GhostWall

A HenHacks Submission by Aidan L, Lathe E, Nicholas C, Andrew X

GhostWall is a port-migration honeypot solution for cybersecurity professionals, designed to support the continuous improvement of cyber-attack countermeasures while preserving secure uptime for critical services. GhostWall bridges the gap between advanced and beginner defenders with smart alerts, clear threat explanations, and an easy-to-use interface.

If you value your security and uptime, trust GhostWall.

Inspiration

Traditional defenses are often static: they block known bad behavior, but give defenders limited visibility into what attackers are trying to do. We wanted to build a system that both protects live services and learns from real attack traffic. GhostWall was inspired by the idea that deception can be practical, not just experimental, especially for teams that need security without sacrificing availability.

What it does

GhostWall detects and responds to suspicious activity across SSH, HTTP, and FTP. Its fake SSH front door routes trusted users to the real SSH service while sending unknown traffic to a honeypot, then scores threat activity in real time and can escalate defenses automatically. Teams can monitor everything through a web dashboard or terminal UI, with incident summaries that explain what happened and why it matters.

How we built it

We built GhostWall as a modular Python-based defense platform. The core combines a fake SSH proxy, packet/event collection, protocol-specific defense modules, and a policy layer that can run in detect-only or auto-block mode. We integrated Cowrie for honeypot telemetry, FastAPI + SQLite for data and APIs, and a live UI layer for real-time monitoring and post-attack debriefs.
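The front-door routing and the detect-only versus auto-block policy described above, as an added sketch that is not GhostWall's own code. The allowlist network, event names, weights, half-life and threshold are assumptions made for illustration, as is the exponential score decay, which is one way to keep short bursts of normal traffic below the block threshold.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed values; GhostWall's real allowlist, weights and thresholds are not on the page.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
EVENT_WEIGHTS = {"connect": 1.0, "auth_fail": 5.0, "honeypot_cmd": 15.0}
HALF_LIFE_S = 60.0       # a score halves after this many quiet seconds
BLOCK_THRESHOLD = 30.0

def route(src_ip):
    """Front-door decision: trusted sources reach the real sshd, all others the honeypot."""
    addr = ipaddress.ip_address(src_ip)
    return "real_ssh" if any(addr in net for net in TRUSTED_NETS) else "honeypot"

@dataclass
class Scorer:
    mode: str = "detect-only"                    # or "auto-block"
    scores: dict = field(default_factory=dict)   # ip -> (score, last timestamp)
    blocked: set = field(default_factory=set)

    def observe(self, src_ip, event, ts):
        """Decay the old score, add the event weight, and return the policy action."""
        score, last = self.scores.get(src_ip, (0.0, ts))
        score *= 0.5 ** (max(0.0, ts - last) / HALF_LIFE_S)
        score += EVENT_WEIGHTS[event]
        self.scores[src_ip] = (score, ts)
        if score < BLOCK_THRESHOLD:
            return "allow"
        if self.mode == "auto-block":
            self.blocked.add(src_ip)             # a real deployment would add a firewall rule here
            return "block"
        return "alert"                           # detect-only: report, never enforce

# Constructed sample events: (source IP, event, timestamp in seconds).
# 198.51.100.20 is a noisy but harmless burst; 203.0.113.7 brute-forces, then runs a honeypot command.
SAMPLE = (
    [("198.51.100.20", "connect", t) for t in range(10)]
    + [("203.0.113.7", "connect", 0)]
    + [("203.0.113.7", "auth_fail", t) for t in (1, 2, 3, 4)]
    + [("203.0.113.7", "honeypot_cmd", 5)]
)

def replay(mode):
    """Feed the sample events through a fresh scorer; return the last action per source."""
    scorer = Scorer(mode=mode)
    return {ip: scorer.observe(ip, event, ts) for ip, event, ts in SAMPLE}

if __name__ == "__main__":
    for mode in ("detect-only", "auto-block"):
        print(mode, replay(mode))
```
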

Challenges we ran into

One major challenge was preserving legitimate access while safely intercepting attacker traffic on standard service ports. Another was tuning detection logic to avoid false positives during noisy but normal network bursts. We also had to coordinate multiple runtime components (proxying, scoring, logging, and UI updates) so responses stayed fast, consistent, and reliable.

Accomplishments that we're proud of

We shipped an end-to-end autonomous loop: detect, score, respond, and explain. GhostWall successfully combines deception with adaptive enforcement while keeping legitimate service paths available. We’re especially proud of delivering both technical depth and usability, so newer defenders can understand threats while advanced users still have fine-grained control.

What we learned

We learned that strong defense is as much about visibility and context as it is about blocking traffic. Building across proxying, honeypots, threat scoring, and policy enforcement taught us how tightly reliability and security are connected. We also learned how valuable clear threat communication is when designing tools for mixed-skill teams.

What's next for GhostWall

Next, we plan to expand protocol coverage, improve anomaly detection, and add richer attack timelines and reporting. We also want tighter integrations with SOC tooling (SIEM/alerts), more deployment options, and stronger production hardening for real-world environments. Long term, we see GhostWall evolving into a collaborative defense platform that continuously learns and adapts from every engagement.
