honeypots create realistic-looking credentials for common database and service protocols. When an attacker discovers and attempts to use these credentials, the connection attempt is detected and you receive an alert.

Detection Flow

1. Create
Generate credentials
2. Plant
Place in config files
3. Detect
Attacker connects
4. Alert
Instant notification

Available Protocols

Tripwires supports the following protocol honeypots:

Databases

🐘

PostgreSQL

Most popular open-source database. Port 5432.
🐬

MySQL

World's most popular database. Port 3306.
💾

MSSQL

Microsoft SQL Server for enterprise. Port 1433.
🔍

Elasticsearch

Distributed search and analytics engine. Port 9200.
🍃

MongoDB

Popular NoSQL document database. Port 27017.
🔴

Redis

In-memory data store and cache. Port 6379.

Memcached

Distributed memory caching system. Port 11211.

Remote Access

🔑

SSH

Secure remote server access. Port 22.
📟

Telnet

Legacy remote access for network gear. Port 23.
🖥️

RDP

Microsoft Remote Desktop Protocol. Port 3389.
📺

VNC

VNC remote desktop access. Port 5900.

Network Services

📂

LDAP

Enterprise directory services. Port 389.
🗂️

SMB

Windows file sharing protocol. Port 445.
📧

SMTP

Email sending protocol. Port 25/587.
📁

FTP

File Transfer Protocol for legacy systems. Port 21.
🐳

Docker API

Docker daemon remote API. Port 2375.
🔐

HTTP Admin

HTTP admin panels and dashboards. Port 8080.

Coming Soon

We're constantly expanding our protocol support. The following honeypots are coming soon:

🔶
Oracle
🐰
RabbitMQ
📊
Kafka

What Gets Detected

When someone attempts to connect using your honeypot credentials, Tripwires captures:

  • Source IP address - Where the connection came from
  • Timestamp - Exact time of the connection attempt
  • Username used - The username in the connection attempt
  • Protocol details - Additional protocol-specific information

Choosing the Right Protocol

Select protocols that match your actual infrastructure to make the honeypot credentials believable:

If you use... Create honeypots for...
PostgreSQL or MySQL databases PostgreSQL / MySQL (looks like backup/staging DB)
Microsoft SQL Server MSSQL (looks like ERP or reporting DB)
Redis or Memcached for caching Redis / Memcached (looks like session store)
ELK stack or MongoDB Elasticsearch / MongoDB (looks like log archive or data store)
SSH for server access SSH (looks like jump server or bastion host)
Remote desktop (Windows) RDP / VNC (looks like admin workstation)
Active Directory or LDAP LDAP (looks like corporate directory)
Windows file shares SMB (looks like finance or HR share)
Docker containers Docker API (looks like container registry)
Web admin panels HTTP Admin (looks like admin dashboard)
Legacy file transfers or email FTP / SMTP (looks like backup or mail server)
Network equipment (switches, IoT) Telnet (looks like network management interface)

Pro Tip

Create multiple honeypots of the same type with different names to catch attackers at various points in your infrastructure.

Tripwire Details PostgreSQL