Modules

The choice of modular, containerized deployment means that contributors can easily develop new modules. There are currently 6 native honeypot modules, 1 CVE module, and 3 system services.

Note

Port conflict rule: Modules that bind the same host port cannot be deployed together. For example, telnet and cve-2026-24061 both use port 23 — the CLI will reject conflicting combinations.

Summary

| Type | Service / Container | Port(s) | Exposure | Notes |
|---|---|---|---|---|
| Honeypot | melissae_proxy, melissae_apache1, melissae_apache2 | 80 | Public | Web stack via Nginx + Apache |
| Honeypot | melissae_ssh | 22 | Public | Weak creds by design |
| Honeypot | melissae_ftp | 21 | Public | Weak creds by design |
| Honeypot | melissae_modbus | 502 | Public | PLC emulation |
| Honeypot | melissae_mqtt | 1883 | Public | Mosquitto |
| Honeypot | melissae_telnet | 23 | Public | Weak creds by design |
| CVE | melissae_cve_2026_24061 | 23 | Public | CVE-2026-24061 Telnet auth bypass |
| System | melissae_mongo | 127.0.0.1:27017 | Manager only | Data store |
| System | melissae_api | 127.0.0.1:5000 | Manager only | Flask API |
| System | melissae_dashboard | 0.0.0.0:443, 0.0.0.0:8443 | HTTPS + basic auth | Dashboard (:443) + mTLS ingestion (:8443) |
| System | melissae_agent (daemon) | 8444 | Agent only | Health endpoint |

Web

| Type | Image | Container Name |
|---|---|---|
| Proxy | nginx:latest | melissae_proxy |
| Web Server | httpd:2.4-alpine | melissae_apache1 |
| Web Server | httpd:2.4-alpine | melissae_apache2 |

Log format:

[
  {
    "protocol": "http",
    "date": "2025-04-16",
    "hour": "11:47:08",
    "ip": "192.168.X.X",
    "action": "GET",
    "path": "/",
    "user-agent": "Mozilla/5.0"
  }
]

Usage:

  • By default, Melissae provides a basic configuration for both proxy and web server containers, located in modules/web/conf.

  • Place the files for the website you want the honeypot to expose in modules/web/server.

SSH

| Type | Image | Container Name |
|---|---|---|
| SSH Server | ubuntu:latest + openssh | melissae_ssh |

Log format:

[
  {
    "protocol": "ssh",
    "date": "2025-04-16",
    "hour": "11:48:09",
    "ip": "192.168.X.X",
    "action": "Login failed with invalid user",
    "user": "test"
  }
]

Usage:

  • Modify module credentials in modules/ssh/Dockerfile (default: user:admin).

FTP

| Type | Image | Container Name |
|---|---|---|
| FTP Server | debian:bookworm-slim + vsftpd (custom image) | melissae_ftp |

Log format:

[
  {
    "protocol": "ftp",
    "date": "2025-04-16",
    "hour": "11:48:37",
    "ip": "192.168.X.X",
    "action": "Login failed",
    "user": "test"
  }
]

Usage:

  • The directory shared with the FTP container is modules/ftp/server.

  • The image is built locally from modules/ftp/Dockerfile (Debian slim + vsftpd with an explicit PAM stack); base configuration lives in modules/ftp/conf/vsftpd.conf.

  • Modify module credentials in modules/ftp/Dockerfile (default: ftpuser:ftppass).

Modbus

| Type | Image | Container Name |
|---|---|---|
| Modbus TCP Server | python:3.11-slim | melissae_modbus |

Log format:

[
  {
    "protocol": "modbus",
    "date": "2025-05-30",
    "hour": "10:38:23",
    "ip": "192.168.X.X",
    "action": "Read request - Read Holding Registers"
  },
  {
    "protocol": "modbus",
    "date": "2025-05-30",
    "hour": "10:41:22",
    "ip": "192.168.X.X",
    "action": "Write attempt - Write Multiple Registers"
  }
]

Features:

  • Industrial PLC Emulation — Simulates Siemens S7-1200 and Schneider Electric M340 PLCs.

  • Randomized Device Identifiers — Generates unique serial numbers and firmware versions on each startup.

  • Protocol Detection — Logs all Modbus function codes (read/write operations).

  • Threat Escalation — Write attempts trigger high-severity threat alerts.

Usage:

  • Default Profile: Siemens S7-1200 (modify in modules/modbus/Dockerfile to use schneider profile).

  • Port: Standard Modbus TCP port 502.

  • Device Profiles:

    • Siemens — S7-xxxxxx serials, V3.x-V4.x firmware, 1000 registers.

    • Schneider — M340-xxxxx-X serials, V2.x-V3.x firmware, 2000 registers.

MQTT

| Type | Image | Container Name |
|---|---|---|
| Mosquitto Server | eclipse-mosquitto:latest | melissae_mqtt |

Log format:

[
  {
    "protocol": "mqtt",
    "date": "2025-09-12",
    "hour": "08:56:25",
    "ip": "192.168.X.X",
    "action": "Client connected"
  },
  {
    "protocol": "mqtt",
    "date": "2025-09-12",
    "hour": "08:57:17",
    "ip": "192.168.X.X",
    "action": "Subscribe",
    "user": "auto-XX"
  }
]

Telnet

| Type | Image | Container Name |
|---|---|---|
| Telnet Server | ubuntu:24.04 + inetutils-telnetd | melissae_telnet |

Log format:

[
  {
    "protocol": "telnet",
    "date": "2026-02-15",
    "hour": "09:12:34",
    "ip": "192.168.X.X",
    "action": "Connection established"
  },
  {
    "protocol": "telnet",
    "date": "2026-02-15",
    "hour": "09:12:41",
    "ip": "192.168.X.X",
    "action": "Login failed",
    "user": "admin"
  },
  {
    "protocol": "telnet",
    "date": "2026-02-15",
    "hour": "09:13:02",
    "ip": "192.168.X.X",
    "action": "Login successful",
    "user": "admin"
  }
]

Usage:

  • Modify credentials in modules/telnet/Dockerfile (default: admin:telnet).

  • Logs are written to agent/logs/telnet/auth.log (mounted from the container).

CVE Modules

CVE modules are a dedicated category of honeypots that reproduce specific, real-world vulnerabilities. Unlike generic protocol honeypots, they are designed to attract and detect exploitation attempts targeting known CVEs.

Each CVE module lives under modules/cve/<CVE-ID>/ and follows a standard structure:

modules/cve/CVE-YYYY-XXXXX/
    |-- Dockerfile
    |-- startup.sh
    |-- logs/

Log entries from CVE modules include a cve field in addition to the standard fields, enabling CVE-specific filtering in the dashboard search engine (e.g. cve:CVE-2026-24061).

CVE-2026-24061: Telnet Auth Bypass

| Property | Value |
|---|---|
| CVE | CVE-2026-24061 |
| CVSS | 9.8 CRITICAL |
| CWE | CWE-88 Improper Neutralization of Argument Delimiters in a Command |
| Affected | GNU Inetutils telnetd ≤ 2.7 |
| Container | melissae_cve_2026_24061 |
| Port | 23 (Telnet) |
| Image | Ubuntu 24.04 + inetutils-telnetd 2:2.5-3ubuntu4 |

Vulnerability: The -f flag in GNU inetutils telnetd allows an attacker to bypass authentication entirely by injecting -froot as the USER environment variable during connection. The flag is interpreted by login as “pre-authenticated”, granting immediate root access without credentials.
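The CWE-88 pattern behind this bug, shown as an added example (not telnetd's source or its patch, and not Melissae code): a client-supplied USER value placed into login's argument vector, beside a hardened builder. The argv layout, the function names and the account-name pattern are assumptions for illustration, and the `--` separator assumes getopt-style option parsing.

```python
import re

# Conservative account-name pattern (assumption; adjust to local naming policy).
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def login_argv_unsafe(host, user):
    """Vulnerable pattern: the client-supplied USER lands where login parses options."""
    return ["/bin/login", "-p", "-h", host, user]


def login_argv_hardened(host, user):
    """Reject option-like or malformed names and end option parsing before the name."""
    if not USER_RE.fullmatch(user):
        raise ValueError(f"rejected USER value: {user!r}")
    return ["/bin/login", "-p", "-h", host, "--", user]


def option_like(argv):
    """Arguments a getopt-style parser would treat as options (everything before '--')."""
    opts, args = [], iter(argv[1:])
    for arg in args:
        if arg == "--":
            break
        if arg.startswith("-") and len(arg) > 1:
            opts.append(arg)
            if arg == "-h":
                next(args, None)  # -h takes the host as its argument
    return opts


if __name__ == "__main__":
    host = "192.0.2.1"  # constructed documentation address
    print(option_like(login_argv_unsafe(host, "-froot")))    # USER value parsed as an option
    print(option_like(login_argv_hardened(host, "admin")))   # only the fixed options remain
    try:
        login_argv_hardened(host, "-froot")
    except ValueError as exc:
        print(exc)
```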

Log format:

[
  {
    "protocol": "telnet",
    "date": "2026-01-15",
    "hour": "14:32:08",
    "ip": "192.168.X.X",
    "action": "Connection opened",
    "cve": "CVE-2026-24061"
  },
  {
    "protocol": "telnet",
    "date": "2026-01-15",
    "hour": "14:32:12",
    "ip": "192.168.X.X",
    "action": "Root login successful",
    "user": "root",
    "cve": "CVE-2026-24061"
  }
]

Usage:

  • No configuration needed — the module runs with default settings.
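
A triage pass over entries in the log formats above, covering the Modbus write-attempt escalation and the `cve:` field filter. This is an added example, not Melissae's own code: the sample entries are constructed, the `field:value` matcher only mimics the query form shown on this page, and every severity rule except the Modbus write rule is an assumption.

```python
import json

# Constructed sample entries in the formats shown on this page (addresses are made up).
SAMPLE_LOGS = json.loads("""[
 {"protocol": "modbus", "date": "2025-05-30", "hour": "10:38:23",
  "ip": "192.0.2.10", "action": "Read request - Read Holding Registers"},
 {"protocol": "modbus", "date": "2025-05-30", "hour": "10:41:22",
  "ip": "192.0.2.10", "action": "Write attempt - Write Multiple Registers"},
 {"protocol": "telnet", "date": "2026-01-15", "hour": "14:32:08",
  "ip": "198.51.100.7", "action": "Connection opened", "cve": "CVE-2026-24061"},
 {"protocol": "telnet", "date": "2026-01-15", "hour": "14:32:12",
  "ip": "198.51.100.7", "action": "Root login successful", "user": "root",
  "cve": "CVE-2026-24061"},
 {"protocol": "telnet", "date": "2026-02-15", "hour": "09:12:41",
  "ip": "203.0.113.5", "action": "Login failed", "user": "admin"}
]""")


def matches(entry, query):
    """True if every 'field:value' term equals the entry's field (case-insensitive)."""
    for term in query.split():
        field, sep, value = term.partition(":")
        if not sep or str(entry.get(field, "")).lower() != value.lower():
            return False
    return True


def severity(entry):
    """Hypothetical rule set; only the Modbus write rule is stated on the page."""
    action = entry.get("action", "")
    if entry.get("protocol") == "modbus" and action.startswith("Write attempt"):
        return "high"
    if "cve" in entry and "login successful" in action.lower():
        return "high"    # assumption: successful login on a CVE module = exploitation
    if "cve" in entry:
        return "medium"  # assumption: any contact with a CVE module is notable
    return "low"


def triage(entries, query=""):
    """Rows of (timestamp, ip, severity, action) for matching entries, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(f"{e['date']} {e['hour']}", e["ip"], severity(e), e["action"])
            for e in entries if matches(e, query)]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS, "cve:CVE-2026-24061"):
        print(*row, sep=" | ")
```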