Build a Web-Based Honeypot: Track and Analyze Attack Patterns

In today's cybersecurity landscape understanding how attackers operate is critical. One effective method to gather this intelligence is by deploying honeypots, decoy systems that attract and study attackers without putting actual systems at risk. Honeypots simulate vulnerable or valuable resources and the interactions they gather can provide important insights for security teams.

In this example, we'll focus on building a web based honeypot that can detect scanning, brute force attempts and unauthorized access attempts.

One common attack vector is brute forcing login pages. We’ll create a fake admin login page designed to attract attackers. The page won’t authenticate users but will log every request, capturing details like the IP address headers, and attempted credentials. We can use RapidForge's drag and drop editor to create a simple page and POST endpoint to log the request.

Simple login screen

Create POST endpoint called /webhook/login inside of the block and add the following script. Don't forget to set form action to this endpoint.

# Create JSON payload
payload=$(cat <<EOF
{
  "ip": "$HEADER_X_REAL_IP",
  "user_agent": "$HEADER_USER_AGENT",
  "method": "$HEADER_X_FORWARDED_METHOD",
  "path": "$HEADER_X_FORWARDED_PATH",
  "query": "$HEADER_X_FORWARDED_QUERY",
  "referer": "$HEADER_REFERER",
  "user": "$HEADER_AUTHORIZATION",
  "body": "$PAYLOAD_DATA"
}

# We can send the payload to Slack through webhooks
# https://api.slack.com/messaging/webhooks

# Return a fake "Unauthorized" message
# Set end point to return 401 Unauthorized through UI
echo "Unauthorized"

We can also save some data to a database for further analysis.

IP_ADDRESS=$(echo $HEADER_REMOTE_ADDR)

# Check if IP already has a login attempt count
sqlite3 "$RF_KV_URL"
INSERT INTO KV (key, value) VALUES ('$IP_ADDRESS', 1)
ON CONFLICT(key) DO UPDATE SET value = value + 1;"

# You can store more data like timestamp, user-agent, etc.

# Return a fake "Unauthorized" message
# Set end point to return 401 Unauthorized through UI
echo "Unauthorized"

You can either create another end point to return saved data like in system metrics example or use periodic task to query the database and send alerts.