A multi-protocol honeypot with advanced tracking and authorized strike-back capabilities
Work in Progress: This project is under active development. Core functionality is operational (HTTP, SSH, FTP honeypots with Docker deployment), but some features are still being implemented. See the Development Status section below for details.
BlkBox is a next-generation honeypot system combining high-performance Rust FFI with Deno TypeScript orchestration to provide:
- Multi-Protocol Emulation: HTTP/HTTPS, SSH, PostgreSQL, MySQL, MongoDB, FTP/SFTP
- Advanced Tracking: IP geolocation, browser fingerprinting, behavioral analysis
- Strike-Back Capabilities: Authorized reconnaissance payloads for intelligence gathering
- Cloudflare Integration: DDoS protection, enhanced tracking, dynamic DNS
- SQLite Storage: Local-first persistence and analytics
```sh
# Build Rust library
cargo build --release

# Run honeypot
deno task start

# Development mode with auto-reload
deno task dev
```
BlkBox uses a layered architecture:
```text
┌─────────────┐
│   main.ts   │  ← Orchestration
└──────┬──────┘
       │
   ┌───┴────┬─────────┬───────────┐
   ▼        ▼         ▼           ▼
┌───────┐ ┌─────┐ ┌───────┐ ┌─────────┐
│Melitta│ │Cook │ │Tracka │ │lib_deno │
│sphex  │ │jar  │ │suarus │ │  FFI    │
└───────┘ └─────┘ └───────┘ └────┬────┘
                                 ▼
                            ┌──────────┐
                            │ lib_rust │
                            │   Core   │
                            └──────────┘
```
For complete architecture documentation, see ARCHITECTURE.md.
Rust FFI library providing:
- Protocol implementations (HTTP, SSH, databases, FTP)
- SQLite persistence layer
- Fingerprinting and tracking
- Cryptography for payloads
- Cloudflare API integration
Location: lib_rust/
Deno FFI bindings providing type-safe interface to Rust core:
- FFI symbol definitions
- Type marshaling
- Error handling
- Event management
Location: lib_deno/
Metaphor: Bee/Wasp - The hive attracts, the stinger defends
- Hive: Honeypot service implementations and orchestration
- Stinger: Strike-back payload generation and delivery
Location: packages/melittasphex/
Metaphor: Bakery - Dough → Oven → Bake → Jar
- Dough: Raw configuration input
- Oven: Payload templates
- Bake: Compilation and obfuscation
- Jar: Storage and serving
Location: packages/cookiejar/
Purpose: Track attackers without revealing the honeypot's nature
- Tracker: IP geolocation, fingerprinting, session correlation and MAC collection (a MAC address is only observable for peers on the honeypot's own layer-2 segment; internet-sourced connections carry no usable MAC)
- Mask: Anti-fingerprinting and concealment of the honeypot itself
Location: packages/trackasuarus/
Deployable application integrating all packages:
- Configuration management
- HTTP server for management API
- Dashboard/client interface
Location: blkbox/
- Attacker connects to a honeypot service (HTTP, SSH, DB, FTP)
- Protocol handler (Rust) processes the request with realistic responses
- Event captured with IP, headers, payload, timestamp
- Trackasuarus fingerprints the attacker (tool detection, geolocation, scoring)
- Cookiejar analyzes the threat and makes a decision
- Action taken:
  - Store the event in SQLite for analysis
  - OR deploy a stinger payload for intelligence gathering
When proxied through Cloudflare:
- DDoS protection at edge
- Bot detection and management
- Enhanced headers (CF-Connecting-IP, CF-IPCountry, CF-Threat-Score)
- Automatic firewall rule updates for high-threat attackers
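The capture, fingerprint and decide steps above, written out as an added example (this is not BlkBox's own code; the `AttackEvent` and `Fingerprint` types, the `fingerprint`/`decide` function names, the tool-signature table and the two-entry `CF_EDGE_RANGES` list are all assumptions). The point it adds to the list is the trust check on the Cloudflare headers: `CF-Connecting-IP`, `CF-IPCountry` and `CF-Threat-Score` are only believed when the TCP peer is itself a Cloudflare edge address, because anyone who reaches the origin directly can set them to anything.

```typescript
// Added example, not BlkBox project code: the capture -> fingerprint -> decide
// flow, with Cloudflare-aware source-IP resolution. Types, function names,
// the signature table and the edge-range list are assumptions.

export interface StingerConfig {
  enabled: boolean;
  autoTrigger: boolean;
  threatThreshold: number; // 0-100, as in config.json
}

export interface AttackEvent {
  peerIp: string;                   // TCP peer address seen by the listener
  headers: Record<string, string>;  // header names lower-cased by the handler
  path: string;
  timestamp: string;
}

export interface Fingerprint {
  sourceIp: string;
  viaCloudflare: boolean;
  tool: string | null;
  country: string | null;
  score: number; // 0-100
}

// Constructed stand-in for Cloudflare's published edge ranges; in production
// load the current list from https://www.cloudflare.com/ips-v4 (IPv4 only here).
export const CF_EDGE_RANGES = ["173.245.48.0/20", "103.21.244.0/22"];

function ipv4ToInt(ip: string): number {
  const octets = ip.split(".").map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return octets.reduce((acc, o) => (acc << 8) + o, 0) >>> 0;
}

export function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// CF-Connecting-IP is only trustworthy when the TCP peer really is a Cloudflare
// edge; a client that reaches the origin directly can forge the header.
export function resolveSourceIp(ev: AttackEvent): { ip: string; viaCloudflare: boolean } {
  const fromEdge = CF_EDGE_RANGES.some((r) => inCidr(ev.peerIp, r));
  const claimed = ev.headers["cf-connecting-ip"];
  if (fromEdge && claimed) return { ip: claimed, viaCloudflare: true };
  return { ip: ev.peerIp, viaCloudflare: false };
}

// Constructed tool signatures: [pattern, label, points]. First match wins.
const TOOL_SIGNATURES: Array<[RegExp, string, number]> = [
  [/sqlmap/i, "sqlmap", 60],
  [/nikto/i, "nikto", 50],
  [/masscan|zgrab|nmap/i, "scanner", 40],
  [/python-requests|curl\/|go-http-client/i, "script", 20],
];

// Paths that legitimate visitors of a decoy site do not request.
const PROBE_PATHS = [/\/\.env$/, /\/\.git\//, /wp-login\.php/, /phpmyadmin/i, /\/cgi-bin\//];

export function fingerprint(ev: AttackEvent): Fingerprint {
  const { ip, viaCloudflare } = resolveSourceIp(ev);
  const ua = ev.headers["user-agent"] ?? "";
  let tool: string | null = null;
  let score = 0;
  for (const [re, label, points] of TOOL_SIGNATURES) {
    if (re.test(ua)) { tool = label; score += points; break; }
  }
  if (ua === "") score += 10;                                    // raw-socket tooling
  if (PROBE_PATHS.some((re) => re.test(ev.path))) score += 30;
  // Edge-provided signals count only when the request provably came via the edge.
  const country = viaCloudflare ? (ev.headers["cf-ipcountry"] ?? null) : null;
  const cfScore = viaCloudflare ? Number(ev.headers["cf-threat-score"]) : NaN;
  if (Number.isFinite(cfScore)) score = Math.max(score, cfScore);
  return { sourceIp: ip, viaCloudflare, tool, country, score: Math.min(score, 100) };
}

export type Action = "store" | "stinger";

// Strike-back is never the default: it needs the stinger enabled, automatic
// triggering explicitly allowed, and the score at or above the threshold.
export function decide(fp: Fingerprint, cfg: StingerConfig): Action {
  if (!cfg.enabled || !cfg.autoTrigger) return "store";
  return fp.score >= cfg.threatThreshold ? "stinger" : "store";
}
```

With the config shown later in this README (`autoTrigger: false`, `threatThreshold: 75`) a sqlmap probe of `/wp-login.php` scores 90 and is still only stored; flipping `autoTrigger` to `true` is what makes the same event select the stinger, which is the deliberate two-switch design.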
BlkBox integrates with Cloudflare for:
- DDoS Protection: Edge-level attack mitigation
- Enhanced Tracking: Real IP, country, threat score via headers
- Dynamic DNS: Automatic routing and failover
- WAF Rules: Programmatic firewall updates based on threat intelligence
Setup:
- Create Cloudflare account and add domain
- Generate API token with Zone.DNS and Zone.Firewall permissions
- Update config.json with the credentials (keep the API token out of version control; an environment variable or a secrets file is preferable to committing it)
- Point the DNS A record at the honeypot server with Cloudflare proxying enabled; the CF-* headers only appear on proxied traffic, and the origin should accept connections only from Cloudflare's published IP ranges, otherwise an attacker who learns the origin address bypasses the edge entirely
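The "programmatic firewall updates" item above, as an added example that is not part of the project: it assembles the Cloudflare v4 request that creates a zone-level IP Access Rule (`POST /zones/{zone_id}/firewall/access_rules/rules` with a Bearer API token) and refuses to push anything that would be pointless or self-harming. The helper names, the `FetchLike` shape and the cooldown policy are assumptions; the token and zone id are passed in rather than read from config.json.

```typescript
// Added example, not BlkBox project code: build and send a Cloudflare IP Access
// Rule for a high-threat attacker. Endpoint, body shape and Bearer auth follow
// Cloudflare's v4 API; helper names, guard logic and cooldown are assumptions.

export interface AccessRuleRequest {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: string;
}

export type RuleMode = "block" | "challenge" | "managed_challenge";

// Private, loopback, link-local and unspecified space must never reach the
// zone firewall: such a rule is meaningless at the edge and hints at a bug
// (for example trusting a forged CF-Connecting-IP) in the pipeline.
export function isPublicIpv4(ip: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return false;
  if (a === 0 || a === 10 || a === 127) return false;
  if (a === 172 && b >= 16 && b <= 31) return false;
  if (a === 192 && b === 168) return false;
  if (a === 169 && b === 254) return false;
  return true;
}

export function buildAccessRuleRequest(
  zoneId: string, apiToken: string, ip: string, mode: RuleMode, notes: string,
): AccessRuleRequest {
  // Cloudflare zone ids are 32 hex characters; catch copy-paste placeholders early.
  if (!/^[0-9a-f]{32}$/.test(zoneId)) throw new Error("zoneId must be the 32-hex zone identifier");
  if (!apiToken || apiToken === "YOUR_API_TOKEN") throw new Error("API token not configured");
  if (!isPublicIpv4(ip)) throw new Error(`refusing to push non-public address ${ip}`);
  return {
    url: `https://api.cloudflare.com/client/v4/zones/${zoneId}/firewall/access_rules/rules`,
    method: "POST",
    headers: { Authorization: `Bearer ${apiToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({ mode, configuration: { target: "ip", value: ip }, notes }),
  };
}

// Minimal fetch-shaped interface so the sender can be driven by the real
// fetch in production and by a stub in tests (assumed shape, not a library type).
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number; text(): Promise<string> }>;

export class FirewallUpdater {
  private pushed = new Map<string, number>(); // ip -> epoch ms of last push

  constructor(
    private zoneId: string,
    private apiToken: string,
    private fetchFn: FetchLike,
    private cooldownMs = 24 * 60 * 60 * 1000,
  ) {}

  // Returns true when a rule was pushed, false when suppressed by the cooldown,
  // so a noisy attacker does not generate one API call per request.
  async blockIp(ip: string, reason: string, now = Date.now()): Promise<boolean> {
    const last = this.pushed.get(ip);
    if (last !== undefined && now - last < this.cooldownMs) return false;
    const req = buildAccessRuleRequest(this.zoneId, this.apiToken, ip, "block", reason);
    const res = await this.fetchFn(req.url, { method: req.method, headers: req.headers, body: req.body });
    if (!res.ok) throw new Error(`Cloudflare API returned ${res.status}: ${await res.text()}`);
    this.pushed.set(ip, now);
    return true;
  }
}
```

The token the page's setup step asks for (Zone DNS and Zone Firewall permissions) is sufficient for this call; give it no account-level scopes, and rotate it if the honeypot host itself is ever compromised, since the host holds it.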
- MaxMind GeoLite2 for IP geolocation
- Fallback to Cloudflare headers when available
- Provides country, region, city, ASN, ISP data
Edit config.json:
```json
{
  "honeypots": [
    { "type": "HTTP", "port": 8080, "enabled": true },
    { "type": "SSH", "port": 2222, "enabled": true },
    { "type": "PostgreSQL", "port": 5432, "enabled": true }
  ],
  "cloudflare": {
    "enabled": true,
    "apiKey": "YOUR_API_TOKEN",
    "zoneId": "YOUR_ZONE_ID"
  },
  "stinger": {
    "enabled": true,
    "autoTrigger": false,
    "threatThreshold": 75
  }
}
```
See ARCHITECTURE.md for the complete configuration reference.
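A validator for the config.json shape shown above, added here as an example rather than taken from the project. It catches the mistakes that matter before the listeners start: unknown protocol names, port collisions between enabled listeners, placeholder Cloudflare credentials left in place, and a stinger threshold outside 0-100. The `BlkBoxConfig` type, the message strings and the known-type set (taken from the feature list at the top of this README) are assumptions.

```typescript
// Added example, not BlkBox project code: validate a parsed config.json before
// use. Type names, messages and the known protocol set are assumptions.

export interface HoneypotEntry { type: string; port: number; enabled: boolean }

export interface BlkBoxConfig {
  honeypots: HoneypotEntry[];
  cloudflare: { enabled: boolean; apiKey: string; zoneId: string };
  stinger: { enabled: boolean; autoTrigger: boolean; threatThreshold: number };
}

// Protocols listed under Multi-Protocol Emulation.
const KNOWN_TYPES = new Set(["HTTP", "HTTPS", "SSH", "PostgreSQL", "MySQL", "MongoDB", "FTP", "SFTP"]);

// Returns a list of problems; an empty list means the config is safe to load.
export function validateConfig(cfg: BlkBoxConfig): string[] {
  const problems: string[] = [];
  const listeners = Array.isArray(cfg.honeypots) ? cfg.honeypots : [];
  if (listeners.length === 0) problems.push("honeypots: at least one listener is required");

  const seenPorts = new Map<number, string>(); // port -> enabled listener that owns it
  for (const hp of listeners) {
    const id = `${hp.type}:${hp.port}`;
    if (!KNOWN_TYPES.has(hp.type)) problems.push(`${id}: unknown type`);
    if (!Number.isInteger(hp.port) || hp.port < 1 || hp.port > 65535) problems.push(`${id}: port out of range`);
    if (!hp.enabled) continue;
    const owner = seenPorts.get(hp.port);
    if (owner) problems.push(`${id}: port already used by ${owner}`);
    else seenPorts.set(hp.port, id);
  }

  const cf = cfg.cloudflare;
  if (cf?.enabled) {
    // The README template ships with YOUR_* placeholders; refuse to run with them.
    if (!cf.apiKey || /^YOUR_/.test(cf.apiKey)) problems.push("cloudflare.apiKey: placeholder or empty token");
    if (!/^[0-9a-f]{32}$/.test(cf.zoneId ?? "")) problems.push("cloudflare.zoneId: expected a 32-character hex zone id");
  }

  const st = cfg.stinger;
  if (st) {
    const t = st.threatThreshold;
    if (!Number.isInteger(t) || t < 0 || t > 100) problems.push("stinger.threatThreshold: must be an integer 0-100");
    if (st.autoTrigger && !st.enabled) problems.push("stinger.autoTrigger: has no effect while stinger.enabled is false");
  }
  return problems;
}

// Ports below 1024 need root or CAP_NET_BIND_SERVICE on Linux; report them so
// the operator can grant the capability instead of running the honeypot as root.
export function privilegedPorts(cfg: BlkBoxConfig): number[] {
  return cfg.honeypots.filter((h) => h.enabled && h.port < 1024).map((h) => h.port);
}
```

Run this at startup and refuse to bind any listener while `validateConfig` returns anything; the README's own template fails on its two placeholder credentials, which is the intended behaviour.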
```sh
cargo build --release
deno task dev
```
```sh
docker build -t blkbox .
docker run -d -p 8080:8080 -p 2222:2222 -p 5432:5432 blkbox
```
```sh
sudo cp blkbox.service /etc/systemd/system/
sudo systemctl enable blkbox
sudo systemctl start blkbox
```
```sh
# View logs
tail -f /var/log/blkbox/honeypot.log

# Database stats
sqlite3 blkbox.db "SELECT COUNT(*) FROM attacks"

# Top attackers
sqlite3 blkbox.db "SELECT source_ip, COUNT(*) FROM attacks GROUP BY source_ip ORDER BY COUNT(*) DESC LIMIT 10"
```
This tool is for AUTHORIZED DEFENSIVE USE ONLY.
Before deployment:
- Consult legal counsel
- Obtain written authorization
- Display warning banners
- Implement comprehensive logging
- Establish incident response plan
- Define data retention policy
See ARCHITECTURE.md for complete legal and compliance requirements.
- ARCHITECTURE.md - Complete system documentation (source of truth)
- Implementation Plan - Detailed development roadmap
Phase 1: Foundation - Not Started
- Cargo.toml configuration
- FFI infrastructure
- SQLite schema
See ARCHITECTURE.md for complete implementation phases.
Contributions welcome! Please:
- Review ARCHITECTURE.md
- Follow existing code patterns
- Add tests for new features
- Update documentation
MIT License - See LICENSE file
- Issues: GitHub Issues
- Documentation: ARCHITECTURE.md
- Security: Report privately to security@yourdomain.com
Remember: This is a defensive security tool. Use responsibly, legally, and ethically.