ShiroBlank/honeypot-dashboard

GitHub: ShiroBlank/honeypot-dashboard

Stars: 0 | Forks: 0

# 🍯 Honeypot Dashboard

## Screenshots

## Features

### Dashboard & Analytics

- **Overview** — total connections, unique IPs, login attempts, successful logins, commands executed, and malware sample count, all with "today" deltas
- **Activity timeline** — 14-day chart of connections and unique IPs
- **Top attacking countries** — doughnut chart showing unique IP counts per country with flag emojis
- **Top credential pairs, top commands, top attacking IPs** — live leaderboard tables
- **Recent sessions** — last 20 sessions with duration, login count, and geo data

### Sessions Browser

- Full paginated table of every SSH session
- Sortable by IP, connect time, duration, login count, command count
- Full-text search across IP, session ID, and SSH client fingerprint (HASSH)
- Click any IP to open a **detailed IP view** with geo info, all sessions, logins, commands, downloads, and VirusTotal results

### Log Browser

- Calendar view of all indexed log dates
- Per-day event viewer filtered by type: connects, logins, commands, downloads, uploads
- Full-text search within a day's events

### Attack Map

- World map (Leaflet + CartoDB dark tiles) with clustered attack markers
- Marker colour and size scale with connection intensity
- Date filters: all time, today, last 7 days, last 30 days, custom range
- Click any marker to view the full IP detail panel

### Malware Samples

### Settings

- All configuration editable from the UI (no manual config file editing needed)
- API key fields with show/hide toggle and live connection test buttons
- Cache TTL controls for geo and VT data
- Change password form
- Re-index logs button

## Integrations

### ipinfo.io — Geolocation

Used to resolve attacker IPs to country, city, region, organisation, and coordinates.
- Works without an API key (anonymous tier, rate-limited)
- Add an API key in Settings for higher request limits
- Results cached in SQLite (default TTL: 7 days)
- Background bulk-fetch on startup ensures flags and country data appear immediately

### VirusTotal — Malware Intelligence

- Requires a [VirusTotal API key](https://www.virustotal.com/gui/join-us) (free tier supported: 4 requests/minute)
- Rate limiter built in — no manual throttling needed
- Results cached in SQLite (default TTL: 24 hours, configurable)
- Detection results shown on the Samples tab and in the IP detail view
- Also used by the Threat.rip uploader to pre-filter samples that are too old before uploading

## Requirements

- **Node.js** 18 or later
- **Cowrie** SSH honeypot writing JSON logs (NDJSON format, one event object per line)
- A machine with read access to the Cowrie log directory

## Installation

```bash
git clone honeypot-dashboard
cd honeypot-dashboard
npm install
npm start
```

The dashboard will be available at `http://localhost:3000`. On first startup the database is created automatically and all existing Cowrie log files are indexed before the server begins accepting requests, so the first start of a large log directory can take a while. The page itself pulls Chart.js and Leaflet from a CDN, so the browser viewing the dashboard needs outbound access to those hosts (or the assets must be vendored for an air-gapped deployment).

## Configuration

All settings are available in the dashboard UI under **Settings**. On first run a `data/config.json` is created with defaults. The file can also be edited manually (a restart is required for path changes). Since it holds the API keys, restrict its file permissions and keep it out of version control and unencrypted backups.
| Setting | Default | Description |
|---------|---------|-------------|
| Dashboard Title | `Honeypot Dashboard` | Shown in the browser tab and sidebar |
| Port | `3000` | HTTP port to listen on |
| Cowrie Log Directory | — | Path to the directory containing `cowrie.json` log files |
| Cowrie Downloads Directory | — | Path to the directory containing SHA256-named malware samples |
| VirusTotal API Key | — | Free tier key from virustotal.com |
| ipinfo.io API Key | — | Optional; increases geo request limits |
| Geo Cache TTL | `7` days | How long IP geo data is cached |
| VT Cache TTL | `24` hours | How long VirusTotal results are cached |
| Threat.rip API Key | — | API key for threat.rip uploads |
| Threat.rip Enabled | `false` | Toggle the background upload service |
| Upload Interval | `30` minutes | How often the uploader service runs |
| VT Max Age | `180` days | Samples older than this are never uploaded to threat.rip |

## Default Credentials

| Username | Password |
|----------|----------|
| `admin` | `honeypot` |

**Change the password immediately** after first login via Settings → Change Password. Until it is changed, anyone who can reach the port can sign in with the published default; the login rate limit slows guessing but does not prevent it. Do not expose the dashboard directly to the internet; keep it behind a VPN or an authenticating reverse proxy.

## Architecture Notes

- **No build step** — vanilla JS/CSS served directly; Chart.js and Leaflet loaded from CDN
- **SQLite** (via `better-sqlite3`) — all queries are synchronous; no ORM
- **Real-time indexing** — `chokidar` watches the live `cowrie.json` for new lines and indexes them within ~2 seconds
- **Log rotation** — Cowrie renames `cowrie.json` → `cowrie.json.YYYY-MM-DD` at midnight; a periodic re-index every 5 minutes catches newly rotated files automatically
- **Background services** — geo fetching and threat.rip uploads run as async background timers and never block HTTP responses
- **Session auth** — server-side sessions with httpOnly cookies; login rate-limited to 20 attempts per 15 minutes

## License

MIT
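How the indexing described in the Requirements and Architecture Notes can be implemented, as an added example that is not the project's own code (the project's indexer is not shown on this page). It reads Cowrie NDJSON, holds back a partial last line while Cowrie is still writing it, skips corrupt lines, picks up rotated `cowrie.json.YYYY-MM-DD` files in order, and folds events into the overview counters, leaderboards and per-session records the dashboard displays. The event ids and field names (`eventid`, `session`, `src_ip`, `username`, `password`, `input`, `shasum`, `duration`, `hassh`) are the ones Cowrie writes; the log lines in `SAMPLE_LOG` are constructed for this example and the function names are the example's own.

```javascript
// Added example, not the project's code: a minimal indexer for Cowrie NDJSON logs
// producing the overview counters, leaderboards and per-session records the
// dashboard shows. Event ids and fields are Cowrie's; SAMPLE_LOG is constructed.

// Files to index: the live cowrie.json plus rotated cowrie.json.YYYY-MM-DD copies, oldest first, live file last.
const LOG_NAME = /^cowrie\.json(?:\.\d{4}-\d{2}-\d{2})?$/;

function selectLogFiles(names) {
  return names
    .filter((n) => LOG_NAME.test(n))
    .sort((a, b) => (a === 'cowrie.json') - (b === 'cowrie.json') || a.localeCompare(b));
}

// Split a chunk of NDJSON into parsed events. The live file's last line may be incomplete
// while Cowrie is still writing it, so it is handed back as `remainder` to prepend to the next chunk.
function parseNdjson(chunk) {
  const lines = chunk.split('\n');
  const remainder = lines.pop(); // '' when the chunk ended with a newline
  const events = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    try {
      const ev = JSON.parse(line);
      if (ev && typeof ev.eventid === 'string') events.push(ev);
    } catch {
      // one corrupt line must not abort indexing of the rest of the file
    }
  }
  return { events, remainder };
}

const newState = () => ({ connections: 0, ips: new Set(), loginAttempts: 0, successfulLogins: 0,
  commands: 0, samples: new Set(), credentials: new Map(), commandCounts: new Map(), sessions: new Map() });

const bump = (map, key) => map.set(key, (map.get(key) || 0) + 1);

// Fold events into `state`. The state is reusable across chunks, so a tailer can call this
// for every batch of new lines instead of re-reading the whole file.
function indexEvents(events, state = newState()) {
  for (const ev of events) {
    let s = state.sessions.get(ev.session);
    if (!s) {
      s = { id: ev.session, ip: ev.src_ip, connect: null, duration: null, logins: 0, commands: 0, hassh: null, downloads: [] };
      state.sessions.set(ev.session, s);
    }
    switch (ev.eventid) {
      case 'cowrie.session.connect':
        state.connections += 1; state.ips.add(ev.src_ip); s.connect = ev.timestamp; break;
      case 'cowrie.client.kex':
        s.hassh = ev.hassh || null; break;
      case 'cowrie.login.failed':
      case 'cowrie.login.success':
        state.loginAttempts += 1; s.logins += 1;
        bump(state.credentials, `${ev.username}/${ev.password}`);
        if (ev.eventid === 'cowrie.login.success') state.successfulLogins += 1;
        break;
      case 'cowrie.command.input':
        state.commands += 1; s.commands += 1; bump(state.commandCounts, ev.input); break;
      case 'cowrie.session.file_download':
        if (ev.shasum) { state.samples.add(ev.shasum); s.downloads.push(ev.shasum); }
        break;
      case 'cowrie.session.closed':
        s.duration = ev.duration; break;
      // other Cowrie events (tty log, direct-tcpip, ...) are not counted here
    }
  }
  return state;
}

const overview = (st) => ({ connections: st.connections, uniqueIps: st.ips.size,
  loginAttempts: st.loginAttempts, successfulLogins: st.successfulLogins,
  commands: st.commands, samples: st.samples.size });

// Leaderboard helper for "top credential pairs" and "top commands".
const topN = (map, n) => [...map.entries()].sort((a, b) => b[1] - a[1]).slice(0, n);

// Constructed sample: two sessions, one corrupt line, and a partial last line still being written.
const SAMPLE_LOG = [
  '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51234,"dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh","timestamp":"2024-05-01T10:00:00.000000Z"}',
  '{"eventid":"cowrie.client.kex","hassh":"ec7378c1a92f5a8dde7e8b7a1ddf33d1","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T10:00:00.200000Z"}',
  '{"eventid":"cowrie.login.failed","username":"root","password":"123456","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T10:00:01.000000Z"}',
  '{"eventid":"cowrie.login.success","username":"root","password":"admin","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T10:00:02.000000Z"}',
  '{"eventid":"cowrie.command.input","input":"uname -a","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T10:00:03.000000Z"}',
  '{"eventid":"cowrie.session.file_download","url":"http://203.0.113.99/x86","shasum":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T10:00:04.000000Z"}',
  '{"eventid":"cowrie.session.closed","duration":4.5,"session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2024-05-01T10:00:04.500000Z"}',
  '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","src_port":40000,"dst_port":2222,"session":"0f0e0d0c0b0a","protocol":"ssh","timestamp":"2024-05-01T11:00:00.000000Z"}',
  '{"eventid":"cowrie.login.failed","username":"admin","password":"admin","session":"0f0e0d0c0b0a","src_ip":"198.51.100.9","timestamp":"2024-05-01T11:00:01.000000Z"}',
  'not json at all',
  '{"eventid":"cowrie.session.closed","duration":1.2,"session":"0f0e0d0c0b0a","src_ip":"198.51.100.9","timestamp":"2024-05-01T11:00:01.200000Z"}',
  '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":5',
].join('\n');

const { events, remainder } = parseNdjson(SAMPLE_LOG);
const state = indexEvents(events);
console.log(overview(state), topN(state.credentials, 3), `held back ${remainder.length} bytes of partial line`);
```

A tailer built on this keeps the byte offset it has indexed up to per file together with the `remainder`; when `cowrie.json` is rotated, the old inode is read to its end and the offset for the new `cowrie.json` starts at zero, which is what lets a periodic directory scan pick up the `cowrie.json.YYYY-MM-DD` file without double-counting its events.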
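The two limits the page states, the VirusTotal free-tier budget of 4 requests per minute (Integrations) and the login limit of 20 attempts per 15 minutes (Architecture Notes), are both sliding-window limits and can share one implementation. The following is an added example, not the project's code: a limiter with an injectable clock so its scheduling can be checked deterministically, with queue semantics for outbound VirusTotal lookups and reject semantics for the login form, plus the "VT Max Age" pre-filter the threat.rip uploader applies. Class, function and parameter names are the example's own.

```javascript
// Added example, not the project's code: a sliding-window limiter with an injectable
// clock, sized for the README's two limits (VirusTotal: 4/minute; login: 20 per 15 min),
// plus the "VT Max Age" pre-filter. All names here are the example's own.

class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.stamps = []; // sorted times of granted requests, including ones scheduled in the future
  }

  // Forget requests that have left the window as of `now`.
  prune(now) {
    while (this.stamps.length && now - this.stamps[0] >= this.windowMs) this.stamps.shift();
  }

  // Queue semantics (VirusTotal): reserve the earliest slot at or after `now` and return
  // the time the caller may send. With `limit` requests already in the window, the slot
  // opens when the limit-th most recent one expires.
  acquire(now) {
    this.prune(now);
    const n = this.stamps.length;
    const runAt = n < this.limit ? now : Math.max(now, this.stamps[n - this.limit] + this.windowMs);
    this.stamps.push(runAt);
    return runAt;
  }

  // Reject semantics (login form): count the attempt only if it is allowed right now.
  tryAcquire(now) {
    this.prune(now);
    if (this.stamps.length >= this.limit) return false;
    this.stamps.push(now);
    return true;
  }
}

// One limiter per key, e.g. per client IP for logins or per API key for VirusTotal.
function keyedLimiter(limit, windowMs) {
  const byKey = new Map();
  return (key) => {
    if (!byKey.has(key)) byKey.set(key, new SlidingWindowLimiter(limit, windowMs));
    return byKey.get(key);
  };
}

// Run `fn` once the limiter grants a slot; this is the shape of a throttled VT lookup.
async function throttled(limiter, fn, clock = Date.now) {
  const now = clock();
  const wait = limiter.acquire(now) - now;
  if (wait > 0) await new Promise((resolve) => setTimeout(resolve, wait));
  return fn();
}

// "VT Max Age": a sample first seen more than `maxAgeDays` ago is never uploaded.
function withinMaxAge(firstSeenIso, nowMs, maxAgeDays) {
  const ageDays = (nowMs - Date.parse(firstSeenIso)) / 86400000;
  return ageDays <= maxAgeDays;
}

const VT_LIMIT = [4, 60 * 1000];
const LOGIN_LIMIT = [20, 15 * 60 * 1000];

// Demo with a fake clock: nine VT lookups submitted at t=0 are spread over three minutes.
const vt = new SlidingWindowLimiter(...VT_LIMIT);
console.log(Array.from({ length: 9 }, () => vt.acquire(0))); // [0,0,0,0,60000,60000,60000,60000,120000]
const loginFor = keyedLimiter(...LOGIN_LIMIT);
console.log(loginFor('203.0.113.7').tryAcquire(Date.now())); // true
```

For the login limiter, key on the client address the dashboard actually sees: behind a reverse proxy that is the proxy's address unless the app is configured to trust the proxy's forwarded header, and trusting that header from anything other than the proxy lets a client pick its own key.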