Advanced Honeypot System with Real-time Threat Detection and Analysis
HoneyGuard is a sophisticated honeypot platform designed to attract, detect, and analyze cyber threats in real-time. It combines deceptive services with comprehensive logging and monitoring capabilities to provide valuable threat intelligence.
- Fake Web Applications: WordPress, Drupal, Joomla, Magento login pages
- Administrative Interfaces: phpMyAdmin, admin panels, and control dashboards
- API Endpoints: Vulnerable-looking REST APIs and services
- File Upload Services: Honeypot file upload functionality
- CVE Simulation: Fake vulnerable services mimicking known CVEs
- Real-time Threat Detection: Advanced pattern matching and behavioral analysis
- IP Reputation Checking: Integration with AbuseIPDB for threat intelligence
- Attack Pattern Recognition: Automated classification of attack types
- Geolocation Tracking: Geographic analysis of attack sources
- Comprehensive Logging: Detailed attack logs with metadata
- Real-time Dashboard: Live monitoring of threats and system status
- Telegram Notifications: Instant alerts for critical threats
- Historical Analysis: Trend analysis and reporting capabilities
- Rate Limiting: Protection against resource exhaustion
- Secure Authentication: JWT-based authentication for admin access
- Environment Isolation: Docker containerization for security
- Configurable Security: Adjustable security parameters
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
β Frontend β β Backend β β External β
β (React) βββββΊβ (Flask) βββββΊβ Services β
β β β β β β
β β’ Honeypot UI β β β’ API Routes β β β’ Redis Cache β
β β’ Admin Panel β β β’ Detection β β β’ AbuseIPDB β
β β’ Real Dashboardβ β β’ Logging β β β’ Telegram β
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
Backend:
- Framework: Flask (Python)
- Database: SQLite + Redis
- Server: Gunicorn with Gevent workers
- Security: Flask-Limiter, JWT authentication
- Monitoring: Custom logging and detection engine
Frontend:
- Framework: React 19 with Vite
- Styling: TailwindCSS
- Routing: React Router DOM
- HTTP Client: Axios
- Icons: Lucide React
- Docker (for production deployment)
- Python 3.10+ (for development)
- Node.js 18+ (for frontend development)
- Redis Cloud account (recommended) or local Redis instance
- AbuseIPDB API key (optional, for IP reputation analysis)
- Clone the repository:
git clone https://github.com/casaislabs/HoneyGuard.git
cd HoneyGuard- Configure backend:
cd backend
cp .env.example .env
# Edit .env with your production settings- Sign up at Redis Cloud
- Create a new database
- Copy the endpoint, port, username, and password from your database details
- Use these credentials in your
.envfile
- Register at AbuseIPDB
- Verify your email address
- Go to API Settings
- Generate a new API key
- Copy the key to your
.envfile asABUSEIPDB_API_KEY
Note: AbuseIPDB provides IP reputation data to enhance threat analysis. Free accounts have rate limits.
- Deploy backend with Docker:
# Using the provided start script
./start.sh
# Or manually with Docker
docker build -t honeyguard-backend .
docker run -d --name honeyguard-backend --env-file .env -p 5000:5000 honeyguard-backend- Configure and build frontend:
cd ../frontend
cp env.example .env
# Edit .env with your settings
npm install
npm run build
npm run previewFor detailed development instructions, see:
Backend (.env):
# Redis Cloud Configuration (Required)
REDIS_HOST=your-redis-cloud-endpoint.redislabs.com
REDIS_PORT=15845
REDIS_USERNAME=default
REDIS_PASSWORD=your-redis-cloud-password
# Rate Limiting (Production Security)
RATELIMIT_STORAGE_URL=redis://default:password@your-redis-cloud-endpoint.redislabs.com:15845
# Note: Honeypot routes use permissive limits, dashboard routes use strict limits
# Security
SECRET_KEY=your-secret-key
AUTH_ROUTE_PREFIX=your-custom-auth-prefix
UNLOCK_PASSWORD=your-admin-password
# AbuseIPDB API (Optional - for IP reputation analysis)
ABUSEIPDB_API_KEY=your-abuseipdb-api-key
# Telegram Notifications (Optional)
TELEGRAM_BOT_TOKEN=your-telegram-bot-token
TELEGRAM_CHAT_ID=your-telegram-chat-idFrontend (.env):
VITE_API_URL=http://localhost:5000
VITE_AUTH_ROUTE_PREFIX=your-custom-auth-prefix
VITE_REAL_DASHBOARD_ROUTE=/your-real-dashboard-route- Frontend:
https://honeyguard.casaislabs.com/ - Backend:
http://api-honeyguard.casaislabs.com/- Requests Logged
- Access the admin dashboard using your configured route
- Authenticate with your unlock password
- Monitor real-time attacks and analyze patterns
- Review historical data and trends
The backend provides RESTful APIs for:
- Attack log retrieval
- System statistics
- Configuration management
- Real-time monitoring data
HoneyGuard/
βββ backend/ # Flask backend application
β βββ core/ # Core detection and logging modules
β βββ routes/ # API routes and honeypot endpoints
β βββ services/ # External service integrations
β βββ utils/ # Utility functions and helpers
β βββ logs/ # Application logs
β βββ uploads/ # File upload honeypot storage
β βββ requirements.txt # Python dependencies
βββ frontend/ # React frontend application
β βββ src/
β β βββ components/ # Reusable React components
β β βββ pages/ # Page components (honeypot & real)
β β βββ services/ # API service functions
β β βββ utils/ # Frontend utilities
β βββ package.json # Node.js dependencies
βββ README.md # This file
Modify the authentication route prefix to hide admin endpoints:
AUTH_ROUTE_PREFIX=my-secret-admin-pathThe system uses dual rate limiting strategy:
- Honeypot routes: Permissive limits to allow attackers
- Real dashboard: Strict limits for security (10 login attempts/minute)
Adjust rate limits in backend/main.py:
default_limits=["5000 per hour", "500 per minute", "50 per second"]Customize attack detection patterns in backend/patterns.py
The system uses Docker with Gunicorn for production deployment:
Dockerfile highlights:
- Multi-stage build for optimized image size
- Non-root user for security
- Gunicorn WSGI server for production
- Automatic configuration based on environment
Start script (start.sh):
- Automated Docker build and deployment
- Environment validation
- Container lifecycle management
- Port configuration from .env
Gunicorn configuration:
- Auto-adaptive worker scaling
- Environment-specific optimizations
- Comprehensive logging
- SSL/TLS support
# View application logs
docker logs -f honeyguard-backend
# Monitor system resources
docker stats honeyguard-backend
# Check container status
docker ps | grep honeyguard- Create a Telegram bot via @BotFather
- Get your chat ID
- Configure in
.envfile - Receive real-time attack notifications
- SQLite Database:
backend/logs.db - Application Logs:
backend/logs/app.log - Gunicorn Logs:
backend/logs/gunicorn_*.log
See backend/README.md for detailed backend documentation.
See frontend/README.md for detailed frontend documentation.
- Network Isolation: Deploy in isolated network segments
- Regular Updates: Keep dependencies updated
- Access Control: Secure admin routes with strong authentication
- Monitoring: Monitor the honeypot itself for compromise
- Data Protection: Secure sensitive configuration data
- Concurrent Connections: Supports high concurrent loads with Gunicorn + Gevent
- Resource Usage: Optimized for minimal resource consumption
- Scalability: Horizontal scaling support with Redis clustering
- Caching: Redis-based caching for improved performance
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
This software is intended for educational and research purposes. Users are responsible for ensuring compliance with applicable laws and regulations. The authors are not responsible for any misuse of this software.
- Flask and React communities for excellent frameworks
- AbuseIPDB for threat intelligence API
- Redis for high-performance caching
- All contributors and security researchers
Made with β€οΈ for cybersecurity research and education