fix(telnet): replace Cowrie with real busybox telnetd + rsyslog logging

Cowrie was exposing an SSH daemon on port 22 alongside the telnet service even when COWRIE_SSH_ENABLED=false, contaminating deployments that did not request an SSH service. New implementation mirrors the SSH service pattern: - busybox telnetd in foreground mode on port 23 - /bin/login for real PAM authentication (brute-force attempts logged) - rsyslog RFC 5424 bridge piped to stdout for Docker log capture - Configurable root password and hostname via env vars - No Cowrie dependency
2026-04-12 00:34:45 -04:00
parent c384a3103a
commit 65d585569b
68 changed files with 142 additions and 271 deletions
--- a/decnet.db-shm
+++ b/decnet.db-shm
--- a/decnet.db-wal
+++ b/decnet.db-wal
--- a/decnet/services/telnet.py
+++ b/decnet/services/telnet.py
@@ -1,31 +1,47 @@
 from pathlib import Path
 from decnet.services.base import BaseService
 TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "telnet"
 class TelnetService(BaseService):
    """
    Real telnetd using busybox telnetd + rsyslog logging pipeline.
    Replaced Cowrie emulation (which also started an SSH daemon on port 22)
    with a real busybox telnetd so only port 23 is exposed and auth events
    are logged as RFC 5424 via the same rsyslog bridge used by the SSH service.
    service_cfg keys:
        password    Root password (default: "admin")
        hostname    Override container hostname
    """
    name = "telnet"
    ports = [23]
-    default_image = "cowrie/cowrie"
+    default_image = "build"
-    def compose_fragment(self, decky_name: str, log_target: str | None = None, service_cfg: dict | None = None) -> dict:
+    def compose_fragment(
        self,
        decky_name: str,
        log_target: str | None = None,
        service_cfg: dict | None = None,
    ) -> dict:
        cfg = service_cfg or {}
        env: dict = {
-            "COWRIE_HONEYPOT_HOSTNAME": decky_name,
+            "TELNET_ROOT_PASSWORD": cfg.get("password", "admin"),
            "COWRIE_TELNET_ENABLED": "true",
            "COWRIE_TELNET_LISTEN_ENDPOINTS": "tcp:23:interface=0.0.0.0",
            # Disable SSH so this container is telnet-only
            "COWRIE_SSH_ENABLED": "false",
        }
-        if log_target:
+        if "hostname" in cfg:
-            host, port = log_target.rsplit(":", 1)
+            env["TELNET_HOSTNAME"] = cfg["hostname"]
-            env["COWRIE_OUTPUT_TCP_ENABLED"] = "true"
+
            env["COWRIE_OUTPUT_TCP_HOST"] = host
            env["COWRIE_OUTPUT_TCP_PORT"] = port
        return {
-            "image": "cowrie/cowrie",
+            "build": {"context": str(TEMPLATES_DIR)},
            "container_name": f"{decky_name}-telnet",
            "restart": "unless-stopped",
            "cap_add": ["NET_BIND_SERVICE"],
            "environment": env,
        }
-    def dockerfile_context(self):
+    def dockerfile_context(self) -> Path:
-        return None
+        return TEMPLATES_DIR
--- a/templates/telnet/Dockerfile
+++ b/templates/telnet/Dockerfile
@@ -0,0 +1,48 @@
 ARG BASE_IMAGE=debian:bookworm-slim
 FROM ${BASE_IMAGE}
 RUN apt-get update && apt-get install -y --no-install-recommends \
    busybox \
    rsyslog \
    procps \
    net-tools \
    && rm -rf /var/lib/apt/lists/*
 # rsyslog: forward auth.* and user.* to named pipe in RFC 5424 format
 RUN printf '%s\n' \
    '# DECNET log bridge — auth + user events → named pipe as RFC 5424' \
    '$template RFC5424fmt,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"' \
    'auth,authpriv.*  |/var/run/decnet-logs;RFC5424fmt' \
    'user.*           |/var/run/decnet-logs;RFC5424fmt' \
    > /etc/rsyslog.d/99-decnet.conf
 # Silence default catch-all rules
 RUN sed -i \
    -e 's|^\(\*\.\*;auth,authpriv\.none\)|#\1|' \
    -e 's|^auth,authpriv\.\*|#auth,authpriv.*|' \
    /etc/rsyslog.conf
 # Realistic motd and issue banner
 RUN echo "Ubuntu 20.04.6 LTS" > /etc/issue.net && \
    echo "Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-150-generic x86_64)" > /etc/motd && \
    echo "" >> /etc/motd && \
    echo " * Documentation:  https://help.ubuntu.com" >> /etc/motd
 # Fake lived-in files
 RUN mkdir -p /root/scripts /root/backups && \
    printf '#!/bin/bash\n# DB backup script\nmysqldump -u root -padmin prod_db > /root/backups/db.sql\n' > /root/scripts/backup.sh && \
    printf 'DB_HOST=10.0.0.5\nDB_USER=admin\nDB_PASS=changeme123\n' > /root/.env && \
    printf 'alias ll="ls -alF"\nalias la="ls -A"\nexport HISTSIZE=1000\n' >> /root/.bashrc
 # Log bash commands via syslog
 RUN echo 'PROMPT_COMMAND='"'"'logger -p user.info -t bash "CMD uid=$UID pwd=$PWD cmd=$(history 1 | sed "s/^ *[0-9]* *//")";'"'" >> /root/.bashrc
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 EXPOSE 23
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD kill -0 1 || exit 1
 ENTRYPOINT ["/entrypoint.sh"]
--- a/templates/telnet/entrypoint.sh
+++ b/templates/telnet/entrypoint.sh
@@ -0,0 +1,40 @@
 #!/bin/bash
 set -e
 # Configure root password (default: admin)
 ROOT_PASSWORD="${TELNET_ROOT_PASSWORD:-admin}"
 echo "root:${ROOT_PASSWORD}" | chpasswd
 # Optional: override hostname inside container
 if [ -n "$TELNET_HOSTNAME" ]; then
    echo "$TELNET_HOSTNAME" > /etc/hostname
    hostname "$TELNET_HOSTNAME"
 fi
 # Fake bash history so the box looks used
 if [ ! -f /root/.bash_history ]; then
    cat > /root/.bash_history <<'HIST'
 apt update && apt upgrade -y
 systemctl status mysql
 tail -f /var/log/syslog
 df -h
 ps aux
 cd /root/scripts
 bash backup.sh
 crontab -e
 ls /root/backups
 cat /root/.env
 HIST
 fi
 # Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout
 mkfifo /var/run/decnet-logs
 # Relay pipe to stdout so Docker captures all syslog events
 cat /var/run/decnet-logs &
 # Start rsyslog
 rsyslogd
 # busybox telnetd: foreground mode, real /bin/login for PAM auth logging
 exec busybox telnetd -F -l /bin/login -p 23
--- a/tests/.hypothesis/constants/071376f7808c803b
+++ b/tests/.hypothesis/constants/071376f7808c803b
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/cli.py
 # hypothesis_version: 6.151.11
 [8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--log-target', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']
--- a/tests/.hypothesis/constants/0ba82ca4ea63f3bc
+++ b/tests/.hypothesis/constants/0ba82ca4ea63f3bc
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/.venv/bin/pytest
 # hypothesis_version: 6.151.12
 ['__main__']
--- a/tests/.hypothesis/constants/0ddcef3521551894
+++ b/tests/.hypothesis/constants/0ddcef3521551894
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/env.py
 # hypothesis_version: 6.151.11
 ['.env', '.env.local', '0.0.0.0', '8000', '8080', 'DECNET_ADMIN_USER', 'DECNET_API_HOST', 'DECNET_API_PORT', 'DECNET_DEVELOPER', 'DECNET_JWT_SECRET', 'DECNET_WEB_HOST', 'DECNET_WEB_PORT', 'False', 'admin', 'true']
--- a/tests/.hypothesis/constants/15d50d1e53b9b5c3
+++ b/tests/.hypothesis/constants/15d50d1e53b9b5c3
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/tftp.py
 # hypothesis_version: 6.151.12
 ['LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'restart', 'templates', 'tftp', 'unless-stopped']
--- a/tests/.hypothesis/constants/19d5adc9efd5ec68
+++ b/tests/.hypothesis/constants/19d5adc9efd5ec68
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/ingester.py
 # hypothesis_version: 6.151.11
 ['.json', 'decnet.web.ingester', 'r', 'replace', 'utf-8']
--- a/tests/.hypothesis/constants/1f005a833d034313
+++ b/tests/.hypothesis/constants/1f005a833d034313
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/logging/forwarder.py
 # hypothesis_version: 6.151.12
 [2.0, ':']
--- a/tests/.hypothesis/constants/1f12b014d4fe2068
+++ b/tests/.hypothesis/constants/1f12b014d4fe2068
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/mongodb.py
 # hypothesis_version: 6.151.12
 [27017, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'mongodb', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/219a36e8b671f84b
+++ b/tests/.hypothesis/constants/219a36e8b671f84b
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/repository.py
 # hypothesis_version: 6.151.11
 []
--- a/tests/.hypothesis/constants/2220ccbe8a25f02d
+++ b/tests/.hypothesis/constants/2220ccbe8a25f02d
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/snmp.py
 # hypothesis_version: 6.151.12
 [161, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'restart', 'snmp', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/2db3d63e8d96a289
+++ b/tests/.hypothesis/constants/2db3d63e8d96a289
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/deployer.py
 # hypothesis_version: 6.151.12
 [5.0, ', ', '--build', '--no-cache', '--watch', '-d', '-f', 'DECNET Deckies', 'Decky', 'Deployed Deckies', 'Hostname', 'IP', 'IPvlan', 'IPvlan L2', 'MACVLAN', 'Services', 'Status', '[green]up[/]', '[red]degraded[/]', 'absent', 'bold', 'build', 'cmdline', 'compose', 'decnet-compose.yml', 'decnet.cli', 'decnet.web.api:app', 'docker', 'down', 'green', 'manifest for', 'manifest unknown', 'mutate', 'name', 'not found', 'pid', 'pull access denied', 'red', 'rm', 'running', 'stop', 'up', 'uvicorn']
--- a/tests/.hypothesis/constants/2f0b53ebdb35c4e1
+++ b/tests/.hypothesis/constants/2f0b53ebdb35c4e1
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/sip.py
 # hypothesis_version: 6.151.12
 [5060, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'restart', 'sip', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/30a7ffe86227f7f1
+++ b/tests/.hypothesis/constants/30a7ffe86227f7f1
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/mssql.py
 # hypothesis_version: 6.151.12
 [1433, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'mssql', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/349ec22a74b50191
+++ b/tests/.hypothesis/constants/349ec22a74b50191
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/composer.py
 # hypothesis_version: 6.151.11
 ['/var/log/decnet', '3.8', 'BASE_IMAGE', 'DECNET_LOG_FILE', 'HOSTNAME', 'NET_ADMIN', 'args', 'bridge', 'build', 'cap_add', 'command', 'container_name', 'decnet_logs', 'depends_on', 'driver', 'environment', 'external', 'hostname', 'image', 'infinity', 'internal', 'ipv4_address', 'network_mode', 'networks', 'restart', 'services', 'sleep', 'sysctls', 'unless-stopped', 'version', 'volumes']
--- a/tests/.hypothesis/constants/37d6bf6c6c0b58e6
+++ b/tests/.hypothesis/constants/37d6bf6c6c0b58e6
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/elasticsearch.py
 # hypothesis_version: 6.151.12
 [9200, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'elasticsearch', 'environment', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/3cc47bb868bcb8f4
+++ b/tests/.hypothesis/constants/3cc47bb868bcb8f4
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/telnet.py
 # hypothesis_version: 6.151.12
 [':', 'COWRIE_SSH_ENABLED', 'NET_BIND_SERVICE', 'cap_add', 'container_name', 'cowrie/cowrie', 'environment', 'false', 'image', 'restart', 'telnet', 'true', 'unless-stopped']
--- a/tests/.hypothesis/constants/42a1dcb5c22b1ac1
+++ b/tests/.hypothesis/constants/42a1dcb5c22b1ac1
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/ini_loader.py
 # hypothesis_version: 6.151.11
 [100, 512, 1024, ',', '.', '1', '[', ']', 'amount', 'archetype', 'binary', 'custom-', 'exceeds maximum', 'exec', 'general', 'gw', 'interface', 'ip', 'log-target', 'log_target', 'mutate-interval', 'mutate_interval', 'net', 'nmap-os', 'nmap_os', 'ports', 'services']
--- a/tests/.hypothesis/constants/507a3145954fca93
+++ b/tests/.hypothesis/constants/507a3145954fca93
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/http.py
 # hypothesis_version: 6.151.12
 [443, '/opt/html_files', 'CUSTOM_BODY', 'EXTRA_HEADERS', 'FAKE_APP', 'FILES_DIR', 'LOG_TARGET', 'NODE_NAME', 'RESPONSE_CODE', 'SERVER_HEADER', 'build', 'container_name', 'context', 'custom_body', 'environment', 'extra_headers', 'fake_app', 'files', 'http', 'response_code', 'restart', 'server_header', 'templates', 'unless-stopped', 'volumes']
--- a/tests/.hypothesis/constants/53a42446f9f19b20
+++ b/tests/.hypothesis/constants/53a42446f9f19b20
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/ftp.py
 # hypothesis_version: 6.151.12
 ['LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'ftp', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/574dbe54f9b23d3e
+++ b/tests/.hypothesis/constants/574dbe54f9b23d3e
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/correlation/engine.py
 # hypothesis_version: 6.151.11
 [3600, ',', 'Attacker IP', 'Deckies', 'Duration', 'Events', 'First Seen', 'Traversal Path', 'bold red', 'correlator', 'cyan', 'decnet-correlator', 'dim', 'events_indexed', 'lines_parsed', 'right', 'stats', 'traversal_detected', 'traversals', 'unique_ips', 'yellow']
--- a/tests/.hypothesis/constants/5a5554db0771f35b
+++ b/tests/.hypothesis/constants/5a5554db0771f35b
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/repository.py
 # hypothesis_version: 6.151.11
 []
--- a/tests/.hypothesis/constants/5feefba3d1c668ca
+++ b/tests/.hypothesis/constants/5feefba3d1c668ca
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/ingester.py
 # hypothesis_version: 6.151.11
 ['.json', 'attacker_ip', 'bounty_type', 'credential', 'decky', 'decnet.web.ingester', 'fields', 'password', 'payload', 'r', 'replace', 'service', 'username', 'utf-8']
--- a/tests/.hypothesis/constants/62e387790ed5b79f
+++ b/tests/.hypothesis/constants/62e387790ed5b79f
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/vnc.py
 # hypothesis_version: 6.151.12
 [5900, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'restart', 'templates', 'unless-stopped', 'vnc']
--- a/tests/.hypothesis/constants/66bd79275cd609e8
+++ b/tests/.hypothesis/constants/66bd79275cd609e8
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/correlation/parser.py
 # hypothesis_version: 6.151.11
 ['"', '-', '\\', '\\"', '\\\\', '\\]', ']', 'client_ip', 'ip', 'remote_ip', 'src', 'src_ip']
--- a/tests/.hypothesis/constants/76302489300fdc45
+++ b/tests/.hypothesis/constants/76302489300fdc45
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/config.py
 # hypothesis_version: 6.151.11
 [0.0, ':', 'compose_path', 'config', 'debian', 'debian:bookworm-slim', 'decnet-state.json', 'linux', 'log_target', 'services', 'swarm', 'unihost']
--- a/tests/.hypothesis/constants/77b4b42ea3b9c9bf
+++ b/tests/.hypothesis/constants/77b4b42ea3b9c9bf
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/llmnr.py
 # hypothesis_version: 6.151.12
 [5353, 5355, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'llmnr', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/79661beef79449a5
+++ b/tests/.hypothesis/constants/79661beef79449a5
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/registry.py
 # hypothesis_version: 6.151.11
 ['base', 'decnet.services.', 'registry']
--- a/tests/.hypothesis/constants/7f9302a54093ce41
+++ b/tests/.hypothesis/constants/7f9302a54093ce41
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/correlation/__init__.py
 # hypothesis_version: 6.151.11
 ['AttackerTraversal', 'CorrelationEngine', 'LogEvent', 'TraversalHop', 'parse_line']
--- a/tests/.hypothesis/constants/8029f0494746966f
+++ b/tests/.hypothesis/constants/8029f0494746966f
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/ldap.py
 # hypothesis_version: 6.151.12
 [389, 636, 'LOG_TARGET', 'NET_BIND_SERVICE', 'NODE_NAME', 'build', 'cap_add', 'container_name', 'context', 'environment', 'ldap', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/87dce71ef389d477
+++ b/tests/.hypothesis/constants/87dce71ef389d477
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/mqtt.py
 # hypothesis_version: 6.151.12
 [1883, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'mqtt', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/8b9368be0f77a253
+++ b/tests/.hypothesis/constants/8b9368be0f77a253
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/custom_service.py
 # hypothesis_version: 6.151.12
 ['-', 'LOG_TARGET', 'NODE_NAME', '_', 'command', 'container_name', 'environment', 'image', 'restart', 'unless-stopped']
--- a/tests/.hypothesis/constants/8c8bf0135bf44b74
+++ b/tests/.hypothesis/constants/8c8bf0135bf44b74
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/api.py
 # hypothesis_version: 6.151.11
 [0.5, 400, 404, 500, 512, 1000, 1024, '*', '/api/v1/auth/login', '/api/v1/bounty', '/api/v1/deckies', '/api/v1/logs', '/api/v1/stats', '/api/v1/stream', '/docs', '/openapi.json', '/redoc', '1.0.0', 'Authentication', 'Authorization', 'Bearer', 'Bearer ', 'Bounty Vault', 'Decky not found', 'Fleet Management', 'Logs', 'No active deployment', 'Observability', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'decnet.web.api', 'histogram', 'id', 'lastEventId', 'limit', 'logs', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'stats', 'text/event-stream', 'token', 'token_type', 'total', 'type', 'unihost', 'username', 'uuid']
--- a/tests/.hypothesis/constants/8c9335cb8231944a
+++ b/tests/.hypothesis/constants/8c9335cb8231944a
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/docker_api.py
 # hypothesis_version: 6.151.12
 [2375, 2376, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'docker_api', 'environment', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/8e330e30c399dccc
+++ b/tests/.hypothesis/constants/8e330e30c399dccc
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/real_ssh.py
 # hypothesis_version: 6.151.12
 ['NET_BIND_SERVICE', 'SSH_HOSTNAME', 'SSH_ROOT_PASSWORD', 'admin', 'build', 'cap_add', 'container_name', 'context', 'environment', 'hostname', 'password', 'real_ssh', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/9193e12e937c9da2
+++ b/tests/.hypothesis/constants/9193e12e937c9da2
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/logging/syslog_formatter.py
 # hypothesis_version: 6.151.11
 [255, '"', '-', '1', '\\', '\\"', '\\\\', '\\]', ']', 'decnet@55555']
--- a/tests/.hypothesis/constants/952b61539a326753
+++ b/tests/.hypothesis/constants/952b61539a326753
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/ssh.py
 # hypothesis_version: 6.151.12
 [2222, ':', 'COWRIE_HOSTNAME', 'COWRIE_SSH_VERSION', 'NET_BIND_SERVICE', 'NODE_NAME', 'build', 'cap_add', 'container_name', 'context', 'cowrie', 'environment', 'hardware_platform', 'kernel_build_string', 'kernel_version', 'restart', 'ssh', 'ssh_banner', 'templates', 'true', 'unless-stopped', 'users']
--- a/tests/.hypothesis/constants/95eb634544ca6000
+++ b/tests/.hypothesis/constants/95eb634544ca6000
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/smb.py
 # hypothesis_version: 6.151.12
 [139, 445, 'LOG_TARGET', 'NET_BIND_SERVICE', 'NODE_NAME', 'build', 'cap_add', 'container_name', 'context', 'environment', 'restart', 'smb', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/996aa9c745349122
+++ b/tests/.hypothesis/constants/996aa9c745349122
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/base.py
 # hypothesis_version: 6.151.11
 []
--- a/tests/.hypothesis/constants/9f85e820bb1eb903
+++ b/tests/.hypothesis/constants/9f85e820bb1eb903
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/distros.py
 # hypothesis_version: 6.151.11
 ['Alpine Linux 3.19', 'Arch Linux', 'CentOS 7', 'Debian 12 (Bookworm)', 'Fedora 39', 'Kali Linux (Rolling)', 'Rocky Linux 9', 'alpha', 'alpine', 'alpine:3.19', 'arch', 'archlinux:latest', 'backup', 'bravo', 'centos7', 'centos:7', 'charlie', 'db', 'debian', 'debian:bookworm-slim', 'delta', 'dev', 'echo', 'fedora', 'fedora:39', 'files', 'foxtrot', 'generic', 'golf', 'hotel', 'india', 'juliet', 'kali', 'kilo', 'lima', 'mail', 'mike', 'minimal', 'monitor', 'nova', 'oscar', 'prod', 'proxy', 'rhel', 'rocky9', 'rockylinux:9-minimal', 'rolling', 'stage', 'ubuntu20', 'ubuntu22', 'ubuntu:20.04', 'ubuntu:22.04', 'web']
--- a/tests/.hypothesis/constants/a115dde40ee13bf8
+++ b/tests/.hypothesis/constants/a115dde40ee13bf8
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/mysql.py
 # hypothesis_version: 6.151.12
 [3306, 'LOG_TARGET', 'MYSQL_VERSION', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'mysql', 'restart', 'templates', 'unless-stopped', 'version']
--- a/tests/.hypothesis/constants/a3207e9522fed10c
+++ b/tests/.hypothesis/constants/a3207e9522fed10c
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/api.py
 # hypothesis_version: 6.151.11
 [1000, '*', '/api/v1/auth/login', '/api/v1/logs', '/api/v1/stats', '1.0.0', 'Bearer', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'limit', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'token_type', 'total', 'username', 'uuid']
--- a/tests/.hypothesis/constants/a36433a7a8a46f4d
+++ b/tests/.hypothesis/constants/a36433a7a8a46f4d
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/smtp.py
 # hypothesis_version: 6.151.12
 [587, 'LOG_TARGET', 'NET_BIND_SERVICE', 'NODE_NAME', 'SMTP_BANNER', 'SMTP_MTA', 'banner', 'build', 'cap_add', 'container_name', 'context', 'environment', 'mta', 'restart', 'smtp', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/a36bdeb88e27cda2
+++ b/tests/.hypothesis/constants/a36bdeb88e27cda2
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/postgres.py
 # hypothesis_version: 6.151.12
 [5432, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'postgres', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/a4b0cd024dec37b3
+++ b/tests/.hypothesis/constants/a4b0cd024dec37b3
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/pop3.py
 # hypothesis_version: 6.151.12
 [110, 995, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'pop3', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/a92a9b5d6ef7fbda
+++ b/tests/.hypothesis/constants/a92a9b5d6ef7fbda
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/os_fingerprint.py
 # hypothesis_version: 6.151.11
 ['128', '2', '255', '3', '6', '64', 'bsd', 'cisco', 'embedded', 'linux', 'windows']
--- a/tests/.hypothesis/constants/ad18d933a368774b
+++ b/tests/.hypothesis/constants/ad18d933a368774b
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/archetypes.py
 # hypothesis_version: 6.151.11
 [', ', 'Database Server', 'DevOps Host', 'Domain Controller', 'File Server', 'IoT Device', 'Linux Server', 'Mail Server', 'Monitoring Node', 'Network Printer', 'VoIP Server', 'Web Server', 'Windows Server', 'Windows Workstation', 'alpine', 'conpot', 'database-server', 'deaddeck', 'debian', 'devops-host', 'docker_api', 'domain-controller', 'embedded', 'fedora', 'file-server', 'ftp', 'http', 'imap', 'industrial-control', 'iot-device', 'k8s', 'ldap', 'linux', 'linux-server', 'llmnr', 'mail-server', 'monitoring-node', 'mqtt', 'mysql', 'pop3', 'postgres', 'printer', 'rdp', 'real_ssh', 'redis', 'rocky9', 'sip', 'smb', 'smtp', 'snmp', 'ssh', 'telnet', 'ubuntu20', 'ubuntu22', 'voip-server', 'web-server', 'windows', 'windows-server', 'windows-workstation']
--- a/tests/.hypothesis/constants/b0cdd7ca461ac3a7
+++ b/tests/.hypothesis/constants/b0cdd7ca461ac3a7
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/k8s.py
 # hypothesis_version: 6.151.12
 [6443, 8080, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'k8s', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/b3ae76f264e289ba
+++ b/tests/.hypothesis/constants/b3ae76f264e289ba
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/redis.py
 # hypothesis_version: 6.151.12
 [6379, 'LOG_TARGET', 'NODE_NAME', 'REDIS_OS', 'REDIS_VERSION', 'build', 'container_name', 'context', 'environment', 'os_string', 'redis', 'restart', 'templates', 'unless-stopped', 'version']
--- a/tests/.hypothesis/constants/b4fbfe7d71d1fde1
+++ b/tests/.hypothesis/constants/b4fbfe7d71d1fde1
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/correlation/graph.py
 # hypothesis_version: 6.151.11
 [' → ', 'attacker_ip', 'deckies', 'decky', 'decky_count', 'duration_seconds', 'event_type', 'first_seen', 'hop_count', 'hops', 'last_seen', 'path', 'service', 'timestamp']
--- a/tests/.hypothesis/constants/c1bae63b725863f0
+++ b/tests/.hypothesis/constants/c1bae63b725863f0
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/imap.py
 # hypothesis_version: 6.151.12
 [143, 993, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'imap', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/cac20128001ccd85
+++ b/tests/.hypothesis/constants/cac20128001ccd85
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/network.py
 # hypothesis_version: 6.151.11
 ['/', 'add', 'addr', 'bridge', 'decnet_ipvlan0', 'decnet_lan', 'decnet_macvlan0', 'default', 'del', 'dev', 'inet ', 'inet6', 'ip', 'ipvlan', 'ipvlan_mode', 'l2', 'link', 'macvlan', 'mode', 'parent', 'route', 'set', 'show', 'type', 'up', 'via']
--- a/tests/.hypothesis/constants/ceb1d0465029fa83
+++ b/tests/.hypothesis/constants/ceb1d0465029fa83
@@ -1,4 +0,0 @@
 # file: /home/anti/.local/bin/pytest
 # hypothesis_version: 6.151.11
 ['__main__']
--- a/tests/.hypothesis/constants/cf9d3e39a6bf6308
+++ b/tests/.hypothesis/constants/cf9d3e39a6bf6308
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/sqlite_repository.py
 # hypothesis_version: 6.151.11
 [' AND ', ' WHERE ', ':', '[^a-zA-Z0-9_]', 'active_deckies', 'attacker', 'attacker-ip', 'attacker_ip', 'bounty_type', 'bounty_type = ?', 'bucket_time', 'count', 'decky', 'decnet.db', 'deployed_deckies', 'event', 'event_type', 'fields', 'id > ?', 'max_id', 'msg', 'must_change_password', 'password_hash', 'payload', 'raw_line', 'role', 'service', 'time', 'timestamp', 'timestamp <= ?', 'timestamp >= ?', 'total', 'total_logs', 'unique_attackers', 'username', 'uuid']
--- a/tests/.hypothesis/constants/d479b632891acb05
+++ b/tests/.hypothesis/constants/d479b632891acb05
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/logging/file_handler.py
 # hypothesis_version: 6.151.11
 [1024, '%(message)s', 'DECNET_LOG_FILE', 'decnet.syslog', 'utf-8']
--- a/tests/.hypothesis/constants/da39a3ee5e6b4b0d
+++ b/tests/.hypothesis/constants/da39a3ee5e6b4b0d
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/__init__.py
 # hypothesis_version: 6.151.11
 []
--- a/tests/.hypothesis/constants/da43cd4d80a43169
+++ b/tests/.hypothesis/constants/da43cd4d80a43169
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/sqlite_repository.py
 # hypothesis_version: 6.151.11
 ['SELECT * FROM logs', 'active_deckies', 'attacker_ip', 'decky', 'decnet.db', 'event_type', 'fields', 'msg', 'must_change_password', 'password_hash', 'raw_line', 'role', 'service', 'timestamp', 'total', 'total_logs', 'unique_attackers', 'username', 'uuid']
--- a/tests/.hypothesis/constants/df40fa14165138c7
+++ b/tests/.hypothesis/constants/df40fa14165138c7
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/auth.py
 # hypothesis_version: 6.151.11
 [1440, 'DECNET_SECRET_KEY', 'HS256', 'exp', 'iat', 'utf-8']
--- a/tests/.hypothesis/constants/e04c4b026eeb7e26
+++ b/tests/.hypothesis/constants/e04c4b026eeb7e26
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/rdp.py
 # hypothesis_version: 6.151.12
 [3389, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'rdp', 'restart', 'templates', 'unless-stopped']
--- a/tests/.hypothesis/constants/f9f2aace37ce402b
+++ b/tests/.hypothesis/constants/f9f2aace37ce402b
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/web/auth.py
 # hypothesis_version: 6.151.11
 [1440, 'HS256', 'exp', 'iat', 'utf-8']
--- a/tests/.hypothesis/constants/fb7b3bbd8bd7b0f3
+++ b/tests/.hypothesis/constants/fb7b3bbd8bd7b0f3
@@ -1,4 +0,0 @@
 # file: /home/anti/Tools/DECNET/decnet/services/conpot.py
 # hypothesis_version: 6.151.12
 [161, 502, 'CONPOT_TEMPLATE', 'conpot', 'container_name', 'default', 'environment', 'honeynet/conpot', 'image', 'restart', 'unless-stopped']
--- a/tests/.hypothesis/unicode_data/16.0.0/charmap.json.gz
+++ b/tests/.hypothesis/unicode_data/16.0.0/charmap.json.gz
--- a/tests/.hypothesis/unicode_data/16.0.0/codec-utf-8.json.gz
+++ b/tests/.hypothesis/unicode_data/16.0.0/codec-utf-8.json.gz
--- a/tests/test_composer.py
+++ b/tests/test_composer.py
@@ -20,13 +20,13 @@ APT_COMPATIBLE = {
 }
 BUILD_SERVICES = [
-    "ssh", "http", "rdp", "smb", "ftp", "smtp", "elasticsearch",
+    "ssh", "telnet", "http", "rdp", "smb", "ftp", "smtp", "elasticsearch",
    "pop3", "imap", "mysql", "mssql", "redis", "mongodb", "postgres",
    "ldap", "vnc", "docker_api", "k8s", "sip",
    "mqtt", "llmnr", "snmp", "tftp", "conpot"
 ]
-UPSTREAM_SERVICES = ["telnet"]
+UPSTREAM_SERVICES: list = []
 def _make_config(services, distro="debian", base_image=None, build_base=None):
--- a/tests/test_services.py
+++ b/tests/test_services.py
@@ -31,9 +31,7 @@ def _is_build_service(name: str) -> bool:
 # Tier 1: upstream-image services (non-build)
 # ---------------------------------------------------------------------------
-UPSTREAM_SERVICES = {
+UPSTREAM_SERVICES: dict = {}
    "telnet": ("cowrie/cowrie",  [23]),
 }
 # ---------------------------------------------------------------------------
 # Tier 2: custom-build services (including ssh, which now uses build)
@@ -41,6 +39,7 @@ UPSTREAM_SERVICES = {
 BUILD_SERVICES = {
    "ssh":           ([22],         "ssh"),
    "telnet":        ([23],         "telnet"),
    "http":          ([80, 443],    "http"),
    "rdp":           ([3389],       "rdp"),
    "smb":           ([445, 139],   "smb"),
@@ -155,7 +154,8 @@ def test_build_service_restart_policy(name):
    assert frag.get("restart") == "unless-stopped"
-_NODE_NAME_SERVICES = [n for n in BUILD_SERVICES if n not in ("ssh", "real_ssh")]
+_RSYSLOG_SERVICES = {"ssh", "real_ssh", "telnet"}
 _NODE_NAME_SERVICES = [n for n in BUILD_SERVICES if n not in _RSYSLOG_SERVICES]
@pytest.mark.parametrize("name", _NODE_NAME_SERVICES)
@@ -166,8 +166,8 @@ def test_build_service_node_name_env(name):
    assert env["NODE_NAME"] == "test-decky"
-# ssh and real_ssh do not use LOG_TARGET (rsyslog handles log forwarding inside the container)
+# ssh, real_ssh, and telnet do not use LOG_TARGET (rsyslog handles log forwarding inside the container)
-_LOG_TARGET_SERVICES = [n for n in BUILD_SERVICES if n not in ("ssh", "real_ssh")]
+_LOG_TARGET_SERVICES = [n for n in BUILD_SERVICES if n not in _RSYSLOG_SERVICES]
@pytest.mark.parametrize("name", _LOG_TARGET_SERVICES)
@@ -339,21 +339,24 @@ def test_redis_default_no_extra_env():
 # Telnet ---------------------------------------------------------------------
-def test_telnet_log_target_uses_cowrie_tcp_output():
+def test_telnet_uses_build_context():
-    """Telnet forwards logs via Cowrie TCP output, same pattern as SSH."""
+    """Telnet uses a build context (no Cowrie image)."""
-    env = _fragment("telnet", log_target="10.0.0.1:5140").get("environment", {})
+    frag = _fragment("telnet")
-    assert env.get("COWRIE_OUTPUT_TCP_ENABLED") == "true"
+    assert "build" in frag
-    assert env.get("COWRIE_OUTPUT_TCP_HOST") == "10.0.0.1"
+    assert "image" not in frag
    assert env.get("COWRIE_OUTPUT_TCP_PORT") == "5140"
-def test_telnet_no_log_target_omits_tcp_output():
+def test_telnet_default_password():
    env = _fragment("telnet").get("environment", {})
-    assert "COWRIE_OUTPUT_TCP_ENABLED" not in env
+    assert env.get("TELNET_ROOT_PASSWORD") == "admin"
    assert "COWRIE_OUTPUT_TCP_HOST" not in env
-def test_telnet_ssh_disabled_in_telnet_only_container():
+def test_telnet_custom_password():
    env = _fragment("telnet", service_cfg={"password": "s3cr3t"}).get("environment", {})
    assert env.get("TELNET_ROOT_PASSWORD") == "s3cr3t"
 def test_telnet_no_cowrie_env_vars():
    """Ensure no Cowrie env vars bleed into the real telnet service."""
    env = _fragment("telnet").get("environment", {})
-    assert env.get("COWRIE_SSH_ENABLED") == "false"
+    assert not any(k.startswith("COWRIE_") for k in env)
    assert env.get("COWRIE_TELNET_ENABLED") == "true"