Python Honeypot
A multi-threaded deception system that simulates real network services to trap, fingerprint, and log attacker behaviour.
This honeypot simulates common network services - FTP (21), SSH (22), HTTP (80), and HTTPS (443) - with realistic service banners designed to look like genuine servers. When an attacker connects, the honeypot captures everything: their IP, port, timestamp, and any data they send, all logged in structured JSON format.
The goal is not just logging - it is deception and intelligence gathering. By keeping connections open and mimicking real service behaviour, the honeypot wastes attacker time while collecting actionable data about their techniques and tools.
- Listens on FTP/21, SSH/22, HTTP/80, HTTPS/443 simultaneously
- Emits realistic service banners per protocol
- Multi-threaded - handles concurrent connections without blocking
- JSON structured logs with IP, port, timestamp, and payload
- Keeps connections open to gather more attacker data
- Clean CTRL+C shutdown with log flushing
[*] Listening on 0.0.0.0:80 (HTTP)
[*] Listening on 0.0.0.0:443 (HTTPS)
[*] Listening on 0.0.0.0:21 (FTP)
[+] Connection from 203.0.113.47:54812 on port 22
[+] Data received: SSH-2.0-OpenSSH_7.4
[+] Connection from 198.51.100.9:61203 on port 80
[!] Logged to honeypot_logs/2026-02-20.json
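A minimal sketch of the listener pattern described above (banner, one thread per connection, one JSON record per received chunk). It is an added example, not the project's own code; the function names, banner strings, log field names, and the size and idle limits are assumptions.

```python
import json, socket, threading
from datetime import datetime, timezone

# Constructed banners; the project's real banner strings are not shown on the page.
BANNERS = {21: b"220 FTP server ready\r\n", 22: b"SSH-2.0-OpenSSH_8.9\r\n"}
LOG_LOCK = threading.Lock()

def log_event(log_path, record):
    # One JSON object per line; the lock stops concurrent handlers interleaving writes.
    with LOG_LOCK, open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")

def handle_client(conn, addr, service_port, log_path, max_bytes=4096, idle=30.0):
    conn.settimeout(idle)  # bound how long one peer can hold a thread
    received = 0
    try:
        with conn:
            conn.sendall(BANNERS.get(service_port, b""))
            while received < max_bytes:  # cap logged payload per connection
                data = conn.recv(min(1024, max_bytes - received))
                if not data:
                    break
                received += len(data)
                log_event(log_path, {
                    "timestamp": datetime.now(timezone.utc).isoformat(),
                    "ip": addr[0], "src_port": addr[1], "port": service_port,
                    # Untrusted bytes: escape undecodable input instead of raising.
                    "payload": data.decode("utf-8", errors="backslashreplace"),
                })
    except OSError:
        pass  # resets and idle timeouts are normal scanner behaviour

def open_listener(bind_addr, port):
    srv = socket.create_server((bind_addr, port))  # bind and listen in one call
    srv.settimeout(0.5)  # wake up regularly so stop_event is honoured
    return srv

def serve(srv, service_port, log_path, stop_event):
    # One daemon thread per connection, so a slow peer never blocks accept().
    with srv:
        while not stop_event.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client, daemon=True,
                             args=(conn, addr, service_port, log_path)).start()
```

Binding to ports below 1024 normally requires elevated privileges, so the listener is better run unprivileged on a high port with the low port redirected to it. The per-connection byte cap and idle timeout keep a single peer from filling the log or holding a thread indefinitely.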
Building this taught me how socket programming actually works at the OS level - binding to ports, accepting connections, and managing concurrent I/O with threading. More importantly, it gave me a tangible feel for attacker behaviour: what ports they probe first, what banners they respond to, and how automated scanners differ from human operators.
The project also reinforced why deception is a legitimate defensive strategy - honeypots generate real threat intelligence and can buy time during an active incident. Understanding this from the builder's side makes me a better defender.