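# Honeypot log triage: locate the logs, summarise source addresses, review
# attempted commands, build a timeline, then ban a reviewed address.
# Everything in these logs is attacker-influenced, so treat it as untrusted
# input to any later tool.

# Step 1: Locate Honeypot Logs
# The grouping makes the OR explicit; the matches are the same as without it.
sudo find /var/log \( -name "*honeypot*" -o -name "*cowrie*" \)

# Step 2: Extract Attacker IPs
# The dots are escaped so that only dotted quads match. The pattern matches
# any dotted quad on any line, including the honeypot's own listening address
# and addresses an attacker typed inside a command (for example a download
# URL), so the counts are candidates to review, not a ban list.
# NOTE(review): filtering on the connection lines first (Cowrie's text log
# normally writes "New connection: <ip>:<port>") would narrow this to real
# peers; confirm against your log format.
grep -oP '\d+\.\d+\.\d+\.\d+' /var/log/cowrie/cowrie.log | sort | uniq -c | sort -nr

# Step 3: Review Commands Attempted
# The matched lines carry bytes chosen by the attacker; page them through
# `less` or `cat -v` if the terminal should not interpret escape sequences.
grep "Command" /var/log/cowrie/cowrie.log

# Step 4: Generate Timeline
# Prints the first two fields and the last field of each line; presumably the
# first two are date and time, so verify against the actual log layout.
awk '{print $1, $2, $NF}' /var/log/honeypot.log > timeline.txt

# Step 5: Feed to Fail2ban
# ATTACKER_IP holds one address reviewed in Step 2; the expansion aborts when
# it is unset, so no placeholder string reaches fail2ban. Check it against
# your own management addresses (fail2ban's ignoreip) before banning.
sudo fail2ban-client set sshd banip "${ATTACKER_IP:?set ATTACKER_IP to the reviewed address}"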