You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Autonomous Multi-Protocol Defense System – honeypot deception + live threat scoring + adaptive response.
Built by Aidan, Lathe, Nick, Andrew
What it does
GhostWall detects and responds to network attacks across SSH, HTTP, and FTP. It has two runtime modes that can be used independently or together:
Mode
Description
Docker stack
Two-container setup (Cowrie honeypot + FastAPI app) that watches Cowrie's JSON log, scores threats, and serves a web dashboard
Native runtime
Standalone Python process that sniffs packets with Scapy, runs a fake SSH proxy (fssh) that transparently routes attackers to Cowrie, and displays a live curses TUI with LLM-powered debrief
Dry-run (default) or real nftables bans at ORANGE/RED levels
Dashboard
Single-page web UI at http://localhost:8000
tui.py
Optional Textual terminal UI that polls the FastAPI backend
# 1. Clone and enter the repo
git clone <repo-url>&&cd GhostWall
# 2. Build and start everything
docker compose up --build
# 3. Open dashboard
open http://localhost:8000
# 4. (Optional) run the Textual TUI
pip install textual httpx
python3 tui.py
# 5. Simulate an attack (from another terminal)foriin$(seq 1 50);do
ssh -p 2222 -o StrictHostKeyChecking=no root@localhost exit2>/dev/null
sleep 0.3
done
Option B — Native runtime (requires root + Scapy)
# 1. Install dependencies
pip install -r requirements-tui.txt # for TUI# scapy also required for scanner# 2. Move real SSH off port 22 first (example: port 47832)# 3. Run the TUI (packet sniffing + fssh + curses dashboard)
./run.sh
run.sh sets all required env vars and launches TUI/tui.py:
Live threat status (score, level, why, actions, metrics, top IPs, top usernames)
GET
/api/events
Recent raw events from SQLite
GET
/api/timeline
Score snapshots for the timeline graph
GET
/api/sessions
Honeypot sessions grouped by session ID (last 24 h)
POST
/api/score/reset
Manually reset threat score to 0
Configuration
Docker stack environment variables
Env var
Default
Description
COWRIE_LOG_PATH
/cowrie-logs/cowrie.json
Path to Cowrie JSON log (mounted read-only)
DB_PATH
/data/shield.db
SQLite database path
DRY_RUN
true
Set to false to enable real nftables enforcement
Native runtime environment variables
Env var
Default
Description
DEFENSE_MODE
detect
detect = log actions only; auto-block = enforce via nftables
DEFENSE_FIREWALL_BACKEND
nftables
Firewall backend for enforcement
FSSH_LISTEN_PORT
22
Port the fake SSH proxy binds
FSSH_REAL_SSH_PORT
47832
Port real SSH is running on (for whitelisted IPs)
FSSH_WHITELIST
``
Comma-separated IPs routed to real SSH
FSSH_FORCE_HONEYPOT
``
Comma-separated IPs forced to Cowrie even if whitelisted
FSSH_BLACKLIST_FILE
fssh_blacklist.txt
Persistent blacklist path
DEFENSE_COWRIE_PORT
2222
Cowrie port for SSH redirect
GHOSTWALL_LLM_BACKEND
heuristic
heuristic or ollama for post-attack debrief
GHOSTWALL_LLM_MODEL
llama3.2:3b
Ollama model name
Responsible use
The fake SSH proxy (fssh) listens on port 22 and transparently forwards traffic — move real SSH to another port (e.g. 47832) before starting the native runtime.
The Cowrie honeypot runs on port 2222 only.
The defense module defaults to dry-run / detect – all bans are logged, not enforced, unless DRY_RUN=false (Docker) or DEFENSE_MODE=auto-block (native runtime).
For production exposure, place behind a VPN or IP allowlist; never expose honeypot ports publicly without understanding the implications.