bunnyhp/honeypot
Honeypot Threat Analysis System

A honeypot project designed to analyze cyber threats by monitoring and logging connection attempts on various network ports. This project demonstrates how honeypots can be used to detect, analyze, and report potential security threats.


📸 Screenshot

[Screenshot: Honeypot Running]

Console output showing the honeypot server starting up and listening on multiple ports

🎯 Features

  • Multi-Port Monitoring: Listens on multiple common ports (SSH, HTTP, HTTPS, FTP, Telnet, MySQL, PostgreSQL, RDP, etc.)
  • Threat Detection: Automatically detects suspicious connection patterns and potential attacks
  • Real-time Logging: Comprehensive logging of all connection attempts and threats
  • Threat Analysis: Periodic analysis and reporting of detected threats
  • Connection Tracking: Tracks connections by IP address, port, and behavior patterns
  • Easy to Extend: Modular design allows easy addition of new features

📋 Requirements

  • Python 3.7 or higher
  • No external dependencies (uses only Python standard library)

🚀 Quick Start

  1. Clone the repository

    git clone https://github.com/yourusername/honey.git
    cd honey
  2. Run the honeypot

    python run.py

    Or directly:

    python main.py
  3. Monitor the logs: logs are automatically created in the logs/ directory:

    • honeypot.log - General system logs
    • connections.log - All connection attempts
    • threats.log - Detected threats
    • connection_data.json - Structured connection data
    • analysis_report.json - Threat analysis reports

πŸ“ Project Structure

honey/
├── main.py              # Main honeypot server
├── config.py            # Configuration settings
├── logger.py            # Logging module
├── analyzer.py          # Threat analysis module
├── detectors.py         # Threat detection logic
├── database.py          # Data storage module
├── run.py               # Simple entry point
├── requirements.txt     # Dependencies (optional)
├── README.md            # This file
├── LICENSE              # MIT License
└── .gitignore           # Git ignore rules

🔧 Configuration

Edit config.py to customize:

  • Ports to monitor: Modify the PORTS list
  • Threat threshold: Adjust THREAT_THRESHOLD for sensitivity
  • Logging: Configure log files and verbosity
  • Analysis interval: Set how often reports are generated

📊 How It Works

  1. Connection Monitoring: The honeypot listens on configured ports and accepts all incoming connections
  2. Threat Detection: Each connection is analyzed for suspicious patterns:
    • Multiple rapid connections from same IP
    • Port scanning behavior
    • Connections to sensitive ports
    • Automated attack patterns
  3. Logging: All connections and threats are logged with timestamps
  4. Analysis: Periodic reports are generated showing:
    • Total connections
    • Unique IP addresses
    • Most attacked ports
    • Top attacking IPs
    • Threat level distribution

πŸ” Threat Levels

The system uses a 0-10 threat level scale:

  • 0-2: Normal/suspicious activity
  • 3-5: Moderate threat (multiple connections)
  • 6-8: High threat (port scanning detected)
  • 9-10: Critical threat (automated attack pattern)
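The detection rules listed under "How It Works" and the 0-10 scale above are described only in prose, so here is an added worked example (not the project's own code, and not taken from detectors.py or analyzer.py) that scores a batch of constructed connection events per source IP and builds the summary fields the periodic report lists. The class and function names, the thresholds (RAPID_COUNT, SCAN_DISTINCT_PORTS, AUTOMATED_GAP_MAX), the sensitive-port set and the sample addresses are all assumptions chosen for the demo; the real PORTS and THREAT_THRESHOLD values live in config.py and are not shown on this page.

```python
"""Added example (not the project's own code): a scorer and report builder
that follows the detection rules and the 0-10 threat scale described above.
All names, thresholds and the sample data are assumptions made for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical thresholds. The README says PORTS and THREAT_THRESHOLD live in
# config.py, but their values are not shown, so these are chosen for the demo.
SENSITIVE_PORTS = {22, 23, 3306, 5432, 3389}  # SSH, Telnet, MySQL, PostgreSQL, RDP
RAPID_WINDOW_SECONDS = 10.0  # window in which RAPID_COUNT connections count as "rapid"
RAPID_COUNT = 5
SCAN_DISTINCT_PORTS = 4      # distinct ports from one IP that look like a scan
AUTOMATED_GAP_MAX = 0.2      # every inter-connection gap at or below this looks scripted


@dataclass
class ConnectionEvent:
    timestamp: float  # seconds since epoch
    ip: str
    port: int


def score_ip(events):
    """Return (level, reasons) for one source IP on the README's 0-10 scale:
    sensitive port -> 2, rapid connections -> 4, port scan -> 7,
    automated pattern -> 9 (10 when combined with a scan)."""
    events = sorted(events, key=lambda e: e.timestamp)
    level, reasons = 0, []
    if any(e.port in SENSITIVE_PORTS for e in events):
        level, reasons = 2, ["connection to sensitive port"]
    # Rapid connections: any RAPID_COUNT consecutive events inside the window.
    for i in range(len(events) - RAPID_COUNT + 1):
        if events[i + RAPID_COUNT - 1].timestamp - events[i].timestamp <= RAPID_WINDOW_SECONDS:
            level = max(level, 4)
            reasons.append("multiple rapid connections")
            break
    distinct_ports = {e.port for e in events}
    scanning = len(distinct_ports) >= SCAN_DISTINCT_PORTS
    if scanning:
        level = max(level, 7)
        reasons.append("port scanning behaviour")
    # Automated pattern: several connections with near-constant sub-second spacing.
    gaps = [b.timestamp - a.timestamp for a, b in zip(events, events[1:])]
    if len(gaps) >= 3 and max(gaps) <= AUTOMATED_GAP_MAX:
        level = max(level, 10 if scanning else 9)
        reasons.append("automated attack pattern")
    return level, reasons


def tier(level):
    """Map a numeric level to the README's named bands."""
    if level >= 9:
        return "critical"
    if level >= 6:
        return "high"
    if level >= 3:
        return "moderate"
    return "normal"


def build_report(events):
    """Summarise a batch of events the way the periodic analysis report does."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    levels = {ip: score_ip(evs)[0] for ip, evs in by_ip.items()}
    return {
        "total_connections": len(events),
        "unique_ips": len(by_ip),
        "most_attacked_ports": Counter(e.port for e in events).most_common(3),
        "top_attacking_ips": Counter(e.ip for e in events).most_common(3),
        "threat_levels": levels,
        "threat_level_distribution": dict(Counter(tier(v) for v in levels.values())),
    }


def sample_events():
    """Constructed sample traffic using documentation address ranges (RFC 5737)."""
    scanner = [ConnectionEvent(t / 10, "203.0.113.5", p)
               for t, p in enumerate([22, 80, 443, 21, 23, 3306])]
    brute = [ConnectionEvent(2.0 * k, "198.51.100.7", 22) for k in range(5)]
    visitor = [ConnectionEvent(100.0, "192.0.2.9", 80)]
    return scanner + brute + visitor


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(sample_events()), indent=2))
```

Running the block prints the report for the constructed batch: the six-port burst from 203.0.113.5 lands in the critical band, the five same-port connections from 198.51.100.7 in the moderate band, and the single visit in the normal band. Scoring per IP over a time window, rather than per connection, is what lets the "rapid" and "scanning" rules fire at all; a per-connection view sees only one port at a time.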

πŸ“ Logging

All logs are stored in the logs/ directory:

  • honeypot.log: System events and errors
  • connections.log: Detailed connection logs
  • threats.log: Detected threats with details
  • connection_data.json: Machine-readable connection data
  • analysis_report.json: Threat analysis reports
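To show what step 1 of "How It Works" (accept every connection on the configured ports) and the two connection log files above look like in practice, here is an added minimal listener. It is example code written for this page, not the project's main.py or logger.py: the port list (unprivileged stand-ins so it runs without root), the read timeout, the size cap on client data, the log line layout and the choice to store connection_data.json as one JSON object per line are all assumptions.

```python
"""Added example (not the project's own code): a multi-port listener that
accepts every connection, records peer IP and destination port, and writes
one text line (connections.log) plus one JSON object (connection_data.json)
per connection. Ports, timeout, cap and log layout are assumptions."""
import asyncio
import json
import os
import time
from datetime import datetime, timezone

PORTS = [2222, 8080, 2121]   # hypothetical unprivileged stand-ins for SSH/HTTP/FTP
READ_TIMEOUT = 3.0           # seconds to wait for a client's first bytes
MAX_PEEK = 256               # never buffer more than this from an untrusted peer


def make_record(ip, port, first_bytes=b"", now=None):
    """Build the structured record for one accepted connection.
    Client bytes are stored as a length plus a short printable sample, so an
    attacker cannot fill the log files with arbitrary data or control characters."""
    now = time.time() if now is None else now
    sample = first_bytes[:32].decode("ascii", errors="replace")
    return {
        "timestamp": datetime.fromtimestamp(now, timezone.utc).isoformat(),
        "ip": ip,
        "port": port,
        "bytes_received": len(first_bytes),
        "sample": "".join(c if c.isprintable() else "." for c in sample),
    }


def to_log_line(record):
    """One human-readable line for connections.log."""
    return (f'{record["timestamp"]} CONNECT ip={record["ip"]} port={record["port"]} '
            f'bytes={record["bytes_received"]} sample="{record["sample"]}"')


def file_sink(record, text_path="logs/connections.log",
              json_path="logs/connection_data.json"):
    """Append the record to both log files (JSON lines for the structured file)."""
    with open(text_path, "a") as f:
        f.write(to_log_line(record) + "\n")
    with open(json_path, "a") as f:
        f.write(json.dumps(record) + "\n")


async def handle(reader, writer, port, sink):
    """Accept, peek at the first bytes (bounded in size and time), log, close."""
    ip = writer.get_extra_info("peername")[0]
    try:
        data = await asyncio.wait_for(reader.read(MAX_PEEK), READ_TIMEOUT)
    except (asyncio.TimeoutError, OSError):
        data = b""
    sink(make_record(ip, port, data))
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass


async def serve(ports, sink):
    """Bind one server per configured port and run them all concurrently."""
    servers = []
    for port in ports:
        servers.append(await asyncio.start_server(
            lambda r, w, p=port: handle(r, w, p, sink), "0.0.0.0", port))
    print("listening on ports", ports)
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    os.makedirs("logs", exist_ok=True)
    asyncio.run(serve(PORTS, file_sink))
```

Bounding both the amount of data read and the time spent waiting for it matters for a service that is meant to be found and poked at: without the cap, a single client holding many idle connections or streaming data can exhaust the honeypot's memory or file descriptors, and the logs it produces should be treated as attacker-controlled input when they are parsed later.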

⚠️ Disclaimer

This is a showcase project for educational purposes.

  • Do not use on production systems without proper security measures
  • This honeypot is designed to be discovered and interacted with
  • Ensure you have proper authorization before deploying
  • The honeypot will log all connection attempts, which may include legitimate traffic

🤝 Contributing

Contributions are welcome! This is an open-source project, and the community is encouraged to:

  • Add new threat detection rules
  • Improve analysis algorithms
  • Add new features (web dashboard, API, etc.)
  • Fix bugs and improve code quality
  • Add documentation and examples

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ› οΈ Future Enhancements

Potential improvements for the community:

  • Web dashboard for visualizing threats
  • IP geolocation integration
  • Integration with threat intelligence feeds
  • Machine learning-based threat detection
  • REST API for external systems
  • Database backend (PostgreSQL, MongoDB)
  • Email/Slack alerts for high-threat events
  • Docker containerization
  • Kubernetes deployment manifests
  • Enhanced logging with ELK stack integration

📧 Support

For issues, questions, or contributions, please open an issue on GitHub.

πŸ™ Acknowledgments

Built as a showcase project to demonstrate honeypot concepts for cybersecurity analysis.


Note: This project is intentionally simple and extensible. Feel free to fork, modify, and enhance according to your needs!
