⚠️ Work in Progress
This project is under active development and may contain bugs. I'm building this in my free time and will continue to update and improve it as time permits. Contributions and feedback are welcome!
Transform suspicious network traffic into actionable security intelligence.
Features • Quick Start • Architecture • Documentation • Security • Repository
FakeIT-Collector is a comprehensive cybersecurity tool that deploys decoy services (HTTP and SMB honeypots) in your network to detect unauthorized access attempts, lateral movement, and malicious activity. All interactions are logged with full context and displayed in a modern web dashboard with real-time email alerts.
- 🎯 Early Threat Detection: Catch attackers before they reach critical systems
- 📊 Actionable Intelligence: Full context of every interaction (IPs, headers, files accessed)
- ⚡ Real-Time Alerts: Email notifications on every honeypot access
- 🔐 Secure by Design: Strong authentication for dashboard, weak credentials for honeypots
- 🚀 Easy Deployment: Docker-based, ready in 5 minutes
Monitor all honeypot interactions in real-time with detailed event logging and statistics
Convincing fake corporate intranet that attracts and logs attacker interactions
|
HTTP Honeypot
|
SMB Honeypot
|
- Central Logger: RESTful API collecting all honeypot events
- SQLite Database: Persistent storage with optimized schema
- Email Alerts: SMTP notifications for every interaction
- Web Dashboard: Modern UI with authentication
- Event Filtering: By service type, IP address, date range
- Statistics: Total events, service breakdown, unique IPs
graph TB
subgraph "External Network"
A[Attacker/User]
end
subgraph "Docker Network - FakeIT"
subgraph "Honeypots"
B[HTTP Honeypot<br/>Port 8080<br/>Flask]
C[SMB Honeypot<br/>Port 4445<br/>Impacket]
end
D[Logger Service<br/>Port 5000 internal<br/>REST API + Email]
E[(SQLite DB<br/>Events & Users)]
F[Dashboard<br/>Port 3000<br/>Web UI + Auth]
B -->|Log Events| D
C -->|Log Events| D
D -->|Store| E
F -->|Query| D
D -->|Read/Write| E
end
A -->|Access Honeypots| B
A -->|Access Honeypots| C
G[Security Team] -->|Monitor| F
D -.->|Email Alerts| H[SMTP Server]
H -.->|Notifications| G
style B fill:#e74c3c,stroke:#c0392b,color:#fff
style C fill:#e67e22,stroke:#d35400,color:#fff
style D fill:#3498db,stroke:#2980b9,color:#fff
style E fill:#2ecc71,stroke:#27ae60,color:#fff
style F fill:#9b59b6,stroke:#8e44ad,color:#fff
style A fill:#95a5a6,stroke:#7f8c8d,color:#fff
style G fill:#1abc9c,stroke:#16a085,color:#fff
| Component | Technology | Purpose | Port |
|---|---|---|---|
| HTTP Honeypot | Flask 3.0 | Simulates corporate intranet | 8080 |
| SMB Honeypot | Impacket 0.11 | Simulates file server | 4445 |
| Logger | Flask + SQLite | Central event collection | 5000 (internal) |
| Dashboard | Flask + Bcrypt | Web interface with auth | 3000 |
- Docker 20.10+
- Docker Compose 2.0+
- 500MB disk space
- Ports: 3000, 8080, 4445
1. Clone and Configure
# Clone repository
git clone https://github.com/jacobobb/fakeIt-collector.git
cd fakeIt-collector
# Create environment file
cat > .env << 'EOF'
# SMTP Configuration for Email Alerts
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your-email@gmail.com
SMTP_PASSWORD=your-app-password
ALERT_EMAIL=security@company.com
# Flask Secret Key (change this!)
SECRET_KEY=your-random-secret-key-here
# Database Path
DATABASE_PATH=/app/data/fakeit.db
# Dashboard Admin Credentials (CHANGE THESE!)
ADMIN_USER=admin
ADMIN_PASSWORD=YourStrongPassword123!
ADMIN_EMAIL=admin@company.com
EOF💡 Gmail Users: Use an App Password instead of your regular password.
🔒 Security: Change the default admin credentials! The admin user will be created automatically on first startup.
2. Start the System
docker-compose up -d3. Access Dashboard
Open your browser: http://localhost:3000
4. Login
Use the credentials you configured in the .env file to access the dashboard.
5. Verify Logs
# Check that admin user was created
docker-compose logs dashboard | grep "Admin user created"6. Test the Honeypots
# Test HTTP Honeypot
curl http://localhost:8080/
# Test SMB Honeypot (Linux/Mac)
smbclient //localhost/CompanyFiles -U admin%admin -p 4445 -c "ls"
# Test SMB Honeypot (Windows)
net use Z: \\localhost@4445\CompanyFiles /user:admin admin7. View Events
Refresh the dashboard to see logged interactions with full details!
Edit .env file to configure the system:
# Email Alerts (Required for notifications)
SMTP_HOST=smtp.gmail.com # Your SMTP server
SMTP_PORT=587 # SMTP port (usually 587 or 465)
SMTP_USER=your-email@gmail.com # SMTP username
SMTP_PASSWORD=your-app-password # SMTP password
ALERT_EMAIL=alerts@company.com # Where to send alerts
# Security (Required)
SECRET_KEY=change-this-secret # Flask session secret (use random string)
# Dashboard Admin Credentials (Required)
ADMIN_USER=admin # Dashboard username
ADMIN_PASSWORD=strong-password # Dashboard password (use strong password!)
ADMIN_EMAIL=admin@company.com # Admin email address
# Database (Optional - use defaults)
DATABASE_PATH=/app/data/fakeit.db🔒 Important Security Notes:
- Admin credentials are configured via
.envfile- Change default credentials before deployment
- Use strong, unique passwords for the dashboard
services:
dashboard:
ports:
- "3000:3000" # Dashboard - Accessible on your network
http-honey:
ports:
- "8080:8080" # HTTP Honeypot - ACCESSIBLE FROM YOUR NETWORK
smb-honey:
ports:
- "4445:445" # SMB Honeypot - ACCESSIBLE FROM YOUR NETWORKHow does it work?
- Internal Docker Network: Containers communicate with each other on a private network
- Port Mapping to Host: Ports are mapped to the host server with
-p HOST:CONTAINER - Accessibility: If your host server is on the network
192.168.1.100:- HTTP honeypot:
http://192.168.1.100:8080✅ Accessible - SMB honeypot:
\\192.168.1.100@4445\CompanyFiles✅ Accessible - Dashboard:
http://192.168.1.100:3000✅ Accessible
- HTTP honeypot:
Deployment Options:
Option 1: Full Network (Recommended for Testing)
# Leave ports as they are - accessible from the entire network
ports:
- "8080:8080" # Any IP on your network can access
- "4445:445"
- "3000:3000"✅ Useful for: Testing, small networks, laboratories
Option 2: Localhost Only (Local Testing)
# Only accessible from the host server
ports:
- "127.0.0.1:8080:8080" # Localhost only
- "127.0.0.1:4445:445"
- "127.0.0.1:3000:3000"✅ Useful for: Development, local testing ❌ Not suitable for: Detecting network attacks
Option 3: Specific IPs
# Only accessible from a specific host IP
ports:
- "192.168.1.100:8080:8080" # This IP only
- "192.168.1.100:4445:445"
- "10.0.0.50:3000:3000" # Dashboard on another interface✅ Useful for: Multiple network interfaces, fine-grained control
Gmail Configuration
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=your-email@gmail.com
SMTP_PASSWORD=your-app-password # Generate at https://myaccount.google.com/apppasswords
ALERT_EMAIL=security@company.comMicrosoft 365 Configuration
SMTP_HOST=smtp.office365.com
SMTP_PORT=587
SMTP_USER=your-email@company.com
SMTP_PASSWORD=your-password
ALERT_EMAIL=security@company.comSendGrid Configuration
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USER=apikey
SMTP_PASSWORD=your-sendgrid-api-key
ALERT_EMAIL=security@company.comfakeIt-collector/
├── docker-compose.yml # Service orchestration
├── .env # Configuration (create from .env.example)
├── README.md # This file
├── TESTING.md # Comprehensive testing guide
├── verify.sh # Project verification script
│
├── data/ # SQLite database (auto-created)
│ └── fakeit.db
│
├── honeypots/
│ ├── http-honey/ # HTTP honeypot service
│ │ ├── app.py # Flask application
│ │ ├── templates/ # HTML pages (7 files)
│ │ └── static/ # CSS & JS
│ │
│ └── smb-honey/ # SMB honeypot service
│ └── smb_server.py # Impacket SMB server
│
├── logger/ # Central logging service
│ ├── collector.py # REST API
│ ├── db_manager.py # Database operations
│ └── email_notifier.py # Email alerts
│
└── dashboard/ # Web dashboard
├── app.py # Flask application
├── auth.py # Authentication
├── models.py # User management
├── templates/ # HTML pages (4 files)
└── static/ # CSS & JS
-- Users Table (Dashboard Authentication)
CREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT UNIQUE NOT NULL,
password_hash TEXT NOT NULL, -- Bcrypt hashed
email TEXT NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Events Table (Honeypot Interactions)
CREATE TABLE events (
id INTEGER PRIMARY KEY AUTOINCREMENT,
service_type TEXT NOT NULL, -- HTTP or SMB
ip_address TEXT NOT NULL,
timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
honeypot_name TEXT,
method TEXT, -- HTTP: GET, POST, etc.
path TEXT, -- HTTP: /login, /documents, etc.
user_agent TEXT,
headers TEXT, -- JSON
post_data TEXT,
username_attempted TEXT, -- SMB: attempted username
file_accessed TEXT, -- SMB: accessed file
action TEXT, -- SMB: connection type
request_details TEXT -- JSON: additional data
);
-- Indexes for performance
CREATE INDEX idx_timestamp ON events(timestamp DESC);
CREATE INDEX idx_service_type ON events(service_type);
CREATE INDEX idx_ip_address ON events(ip_address);The logger service exposes the following REST API:
| Method | Endpoint | Description | Auth |
|---|---|---|---|
| GET | /health |
Health check | No |
| POST | /api/log |
Log new event | No |
| GET | /api/events |
List events (filterable) | No |
| GET | /api/events/<id> |
Get event details | No |
| GET | /api/stats |
Get statistics | No |
Example: Query Events
# Get all events
curl http://localhost:5000/api/events
# Filter by service type
curl http://localhost:5000/api/events?service_type=HTTP
# Filter by IP
curl http://localhost:5000/api/events?ip_filter=192.168.1.100
# Pagination
curl http://localhost:5000/api/events?limit=10&offset=20The honeypots use admin:admin credentials BY DESIGN to attract attackers. This is expected and intentional behavior.
The dashboard implements strong security:
- Bcrypt Password Hashing: All passwords hashed with cost factor 12
- Session-Based Authentication: Secure session management
- No Public Registration: Admin credentials configured via environment variables
- Single Admin User: Prevents unauthorized account creation
- SQL Injection Protection: Parameterized queries
- XSS Prevention: Template escaping enabled
- Login Required: Protected routes with decorators
- Use Strong Passwords: Configure strong admin credentials in
.envfile - Secure
.envFile: Never commit.envto version control, use.env.exampleas template - Change Default Credentials: Always change default admin username and password
- Network Isolation: Deploy honeypots in monitored DMZ or separate VLAN
- Firewall Rules: Prevent honeypot-to-production network access
- Regular Monitoring: Review dashboard daily for suspicious activity
- HTTPS in Production: Use reverse proxy (Nginx/Traefik) with SSL certificates
- Change Secret Key: Always change
SECRET_KEYin production - Restrict Dashboard Access: Limit dashboard to trusted networks only
Your WiFi/LAN Network (192.168.1.0/24)
├── Router (192.168.1.1)
├── Your PC (192.168.1.50)
├── Docker Server (192.168.1.100) ← FakeIT-Collector here
│ ├── HTTP Honeypot :8080
│ ├── SMB Honeypot :4445
│ └── Dashboard :3000
└── Other devices...
Result: Any device on 192.168.1.x can access
Configuration:
# docker-compose.yml - No changes, use default ports
ports:
- "8080:8080"
- "4445:445"
- "3000:3000"Access:
- From any PC on your network:
http://192.168.1.100:8080 - ✅ Perfect for detecting malware, scans, internal attacks
⚠️ Dashboard is also accessible (use strong passwords)
┌─────────────────────────────────────────────────────┐
│ Production Network (10.0.1.0/24) │
│ ├── Critical servers │
│ ├── Applications │
│ └── Users │
└──────────────┬──────────────────────────────────────┘
│ Firewall: Allows monitoring →
┌──────────────┴──────────────────────────────────────┐
│ Honeypot Network (10.0.99.0/24) - ISOLATED │
│ └── Docker Server (10.0.99.10) │
│ ├── HTTP Honeypot :80 ← Standard port │
│ ├── SMB Honeypot :445 ← Standard port │
│ └── Dashboard :3000 │
└─────────────────────────────────────────────────────┘
↓ Firewall: BLOCKS access to production
[Only monitoring and alerts allowed]
Configuration:
# docker-compose.yml - Standard ports for more realism
services:
http-honey:
ports:
- "80:8080" # Standard HTTP port 80
smb-honey:
ports:
- "445:445" # Standard SMB port 445
privileged: true # Required for port < 1024
dashboard:
ports:
- "3000:3000"Critical Firewall Rules:
# BLOCK: Honeypots → Production Network
iptables -A FORWARD -s 10.0.99.0/24 -d 10.0.1.0/24 -j DROP
# ALLOW: Production → Honeypots (so attackers can reach them)
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.99.0/24 -j ACCEPT
# ALLOW: Dashboard → Logger (monitoring)
iptables -A OUTPUT -p tcp --dport 5000 -j ACCEPTDocker Server with 2 interfaces:
├── eth0: 192.168.1.100 (Internal Network - Production)
└── eth1: 10.10.10.50 (DMZ Network - Honeypots)
Bind honeypots only to DMZ:
Configuration:
services:
http-honey:
ports:
- "10.10.10.50:8080:8080" # DMZ interface only
smb-honey:
ports:
- "10.10.10.50:445:445"
dashboard:
ports:
- "192.168.1.100:3000:3000" # Internal network onlyAfter deployment, verify from another computer on your network:
# From another machine on your network
ping 192.168.1.100 # Docker server IP
# Test HTTP honeypot
curl http://192.168.1.100:8080/
# Test SMB honeypot
smbclient //192.168.1.100/CompanyFiles -U admin%admin -p 4445
# Access dashboard
# Open browser: http://192.168.1.100:3000If NOT accessible:
- Verify server firewall:
sudo ufw status - Verify Docker is listening:
sudo netstat -tlnp | grep docker-proxy - Verify iptables rules
If IS accessible: ✅ Working! Attackers will also be able to reach it.
# Run verification script
./verify.sh
# Check all services are running
docker-compose ps
# View logs
docker-compose logs -f# Test various endpoints
curl http://localhost:8080/
curl http://localhost:8080/login
curl http://localhost:8080/employees
curl http://localhost:8080/documents
# Test authentication
curl -X POST http://localhost:8080/login \
-d "username=admin&password=admin" -L
# Test with custom headers
curl -H "User-Agent: CustomBot/1.0" http://localhost:8080/Linux/Mac:
# Install smbclient
# Ubuntu: sudo apt-get install smbclient
# Mac: brew install samba
# Connect to share
smbclient //localhost/CompanyFiles -U admin%admin -p 4445
# List files
smbclient //localhost/CompanyFiles -U admin%admin -p 4445 -c "ls"
# Download a file
smbclient //localhost/CompanyFiles -U admin%admin -p 4445 -c "get passwords.txt"Windows:
# Map network drive
net use Z: \\localhost@4445\CompanyFiles /user:admin admin
# List files
dir Z:
# View file content
type Z:\passwords.txt
# Disconnect
net use Z: /delete- Login at http://localhost:3000 with credentials from
.envfile - Verify events appear in the dashboard
- Test filters (service type, IP address)
- Click "View" to see event details
# Make a request to trigger alert
curl http://localhost:8080/
# Check logger logs
docker-compose logs logger | grep -i email
# Check your alert email inboxFor comprehensive testing instructions, see TESTING.md
# Start services
docker-compose up -d
# Stop services
docker-compose down
# Restart services
docker-compose restart
# View logs (all services)
docker-compose logs -f
# View logs (specific service)
docker-compose logs -f http-honey
# Rebuild after code changes
docker-compose up -d --build
# Check resource usage
docker stats# Backup database
cp data/fakeit.db data/fakeit_backup_$(date +%Y%m%d).db
# Compact database
docker exec -it fakeit-logger sqlite3 /app/data/fakeit.db "VACUUM;"
# View database statistics
docker exec -it fakeit-logger sqlite3 /app/data/fakeit.db "
SELECT
COUNT(*) as total_events,
COUNT(DISTINCT ip_address) as unique_ips,
service_type,
COUNT(*) as count_by_service
FROM events
GROUP BY service_type;
"
# Clean old events (older than 30 days)
docker exec -it fakeit-logger sqlite3 /app/data/fakeit.db "
DELETE FROM events WHERE timestamp < datetime('now', '-30 days');
"# Pull latest code
git pull
# Rebuild containers
docker-compose down
docker-compose up -d --build
# Verify everything works
./verify.shServices won't start
# Check logs for errors
docker-compose logs
# Verify ports are available
sudo lsof -i :3000
sudo lsof -i :8080
sudo lsof -i :4445
# Rebuild from scratch
docker-compose down -v
docker-compose up -d --buildEmail alerts not working
- Verify SMTP settings in
.env - Check logger logs:
docker-compose logs logger | grep -i email - Test SMTP connection manually
- For Gmail, ensure App Passwords are enabled
- Check firewall isn't blocking SMTP port
Can't access dashboard
- Check service is running:
docker-compose ps - View logs:
docker-compose logs dashboard - Verify port 3000 isn't blocked
- Try accessing via IP:
http://YOUR-IP:3000 - Check browser console for errors
SMB honeypot connection fails
- Verify service is running:
docker-compose ps - Check logs:
docker-compose logs smb-honey - Ensure port 4445 is accessible
- Try different SMB client (smbclient vs Windows net use)
- Check if antivirus is blocking connection
Database locked errors
# Stop all services
docker-compose down
# Remove lock file
rm data/fakeit.db-journal
# Restart
docker-compose up -dEvents not appearing in dashboard
- Check honeypots can reach logger:
docker-compose logs http-honey - Verify logger is receiving events:
docker-compose logs logger - Check database:
ls -lh data/fakeit.db - Refresh dashboard page
- Check browser console for JavaScript errors
- Edit docker-compose.yml to use production ports
- Configure firewall rules to isolate honeypots
- Set up reverse proxy (Nginx/Traefik) with SSL
- Configure monitoring and alerting
- Document honeypot IPs for incident response team
Forward events to your SIEM system:
# Custom script to forward events
import requests
import time
while True:
# Fetch events from API
response = requests.get('http://localhost:5000/api/events?limit=100')
events = response.json()['events']
# Forward to SIEM
for event in events:
send_to_siem(event)
time.sleep(60)Deploy multiple instances across network segments:
# docker-compose-segment-a.yml
services:
http-honey:
environment:
- LOGGER_URL=http://central-logger.company.local:5000# Daily event summary
docker exec -it fakeit-logger sqlite3 /app/data/fakeit.db "
SELECT
DATE(timestamp) as date,
service_type,
COUNT(*) as events,
COUNT(DISTINCT ip_address) as unique_ips
FROM events
WHERE timestamp >= date('now', '-7 days')
GROUP BY date, service_type
ORDER BY date DESC;
"
# Top attacking IPs
docker exec -it fakeit-logger sqlite3 /app/data/fakeit.db "
SELECT
ip_address,
COUNT(*) as attempts,
GROUP_CONCAT(DISTINCT service_type) as services,
MIN(timestamp) as first_seen,
MAX(timestamp) as last_seen
FROM events
GROUP BY ip_address
ORDER BY attempts DESC
LIMIT 10;
"This project is provided for educational and authorized security testing purposes only.
- Built with Flask, Impacket, and Docker
- Inspired by modern honeypot projects and threat detection systems
- Created to help security teams detect lateral movement and unauthorized access
