Skip to content

HoneyDjango

HoneyDjango is a self-hosted honeypot and attacker-intelligence platform that lives inside a Django project. It serves convincing decoy endpoints — a fake /.env file, a fake WordPress login, a fake admin panel, a fake debug API — and silently records everyone who touches them. Legitimate users never see these paths; the only traffic they receive is scanners, bots, and humans probing your site for weaknesses.

Every hit is captured with full request detail, then enriched asynchronously: GeoIP location, JA3 TLS fingerprinting, User-Agent tool detection, threat-feed reputation lookups (AbuseIPDB, VirusTotal), and regex-based TTP classification of the payload. The results roll up into per-IP attacker profiles with a cumulative threat score, feed a real-time dashboard with a live world map, and can trigger Slack/email/webhook alerts the moment something interesting happens.

What it catches

  • Automated scanners — sqlmap, nikto, masscan, nuclei, zgrab, and friends, identified by JA3 TLS fingerprint and default User-Agent.
  • Secret hunters — bots sweeping the internet for leaked /.env files, wp-config.php, /.git/, SSH keys, and AWS credentials.
  • CMS probes — WordPress (/wp-admin/, /wp-login.php), phpMyAdmin, and generic admin-panel login attempts.
  • Exploit attempts — SQL injection, XSS, path traversal, command injection, Log4Shell, Shellshock, SSRF, and webshell uploads, classified from the request path and body.
  • Insiders and data thieves — via canary tokens: unique trip-wire URLs planted inside bait files that fire the moment someone opens what they shouldn't have.

How it works

The system is a four-layer pipeline:

  1. Trap — decoy surfaces attract the hit. HoneyMiddleware matches incoming request paths against database-configured decoy routes (with explicit fallback views for well-known paths) and always answers with a realistic fake response — never a 404, so the attacker keeps digging.
  2. Capture — the hit is stored synchronously as a HoneyEvent: full path and query string, method, headers (minus cookies and auth), body (truncated at 64 KB), JA3 hash, and User-Agent. A per-IP rate limit keeps a hammering scanner from flooding the database.
  3. Enrich — a Celery task picks the event up off the queue and adds GeoIP location, threat-feed reputation, TTP tags, and scanner fingerprinting, folding everything into a per-IP AttackerProfile with a 0–100 threat score. Alert rules are evaluated against the updated profile.
  4. Visualise — the enriched event is pushed over a WebSocket to every open dashboard: a new row slides into the live event table and a marker pulses on the Leaflet attack map.

Features

  • Decoy endpoints — database-configured routes with exact or regex matching, served by middleware with realistic fake responses
  • Canary tokens — single-use trip-wire URLs to plant in bait files, with immediate alerting on trigger
  • Live attack map — Leaflet world map of geolocated attackers, updating in real time over WebSockets
  • Attacker profiles — per-IP dossiers with threat score, TTP tags, tool identification, and geo/ASN data
  • JA3 + User-Agent fingerprinting — identifies the actual scanning tool even behind a forged User-Agent
  • Pluggable threat feeds — AbuseIPDB and VirusTotal built in; add your own with one adapter class
  • Alert rules — JSON conditions evaluated on every event, delivered via Slack, email, or generic webhook
  • Export — CSV, JSON, and STIX 2.1 bundles for downstream threat-intel tooling
  • Hardened by design — obscured admin URL, sanitised stored payloads, rate-limited writes, zero blocking I/O in the request hot path

Ready to try it? Head to the Quickstart.