A lightweight honeynet simulation using Docker Compose to emulate common attack surfaces via vulnerable SSH, FTP, and HTTP services.

Rzfn2/Honeynet

πŸ›‘οΈ Honeynet Project

A lightweight, professional-grade honeynet built using Docker Compose. This project emulates vulnerable SSH, FTP, and HTTP services to attract attackers, log behavior, and support blue team analysis. Ideal for labs, research, or security monitoring use cases.



✨ Highlights

  • Dockerized honeypots: SSH, FTP, HTTP
  • Modular architecture: each service runs independently
  • Logs attacker interactions in real-time
  • SIEM-ready: logs can be forwarded to external systems
  • VLAN-ready for isolated deployment

βš™οΈ Deployment Guide

βœ… Requirements

  • Ubuntu Server 20.04+
  • Docker & Docker Compose
  • Root or sudo privileges

📦 Installation

# Install Docker and Docker Compose
sudo apt update && sudo apt install -y docker.io docker-compose

# Clone the honeynet repository
git clone https://github.com/Rzfn2/Honeynet.git
cd Honeynet

# Build honeypot containers
sudo docker-compose build

# Start the honeynet
sudo docker-compose up -d

🔑 SSH Key Setup

To avoid SSH permission issues during testing:

# Generate key pair if needed
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa

🌐 VLAN Network Isolation

Isolate your honeynet from the host or production environment:

# Create VLAN interface (e.g. VLAN ID 10)
sudo ip link add link ens33 name ens33.10 type vlan id 10

# Assign IP
sudo ip addr add 192.168.10.1/24 dev ens33.10

# Activate VLAN
sudo ip link set up ens33.10

Ensure Docker containers are bridged to this VLAN manually or through custom network configurations.
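
One way to do that bridging, as an added example that is not part of the repository: a macvlan network whose parent is ens33.10, with each honeypot container moved onto it. The interface, subnet and container names are the README's; the network name honeynet_vlan, the per-container addresses and the name of the network being left are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the Honeynet repository.
# From the README: ens33.10, 192.168.10.0/24, host at 192.168.10.1 and the
# container names. Assumed: network name and per-container addresses.

DOCKER="${DOCKER:-docker}"   # DOCKER="echo docker" previews the commands
PARENT_IF="ens33.10"
SUBNET="192.168.10.0/24"
GATEWAY="192.168.10.1"
VLAN_NET="honeynet_vlan"     # assumed name

# Create a macvlan network bound to the VLAN sub-interface.
create_vlan_net() {
  $DOCKER network create -d macvlan \
    --subnet "$SUBNET" --gateway "$GATEWAY" \
    -o parent="$PARENT_IF" "$VLAN_NET"
}

# Move one container onto the VLAN with a fixed address, then detach it
# from its previous network so the VLAN is its only path.
# $1 = container, $2 = address inside SUBNET, $3 = network to leave
move_to_vlan() {
  prefix="${SUBNET%.*}"      # "192.168.10" (valid for a /24 only)
  case "$2" in
    "$GATEWAY")  echo "refusing $2: host address" >&2; return 1 ;;
    "$prefix".*) ;;
    *)           echo "refusing $2: outside $SUBNET" >&2; return 1 ;;
  esac
  $DOCKER network connect --ip "$2" "$VLAN_NET" "$1" &&
    $DOCKER network disconnect "$3" "$1"
}

# Usage (script name is arbitrary): sudo ./vlan-attach.sh apply <network-to-leave>
# The network a container is currently on is shown by: docker inspect ssh_honeypot
# The three addresses below are constructed for this example.
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
  create_vlan_net &&
    move_to_vlan ssh_honeypot  192.168.10.11 "$2" &&
    move_to_vlan ftp_honeypot  192.168.10.12 "$2" &&
    move_to_vlan http_honeypot 192.168.10.13 "$2"
fi
```

After the move, ports published on the Docker host no longer reach the container; it answers on its VLAN address instead. The host also cannot talk to the containers over ens33.10, which is a property of macvlan.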


🌍 Honeypot Services

| Protocol | Container | Port |
|----------|---------------|------|
| SSH | ssh_honeypot | 2222 |
| FTP | ftp_honeypot | 21 |
| HTTP | http_honeypot | 8080 |

🧪 Testing Interaction

From your attacker machine (e.g., Kali Linux):

# SSH
ssh test@<ip> -p 2222

# FTP
ftp <ip>

# HTTP
curl http://<ip>:8080

πŸ“ Log Files

Service Log Path
SSH audit.log, cmd_audit.log
FTP logs/ftp_audit.log
HTTP logs/http_audit.log

Access logs with:

sudo docker exec -it ssh_honeypot cat audit.log

🔒 Security Recommendations

  • Deploy in a VLAN for network isolation
  • Restrict outbound container traffic
  • Forward logs to ELK/Splunk/SIEM

🧾 License

MIT License — for academic, SOC testing, and cybersecurity research use only.


👤 Author

Made by Abdullah

Feedback and professional collaboration are welcome. ⭐
