βββ βββ βββββββ ββββ ββββββββββββββ βββββββ ββββββββββββββββββββ
βββ βββββββββββββββββ βββββββββββββββ βββββββββ ββββββββββββββββββββ
βββββββββββ βββββββββ βββββββββ βββββββ ββββββ βββββββββ βββ
βββββββββββ βββββββββββββββββββ βββββ ββββββββββββββββ βββ
βββ βββββββββββββββ ββββββββββββββ βββ βββ ββββββββββββββ βββ
βββ βββ βββββββ βββ βββββββββββββ βββ βββ βββββββββββββ βββ 
Multi-protocol honeypot network that simulates six real services, captures attacker behavior, maps to MITRE ATT&CK, extracts IOCs, and visualizes everything through a real-time dashboard.
This is a quick overview. Security theory, architecture, and full walkthroughs are in the learn modules.
- Simulates 6 services: SSH (fake shell with 25+ commands), HTTP (WordPress/phpMyAdmin fakes), FTP (PASV file capture), SMB (negotiate), MySQL (wire protocol), Redis (RESP)
- Captures every attacker interaction: credentials, commands, file uploads, scanning patterns, tool fingerprints
- Maps behavior to 27 MITRE ATT&CK techniques across 8 tactics with single-event and sliding-window detection
- Extracts IOCs (IPs, URLs, domains, user-agents, credentials) with confidence scoring and deduplication
- Exports threat intelligence as STIX 2.1 bundles and firewall blocklists (iptables, nginx deny, plain text, CSV)
- Records SSH sessions in asciicast v2 format, replayable in the browser via xterm.js
- Streams events in real time via WebSocket to a React dashboard with attack maps, MITRE heatmaps, and session replay
git clone https://github.com/CarterPerez-dev/Cybersecurity-Projects.git
cd PROJECTS/advanced/honeypot-network
cp .env.example .env
docker compose -f dev.compose.yml up -dDashboard loads at http://localhost:3000 or the live demo at honeypot-network.carterperez-dev.com. Connect to the SSH honeypot to see your first captured session:
ssh root@localhost -p 2222Use any password. Run commands like ls, cat /etc/passwd, wget http://example.com/payload.sh, and watch events stream into the dashboard.
Tip
This project uses just as a command runner. Type just to see all available commands.
Install: curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin
βββββββββββββββββββββββββββββββββββββββββββββββ
Attackers β Hive Backend β
β β
ββββββββ β ββββββββ ββββββββ ββββββββ ββββββββ β
β SSH βββββ2222ββββββ sshd β β httpdβ β ftpd β β smbd β β
βClientβ β ββββ¬ββββ ββββ¬ββββ ββββ¬ββββ ββββ¬ββββ β
ββββββββ β β β β β β
ββββββββ β ββββ΄ββββ ββββ΄ββββ β
βMySQL βββββ3307ββββββmysqldβ βredisdβ β
βClientβ β ββββ¬ββββ ββββ¬ββββ β
ββββββββ β β β β
β βΌ βΌ β
β βββββββββββββββββββ β
β β Event Bus β (fan-out pub/sub) β
β ββββββββββ¬βββββββββ β
β β β
β βββββββ΄ββββββ β
β β Processor β (4 worker goroutines) β
β β GeoIP β β
β β MITRE β β
β β Store β β
β β Stream β β
β βββββββββββββ β
β β
β βββββββββββββββββββ β
β β REST API β Chi router :8000 β
β β WebSocket β /ws/events β
β βββββββββββββββββββ β
ββββββββββββββββ¬βββββββββββββββββββββββββββββββ
β
ββββββββββββββββ΄βββββββββββββββββββ
β Frontend β
β React 19 + TypeScript β
β Dashboard β’ Events β’ Sessions β
β MITRE Heatmap β’ Intel Export β
βββββββββββββββββββββββββββββββββββ
| Service | Port | Protocol | Interaction Depth |
|---|---|---|---|
| SSH | 2222 | x/crypto/ssh | Full shell with filesystem, 25+ commands, session recording |
| HTTP | 8080 | net/http | WordPress/phpMyAdmin fakes, scanner detection, vulnerability path traps |
| FTP | 2121 | Raw TCP | AUTH + PASV data channel, file upload capture (1MB cap) |
| SMB | 4450 | Raw TCP | NetBIOS framing + negotiate response, SMB1/SMB2 detection |
| MySQL | 3307 | Raw TCP | Binary wire protocol greeting, auth capture, query handling |
| Redis | 6380 | tidwall/redcon | RESP protocol, PING/AUTH/INFO/CONFIG/SET/GET/KEYS |
Backend: Go 1.25, Chi v5, nhooyr.io/websocket, pgxpool (PostgreSQL), go-redis, zerolog, Cobra CLI
Frontend: React 19, TypeScript, Vite 6, SCSS (OKLCH tokens), TanStack Query v5, Zustand, Recharts, react-leaflet, xterm.js
Infrastructure: Docker Compose, PostgreSQL 17, Redis 7.4, nginx reverse proxy, multi-stage builds
| Endpoint | Description |
|---|---|
GET /api/health |
Health check with version and sensor ID |
GET /api/stats/overview |
Total events, events by service, active sessions |
GET /api/stats/countries |
Event counts by country |
GET /api/stats/credentials |
Top captured username/password pairs |
GET /api/events |
Paginated events with IP filtering |
GET /api/sessions |
Paginated session list |
GET /api/sessions/{id} |
Session detail with commands and techniques |
GET /api/sessions/{id}/replay |
Asciicast v2 recording for session replay |
GET /api/attackers |
Attacker list with geo and tool info |
GET /api/mitre/techniques |
Full technique catalog |
GET /api/mitre/heatmap |
Technique detection counts for heatmap |
GET /api/iocs |
Paginated IOC list |
GET /api/iocs/export/stix |
STIX 2.1 bundle export |
GET /api/iocs/export/blocklist |
Blocklist export (plain, iptables, nginx, csv) |
WS /ws/events |
Real-time event stream |
Hive detects 27 techniques across 8 tactics:
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1595, T1595.002 |
| Initial Access | T1078, T1190 |
| Execution | T1059.004 |
| Persistence | T1053.003, T1543.002, T1098.004 |
| Credential Access | T1110, T1110.001, T1110.003, T1552.001 |
| Discovery | T1082, T1083, T1046, T1018, T1049, T1016 |
| Lateral Movement | T1021.004 |
| Command and Control | T1105, T1071.001 |
| Impact | T1496, T1485, T1489 |
Detection uses two strategies: single-event pattern matching (command β technique) and multi-event sliding windows (5+ auth attempts in 5 minutes β T1110 Brute Force, 3+ distinct services in 60 seconds β T1046 Network Service Discovery).
hive serve # Start all services
hive serve --config hive.yml # Custom config file
hive migrate up # Apply database migrations
hive migrate down # Rollback last migration
hive migrate status # Show migration status
hive keygen # Generate SSH host keyAll settings can be set via YAML config file or environment variables:
| Variable | Default | Description |
|---|---|---|
HIVE_SENSOR_ID |
hive-01 |
Sensor identifier |
HIVE_SSH_ENABLED |
true |
Enable SSH honeypot |
HIVE_SSH_PORT |
2222 |
SSH listen port |
HIVE_HTTP_ENABLED |
true |
Enable HTTP honeypot |
HIVE_HTTP_PORT |
8080 |
HTTP listen port |
HIVE_FTP_ENABLED |
true |
Enable FTP honeypot |
HIVE_FTP_PORT |
2121 |
FTP listen port |
HIVE_SMB_ENABLED |
true |
Enable SMB honeypot |
HIVE_SMB_PORT |
4450 |
SMB listen port |
HIVE_MYSQL_ENABLED |
true |
Enable MySQL honeypot |
HIVE_MYSQL_PORT |
3307 |
MySQL listen port |
HIVE_REDIS_ENABLED |
true |
Enable Redis honeypot |
HIVE_REDIS_PORT |
6380 |
Redis listen port |
HIVE_API_ADDR |
:8000 |
Dashboard API listen address |
HIVE_DB_DSN |
postgres://... |
PostgreSQL connection string |
HIVE_REDIS_URL |
redis://... |
Infrastructure Redis URL |
HIVE_GEOIP_PATH |
data/GeoLite2-City.mmdb |
MaxMind database path |
HIVE_SSH_HOSTKEY_PATH |
data/hostkey_ed25519 |
SSH host key path |
HIVE_LOG_LEVEL |
info |
Log level (debug, info, warn, error) |
honeypot-network/
βββ cmd/hive/ # CLI entry point
βββ pkg/types/ # Shared domain types (Event, Session, IOC)
βββ internal/
β βββ sshd/ # SSH honeypot (shell, filesystem, commands)
β βββ httpd/ # HTTP honeypot (WordPress, phpMyAdmin fakes)
β βββ ftpd/ # FTP honeypot (auth capture, upload logging)
β βββ smbd/ # SMB honeypot (negotiate-only)
β βββ mysqld/ # MySQL honeypot (wire protocol, query logging)
β βββ redisd/ # Redis honeypot (RESP commands)
β βββ event/ # Event bus + processor pipeline
β βββ store/ # PostgreSQL + Redis persistence
β βββ mitre/ # ATT&CK technique detection engine
β βββ intel/ # IOC extraction, STIX export, blocklists
β βββ api/ # REST + WebSocket dashboard API
β βββ ... # config, geo, ratelimit, session, ui
βββ frontend/ # React 19 + TypeScript dashboard
βββ migrations/ # PostgreSQL schema (goose format)
βββ infra/ # Docker, nginx, Redis configs
βββ learn/ # Learning modules
βββ compose.yml # Production Docker Compose
| Module | Topic |
|---|---|
| 00 - Overview | Prerequisites, quick start, project structure |
| 01 - Concepts | Honeypot theory, protocol emulation, MITRE ATT&CK, IOC types |
| 02 - Architecture | Event-driven design, data flow, design patterns |
| 03 - Implementation | SSH shell emulation, MySQL wire protocol, FTP state machine |
| 04 - Challenges | Add Telnet/SMTP, deploy to VPS, ML anomaly detection |
SSH host key error on repeated starts
ssh: handshake failed: ssh: no common algorithm for host key
Delete data/hostkey_ed25519 and restart. A new key will be auto-generated.
PostgreSQL connection refused
Make sure the database is running. With Docker: docker compose up -d postgres. Check that PostgreSQL is listening on port 5432.
Frontend WebSocket not connecting
The Vite dev server proxies /ws/* to the backend. Make sure the backend is running on port 8000 before starting the frontend.
This tool is designed for authorized security research and educational purposes. Deploying honeypots on networks you do not own or control may violate local laws and regulations. Before deploying:
- Ensure you have authorization from network owners
- Check your cloud provider's acceptable use policy (some prohibit honeypots)
- Be aware that honeypots collect attacker data, which may include personal information subject to privacy regulations (GDPR, CCPA)
- Do not use captured data for offensive purposes
- If deploying on a public IP, understand that you are inviting connections from potentially hostile actors
The authors are not responsible for misuse of this software.
AGPL 3.0