Python Honeypot
A multi-threaded deception system that simulates real network services to trap, fingerprint, and log attacker behaviour in real time.
This honeypot simulates common network services — FTP (21), SSH (22), HTTP (80), and HTTPS (443) — with realistic service banners designed to look like genuine servers. When an attacker connects, the honeypot captures everything: their IP, port, timestamp, and any data they send, all logged in structured JSON format.
The goal is not just logging — it is deception and intelligence gathering. By keeping connections open and mimicking real service behaviour, the honeypot wastes attacker time while collecting actionable data about their techniques and tools.
- Listens on FTP/21, SSH/22, HTTP/80, HTTPS/443 simultaneously
- Emits realistic service banners per protocol
- Multi-threaded — handles concurrent connections without blocking
- JSON structured logs with IP, port, timestamp, and payload
- Keeps connections open to gather more attacker data
- Clean shutdown with log flushing
[*] Listening on 0.0.0.0:80 (HTTP)
[+] Connection from 203.0.113.47:54812 on port 22
[+] Data received: SSH-2.0-OpenSSH_7.4
[!] Logged to honeypot_logs/2026-04-30.json
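The listener design described above (one thread per connection, a banner per service, one JSON record per client), as an added sketch that is not this project's own code. The banner strings, function names, record field names and the in-memory `log` list are assumptions, and HTTPS is left out because a believable 443 listener also needs a TLS handshake.

```python
import json
import socket
import threading
from datetime import datetime, timezone

BANNERS = {  # constructed placeholder banners (assumption), not the project's own
    "ftp": b"220 FTP server ready\r\n",
    "ssh": b"SSH-2.0-OpenSSH_8.9\r\n",
    "http": b"",  # an HTTP server stays silent until the client sends a request
}

def make_record(service, peer, payload):
    """Build one structured log entry: who connected, to what, when, and what they sent."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "payload": payload.decode("utf-8", errors="replace"),  # invalid UTF-8 is replaced, not raised
    }

def handle(conn, peer, service, log, lock, max_bytes=4096, idle=10.0):
    """Serve one client: send the banner, read a bounded payload, log it."""
    with conn:
        conn.settimeout(idle)  # an idle client cannot pin a thread forever
        try:
            if BANNERS[service]:
                conn.sendall(BANNERS[service])
            data = conn.recv(max_bytes)  # size cap keeps oversized input out of memory and logs
        except OSError:  # timeout or reset: still record the connection
            data = b""
        with lock:  # handler threads share the log, so serialise writes
            log.append(json.dumps(make_record(service, peer, data)))

def serve(service, host, port, log, lock, stop):
    """Start a listener thread for one service and return the bound port."""
    srv = socket.create_server((host, port))
    srv.settimeout(0.2)  # wake regularly to notice the stop event
    bound = srv.getsockname()[1]
    def loop():
        with srv:
            while not stop.is_set():
                try:
                    conn, peer = srv.accept()
                except socket.timeout:
                    continue
                threading.Thread(target=handle, args=(conn, peer, service, log, lock),
                                 daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return bound
```

Call `serve()` once per service with a shared `log`, `threading.Lock()` and `threading.Event()`, and set the event to stop the listeners. The read-size cap and idle timeout matter because every byte the honeypot stores comes from an untrusted client.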
Building this taught me how socket programming actually works at the OS level — binding to ports, accepting connections, and managing concurrent I/O with threading. More importantly, it gave me a tangible feel for attacker behaviour: what ports they probe first, what banners they respond to, and how automated scanners differ from human operators.
Understanding deception as a legitimate defensive strategy, where honeypots generate real threat intelligence and can buy time during an active incident, makes you a better defender.