CobianSoft

-The home of Cobian Backup


Cobian Honeypot


What is Cobian Honeypot?

Important: This is an advanced tool that will add blocking rules to your firewall. Adding the wrong rule could result in restricted access to the server from any remote computer you use to work on it. Always double-check the exception lists and make sure to add your IP address (or a subnet) to them.

Cobian Honeypot is a cross-platform security application designed to detect and prevent unauthorized connections to your machine. It currently supports Windows and Linux, with possible macOS support planned for the future.

The application is plugin-based and runs as a Windows Service on Windows systems or as a daemon on Linux.

Cobian Honeypot allows you to open one or more ports and deploy a honeypot on them. Any incoming connection that is not explicitly excluded is handed off to the configured plugins for processing. Once handled, the connection is immediately terminated.

At present, one plugin is included. Its function is to automatically add a blocking rule to the system firewall—Windows Firewall on Windows or ufw on Linux—preventing the offending IP address from making future connections. The plugin also supports blocking an entire IP range using CIDR notation. For example, 134.32.24.0/24 blocks all 256 IP addresses within that network.

Currently, Cobian Honeypot is configured exclusively via the command line. A full graphical configuration tool, as well as an installation program, is planned for a future release.

The problem

Port scanning and attempted intrusions are a daily occurrence on the internet—especially when running a publicly accessible server or home network service. Attackers routinely scan for open ports to identify potentially vulnerable services, such as outdated FTP servers (port 21), unsecured web applications, remote desktops, or other exposed endpoints. Once discovered, these can become prime targets for exploitation.

One effective way to detect and deter such probing is by deploying a honeypot — a decoy service designed to attract and log malicious activity without exposing your real systems.

A practical tool for this purpose is Cobian Honeypot. Here's how you can use it to improve your defenses:

  • Install and configure an active honeypot that listens on commonly targeted ports (e.g., port 21 is a good one). Please be aware that no other service should be using the chosen port!
  • Enable and configure the Blocker plugin for the honeypot.
  • Open the port in your firewall so that it is visible to outsiders.
  • When an unauthorized connection attempt is made to the honeypot (including port scans or service probes), the system immediately drops the connection.
  • The plugin then automatically adds a DENY rule to your firewall, blocking the offending IP address (or even a subnet/range, such as x.x.x.0/24).

The solution works on both Windows and Linux (on Linux, ufw needs to be running and enabled).
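
The exception check and the range blocking described above can be sketched as follows. This is an added example, not Cobian Honeypot's own code: the function names, the sample exception entries and the "ufw insert 1 deny from" rule form are assumptions for illustration. It goes one step beyond the text by falling back to a single-host block when the configured range would cover an address on the exception list.

```python
import ipaddress

def plan_block(src_ip, exceptions, prefix_len=24):
    """Return (network_to_block or None, reason) for one honeypot hit."""
    addr = ipaddress.ip_address(src_ip)
    # Exception entries may be single addresses or CIDR ranges.
    allow = [ipaddress.ip_network(e, strict=False) for e in exceptions]
    allow = [n for n in allow if n.version == addr.version]

    # 1. Never block a source that is on the exception list.
    if any(addr in n for n in allow):
        return None, "source is on the exception list"

    host = ipaddress.ip_network(str(addr))  # /32 (IPv4) or /128 (IPv6)
    if addr.version == 6:
        # Assumption: range widening is applied to IPv4 only.
        return host, "single IPv6 host"

    # 2. Widen to the configured range, e.g. x.x.x.0/24.
    wide = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)

    # 3. If the range would swallow an excepted address, block the host only.
    clash = [n for n in allow if wide.overlaps(n)]
    if clash:
        return host, f"{wide} covers exception {clash[0]}, host only"
    return wide, f"range of {wide.num_addresses} addresses"

def ufw_command(network):
    """Build (not run) a ufw deny rule for the network.

    ufw applies the first matching rule, so the deny is inserted at
    position 1, ahead of the rule that opens the honeypot port.
    """
    return ["ufw", "insert", "1", "deny", "from", str(network)]

if __name__ == "__main__":
    # Constructed sample data: an admin workstation and an office subnet.
    exceptions = ["203.0.113.10", "198.51.100.0/24"]
    for src in ["134.32.24.77", "203.0.113.10", "203.0.113.77"]:
        net, reason = plan_block(src, exceptions)
        cmd = " ".join(ufw_command(net)) if net else "(no rule)"
        print(f"{src:15} {cmd:45} {reason}")
```

The third sample address shares a /24 with the excepted workstation, so only that single host is blocked.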

The program is FREEWARE and can be used even in commercial environments.

If you want to purchase the source code, contact me by mail at cobian@cobiansoft.com.

You can download the installer or install it manually by downloading and unzipping the compressed version. Windows Defender SmartScreen may occasionally flag the installer (.exe version) due to the ZIP file being included as an embedded resource inside it. This is typically a false positive and does not indicate any actual security issue. If you decide to download the zip-version and install it manually, look for the readme.txt file for instructions.

Download

Version: 1.0.00

Windows 64-bits installer OR Windows 64-bits (Manual installation)

Windows 32-bits installer OR Windows 32-bits (Manual installation)

Windows 64-bits (ARM) installer OR Windows 64-bits (ARM) (Manual installation)

Linux 64-bits installer OR Linux 64-bits (Manual installation)

Linux 64-bits (ARM) installer OR Linux 64-bits (ARM) (Manual installation)

Linux 32-bits (ARM) installer OR Linux 32-bits (ARM) (Manual installation)

If you download the installer for Linux, remember to set the executable attribute on it, for example: chmod +x cobian-honeypot-install-linux-x64