fix(telnet): replace Cowrie with real busybox telnetd + rsyslog logging

Cowrie was exposing an SSH daemon on port 22 alongside the telnet service even when COWRIE_SSH_ENABLED=false, contaminating deployments that did not request an SSH service. New implementation mirrors the SSH service pattern: - busybox telnetd in foreground mode on port 23 - /bin/login for real PAM authentication (brute-force attempts logged) - rsyslog RFC 5424 bridge piped to stdout for Docker log capture - Configurable root password and hostname via env vars - No Cowrie dependency
2026-04-12 00:34:45 -04:00
parent c384a3103a
commit 65d585569b
68 changed files with 142 additions and 271 deletions
--- a/templates/telnet/Dockerfile
+++ b/templates/telnet/Dockerfile
@@ -0,0 +1,48 @@
+ARG BASE_IMAGE=debian:bookworm-slim
+FROM ${BASE_IMAGE}
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    busybox \
+    rsyslog \
+    procps \
+    net-tools \
+    && rm -rf /var/lib/apt/lists/*
+
+# rsyslog: forward auth.* and user.* to named pipe in RFC 5424 format
+RUN printf '%s\n' \
+    '# DECNET log bridge — auth + user events → named pipe as RFC 5424' \
+    '$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
+    'auth,authpriv.*  |/var/run/decnet-logs;RFC5424fmt' \
+    'user.*           |/var/run/decnet-logs;RFC5424fmt' \
+    > /etc/rsyslog.d/99-decnet.conf
+
+# Silence default catch-all rules
+RUN sed -i \
+    -e 's|^\(\*\.\*;auth,authpriv\.none\)|#\1|' \
+    -e 's|^auth,authpriv\.\*|#auth,authpriv.*|' \
+    /etc/rsyslog.conf
+
+# Realistic motd and issue banner
+RUN echo "Ubuntu 20.04.6 LTS" > /etc/issue.net && \
+    echo "Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-150-generic x86_64)" > /etc/motd && \
+    echo "" >> /etc/motd && \
+    echo " * Documentation:  https://help.ubuntu.com" >> /etc/motd
+
+# Fake lived-in files
+RUN mkdir -p /root/scripts /root/backups && \
+    printf '#!/bin/bash\n# DB backup script\nmysqldump -u root -padmin prod_db > /root/backups/db.sql\n' > /root/scripts/backup.sh && \
+    printf 'DB_HOST=10.0.0.5\nDB_USER=admin\nDB_PASS=changeme123\n' > /root/.env && \
+    printf 'alias ll="ls -alF"\nalias la="ls -A"\nexport HISTSIZE=1000\n' >> /root/.bashrc
+
+# Log bash commands via syslog
+RUN echo 'PROMPT_COMMAND='"'"'logger -p user.info -t bash "CMD uid=$UID pwd=$PWD cmd=$(history 1 | sed "s/^ *[0-9]* *//")";'"'" >> /root/.bashrc
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 23
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD kill -0 1 || exit 1
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/templates/telnet/entrypoint.sh
+++ b/templates/telnet/entrypoint.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+
+# Configure root password (default: admin)
+ROOT_PASSWORD="${TELNET_ROOT_PASSWORD:-admin}"
+echo "root:${ROOT_PASSWORD}" | chpasswd
+
+# Optional: override hostname inside container
+if [ -n "$TELNET_HOSTNAME" ]; then
+    echo "$TELNET_HOSTNAME" > /etc/hostname
+    hostname "$TELNET_HOSTNAME"
+fi
+
+# Fake bash history so the box looks used
+if [ ! -f /root/.bash_history ]; then
+    cat > /root/.bash_history <<'HIST'
+apt update && apt upgrade -y
+systemctl status mysql
+tail -f /var/log/syslog
+df -h
+ps aux
+cd /root/scripts
+bash backup.sh
+crontab -e
+ls /root/backups
+cat /root/.env
+HIST
+fi
+
+# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout
+mkfifo /var/run/decnet-logs
+
+# Relay pipe to stdout so Docker captures all syslog events
+cat /var/run/decnet-logs &
+
+# Start rsyslog
+rsyslogd
+
+# busybox telnetd: foreground mode, real /bin/login for PAM auth logging
+exec busybox telnetd -F -l /bin/login -p 23