What HoneyOpus is
HoneyOpus is a pocket-sized SSH + Telnet honeypot that runs on cheap ESP32 boards. It captures every brute-force login attempt and every shell command the attacker types, records the whole session as an asciicast, geolocates the source, and optionally reports the IP to AbuseIPDB and AlienVault OTX.
The HoneyOpus Hub (this site) aggregates the feeds from many honeypots — yours and, if you opt in, other people's too.
Supported boards
| Board | MCU | Display | Flash / PSRAM | Notes |
|---|---|---|---|---|
| ESP32-C3 SuperMini OLED | esp32-c3 |
ssd1306-72x40 (built-in 0.42″ mono OLED) |
4 MB / 0 MB | Original target. Cheapest path in. |
| LilyGO T-QT Pro | esp32-s3 |
st7735-128x128 (1.14″ colour IPS) |
4 MB / 2 MB | Colour panel, room for animated icons. |
| ESP32-S3-N16R8 | esp32-s3 |
none (headless) |
16 MB / 8 MB | Big flash + PSRAM; keeps long sessions. |
Sending attacks to this hub
- Sign up & register a honeypot — you'll get a
hop_…bearer token. - Configure your device's hub reporter with that token and this
hub's
/api/v1/ingestURL. - Captures show up in your dashboard seconds after each attack disconnects.
The wire format is documented in the
v1 ingest protocol contract.
Re-sending the same (honeypot, attack.id) pair is
idempotent — safe to retry on flaky links.
Privacy
- Accounts are anonymous — username and password only, no email, no recovery questions.
- Your feed is private by default. Flip it public in settings to contribute to the home page.
- LAN-sourced attacks (RFC 1918, loopback, link-local, CGNAT, IPv6 ULA) are tagged with a 🏠 badge and never reported to public threat-intel feeds.
HoneyOpus Hub · open feed: / · API: /api · ingest contract: /about · firmware: github.com/KaSt/HoneyOpus