In this blog post, we will show you how to create decoy file system in Linux using FUSE step by step.
Imagine you’re running a cloud server for your startup. One day, you drop a fake file called client_credentials.txt into a shared folder. Inside it, you put something like this:
AWS_KEY=FAKE123 SECRET_KEY=GOTCHA456
Now, if someone tries to use it, you immediately get a notification. That tells you someone’s poking around your stuff—and now you can investigate or shut things down.
That’s exactly what a decoy file or honey token does.
What is a Decoy File System?
A decoy filesystem is a virtual system masquerading as a real filesystem that looks like the real thing but is actually fake. Its purpose is to deceive intruders, observe attack behavior, or induce attackers to reveal their identity.
You can think of it as a “digital trap”.
It can lure malicious actors into opening it.
Prerequisites
- Ubuntu Server: This guide uses Ubuntu 24.04 Server LTS version. A quick reminder, Ubuntu Server comes with a different set of packages pre-installed than a usual Ubuntu Desktop. You can use Vagrant to spin up an Ubuntu server quickly.
- Install Fuse
$ sudo apt install fuse
- Set up a Python environment
$ python3 -m venv venv $ source venv/bin/activate $ pip install fusepy
Create Decoy File System In Linux Using FUSE
Technically, this type of file system is usually created using:
- FUSE (Filesystem in User Space) to create a “real-looking” filesystem
- Python to write the logic for the behavior of the files
- A logging system to record accesses. With this guide, we’ll use Slack notifications to notify our team about any suspicious attempts.
1) Create a Python file
Create a file decoy_fs.py with the contents:
from fuse import FUSE, Operations
import time, os
class DecoyFS(Operations):
def __init__(self):
now = time.time()
self.files = {
'/salary_report_2024.xlsx': self._make_file(b'Fake salary data inside\n', now),
'/admin_passwords.txt': self._make_file(b'admin: admin123\n', now),
'/project/secret_notes.txt': self._make_file(b'Confidential: Do not distribute\n', now)
}
def _make_file(self, content, timestamp):
return {
'content': content,
'st_mode': 0o100644,
'st_nlink': 1,
'st_size': len(content),
'st_ctime': timestamp,
'st_mtime': timestamp,
'st_atime': timestamp
}
def getattr(self, path, fh=None):
if path == '/':
return dict(st_mode=(0o40555), st_nlink=2)
elif path in self.files:
return self.files[path]
elif path == '/project':
return dict(st_mode=(0o40555), st_nlink=2)
else:
raise FileNotFoundError
def readdir(self, path, fh):
if path == '/':
return ['.', '..', 'salary_report_2024.xlsx', 'admin_passwords.txt', 'project']
elif path == '/project':
return ['.', '..', 'secret_notes.txt']
else:
raise FileNotFoundError
def open(self, path, flags):
if path in self.files:
msg = f" *Decoy file accessed:* `{path}` at {time.ctime()}"
print(msg)
return 0
else:
raise FileNotFoundError
def read(self, path, size, offset, fh):
return self.files[path]['content'][offset:offset + size]
if __name__ == '__main__':
import sys
if len(sys.argv) != 2:
print("Usage: python3 decoy_fs.py /mount/point")
exit(1)
mountpoint = sys.argv[1]
FUSE(DecoyFS(), mountpoint, nothreads=True, foreground=True)
This code simulates a directory with fake sensitive files and logs when someone tries to access them. In a real-world scenario, we can set up alerts using Slack or send notifications via email to the team member. We created three fake files: salary_report_2024.xlsx, admin_passwords.txt, and secret_notes.txt.
2) Run Python Script
Create a mount point and run above created python script to create decoy file system
$ mkdir /tmp/decoymount $ python3 decoy_fs.py /tmp/decoymount
3) Try to Read file
Now go into that folder, and try reading a file:
$ cd /tmp/decoymount $ ls $ cat admin_passwords.txt
Why Use Decoy File system?
You might ask why not use a real file system with fake details to lure attackers? While this may sound like a good idea, there are several issues that make it less efficient for use in a decoy file system.
Real files are part of the actual file system. So, they are visible to regular users, applications, or even automated scripts that might scan or list files (e.g., using ls, find, or other system tools).
With FUSE, you can intercept and control every single interaction with the files. For example, when a user tries to read a file, you can decide whether to allow it, trigger alerts, or log the access.
You can even return different data based on certain conditions or time stamps.
The features of the Decoy file system are:
- More proactive than antivirus: it’s not just a defense, it’s a “lure”
- Detects insider threats: e.g., employees messing around with company data
- Detects problems early in the attack
- Contains no real data, very low risk
Final Thoughts
Decoy file system is a deception technique in network security. It lures attackers in by constructing fake files and folders. It’s like leaving a glowing red briefcase in the middle of a room full of cameras — only the guilty will open it.
“You hope no one triggers it, but when they do, the danger is immediately apparent.”
