HoneyDjango¶
HoneyDjango is a self-hosted honeypot and attacker-intelligence platform that lives inside a Django project. It serves convincing decoy endpoints — a fake /.env file, a fake WordPress login, a fake admin panel, a fake debug API — and silently records everyone who touches them. Legitimate users never see these paths; the only traffic they receive is scanners, bots, and humans probing your site for weaknesses.
Every hit is captured with full request detail, then enriched asynchronously: GeoIP location, JA3 TLS fingerprinting, User-Agent tool detection, threat-feed reputation lookups (AbuseIPDB, VirusTotal), and regex-based TTP classification of the payload. The results roll up into per-IP attacker profiles with a cumulative threat score, feed a real-time dashboard with a live world map, and can trigger Slack/email/webhook alerts the moment something interesting happens.
What it catches¶
- Automated scanners — sqlmap, nikto, masscan, nuclei, zgrab, and friends, identified by JA3 TLS fingerprint and default User-Agent.
- Secret hunters — bots sweeping the internet for leaked
/.envfiles,wp-config.php,/.git/, SSH keys, and AWS credentials. - CMS probes — WordPress (
/wp-admin/,/wp-login.php), phpMyAdmin, and generic admin-panel login attempts. - Exploit attempts — SQL injection, XSS, path traversal, command injection, Log4Shell, Shellshock, SSRF, and webshell uploads, classified from the request path and body.
- Insiders and data thieves — via canary tokens: unique trip-wire URLs planted inside bait files that fire the moment someone opens what they shouldn't have.
How it works¶
The system is a four-layer pipeline:
- Trap — decoy surfaces attract the hit.
HoneyMiddlewarematches incoming request paths against database-configured decoy routes (with explicit fallback views for well-known paths) and always answers with a realistic fake response — never a 404, so the attacker keeps digging. - Capture — the hit is stored synchronously as a
HoneyEvent: full path and query string, method, headers (minus cookies and auth), body (truncated at 64 KB), JA3 hash, and User-Agent. A per-IP rate limit keeps a hammering scanner from flooding the database. - Enrich — a Celery task picks the event up off the queue and adds GeoIP location, threat-feed reputation, TTP tags, and scanner fingerprinting, folding everything into a per-IP
AttackerProfilewith a 0–100 threat score. Alert rules are evaluated against the updated profile. - Visualise — the enriched event is pushed over a WebSocket to every open dashboard: a new row slides into the live event table and a marker pulses on the Leaflet attack map.
Features¶
- Decoy endpoints — database-configured routes with exact or regex matching, served by middleware with realistic fake responses
- Canary tokens — single-use trip-wire URLs to plant in bait files, with immediate alerting on trigger
- Live attack map — Leaflet world map of geolocated attackers, updating in real time over WebSockets
- Attacker profiles — per-IP dossiers with threat score, TTP tags, tool identification, and geo/ASN data
- JA3 + User-Agent fingerprinting — identifies the actual scanning tool even behind a forged User-Agent
- Pluggable threat feeds — AbuseIPDB and VirusTotal built in; add your own with one adapter class
- Alert rules — JSON conditions evaluated on every event, delivered via Slack, email, or generic webhook
- Export — CSV, JSON, and STIX 2.1 bundles for downstream threat-intel tooling
- Hardened by design — obscured admin URL, sanitised stored payloads, rate-limited writes, zero blocking I/O in the request hot path
Ready to try it? Head to the Quickstart.