A comprehensive cybersecurity monitoring solution that combines the Dionaea honeypot with the ELK (Elasticsearch, Logstash, Kibana) stack for real-time attack detection and visualization.
This project deploys a production-ready honeypot system that:
- Captures cyber attacks on multiple protocols (HTTP, SMB, MySQL, MSSQL, FTP, Telnet, RPC)
- Logs attacks in real-time using Dionaea honeypot
- Visualizes attack data through Kibana dashboards
- Provides threat intelligence for security monitoring
```
┌─────────────────┐     ┌──────────────┐     ┌──────────────┐     ┌─────────────┐
│   Attackers     │────▶│   Dionaea    │────▶│   Logstash   │────▶│Elasticsearch│
│ (Internet/LAN)  │     │  (Honeypot)  │     │ (Processing) │     │  (Storage)  │
└─────────────────┘     └──────────────┘     └──────────────┘     └──────┬──────┘
                                                                         │
                                                                         ▼
                                                                 ┌───────────────┐
                                                                 │     Kibana    │
                                                                 │(Visualization)│
                                                                 └───────────────┘
```
- Docker and Docker Compose installed
- Python 3.x installed
- At least 4GB RAM available
- Ports 80, 443, 21, 23, 135, 445, 1433, 3306, 5060-5061, 9200, 5601 available
```bash
# Clone the repository (if using git)
cd dionaea-stack

# Start all services
docker compose up -d

# Verify all containers are running
docker ps
```

```bash
# Set password for kibana_system user (required for Kibana)
curl -X POST -u elastic:changeme "http://localhost:9200/_security/user/kibana_system/_password" \
  -H "Content-Type: application/json" \
  -d '{"password":"changeme"}'
```

```bash
# In one terminal, start the log monitor
./scripts/start_realtime_monitoring.sh

# In another terminal, simulate some attacks
python3 scripts/simulate_attacts.py
```

- Open http://localhost:5601
- Login with:
  - Username: elastic
  - Password: changeme
- Go to Discover
- Select "Honeypot Attack Logs" data view
- Adjust time range to "Today" or "Last 7 days"
```
dionaea-stack/
├── docker-compose.yml                # Main configuration file
├── logs/
│   └── dionaea/                      # Honeypot log files
│       ├── dionaea.json              # JSON formatted attack logs
│       └── dionaea.sqlite            # SQLite database of attacks
├── logstash/
│   ├── pipeline/
│   │   └── logstash.conf             # Log processing pipeline
│   └── config/
│       └── logstash.yml              # Logstash configuration
├── scripts/
│   ├── simulate_attacts.py           # Basic attack simulation
│   ├── advanced_attack_sim.py        # Advanced attack patterns
│   ├── realtime_log_pusher.py        # Real-time log monitoring
│   ├── start_realtime_monitoring.sh  # Monitor launcher
│   └── refresh_kibana_data.sh        # Refresh Kibana data view
└── PROJECT_README.md                 # This file
```
| Service | Container | Exposed Ports | Purpose |
|---|---|---|---|
| Dionaea | honeypot_http | 21, 23, 80, 135, 443, 445, 1433, 3306, 5060-5061 | Honeypot services |
| Elasticsearch | dionaea-stack-elasticsearch-1 | 9200 | Data storage |
| Kibana | dionaea-stack-kibana-1 | 5601 | Web UI |
| Logstash | dionaea-stack-logstash-1 | 5044 | Log processing |
- Elasticsearch/Kibana: elastic / changeme
- Kibana System User: kibana_system / changeme
Dionaea simulates the following vulnerable services:
| Port | Service | Protocol | Attack Types |
|---|---|---|---|
| 21 | FTP | Blackhole | Brute force, anonymous access |
| 23 | Telnet | Blackhole | Brute force, command injection |
| 80 | HTTP | httpd | SQL injection, XSS, directory traversal |
| 135 | RPC | epmapper | RPC enumeration, vulnerability scans |
| 443 | HTTPS | httpd | SSL/TLS attacks, web exploits |
| 445 | SMB | smbd | EternalBlue, ransomware, file sharing |
| 1433 | MSSQL | mssqld | Database attacks, SQL injection |
| 3306 | MySQL | mysqld | Database attacks, credential stuffing |
| 5060 | SIP | SIP | VoIP attacks, SIP scanning |
- Discover Tab: View raw attack logs
  - Select "Honeypot Attack Logs" data view
  - Use time picker to adjust date range
  - Click on entries to see full details
- Common Queries:
  - `connection.protocol: "httpd"` shows only HTTP attacks
  - `dst_port: 445` shows SMB attacks
  - `src_ip: "192.168.*"` shows local network attacks
- Creating Visualizations:
  - Go to Visualize Library
  - Click Create visualization
  - Choose visualization type (pie chart, bar graph, etc.)
  - Select "Honeypot Attack Logs" as data source
- Attack Overview Dashboard:
  - Total attacks counter
  - Attacks by protocol (pie chart)
  - Attacks over time (line graph)
  - Top targeted ports (bar chart)
- Threat Intelligence Dashboard:
  - Top attacker IPs (data table)
  - Geographic map of attacks (if using GeoIP)
  - Attack patterns by time of day
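The Discover queries and dashboard panels above can be checked against the raw log before anything reaches Kibana. The following is an added example written for this README, not code from the project: it parses a few constructed `dionaea.json` lines (the field layout follows Dionaea's JSON log handler, but the values are made up, not real captures), applies the three common queries the same way KQL term and wildcard matching would, and computes the counts behind the overview and threat-intelligence panels. A corrupt or half-written line, which happens when the file is read while Dionaea is still appending to it, is skipped instead of aborting the run.

```python
"""Offline check of the Kibana queries and dashboard counts over dionaea.json lines."""
import fnmatch
import json
from collections import Counter

# Constructed sample records in Dionaea's JSON log shape (not real captures).
# The last line is deliberately corrupt to show how partial writes are handled.
SAMPLE_LOG = """\
{"timestamp": "2024-01-10T09:12:44.120Z", "connection": {"protocol": "httpd", "transport": "tcp", "type": "accept"}, "src_ip": "192.168.1.20", "src_port": 51000, "dst_ip": "10.0.0.5", "dst_port": 80}
{"timestamp": "2024-01-10T09:13:02.001Z", "connection": {"protocol": "smbd", "transport": "tcp", "type": "accept"}, "src_ip": "203.0.113.9", "src_port": 44510, "dst_ip": "10.0.0.5", "dst_port": 445}
{"timestamp": "2024-01-10T09:13:07.530Z", "connection": {"protocol": "smbd", "transport": "tcp", "type": "accept"}, "src_ip": "203.0.113.9", "src_port": 44511, "dst_ip": "10.0.0.5", "dst_port": 445}
{"timestamp": "2024-01-10T09:14:15.900Z", "connection": {"protocol": "mysqld", "transport": "tcp", "type": "accept"}, "src_ip": "198.51.100.77", "src_port": 3300, "dst_ip": "10.0.0.5", "dst_port": 3306}
{"timestamp": "2024-01-10T09:15:00.000Z", "connection": {"protocol": "httpd", "transport": "tcp", "type": "accept"}, "src_ip": "192.168.1.31", "src_port": 51001, "dst_ip": "10.0.0.5", "dst_port": 443}
{"timestamp": "2024-01-10T09:15:3
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank, truncated or corrupt lines."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def get_field(event, dotted):
    """Resolve a dotted Kibana field name such as 'connection.protocol' on a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match(event, field, pattern):
    """Mimic a KQL term query: exact match, or wildcard match when the pattern contains '*'."""
    value = get_field(event, field)
    if value is None:
        return False
    if isinstance(pattern, str) and "*" in pattern:
        return fnmatch.fnmatchcase(str(value), pattern)
    return value == pattern


def query(events, field, pattern):
    """Return the events a Discover query `field: pattern` would show."""
    return [e for e in events if match(e, field, pattern)]


def overview(events):
    """Counts behind the Attack Overview and Threat Intelligence panels."""
    events = list(events)
    return {
        "total": len(events),
        "by_protocol": Counter(get_field(e, "connection.protocol") for e in events),
        "top_ports": Counter(e.get("dst_port") for e in events).most_common(3),
        "top_attackers": Counter(e.get("src_ip") for e in events).most_common(3),
        # hour-of-day bucket taken from the ISO timestamp (chars 11-12)
        "by_hour": Counter(e["timestamp"][11:13] for e in events if "timestamp" in e),
    }


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_LOG))
    print("HTTP attacks:   ", len(query(evs, "connection.protocol", "httpd")))
    print("SMB attacks:    ", len(query(evs, "dst_port", 445)))
    print("Local network:  ", len(query(evs, "src_ip", "192.168.*")))
    print(overview(evs))
```

To run it against the real file, replace `SAMPLE_LOG` with `open("logs/dionaea/dionaea.json").read()`; the counts should agree with the Kibana panels for the same time range, which is a quick way to confirm Logstash is not dropping records.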
```bash
# Check all containers are running
docker compose ps

# View logs from any service
docker compose logs honeypot_http
docker compose logs elasticsearch
docker compose logs kibana
docker compose logs logstash

# Check attack log growth
ls -lah logs/dionaea/
```

```bash
# Push all logs to Elasticsearch manually
# (read -r keeps backslash escapes inside the JSON intact; blank lines are skipped)
while IFS= read -r line; do
  [ -n "$line" ] || continue
  printf '%s\n' "$line" | curl -X POST -u elastic:changeme \
    "http://localhost:9200/dionaea-attacks-$(date +%Y.%m.%d)/_doc" \
    -H "Content-Type: application/json" -d @-
done < logs/dionaea/dionaea.json

# Check document count
curl -u elastic:changeme "http://localhost:9200/dionaea-attacks-*/_count"
```

```bash
python3 scripts/simulate_attacts.py
python3 scripts/advanced_attack_sim.py
```
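The manual push loop above opens one HTTP connection per log line, which is fine for a quick check but slow once the file grows. The following is an added example, not the project's `realtime_log_pusher.py`: it reads `logs/dionaea/dionaea.json`, groups lines into Elasticsearch `_bulk` requests under the same `dionaea-attacks-YYYY.MM.DD` index name the shell loop uses, and authenticates with the README's default `elastic` / `changeme` credentials. Lines that are not valid JSON (typically a record still being written) are counted and skipped. The sender takes an injectable `opener` so the batching logic can be exercised without a running cluster.

```python
"""Bulk-push dionaea.json lines to Elasticsearch (added example, not the project's own pusher)."""
import base64
import datetime as dt
import json
import os
import urllib.request

ES_URL = "http://localhost:9200"               # endpoint used throughout the README
ES_USER, ES_PASSWORD = "elastic", "changeme"  # README default credentials
INDEX_PREFIX = "dionaea-attacks"               # README's daily index pattern
LOG_PATH = "logs/dionaea/dionaea.json"         # README's log location (relative to repo root)


def index_name(day=None):
    """dionaea-attacks-YYYY.MM.DD, the name the shell loop builds with $(date +%Y.%m.%d)."""
    day = day or dt.date.today()
    return f"{INDEX_PREFIX}-{day.strftime('%Y.%m.%d')}"


def build_bulk_body(lines, index):
    """Convert raw log lines into the NDJSON body for POST /_bulk.

    Malformed lines (a partially written record, a truncated file tail) are
    counted and skipped rather than aborting the whole batch.
    Returns (body, skipped_count); body is "" when nothing is indexable.
    """
    actions, skipped = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        actions.append(json.dumps({"index": {"_index": index}}))  # action line
        actions.append(json.dumps(doc))                           # document line
    body = "\n".join(actions) + "\n" if actions else ""           # _bulk needs a trailing newline
    return body, skipped


def post_bulk(body, url=ES_URL, user=ES_USER, password=ES_PASSWORD, opener=urllib.request.urlopen):
    """POST the NDJSON body with basic auth; `opener` is injectable for offline testing."""
    if not body:
        return {"errors": False, "items": []}
    req = urllib.request.Request(f"{url}/_bulk", data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/x-ndjson")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", f"Basic {token}")
    with opener(req) as resp:
        return json.load(resp)


def push_file(path=LOG_PATH, chunk=500, **kw):
    """Stream the log file in fixed-size chunks so a large file never becomes one huge request."""
    sent = skipped = 0
    batch = []

    def flush():
        nonlocal sent, skipped
        body, bad = build_bulk_body(batch, index_name())
        skipped += bad
        result = post_bulk(body, **kw)
        if result.get("errors"):
            failed = [i for i in result["items"] if i["index"].get("error")]
            print(f"{len(failed)} documents rejected by Elasticsearch")
        sent += len(result.get("items", []))
        batch.clear()

    with open(path, encoding="utf-8") as fh:
        for line in fh:
            batch.append(line)
            if len(batch) >= chunk:
                flush()
        if batch:
            flush()
    return sent, skipped


if __name__ == "__main__":
    if os.path.exists(LOG_PATH):
        print("indexed %d documents, skipped %d malformed lines" % push_file())
    else:
        print(f"{LOG_PATH} not found; run this from the dionaea-stack directory")
```

Run it from the repository root after `docker compose up -d`; the `_count` query above should then report the number of well-formed lines in the file. Keeping the index name derived from the push date (as the shell loop does) means documents land in the day's index regardless of their own `timestamp`, so use the event timestamp in Kibana's time picker rather than the index name when filtering.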
```bash
# Test specific service
nc localhost 80    # Test HTTP
nc localhost 445   # Test SMB
nc localhost 3306  # Test MySQL
```

```bash
# Stop all containers
docker compose stop

# Remove all containers (preserves data)
docker compose down

# Remove everything including volumes (DELETES ALL DATA)
docker compose down -v
```

- Disk Space: Logs can grow quickly under heavy attack
- Memory: Elasticsearch requires at least 2GB RAM
- CPU: Logstash processing can be CPU intensive
- Network: Exposed ports will attract real attacks
- Deploy only in isolated environments
- Use firewall rules to limit exposure
- Monitor system resources regularly
- Never use production credentials
- Consider network segmentation
- Regular backup of attack data
To extend this project:
- Add new attack simulations in scripts/
- Modify Logstash pipeline for additional parsing
- Create custom Kibana dashboards
- Add alerting rules for specific attack patterns
This project is for educational and research purposes. Ensure compliance with local laws and regulations when deploying honeypots.
Remember: A honeypot is designed to be attacked. Always deploy responsibly! 🛡️