Real-time intrusion detection system with Discord alerts for Linux environments
Honeyfile Security Monitor is a lightweight, Python-based intrusion detection tool that monitors decoy files (honeypots) and sends instant Discord alerts when unauthorized access is detected. Built for Raspberry Pi and home lab security monitoring.
What is a honeyfile? A decoy file designed to look valuable (like "CreditCards_2026.xlsx") that contains fake data. When someone accesses or modifies it, you immediately know there's a potential security breach.
- Home Lab Security - Monitor sensitive directories on your Raspberry Pi or home server
- Intrusion Detection - Get instant alerts via Discord when files are accessed
- Security Learning - Hands-on experience with security monitoring and incident response
- Threat Research - Study attacker behavior and file access patterns

- Instant Detection - Alerts triggered immediately on file modifications, moves, and deletions
- Discord Integration - Real-time notifications sent to your security channel (TESTED & WORKING)
- Low Resource Usage - Minimal CPU/memory footprint (~20MB RAM, <1% CPU)
- 24/7 Operation - Runs as systemd service with automatic restart on failure
- Multiple Event Types - Tracks MODIFIED, DELETED, MOVED, and CREATED events
When an intrusion is detected, the system automatically captures:
- System Information
  - Hostname and operating system details
  - OS version and architecture (x86_64, ARM, etc.)
  - System uptime
- Network Context
  - Local IP address of the machine
  - MAC address of network interface
  - Count of active network connections
- User Attribution
  - Username of the file accessor
  - User ID (UID) and Group ID (GID)
- Process Context
  - Top 5 running processes at time of access
  - Helps identify malicious processes or scripts
- Precise Timestamps
  - Millisecond-accurate event logging
  - ISO 8601 format for easy parsing

- Discord Webhooks - Instant team notifications with rich embedded messages
- Structured Logging - Machine-readable logs at `/var/log/honeyfile.log`
- Console Output - Beautifully formatted terminal alerts with emojis
- Email Alerts (Optional) - SMTP notifications via Gmail, Outlook, or custom servers
```
┌─────────────────────────────┐
│        Honeypot File        │
│   "CreditCards_2026.xlsx"   │  ← Appears to contain sensitive data
│    (Actually fake data)     │
└──────────────┬──────────────┘
               │
               │  Attacker/Process accesses file
               ▼
┌─────────────────────────────┐
│    Watchdog File Monitor    │  ← Python library monitoring filesystem
│     (inotify on Linux)      │
└──────────────┬──────────────┘
               │
               │  File event detected (modify/move/delete)
               ▼
┌─────────────────────────────┐
│  Forensic Data Collection   │  ← Gather intelligence
│  • IP & MAC addresses       │
│  • Username & UID           │
│  • Running processes        │
│  • System state             │
└──────────────┬──────────────┘
               │
               │  Format alert with forensic data
               ▼
┌─────────────────────────────┐
│    Multi-Channel Alerts     │
├─────────────────────────────┤
│  ✓ Discord (instant)        │
│  ✓ Log file (persistent)    │
│  ✓ Terminal (if running)    │
│  ✓ Email (optional)         │
└─────────────────────────────┘
```
Key advantage: Unlike simple file monitoring, this system provides full forensic context, making it easy to identify WHO accessed the file, WHEN, and WHAT else was running on the system.
```bash
# Python 3.7 or higher
python3 --version
# Linux-based OS (tested on Raspberry Pi OS, Ubuntu, Debian)
uname -a
```

```bash
# Method 1: pip (recommended for most users)
pip3 install watchdog requests
# Method 2: System packages (for Raspberry Pi)
sudo apt update
sudo apt install python3-watchdog python3-requests -y
```

```bash
git clone https://github.com/AlexPGAO/honeyfile-monitor.git
cd honeyfile-monitor
```

```bash
# Create a convincing decoy file
# The quoted 'EOF' stops the shell from expanding $15, $8, ... inside the balances
cat > ~/Desktop/CreditCards_2026.xlsx << 'EOF'
Account Number,Cardholder Name,CVV,Expiry Date,Balance
4532-1234-5678-9010,John Doe,123,12/27,$15,234.56
5555-4444-3333-2222,Jane Smith,456,06/28,$8,901.23
6011-7777-8888-9999,Bob Johnson,789,03/29,$42,567.89
3782-822463-10005,Alice Williams,321,09/26,$23,456.78
EOF
```

Important: This file contains FAKE data. Never use real sensitive information.
Get your webhook URL:
- Open Discord → Right-click server → Server Settings
- Integrations → Webhooks → New Webhook
- Name: "Honeyfile Security Alert"
- Channel: Select your security/alerts channel
- Copy Webhook URL
Update the script:

```bash
nano honeyfile.py
```

Find and update these lines:

```python
# Line 18: Update with your username
HONEYPATH = "/home/YOUR_USERNAME/Desktop/CreditCards_2026.xlsx"
# Line 22: Paste your Discord webhook URL
DISCORD_WEBHOOK_URL = "https://discord.com/api/webhooks/YOUR_WEBHOOK_HERE"
# Line 23: Enable Discord alerts
ENABLE_DISCORD = True  # Change from False to True
```

Save and exit (Ctrl+O, Enter, Ctrl+X)

```bash
python3 honeyfile.py
```

You should see:

```
Enhanced Honeyfile Watcher Starting...
Monitoring: /home/username/Desktop/CreditCards_2026.xlsx
Log file: /var/log/honeyfile.log
Discord alerts: ENABLED
Email alerts: DISABLED
Press Ctrl+C to stop
==================================================
```

Open another terminal and trigger an alert:

```bash
# Single quotes keep the shell from expanding $9 inside the fake balance
echo '9999-8888-7777-6666,Hacker,999,01/30,$999,999.99' >> ~/Desktop/CreditCards_2026.xlsx
```

You should see:
- Detailed alert in the terminal
- Message appear in your Discord channel
- Entry written to `/var/log/honeyfile.log`
```python
# Line 18: Honeyfile location
HONEYPATH = "/home/username/Desktop/CreditCards_2026.xlsx"
# Line 19: Log file location
LOGFILE = "/var/log/honeyfile.log"
# Note: You may need sudo permissions for /var/log/
# Alternative: LOGFILE = "/home/username/honeyfile.log"
```

```python
# Lines 22-23
DISCORD_WEBHOOK_URL = "https://discord.com/api/webhooks/1234567890/AbCdEfGhI..."
ENABLE_DISCORD = True  # Set to False to disable Discord alerts
```

For Gmail:

```python
# Lines 26-31
ENABLE_EMAIL = True
EMAIL_FROM = "your-email@gmail.com"
EMAIL_PASSWORD = "abcd efgh ijkl mnop"  # 16-char App Password
EMAIL_TO = "security-alerts@example.com"
SMTP_SERVER = "smtp.gmail.com"
SMTP_PORT = 587
```

Gmail setup:
- Enable 2FA: https://myaccount.google.com/security
- Generate App Password: https://myaccount.google.com/apppasswords
- Select "Mail" → Generate → Copy 16-character password
Other providers:
| Provider | SMTP Server | Port |
|---|---|---|
| Gmail | smtp.gmail.com | 587 |
| Outlook | smtp.office365.com | 587 |
| Yahoo | smtp.mail.yahoo.com | 587 |
```bash
# Start the monitor
python3 honeyfile.py
# Run in background
nohup python3 honeyfile.py &
# Check if running
ps aux | grep honeyfile
# Stop background process
pkill -f honeyfile
```

```bash
# View entire log file
sudo cat /var/log/honeyfile.log
# Last 20 alerts
sudo tail -n 20 /var/log/honeyfile.log
# Follow log in real-time (watch for new alerts)
sudo tail -f /var/log/honeyfile.log
# Search for specific username
grep "User: pi" /var/log/honeyfile.log
# Search by event type
grep "MODIFIED" /var/log/honeyfile.log
# Count total alerts
grep -c "ALERT:" /var/log/honeyfile.log
# Alerts from last hour
grep "$(date -d '1 hour ago' '+%Y-%m-%d %H')" /var/log/honeyfile.log
```

Log entries are structured for easy parsing:

```
2026-02-02 15:42:17,234 - ALERT: MODIFIED | User: username | Host: raspberrypi | IP: 192.168.1.100 | MAC: B8:27:EB:12:34:56
```
Fields:
- Timestamp (ISO 8601 format)
- Alert type (MODIFIED, MOVED, DELETED, CREATED)
- Username
- Hostname
- IP address
- MAC address
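
A parser for the log line format shown above, added here as an example (not code from the honeyfile-monitor project). It counts alerts per event type and user, lists lines that do not match the format, and flags when the most recent event suggests the decoy is no longer in place. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Format from the page: "<timestamp> - ALERT: <EVENT> | User: .. | Host: .. | IP: .. | MAC: .."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - ALERT: "
    r"(?P<event>MODIFIED|MOVED|DELETED|CREATED) \| User: (?P<user>[^|]+?) \| "
    r"Host: (?P<host>[^|]+?) \| IP: (?P<ip>[^|]+?) \| MAC: (?P<mac>[0-9A-Fa-f:]{17})\s*$"
)

def parse_line(line):
    """Return a dict for one alert line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"))

def summarize(lines):
    """Aggregate alerts and report line numbers that failed to parse."""
    by_event, by_user, unparsed = Counter(), Counter(), []
    last = None
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(n)  # malformed or non-alert line: review by hand
            continue
        by_event[rec["event"]] += 1
        by_user[rec["user"]] += 1
        last = rec
    return {
        "by_event": dict(by_event), "by_user": dict(by_user), "unparsed": unparsed,
        # If the newest event is DELETED or MOVED, the decoy may be gone from its path.
        "decoy_missing": last is not None and last["event"] in ("DELETED", "MOVED"),
    }

# Constructed sample log; the third line is deliberately malformed.
SAMPLE_LOG = """\
2026-02-02 15:42:17,234 - ALERT: MODIFIED | User: pi | Host: raspberrypi | IP: 192.168.1.100 | MAC: B8:27:EB:12:34:56
2026-02-02 15:43:02,010 - ALERT: MOVED | User: pi | Host: raspberrypi | IP: 192.168.1.100 | MAC: B8:27:EB:12:34:56
2026-02-02 15:43:02,950 - ALERT: MODIFIED | User: pi | Host: x | IP: 1.1.1.1 | MAC: zz ALERT: DELETED
2026-02-02 15:44:40,501 - ALERT: DELETED | User: pi | Host: raspberrypi | IP: 192.168.1.100 | MAC: B8:27:EB:12:34:56
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```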
```
HONEYFILE ALERT: MODIFIED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Timestamp: 2026-02-02 15:42:17
File: /home/theshefu/Desktop/CreditCards_2026.xlsx
Event: MODIFIED
━━━ SYSTEM INFORMATION ━━━
Hostname: raspberrypi
OS: Linux 6.1.0-rpi7-rpi-v8 (aarch64)
Local IP: 192.168.1.100
MAC Address: B8:27:EB:12:34:56
━━━ USER INFORMATION ━━━
Username: theshefu
UID/GID: 1000/1000
━━━ SYSTEM STATUS ━━━
Uptime: 12.45 hours
Active Connections: 5
━━━ TOP PROCESSES ━━━
• python3
• bash
• sshd
• systemd
• dhcpcd
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
POTENTIAL SECURITY BREACH DETECTED
```

```
2026-02-02 15:42:17,234 - ALERT: MODIFIED | User: theshefu | Host: raspberrypi | IP: 192.168.1.100 | MAC: B8:27:EB:12:34:56
```
Discord receives a rich embedded message with:
- Red color-coded alert banner
- Full timestamp
- File path and event type
- Complete system information
- User and network context
- Running processes
- @everyone mention for immediate attention
Running as a service ensures the monitor starts automatically on boot and restarts if it crashes.
1. Copy service file:

```bash
sudo cp examples/honeyfile.service /etc/systemd/system/
```

2. Edit service file with your paths:

```bash
sudo nano /etc/systemd/system/honeyfile.service
```

Update these lines:

```ini
[Service]
# Your Linux username (systemd does not allow a comment on the same line as a setting)
User=YOUR_USERNAME
WorkingDirectory=/home/YOUR_USERNAME/honeyfile-monitor
ExecStart=/usr/bin/python3 /home/YOUR_USERNAME/honeyfile-monitor/honeyfile.py
```

3. Enable and start service:

```bash
# Reload systemd configuration
sudo systemctl daemon-reload
# Enable service (start on boot)
sudo systemctl enable honeyfile.service
# Start service now
sudo systemctl start honeyfile.service
# Check status
sudo systemctl status honeyfile.service
```

4. Service management commands:

```bash
# Stop service
sudo systemctl stop honeyfile.service
# Restart service
sudo systemctl restart honeyfile.service
# Disable auto-start on boot
sudo systemctl disable honeyfile.service
# View service logs in real-time
sudo journalctl -u honeyfile.service -f
# View last 50 service log entries
sudo journalctl -u honeyfile.service -n 50
```

```bash
# Terminal 1: Start the monitor
python3 honeyfile.py
# Terminal 2: Trigger various events
echo "test data" >> ~/Desktop/CreditCards_2026.xlsx   # MODIFIED
mv ~/Desktop/CreditCards_2026.xlsx /tmp/test.xlsx     # MOVED
mv /tmp/test.xlsx ~/Desktop/CreditCards_2026.xlsx     # MOVED
rm ~/Desktop/CreditCards_2026.xlsx                    # DELETED
```

```bash
chmod +x tests/test_honeyfile.sh
./tests/test_honeyfile.sh
```

The test script will:
- Backup your honeyfile
- Run 8 different test scenarios
- Show which events trigger alerts
- Restore the original honeyfile
- Display expected vs actual results
| Action | Triggers Alert? | Event Type | Why? |
|---|---|---|---|
| Read file (`cat`) | No | N/A | Read-only operations don't modify filesystem |
| Append data (`echo >>`) | Yes | MODIFIED | File contents changed |
| Edit file (`nano`, `vim`) | Yes | MODIFIED | File saved with changes |
| Copy file (`cp`) | No | N/A | Creates new file, doesn't modify original |
| Move file (`mv`) | Yes | MOVED | File path changed |
| Delete file (`rm`) | Yes | DELETED | File removed from filesystem |
| Touch file (`touch`) | Yes | MODIFIED | Timestamp updated (metadata change) |
| Rename file | Yes | MOVED | Path/name changed |
Check if Discord is enabled:

```bash
grep "ENABLE_DISCORD" honeyfile.py
# Should show: ENABLE_DISCORD = True
```

Test webhook URL manually:

```bash
curl -X POST -H "Content-Type: application/json" \
  -d '{"content":"Test message from terminal"}' \
  "YOUR_WEBHOOK_URL"
```

If this works, your webhook is valid. If not, regenerate it in Discord.

Common issues:
- `ENABLE_DISCORD = False` → Change to `True`
- Invalid/expired webhook URL → Create new webhook in Discord
- Firewall blocking HTTPS → Check `sudo ufw status`
- Missing `requests` library → Run `pip3 install requests`
```bash
# Create log file with proper permissions
sudo touch /var/log/honeyfile.log
sudo chown $USER:$USER /var/log/honeyfile.log
sudo chmod 644 /var/log/honeyfile.log
# Alternative: Use home directory
# Edit honeyfile.py line 19:
# LOGFILE = "/home/YOUR_USERNAME/honeyfile.log"
```

```bash
# Verify honeyfile exists
ls -lh ~/Desktop/CreditCards_2026.xlsx
# If missing, recreate it
cat > ~/Desktop/CreditCards_2026.xlsx << EOF
Account,Name,CVV
1234-5678-9012,Test,123
EOF
# Update path in script if needed
nano honeyfile.py
# Edit line 18: HONEYPATH = "..."
```

```bash
# Install missing dependencies
pip3 install watchdog requests
# For Raspberry Pi
sudo apt install python3-watchdog python3-requests
```

```bash
# Check service status and errors
sudo systemctl status honeyfile.service
# View detailed error logs
sudo journalctl -xe -u honeyfile.service
# Common fixes:
# 1. Verify Python path
which python3  # Should be /usr/bin/python3
# 2. Test script manually first
python3 /path/to/honeyfile.py
# 3. Check file permissions
ls -l /path/to/honeyfile.py
chmod +x /path/to/honeyfile.py
```

For more help, see docs/TROUBLESHOOTING.md
- Python 3.7+ - Core programming language
- Watchdog - Cross-platform file system monitoring library
- Requests - HTTP library for webhook/API calls
- Linux inotify - Kernel subsystem for filesystem event monitoring
- systemd - Service management and auto-restart
- Discord Webhooks - Real-time notification delivery
- SMTP - Email protocol for alert delivery
- RAM: ~20-30 MB
- CPU: <1% on idle, ~2-5% during alert processing
- Disk: <1 MB for script, logs grow ~500 bytes per alert
- Network: Outbound HTTPS (port 443) for Discord/Email
- Honeyfile contains NO real sensitive data
- Script runs with user-level permissions (not root)
- Logs may contain usernames and IP addresses
- Discord webhooks should be kept private
- Email credentials stored in plaintext (use app passwords)
- Consider using environment variables for credentials
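
One way to follow the last point, as an added example that is not the project's own code: the webhook URL and SMTP credentials are read from environment variables, a channel is enabled only when its values validate, and secrets are masked before anything is printed. The `HONEYFILE_*` variable names and the function names are assumptions; the setting names mirror those shown for `honeyfile.py`.

```python
import os
from urllib.parse import urlsplit

# Hypothetical variable names; the project itself keeps these values in honeyfile.py.
ENV_WEBHOOK = "HONEYFILE_DISCORD_WEBHOOK_URL"
ENV_EMAIL = ("HONEYFILE_EMAIL_FROM", "HONEYFILE_EMAIL_TO", "HONEYFILE_EMAIL_PASSWORD")

def is_discord_webhook(url):
    """Accept only https://discord.com/api/webhooks/... URLs."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return (parts.scheme == "https" and parts.hostname == "discord.com"
            and parts.path.startswith("/api/webhooks/"))

def load_settings(env=None):
    """Return alert settings; a channel is enabled only if its values validate."""
    env = os.environ if env is None else env
    cfg = {"ENABLE_DISCORD": False, "ENABLE_EMAIL": False, "problems": []}
    url = env.get(ENV_WEBHOOK, "")
    if url:
        # Alerts carry usernames, IPs and process names: send them only to Discord over TLS.
        if is_discord_webhook(url):
            cfg.update(ENABLE_DISCORD=True, DISCORD_WEBHOOK_URL=url)
        else:
            cfg["problems"].append(ENV_WEBHOOK + " is not a Discord webhook URL")
    sender, rcpt, password = (env.get(name, "") for name in ENV_EMAIL)
    if sender and rcpt and password:
        cfg.update(ENABLE_EMAIL=True, EMAIL_FROM=sender, EMAIL_TO=rcpt,
                   EMAIL_PASSWORD=password)
    elif sender or rcpt or password:
        cfg["problems"].append("email settings incomplete, email alerts stay disabled")
    return cfg

def redact(cfg):
    """Copy of cfg that is safe to print or log."""
    out = dict(cfg)
    if "DISCORD_WEBHOOK_URL" in out:
        # The last path segment is the webhook token; keep only the webhook id.
        out["DISCORD_WEBHOOK_URL"] = out["DISCORD_WEBHOOK_URL"].rpartition("/")[0] + "/<redacted>"
    if "EMAIL_PASSWORD" in out:
        out["EMAIL_PASSWORD"] = "<redacted>"
    return out

if __name__ == "__main__":
    # Constructed values for demonstration only.
    demo = {ENV_WEBHOOK: "https://discord.com/api/webhooks/1234567890/constructed-token",
            "HONEYFILE_EMAIL_FROM": "alerts@example.com"}
    print(redact(load_settings(demo)))
```

With systemd, the variables can be supplied through an `EnvironmentFile=` that only the service user can read.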
Contributions are welcome! See CONTRIBUTING.md for guidelines.
- Slack/Microsoft Teams webhook support
- SMS alerts via Twilio
- Web dashboard for alert visualization
- SQLite database for historical analysis
- Monitor multiple honeyfiles simultaneously
- Geolocation lookup for IP addresses
- Integration with Splunk/ELK Stack
- Automated incident response actions
- Machine learning anomaly detection
- Docker container deployment
MIT License - see LICENSE file for details.
This project is free and open-source. You may use, modify, and distribute it for any purpose.
- Repository: https://github.com/AlexPGAO/honeyfile-monitor
- Issues: https://github.com/AlexPGAO/honeyfile-monitor/issues
- Discussions: https://github.com/AlexPGAO/honeyfile-monitor/discussions
- Watchdog - Python library for file system monitoring
- Discord Developer Documentation - Webhook API reference
- Raspberry Pi Community - Testing environment and feedback
Status: Active Development | Last Updated: February 2026