Within the first hour of exposing SSH port 22, I had login attempts taking place from all over the world. As more time passed, I got to thinking about the popularity of Kippo and, given the fact that it hasn't been updated in a while, that it's most likely detectable and lacking simulated features used by attackers. A quick web search confirmed all these suspicions, so I replaced Kippo with Cowrie. Cowrie is directly based off of Kippo with several important updates that include:

SFTP and SCP support for file upload

Support for SSH exec commands

Logging of direct-tcp connection attempts (SSH proxying)

Logging in JSON format for easy processing in log management solutions

Many more additional commands and, most importantly, a fix for the previous Kippo detection

The switch went really smoothly, as Cowrie is basically a drop-in replacement for Kippo and scripts like Kippo-Graph work with it. In addition to switching to Cowrie, I updated the included fs.pickle file so that it is not the out-of-the-box file system you get by default.

As the week progressed, the honeypot continued to rack up login attempts; a few were successful, but most were not. Because of this, I added a few of the more common username/password combinations to hopefully entice attackers to interact with the honeypot.
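
The JSON logging mentioned in the feature list makes it easy to review login attempts like these. The following is an added example, not code from the original post or from the Cowrie project: it tallies login outcomes, credential pairs and source IPs from JSON log lines. The field names (`eventid`, `username`, `password`, `src_ip`) and event IDs follow current Cowrie JSON output and are an assumption about the version in use; the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of Cowrie's JSON log; the last line is cut
# off, as can happen when the file is read while Cowrie is still writing it.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.7", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "admin", "src_ip": "198.51.100.7", "session": "a1"}
{"eventid": "cowrie.login.success", "username": "root", "password": "password", "src_ip": "203.0.113.9", "session": "b2"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "203.0.113.9", "session": "c3"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.9", "session": "c3"}
{"eventid": "cowrie.login.fai
"""

# Assumed event IDs (current Cowrie naming); older releases may differ.
LOGIN_EVENTS = {"cowrie.login.success": "success", "cowrie.login.failed": "failed"}

def summarize_logins(lines):
    """Tally login outcomes, credential pairs and source IPs from JSON log lines."""
    outcomes, credentials, sources = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt line: count it, keep going
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        outcome = LOGIN_EVENTS.get(event.get("eventid"))
        if outcome is None:
            continue  # connects, commands, downloads etc. are not logins
        outcomes[outcome] += 1
        credentials[(event.get("username"), event.get("password"))] += 1
        sources[event.get("src_ip")] += 1
    return {"outcomes": outcomes, "credentials": credentials,
            "sources": sources, "skipped": skipped}

if __name__ == "__main__":
    report = summarize_logins(SAMPLE_LOG.splitlines())
    print("outcomes:", dict(report["outcomes"]))
    for (user, password), count in report["credentials"].most_common(3):
        print(f"{count:3d}  {user}/{password}")
    print("unparseable lines:", report["skipped"])
```

To run it against a real log, pass an open file handle for the honeypot's JSON log to `summarize_logins` instead of the sample lines.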