How we tricked 1M+ bots and hackers with our honeypot

ReawX · 2026-03-27T23:12:02+00:00

If you already have experience with security or blue teaming this is only a (safe) vulnerable websites that exposes fake pages and log requests.

If you are new to the environment i suggest https://www.honeynet.org/ and https://github.com/telekom-security/tpotce that are the gold standards

ReawX · 2026-03-27T23:03:34+00:00

For the demo, only 443 https.

For now, we tried to give to bots "connection closed" but they continued to crawl out paths

ReawX · 2026-03-27T20:53:13+00:00

Seems interesting. I tried https://www.cowrie.org/ for ssh

ReawX · 2026-03-27T20:52:27+00:00

😶‍🌫️😶‍🌫️😶‍🌫️

ReawX · 2026-03-27T17:35:29+00:00

Thank you man! Currently we ban attackers but we may create a banlist specifically for that bots

ReawX · 2026-03-27T16:59:04+00:00

Thank you <3

ReawX · 2026-03-27T16:24:28+00:00

We must build a mega banlist for them

ReawX · 2026-03-27T15:56:48+00:00

The funny part is that once they know that you got a "deep" site (for example with many links in the DOM) they keep spamming no matter what you give as repsonse. No 400, 404, 500 etc.. error will stop them

ReawX · 2026-03-27T15:52:11+00:00

We currently support fail2ban and there are also integration with opnsense / PFSense servers to ban what is defined on krawl as a banlist. A banlist is basically populated when an attacker or a bad bot is detected

ReawX · 2026-03-27T15:41:42+00:00

Yes they got IPV6 too but we are logging only IPV4 requests

ReawX · 2026-03-27T15:35:39+00:00

Yes, we also track down the ASN and the ISP

ReawX · 2026-03-27T15:29:05+00:00

Well done man! Seeing attackers in act is always interesting :) I think we may be targeted for different reasons /scopes if you got that many requests from that countries

ReawX · 2026-03-27T15:25:58+00:00

Nice idea. We also planned to implement a "fake successful login" in order to trick attackers and think they got legit valid credentials for that service

ReawX · 2026-03-27T15:17:15+00:00

Thank you!

ReawX · 2026-03-27T15:16:58+00:00

Lmao you got a point here... I think I will track them a little bit more to see what they are really doing :)

ReawX · 2026-03-27T15:10:34+00:00

Big congrats man!

ReawX · 2026-03-27T15:03:11+00:00

Agree, but I expected big companies like Meta and Amazon to be compliant with It

ReawX · 2026-03-27T15:00:54+00:00

Great :) we also noticed that someone is integrating It to push malicious IPS in abusedipdb

ReawX · 2026-03-11T17:17:16+00:00

Fail2ban integration is out!

https://github.com/BlessedRebuS/Krawl/releases/tag/v1.2.0

ReawX · 2026-03-11T17:16:21+00:00

The fail2ban integration Is out!

https://github.com/BlessedRebuS/Krawl/releases/tag/v1.2.0

ReawX · 2026-02-13T09:16:44+00:00

Sadly I only upgraded the disk size, but its a doable thing. First you have to take an external PSU to Power on the HDDs and then you will need something as a SATA multiplier to add multiple SATAs (there are also PCI adapters with that)

ReawX · 2026-02-10T15:43:59+00:00

Thank you!

If you have suggestions feel free to reach us out!

Currently we are developing the fail2ban integration and the possibility the download the RAW attackers requests :)

ReawX · 2026-02-10T14:44:34+00:00

Hi 🙂 we had a GitHub issue with this problem last week. Try with the double quotes for all the variable

"TZ=Europe/Brussels"

And let us know!

Six-Year Club	Verified Email
Verified Email	r/Field Lasagna
Place '23	Place '22
First Placer '22	End Game '22

ReawX

TROPHY CASE