bump hellpot to latest master, hardening

docker/glutton/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21-alpine as builder
+FROM golang:1.23-alpine AS builder
 #
 # Include dist
 COPY dist/ /root/dist/
@@ -16,34 +16,27 @@ RUN apk -U --no-cache add \
     cd /opt/ && \
     git clone https://github.com/mushorg/glutton && \
     cd /opt/glutton/ && \
-    git checkout c1204c65ce32bfdc0e08fb2a9abe89b3b8eeed62 && \
+    git checkout b3b5944b79893ccb1da19e112571674841bbe124 && \
     cp /root/dist/system.go . && \
     make build && \
-	mv /root/dist/config.yaml /opt/glutton/config/
+	cp /root/dist/*.yaml /opt/glutton/config/
 #
-FROM alpine:3.19
+FROM alpine:3.20
 #
 COPY --from=builder /opt/glutton/bin /opt/glutton/bin
 COPY --from=builder /opt/glutton/config /opt/glutton/config
-COPY --from=builder /opt/glutton/rules /opt/glutton/rules
 #
-RUN apk -U --no-cache add \
-		iptables-dev \
+RUN apk -U --no-cache upgrade && \
+	apk -U --no-cache add \
+		iptables \
+		libcap \
   		libpcap-dev && \
 		setcap cap_net_admin,cap_net_raw=+ep /opt/glutton/bin/server && \
 		setcap cap_net_admin,cap_net_raw=+ep /sbin/xtables-nft-multi && \
 		mkdir -p /var/log/glutton \
-		         /opt/glutton/payloads && \
-#
-# Setup user, groups and configs
-    addgroup -g 2000 glutton && \
-    adduser -S -s /bin/ash -u 2000 -D -g 2000 glutton && \
-#
-# Clean up
-    rm -rf /var/cache/apk/* \
-           /root/*
+		         /opt/glutton/payloads
 #
 # Start glutton 
 WORKDIR /opt/glutton
-USER glutton:glutton
+USER 2000:2000
 CMD exec bin/server -d true -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') -l /var/log/glutton/glutton.log > /dev/null 2>&1

docker/glutton/dist/config.yaml

@@ -1,6 +1,7 @@
 ports:
   tcp: 5000
-#  udp: 5001
+  udp: 5001
+  ssh: 2222
 
 rules_path: config/rules.yaml
 

docker/glutton/dist/rules.yaml

@@ -0,0 +1,36 @@
+rules:
+  - match: tcp dst port 23 or port 2323 or port 23231
+    type: conn_handler
+    target: telnet
+  - match: tcp dst port 1883
+    type: conn_handler
+    target: mqtt
+  - match: tcp dst port 6969
+    type: conn_handler
+    target: bittorrent
+  - match: tcp dst port 25
+    type: conn_handler
+    target: smtp
+  - match: tcp dst port 3389
+    type: conn_handler
+    target: rdp
+  - match: tcp dst port 445
+    type: conn_handler
+    target: smb
+  - match: tcp dst port 21
+    type: conn_handler
+    target: ftp
+  - match: tcp dst port 5060
+    type: conn_handler
+    target: sip
+  - match: tcp dst port 5222 or port 5223
+    type: conn_handler
+    target: jabber
+  - match: tcp dst port 11211
+    type: conn_handler
+    target: memcache
+  - match: tcp
+    type: conn_handler
+    target: tcp
+  - match: udp
+    type: drop

docker/glutton/dist/system.go

@@ -27,12 +27,12 @@ func (g *Glutton) startMonitor(quit chan struct{}) {
 		for {
 			select {
 			// case <-ticker.C:
-				// openFiles, err := countOpenFiles()
-				// if err != nil {
-					// fmt.Printf("Failed :%s", err)
-				// }
-				// runningRoutines := runtime.NumGoroutine()
-				// g.Logger.Info(fmt.Sprintf("running Go routines: %d, open files: %d", openFiles, runningRoutines))
+			// 	openFiles, err := countOpenFiles()
+			// 	if err != nil {
+			// 		fmt.Printf("Failed :%s", err)
+			// 	}
+			// 	runningRoutines := runtime.NumGoroutine()
+			// 	g.Logger.Info(fmt.Sprintf("running Go routines: %d, open files: %d", openFiles, runningRoutines))
 			case <-quit:
 				g.Logger.Info("monitoring stopped...")
 				ticker.Stop()

docker/go-pot/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21-alpine AS builder
+FROM golang:1.23-alpine AS builder
 RUN <<EOF
 apk -U add git
 mkdir -p /opt
@@ -11,19 +11,13 @@ RUN go get github.com/ua-parser/uap-go/uaparser
 RUN go mod download
 RUN CGO_ENABLED=0 GOOS=linux go build -o /opt/go-pot/go-pot
 #
-FROM alpine:3.20
+FROM scratch
 #
 COPY --from=builder /opt/go-pot/go-pot /opt/go-pot/go-pot
 COPY --from=builder /opt/go-pot/config.yml /opt/go-pot/config.yml
 #
-# Setup user, groups and configs
-RUN <<EOF
-addgroup -g 2000 go-pot
-adduser -S -s /bin/ash -u 2000 -D -g 2000 go-pot
-EOF
-#
 STOPSIGNAL SIGINT
-USER go-pot:go-pot
+USER 2000:2000
 WORKDIR /opt/go-pot
 CMD ["start", "--host", "0.0.0.0", "--config-file", "config.yml"]
 ENTRYPOINT ["./go-pot"]

docker/go-pot/Dockerfile.dev

@@ -0,0 +1,21 @@
+FROM golang:1.23-alpine AS builder
+RUN <<EOF
+apk -U add git
+mkdir -p /opt
+cd /opt
+git clone https://github.com/ryanolee/go-pot
+EOF
+WORKDIR /opt/go-pot
+#
+RUN CGO_ENABLED=0 GOOS=linux go build -o /opt/go-pot/go-pot
+#
+FROM scratch
+#
+COPY --from=builder /opt/go-pot/go-pot /opt/go-pot/go-pot
+COPY dist/config.yml /opt/go-pot/config.yml
+#
+STOPSIGNAL SIGINT
+USER 2000:2000
+WORKDIR /opt/go-pot
+CMD ["start", "--host", "0.0.0.0", "--config-file", "config.yml"]
+ENTRYPOINT ["./go-pot"]

docker/go-pot/dist/config.yml

@@ -0,0 +1,308 @@
+# Configuration reference file for go-pot
+# Please refer to config/config.go for more specifics on each field
+# Each value is the default value for the field if not specified in the configuration file
+
+# Configuration for the go-pot server
+server:
+  # If the http staller should be enabled
+  enabled: true
+
+  # Port for the go-pot server to listen on
+  port: 8080
+
+  # Host for the go-pot server to listen on
+  host: 127.0.0.1
+
+  # The network stack to listen on. One of: tcp, tcp4, tcp6
+  network: "tcp4"
+
+  # Trusted proxies for the server. This is a comma separated list of CIDR ranges, or Ip addresses (v4 or v6)
+  trusted_proxies: ""
+
+  # The header to use for the proxy header. This is the header that will be used to determine the IP address of the client
+  proxy_header: "X-Forwarded-For"
+
+  # Configuration related to access logging for the server
+  access_log:
+
+    # Given the nature of how requests are designed to hang by this service
+    # there are a number of different ways to log requests. The following are the available modes
+    #  - end: Logs the request after the request has been completed
+    #  - start: Logs the request as soon as the request is received
+    #  - both: Logs the request at both the start and the end of the request
+    #  - none: Disables access logging
+    mode: "both"
+
+    # The path to write the access log to. If this is not specified then the access log will be written to stdout
+    path: "/opt/go-pot/log/go-pot.json"
+
+    # Comma deliminated list of fields to log. The following fields are available:
+    #   - id: UUIDv4 generated for the request
+    #   - timestamp: The time the request was received in RFC3339 format
+    #   - status: The status code of the request
+    #   - src_ip: The ip of the connecting client
+    #   - method: The HTTP method of the request
+    #   - path: The path of the request
+    #   - qs: The query string of the request
+    #   - dest_port: The port the request was sent to
+    #   - type: The type of request (Always http)
+    #   - host: The host of the request
+    #   - user_agent: The user agent of the client
+    #   - browser: The browser of the client (Inferred from the user agent)
+    #   - browser_version: The version of the browser (Inferred from the user agent)
+    #   - os: The operating system of the client (Inferred from the user agent)
+    #   - os_version: The version of the operating system (Inferred from the user agent)
+    #   - device: The device of the client (Inferred from the user agent)
+    #   - device_brand: The type of device of the client (Inferred from the user agent)
+    #   - phase: "start" or "end" depending on the phase of the request
+    #   - duration: The duration of the request in milliseconds (Only available as a part of the end phase of a request)
+    #fields: "src_ip,method,path,qs,duration"
+    fields: "timestamp,id,status,src_ip,method,path,qs,dest_port,type,host,user_agent,browser,browser_version,os,os_version,device,device_brand,phase,duration"
+
+# Configuration for logging related settings for go-pot
+logging:
+  # One of: debug, info, warn, error, dpanic, panic, fatal
+  level: info
+
+  # The path to write protocol specific logs to. If this is not specified then the log will be written to stdout
+  # note that this will be overridden by protocol specific log paths
+  path: ""
+
+  # If the startup log should be enabled. This log is not written to the access log
+  startup_log_enabled: true
+
+# Clustering related settings for go-pot
+cluster:
+  # Whether or not to enable clustering
+  enabled: false
+
+  # One of: lan, wan, fargate_ecs. Please refer to config/config.go for what each mode means
+  mode: "lan"
+
+  # The cluster communication port. Please note this should not be accessible from the internet
+  bind_port: 7946
+
+  # The cluster advertise port. This should be a valid ipv4 address the pot can be reached on
+  advertise_ip: ""
+
+  # Atleast one known peer is required for clustering to work upon startup
+  known_peer_ips: ""
+
+  # If logging should be enabled for cluster communication
+  enable_logging: false
+
+  # The maximum number of connection attempts to make to a peer before giving up
+  connection_attempts: 5
+
+  # The amount of time to wait before retrying a connection to a peer
+  connection_timeout_secs: 5
+
+timeout_watcher:
+  # If the timeout watcher is enabled. In the event that this is disabled
+  enabled: true
+
+  # The number of requests that are allowed before things begin slowing down
+  grace_requests: 3
+
+  # The timeout given by requests that are in the grace set of requests in milliseconds
+  grace_timeout_ms: 100
+
+  # The TTL (in seconds) for the hot cache pool [Memory of recent requests]
+  # 1 hour
+  hot_pool_ttl_sec: 3600 
+
+  # The TTL (in seconds) for the cold cache pool [Long term memory of requests]
+  #2 days
+  cold_pool_ttl_sec: 172800 
+
+  # The maximum amount of time a given IP can be hanging before we consider the IP
+  # to be vulnerable to hanging forever on a request. Any ips that get past this threshold
+  # will always be given the longest timeout
+  # 3 minutes
+  instant_commit_threshold_ms: 180000 
+
+  # The upper bound for increasing timeouts in milliseconds. Once the timeout increases to reach this bound we will hang forever.
+  # 1 minute
+  upper_timeout_bound_ms: 60000
+
+  # The smallest timeout we will ever give im milliseconds
+  # 1 second
+  lower_timeout_bound_ms: 1000
+
+  # The amount of time to wait when hanging an IP "forever"
+  # 7 days
+  longest_timeout_ms: 604800000
+
+  # The increment we will increase timeouts by for requests with timeouts larger than 30 seconds
+  # 10 seconds
+  timeout_over_thirty_increment_ms: 10000
+
+  # The increment we will increase timeouts by for requests with timeouts smaller than 30 seconds
+  # 5 seconds
+  timeout_sub_thirty_increment_ms: 5000
+
+  # The increment we will increase timeouts by for requests with timeouts smaller than 10 seconds
+  # 1 second
+  timeout_sub_ten_increment_ms: 1000
+
+  # The number of samples to take to detect a timeout
+  sample_size: 3
+
+  # How standard deviation of the last "sample_size" requests to take before committing to a timeout
+  sample_deviation_ms: 1000
+
+# Telemetry specific configuration
+telemetry:
+  # If telemetry is enabled or not
+  enabled: false
+
+  # The node name for identifying the said node
+  node_name: ""
+
+  # Using with prometheus push gateway
+  push_gateway:
+    enabled: false
+
+    # The address of the push gateway
+    endpoint: ""
+
+    # The username for the push gateway (For basic auth)
+    username: ""
+
+    # The password for the push gateway (For basic auth)
+    password: ""
+
+    # The interval in seconds to push metrics to the push gateway
+    # Default: 60
+    push_interval_secs: 60
+
+  prometheus:
+    # If the prometheus server is enabled
+    enabled: false
+
+    # The port for the prometheus collection endpoint
+    port: 9001
+
+    # The path for the prometheus endpoint
+    path: "/metrics"
+
+  metrics:
+    # If prometheus should expose the secrets generated metric
+    track_secrets_generated: true
+
+    # If prometheus should expose the time wasted metric
+    track_time_wasted: true
+
+# "Recast" specific configuration 
+# Recasting in this context is the process of shutting down the server after a certain amount of time
+# in the event the server has not wasted enough time
+recast:
+  # If the recast system is enabled or not
+  enabled: false
+
+  # The minimum interval in minutes to wait before recasting
+  minimum_recast_interval_min: 30
+
+  # The maximum interval in minutes to wait before recasting
+  maximum_recast_interval_min: 120
+
+  # The ratio of time wasted to time spent. If the ratio is less than this value then the node should recast
+  time_wasted_ratio: 0.05
+
+# Staller specific configuration
+staller:
+  # The maximum number of open connections that can be made to the pot at any given time
+  maximum_connections: 200
+
+  # The transfer rate for the staller (bytes per second)
+  bytes_per_second: 8
+
+# Metric configuration for the FTP side of the staller
+ftp_server:
+
+  # If the fep server should be enabled or not
+  enabled: false
+
+  # Port the FTP server should bind to
+  port: 2121
+
+  # The host for the go pot server
+  host: 0.0.0.0
+
+  # The range passive FTP connections should be exposed on
+  passive_port_range: 50000-50100
+
+  # The common certificate name for Sftp connections
+  common_cert_name: ""
+
+  # Throttle related configuration. Relates to rate limiting how fast commands to the FTP server can be made
+  throttle:
+
+    # The maximum number of open pending operations
+    max_pending_operations: 10
+
+    # The amount of time to wait between operations
+    wait_time: 1000
+
+  # Options relating to file downloads
+  transfer:
+
+    # The size of each chunk to transfer (in bytes)
+    chunk_size: 1
+
+    # The rate to send each chunk with (in MS)
+    chunk_rate: 1000
+
+    # The file size in bytes (20 MB by default)
+    file_size: 20971520
+
+  # Logging configuration for the FTP server
+  logging:
+    # The path to write the command log to. If this is not specified then the command log will be written to stdout
+    path: ""
+
+    # Comma delimitated commands to log (No spaces). Please note that commands to not 1 to 1 map to FTP commands 
+    # but relate to internal commands made to the "fake" filesystem the FTP client exposes.
+    # The following commands are available:
+    # - all: Logs all commands (Except for commands that are called often)
+    # - all_detailed: Logs all commands (Including commands that are called often)
+    # - create_file: Logs when a file is created including the file name as "path"
+    # - create_directory: Logs when a directory is created including the directory name as "path" and the permissions as "perm"
+    # - create_directory_recursive: Logs when a directory is created recursively including the directory name as "path"  and the permissions as "perm"
+    # - open: Called when a resource is opened includes the resource name as "path"
+    # - open_file: Called when a file is opened includes the file name as "path"
+    # - remove: Called when a resource is removed includes the resource name as "path"
+    # - remove_all: Called when a resource is removed recursively includes the resource name as "path"
+    # - rename: Called when a resource is renamed includes the resource name as "path" and the new name as "new_path"
+    # - stat: Called when a resource status is checked includes the resource name as "path"
+    # - chown: Called when a resource owner is changed includes the resource name as "path" and the new owner id as "uid" and the owner group id as "gid"
+    # - chtimes: Called when a resource time is changed includes the resource name as "path" and the new times as "atime" (Access time) and "mtime" (Modified time)
+    # - close_file: Called when a file is closed includes the file name as "path"
+    # - read_file: [Called often!] Called when a file is read includes the file name as "path" and the number of bytes requested as "data_requested"
+    # - read_file_at: [Called often!] Called when a file is read at a specific location includes the file name as "path" and the number of bytes requested as "data_requested" and the offset as "offset"
+    # - seek_file: Called when a file is seeked includes the file name as "path" and the offset as "offset" and the where to read to as "whence"
+    # - write_file: [Called often!] Called when a file is written to includes the file name as "path" and the number of bytes written as "data_written"
+    # - write_file_at: [Called often!] Called when a file is written to at a specific location includes the file name as "path" and the number of bytes written as "data_written" and the offset as "offset"
+    # - read_dir: Called when a directory is listed includes the directory name as "path" 
+    # - read_dir_names: Called when a directory is listed includes the directory name as "path"
+    # - sync: Called when a resource is synced includes the resource name as "path"
+    # - truncate: Called when a file is truncated includes the file name as "path" and the new size as "size"
+    # - write_string: Called when a string is written to a file includes the file name as "path" and the number of bytes written as "data_written"
+    # - client_connected: Called when a client connects to the FTP server 
+    # - client_disconnected: Called when a client disconnects from the FTP server
+    # - auth_user: Called when a user authenticates includes includes the client ip as "client_ip", the client version as "client_version", the client username as "user", the client password as "pass"
+    commands_to_log: "all"
+
+    # Comma delimitated fields to log (No spaces). Thease are extra fields added to EVERY log line for the FTP server
+    # The following fields are available:
+    #  - id: The ID of the connected client
+    #  - dest_addr: The destination address of the client
+    #  - dest_port: The destination port of the client
+    #  - dest_host: The destination host of the client
+    #  - src_addr: The source address of the client
+    #  - src_port: The source port of the client
+    #  - src_host: The source host of the client
+    #  - client_version: The version of the client if one is given
+    #  - type: always "ftp"
+    #  - none: No fields
+    additional_fields: "id"

docker/h0neytr4p/Dockerfile

@@ -1,8 +1,8 @@
-FROM golang:1.21-alpine AS builder
+FROM golang:1.23-alpine AS builder
 WORKDIR /app
 #
 RUN apk -U add git openssl
-RUN git clone https://github.com/t3chn0m4g3/h0neytr4p -b v0.32 /app
+RUN git clone https://github.com/t3chn0m4g3/h0neytr4p -b v0.33 /app
 RUN go mod download
 RUN go mod tidy
 RUN go build -o /app/main

docker/hellpot/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21-alpine AS builder
+FROM golang:1.23-alpine AS builder
 #
 # Include dist
 COPY dist/ /root/dist/
@@ -13,8 +13,7 @@ RUN apk --no-cache -U add \
     cd /root && \
     git clone https://github.com/yunginnanet/HellPot && \
     cd HellPot && \
-    git checkout 3673ab0228664fb3acd33102be5c7a5867137eb5 && \
-    # git checkout 49433bf499b6af314786cbbc3cb8566cdb18c40c && \
+    git checkout c48b70110148918255f93df4fa49c675ba5a5754 && \
     sed -i 's#logFileName := "HellPot"#logFileName := "hellpot"#g' internal/config/logger.go && \
     go mod download && \
     go vet -v ./... && \
@@ -25,17 +24,12 @@ RUN apk --no-cache -U add \
 		-ldflags "-s -w -X main.version=$VERSION" \
 		cmd/HellPot/HellPot.go
 #
-FROM alpine:3.19
+FROM scratch
 #
 COPY --from=builder /root/HellPot/HellPot /opt/hellpot/
 COPY --from=builder /root/dist/config.toml /opt/hellpot/config/
 #
-# Setup user, groups and configs
-RUN addgroup -g 2000 hellpot && \
-    adduser -S -s /bin/ash -u 2000 -D -g 2000 hellpot && \
-    mkdir -p /var/log/hellpot
-#
 # Start hellpot
 WORKDIR /opt/hellpot
-USER hellpot:hellpot
+USER 2000:2000
 CMD ["./HellPot", "-c","config/config.toml"]

docker/tpotinit/dist/bin/rules.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 ### Vars, Ports for Standard services
-myHOSTPORTS="7634 64294 64295"
+myHOSTPORTS="7634 64294 64295 64296 64297 64298 64299 64303 64305"
 myDOCKERCOMPOSEYML="$1"
 myRULESFUNCTION="$2"