A Rust-based SSH honeypot server with virtual filesystem emulation powered by SQLite, implementing a micro-DB architecture for scalable and deceptive Linux environment simulation.
- SSH Server: Accepts connections on configurable port (default: 2222)
- Virtual Filesystem: Segregated SQLite databases for system files and per-user home directories
- Micro-DB Structure:
  - Central `os.db` for Debian system files (excludes auth files for deception)
  - Per-user `users_<username>.db` for isolated personas
- Tiered Command Resolution:
- Tier 1: Native in-memory commands (pwd, whoami, uname, echo, etc.)
- Tier 2: Virtual filesystem operations (ls, cat, touch, mkdir, chmod, mv)
- Tier 3: Not implemented (returns "command not found")
- Session Logging: Encrypted JSON logs with HMAC signatures
- Memory Safety: Written in Rust for protection against buffer overflows

```
mayajal-core/
├── Cargo.toml          # Dependencies and build config
├── Cargo.lock          # Locked dependency versions
├── Dockerfile          # Container setup
├── README.md           # This file
├── src/
│   ├── main.rs         # Entry point and CLI args
│   ├── db.rs           # Database initialization and connections
│   ├── fs.rs           # Filesystem operations (read/write/ls/etc)
│   ├── server.rs       # SSH server implementation
│   ├── commands.rs     # Command parsing and resolution
│   ├── logging.rs      # Session and auth logging
│   ├── state.rs        # Session state management
│   └── utils.rs        # Utilities (timestamps, HMAC, path normalization)
├── db/                 # Database files (created at runtime)
│   ├── os.db           # Central OS database
│   └── users_alice.db  # Sample per-user database
└── logs/               # Output logs (created at runtime)
    ├── honeypot.log    # Command execution logs
    └── auth.log        # Authentication attempt logs
```

- Rust 1.75+ (stable)
- Cargo (comes with Rust)
- SQLite3 (bundled via rusqlite)

```bash
cd mayajal-core
cargo build --release
```

The project automatically creates and seeds databases on first run:

```bash
cargo run --release -- --init
```

This will:
- Create/initialize `db/os.db` with Debian system files
- Create/initialize `db/users_alice.db` with alice's home directory
- Start the SSH server on `0.0.0.0:2222`

```bash
# With default settings
cargo run --release -- --init

# Or with custom paths
cargo run --release -- \
  --os-db db/os.db \
  --user-db db/users_alice.db \
  --bind 127.0.0.1 \
  --port 2222 \
  --init

# Set log level
RUST_LOG=debug cargo run --release -- --init
```

```bash
# SSH to honeypot
ssh -p 2222 alice@localhost
# Use password: alice123

# Or via SSH client:
# ssh -p 2222 -o StrictHostKeyChecking=no alice@localhost
```

- `pwd` - Print working directory
- `whoami` - Current user
- `uname [-a]` - System information
- `cd <path>` - Change directory
- `echo <text>` - Echo text
- `history` - Show command history
- `clear` - Clear screen
- `help` - Show available commands
- `exit`, `quit`, `logout` - Disconnect

- `ls [path]` - List directory contents
- `cat <file>` - Read file (text/binary)
- `touch <file>` - Create empty file
- `mkdir <path>` - Create directory
- `chmod <perms> <file>` - Change permissions
- `mv <src> <dst>` - Move/rename file
- `write <file>` - (Future) Write file

```
$ ssh -p 2222 alice@localhost
password: alice123
Welcome to Debian Honeypot!
last login: never
$ pwd
/home/alice
$ ls
projects Documents .bashrc .ssh
$ cat projects/notes.txt
Project ideas:
- Implement VFS
- Add LLM integration
- Docker scaling
$ cd projects
$ mkdir archive
$ touch archive/backup.txt
$ exit
```

```bash
docker build -t mayajal-honeypot .
```

```bash
# Mount os.db from host (paths quoted so directories containing spaces work)
docker run -p 2222:2222 \
  -v "$(pwd)/db/os.db:/app/db/os.db" \
  -v "$(pwd)/logs:/app/logs" \
  mayajal-honeypot

# Or with custom environment variables
docker run -p 2222:2222 \
  -e RUST_LOG=info \
  -v "$(pwd)/db/os.db:/app/db/os.db" \
  -v "$(pwd)/logs:/app/logs" \
  mayajal-honeypot \
  --os-db /app/db/os.db \
  --user-db /app/db/users_alice.db
```

| Column | Type | Notes |
|---|---|---|
| id | INTEGER | Primary key, auto-increment |
| path | TEXT | Unique file path |
| content | BLOB | File content (NULL for dirs) |
| permissions | TEXT | Unix permissions (e.g., 0755) |
| owner | TEXT | File owner (e.g., root, alice) |
| owner_group | TEXT | File group (e.g., root, users) |
| size | INTEGER | File size in bytes |
| mtime | TEXT | Modification time (ISO 8601) |
| atime | TEXT | Access time (ISO 8601) |
| ctime | TEXT | Change time (ISO 8601) |
| is_dir | BOOLEAN | 1 if directory, 0 if file |

| Column | Type | Notes |
|---|---|---|
| username | TEXT | Primary key |
| password_hash | TEXT | Password (plain for PoC) |
| home_dir | TEXT | Home directory path |
| description | TEXT | User description/full name |
| role | TEXT | Job role (for personas) |
| company | TEXT | Company name |
| location | TEXT | Geographic location |

JSON entries with HMAC signature for command execution:

```
{"timestamp":"2026-02-08T10:30:15Z","user":"alice","ip_address":"127.0.0.1","cwd":"/home/alice","command":"ls","output":"projects Documents","user_db_path":"db/users_alice.db"}|<HMAC_SIGNATURE>
```

Simple text format for authentication attempts:

```
[2026-02-08T10:30:10Z] AUTH SUCCESS - User: alice, IP: 127.0.0.1
[2026-02-08T10:30:20Z] AUTH FAILED - User: bob, IP: 192.168.1.10
```
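
An analyst-side check for the `honeypot.log` format above (JSON entry, `|`, HMAC signature), added here as an example and not taken from the project's code. It assumes a hex-encoded HMAC-SHA256 over the exact JSON text, which this README does not specify; the function names, key and sample entries are constructed. Because logged commands can themselves contain `|`, the line is split on the last separator.

```python
import hashlib
import hmac
import json

def sign_entry(entry: dict, key: bytes) -> str:
    """Build one log line. Assumed scheme: hex HMAC-SHA256 over the compact JSON text."""
    payload = json.dumps(entry, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def verify_line(line: str, key: bytes):
    """Return the parsed entry if the signature matches, else None."""
    # Split on the LAST '|': attacker-typed commands may contain '|' themselves.
    payload, sep, tag = line.rstrip("\n").rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes operands accept any input without raising.
    if not hmac.compare_digest(expected.encode(), tag.strip().lower().encode()):
        return None
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None

def audit(lines, key: bytes):
    """Return (verified entries, 1-based numbers of lines that failed verification)."""
    good, bad = [], []
    for n, line in enumerate(lines, start=1):
        entry = verify_line(line, key)
        if entry is None:
            bad.append(n)
        else:
            good.append(entry)
    return good, bad

# Constructed sample data: the key and both entries are illustrative only.
KEY = b"constructed-demo-key"
BASE = {"timestamp": "2026-02-08T10:30:15Z", "user": "alice",
        "ip_address": "127.0.0.1", "cwd": "/home/alice"}
SAMPLE = [
    sign_entry({**BASE, "command": "ls", "output": "projects Documents"}, KEY),
    sign_entry({**BASE, "command": "echo a|b", "output": "a|b"}, KEY),
]
# Simulate after-the-fact tampering: rewrite the command recorded in line 1.
TAMPERED = [SAMPLE[0].replace('"command":"ls"', '"command":"id"'), SAMPLE[1]]

if __name__ == "__main__":
    print(audit(SAMPLE, KEY)[1], audit(TAMPERED, KEY)[1])
```
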

```bash
cargo run --release -- --help
```

Options:
- `--os-db <PATH>` - Central OS database (default: db/os.db)
- `--user-db <PATH>` - Per-user database (default: db/users_alice.db)
- `--bind <ADDR>` - SSH server bind address (default: 0.0.0.0)
- `--port <PORT>` - SSH server port (default: 2222)
- `--init` - Initialize/seed databases on startup

- `RUST_LOG` - Set logging level (debug, info, warn, error)

```bash
RUST_LOG=debug cargo run --release -- --init
```

```bash
cargo test
cargo test -- --nocapture        # Show output
cargo test -- --test-threads=1   # Serial execution
```

```bash
cargo doc --open
cargo fmt
cargo clippy
```

- Password Storage: Passwords stored as plaintext in user DB (use hash in production)
- Command Parsing: No pipe/redirect support (`|`, `>`, `<`)
- Interactive Commands: No vim, nano, less, bash REPL
- Network: No actual network operations (`curl`, `wget`, etc.)
- Process Management: No background jobs, `ps`, `kill`
- Cross-DB Operations: File moves limited to same DB
- No LLM Integration: Tier 3 commands not delegated to LLM
- Single User: Pre-configured for single user (alice); extend via container-per-user

- Integration with Deception Engine (LLM-1) for Tier 3 commands
- Persona Factory for diverse user profiles
- Docker container-per-user scaling
- Full bash parsing and execution
- Network simulation (TCP/UDP, DNS)
- Process and job management
- Lateral movement detection
- Production-grade authentication (bcrypt, OTP)
- Metrics and alerting integration
- Real-time visualization of attacks

```bash
# Use a different port
cargo run --release -- --port 3333 --init
```

```bash
# Recreate databases
rm -rf db/
cargo run --release -- --init
```

```bash
# Check server is running and listening
lsof -i :2222
netstat -tlnp | grep 2222
```

```bash
RUST_LOG=debug cargo run --release -- --init
```

- Run in Isolated VM: Never expose to untrusted networks
- User Isolation: Per-container user DBs prevent cross-user data leaks
- No Real Credentials: Honeypot passwords are fake; don't reuse elsewhere
- Log Encryption: HMAC signatures verify log integrity (not for secrets)
- Memory Safety: Rust prevents buffer overflows and use-after-free

- Māyājāl Research Paper: See `Māyājāl Research Paper - 1st Draft.pdf`
- Russh SSH Library: https://github.com/warp-tech/russh
- Rusqlite: https://github.com/rusqlite/rusqlite
- Tokio Async Runtime: https://tokio.rs
Internal Use / Research Project
- Implementation: Param Jasani, Nihar Kore
- Original Research: Māyājāl Framework
For questions or contributions, contact: [research team email]
Last Updated: February 8, 2026
Version: 0.1.0 (PoC - Micro-DB Structure)
State: Active Development