A study using eleven SSH honeypots has revealed that successful SSH compromises rarely involve the interactive shell sessions security teams typically watch for. Instead of attackers manually typing commands to explore systems, the research shows that post-login activity is predominantly automated and non-interactive, challenging conventional assumptions about SSH attack patterns.
SSH servers exposed to the internet face constant automated scanning and login attempts from distributed IP addresses worldwide. Security professionals have long operated under the assumption that successful breaches lead to interactive sessions where attackers manually navigate file systems, examine configurations, and execute commands. The honeypot data contradicts this mental model of SSH attacks.
The eleven research honeypots were deployed on cloud infrastructure to observe real-world SSH attack behavior. By allowing attackers to successfully authenticate, researchers could monitor post-compromise activities without the filtering effect of strong defenses. The honeypots recorded what attackers actually do after gaining access, rather than what security teams assume they do based on incident response scenarios or penetration testing methodologies.
The dominance of non-interactive attacks suggests that compromised SSH servers are being integrated into automated attack infrastructure rather than being individually explored by human operators. This pattern indicates that attackers prioritize scale and automation over careful reconnaissance of individual targets. The automated nature of these attacks allows threat actors to compromise and weaponize large numbers of systems efficiently.
Organizations should adjust their SSH security monitoring to detect non-interactive post-login patterns rather than focusing exclusively on interactive shell activity. Detection strategies should include monitoring for automated script execution, unusual process spawning patterns, and network connections initiated immediately after authentication. Security teams should also implement rate limiting, key-based authentication instead of passwords, and network segmentation to limit the impact of compromised SSH access.
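As an added example (not code from the article or from the study it reports), the following Python correlator runs over constructed sshd log lines and separates interactive shell sessions from non-interactive command sessions, flagging those that begin executing within seconds of authentication. The "Starting session:" line format is assumed from OpenSSH's LogLevel VERBOSE output; the host, users and addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of sshd syslog output at LogLevel VERBOSE.
# The "Starting session:" format is an assumption; adjust the regex to your sshd build.
SAMPLE_LOG = """\
Jul  3 10:00:01 host sshd[1201]: Accepted password for admin from 203.0.113.5 port 51000 ssh2
Jul  3 10:00:01 host sshd[1201]: Starting session: command for admin from 203.0.113.5 port 51000 id 0
Jul  3 10:05:10 host sshd[1340]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2
Jul  3 10:05:14 host sshd[1340]: Starting session: shell on pts/0 for ops from 198.51.100.7 port 40022 id 0
Jul  3 10:06:00 host sshd[1402]: Accepted password for admin from 203.0.113.5 port 51001 ssh2
Jul  3 10:06:00 host sshd[1402]: Starting session: command for admin from 203.0.113.5 port 51001 id 0
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT_RE = re.compile(r"^Accepted (\w+) for (\S+) from (\S+) port \d+")
START_RE = re.compile(r"^Starting session: (shell on \S+|command|subsystem '\S+') for")

def parse_sessions(log_text):
    """Correlate 'Accepted' and 'Starting session' lines by sshd pid; one dict per login."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        a = ACCEPT_RE.match(msg)
        if a:  # successful authentication opens a session record keyed by pid
            sessions[pid] = {"pid": pid, "method": a.group(1), "user": a.group(2),
                             "src": a.group(3), "login": ts, "kind": None, "delay": None}
            continue
        s = START_RE.match(msg)
        if s and pid in sessions:  # shell on a pty is interactive; command/subsystem is not
            kind = "interactive" if s.group(1).startswith("shell on") else "non-interactive"
            sessions[pid]["kind"] = kind
            sessions[pid]["delay"] = (ts - sessions[pid]["login"]).total_seconds()
    return list(sessions.values())

def flag_automated(sessions, max_delay=2.0):
    """Non-interactive sessions that start executing within max_delay seconds of login."""
    return [s for s in sessions
            if s["kind"] == "non-interactive" and s["delay"] is not None and s["delay"] <= max_delay]

if __name__ == "__main__":
    for s in flag_automated(parse_sessions(SAMPLE_LOG)):
        print(f"{s['src']} {s['user']} via {s['method']}: command session {s['delay']:.0f}s after login")
```

On a real host, feed it the sshd journal or auth log and pair the flagged pids with process-accounting or auditd events to see what the command actually spawned.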
Source: https://www.helpnetsecurity.com/2026/07/03/research-non-interactive-ssh-attacks/