Smart Scalable Honeypot Platform β capture, classify, and visualise attack traffic across SSH, FTP, HTTP, Telnet, SMTP, and RDP using Rust, Axum, SQLx Postgres database connection pooling, ML threat scoring, real-time WebSockets, and attacker intelligence profiling.
- Architecture
- Project Structure
- Quick Start
- Configuration
- API Reference
- Attacker Profiling
- Analytics Engine
- ML Threat Engine
- MITRE ATT&CK Integration
- WebSocket Feed
- Dashboard UI
- Honeypot Modules
- Testing & Build CLI
- Deployment
- Security Notes
HoneyCloud is a unified platform written entirely in high-performance Rust, utilizing the Axum web framework and Tokio async runtime. Axum acts as a single web server that serves both the JSON API endpoints and the static HTML dashboard files.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Honey Cloud β
β β
β Browser Rust Axum Backend Database β
β ββββββββββ HTTPS/WS ββββββββββββββββββββββββ ββββββββββββββββ β
β βDashboardβββββββββββββΊβ API Layer β βPostgres β β
β β(Static) β β auth Β· events β β(SQLx Pool) β β
β ββββββββββ β analytics Β· profilesββββ β β
β β ml Β· reports Β· mitreβ ββββββββββββββββ β
β Honeypots ββββββββ¬ββββββββββββββββ β
β βββββββββ Internal Ingest β Services layer β
β βSSH ββββββββββββββββΊ Event Ingestion β
β βFTP β Profiler Engine β
β βHTTP β AlertService (Telegram) β
β βTELNET β Mitre ATT&CK Engine β
β βSMTP β Report Generation β
β βRDP β β
β βββββββββ β
β β β
β Attackers β ML Engine β
β (Internet) ββTCPβββΊ Honeypotsβ Heuristic Fallback Predictor β
β β 10 semantic features β
β Telegram ββββ Alerts βββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Ingest pipeline per attack event:
TCP β Honeypot Task β Async Ingestion (sqlx)
β
βββββββββββββββ΄βββββββββββββββββββββββββββββ
β async β
β IP Geo-lookup β
β Heuristic ML Evaluation β
β MITRE ATT&CK Mapping β
β DB Persistent Storage β
β Real-time WebSocket Broadcast β
β Telegram & Email Notifications β
ββββββββββββββββββββββββββββββββββββββββββββ
honeycloud/
βββ docker-compose.yml β Production stack definition
βββ docker-compose.dev.yml β Development overrides
βββ .env.example β Sample configurations
βββ .env β Active environment file
βββ .gitignore
βββ README.md
βββ DEPLOYMENT.md
β
βββ backend-rust/
βββ Cargo.toml β Rust project cargo manifest
βββ Dockerfile β Multi-stage lean Debian runtime image builder
βββ static/ β Frontend Dashboard SPA assets (served by Axum)
β βββ index.html β Login redirector
β βββ login.html β Dashboard authentication UI
β βββ dashboard.html β Full analytics view
β βββ trap.html β HTTP honeypot landing page
βββ src/
βββ main.rs β Entry point, Axum routes, TCP server spawners
βββ config.rs β Configuration loader from env
βββ models.rs β SQLx row struct representations
βββ db.rs β Database seeder, pools, migrations run
βββ auth.rs β JWT encoding/decoding and request extractors
βββ mitre.rs β Regex-based MITRE ATT&CK technique mapper
βββ ml.rs β Semantic feature extractor and ML stubs
βββ services.rs β Telegram webhooks, SMTP alerts, GeoIP
βββ websocket.rs β WebSocket connection registry and broadcaster
βββ handlers.rs β Axum REST endpoint handler functions
βββ honeypots.rs β Asynchronous background TCP honeypot workers
- Docker & Docker Compose (recommended)
- OR Rust (1.75+) and PostgreSQL (15+) for local compilation
Copy the sample environment file and adjust the parameters:
cp .env.example .env
# Edit .env and supply a strong SECRET_KEY (at least 32 characters)Warning
Database Password Constraint: Avoid special characters like @, :, /, or ? in your POSTGRES_PASSWORD since it is interpolated directly into the database connection string. A password like Ganesh@123 will result in database connection parse errors. Use alphanumeric characters or underscores instead (e.g., Ganesh123).
Deploy the entire HoneyCloud stack in a single command:
docker compose up --build -d| URL / Service | Port | Description |
|---|---|---|
| http://localhost/ | 80 |
Unified Frontend Dashboard UI |
| http://localhost:8000/api/v1/ | 8000 |
REST API Endpoints / WebSockets |
| http://localhost:8080/ | 8080 |
Fake Web Server Honeypot |
| ssh://localhost:2222 | 2222 |
SSH Honeypot (Credential Harvester) |
| ftp://localhost:2121 | 2121 |
FTP Honeypot |
| telnet://localhost:2323 | 2323 |
Telnet Honeypot |
| smtp://localhost:2525 | 2525 |
SMTP Honeypot |
| rdp://localhost:3389 | 3389 |
RDP Honeypot |
Make sure you have a local PostgreSQL instance running and configured in your .env.
cd backend-rust
cargo runAccess the dashboard locally at http://localhost:8000/.
On initial startup, default accounts are seeded into the database:
| Username | Password | Role | Description |
|---|---|---|---|
owner |
owner123 |
Owner | Superuser (User management, configuration) |
admin |
admin123 |
Admin | Threat mitigation (Blocking, ML retraining) |
analyst |
analyst123 |
Analyst | Read-only analytics dashboard |
Settings are parsed from .env on boot:
| Variable | Default | Required | Description |
|---|---|---|---|
SECRET_KEY |
β | Yes | JWT signing key (min 32 chars) |
DATABASE_URL |
postgres://honeycloud:honeycloud@localhost:5432/honeycloud |
No | PostgreSQL connection URL |
ENVIRONMENT |
production |
No | development | staging | production |
DEBUG |
false |
No | Verbose logs if set to true |
JWT_EXPIRATION_MINUTES |
60 |
No | JWT access token life |
RATE_LIMIT_PER_MINUTE |
60 |
No | Global REST endpoint request limit |
TELEGRAM_ALERTS_ENABLED |
false |
No | Enable real-time notification warnings |
TELEGRAM_BOT_TOKEN |
β | No | Telegram HTTP Bot token |
TELEGRAM_CHAT_ID |
β | No | Target Chat ID channel |
SSH_HONEYPOT_PORT |
2222 |
No | Custom TCP Port for SSH |
FTP_HONEYPOT_PORT |
2121 |
No | Custom TCP Port for FTP |
HTTP_HONEYPOT_PORT |
8080 |
No | Custom TCP Port for HTTP |
TELNET_HONEYPOT_PORT |
2323 |
No | Custom TCP Port for Telnet |
SMTP_HONEYPOT_PORT |
2525 |
No | Custom TCP Port for SMTP |
RDP_HONEYPOT_PORT |
3389 |
No | Custom TCP Port for RDP |
All protected endpoints require authorization header: Authorization: Bearer <JWT_TOKEN>.
POST /api/v1/auth/login- Returns JWT token (JSON credentials payload).GET /api/v1/auth/me- Details of current logged-in user.POST /api/v1/auth/logout- Revokes current JWT token (blacklists it).
POST /api/v1/events/ingest- External honeypot ingestion API.GET /api/v1/events- Lists stored attack events with dynamic filtering.GET /api/v1/events/ws- WebSocket real-time connection endpoint.
GET /api/v1/analytics/summary- Statistical card counts.GET /api/v1/analytics/timeline- Series timeline of events.GET /api/v1/analytics/geo- Geographic count of IPs.GET /api/v1/analytics/heatmap- 24x7 event matrix mapping.GET /api/v1/analytics/credentials- Top usernames, passwords, commands.GET /api/v1/analytics/service-trend- Service trend patterns.POST /api/v1/reports/generate- Creates exports (CSV/TXT).GET /api/v1/reports/download- Downloads reports with path-traversal safeguards.
GET /api/v1/profiles- Lists profiled threat actors.GET /api/v1/profiles/summary- Risk tiers distribution.GET /api/v1/profiles/:ip- Aggregated threat logs for a specific IP.POST /api/v1/profiles/:ip/block- Blocks IP.POST /api/v1/profiles/:ip/unblock- Unblocks IP.
HoneyCloud aggregates threat history under persistent AttackerProfile mappings. Incoming attack streams dynamically update profiles.
Score = (Critical Severity * 4) + (High Severity * 2)
+ Scanner Bonus (8) + Brute Force Bonus (15) + Credential Stuffing Bonus (10)
-
Brute Force Detection:
$\ge 10$ events from a single IP within 60 seconds. -
Credential Stuffing:
$\ge 5$ unique credentials attempted within 5 minutes. -
Port Scanner:
$\ge 3$ distinct protocols targeted within 5 minutes.
HoneyCloud uses a dual-model machine learning architecture to score incident risks based on a 10-dimensional semantic feature vector:
service_portβ targeted service port.username_lenβ length of username.password_lenβ length of password.command_lenβ command string length.source_portβ client port.hour_of_dayβ incident hour.dangerous_pattern_countβ count of dangerous matched string patterns.is_root_userβ boolean indicating admin/root account checks.is_anonymous_userβ boolean indicating anonymous credentials.has_commandβ command presence boolean.
Heuristic Fallback: If model weights (data/ml_model.onnx, data/rf_model.onnx) are not loaded, HoneyCloud triggers a deterministic rule-based threat evaluation so services remain active.
Honeypot events map to MITRE ATT&CK techniques:
- T1110 (Brute Force): Multiple credentials supplied during connection.
- T1059 (Command & Scripting Interpreter): Commands containing shells (
bash,zsh,cmd,powershell). - T1003 (OS Credential Dumping): Reading system files (
shadow,passwd,lsass). - T1046 (Network Service Discovery): Network scanning utilities (
nmap,nc). - T1190 (Exploit Public-Facing Application): Web server path injections (
../,union select). - T1078 (Valid Accounts): Logging attempts matching default administrative credentials (
root,admin).
To stream events asynchronously in the frontend:
const ws = new WebSocket(`ws://${location.host}/api/v1/events/ws`);
ws.onmessage = (event) => {
const payload = JSON.parse(event.data);
if (payload.type === 'new_attack') {
console.log("New attack event caught: ", payload.data);
}
};For compilation check and packaging:
# Verify build correctness
cargo check
# Compile release builds
cargo build --release
# Run unit tests (when added)
cargo testDeploying is streamlined using the Dockerfile inside the backend-rust context. A single slim runtime layer runs the optimized binary directly.
See DEPLOYMENT.md for full hosting blueprints.
- JWT Verification: Handlers validate JWT authorization headers on all
/api/v1/*paths except login and ingest. - Password Cryptography: Cryptographic password generation using adaptive
bcrypt. - Database Security: Compile-checked database query parameterization via SQLx Postgres.
- Path Traversal Protection: Secure reports folder path resolution prevents path escape attempts.
- No Root Privilege: The production image runs under a dedicated, limited non-root user account (
appuser).