docs/dashboard.md

# Dashboard

Access the dashboard at `http://<server-ip>:<port>/<dashboard-path>`

The Krawl dashboard is a single-page application with **5 tabs**: Overview, Attacks, IP Insight, Tracked IPs, and IP Banlist. The last two tabs are only visible after authenticating with the dashboard password.

---

## Overview

The default landing page provides a high-level summary of all traffic and suspicious activity detected by Krawl.

### Stats Cards

Seven metric cards are displayed at the top:

- **Total Accesses** — total number of requests received
- **Unique IPs** — distinct IP addresses observed
- **Unique Paths** — distinct request paths
- **Suspicious Accesses** — requests flagged as suspicious
- **Honeypot Caught** — requests that hit honeypot endpoints
- **Credentials Captured** — login attempts captured by the honeypot
- **Unique Attackers** — distinct IPs classified as attackers

### Search

A real-time search bar lets you search across attacks, IPs, patterns, and locations. Results are loaded dynamically as you type.

### IP Origins Map

An interactive world map (powered by Leaflet) displays the geolocation of top IP addresses. You can filter by category:

- Attackers
- Bad Crawlers
- Good Crawlers
- Regular Users
- Unknown

The number of displayed IPs is configurable (top 10, 100, 1,000, or all).

![Overview — Stats and Map](../img/geoip_dashboard.png)

### Recent Suspicious Activity

A table showing the last 10 suspicious requests with IP address, path, user-agent, and timestamp. Each entry provides actions to view the raw HTTP request or inspect the IP in detail.

### Top IP Addresses

A paginated, sortable table ranking IPs by access count. Each IP shows its category badge and can be clicked to expand inline details or open the IP Insight tab.

### Top Paths

A paginated table of the most accessed HTTP paths and their request counts.

### Top User-Agents

A paginated table of the most common user-agent strings with their frequency.

![Overview — Tables](../img/overview_tables_dashboard.png)

---

## Attacks

The Attacks tab focuses on detected malicious activity, attack patterns, and captured credentials.

### Attackers by Total Requests

A paginated table listing all detected attackers ranked by total requests. Columns include IP, total requests, first seen, last seen, and location. Sortable by multiple fields.

![Attacks — Attackers and Credentials](../img/top_attackers_dashboard.png)

### Captured Credentials

A table of usernames and passwords captured from honeypot login forms, with timestamps. Useful for analyzing common credential stuffing patterns.

### Honeypot Triggers by IP

Shows which IPs accessed honeypot endpoints and how many times, sorted by trigger count.

### Detected Attack Types

A detailed table of individual attack detections showing IP, path, attack type classifications, user-agent, and timestamp. Each entry can be expanded to view the raw HTTP request.

### Most Recurring Attack Types

A Chart.js visualization showing the frequency distribution of detected attack categories (e.g., SQL injection, path traversal, XSS).

### Most Recurring Attack Patterns

A paginated table of specific attack patterns and their occurrence counts across all traffic.

![Attacks — Attack Types and Patterns](../img/attack_types_dashboard.png)

---

## IP Insight

The IP Insight tab provides a deep-dive view for a single IP address. It is activated by clicking "Inspect IP" from any table in the dashboard.

### IP Information Card

Displays comprehensive details about the selected IP:

- **Activity** — total requests, first seen, last seen, last analysis timestamp
- **Geo & Network** — location, region, timezone, ISP, ASN, reverse DNS
- **Category** — classification badge (Attacker, Good Crawler, Bad Crawler, Regular User, Unknown)

### Ban & Track Actions

When authenticated, admin actions are available:

- **Ban/Unban** — immediately add or remove the IP from the banlist
- **Track/Untrack** — add the IP to your watchlist for ongoing monitoring

### Blocklist Memberships

Shows which threat intelligence blocklists the IP appears on, providing external reputation context.

### Access Logs

A filtered view of all requests made by this specific IP, with full request details.

![IP Insight — Detail View](../img/ip_insight_dashboard.png)

---

## Tracked IPs

> Requires authentication with the dashboard password.

The Tracked IPs tab lets you maintain a watchlist of IP addresses you want to monitor over time.

### Track New IP

A form to add any IP address to your tracking list for ongoing observation.

### Currently Tracked IPs

A paginated table of all manually tracked IPs, with the option to untrack each one.

![Tracked IPs](../img/tracked_ips_dashboard.png)

---

## IP Banlist

> Requires authentication with the dashboard password.

The IP Banlist tab provides tools for managing IP bans. Bans are exported every 5 minutes.

### Force Ban IP

A form to immediately ban any IP address by entering it manually.

### Detected Attackers

A paginated list of all IPs detected as attackers, with quick-ban actions for each entry.

![IP Banlist — Detected](../img/banlist_attackers_dashboard.png)

### Active Ban Overrides

A table of currently active manual ban overrides, with options to unban or reset the override status for each IP.

![IP Banlist — Overrides](../img/banlist_overrides_dashboard.png)

### Export Banlist

A dropdown menu to download the current banlist in two formats:

- **Raw IPs List** — plain text, one IP per line
- **IPTables Rules** — ready-to-use firewall rules

---

## Authentication

The dashboard uses session-based authentication with secure HTTP-only cookies. Protected features (Tracked IPs, IP Banlist, ban/track actions) require entering the dashboard password. The login includes brute-force protection with IP-based rate limiting and exponential backoff.

Click the lock icon in the top-right corner of the navigation bar to authenticate or log out.

![Authentication Modal](../img/auth_prompt.png)
docs: add comprehensive documentation for API, backups, canary token, dashboard, honeypot, reverse proxy, and wordlist customization 2026-03-01 21:20:33 +01:00			`# Dashboard`

			Access the dashboard at `http://<server-ip>:<port>/<dashboard-path>`

feat: enhance dashboard documentation and add new images for improved visualization 2026-03-10 11:00:47 +01:00			`The Krawl dashboard is a single-page application with 5 tabs: Overview, Attacks, IP Insight, Tracked IPs, and IP Banlist. The last two tabs are only visible after authenticating with the dashboard password.`
docs: add comprehensive documentation for API, backups, canary token, dashboard, honeypot, reverse proxy, and wordlist customization 2026-03-01 21:20:33 +01:00
feat: enhance dashboard documentation and add new images for improved visualization 2026-03-10 11:00:47 +01:00			`---`
docs: add comprehensive documentation for API, backups, canary token, dashboard, honeypot, reverse proxy, and wordlist customization 2026-03-01 21:20:33 +01:00
feat: enhance dashboard documentation and add new images for improved visualization 2026-03-10 11:00:47 +01:00			`## Overview`
docs: add comprehensive documentation for API, backups, canary token, dashboard, honeypot, reverse proxy, and wordlist customization 2026-03-01 21:20:33 +01:00
feat: enhance dashboard documentation and add new images for improved visualization 2026-03-10 11:00:47 +01:00			`The default landing page provides a high-level summary of all traffic and suspicious activity detected by Krawl.`
docs: add comprehensive documentation for API, backups, canary token, dashboard, honeypot, reverse proxy, and wordlist customization 2026-03-01 21:20:33 +01:00
feat: enhance dashboard documentation and add new images for improved visualization 2026-03-10 11:00:47 +01:00			`### Stats Cards`
docs: add comprehensive documentation for API, backups, canary token, dashboard, honeypot, reverse proxy, and wordlist customization 2026-03-01 21:20:33 +01:00
feat: enhance dashboard documentation and add new images for improved visualization 2026-03-10 11:00:47 +01:00			`Seven metric cards are displayed at the top:`
docs: add comprehensive documentation for API, backups, canary token, dashboard, honeypot, reverse proxy, and wordlist customization 2026-03-01 21:20:33 +01:00
feat: enhance dashboard documentation and add new images for improved visualization 2026-03-10 11:00:47 +01:00			`- Total Accesses — total number of requests received`
			`- Unique IPs — distinct IP addresses observed`
			`- Unique Paths — distinct request paths`
			`- Suspicious Accesses — requests flagged as suspicious`
			`- Honeypot Caught — requests that hit honeypot endpoints`
			`- Credentials Captured — login attempts captured by the honeypot`
			`- Unique Attackers — distinct IPs classified as attackers`

			`### Search`

			`A real-time search bar lets you search across attacks, IPs, patterns, and locations. Results are loaded dynamically as you type.`

			`### IP Origins Map`

			`An interactive world map (powered by Leaflet) displays the geolocation of top IP addresses. You can filter by category:`

			`- Attackers`
			`- Bad Crawlers`
			`- Good Crawlers`
			`- Regular Users`
			`- Unknown`

			`The number of displayed IPs is configurable (top 10, 100, 1,000, or all).`

			`![Overview — Stats and Map](../img/geoip_dashboard.png)`

			`### Recent Suspicious Activity`

			`A table showing the last 10 suspicious requests with IP address, path, user-agent, and timestamp. Each entry provides actions to view the raw HTTP request or inspect the IP in detail.`

			`### Top IP Addresses`

			`A paginated, sortable table ranking IPs by access count. Each IP shows its category badge and can be clicked to expand inline details or open the IP Insight tab.`

			`### Top Paths`

			`A paginated table of the most accessed HTTP paths and their request counts.`

			`### Top User-Agents`

			`A paginated table of the most common user-agent strings with their frequency.`

			`![Overview — Tables](../img/overview_tables_dashboard.png)`

			`---`

			`## Attacks`

			`The Attacks tab focuses on detected malicious activity, attack patterns, and captured credentials.`

			`### Attackers by Total Requests`

			`A paginated table listing all detected attackers ranked by total requests. Columns include IP, total requests, first seen, last seen, and location. Sortable by multiple fields.`

			`![Attacks — Attackers and Credentials](../img/top_attackers_dashboard.png)`

			`### Captured Credentials`

			`A table of usernames and passwords captured from honeypot login forms, with timestamps. Useful for analyzing common credential stuffing patterns.`

			`### Honeypot Triggers by IP`

			`Shows which IPs accessed honeypot endpoints and how many times, sorted by trigger count.`

			`### Detected Attack Types`

			`A detailed table of individual attack detections showing IP, path, attack type classifications, user-agent, and timestamp. Each entry can be expanded to view the raw HTTP request.`

			`### Most Recurring Attack Types`

			`A Chart.js visualization showing the frequency distribution of detected attack categories (e.g., SQL injection, path traversal, XSS).`

			`### Most Recurring Attack Patterns`

			`A paginated table of specific attack patterns and their occurrence counts across all traffic.`

			`![Attacks — Attack Types and Patterns](../img/attack_types_dashboard.png)`

			`---`

			`## IP Insight`

			`The IP Insight tab provides a deep-dive view for a single IP address. It is activated by clicking "Inspect IP" from any table in the dashboard.`

			`### IP Information Card`

			`Displays comprehensive details about the selected IP:`

			`- Activity — total requests, first seen, last seen, last analysis timestamp`
			`- Geo & Network — location, region, timezone, ISP, ASN, reverse DNS`
			`- Category — classification badge (Attacker, Good Crawler, Bad Crawler, Regular User, Unknown)`

			`### Ban & Track Actions`

			`When authenticated, admin actions are available:`

			`- Ban/Unban — immediately add or remove the IP from the banlist`
			`- Track/Untrack — add the IP to your watchlist for ongoing monitoring`

			`### Blocklist Memberships`

			`Shows which threat intelligence blocklists the IP appears on, providing external reputation context.`

			`### Access Logs`

			`A filtered view of all requests made by this specific IP, with full request details.`

			`![IP Insight — Detail View](../img/ip_insight_dashboard.png)`

			`---`

			`## Tracked IPs`

			`> Requires authentication with the dashboard password.`

			`The Tracked IPs tab lets you maintain a watchlist of IP addresses you want to monitor over time.`

			`### Track New IP`

			`A form to add any IP address to your tracking list for ongoing observation.`

			`### Currently Tracked IPs`

			`A paginated table of all manually tracked IPs, with the option to untrack each one.`

			`![Tracked IPs](../img/tracked_ips_dashboard.png)`

			`---`

			`## IP Banlist`

			`> Requires authentication with the dashboard password.`

			`The IP Banlist tab provides tools for managing IP bans. Bans are exported every 5 minutes.`

			`### Force Ban IP`

			`A form to immediately ban any IP address by entering it manually.`

			`### Detected Attackers`

			`A paginated list of all IPs detected as attackers, with quick-ban actions for each entry.`

			`![IP Banlist — Detected](../img/banlist_attackers_dashboard.png)`

			`### Active Ban Overrides`

			`A table of currently active manual ban overrides, with options to unban or reset the override status for each IP.`

			`![IP Banlist — Overrides](../img/banlist_overrides_dashboard.png)`

			`### Export Banlist`

			`A dropdown menu to download the current banlist in two formats:`

			`- Raw IPs List — plain text, one IP per line`
			`- IPTables Rules — ready-to-use firewall rules`

			`---`

			`## Authentication`

			`The dashboard uses session-based authentication with secure HTTP-only cookies. Protected features (Tracked IPs, IP Banlist, ban/track actions) require entering the dashboard password. The login includes brute-force protection with IP-based rate limiting and exponential backoff.`

			`Click the lock icon in the top-right corner of the navigation bar to authenticate or log out.`

			`![Authentication Modal](../img/auth_prompt.png)`