FortiGate SSL-VPN honeypot adds AI summaries May 19
- Pedro Gabaldon updated his FortiGate SSL-VPN honeypot on May 19, adding AI-generated session summaries, real-time LDAP validation, and new AbuseIPDB/VirusTotal integrations. (trendshift.io)
- The GitHub repository describes the project as a FortiGate VPN-SSL decoy built with Python, Flask, Nginx, Docker and SQLite to capture telemetry. (github.com)
- The code and release notes are in Gabaldon's GitHub repository, and his X account flagged the update on May 19. (trendshift.io)
Pedro Gabaldon said on May 19 that he had updated his FortiGate SSL-VPN honeypot with AI-generated session summaries, real-time LDAP or Active Directory validation of captured credentials, and AbuseIPDB and VirusTotal Collections support. The code is published in Gabaldon's public GitHub repository for a project that mimics a FortiGate SSL-VPN login portal and records attacker activity. (trendshift.io) The repository describes the tool as a deception honeypot built with Python and Flask for the portal, Nginx for TLS fronting, Docker Compose for deployment, and SQLite for storing captured telemetry. (github.com)

### What exactly was updated on May 19?

Trendshift's capture of Gabaldon's May 19 social post listed the new items as "AI summaries via OpenRouter," "real-time LDAP/AD validation + alerts," and "AbuseIPDB & VT Collections support." (trendshift.io) The same post also referenced a Python parser and protections against XSS, SQL injection and log injection. GitHub's repository page identifies the project as "FortiGate VPN-SSL Honeypot" and says it is designed to trap brute-force attempts, detect use of deliberately exfiltrated credentials, and report malicious activity to outside intelligence feeds. The repository's existing README already described VirusTotal and AlienVault OTX reporting, along with email dashboards and counter-intelligence checks for reused bait credentials. (trendshift.io)

### What does this honeypot actually do?

The GitHub README says the project imitates a FortiGate VPN-SSL device closely enough to collect login attempts and related probes from hostile traffic. (trendshift.io) The setup uses a web portal written in Python and Flask, Nginx as the TLS-facing layer, and SQLite to store raw data including submitted credentials and exploit probes. The repository also says operators can run the service with Docker Compose, expose the portal on port 10443 by default, and parse captured logs into a local database with a helper script.
GitHub's page says login attempts are written to a credentials log before being loaded into SQLite, while Nginx access logs are stored separately. (github.com) Because attacker-supplied usernames and passwords pass through that log and into a database, the XSS, SQL injection and log injection protections mentioned in the post matter for the operator's own review tooling as much as for the decoy portal itself.

### Why add AI summaries and LDAP validation?

The May 19 feature list suggests Gabaldon is trying to reduce the manual work of reviewing attack sessions by adding automated summaries and quick checks on submitted credentials. The OpenRouter reference in the social post indicates the AI summaries are generated through that service, while the LDAP or AD validation feature is meant to test in real time whether captured usernames and passwords resolve against a directory source, with alerts when they do. (github.com) That check requires the decoy to reach a directory, so how much access a deception host should hold is a decision an operator needs to make deliberately. AbuseIPDB and VirusTotal integrations point to a second workflow: enriching suspicious source IPs after they hit the decoy. (github.com) The repository had already included VirusTotal and OTX reporting; the May 19 post indicates that enrichment and collection support were expanded in the latest update.

### Who is behind the project?

GitHub identifies the repository owner as PeterGabaldon, and the profile links that account to Pedro Gabaldon and his personal site, pgj11.com. Gabaldon's site also hosts an earlier post about the FortiGate VPN-SSL honeypot, showing the project predates this week's update. (trendshift.io) The repository was public as of May 20, and GitHub showed it under an MIT license. Trendshift's snapshot said the repository had been created about 10 months earlier and had received a fresh commit shortly before the social mention it captured. (trendshift.io)

### Where can defenders inspect the changes themselves?

The GitHub repository contains the code, deployment files, and README for the honeypot, including usage steps for cloning, generating TLS material, launching with Docker Compose, and parsing logs. Gabaldon's GitHub profile and blog are the named public endpoints tied to the project. (github.com) May 19 is the key date for this update.
Gabaldon’s social post flagged the new features that day, and the public repository remains the place where defenders can review the implementation and release notes directly. (github.com) (trendshift.io)
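As an added illustration of the capture pipeline the article describes (a credentials log parsed into SQLite, bait-credential detection, and protections against SQL and log injection), the Python below is example code written for this page; it is not the honeypot's own parser. The tab-separated log layout, the planted bait credential and the sample log lines are constructed assumptions, chosen so the example runs offline.

```python
import sqlite3

# Constructed sample of a credentials log: one attempt per line,
# tab-separated as <timestamp> <source-ip> <username> <password>.
# This layout is an assumption for the demo, not the honeypot's real format.
SAMPLE_LOG = [
    "2024-05-19T10:00:01Z\t203.0.113.7\tadmin\tadmin",
    "2024-05-19T10:00:02Z\t203.0.113.7\tadmin\tPassword123",
    # SQL-injection style username: stored literally, never concatenated into SQL.
    "2024-05-19T10:00:03Z\t203.0.113.7\tadmin' OR 1=1--\tx",
    # Replay of a deliberately leaked bait credential.
    "2024-05-19T10:00:04Z\t198.51.100.9\tsvc_backup\tBackup2024!",
    # Log-injection attempt: CRLF inside the username tries to forge a second record.
    "2024-05-19T10:00:05Z\t198.51.100.9\tuser\r\n2024-05-19T10:00:06Z\t10.0.0.1\tfake\tfake",
    "garbage line without tabs",
]

# Bait credentials the operator planted (assumed for the demo). Any attempt
# that uses one means the leaked secret has been picked up and replayed.
BAIT_CREDENTIALS = {("svc_backup", "Backup2024!")}


def sanitize(field: str) -> str:
    """Replace control characters (CR, LF, TAB, ...) with '?' so attacker input
    cannot forge extra lines or columns in downstream logs, emails or summaries."""
    return "".join(ch if ch.isprintable() else "?" for ch in field)


def parse_line(line: str):
    """Split one log line into (ts, src_ip, username, password), or None if malformed."""
    parts = line.rstrip("\r\n").split("\t", 3)
    if len(parts) != 4:
        return None
    ts, ip, user, pw = parts
    return ts, ip, sanitize(user), sanitize(pw)


def build_db(lines, conn=None) -> sqlite3.Connection:
    """Load parsed attempts into SQLite using parameterised inserts."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS attempts("
        "ts TEXT, src_ip TEXT, username TEXT, password TEXT, bait INTEGER)"
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than guess at fields
        ts, ip, user, pw = rec
        bait = int((user, pw) in BAIT_CREDENTIALS)
        # Placeholders keep attacker-controlled strings out of the SQL text.
        conn.execute(
            "INSERT INTO attempts VALUES (?, ?, ?, ?, ?)", (ts, ip, user, pw, bait)
        )
    conn.commit()
    return conn


def summarize(conn):
    """Per-source-IP attempt counts and bait hits, busiest source first."""
    rows = conn.execute(
        "SELECT src_ip, COUNT(*), SUM(bait) FROM attempts "
        "GROUP BY src_ip ORDER BY COUNT(*) DESC, src_ip"
    ).fetchall()
    return [{"src_ip": ip, "attempts": n, "bait_hits": b} for ip, n, b in rows]


def bait_hits(conn):
    """Source IPs that replayed a bait credential, i.e. the ones worth alerting on."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT DISTINCT src_ip FROM attempts WHERE bait = 1 ORDER BY src_ip"
        )
    ]


if __name__ == "__main__":
    db = build_db(SAMPLE_LOG)
    for entry in summarize(db):
        print(entry)
    print("bait credential replayed by:", bait_hits(db))
```

The two protections sit at different layers: `sanitize` neutralises the CRLF and tab injection before the value reaches anything that renders or re-logs it, and the `?` placeholders mean the `admin' OR 1=1--` username is stored as data rather than interpreted as SQL. The per-IP summary is the kind of aggregate that an automated session summary or an AbuseIPDB lookup would be built on.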