A distributed honeypot and security-event monitoring platform that captures real-world attackers, harvests credentials, and fires real-time alerts via Email and Telegram.

Project Sentinel is a full-stack cybersecurity monitoring system. It deploys low-interaction honeypots (SSH and HTTP) that lure attackers, captures everything they do, and streams the intelligence to a central API, which stores events in PostgreSQL/TimescaleDB and instantly notifies your team.
- Decoy services that look real to attackers
- GeoIP resolution per attacker IP
- Automatic IP blocking at the sensor level
- Grafana dashboards with provisioned alert rules
- Email + Telegram push notifications

Developed by DAani Sam, Cybersecurity Project (STU)
- SSH honeypot (Paramiko): captures credentials and blocks repeat attackers
- HTTP honeypot (Flask): fake admin login panel that logs every attempt
- Central Go/Gin REST API for event ingestion
- PostgreSQL + TimescaleDB for time-series event storage
- Per-IP sliding-window rate limiting and auto-blocking
- Country detection via ip-api.com
- HTML email alerts to all registered users (Gmail SMTP)
- Telegram bot real-time push alerts
- Grafana alerting: brute-force, traffic spikes, multi-service attack detection
- Core API deployed on Render

Sensors connect to the Core API and stream events in real time. Grafana visualises attack patterns across all honeypots.
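The "per-IP sliding-window rate limiting and auto-blocking" feature above is the sensor-side piece that stops a single source from hammering a honeypot indefinitely. The following is an added illustration, not code from the project: a small, self-contained Python class that keeps a deque of recent timestamps per IP, blocks an IP once it exceeds `max_hits` within `window_seconds`, and lets the block lapse after `block_seconds`. The class name, parameters and the simulated timeline are assumptions chosen for the example; the defaults mirror the README's "more than 3 attempts in 5 minutes" rule.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple


class SlidingWindowBlocker:
    """Per-IP sliding-window counter with temporary auto-block.

    Hypothetical helper for illustration (not the project's own code).
    Once an IP records more than `max_hits` attempts inside the trailing
    `window_seconds`, it is blocked for `block_seconds`; every further
    attempt in that period is refused without being counted.
    """

    def __init__(self, max_hits: int = 3, window_seconds: float = 300.0,
                 block_seconds: float = 3600.0) -> None:
        self.max_hits = max_hits
        self.window = window_seconds
        self.block_for = block_seconds
        self._hits: Dict[str, Deque[float]] = {}
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while `ip` is inside its block period; expired blocks are cleared."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]
            return False
        return True

    def record(self, ip: str, now: float) -> bool:
        """Record one attempt at time `now` (seconds).

        Returns True if the attempt should be served, False if the IP is
        blocked (or just crossed the threshold and became blocked).
        """
        if self.is_blocked(ip, now):
            return False
        hits = self._hits.setdefault(ip, deque())
        hits.append(now)
        # Slide the window: discard timestamps older than `window` seconds.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) > self.max_hits:
            self._blocked_until[ip] = now + self.block_for
            hits.clear()  # start fresh once the block expires
            return False
        return True


def simulate(attempts: List[Tuple[float, str]], **kwargs) -> List[bool]:
    """Replay (timestamp, ip) pairs through one blocker; returns the allow/deny verdicts."""
    blocker = SlidingWindowBlocker(**kwargs)
    return [blocker.record(ip, t) for t, ip in attempts]


if __name__ == "__main__":
    # Constructed timeline: one IP sends four attempts inside 30 seconds.
    timeline = [(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
                (30, "203.0.113.5"), (100, "198.51.100.7"), (700, "203.0.113.5")]
    for (t, ip), allowed in zip(timeline, simulate(timeline, block_seconds=600)):
        print(f"t={t:>4}s {ip:<14} {'allowed' if allowed else 'BLOCKED'}")
```

The counter only grows while an IP is unblocked, so a blocked source cannot extend its own block by retrying; a real sensor would also persist `_blocked_until` so a restart does not forget repeat offenders.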
| Layer | Technology |
|---|---|
| SSH Sensor | Python 3, Paramiko |
| HTTP Sensor | Python 3, Flask |
| Core API | Go 1.25, Gin, pgx/v5, gomail |
| Database | PostgreSQL 14 + TimescaleDB |
| Monitoring | Grafana (provisioned via YAML) |
| Notifications | Gmail SMTP, Telegram Bot API |
| GeoIP | ip-api.com |
| Deployment | Render (Core API) |
```text
project-sentinel/
├── core-api/                    # Go REST API
│   ├── main.go                  # Routes, handlers, email & Telegram
│   ├── database/db.go           # DB connection + migration
│   ├── handlers/handlers.go     # IngestLog, HealthCheck, GetLogs
│   ├── go.mod / go.sum
│   └── .env                     # Secrets
├── sensors/
│   ├── ssh/main.py              # SSH honeypot (Paramiko)
│   └── http/main.py             # HTTP honeypot (Flask)
├── database-schema/schema.sql   # Canonical PostgreSQL schema
├── grafana/provisioning/
│   ├── alerting/ssh.yaml
│   ├── alerting/traffic-spike.yaml
│   ├── alerting/multiservice-attack.yaml
│   └── datasources/postgres.yaml
├── infrastructure/init-db.sql   # TimescaleDB init
├── sentinel_dump.sql            # Full DB dump
└── README.md
```
Clone the repository:

```bash
git clone https://github.com/DaniSam-STU/project-sentinel.git
cd project-sentinel
```

Create the database and load the schema:

```bash
psql -U postgres -c "CREATE DATABASE sentinel_db;"
psql -U postgres -d sentinel_db -f infrastructure/init-db.sql
psql -U postgres -d sentinel_db -f database-schema/schema.sql
```

Start the Core API:

```bash
cd core-api
# Fill in your .env (DATABASE_URL, EMAIL, APP_PASSWORD, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID)
go mod download
go run main.go
# Starts on :8000
```

Start the SSH sensor:

```bash
cd sensors/ssh
pip install paramiko requests
python main.py
# Listens on 0.0.0.0:2222
```

Start the HTTP sensor:

```bash
cd sensors/http
pip install flask requests
python main.py
# Listens on 0.0.0.0:8080
```

Point Grafana's provisioning path to `grafana/provisioning/`. The PostgreSQL datasource and all alert rules load automatically on startup.
| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/v1/ingest` | Sensors send security events here |
| GET | `/health` | Liveness check |
| GET | `/api/v1/logs` | View recent attack logs (optional `?protocol=SSH`) |
| GET | `/api/v1/health` | Sensor registry + online/offline status |
```json
{
  "event_id": "550e8400-e29b-41d4-a716-446655440000",
  "timestamp": "2025-05-10T12:00:00Z",
  "sensor_id": "ssh-eu-1",
  "sensor_location": "london",
  "source_ip": "45.33.32.156",
  "attacker_country": "United States",
  "vector": "ssh",
  "interaction_level": "low",
  "payload": {
    "username_attempted": "root",
    "password_attempted": "admin123",
    "commands_executed": [],
    "files_dropped": []
  }
}
```

`vector` must be one of: `ssh`, `http`
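An ingest endpoint is only as trustworthy as the events it accepts, so the API should reject malformed sensor reports rather than store them. The following is an added example, not the project's Go handler: a Python validator for the event shape documented above, plus a builder that assembles an event the way a sensor would. The field list comes from the JSON example and the `vector` constraint from the README; the function names, the extra format checks (UUID, RFC 3339 timestamp, IP address syntax) and the sample inputs are assumptions made for this illustration.

```python
import ipaddress
import json
import uuid
from datetime import datetime, timezone
from typing import Any, Dict, List

# Field names are taken from the README's ingest example; the vector
# constraint is the one the README states. Everything else is assumed.
ALLOWED_VECTORS = ("ssh", "http")
REQUIRED_FIELDS = ("event_id", "timestamp", "sensor_id", "sensor_location",
                   "source_ip", "attacker_country", "vector",
                   "interaction_level", "payload")
REQUIRED_PAYLOAD = ("username_attempted", "password_attempted",
                    "commands_executed", "files_dropped")

# The README's own example event, used here as a known-good input.
SAMPLE_EVENT: Dict[str, Any] = {
    "event_id": "550e8400-e29b-41d4-a716-446655440000",
    "timestamp": "2025-05-10T12:00:00Z",
    "sensor_id": "ssh-eu-1",
    "sensor_location": "london",
    "source_ip": "45.33.32.156",
    "attacker_country": "United States",
    "vector": "ssh",
    "interaction_level": "low",
    "payload": {
        "username_attempted": "root",
        "password_attempted": "admin123",
        "commands_executed": [],
        "files_dropped": [],
    },
}


def build_event(sensor_id: str, sensor_location: str, source_ip: str,
                vector: str, username: str, password: str,
                attacker_country: str = "Unknown") -> Dict[str, Any]:
    """Assemble an ingest event the way a sensor would (hypothetical helper)."""
    return {
        "event_id": str(uuid.uuid4()),
        "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sensor_id": sensor_id,
        "sensor_location": sensor_location,
        "source_ip": source_ip,
        "attacker_country": attacker_country,
        "vector": vector,
        "interaction_level": "low",
        "payload": {
            "username_attempted": username,
            "password_attempted": password,
            "commands_executed": [],
            "files_dropped": [],
        },
    }


def validate_event(event: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the event is well-formed."""
    errors: List[str] = []
    for field in REQUIRED_FIELDS:
        if field not in event:
            errors.append(f"missing field: {field}")
    if errors:
        return errors  # no point checking formats of fields that are absent
    try:
        uuid.UUID(str(event["event_id"]))
    except ValueError:
        errors.append("event_id is not a valid UUID")
    try:
        datetime.fromisoformat(str(event["timestamp"]).replace("Z", "+00:00"))
    except ValueError:
        errors.append("timestamp is not RFC 3339 / ISO 8601")
    try:
        ipaddress.ip_address(str(event["source_ip"]))
    except ValueError:
        errors.append("source_ip is not a valid IP address")
    if event["vector"] not in ALLOWED_VECTORS:
        errors.append("vector must be one of: " + ", ".join(ALLOWED_VECTORS))
    payload = event["payload"]
    if not isinstance(payload, dict):
        errors.append("payload must be an object")
    else:
        for key in REQUIRED_PAYLOAD:
            if key not in payload:
                errors.append(f"payload missing field: {key}")
        for key in ("commands_executed", "files_dropped"):
            if key in payload and not isinstance(payload[key], list):
                errors.append(f"payload.{key} must be a list")
    return errors


def validate_json(raw: str) -> List[str]:
    """Validate a raw request body; a decode failure is reported as one error."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    if not isinstance(event, dict):
        return ["body must be a JSON object"]
    return validate_event(event)


if __name__ == "__main__":
    print("sample event:", validate_event(SAMPLE_EVENT) or "OK")
    print("bad vector:", validate_event(dict(SAMPLE_EVENT, vector="ftp")))
```

Returning every problem at once, rather than the first one, makes the sensor-side error message actionable in a single round trip; the API can then answer 400 with the list and never touch the database.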
```bash
sudo python3 sensors/ssh/main.py
sudo python3 sensors/http/main.py
```

- Run the terminal as Administrator
- Ensure ports 2222 and 8080 are not blocked by the firewall
| Channel | Trigger | Content |
|---|---|---|
| Email (Gmail SMTP) | Every ssh or http event | HTML report: sensor, IP, country, credentials |
| Telegram Bot | Every event regardless of vector | Plain-text alert with vector and source IP |

Both are dispatched in background goroutines, so they never block the API response.
| Alert | Trigger Condition | Check Interval |
|---|---|---|
| SSH Brute-Force | >3 auth attempts from same IP in 5 min | 1 min |
| Traffic Spike | Current rate >3× hourly baseline | 5 min |
| Multi-Service Attack | Same IP hits >2 sensor types in 10 min | 10 min |
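The three alert conditions above are evaluated by Grafana against the PostgreSQL/TimescaleDB event table. To make the rules concrete, the following added example (not the project's provisioned YAML or SQL) implements the same three checks in plain Python over a constructed batch of ingest events, so the thresholds can be exercised offline. Assumptions: events carry the `timestamp`, `source_ip`, `sensor_id` and `vector` fields shown in the ingest example; windows are half-open `[now - window, now)`; "sensor types" is counted as distinct `sensor_id` values, since with only two `vector` values a ">2" rule could never fire; and the traffic baseline is the hour immediately preceding the current 5-minute window. The function names and sample IPs are made up for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Set


def parse_ts(ts: str) -> datetime:
    """Parse the RFC 3339 timestamps the ingest schema uses (UTC, 'Z' suffix)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _in_window(e: Dict[str, Any], start: datetime, end: datetime) -> bool:
    return start <= parse_ts(e["timestamp"]) < end


def ssh_bruteforce(events: List[Dict[str, Any]], now: datetime,
                   window: timedelta = timedelta(minutes=5), threshold: int = 3) -> List[str]:
    """IPs with more than `threshold` SSH attempts inside the trailing window."""
    start = now - window
    counts = Counter(e["source_ip"] for e in events
                     if e["vector"] == "ssh" and _in_window(e, start, now))
    return sorted(ip for ip, n in counts.items() if n > threshold)


def multiservice_attack(events: List[Dict[str, Any]], now: datetime,
                        window: timedelta = timedelta(minutes=10), threshold: int = 2) -> List[str]:
    """IPs that touched more than `threshold` distinct sensors inside the window."""
    start = now - window
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if _in_window(e, start, now):
            seen[e["source_ip"]].add(e["sensor_id"])  # assumption: sensor_id = sensor type
    return sorted(ip for ip, sensors in seen.items() if len(sensors) > threshold)


def traffic_spike(events: List[Dict[str, Any]], now: datetime,
                  current: timedelta = timedelta(minutes=5),
                  baseline: timedelta = timedelta(hours=1), factor: float = 3.0) -> Dict[str, Any]:
    """Compare the current per-minute event rate with the preceding hour's rate."""
    cur_start = now - current
    base_start = cur_start - baseline
    cur_count = sum(1 for e in events if _in_window(e, cur_start, now))
    base_count = sum(1 for e in events if _in_window(e, base_start, cur_start))
    cur_rate = cur_count / (current.total_seconds() / 60)
    base_rate = base_count / (baseline.total_seconds() / 60)
    # Design choice: a silent baseline followed by any traffic counts as a spike.
    return {"current_per_min": cur_rate, "baseline_per_min": base_rate,
            "spike": cur_count > 0 and cur_rate > factor * base_rate}


def _ev(ts: str, ip: str, sensor_id: str, vector: str) -> Dict[str, Any]:
    return {"timestamp": ts, "source_ip": ip, "sensor_id": sensor_id, "vector": vector}


# Constructed sample: an hour of quiet background probing, then a burst at 11:56-11:59.
SAMPLE_EVENTS: List[Dict[str, Any]] = (
    [_ev(f"2025-05-10T11:{m:02d}:00Z", "198.51.100.7", "ssh-eu-1", "ssh")
     for m in (5, 15, 25, 35, 45, 50)]                              # steady background
    + [_ev(f"2025-05-10T11:{m:02d}:00Z", "203.0.113.5", "ssh-eu-1", "ssh")
       for m in (56, 57, 58, 59)]                                   # 4 SSH attempts in 4 min
    + [_ev("2025-05-10T11:57:00Z", "203.0.113.5", "http-eu-1", "http"),
       _ev("2025-05-10T11:58:00Z", "203.0.113.5", "http-us-1", "http")]  # same IP, two HTTP sensors
    + [_ev("2025-05-10T11:58:00Z", "192.0.2.33", "ssh-eu-1", "ssh"),
       _ev("2025-05-10T11:59:00Z", "192.0.2.33", "ssh-eu-1", "ssh")]     # below the threshold
)
NOW = datetime(2025, 5, 10, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    print("SSH brute-force:", ssh_bruteforce(SAMPLE_EVENTS, NOW))
    print("Multi-service:", multiservice_attack(SAMPLE_EVENTS, NOW))
    print("Traffic spike:", traffic_spike(SAMPLE_EVENTS, NOW))
```

Running the same functions with `now` set five minutes earlier shows the quiet state: the current rate is below three times the baseline and no IP has crossed either count threshold, which is the property a Grafana rule needs so that it clears once the burst has left the window.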
Missing sensor dependencies:

```bash
pip install paramiko
pip install flask requests
```

Database connection problems:

- Verify `DATABASE_URL` in `core-api/.env`
- Ensure PostgreSQL is running and accessible

Email alerts not sending:

- Check `EMAIL` and `APP_PASSWORD` in `.env`
- Use a Gmail App Password, not your account password
- Enable "Less secure app access" or use OAuth2

Telegram alerts not arriving:

- Verify `TELEGRAM_BOT_TOKEN` and `TELEGRAM_CHAT_ID` in `.env`
- Start a conversation with your bot first so it can message you

Sensor cannot reach the Core API:

- The Core API on Render may be sleeping; the sensor sends a `/health` ping first to wake it
- Check `API_URL` in the sensor's `main.py`
- Pull requests are welcome!
- Fork the repo, create a feature branch, and open a PR.
- For major changes, open an issue first to discuss what you'd like to change.
- DAani Sam
This project is licensed under the MIT License.
Intended for educational and ethical use only. Do not deploy honeypots on networks you do not own or have explicit permission to monitor.
If you find this project useful, give it a star on GitHub!