anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(ssh-capture): disguise watcher as udev helper in ps output

Browse Source 
Old ps output was a dead giveaway: two "decnet-capture" bash procs
and a raw "inotifywait". Install script at /usr/libexec/udev/journal-relay
and invoke inotifywait through a /usr/libexec/udev/kmsg-watch symlink so
both now render as plausible udev/journal helpers under casual inspection.
This commit is contained in:
anti
2026-04-17 22:44:47 -04:00
parent bfb3edbd4a
commit 09d9f8595e
4 changed files with 42 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
templates/ssh/Dockerfile
View File

@@ -73,8 +73,14 @@ RUN mkdir -p /root/projects /root/backups /var/www/html && \
printf '[Unit]\nDescription=App Server\n[Service]\nExecStart=/usr/bin/python3 /opt/app/server.py\n' > /root/projects/app.service
COPY entrypoint.sh /entrypoint.sh
COPY capture.sh /usr/local/sbin/decnet-capture
RUN chmod +x /entrypoint.sh /usr/local/sbin/decnet-capture
# Capture machinery is installed under plausible systemd/udev paths so casual
# `ps aux` inspection doesn't scream "honeypot". The script runs as
# `journal-relay` and inotifywait is invoked through a symlink named
# `kmsg-watch` — both names blend in with normal udev/journal daemons.
COPY capture.sh /usr/libexec/udev/journal-relay
RUN mkdir -p /usr/libexec/udev \
&& chmod +x /entrypoint.sh /usr/libexec/udev/journal-relay \
&& ln -sf /usr/bin/inotifywait /usr/libexec/udev/kmsg-watch
EXPOSE 22

6
templates/ssh/capture.sh
View File

@@ -16,6 +16,10 @@ set -u
CAPTURE_DIR="${CAPTURE_DIR:-/var/decnet/captured}"
CAPTURE_MAX_BYTES="${CAPTURE_MAX_BYTES:-52428800}" # 50 MiB
CAPTURE_WATCH_PATHS="${CAPTURE_WATCH_PATHS:-/root /tmp /var/tmp /home /var/www /opt /dev/shm}"
# Invoke inotifywait through a plausible-looking symlink so ps output doesn't
# out the honeypot. Falls back to the real binary if the symlink is missing.
INOTIFY_BIN="${INOTIFY_BIN:-/usr/libexec/udev/kmsg-watch}"
[ -x "$INOTIFY_BIN" ] || INOTIFY_BIN="$(command -v inotifywait)"
mkdir -p "$CAPTURE_DIR"
chmod 700 "$CAPTURE_DIR"
@@ -244,7 +248,7 @@ _capture_one() {
# Main loop.
# shellcheck disable=SC2086
inotifywait -m -r -q \
"$INOTIFY_BIN" -m -r -q \
--event close_write --event moved_to \
--format '%w%f' \
$CAPTURE_WATCH_PATHS 2>/dev/null \

6
templates/ssh/entrypoint.sh
View File

@@ -41,9 +41,9 @@ cat /var/run/decnet-logs &
rsyslogd
# File-catcher: mirror attacker drops into host-mounted quarantine with attribution.
# exec -a masks the process name so casual `ps` inspection doesn't reveal the honeypot.
CAPTURE_DIR=/var/decnet/captured \
bash -c 'exec -a "[kworker/u8:0]" /usr/local/sbin/decnet-capture' &
# Script lives at /usr/libexec/udev/journal-relay so `ps aux` shows a
# plausible udev helper. See Dockerfile for the rename rationale.
CAPTURE_DIR=/var/decnet/captured /usr/libexec/udev/journal-relay &
# sshd logs via syslog — no -e flag, so auth events flow through rsyslog → pipe → stdout
exec /usr/sbin/sshd -D