Cybersecurity

Virtual Honeypot Security Monitoring Lab

A virtualized cybersecurity lab that captures, logs, and analyzes real-world attack behavior using honeypot systems and SIEM monitoring tools.


System Architecture

[Diagram: Honeypot Lab Architecture]

Kali Linux (Attacker)

Simulates real-world attack patterns using Nmap port scanning and Hydra brute-force tools against the honeypot.

IP: 10.0.0.20

Cowrie Honeypot

Medium-interaction SSH/Telnet honeypot that captures credentials, logs shell commands, and emulates a fake filesystem.

IP: 10.0.0.10 • Ports: 2222, 2223

ELK Stack (SIEM)

Elasticsearch, Logstash, and Kibana centralize log ingestion, indexing, and dashboard visualization of attack data.

IP: 10.0.0.30 • Kibana: :5601

About The Project

This project deploys a multi-VM security environment simulating an enterprise network using VirtualBox. SSH honeypot services collect intrusion attempts, and attack traffic is analyzed through centralized logging dashboards to identify attacker behavior patterns.

Implementation Steps

  1. VM Provisioning: Created three VirtualBox VMs (Kali, Ubuntu Server, ELK) connected via an isolated internal-only network (10.0.0.0/24).
  2. Honeypot Deployment: Installed Cowrie SSH honeypot on the Ubuntu VM with iptables port forwarding (22 → 2222) and JSON-formatted logging.
  3. SIEM Setup: Deployed the ELK Stack (Elasticsearch + Logstash + Kibana) with a custom Logstash pipeline for Cowrie log ingestion and GeoIP enrichment.
  4. Attack Simulation: Executed controlled reconnaissance (Nmap), brute-force (Hydra), and post-auth simulation scripts from the Kali VM.
  5. Analysis & Visualization: Built Kibana dashboards showing login timelines, top attacker IPs, most-attempted credentials, and event distributions.

Key Results

  • 500+ credential attempts captured per run
  • 150+ unique passwords attempted
  • 100% Nmap scan detection rate
  • < 30s average time to first attack

Key Observations

  • Password Patterns: Attackers primarily use dictionary-based attacks, with 123456, password, admin, and root being the most attempted credentials.
  • Brute-Force Behavior: Automated tools follow predictable timing patterns with rapid sequential attempts.
  • Scanning Fingerprints: Nmap SYN scans and service version detection are clearly identifiable in Cowrie logs.
  • Session Behavior: Post-authentication, attackers attempt common commands (uname -a, cat /etc/passwd, wget).
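The dashboard metrics from step 5 (login timeline, top attacker IPs, most-attempted credentials) and the timing and scanning fingerprints listed above can be reproduced offline from Cowrie's JSON log before it ever reaches Logstash. The script below is an added example written for this page; it is not code from the project's repository. It assumes Cowrie's standard event schema (eventid, timestamp, src_ip, session, username, password, input) and works on a constructed sample log, so the IP addresses, sessions and timings in it are made up to mirror the lab's 10.0.0.0/24 layout.

```python
"""Offline analysis of Cowrie JSON logs: the metrics behind the Kibana dashboards."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in Cowrie's newline-delimited JSON format (cowrie.json).
# Field names follow Cowrie's schema; every value here is made up for the example.
SAMPLE_LOG = "\n".join([
    # s2: TCP connect with no login attempt, the footprint of a scanner probe
    '{"eventid":"cowrie.session.connect","timestamp":"2024-01-15T10:00:01.000000Z","src_ip":"10.0.0.20","session":"s2"}',
    '{"eventid":"cowrie.session.closed","timestamp":"2024-01-15T10:00:01.050000Z","src_ip":"10.0.0.20","session":"s2"}',
    # s1: rapid dictionary attempts, a success, then post-auth commands
    '{"eventid":"cowrie.session.connect","timestamp":"2024-01-15T10:00:05.000000Z","src_ip":"10.0.0.20","session":"s1"}',
    '{"eventid":"cowrie.login.failed","timestamp":"2024-01-15T10:00:05.400000Z","src_ip":"10.0.0.20","session":"s1","username":"root","password":"123456"}',
    '{"eventid":"cowrie.login.failed","timestamp":"2024-01-15T10:00:05.800000Z","src_ip":"10.0.0.20","session":"s1","username":"root","password":"password"}',
    '{"eventid":"cowrie.login.failed","timestamp":"2024-01-15T10:00:06.200000Z","src_ip":"10.0.0.20","session":"s1","username":"admin","password":"admin"}',
    '{"eventid":"cowrie.login.failed","timestamp":"2024-01-15T10:00:06.600000Z","src_ip":"10.0.0.20","session":"s1","username":"root","password":"root"}',
    '{"eventid":"cowrie.login.failed","timestamp":"2024-01-15T10:00:07.000000Z","src_ip":"10.0.0.20","session":"s1","username":"admin","password":"123456"}',
    '{"eventid":"cowrie.login.success","timestamp":"2024-01-15T10:00:07.400000Z","src_ip":"10.0.0.20","session":"s1","username":"root","password":"toor"}',
    '{"eventid":"cowrie.command.input","timestamp":"2024-01-15T10:00:09.000000Z","src_ip":"10.0.0.20","session":"s1","input":"uname -a"}',
    '{"eventid":"cowrie.command.input","timestamp":"2024-01-15T10:00:11.000000Z","src_ip":"10.0.0.20","session":"s1","input":"cat /etc/passwd"}',
    '{"eventid":"cowrie.session.closed","timestamp":"2024-01-15T10:00:15.000000Z","src_ip":"10.0.0.20","session":"s1"}',
    # s3: two slow, manual-looking attempts from a second constructed address
    '{"eventid":"cowrie.session.connect","timestamp":"2024-01-15T10:01:00.000000Z","src_ip":"10.0.0.21","session":"s3"}',
    '{"eventid":"cowrie.login.failed","timestamp":"2024-01-15T10:01:05.000000Z","src_ip":"10.0.0.21","session":"s3","username":"admin","password":"letmein"}',
    '{"eventid":"cowrie.login.failed","timestamp":"2024-01-15T10:01:40.000000Z","src_ip":"10.0.0.21","session":"s3","username":"admin","password":"123456"}',
    '{"eventid":"cowrie.session.closed","timestamp":"2024-01-15T10:01:45.000000Z","src_ip":"10.0.0.21","session":"s3"}',
])

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")
# Assumed lab start time for the "time to first attack" metric (constructed).
LAB_START = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

def parse_ts(value):
    """Cowrie writes UTC ISO-8601 timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_cowrie(text):
    """Parse newline-delimited JSON into event dicts, adding a parsed '_ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["_ts"] = parse_ts(event["timestamp"])
        events.append(event)
    return events

def login_attempts(events):
    return [e for e in events if e["eventid"] in LOGIN_EVENTS]

def top_attackers(events, n=5):
    """Source IPs ranked by credential attempts (the 'top attacker IPs' panel)."""
    return Counter(e["src_ip"] for e in login_attempts(events)).most_common(n)

def top_passwords(events, n=5):
    """Most-attempted passwords across all sessions."""
    return Counter(e["password"] for e in login_attempts(events)).most_common(n)

def top_commands(events, n=5):
    """Post-authentication commands typed into the emulated shell."""
    return Counter(e["input"] for e in events if e["eventid"] == "cowrie.command.input").most_common(n)

def time_to_first_attack(events, lab_start):
    """Seconds from lab start to the first credential attempt."""
    first = min(e["_ts"] for e in login_attempts(events))
    return (first - lab_start).total_seconds()

def by_session(events):
    sessions = defaultdict(list)
    for e in events:
        sessions[e["session"]].append(e)
    return sessions

def scan_sessions(events):
    """Sessions that connected but never tried a login: the shape of a service probe."""
    return sorted(sid for sid, evs in by_session(events).items()
                  if not any(e["eventid"] in LOGIN_EVENTS for e in evs))

def brute_force_sessions(events, min_attempts=5, max_gap=2.0):
    """Sessions with many attempts at machine speed: every consecutive gap <= max_gap seconds."""
    flagged = []
    for sid, evs in by_session(events).items():
        attempts = sorted(e["_ts"] for e in evs if e["eventid"] in LOGIN_EVENTS)
        if len(attempts) < min_attempts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(attempts, attempts[1:])]
        if max(gaps) <= max_gap:
            flagged.append(sid)
    return sorted(flagged)

if __name__ == "__main__":
    evs = parse_cowrie(SAMPLE_LOG)
    print("top attackers:", top_attackers(evs))
    print("top passwords:", top_passwords(evs))
    print("post-auth commands:", top_commands(evs))
    print("seconds to first attack:", time_to_first_attack(evs, LAB_START))
    print("scan-like sessions:", scan_sessions(evs), "brute-force sessions:", brute_force_sessions(evs))
```

To run it against a real capture, replace `SAMPLE_LOG` with the contents of Cowrie's `cowrie.json` and set `LAB_START` to the time the honeypot VM came up. The two session classifiers are the point of the example: a session with a TCP connect and no login attempt is what a version-detection probe leaves behind, while a session whose attempts are all under two seconds apart is what Hydra leaves behind, and both thresholds are tunable arguments rather than magic numbers.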

Tools & Technologies

VirtualBox, Ubuntu 22.04, Kali Linux, Cowrie, Elasticsearch, Logstash, Kibana, Nmap, Hydra, Bash, JSON