Lantana is a honeypot-as-code platform. Deploy IPv4/IPv6 dual-stack honeypots from an Ansible inventory, capture attacker behavior into a typed datalake, and ship intelligence as Discord briefs, STIX bundles, and a Streamlit dashboard. Aligned with MITRE Engage — honeypots are treated as disposable infrastructure that gets rotated and reshaped as narratives evolve.
This is the first production release, validated on a live operation over three weeks (June 2–19, 2026).
What's in v1.0.0
Infrastructure
- Single-node and multi-node deployment from an inventory-per-operation model (clone
op_singleorop_multi, configure, deploy) - Zoned architecture: Honeywall (nftables + Suricata), Sensor, Collector
- IPv4/IPv6 dual-stack throughout, enforced at the firewall layer
- Rootless Podman containers via Quadlets + user-scoped systemd
- Three post-deploy validation playbooks:
validate-single-node,validate-sensor-runtime,validate-pipeline-cycle - Terraform provisioning module for Proxmox
Sensors
- Cowrie (SSH + Telnet): credential harvesting, command capture, file download/upload, TTY session transcripts
- Dionaea (FTP, HTTP, EPMAP, SMB, MSSQL, MySQL): binary artifact capture, credential logging, multi-protocol emulation
file_intenttagging (malware/persistence/probe) on captured file events
Data Pipeline (Python 3.13+)
- Three-tier datalake: Bronze (raw NDJSON via Vector), Silver (OCSF-inspired Parquet, enriched, redacted), Gold (per-IP daily aggregates)
- MaxMind GeoLite2 at wire speed (Vector); AbuseIPDB, VirusTotal, GreyNoise, Shodan via daily batch HTTP
- SQLite enrichment cache with tiered TTLs: 7 days (benign) → 28–180 days (malicious, by IOC type)
- Composite risk scoring: per-provider sub-scores → enrichment mean + behavioral score → final
risk_score(0–100) - Dual rate-limit circuit breakers (consecutive + cumulative) to prevent runaway API quota consumption
- WAN IP redaction and infrastructure IP filtering before any data leaves the pipeline (OPSEC layers 1–3)
- STIX 2.1 bundle export
Intelligence Output
- Daily Discord report: pipeline health, top attackers, credentials, malware captures, attacker persistence — posted as a Markdown file attachment
- Streamlit dashboard with 7 tabs: Overview, Geography (world map colored by risk score), IP Reputation, Progression funnel, Findings (Suricata alerts), Credentials, STIX Export
Known Limitations
Six items were intentionally deferred; see the Roadmap for full context:
- Dionaea binary download URLs not surfaced in bronze/silver (custom ihandler needed)
- Dionaea binary hashes are MD5/SHA-512; VT hash enrichment queries files on disk
- Dashboard has no date-range selector (fixed trailing-7-day window)
- Multi-day slow-burn detection is a proxy (daily gold aggregation), not a stage-progression signal
- SIP module disabled — upstream Dionaea sqlite race condition between supervisor and worker process
- Honeypot images use rolling upstream tags (
cowrie:latest,dionaea:nightly); self-built pinned images are on the roadmap
Getting Started
See the Setup Guide for a first-deploy walkthrough.