Multi-Honeypot Platform with Containment & ELK Stack Analysis
This project documents the design, implementation, and deployment of a multi-honeypot platform capable of luring attackers across three protocols (SSH, HTTP, FTP), containing compromised services at the kernel level, and centralizing all captured events in a full ELK stack for real-time analysis.
1. Architecture of the Platform
The architecture separates responsibilities into two distinct layers: the host machine running custom honeypots and a Docker Compose stack handling log ingestion.
| Port | Service |
|---|---|
| 5000 | HTTP Honeypot (Flask / E-Shop Pro) |
| 2222 | SSH Honeypot (Paramiko) |
| 2121 | FTP Honeypot |
| 2223 | Cowrie SSH/Telnet |
| 5601 | Kibana |
| 9200 | Elasticsearch |
2. HTTP E-Commerce Application
app.py simulates E-Shop Pro, an intentionally vulnerable store built with Flask.
Figure 2: The E-Shop Pro entry point.
Implemented Vulnerabilities
| Vulnerability | Severity | Impact |
| :--- | :--- | :--- |
| SQL Injection | Critical | DB dump / deletion |
| Unrestricted File Upload | Critical | RCE / malware staging |
| Stored & Reflected XSS | High | Session theft |
| Insecure Flask session | High | Account impersonation |
3. SSH & FTP Honeypots
- SSH (Paramiko): Port 2222. Intercepts authentication and provides a fake shell.
- FTP: Port 2121. Full dialogue support with an in-memory fake filesystem.
- Cowrie: Port 2223. Interactive TTY recording.
Figure 3: SSH connection behavior on port 2222.
Figure 4: Manual FTP interaction on port 2121.
Figure 5: Interactive Cowrie session on port 2223.
4. Containment: AppArmor & Seccomp
We apply kernel-level hardening to prevent pivot attacks:
- AppArmor: Limits directory access to only the project root.
- Seccomp: Blacklists execve and ptrace for the HTTP service, preventing RCE-spawned shells.
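A seccomp blacklist of this kind is loaded into the process as a seccomp-BPF program. The following is an added example, not the project's own code: it builds such a program for an x86-64 Linux host, assuming the HTTP honeypot is a Python (Flask) process and that returning EPERM rather than killing the process is acceptable; the decide() interpreter is a constructed helper so the filter's decisions can be checked without loading it.

```python
import ctypes, os, struct
# BPF opcodes (linux/bpf_common.h), seccomp_data offsets and constants (linux/seccomp.h)
BPF_LD_W_ABS, BPF_JEQ_K, BPF_RET_K = 0x20, 0x15, 0x06
OFF_NR, OFF_ARCH, AUDIT_ARCH_X86_64 = 0, 4, 0xC000003E
SECCOMP_RET_ALLOW, DENY = 0x7FFF0000, 0x00050000 | 1     # DENY = SECCOMP_RET_ERRNO | EPERM
DENIED = {"execve": 59, "execveat": 322, "ptrace": 101}  # x86-64 syscall numbers
PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2

def build_filter(denied=DENIED):
    """Filter as (code, jt, jf, k) tuples; jump targets are relative to pc+1."""
    n = len(denied)
    prog = [(BPF_LD_W_ABS, 0, 0, OFF_ARCH),
            (BPF_JEQ_K, 1, 0, AUDIT_ARCH_X86_64),      # foreign ABI -> deny
            (BPF_RET_K, 0, 0, DENY),
            (BPF_LD_W_ABS, 0, 0, OFF_NR)]
    for i, nr in enumerate(sorted(denied.values())):
        prog.append((BPF_JEQ_K, n - i, 0, nr))         # match -> jump to final deny
    prog += [(BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW), (BPF_RET_K, 0, 0, DENY)]
    return prog

def decide(prog, nr, arch=AUDIT_ARCH_X86_64):   # the SECCOMP_RET_* the kernel would pick
    data, pc, acc = {OFF_NR: nr, OFF_ARCH: arch}, 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc, pc = data[k], pc + 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        else:                                           # BPF_RET_K
            return k

class SockFprog(ctypes.Structure):                      # struct sock_fprog
    _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]

def install_filter(prog):
    """Load the filter into this process; irreversible and inherited by children."""
    blob = b"".join(struct.pack("HBBI", *insn) for insn in prog)  # struct sock_filter[]
    buf = ctypes.create_string_buffer(blob, len(blob))
    fprog = SockFprog(len(prog), ctypes.addressof(buf))
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) or \
       libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(fprog), 0, 0):
        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))

if __name__ == "__main__":                  # in the honeypot: call before app.run()
    install_filter(build_filter())
    try:
        os.execv("/bin/sh", ["sh"])         # what an RCE-spawned shell attempt hits
    except PermissionError as e:
        print("execve blocked by seccomp:", e)
```

Because the filter is inherited by children, it also covers shells spawned through os.system or subprocess from the upload or injection paths; the architecture check comes first so that 32-bit ABI syscall numbers cannot bypass the list.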
5. Log Collection with ELK
Figure 6: Confirmed log ingestion via _cat/indices.
Figure 8: Live event monitoring in Kibana.
6. Attack Campaign Highlights
We validated the platform using standard offensive techniques:
Figure 11: Service fingerprinting with Nmap.
Figure 14: Stored XSS injection in the comments section.
Figure 20: Brute-forcing the Flask secret_key to forge admin cookies.
7. Future Perspectives
- New Protocols: Add RDP, SMB, and Redis support.
- Automation: Implement automated cross-protocol correlation alerts (e.g., via Telegram).
- Threat Intel: Integrate ASN and GeoIP enrichment.
