vinksyunit/not-today-honey
Latest stable version: v0.1.2
Composer install command:
composer require vinksyunit/not-today-honey
Package description
A Laravel honeypot package to simulate attractive web pages (like WordPress wp-admin) to detect attackers
README
A Laravel honeypot package that simulates realistic admin pages (WordPress, phpMyAdmin) to detect and block attackers.
Detect threats, automatically
- 3-level alert system — Probing → Intrusion Attempt → Attacking, each with configurable thresholds, block durations, and log levels
- Leaked credential detection — truncated SHA256 comparison against known password lists; immediate escalation to Attacking on match
Protect your real features
- Automatic IP blocking — detected attackers are blocked for configurable durations (minutes for probing, days for intrusion, weeks for attacking)
- nottodayhoney.block middleware — deny blocked IPs globally or per route group with a single line
Honeypot traps that fool scanners
- Realistic decoys — fake WordPress wp-login, phpMyAdmin, and generic admin pages with HTTP fingerprinting to attract CVE scanners and credential-stuffing bots
- Event-driven alerts — Laravel events at each alert level; wire up Slack, mail, or any channel via listeners
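The leaked-credential check listed above (truncated SHA256 comparison against a known password list, escalating straight to Attacking on a match), sketched in PHP as an added example. This is not the package's own code; the 10-hex-character truncation, the function names, the attempt threshold and the sample password list are all assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from vinksyunit/not-today-honey.
// Assumed truncation length: 10 hex chars = 40 bits of the SHA-256 digest.
const PREFIX_HEX_LEN = 10;

/** Truncated SHA-256 fingerprint of a password, lowercase hex. */
function truncatedFingerprint(string $password): string
{
    return substr(hash('sha256', $password), 0, PREFIX_HEX_LEN);
}

/** Build the lookup set once from a known-password list, skipping blank lines. */
function buildLeakedSet(iterable $passwords): array
{
    $set = [];
    foreach ($passwords as $p) {
        $p = rtrim($p, "\r\n");
        if ($p !== '') {
            $set[truncatedFingerprint($p)] = true;
        }
    }
    return $set;
}

/** Level for one decoy login; the threshold is a hypothetical default. */
function classifyAttempt(string $submitted, array $leaked, int $priorAttempts, int $threshold = 3): string
{
    if (isset($leaked[truncatedFingerprint($submitted)])) {
        return 'Attacking'; // listed password: escalate immediately
    }
    return $priorAttempts + 1 >= $threshold ? 'Intrusion Attempt' : 'Probing';
}

/** Upper bound on the chance that an unlisted password collides with the set. */
function falseMatchRate(int $listSize): float
{
    return $listSize / (16 ** PREFIX_HEX_LEN);
}

// Constructed sample list and attempts.
$leaked = buildLeakedSet(["123456\n", "password\n", "\n", "admin123\n"]);
foreach (['admin123', 'Tr0ub4dor&3'] as $attempt) {
    // Log the fingerprint, never the submitted password itself.
    printf("%s -> %s\n", truncatedFingerprint($attempt), classifyAttempt($attempt, $leaked, 0));
}
printf("false-match bound per attempt: %.2e\n", falseMatchRate(count($leaked)));
```

A shorter prefix shrinks the stored list and reveals less about each entry, at the cost of a higher false-match rate as the list grows.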
Requirements
- PHP 8.4+
- Laravel 12+
Installation
composer require vinksyunit/not-today-honey
php artisan vendor:publish --tag="not-today-honey-config"
php artisan vendor:publish --tag="not-today-honey-migrations"
php artisan migrate
Blue team best practices
NotTodayHoney detects and signals — it is one layer of a defense-in-depth strategy. A honeypot without complementary layers is a smoke detector with no sprinklers.
- Understand your attack surface — the OWASP Top 10 covers the most common application-layer risks; the ASVS gives you a structured checklist
- Review code for security — authentication, authorisation boundaries, and input handling deserve attention on every change, not just security-focused sprints
- Run penetration tests — a pentest finds what automated scanners miss: logic flaws, misconfigurations, privilege escalation paths
- Monitor and respond — route AttackerAttackingEvent to an alerting pipeline; define a runbook for what your team does when an attacker is detected
- Keep dependencies clean — attackers scan for known CVEs before trying credentials; run composer audit regularly
→ Blue Team Practices in the documentation for further reading and OWASP references.
License
The MIT License (MIT). Please see License File for more information.
Statistics
- Total downloads: 62
- Monthly downloads: 0
- Daily downloads: 0
- Favorites: 2
- Clicks: 2
- Dependent projects: 0
- Recommendations: 0
Other information
- License: MIT
- Last updated: 2026-04-14