What if you used port knocking, but instead of opening a closed port on a correct knock sequence, you switch the service listening to the target port from honeypot mode to normal mode? Anyone connecting and presenting genuine authorization credentials during that window gets genuine access, while everyone else gets routed to the honeypot.
The 40th basement door from the left opens to a storage closet until someone says, "swordfish" at the 30th door from the left, then 15 seconds later, it opens to a vestibule with an imposing, riveted-iron door for the next 60 seconds. That locked door requires a genuine invitation to admit you to the speakeasy.
If you didn't know the speakeasy was there, you might not bother trying to dig through the back wall of the closet with a pickaxe. If you watched someone else go in, and copied their actions, you still don't have the invitation. Any noise you make banging around trying to fool the automated bouncer is much more noticeable when all the casual traffic and robot-driven attackers are mostly just stealing boxes of detergent out of the decoy closet.
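
The routing decision described above, as an added example that is not part of the original post: a small state machine that sends a connection to the real service only inside the post-knock window and only with valid credentials. The `Gate` class, the per-source window, the token set and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

KNOCK_PORT = 30          # "30th door": where the knock word is presented
KNOCK_WORD = b"swordfish"
ARM_DELAY = 15.0         # seconds from a correct knock until the window opens
WINDOW = 60.0            # seconds the real service stays reachable

@dataclass
class Gate:
    """Routing decision for the service port ("40th door"); honeypot by default."""
    valid_tokens: set                             # stand-in for real authentication
    windows: dict = field(default_factory=dict)   # source -> (open_at, close_at)
    alerts: list = field(default_factory=list)

    def knock(self, src, port, payload, now):
        # A wrong port or word changes no state and returns nothing to the sender.
        if port == KNOCK_PORT and payload == KNOCK_WORD:
            self.windows[src] = (now + ARM_DELAY, now + ARM_DELAY + WINDOW)

    def connect(self, src, token, now):
        open_at, close_at = self.windows.get(src, (float("inf"), float("-inf")))
        if not (open_at <= now < close_at):
            return "honeypot"                     # the decoy closet
        if token in self.valid_tokens:
            return "service"                      # knock and invitation both good
        # Correct knock but no invitation: rare, so worth an alert.
        self.alerts.append((now, src, "valid knock, bad credentials"))
        return "honeypot"

def replay():
    """Constructed timeline: a guest, a copycat who watched the knock, a scanner."""
    gate, routed = Gate(valid_tokens={"invite-123"}), []
    gate.knock("192.0.2.5", KNOCK_PORT, KNOCK_WORD, now=0)
    routed.append(gate.connect("192.0.2.5", "invite-123", now=5))    # before window
    routed.append(gate.connect("192.0.2.5", "invite-123", now=20))   # inside window
    gate.knock("192.0.2.9", KNOCK_PORT, KNOCK_WORD, now=30)
    routed.append(gate.connect("192.0.2.9", "guess", now=50))        # copycat
    routed.append(gate.connect("192.0.2.7", "invite-123", now=50))   # never knocked
    routed.append(gate.connect("192.0.2.5", "invite-123", now=80))   # window closed
    return routed, gate.alerts

if __name__ == "__main__":
    print(replay())
```

Only the second connection reaches the service; the copycat's attempt is the single alert, which is the low-noise signal the post describes.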