DEV Community

Patrick Di Fazio
Krawl: A modern Honeypot and Deception server 🍯

I wanted to share an open‑source project I’ve been working on and get feedback from people interested in web security, self‑hosting, and deception techniques :)

GitHub repository:
https://github.com/BlessedRebuS/Krawl

What is Krawl?

Krawl is a cloud‑native deception server designed to detect, delay, and analyze malicious web crawlers and automated scanners.

It exposes realistic fake web applications populated with common “low‑hanging fruit” such as admin panels, configuration files, and exposed (fake) credentials. These decoys attract suspicious activity and make it easier to distinguish malicious behavior from legitimate crawlers.

By intentionally wasting attacker resources, Krawl helps surface useful signals such as attack paths, IP addresses, and user agents.

Demo and Project

You can see a demo here:

Live demo:
http://demo.krawlme.com

Dashboard:
http://demo.krawlme.com/das_dashboard

Key Features

  • Spider trap pages with infinite random links to exhaust automated crawlers
  • Fake login pages including WordPress, phpMyAdmin, and generic admin panels
  • Honeypot paths advertised via robots.txt to attract scanners
  • Realistic fake credentials and secrets
  • Optional canary token integration for external alerting
  • Real‑time dashboard for monitoring suspicious activity
  • JSON‑based wordlists for easy customization
  • Random error injection to mimic real server misconfigurations

Real‑World Results

We've been running a self‑hosted instance of Krawl in a homelab for about two weeks, and the results have been interesting:

  • A very clear separation between legitimate crawlers (such as Meta and Amazon) and malicious scanners
  • Over 350,000 total requests logged
  • Many attempts to access sensitive or deceptive paths
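The mechanics behind the feature list and the crawler/scanner separation above, as an added example (not Krawl's own code): a robots.txt that advertises decoy paths as Disallow rules, a seeded spider-trap page whose links only lead to deeper trap pages, and a classifier over combined-format access-log lines that flags any client which requests a path robots.txt told it to avoid. The decoy paths, log lines, IPs and user agents are constructed for this example.

```python
import random
import re
from html import escape

# Constructed decoy paths for this example (not Krawl's actual wordlist).
HONEYPOT_PATHS = ["/wp-login.php", "/phpmyadmin/", "/.env", "/admin/", "/trap/"]

def robots_txt(paths=HONEYPOT_PATHS) -> str:
    """Advertise the decoys as Disallow rules. A well-behaved crawler reads this
    and skips them; a client that then requests one has ignored robots.txt."""
    return "\n".join(["User-agent: *", *(f"Disallow: {p}" for p in paths)]) + "\n"

def spider_trap_page(depth: int, seed: int, n_links: int = 10) -> str:
    """One page of an unbounded link graph; seeding by (seed, depth) makes a re-fetch identical."""
    rng = random.Random(f"{seed}:{depth}")
    slugs = ["".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=8)) for _ in range(n_links)]
    links = "".join(f'<a href="/trap/{depth + 1}/{escape(s)}">{escape(s)}</a>' for s in slugs)
    return f"<html><body>{links}</body></html>"

# Combined log format as written by nginx/Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def honeypot_hits(log_lines, disallowed=HONEYPOT_PATHS) -> dict[str, list[str]]:
    """Map each client IP to the decoy paths it requested (empty list = never touched one)."""
    hits: dict[str, list[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, path = m["ip"], m["path"]
        bucket = hits.setdefault(ip, [])
        if any(path == d or path.startswith(d) for d in disallowed):
            bucket.append(path)
    return hits

def classify(log_lines) -> dict[str, str]:
    """'scanner' for any client that requested a Disallow'd decoy, else 'crawler'."""
    return {ip: ("scanner" if paths else "crawler") for ip, paths in honeypot_hits(log_lines).items()}

# Constructed sample access-log lines (RFC 5737 documentation addresses, made-up user agents).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
    '198.51.100.9 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /admin/config.php HTTP/1.1" 404 80 "-" "python-requests/2.31"',
]
```

`classify(SAMPLE_LOG)` labels 203.0.113.5 a crawler and 198.51.100.9 a scanner; in a real deployment the trap pages and decoy paths are what generate those log lines.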

The goal is to make deception realistic enough to fool automated tools, while remaining useful for defenders and researchers who want to detect and blacklist malicious actors.

If you’re interested in honeypots, web security, or deception‑based defense, I’d love to hear your thoughts or see you contribute :)
