Inspiration
I wanted to build a proactive research tool that studies attackers. I was inspired to see what happens when a bot actually wins and what it tries to do next.
What it does
honey_py is a versatile security tool that mimics common vulnerabilities. It opens multiple "fake" doors (Honeypots) on ports like 2223, 2224, and 80. When a bot tries to log in via SSH or access a web portal, the script logs their IP, username, and password. If they "log in," they are greeted with a restricted emulated shell that records every command they attempt to execute, providing a clear window into modern automated attack patterns.
How I built it
The project was built using Python’s socket library to handle concurrent connections.
- The SSH Trap: I implemented a custom handshake protocol to capture credentials before the bot realizes it's in a sandbox.
- The Web Trap: A lightweight HTTP server was built to serve a fake administrative login page.
- Process Management: To ensure 24/7 uptime, I utilized Unix nohup and background process decoupling, allowing the traps to run independently of the terminal session.
- Analysis: I used grep and awk pipelines to parse system auth.log files and custom audit logs to extract attack frequencies and common credential sets.
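The trap logic described above (accept any credentials, log the IP, username and password, then drop the bot into an emulated shell that records every command) can be illustrated with a small socket server. The following is an added example written for this page; it is not honey_py's own code. It speaks a plain-text login prompt over TCP rather than the real SSH protocol, which is an assumption made to keep it self-contained, and the port, log file name, host name and canned command output are all constructed values. Nothing the bot types is ever executed: the "shell" only looks up a reply table and writes an audit record.

```python
import io
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed defaults for this example; the project itself uses 2223, 2224 and 80.
LISTEN_PORT = 2223
AUDIT_LOG = "honeypot_audit.jsonl"

# Canned answers for the emulated shell. Anything not listed gets a generic
# "command not found", which keeps the bot talking and keeps it being recorded.
FAKE_RESPONSES = {
    "whoami": "root",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "uname -a": "Linux srv01 5.15.0 #1 SMP x86_64 GNU/Linux",
}
PROMPT = b"root@srv01:~# "


def _read_line(rfile, limit=1024):
    """Read one line (bounded, so a flood cannot exhaust memory); None on EOF."""
    raw = rfile.readline(limit)
    if not raw:
        return None
    return raw.decode("utf-8", errors="replace").rstrip("\r\n")


def run_session(rfile, wfile, peer_ip, now=None, records=None):
    """Drive one attacker session over file-like streams. Audit records are
    appended to `records` as they happen, so a dropped connection keeps its trail."""
    records = [] if records is None else records
    stamp = (now or datetime.now(timezone.utc)).isoformat()

    wfile.write(b"login: ")
    wfile.flush()
    username = _read_line(rfile)
    if username is None:
        return records
    wfile.write(b"Password: ")
    wfile.flush()
    password = _read_line(rfile)
    if password is None:
        return records

    # Every credential pair is logged, and every pair is "accepted".
    records.append({"ts": stamp, "ip": peer_ip, "event": "login",
                    "user": username, "password": password})
    wfile.write(b"Welcome to Ubuntu 22.04 LTS\n" + PROMPT)
    wfile.flush()

    # Emulated restricted shell: nothing runs, every command is recorded.
    while True:
        cmd = _read_line(rfile)
        if cmd is None or cmd.strip() in ("exit", "logout"):
            break
        if not cmd.strip():            # bare Enter: re-prompt, nothing to log
            wfile.write(PROMPT)
            wfile.flush()
            continue
        records.append({"ts": stamp, "ip": peer_ip, "event": "cmd", "cmd": cmd})
        reply = FAKE_RESPONSES.get(cmd.strip(),
                                   f"-bash: {cmd.split()[0]}: command not found")
        wfile.write(reply.encode() + b"\n" + PROMPT)
        wfile.flush()
    return records


def simulate_session(payload, peer_ip="203.0.113.5"):
    """Replay a constructed attacker transcript offline; returns (records, output)."""
    rfile, wfile = io.BytesIO(payload), io.BytesIO()
    fixed = datetime(2024, 1, 5, 3, 16, 2, tzinfo=timezone.utc)  # constructed timestamp
    records = run_session(rfile, wfile, peer_ip, now=fixed)
    return records, wfile.getvalue().decode()


def _handle_client(conn, addr):
    """Thread target: serve one connection, then persist whatever was captured."""
    records = []
    try:
        with conn, conn.makefile("rb") as rfile, conn.makefile("wb") as wfile:
            run_session(rfile, wfile, addr[0], records=records)
    except OSError:
        pass  # bots often hang up mid-session; keep the partial trail
    with open(AUDIT_LOG, "a") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")


def serve(port=LISTEN_PORT):
    """Accept connections forever, handling each attacker on its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_handle_client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Running the file starts the listener; `simulate_session` drives the same code path from an in-memory transcript, which is how the session logic can be checked without opening a port. Records are written one JSON object per line so that the later grep/awk or Python analysis can consume them without a parser for free-form text.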
Challenges I ran into
The biggest hurdle was managing Port Conflicts and Permissions. Initially, running the web trap on port 80 required navigating sudo privileges and ensuring no other services were squatting on the port. I also faced challenges with Process Persistence: learning how to keep the script alive after closing my PowerShell window was a steep but rewarding learning curve involving Unix signals and orphaning.
Accomplishments that I'm proud of
I successfully stabilized a "Triple-Port Honeynet" that caught its first automated attack from a Brazilian IP within 30 minutes of deployment. I’m particularly proud of the Timestamping Engine I wrote, which allows for precise forensic analysis of when attacks peak during a 24-hour cycle.
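The analysis step from "How I built it" (extracting attack frequencies and common credential sets from auth.log and the custom audit logs) and the timestamp-driven view of when attacks peak over a 24-hour cycle can be done in one pass. The following is an added example, not the project's own grep/awk pipeline: it parses Debian/Ubuntu-style sshd failure lines and JSON-lines honeypot records, then reports hits per hour, top source IPs and top credential pairs. The sample log lines are constructed (documentation IP ranges), and the honeypot record layout is assumed. Note the asymmetry it relies on: the real sshd's auth.log records usernames but never passwords, so credential pairs only ever come from the trap's own log.

```python
import json
import re
from collections import Counter

# Matches sshd failure lines from a Debian/Ubuntu-style auth.log (syslog timestamps).
AUTH_RE = re.compile(
    r"^\w{3}\s+\d{1,2} (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample input. The "Accepted publickey" line is a legitimate login and
# must be ignored; the last honeypot line is deliberately corrupt.
AUTH_LINES = [
    "Jan  5 03:14:07 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Jan  5 03:14:09 srv01 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Jan  5 03:15:41 srv01 sshd[1210]: Failed password for root from 198.51.100.23 port 40022 ssh2",
    "Jan  5 11:02:13 srv01 sshd[1390]: Accepted publickey for deploy from 192.0.2.10 port 50011 ssh2",
    "Jan  5 22:40:00 srv01 sshd[1550]: Failed password for invalid user pi from 203.0.113.7 port 51300 ssh2",
]
HONEYPOT_LINES = [
    '{"ts": "2024-01-05T03:16:02+00:00", "ip": "203.0.113.7", "event": "login", "user": "root", "password": "123456"}',
    '{"ts": "2024-01-05T03:16:05+00:00", "ip": "203.0.113.7", "event": "cmd", "cmd": "uname -a"}',
    '{"ts": "2024-01-05T03:20:11+00:00", "ip": "198.51.100.23", "event": "login", "user": "root", "password": "123456"}',
    '{"ts": "2024-01-05T22:41:30+00:00", "ip": "203.0.113.7", "event": "login", "user": "admin", "password": "admin"}',
    "this line is corrupt",
]


def parse_auth_line(line):
    """One sshd failure -> event dict, or None for anything else (incl. successes)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {"hour": int(m["hour"]), "ip": m["ip"], "user": m["user"],
            "password": None, "source": "sshd"}


def parse_honeypot_line(line):
    """One JSON-lines honeypot record -> event dict for logins, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("event") != "login":
        return None
    hour = int(rec["ts"][11:13])  # ISO-8601 timestamp, hour field at offset 11
    return {"hour": hour, "ip": rec["ip"], "user": rec["user"],
            "password": rec["password"], "source": "honeypot"}


def load_events(auth_lines, honeypot_lines):
    """Merge both sources into one flat event list, skipping unparseable lines."""
    events = [e for e in map(parse_auth_line, auth_lines) if e]
    events += [e for e in map(parse_honeypot_line, honeypot_lines) if e]
    return events


def summarize(events, top_n=3):
    """Attack frequency by hour of day, busiest hour, top IPs and credential pairs."""
    by_hour = Counter(e["hour"] for e in events)
    by_ip = Counter(e["ip"] for e in events)
    creds = Counter((e["user"], e["password"]) for e in events if e["password"] is not None)
    return {
        "total": len(events),
        "by_hour": dict(by_hour),
        "peak_hour": max(by_hour, key=by_hour.get) if by_hour else None,
        "top_ips": by_ip.most_common(top_n),
        "top_creds": creds.most_common(top_n),
    }


def hour_histogram(by_hour):
    """Text bars for a 24-hour cycle, one line per hour that saw activity."""
    return [f"{h:02d}:00 {'#' * by_hour[h]} ({by_hour[h]})" for h in sorted(by_hour)]


if __name__ == "__main__":
    report = summarize(load_events(AUTH_LINES, HONEYPOT_LINES))
    print("\n".join(hour_histogram(report["by_hour"])))
    print("peak hour:", report["peak_hour"])
    print("top IPs:", report["top_ips"])
    print("top credentials:", report["top_creds"])
```

On a live box, replace the two constructed lists with `open("/var/log/auth.log")` and the trap's JSONL file. Bucketing by hour of day (not by calendar hour) is what makes the 24-hour peak visible across many days of data; the regex deliberately ignores "Accepted" lines so legitimate administrator logins never inflate the counts.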
What I learned
I gained a deep understanding of Unix System Administration and the TCP/IP stack. I learned that security isn't just about firewalls; it’s about visibility. I also improved my ability to use the command line as a surgical tool, using regex and pipelines to turn thousands of lines of raw log data into actionable security stats.
What's next for honey_py
The next phase involves adding Telegram/Discord API integration so that I receive a real-time notification on my phone whenever a bot successfully logs in to a trap. I also plan to implement a Geo-IP mapping dashboard to visualize exactly where in the world these attacks are originating from on a global map.
Built With
- css
- digitalocean
- grep
- html
- linux(ubuntu)
- nohup/processmanagement
- python
- unixsockets