HoneyDjango
Self-hosted Django honeypot and attacker intelligence platform. Serves decoy
endpoints (/.env, /wp-admin/, canary tokens, …), captures and enriches
every hit via Celery (GeoIP, JA3/User-Agent fingerprinting, threat feeds),
builds attacker profiles, and shows it all live in the Django admin — real-time
map, alert rules with Slack/email/webhook notifiers, and CSV/JSON/STIX export.
Requirements
- Python 3.11+
- PostgreSQL (models use ArrayField; JSONB for payloads)
- Redis (Channels layer + Celery broker)
Install
pip install honeydj # host project already has a Postgres driver
pip install "honeydj[postgres]" # or bring psycopg 3 along
Quickstart (~5 minutes)
1. Settings — at the end of your settings.py:
from honeydj.contrib.quickstart import apply_honeydj_settings
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "honeydj.honeypot.middleware.HoneyMiddleware",  # right after SecurityMiddleware
    # ... the rest of your middleware ...
]
REDIS_URL = "redis://localhost:6379/0" # optional; defaults derive from this
apply_honeydj_settings(globals())
The helper appends the honeydj apps (plus unfold and channels) to
INSTALLED_APPS and fills in Channels/Celery/honeydj defaults without
overwriting anything you already set. Your DATABASES must point at
PostgreSQL.
2. URLs — decoys go at the site root, last, so they never shadow real routes and their attack paths look authentic:
from django.urls import include, path

urlpatterns = [
    # ... your real routes ...
    path("intel/dashboard/", include("honeydj.dashboard.urls", namespace="dashboard")),
    path("api/events/", include("honeydj.events.urls", namespace="events")),
    path("api/feeds/", include("honeydj.feeds.urls", namespace="feeds")),
    path("", include("honeydj.honeypot.urls", namespace="honeypot")),  # keep last
]
Mount the dashboard behind a non-obvious prefix — it shares the admin's auth.
3. Migrate and run:
python manage.py migrate
python manage.py seed_decoy_routes # optional starter decoys
celery -A yourproject worker -Q default,enrichment,alerts -l info
celery -A yourproject beat -l info # hourly threat-feed purge
The live map needs an ASGI server (Daphne/Uvicorn) with a
ProtocolTypeRouter routing honeydj.events.routing.websocket_urlpatterns
— see config/asgi.py for a working example. Everything
else works under plain WSGI.
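A deployment check for the two placement rules in steps 1 and 2: HoneyMiddleware directly after SecurityMiddleware, and the decoy include last and at the site root. This is an added example, not honeydj's own code; the function names and the (route, urlconf) tuples standing in for urlpatterns are assumptions.

```python
# Added example: lint the two placement rules from quickstart steps 1 and 2.
# Plain lists stand in for Django settings/urlpatterns (an assumption), so it
# runs without Django installed.
SECURITY = "django.middleware.security.SecurityMiddleware"
HONEY = "honeydj.honeypot.middleware.HoneyMiddleware"
DECOY_URLS = "honeydj.honeypot.urls"


def check_middleware(middleware):
    """Return a list of placement problems; an empty list means OK."""
    if HONEY not in middleware:
        return ["HoneyMiddleware is not installed"]
    if SECURITY not in middleware:
        return ["SecurityMiddleware is missing"]
    problems = []
    sec, honey = middleware.index(SECURITY), middleware.index(HONEY)
    if honey < sec:
        problems.append("HoneyMiddleware runs before SecurityMiddleware")
    elif honey - sec > 1:
        between = ", ".join(middleware[sec + 1:honey])
        problems.append("middleware between SecurityMiddleware and HoneyMiddleware: " + between)
    return problems


def check_urls(routes):
    """routes: ordered (route, included urlconf) pairs; empty list means OK."""
    targets = [target for _, target in routes]
    if DECOY_URLS not in targets:
        return ["decoy URLs are not included"]
    problems = []
    pos = targets.index(DECOY_URLS)
    if routes[pos][0] != "":
        problems.append("decoys are mounted under %r, not the site root" % routes[pos][0])
    later = [route for route, _ in routes[pos + 1:]]
    if later:
        problems.append("routes after the decoy include may be shadowed: " + ", ".join(later))
    return problems


# Constructed sample inputs mirroring the quickstart snippets.
SESSION = "django.contrib.sessions.middleware.SessionMiddleware"
GOOD_MIDDLEWARE = [SECURITY, HONEY, SESSION]
BAD_MIDDLEWARE = [SECURITY, SESSION, HONEY]
GOOD_ROUTES = [("intel/dashboard/", "honeydj.dashboard.urls"), ("", DECOY_URLS)]
BAD_ROUTES = [("", DECOY_URLS), ("api/events/", "honeydj.events.urls")]

if __name__ == "__main__":
    print(check_middleware(BAD_MIDDLEWARE))
    print(check_urls(BAD_ROUTES))
```

In a real project, feed it `settings.MIDDLEWARE` and the route/urlconf pairs from your root URLconf, and fail the deployment test when either list is non-empty.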
GeoIP (optional)
The GeoLite2 database is not distributable on PyPI. Download
GeoLite2-City.mmdb from MaxMind
(free account) and set GEOIP_PATH to its directory. Without it, events are
simply captured without geo data.
Configuration
apply_honeydj_settings documents every setting it touches. The ones you'll
most likely override: GEOIP_PATH, ABUSEIPDB_API_KEY, VIRUSTOTAL_API_KEY
(feed adapters self-disable while empty), ALERT_REFIRE_WINDOW_SECONDS, and
ADMIN_BASE_URL (absolute base URL used to build clickable links in alerts).
Development
This repo doubles as the dev/demo project (config/ holds the harness — it is
not part of the PyPI package):
cp .env.example .env
docker compose up
docker compose run --rm web pytest
Lint and types: ruff check . && mypy . (config lives in pyproject.toml).
Releasing
CI (.github/workflows/ci.yml) runs ruff, mypy, and pytest with a coverage
gate on every push and PR. Publishing (.github/workflows/publish.yml)
triggers only on tags matching v*.*.*:
# bump __version__ in honeydj/__init__.py (single source of truth), then:
git tag v0.1.0 && git push origin v0.1.0
Requires a PYPI_API_TOKEN repository secret (PyPI → Account settings → API
tokens; use __token__ scoped to this project after the first upload).
License
MIT — see LICENSE.
File details
Details for the file honeydj-0.1.0.tar.gz.
File metadata
- Download URL: honeydj-0.1.0.tar.gz
- Upload date:
- Size: 64.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f0339a180a5b48edea1665cf0a564fe67f963e4ff061bb4a7b65dc793d6e20a9 |
| MD5 | d5545283f9d5bd6e57fae292c2bbfaf3 |
| BLAKE2b-256 | 61896aea46f1c4f2ac30b2bfa0450873c42c7d92e73ffa0d99d79a7cbe428b2b |
File details
Details for the file honeydj-0.1.0-py3-none-any.whl.
File metadata
- Download URL: honeydj-0.1.0-py3-none-any.whl
- Upload date:
- Size: 92.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | edd861f2cd67a694dd6c2c833acf8b0859866c7eca4fd3204aa627da3f06b39e |
| MD5 | 31312cffff6c6a2f9a3b91c326d7195a |
| BLAKE2b-256 | beeb178ccaeaea7af74c2b7cf42c4e922430f965f333ad0c3cbb1211ccac6b99 |