A 4-Month Dataset of Interactive SSH Honeypot Logs and Command Payloads Preprint

This article describes a longitudinal dataset of high-interaction SSH honeypot logs collected over a four-month period from July to November 2025. The data was captured using a custom modular multi-threaded honeypot developed in Python 3.10, utilizing the Paramiko library to simulate an interactive SSHv2 environment. Unlike low-interaction systems, this dataset records the full spectrum of adversary activity, including initial connection attempts, authentication brute-forcing, and post-authentication command execution. The resulting dataset contains 145,425 security events, structured to support session reconstruction via unique identifiers. The telemetry includes source IPv4 addresses, credential pairs, and granular command-line payloads, featuring rare instances of file-less exploitation via bash sockets. This data provides a ground-truth source for training machine learning models for anomaly detection, enhancing SIEM rule-sets, and conducting empirical research into botnet orchestration and manual intrusion tactics in cloud infrastructures. This is a preprint of a paper submitted to Data in Brief. This preprint describes the dataset available at DOI: 10.5281/zenodo.19815504 and utilizes the software framework archived at DOI: 10.5281/zenodo.19817625.