diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 4236e84..7214fda 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -17,7 +17,11 @@
 "Bash(xxd)",
 "Bash(curl -s http://192.168.1.200:2375/version)",
 "Bash(python3 -m json.tool)",
- "Bash(curl -s http://192.168.1.200:9200/)"
+ "Bash(curl -s http://192.168.1.200:9200/)",
+ "Bash(docker image:*)",
+ "Read(//home/anti/Tools/cowrie/src/cowrie/data/txtcmds/**)",
+ "Read(//home/anti/Tools/cowrie/src/cowrie/data/txtcmds/bin/**)",
+ "mcp__plugin_context-mode_context-mode__ctx_index"
 ]
 }
 }
diff --git a/.hypothesis/constants/2107e411391c4391 b/.hypothesis/constants/2107e411391c4391
new file mode 100644
index 0000000..9fa3139
--- /dev/null
+++ b/.hypothesis/constants/2107e411391c4391
@@ -0,0 +1,4 @@
+# file: /home/anti/Tools/DECNET/decnet/cli.py
+# hypothesis_version: 6.151.11
+
+[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']
\ No newline at end of file
diff --git a/.hypothesis/constants/390b2f90b99b41d6 b/.hypothesis/constants/390b2f90b99b41d6
new file mode 100644
index 0000000..ad0d9fe
--- /dev/null
+++ b/.hypothesis/constants/390b2f90b99b41d6
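Review bot: The added `Read(//home/anti/Tools/cowrie/...)` entries bake a developer-specific absolute path into `.claude/settings.local.json`, which by its `.local` suffix is a per-machine settings file, so this hunk looks like something to ignore rather than commit; add `.claude/settings.local.json` to `.gitignore` and drop the file from the change. The same applies to the `.hypothesis/constants/*` files and `decnet.collector.log` later in this diff, which are test-run and runtime artifacts carrying the same `/home/anti/...` paths. Separately, `Bash(docker image:*)` is the only prefix-wildcard entry in an allowlist of otherwise exact commands; if only a couple of `docker image` subcommands are actually needed, listing them exactly keeps the grant minimal.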
@@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/deployer.py +# hypothesis_version: 6.151.11 + +[5.0, ', ', '--build', '--no-cache', '--watch', '-d', '-f', '1', 'DECNET Deckies', 'DOCKER_BUILDKIT', 'Decky', 'Deployed Deckies', 'Hostname', 'IP', 'IPvlan', 'IPvlan L2', 'MACVLAN', 'Services', 'Status', '[green]up[/]', '[red]degraded[/]', 'absent', 'bold', 'build', 'cmdline', 'compose', 'decnet-compose.yml', 'decnet.cli', 'decnet.web.api:app', 'decnet_logging.py', 'docker', 'down', 'green', 'manifest for', 'manifest unknown', 'mutate', 'name', 'not found', 'pid', 'pull access denied', 'red', 'rm', 'running', 'stop', 'templates', 'up', 'uvicorn'] \ No newline at end of file diff --git a/.hypothesis/constants/4dac674385794ba3 b/.hypothesis/constants/4dac674385794ba3 new file mode 100644 index 0000000..7c9e91a --- /dev/null +++ b/.hypothesis/constants/4dac674385794ba3 @@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/cli.py +# hypothesis_version: 6.151.11 + +[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '.collector.log', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', '__main__', 'a', 'archetypes', 'bold cyan', 'collect', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web'] \ No newline at end of file 
diff --git a/.hypothesis/constants/582281e144215c53 b/.hypothesis/constants/582281e144215c53 new file mode 100644 index 0000000..a6c9ecc --- /dev/null +++ b/.hypothesis/constants/582281e144215c53 @@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/web/collector.py +# hypothesis_version: 6.151.11 + +['"', '%Y-%m-%d %H:%M:%S', '-', '.json', '/', 'Actor', 'Attributes', 'Collector error: %s', 'Unknown', '[', '\\', '\\"', '\\\\', '\\]', '\\]\\s+(.+)$', ']', 'a', 'attacker_ip', 'client_ip', 'container', 'decky', 'decnet', 'decnet.web.collector', 'event', 'event_type', 'fields', 'id', 'ip', 'msg', 'name', 'raw_line', 'remote_ip', 'replace', 'service', 'src', 'src_ip', 'start', 'timestamp', 'type', 'utf-8'] \ No newline at end of file diff --git a/.hypothesis/constants/60a3c86a584e294c b/.hypothesis/constants/60a3c86a584e294c new file mode 100644 index 0000000..34a6ce5 --- /dev/null +++ b/.hypothesis/constants/60a3c86a584e294c @@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/archetypes.py +# hypothesis_version: 6.151.11 + +[', ', 'Database Server', 'DevOps Host', 'Domain Controller', 'File Server', 'IoT Device', 'Linux Server', 'Mail Server', 'Monitoring Node', 'Network Printer', 'VoIP Server', 'Web Server', 'Windows Server', 'Windows Workstation', 'alpine', 'conpot', 'database-server', 'deaddeck', 'debian', 'devops-host', 'docker_api', 'domain-controller', 'embedded', 'fedora', 'file-server', 'ftp', 'http', 'imap', 'industrial-control', 'iot-device', 'k8s', 'ldap', 'linux', 'linux-server', 'llmnr', 'mail-server', 'monitoring-node', 'mqtt', 'mysql', 'pop3', 'postgres', 'printer', 'rdp', 'redis', 'rocky9', 'sip', 'smb', 'smtp', 'snmp', 'ssh', 'telnet', 'ubuntu20', 'ubuntu22', 'voip-server', 'web-server', 'windows', 'windows-server', 'windows-workstation'] \ No newline at end of file diff --git a/.hypothesis/constants/6ba706253a49285d b/.hypothesis/constants/6ba706253a49285d new file mode 100644 index 0000000..1c432ff --- /dev/null 
+++ b/.hypothesis/constants/6ba706253a49285d @@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/os_fingerprint.py +# hypothesis_version: 6.151.12 + +['0', '1', '128', '15', '2', '255', '3', '30', '6', '60', '64', 'bsd', 'cisco', 'embedded', 'linux', 'net.ipv4.tcp_ecn', 'net.ipv4.tcp_sack', 'windows'] \ No newline at end of file diff --git a/.hypothesis/constants/791b462f64ea40d5 b/.hypothesis/constants/791b462f64ea40d5 new file mode 100644 index 0000000..1c432ff --- /dev/null +++ b/.hypothesis/constants/791b462f64ea40d5 @@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/os_fingerprint.py +# hypothesis_version: 6.151.12 + +['0', '1', '128', '15', '2', '255', '3', '30', '6', '60', '64', 'bsd', 'cisco', 'embedded', 'linux', 'net.ipv4.tcp_ecn', 'net.ipv4.tcp_sack', 'windows'] \ No newline at end of file diff --git a/.hypothesis/constants/8fed64ad712afb13 b/.hypothesis/constants/8fed64ad712afb13 new file mode 100644 index 0000000..67dd0b5 --- /dev/null +++ b/.hypothesis/constants/8fed64ad712afb13 
@@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/cli.py +# hypothesis_version: 6.151.11 + +[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'collect', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web'] \ No newline at end of file diff --git a/.hypothesis/constants/b2a5c1b311f8c5a5 b/.hypothesis/constants/b2a5c1b311f8c5a5 new file mode 100644 index 0000000..3fe508a --- /dev/null +++ b/.hypothesis/constants/b2a5c1b311f8c5a5 @@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/os_fingerprint.py +# hypothesis_version: 6.151.12 + +['0', '1', '1000', '128', '15', '2', '250', '255', '3', '30', '6', '60', '6168', '64', 'bsd', 'cisco', 'embedded', 'linux', 'net.ipv4.tcp_ecn', 'net.ipv4.tcp_sack', 'windows'] \ No newline at end of file diff --git a/.hypothesis/constants/b3253f4311be6feb b/.hypothesis/constants/b3253f4311be6feb new file mode 100644 index 0000000..0581c5a --- /dev/null +++ b/.hypothesis/constants/b3253f4311be6feb 
@@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/web/collector.py +# hypothesis_version: 6.151.11 + +['"', '%Y-%m-%d %H:%M:%S', '-', '.json', '/', 'Actor', 'Attributes', 'Collector error: %s', 'Unknown', '[', '\\', '\\"', '\\\\', '\\]', '\\]\\s+(.+)$', ']', 'a', 'attacker_ip', 'client_ip', 'container', 'decky', 'decnet.web.collector', 'event', 'event_type', 'fields', 'id', 'ip', 'msg', 'name', 'raw_line', 'remote_ip', 'replace', 'service', 'src', 'src_ip', 'start', 'timestamp', 'type', 'utf-8'] \ No newline at end of file diff --git a/.hypothesis/constants/b73e974453072677 b/.hypothesis/constants/b73e974453072677 new file mode 100644 index 0000000..7c9e91a --- /dev/null +++ b/.hypothesis/constants/b73e974453072677 @@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/cli.py +# hypothesis_version: 6.151.11 + +[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '.collector.log', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', '__main__', 'a', 'archetypes', 'bold cyan', 'collect', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web'] \ No newline at end of file diff --git a/.hypothesis/constants/c7dc8a77b9584727 b/.hypothesis/constants/c7dc8a77b9584727 new file mode 100644 index 0000000..67dd0b5 --- /dev/null +++ b/.hypothesis/constants/c7dc8a77b9584727 
@@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/cli.py +# hypothesis_version: 6.151.11 + +[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'collect', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web'] \ No newline at end of file diff --git a/.hypothesis/constants/de34182254a7e1ec b/.hypothesis/constants/de34182254a7e1ec new file mode 100644 index 0000000..99bc6fd --- /dev/null +++ b/.hypothesis/constants/de34182254a7e1ec @@ -0,0 +1,4 @@ +# file: /home/anti/Tools/DECNET/decnet/composer.py +# hypothesis_version: 6.151.11 + +['10m', '3.8', '5', 'BASE_IMAGE', 'HOSTNAME', 'NET_ADMIN', 'args', 'build', 'cap_add', 'command', 'container_name', 'depends_on', 'driver', 'environment', 'external', 'hostname', 'image', 'infinity', 'ipv4_address', 'json-file', 'logging', 'max-file', 'max-size', 'network_mode', 'networks', 'options', 'restart', 'services', 'sleep', 'sysctls', 'unless-stopped', 'version'] \ No newline at end of file diff --git a/.hypothesis/unicode_data/16.0.0/codec-utf-8.json.gz b/.hypothesis/unicode_data/16.0.0/codec-utf-8.json.gz index f534d58..c5b5bd7 100644 Binary files a/.hypothesis/unicode_data/16.0.0/codec-utf-8.json.gz and b/.hypothesis/unicode_data/16.0.0/codec-utf-8.json.gz differ 
diff --git a/decnet.collector.log b/decnet.collector.log
new file mode 100644
index 0000000..bac1371
--- /dev/null
+++ b/decnet.collector.log
@@ -0,0 +1 @@
+Collector starting → /home/anti/Tools/DECNET/decnet.log
diff --git a/decnet/archetypes.py b/decnet/archetypes.py
index d581ff3..00f9c41 100644
--- a/decnet/archetypes.py
+++ b/decnet/archetypes.py
@@ -148,7 +148,7 @@ ARCHETYPES: dict[str, Archetype] = {
 slug="deaddeck",
 display_name="Deaddeck (Entry Point)",
 description="Internet-facing entry point with real interactive SSH — no honeypot emulation",
- services=["real_ssh"],
+ services=["ssh"],
 preferred_distros=["debian", "ubuntu22"],
 nmap_os="linux",
 ),
diff --git a/decnet/services/real_ssh.py b/decnet/services/real_ssh.py
deleted file mode 100644
index 328fb30..0000000
--- a/decnet/services/real_ssh.py
+++ /dev/null
@@ -1,46 +0,0 @@
-from pathlib import Path
-
-from decnet.services.base import BaseService
-
-TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "real_ssh"
-
-
-class RealSSHService(BaseService):
- """
- Fully interactive OpenSSH server — no honeypot emulation.
-
- Used for the deaddeck (entry-point machine). Attackers get a real shell.
- Credentials are intentionally weak to invite exploitation.
-
- service_cfg keys:
- password Root password (default: "admin")
- hostname Override container hostname
- """
-
- name = "real_ssh"
- ports = [22]
- default_image = "build"
-
- def compose_fragment(
- self,
- decky_name: str,
- log_target: str | None = None,
- service_cfg: dict | None = None,
- ) -> dict:
- cfg = service_cfg or {}
- env: dict = {
- "SSH_ROOT_PASSWORD": cfg.get("password", "admin"),
- }
- if "hostname" in cfg:
- env["SSH_HOSTNAME"] = cfg["hostname"]
-
- return {
- "build": {"context": str(TEMPLATES_DIR)},
- "container_name": f"{decky_name}-real-ssh",
- "restart": "unless-stopped",
- "cap_add": ["NET_BIND_SERVICE"],
- "environment": env,
- }
-
- def dockerfile_context(self) -> Path:
- return TEMPLATES_DIR
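Review bot: The deaddeck entry's `description` still reads `real interactive SSH — no honeypot emulation` while `services` now names `ssh`, and nothing in this diff shows `SSHService` taking over the deleted `RealSSHService` contract (the `password`/`hostname` `service_cfg` keys, the `SSH_ROOT_PASSWORD` default, the `NET_BIND_SERVICE` capability) — the `ssh.py` hunk only retargets `TEMPLATES_DIR`. If `SSHService` does not build the interactive OpenSSH image, this description is now wrong; if it does, a one-line comment on the entry such as `# "ssh" now builds the real-OpenSSH template (real_ssh was folded into it)` would record why the entry point no longer has its own service. Any saved config that still lists `real_ssh` will presumably stop resolving once the module is gone, so a deprecation alias or an explicit error naming the removed service is worth considering. The `ARCHETYPES` dict begins and ends outside the hunk.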
diff --git a/decnet/services/ssh.py b/decnet/services/ssh.py
index 427e92e..db2ce54 100644
--- a/decnet/services/ssh.py
+++ b/decnet/services/ssh.py
@@ -2,7 +2,7 @@ from pathlib import Path
 from decnet.services.base import BaseService
-TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "real_ssh"
+TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "ssh"
 class SSHService(BaseService):
diff --git a/development/DEVELOPMENT.md b/development/DEVELOPMENT.md
index 67d84d2..7e664bf 100644
--- a/development/DEVELOPMENT.md
+++ b/development/DEVELOPMENT.md
@@ -4,7 +4,7 @@ *Goal: Ensure every service is interactive enough to feel real during manual exploration.* ### Remote Access & Shells
-- [x] **SSH (Cowrie)** — Custom filesystem, realistic user database, and command execution.
+- [ ] **SSH (Cowrie)** — Custom filesystem, realistic user database, and command execution.
 - [ ] **Telnet (Cowrie)** — Realistic banner and command emulation.
 - [ ] **RDP** — Realistic NLA authentication and screen capture (where possible).
 - [ ] **VNC** — Realistic RFB protocol handshake and authentication.
diff --git a/development/nmap-output-post-fixes.txt b/development/nmap-output-post-fixes.txt
new file mode 100644
index 0000000..65bc975
--- /dev/null
+++ b/development/nmap-output-post-fixes.txt
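Review bot: `TEMPLATES_DIR` now resolves to `templates/ssh`, but this diff contains no rename of `templates/real_ssh` to `templates/ssh`; if that move happened outside the commit, or `templates/` is untracked, the path points at a missing directory and — assuming `SSHService` uses it as a compose build context the way the deleted `RealSSHService` did — the failure only surfaces at image build time. Either include the directory rename in this commit or fail fast where the path is consumed, e.g. `if not TEMPLATES_DIR.is_dir(): raise FileNotFoundError(f"SSH template directory missing: {TEMPLATES_DIR}")`. `SSHService` itself starts after the hunk, so how the path is consumed is not visible here.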
@@ -0,0 +1,476 @@ +Nmap scan report for 192.168.1.200 +Host is up (0.0000020s latency). +Not shown: 65515 closed tcp ports (reset) +PORT STATE SERVICE VERSION +21/tcp open ftp vsftpd (before 2.0.8) or WU-FTPD +23/tcp open telnet? +| fingerprint-strings: +| DNSStatusRequestTCP, DNSVersionBindReqTCP, DistCCD, JavaRMI, LANDesk-RC, LDAPBindReq, NULL, NotesRPC, RPCCheck, Radmin, TerminalServer, WMSRequest, X11Probe, mydoom, tn3270: +| login: +| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, LDAPSearchReq, RTSPRequest: +| login: +| Password: +| Login incorrect +| login: +| Hello, Help, Kerberos, LPDString, NessusTPv10, NessusTPv11, NessusTPv12, SSLSessionReq, SSLv23SessionReq, TerminalServerCookie, Verifier, VerifierAdvanced, WWWOFFLEctrlstat: +| login: +| Password: +| SIPOptions: +| login: +| Password: +| Login incorrect +| login: Password: +| Login incorrect +| login: Password: +| Login incorrect +| login: Password: +| Login incorrect +| login: Password: +| Login incorrect +|_ login: Password: +25/tcp open smtp Postfix smtpd +|_smtp-commands: omega-decky, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN +80/tcp open http Apache httpd 2.4.54 +|_http-title: 403 Forbidden +|_http-server-header: Werkzeug/3.1.8 Python/3.11.2 +110/tcp open pop3 Dovecot pop3d ([omega-decky]) +|_pop3-capabilities: USER +143/tcp open imap Dovecot imapd +|_imap-capabilities: IMAP4rev1 AUTH=PLAIN OK completed AUTH=LOGINA0001 CAPABILITY +389/tcp open ldap Cisco LDAP server +445/tcp open microsoft-ds +| fingerprint-strings: +| SMBProgNeg: +| SMBr +|_ "3DUfw +1433/tcp open ms-sql-s? 
+1883/tcp open mqtt +| mqtt-subscribe: +| Topics and their most recent payloads: +| plant/water/pump2/status: STANDBY +| plant/alarm/high_pressure: 0 +| plant/water/chlorine/residual: 0.8 +| plant/water/chlorine/dosing: 1.2 +| plant/water/pump1/rpm: 1419 +| plant/water/tank1/level: 76.6 +| plant/$SYS/broker/uptime: 2847392 +| plant/$SYS/broker/version: Mosquitto 2.0.15 +| plant/water/valve/inlet/state: OPEN +| plant/water/valve/drain/state: CLOSED +| plant/water/tank1/pressure: 2.86 +| plant/water/pump1/status: RUNNING +| plant/alarm/low_chlorine: 0 +|_ plant/alarm/pump_fault: 0 +2375/tcp open docker Docker 24.0.5 +| fingerprint-strings: +| GetRequest: +| HTTP/1.1 404 NOT FOUND +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Fri, 10 Apr 2026 06:25:23 GMT +| Content-Type: application/json +| Content-Length: 46 +| Connection: close +| {"message": "page not found", "response": 404} +| HTTPOptions: +| HTTP/1.1 200 OK +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Fri, 10 Apr 2026 06:25:23 GMT +| Content-Type: text/html; charset=utf-8 +| Allow: HEAD, OPTIONS, GET +| Content-Length: 0 +| Connection: close +| Hello: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request syntax ('EHLO').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +| +| RTSPRequest: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request version ('RTSP/1.0').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +| +| docker: +| HTTP/1.1 200 OK +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Fri, 10 Apr 2026 06:25:23 GMT +| Content-Type: application/json +| Content-Length: 187 +| Connection: close +|_ {"Version": "24.0.5", "ApiVersion": "1.43", "MinAPIVersion": "1.12", "GitCommit": "ced0996", "GoVersion": "go1.20.6", "Os": "linux", "Arch": "amd64", "KernelVersion": "5.15.0-76-generic"} +| docker-version: +| KernelVersion: 5.15.0-76-generic +| MinAPIVersion: 1.12 +| Arch: amd64 +| Os: linux +| GoVersion: go1.20.6 +| Version: 24.0.5 +| GitCommit: ced0996 +|_ ApiVersion: 1.43 +3306/tcp open mysql MySQL 5.7.38-log +| mysql-info: +| Protocol: 10 +| Version: 5.7.38-log +| Thread ID: 1 +| Capabilities flags: 63487 +| Some Capabilities: Support41Auth, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, ConnectWithDatabase, SupportsTransactions, IgnoreSpaceBeforeParenthesis, SupportsCompression, LongColumnFlag, SupportsLoadDataLocal, ODBCClient, LongPassword, Speaks41ProtocolNew, InteractiveClient, FoundRows, IgnoreSigpipes, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins +| Status: Autocommit +| Salt: pv!magic!O}%>UM|gu^1 +|_ Auth Plugin Name: mysql_native_password +3389/tcp open ms-wbt-server xrdp +5060/tcp open sip (SIP end point; Status: 401 Unauthorized) +| fingerprint-strings: +| HTTPOptions: +| SIP/2.0 401 Unauthorized +| Via: +| From: +| Call-ID: +| CSeq: +| WWW-Authenticate: Digest realm="omega-decky", nonce="fa63b9f8e719d810", algorithm=MD5 +| Content-Length: 0 +| RTSPRequest: +| SIP/2.0 401 Unauthorized +| Via: +| From: +| Call-ID: +| CSeq: +| WWW-Authenticate: Digest realm="omega-decky", nonce="25b193b6f8c63e9d", algorithm=MD5 +| Content-Length: 0 +| SIPOptions: +| SIP/2.0 401 Unauthorized +| Via: SIP/2.0/TCP nm;branch=foo +| From: ;tag=root +| +| Call-ID: 50000 +| CSeq: 42 OPTIONS +| WWW-Authenticate: Digest realm="omega-decky", nonce="7d2aa09cb9bfbac0", algorithm=MD5 +|_ Content-Length: 0 +5432/tcp open postgresql? 
+5900/tcp open vnc VNC (protocol 3.8) +| vnc-info: +| Protocol version: 3.8 +| Security types: +|_ VNC Authentication (2) +6379/tcp open redis? +| fingerprint-strings: +| HELP4STOMP, HTTPOptions, Hello, Help, Kerberos, LPDString, Memcache, NessusTPv10, NessusTPv11, NessusTPv12, RTSPRequest, SSLSessionReq, SSLv23SessionReq, Socks5, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, Verifier, VerifierAdvanced, WWWOFFLEctrlstat, ajp, dominoconsole, firebird: +| -ERR unknown command +| LDAPSearchReq, hp-pjl, pervasive-btrieve: +| -ERR unknown command +| -ERR unknown command +| SIPOptions: +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| redis-server: +| $150 +| Server +| redis_version:7.2.7 +| redis_mode:standalone +| os:Linux 5.15.0 +| arch_bits:64 +| tcp_port:6379 +| uptime_in_seconds:864000 +| connected_clients:1 +|_ Keyspace +6443/tcp open sun-sr-https? +| fingerprint-strings: +| GetRequest: +| HTTP/1.1 404 NOT FOUND +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Fri, 10 Apr 2026 06:25:23 GMT +| Content-Type: application/json +| Content-Length: 52 +| Connection: close +| {"kind": "Status", "status": "Failure", "code": 404} +| HTTPOptions: +| HTTP/1.1 200 OK +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Fri, 10 Apr 2026 06:25:23 GMT +| Content-Type: text/html; charset=utf-8 +| Allow: GET, HEAD, OPTIONS +| Content-Length: 0 +| Connection: close +| RTSPRequest: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request version ('RTSP/1.0').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +| +| SSLSessionReq: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request syntax (' +| <= +| ').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +|_ +9200/tcp open wap-wsp? +| fingerprint-strings: +| GetRequest: +| HTTP/1.0 200 OK +| Server: elasticsearch +| Date: Fri, 10 Apr 2026 06:25:23 GMT +| Content-Type: application/json; charset=UTF-8 +| Content-Length: 477 +| X-elastic-product: Elasticsearch +| {"name": "omega-decky", "cluster_name": "elasticsearch", "cluster_uuid": "xC3Pr9abTq2mNkOeLvXwYA", "version": {"number": "7.17.9", "build_flavor": "default", "build_type": "docker", "build_hash": "ef48222227ee6b9e70e502f0f0daa52435ee634d", "build_date": "2023-01-31T05:34:43.305517834Z", "build_snapshot": false, "lucene_version": "8.11.1", "minimum_wire_compatibility_version": "6.8.0", "minimum_index_compatibility_version": "6.0.0-beta1"}, "tagline": "You Know, for Search"} +| HTTPOptions: +| HTTP/1.0 501 Unsupported method ('OPTIONS') +| Server: elasticsearch +| Date: Fri, 10 Apr 2026 06:25:23 GMT +| Connection: close +| Content-Type: text/html;charset=utf-8 +| Content-Length: 360 +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 501

+|

Message: Unsupported method ('OPTIONS').

+|

Error code explanation: 501 - Server does not support this operation.

+| +| +| RTSPRequest: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request version ('RTSP/1.0').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +|_ +27017/tcp open mongod? +|_mongodb-databases: ERROR: Script execution failed (use -d to debug) +|_mongodb-info: ERROR: Script execution failed (use -d to debug) +8 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port23-TCP:V=7.92%I=9%D=4/10%Time=69D897D3%P=x86_64-redhat-linux-gnu%r( +SF:NULL,7,"login:\x20")%r(GenericLines,2C,"login:\x20\xff\xfb\x01Password: +SF:\x20\nLogin\x20incorrect\nlogin:\x20")%r(tn3270,16,"login:\x20\xff\xfe\ +SF:x18\xff\xfe\x19\xff\xfc\x19\xff\xfe\0\xff\xfc\0")%r(GetRequest,2C,"logi +SF:n:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(HTT +SF:POptions,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nl +SF:ogin:\x20")%r(RTSPRequest,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogi +SF:n\x20incorrect\nlogin:\x20")%r(RPCCheck,7,"login:\x20")%r(DNSVersionBin +SF:dReqTCP,7,"login:\x20")%r(DNSStatusRequestTCP,7,"login:\x20")%r(Hello,1 +SF:4,"login:\x20\xff\xfb\x01Password:\x20")%r(Help,14,"login:\x20\xff\xfb\ +SF:x01Password:\x20")%r(SSLSessionReq,14,"login:\x20\xff\xfb\x01Password:\ +SF:x20")%r(TerminalServerCookie,14,"login:\x20\xff\xfb\x01Password:\x20")% +SF:r(SSLv23SessionReq,14,"login:\x20\xff\xfb\x01Password:\x20")%r(Kerberos +SF:,14,"login:\x20\xff\xfb\x01Password:\x20")%r(X11Probe,7,"login:\x20")%r +SF:(FourOhFourRequest,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20in +SF:correct\nlogin:\x20")%r(LPDString,14,"login:\x20\xff\xfb\x01Password:\x +SF:20")%r(LDAPSearchReq,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20 +SF:incorrect\nlogin:\x20")%r(LDAPBindReq,7,"login:\x20")%r(SIPOptions,BE," +SF:login:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20Pass +SF:word:\x20\nLogin\x20incorrect\nlogin:\x20Password:\x20\nLogin\x20incorr 
+SF:ect\nlogin:\x20Password:\x20\nLogin\x20incorrect\nlogin:\x20Password:\x +SF:20\nLogin\x20incorrect\nlogin:\x20Password:\x20")%r(LANDesk-RC,7,"login +SF::\x20")%r(TerminalServer,7,"login:\x20")%r(NotesRPC,7,"login:\x20")%r(D +SF:istCCD,7,"login:\x20")%r(JavaRMI,7,"login:\x20")%r(Radmin,7,"login:\x20 +SF:")%r(NessusTPv12,14,"login:\x20\xff\xfb\x01Password:\x20")%r(NessusTPv1 +SF:1,14,"login:\x20\xff\xfb\x01Password:\x20")%r(NessusTPv10,14,"login:\x2 +SF:0\xff\xfb\x01Password:\x20")%r(WMSRequest,7,"login:\x20")%r(mydoom,7,"l +SF:ogin:\x20")%r(WWWOFFLEctrlstat,14,"login:\x20\xff\xfb\x01Password:\x20" +SF:)%r(Verifier,14,"login:\x20\xff\xfb\x01Password:\x20")%r(VerifierAdvanc +SF:ed,14,"login:\x20\xff\xfb\x01Password:\x20"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port445-TCP:V=7.92%I=9%D=4/10%Time=69D897D8%P=x86_64-redhat-linux-gnu%r +SF:(SMBProgNeg,51,"\0\0\0M\xffSMBr\0\0\0\0\x80\0\xc0\0\0\0\0\0\0\0\0\0\0\0 +SF:\0\0\0@\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\xfa\0\0\0\0\x01\0\0\0 +SF:\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\x08\x08\0\x11\"3DUfw\x88"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port1433-TCP:V=7.92%I=9%D=4/10%Time=69D897D8%P=x86_64-redhat-linux-gnu% +SF:r(ms-sql-s,2F,"\x04\x01\0/\0\0\x01\0\0\0\x1a\0\x06\x01\0\x20\0\x01\x02\ +SF:0!\0\x01\x03\0\"\0\x04\x04\0&\0\x01\xff\x0e\0\x07\xd0\0\0\x02\0\0\0\0\0 +SF:\0"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port5060-TCP:V=7.92%I=9%D=4/10%Time=69D897E0%P=x86_64-redhat-linux-gnu% +SF:r(SIPOptions,F7,"SIP/2\.0\x20401\x20Unauthorized\r\nVia:\x20SIP/2\.0/TC +SF:P\x20nm;branch=foo\r\nFrom:\x20;tag=root\r\nTo:\x20\r\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nWWW-Authenticate +SF::\x20Digest\x20realm=\"omega-decky\",\x20nonce=\"7d2aa09cb9bfbac0\",\x2 +SF:0algorithm=MD5\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,AE,"SIP/ +SF:2\.0\x20401\x20Unauthorized\r\nVia:\x20\r\nFrom:\x20\r\nTo:\x20\r\nCall 
+SF:-ID:\x20\r\nCSeq:\x20\r\nWWW-Authenticate:\x20Digest\x20realm=\"omega-d +SF:ecky\",\x20nonce=\"fa63b9f8e719d810\",\x20algorithm=MD5\r\nContent-Leng +SF:th:\x200\r\n\r\n")%r(RTSPRequest,AE,"SIP/2\.0\x20401\x20Unauthorized\r\ +SF:nVia:\x20\r\nFrom:\x20\r\nTo:\x20\r\nCall-ID:\x20\r\nCSeq:\x20\r\nWWW-A +SF:uthenticate:\x20Digest\x20realm=\"omega-decky\",\x20nonce=\"25b193b6f8c +SF:63e9d\",\x20algorithm=MD5\r\nContent-Length:\x200\r\n\r\n"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port5432-TCP:V=7.92%I=9%D=4/10%Time=69D897E2%P=x86_64-redhat-linux-gnu% +SF:r(SMBProgNeg,D,"R\0\0\0\x0c\0\0\0\x05\x96\xbci&")%r(Kerberos,D,"R\0\0\0 +SF:\x0c\0\0\0\x05\xa7\x87:~")%r(ZendJavaBridge,D,"R\0\0\0\x0c\0\0\0\x05\xe +SF:d\x9f\xf8\0"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port6379-TCP:V=7.92%I=9%D=4/10%Time=69D897D8%P=x86_64-redhat-linux-gnu% +SF:r(redis-server,9E,"\$150\r\n#\x20Server\nredis_version:7\.2\.7\nredis_m +SF:ode:standalone\nos:Linux\x205\.15\.0\narch_bits:64\ntcp_port:6379\nupti +SF:me_in_seconds:864000\nconnected_clients:1\n#\x20Keyspace\n\r\n")%r(GetR +SF:equest,5,"\$-1\r\n")%r(HTTPOptions,16,"-ERR\x20unknown\x20command\r\n") +SF:%r(RTSPRequest,16,"-ERR\x20unknown\x20command\r\n")%r(Hello,16,"-ERR\x2 +SF:0unknown\x20command\r\n")%r(Help,16,"-ERR\x20unknown\x20command\r\n")%r +SF:(SSLSessionReq,16,"-ERR\x20unknown\x20command\r\n")%r(TerminalServerCoo +SF:kie,16,"-ERR\x20unknown\x20command\r\n")%r(TLSSessionReq,16,"-ERR\x20un +SF:known\x20command\r\n")%r(SSLv23SessionReq,16,"-ERR\x20unknown\x20comman +SF:d\r\n")%r(Kerberos,16,"-ERR\x20unknown\x20command\r\n")%r(FourOhFourReq +SF:uest,5,"\$-1\r\n")%r(LPDString,16,"-ERR\x20unknown\x20command\r\n")%r(L +SF:DAPSearchReq,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20comma +SF:nd\r\n")%r(SIPOptions,DC,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown +SF:\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command 
+SF:\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x2 +SF:0unknown\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x2 +SF:0command\r\n-ERR\x20unknown\x20command\r\n")%r(NessusTPv12,16,"-ERR\x20 +SF:unknown\x20command\r\n")%r(NessusTPv11,16,"-ERR\x20unknown\x20command\r +SF:\n")%r(NessusTPv10,16,"-ERR\x20unknown\x20command\r\n")%r(WWWOFFLEctrls +SF:tat,16,"-ERR\x20unknown\x20command\r\n")%r(Verifier,16,"-ERR\x20unknown +SF:\x20command\r\n")%r(VerifierAdvanced,16,"-ERR\x20unknown\x20command\r\n +SF:")%r(Socks5,16,"-ERR\x20unknown\x20command\r\n")%r(OfficeScan,5,"\$-1\r +SF:\n")%r(HELP4STOMP,16,"-ERR\x20unknown\x20command\r\n")%r(Memcache,16,"- +SF:ERR\x20unknown\x20command\r\n")%r(firebird,16,"-ERR\x20unknown\x20comma +SF:nd\r\n")%r(pervasive-btrieve,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20 +SF:unknown\x20command\r\n")%r(ajp,16,"-ERR\x20unknown\x20command\r\n")%r(h +SF:p-pjl,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command\r\n" +SF:)%r(SqueezeCenter_CLI,16,"-ERR\x20unknown\x20command\r\n")%r(dominocons +SF:ole,16,"-ERR\x20unknown\x20command\r\n"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port6443-TCP:V=7.92%I=9%D=4/10%Time=69D897D3%P=x86_64-redhat-linux-gnu% +SF:r(SSLSessionReq,1E8,"\n\n\x20\x2 +SF:0\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20Error\x20response +SF:\n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x20 +SF:\x20\x20\x20

Error\x20response

\n\x20\x20\x20\x20\x20\x20\x20\x2 +SF:0

Error\x20code:\x20400

\n\x20\x20\x20\x20\x20\x20\x20\x20

Messa +SF:ge:\x20Bad\x20request\x20syntax\x20\('\\x16\\x03\\x00\\x00S\\x01\\x00\\ +SF:x00O\\x03\\x00\?G\xc3\x97\xc3\xb7\xc2\xba,\xc3\xae\xc3\xaa\xc2\xb2`~\xc +SF:3\xb3\\x00\xc3\xbd\\x82{\xc2\xb9\xc3\x95\\x96\xc3\x88w\\x9b\xc3\xa6\xc3 +SF:\x84\xc3\x9b<=\xc3\x9bo\xc3\xaf\\x10n\\x00\\x00\(\\x00\\x16\\x00\\x1 +SF:3\\x00'\)\.

\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20code\x20ex +SF:planation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported +SF:\x20method\.

\n\x20\x20\x20\x20\n\n")%r(GetRequest,E0, +SF:"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nServer:\x20Werkzeug/3\.1\.8\x20Pyt +SF:hon/3\.11\.2\r\nDate:\x20Fri,\x2010\x20Apr\x202026\x2006:25:23\x20GMT\r +SF:\nContent-Type:\x20application/json\r\nContent-Length:\x2052\r\nConnect +SF:ion:\x20close\r\n\r\n{\"kind\":\x20\"Status\",\x20\"status\":\x20\"Fail +SF:ure\",\x20\"code\":\x20404}")%r(HTTPOptions,C7,"HTTP/1\.1\x20200\x20OK\ +SF:r\nServer:\x20Werkzeug/3\.1\.8\x20Python/3\.11\.2\r\nDate:\x20Fri,\x201 +SF:0\x20Apr\x202026\x2006:25:23\x20GMT\r\nContent-Type:\x20text/html;\x20c +SF:harset=utf-8\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS\r\nContent-Length:\x +SF:200\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,16C,"\n\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x +SF:20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20 +SF:\x20Error\x20response\n\x20\x20\x20\x20\n\x20\x20 +SF:\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20response\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20code:\x20400

\n\x20 +SF:\x20\x20\x20\x20\x20\x20\x20

Message:\x20Bad\x20request\x20version\x2 +SF:0\('RTSP/1\.0'\)\.

\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20cod +SF:e\x20explanation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\x20unsu +SF:pported\x20method\.

\n\x20\x20\x20\x20\n\n"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port9200-TCP:V=7.92%I=9%D=4/10%Time=69D897D3%P=x86_64-redhat-linux-gnu% +SF:r(GetRequest,293,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20elasticsearch\x2 +SF:0\r\nDate:\x20Fri,\x2010\x20Apr\x202026\x2006:25:23\x20GMT\r\nContent-T +SF:ype:\x20application/json;\x20charset=UTF-8\r\nContent-Length:\x20477\r\ +SF:nX-elastic-product:\x20Elasticsearch\r\n\r\n{\"name\":\x20\"omega-decky +SF:\",\x20\"cluster_name\":\x20\"elasticsearch\",\x20\"cluster_uuid\":\x20 +SF:\"xC3Pr9abTq2mNkOeLvXwYA\",\x20\"version\":\x20{\"number\":\x20\"7\.17\ +SF:.9\",\x20\"build_flavor\":\x20\"default\",\x20\"build_type\":\x20\"dock +SF:er\",\x20\"build_hash\":\x20\"ef48222227ee6b9e70e502f0f0daa52435ee634d\ +SF:",\x20\"build_date\":\x20\"2023-01-31T05:34:43\.305517834Z\",\x20\"buil +SF:d_snapshot\":\x20false,\x20\"lucene_version\":\x20\"8\.11\.1\",\x20\"mi +SF:nimum_wire_compatibility_version\":\x20\"6\.8\.0\",\x20\"minimum_index_ +SF:compatibility_version\":\x20\"6\.0\.0-beta1\"},\x20\"tagline\":\x20\"Yo +SF:u\x20Know,\x20for\x20Search\"}")%r(HTTPOptions,223,"HTTP/1\.0\x20501\x2 +SF:0Unsupported\x20method\x20\('OPTIONS'\)\r\nServer:\x20elasticsearch\x20 +SF:\r\nDate:\x20Fri,\x2010\x20Apr\x202026\x2006:25:23\x20GMT\r\nConnection +SF::\x20close\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Lengt +SF:h:\x20360\r\n\r\n\n\n\x20\x20\x2 +SF:0\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20Error\x20response\n\x +SF:20\x20\x20\x20\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20 +SF:\x20\x20

Error\x20response

\n\x20\x20\x20\x20\x20\x20\x20\x20

+SF:Error\x20code:\x20501

\n\x20\x20\x20\x20\x20\x20\x20\x20

Message:\ +SF:x20Unsupported\x20method\x20\('OPTIONS'\)\.

\n\x20\x20\x20\x20\x20\x +SF:20\x20\x20

Error\x20code\x20explanation:\x20501\x20-\x20Server\x20doe +SF:s\x20not\x20support\x20this\x20operation\.

\n\x20\x20\x20\x20 +SF:\n\n")%r(RTSPRequest,16C,"\n\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20Error\x20resp +SF:onse\n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x20\x20 +SF:\x20\x20\x20\x20\x20\x20

Error\x20response

\n\x20\x20\x20\x20\x2 +SF:0\x20\x20\x20

Error\x20code:\x20400

\n\x20\x20\x20\x20\x20\x20\x20 +SF:\x20

Message:\x20Bad\x20request\x20version\x20\('RTSP/1\.0'\)\.

\n +SF:\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20code\x20explanation:\x20400 +SF:\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.

\ +SF:n\x20\x20\x20\x20\n\n"); +MAC Address: F2:5F:2F:EE:5B:96 (Unknown) +Service Info: Hosts: omega-decky, omega-decky + +Host script results: +|_ms-sql-info: ERROR: Script execution failed (use -d to debug) +| smb2-time: +| date: 2026-04-10T06:33:53 +|_ start_date: 2026-04-10T06:33:53 +| smb-security-mode: +| account_used: guest +| authentication_level: user +| challenge_response: supported +|_ message_signing: disabled (dangerous, but default) +| smb2-security-mode: +| 2.0.2: +|_ Message signing enabled but not required +|_clock-skew: mean: -77663d15h16m57s, deviation: 109832d23h14m31s, median: -155327d06h33m54s + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 784.93 seconds diff --git a/postpostfixnmap.txt b/postpostfixnmap.txt new file mode 100644 index 0000000..992d459 --- /dev/null +++ b/postpostfixnmap.txt 
@@ -0,0 +1,549 @@ +# Nmap 7.92 scan initiated Sat Apr 11 04:21:11 2026 as: nmap -A -O -p- -sV -sC --version-intensity 9 -oN postpostfixnmap.txt 192.168.1.200,201 +Nmap scan report for 192.168.1.200 +Host is up (0.000031s latency). +Not shown: 65510 closed tcp ports (reset) +PORT STATE SERVICE VERSION +21/tcp open ftp vsftpd (before 2.0.8) or WU-FTPD +23/tcp open telnet? +| fingerprint-strings: +| DNSStatusRequestTCP, DNSVersionBindReqTCP, DistCCD, JavaRMI, LANDesk-RC, LDAPBindReq, NULL, NotesRPC, RPCCheck, Radmin, TLSSessionReq, TerminalServer, WMSRequest, X11Probe, mydoom, tn3270: +| login: +| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, LDAPSearchReq, RTSPRequest: +| login: +| Password: +| Login incorrect +| login: +| Hello, Help, Kerberos, LPDString, NessusTPv10, NessusTPv11, NessusTPv12, SSLSessionReq, SSLv23SessionReq, TerminalServerCookie, Verifier, VerifierAdvanced, WWWOFFLEctrlstat: +| login: +| Password: +| SIPOptions: +| login: +| Password: +| Login incorrect +| login: Password: +| Login incorrect +| login: Password: +| Login incorrect +| login: Password: +| Login incorrect +| login: Password: +| Login incorrect +|_ login: Password: +25/tcp open smtp Postfix smtpd +|_smtp-commands: omega-decky, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN +80/tcp open http Apache httpd 2.4.54 +|_http-server-header: Werkzeug/3.1.8 Python/3.11.2 +|_http-title: 403 Forbidden +110/tcp open pop3 +|_pop3-capabilities: TOP AUTH-RESP-CODE SASL RESP-CODES UIDL USER +| fingerprint-strings: +| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck, SMBProgNeg, X11Probe: +| +OK omega-decky Dovecot POP3 ready. +| FourOhFourRequest, GetRequest, HTTPOptions, Hello, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie: +| +OK omega-decky Dovecot POP3 ready. +| -ERR Command not recognized +| LDAPSearchReq: +| +OK omega-decky Dovecot POP3 ready. 
+| -ERR Command not recognized +|_ -ERR Command not recognized +143/tcp open imap Dovecot imapd +|_imap-capabilities: ENABLE LOGIN-REFERRALS ID completed SASL-IR CAPABILITY AUTH=PLAIN AUTH=LOGINA0001 IDLE OK LITERAL+ IMAP4rev1 +389/tcp open ldap Cisco LDAP server +445/tcp open microsoft-ds +| fingerprint-strings: +| SMBProgNeg: +| SMBr +|_ "3DUfw +502/tcp open mbap? +1433/tcp open ms-sql-s? +1883/tcp open mqtt +| mqtt-subscribe: +| Topics and their most recent payloads: +| plant/alarm/pump_fault: 0 +| plant/water/tank1/pressure: 2.65 +| plant/alarm/high_pressure: 0 +| plant/$SYS/broker/version: Mosquitto 2.0.15 +| plant/alarm/low_chlorine: 0 +| plant/water/valve/inlet/state: OPEN +| plant/water/chlorine/residual: 0.7 +| plant/water/pump1/status: RUNNING +| plant/water/pump2/status: STANDBY +| plant/water/valve/drain/state: CLOSED +| plant/water/pump1/rpm: 1432 +| plant/water/tank1/level: 77.9 +| plant/water/chlorine/dosing: 1.2 +|_ plant/$SYS/broker/uptime: 2847392 +2121/tcp open ccproxy-ftp? +| fingerprint-strings: +| GenericLines: +| 200 FTP server ready. +| Command ' +| understood +| NULL: +|_ 200 FTP server ready. +2375/tcp open docker Docker 24.0.5 +| fingerprint-strings: +| GetRequest: +| HTTP/1.1 404 NOT FOUND +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Sat, 11 Apr 2026 08:21:18 GMT +| Content-Type: application/json +| Content-Length: 46 +| Connection: close +| {"message": "page not found", "response": 404} +| HTTPOptions: +| HTTP/1.1 200 OK +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Sat, 11 Apr 2026 08:21:18 GMT +| Content-Type: text/html; charset=utf-8 +| Allow: HEAD, GET, OPTIONS +| Content-Length: 0 +| Connection: close +| Hello: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request syntax ('EHLO').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +| +| RTSPRequest: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request version ('RTSP/1.0').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +| +| docker: +| HTTP/1.1 200 OK +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Sat, 11 Apr 2026 08:21:18 GMT +| Content-Type: application/json +| Content-Length: 187 +| Connection: close +|_ {"Version": "24.0.5", "ApiVersion": "1.43", "MinAPIVersion": "1.12", "GitCommit": "ced0996", "GoVersion": "go1.20.6", "Os": "linux", "Arch": "amd64", "KernelVersion": "5.15.0-76-generic"} +| docker-version: +| GitCommit: ced0996 +| GoVersion: go1.20.6 +| KernelVersion: 5.15.0-76-generic +| Version: 24.0.5 +| Arch: amd64 +| MinAPIVersion: 1.12 +| ApiVersion: 1.43 +|_ Os: linux +3306/tcp open mysql MySQL 5.7.38-log +| mysql-info: +| Protocol: 10 +| Version: 5.7.38-log +| Thread ID: 1 +| Capabilities flags: 63487 +| Some Capabilities: LongPassword, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, InteractiveClient, Speaks41ProtocolOld, SupportsCompression, Speaks41ProtocolNew, IgnoreSigpipes, DontAllowDatabaseTableColumn, SupportsTransactions, Support41Auth, ODBCClient, ConnectWithDatabase, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults +| Status: Autocommit +| Salt: pv!magic!O}%>UM|gu^1 +|_ Auth Plugin Name: mysql_native_password +3389/tcp open ms-wbt-server xrdp +5060/tcp open sip (SIP end point; Status: 401 Unauthorized) +| fingerprint-strings: +| HTTPOptions: +| SIP/2.0 401 Unauthorized +| Via: +| From: +| Call-ID: +| CSeq: +| WWW-Authenticate: Digest realm="omega-decky", nonce="39b4807e4f2565a7", algorithm=MD5 +| Content-Length: 0 +| RTSPRequest: +| SIP/2.0 401 Unauthorized +| Via: +| From: +| Call-ID: +| CSeq: +| WWW-Authenticate: Digest realm="omega-decky", nonce="73b517049d1e9586", algorithm=MD5 +| Content-Length: 0 +| SIPOptions: +| SIP/2.0 401 Unauthorized +| Via: SIP/2.0/TCP nm;branch=foo +| From: ;tag=root +| +| Call-ID: 50000 +| CSeq: 42 OPTIONS +| WWW-Authenticate: Digest realm="omega-decky", nonce="4895a904f454dcfb", algorithm=MD5 +|_ Content-Length: 0 +5432/tcp open postgresql? 
+5900/tcp open vnc VNC (protocol 3.8) +| vnc-info: +| Protocol version: 3.8 +| Security types: +|_ VNC Authentication (2) +6379/tcp open redis? +| fingerprint-strings: +| HELP4STOMP, HTTPOptions, Hello, Help, Kerberos, LPDString, Memcache, NessusTPv10, NessusTPv11, NessusTPv12, RTSPRequest, SSLSessionReq, SSLv23SessionReq, Socks5, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, Verifier, VerifierAdvanced, WWWOFFLEctrlstat, ajp, dominoconsole, firebird: +| -ERR unknown command +| LDAPSearchReq, hp-pjl, pervasive-btrieve: +| -ERR unknown command +| -ERR unknown command +| SIPOptions: +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| -ERR unknown command +| redis-server: +| $150 +| Server +| redis_version:7.2.7 +| redis_mode:standalone +| os:Linux 5.15.0 +| arch_bits:64 +| tcp_port:6379 +| uptime_in_seconds:864000 +| connected_clients:1 +|_ Keyspace +6443/tcp open sun-sr-https? +| fingerprint-strings: +| GetRequest: +| HTTP/1.1 404 NOT FOUND +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Sat, 11 Apr 2026 08:21:18 GMT +| Content-Type: application/json +| Content-Length: 52 +| Connection: close +| {"kind": "Status", "status": "Failure", "code": 404} +| HTTPOptions: +| HTTP/1.1 200 OK +| Server: Werkzeug/3.1.8 Python/3.11.2 +| Date: Sat, 11 Apr 2026 08:21:18 GMT +| Content-Type: text/html; charset=utf-8 +| Allow: HEAD, GET, OPTIONS +| Content-Length: 0 +| Connection: close +| RTSPRequest: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request version ('RTSP/1.0').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +| +| SSLSessionReq: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request syntax (' +| <= +| ').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +|_ +8800/tcp open sunwebadmin? +| fingerprint-strings: +| GetRequest: +| HTTP/1.1 302 Found +| Date: Sat, 11 Apr 2026 08:17:44 GMT +| Content-Type: text/html +| Location: /index.html +| Content-Length: 0 +| HTTPOptions: +| HTTP/1.1 200 OK +| Date: Sat, 11 Apr 2026 08:17:44 GMT +| Allow: GET,HEAD,POST,OPTIONS,TRACE +| Content-Length: 0 +| Connection: close +|_ Content-Type: text/html +9200/tcp open wap-wsp? +| fingerprint-strings: +| GetRequest: +| HTTP/1.0 200 OK +| Server: elasticsearch +| Date: Sat, 11 Apr 2026 08:21:18 GMT +| Content-Type: application/json; charset=UTF-8 +| Content-Length: 477 +| X-elastic-product: Elasticsearch +| {"name": "omega-decky", "cluster_name": "elasticsearch", "cluster_uuid": "xC3Pr9abTq2mNkOeLvXwYA", "version": {"number": "7.17.9", "build_flavor": "default", "build_type": "docker", "build_hash": "ef48222227ee6b9e70e502f0f0daa52435ee634d", "build_date": "2023-01-31T05:34:43.305517834Z", "build_snapshot": false, "lucene_version": "8.11.1", "minimum_wire_compatibility_version": "6.8.0", "minimum_index_compatibility_version": "6.0.0-beta1"}, "tagline": "You Know, for Search"} +| HTTPOptions: +| HTTP/1.0 501 Unsupported method ('OPTIONS') +| Server: elasticsearch +| Date: Sat, 11 Apr 2026 08:21:18 GMT +| Connection: close +| Content-Type: text/html;charset=utf-8 +| Content-Length: 360 +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 501

+|

Message: Unsupported method ('OPTIONS').

+|

Error code explanation: 501 - Server does not support this operation.

+| +| +| RTSPRequest: +| +| +| +| +| Error response +| +| +|

Error response

+|

Error code: 400

+|

Message: Bad request version ('RTSP/1.0').

+|

Error code explanation: 400 - Bad request syntax or unsupported method.

+| +|_ +10201/tcp open rsms? +27017/tcp open mongod? +|_mongodb-info: ERROR: Script execution failed (use -d to debug) +|_mongodb-databases: ERROR: Script execution failed (use -d to debug) +44818/tcp open EtherNetIP-2? +9 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port23-TCP:V=7.92%I=9%D=4/11%Time=69DA047E%P=x86_64-redhat-linux-gnu%r( +SF:NULL,7,"login:\x20")%r(GenericLines,2C,"login:\x20\xff\xfb\x01Password: +SF:\x20\nLogin\x20incorrect\nlogin:\x20")%r(tn3270,16,"login:\x20\xff\xfe\ +SF:x18\xff\xfe\x19\xff\xfc\x19\xff\xfe\0\xff\xfc\0")%r(GetRequest,2C,"logi +SF:n:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(HTT +SF:POptions,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nl +SF:ogin:\x20")%r(RTSPRequest,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogi +SF:n\x20incorrect\nlogin:\x20")%r(RPCCheck,7,"login:\x20")%r(DNSVersionBin +SF:dReqTCP,7,"login:\x20")%r(DNSStatusRequestTCP,7,"login:\x20")%r(Hello,1 +SF:4,"login:\x20\xff\xfb\x01Password:\x20")%r(Help,14,"login:\x20\xff\xfb\ +SF:x01Password:\x20")%r(SSLSessionReq,14,"login:\x20\xff\xfb\x01Password:\ +SF:x20")%r(TerminalServerCookie,14,"login:\x20\xff\xfb\x01Password:\x20")% +SF:r(TLSSessionReq,7,"login:\x20")%r(SSLv23SessionReq,14,"login:\x20\xff\x +SF:fb\x01Password:\x20")%r(Kerberos,14,"login:\x20\xff\xfb\x01Password:\x2 +SF:0")%r(X11Probe,7,"login:\x20")%r(FourOhFourRequest,2C,"login:\x20\xff\x +SF:fb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(LPDString,14,"l +SF:ogin:\x20\xff\xfb\x01Password:\x20")%r(LDAPSearchReq,2C,"login:\x20\xff +SF:\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(LDAPBindReq,7 +SF:,"login:\x20")%r(SIPOptions,BE,"login:\x20\xff\xfb\x01Password:\x20\nLo +SF:gin\x20incorrect\nlogin:\x20Password:\x20\nLogin\x20incorrect\nlogin:\x 
+SF:20Password:\x20\nLogin\x20incorrect\nlogin:\x20Password:\x20\nLogin\x20 +SF:incorrect\nlogin:\x20Password:\x20\nLogin\x20incorrect\nlogin:\x20Passw +SF:ord:\x20")%r(LANDesk-RC,7,"login:\x20")%r(TerminalServer,7,"login:\x20" +SF:)%r(NotesRPC,7,"login:\x20")%r(DistCCD,7,"login:\x20")%r(JavaRMI,7,"log +SF:in:\x20")%r(Radmin,7,"login:\x20")%r(NessusTPv12,14,"login:\x20\xff\xfb +SF:\x01Password:\x20")%r(NessusTPv11,14,"login:\x20\xff\xfb\x01Password:\x +SF:20")%r(NessusTPv10,14,"login:\x20\xff\xfb\x01Password:\x20")%r(WMSReque +SF:st,7,"login:\x20")%r(mydoom,7,"login:\x20")%r(WWWOFFLEctrlstat,14,"logi +SF:n:\x20\xff\xfb\x01Password:\x20")%r(Verifier,14,"login:\x20\xff\xfb\x01 +SF:Password:\x20")%r(VerifierAdvanced,14,"login:\x20\xff\xfb\x01Password:\ +SF:x20"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port110-TCP:V=7.92%I=9%D=4/11%Time=69DA047E%P=x86_64-redhat-linux-gnu%r +SF:(NULL,25,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n")%r(Gen +SF:ericLines,25,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n")%r +SF:(GetRequest,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n-E +SF:RR\x20Command\x20not\x20recognized\r\n")%r(HTTPOptions,42,"\+OK\x20omeg +SF:a-decky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20not\x20reco +SF:gnized\r\n")%r(RTSPRequest,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x +SF:20ready\.\r\n-ERR\x20Command\x20not\x20recognized\r\n")%r(RPCCheck,25," +SF:\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n")%r(DNSVersionBin +SF:dReqTCP,25,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n")%r(D +SF:NSStatusRequestTCP,25,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\ +SF:.\r\n")%r(Hello,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r +SF:\n-ERR\x20Command\x20not\x20recognized\r\n")%r(Help,42,"\+OK\x20omega-d +SF:ecky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20not\x20recogni +SF:zed\r\n")%r(SSLSessionReq,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x2 
+SF:0ready\.\r\n-ERR\x20Command\x20not\x20recognized\r\n")%r(TerminalServer +SF:Cookie,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x2 +SF:0Command\x20not\x20recognized\r\n")%r(TLSSessionReq,42,"\+OK\x20omega-d +SF:ecky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20not\x20recogni +SF:zed\r\n")%r(SSLv23SessionReq,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3 +SF:\x20ready\.\r\n-ERR\x20Command\x20not\x20recognized\r\n")%r(Kerberos,42 +SF:,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\ +SF:x20not\x20recognized\r\n")%r(SMBProgNeg,25,"\+OK\x20omega-decky\x20Dove +SF:cot\x20POP3\x20ready\.\r\n")%r(X11Probe,25,"\+OK\x20omega-decky\x20Dove +SF:cot\x20POP3\x20ready\.\r\n")%r(FourOhFourRequest,42,"\+OK\x20omega-deck +SF:y\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20not\x20recognized +SF:\r\n")%r(LPDString,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\ +SF:.\r\n-ERR\x20Command\x20not\x20recognized\r\n")%r(LDAPSearchReq,5F,"\+O +SF:K\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20no +SF:t\x20recognized\r\n-ERR\x20Command\x20not\x20recognized\r\n"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port445-TCP:V=7.92%I=9%D=4/11%Time=69DA0483%P=x86_64-redhat-linux-gnu%r +SF:(SMBProgNeg,51,"\0\0\0M\xffSMBr\0\0\0\0\x80\0\xc0\0\0\0\0\0\0\0\0\0\0\0 +SF:\0\0\0@\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\xfa\0\0\0\0\x01\0\0\0 +SF:\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\x08\x08\0\x11\"3DUfw\x88"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port1433-TCP:V=7.92%I=9%D=4/11%Time=69DA0483%P=x86_64-redhat-linux-gnu% +SF:r(ms-sql-s,2F,"\x04\x01\0/\0\0\x01\0\0\0\x1a\0\x06\x01\0\x20\0\x01\x02\ +SF:0!\0\x01\x03\0\"\0\x04\x04\0&\0\x01\xff\x0e\0\x07\xd0\0\0\x02\0\0\0\0\0 +SF:\0"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port2121-TCP:V=7.92%I=9%D=4/11%Time=69DA047E%P=x86_64-redhat-linux-gnu% 
+SF:r(NULL,17,"200\x20FTP\x20server\x20ready\.\r\n")%r(GenericLines,3A,"200 +SF:\x20FTP\x20server\x20ready\.\r\n500\x20Command\x20'\\r\\n'\x20not\x20un +SF:derstood\r\n"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port5060-TCP:V=7.92%I=9%D=4/11%Time=69DA048A%P=x86_64-redhat-linux-gnu% +SF:r(SIPOptions,F7,"SIP/2\.0\x20401\x20Unauthorized\r\nVia:\x20SIP/2\.0/TC +SF:P\x20nm;branch=foo\r\nFrom:\x20;tag=root\r\nTo:\x20\r\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nWWW-Authenticate +SF::\x20Digest\x20realm=\"omega-decky\",\x20nonce=\"4895a904f454dcfb\",\x2 +SF:0algorithm=MD5\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,AE,"SIP/ +SF:2\.0\x20401\x20Unauthorized\r\nVia:\x20\r\nFrom:\x20\r\nTo:\x20\r\nCall +SF:-ID:\x20\r\nCSeq:\x20\r\nWWW-Authenticate:\x20Digest\x20realm=\"omega-d +SF:ecky\",\x20nonce=\"39b4807e4f2565a7\",\x20algorithm=MD5\r\nContent-Leng +SF:th:\x200\r\n\r\n")%r(RTSPRequest,AE,"SIP/2\.0\x20401\x20Unauthorized\r\ +SF:nVia:\x20\r\nFrom:\x20\r\nTo:\x20\r\nCall-ID:\x20\r\nCSeq:\x20\r\nWWW-A +SF:uthenticate:\x20Digest\x20realm=\"omega-decky\",\x20nonce=\"73b517049d1 +SF:e9586\",\x20algorithm=MD5\r\nContent-Length:\x200\r\n\r\n"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port5432-TCP:V=7.92%I=9%D=4/11%Time=69DA048D%P=x86_64-redhat-linux-gnu% +SF:r(SMBProgNeg,D,"R\0\0\0\x0c\0\0\0\x059=\xdb\x16")%r(Kerberos,D,"R\0\0\0 +SF:\x0c\0\0\0\x05\xae>;\xd5")%r(ZendJavaBridge,D,"R\0\0\0\x0c\0\0\0\x05\x8 +SF:3l\x7f\x8c"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== +SF-Port6379-TCP:V=7.92%I=9%D=4/11%Time=69DA0483%P=x86_64-redhat-linux-gnu% +SF:r(redis-server,9E,"\$150\r\n#\x20Server\nredis_version:7\.2\.7\nredis_m +SF:ode:standalone\nos:Linux\x205\.15\.0\narch_bits:64\ntcp_port:6379\nupti +SF:me_in_seconds:864000\nconnected_clients:1\n#\x20Keyspace\n\r\n")%r(GetR +SF:equest,5,"\$-1\r\n")%r(HTTPOptions,16,"-ERR\x20unknown\x20command\r\n") 
+SF:%r(RTSPRequest,16,"-ERR\x20unknown\x20command\r\n")%r(Hello,16,"-ERR\x2 +SF:0unknown\x20command\r\n")%r(Help,16,"-ERR\x20unknown\x20command\r\n")%r +SF:(SSLSessionReq,16,"-ERR\x20unknown\x20command\r\n")%r(TerminalServerCoo +SF:kie,16,"-ERR\x20unknown\x20command\r\n")%r(TLSSessionReq,16,"-ERR\x20un +SF:known\x20command\r\n")%r(SSLv23SessionReq,16,"-ERR\x20unknown\x20comman +SF:d\r\n")%r(Kerberos,16,"-ERR\x20unknown\x20command\r\n")%r(FourOhFourReq +SF:uest,5,"\$-1\r\n")%r(LPDString,16,"-ERR\x20unknown\x20command\r\n")%r(L +SF:DAPSearchReq,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20comma +SF:nd\r\n")%r(SIPOptions,DC,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown +SF:\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command +SF:\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x2 +SF:0unknown\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x2 +SF:0command\r\n-ERR\x20unknown\x20command\r\n")%r(NessusTPv12,16,"-ERR\x20 +SF:unknown\x20command\r\n")%r(NessusTPv11,16,"-ERR\x20unknown\x20command\r +SF:\n")%r(NessusTPv10,16,"-ERR\x20unknown\x20command\r\n")%r(WWWOFFLEctrls +SF:tat,16,"-ERR\x20unknown\x20command\r\n")%r(Verifier,16,"-ERR\x20unknown +SF:\x20command\r\n")%r(VerifierAdvanced,16,"-ERR\x20unknown\x20command\r\n +SF:")%r(Socks5,16,"-ERR\x20unknown\x20command\r\n")%r(OfficeScan,5,"\$-1\r +SF:\n")%r(HELP4STOMP,16,"-ERR\x20unknown\x20command\r\n")%r(Memcache,16,"- +SF:ERR\x20unknown\x20command\r\n")%r(firebird,16,"-ERR\x20unknown\x20comma +SF:nd\r\n")%r(pervasive-btrieve,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20 +SF:unknown\x20command\r\n")%r(ajp,16,"-ERR\x20unknown\x20command\r\n")%r(h +SF:p-pjl,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command\r\n" +SF:)%r(SqueezeCenter_CLI,16,"-ERR\x20unknown\x20command\r\n")%r(dominocons +SF:ole,16,"-ERR\x20unknown\x20command\r\n"); +==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== 
+SF-Port6443-TCP:V=7.92%I=9%D=4/11%Time=69DA047E%P=x86_64-redhat-linux-gnu% +SF:r(SSLSessionReq,1E8,"\n\n\x20\x2 +SF:0\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20Error\x20response +SF:\n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x20 +SF:\x20\x20\x20

Error\x20response

\n\x20\x20\x20\x20\x20\x20\x20\x2 +SF:0

Error\x20code:\x20400

\n\x20\x20\x20\x20\x20\x20\x20\x20

Messa +SF:ge:\x20Bad\x20request\x20syntax\x20\('\\x16\\x03\\x00\\x00S\\x01\\x00\\ +SF:x00O\\x03\\x00\?G\xc3\x97\xc3\xb7\xc2\xba,\xc3\xae\xc3\xaa\xc2\xb2`~\xc +SF:3\xb3\\x00\xc3\xbd\\x82{\xc2\xb9\xc3\x95\\x96\xc3\x88w\\x9b\xc3\xa6\xc3 +SF:\x84\xc3\x9b<=\xc3\x9bo\xc3\xaf\\x10n\\x00\\x00\(\\x00\\x16\\x00\\x1 +SF:3\\x00'\)\.

\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20code\x20ex +SF:planation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported +SF:\x20method\.

\n\x20\x20\x20\x20\n\n")%r(GetRequest,E0, +SF:"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nServer:\x20Werkzeug/3\.1\.8\x20Pyt +SF:hon/3\.11\.2\r\nDate:\x20Sat,\x2011\x20Apr\x202026\x2008:21:18\x20GMT\r +SF:\nContent-Type:\x20application/json\r\nContent-Length:\x2052\r\nConnect +SF:ion:\x20close\r\n\r\n{\"kind\":\x20\"Status\",\x20\"status\":\x20\"Fail +SF:ure\",\x20\"code\":\x20404}")%r(HTTPOptions,C7,"HTTP/1\.1\x20200\x20OK\ +SF:r\nServer:\x20Werkzeug/3\.1\.8\x20Python/3\.11\.2\r\nDate:\x20Sat,\x201 +SF:1\x20Apr\x202026\x2008:21:18\x20GMT\r\nContent-Type:\x20text/html;\x20c +SF:harset=utf-8\r\nAllow:\x20HEAD,\x20GET,\x20OPTIONS\r\nContent-Length:\x +SF:200\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,16C,"\n\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x +SF:20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20 +SF:\x20Error\x20response\n\x20\x20\x20\x20\n\x20\x20 +SF:\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20response\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20code:\x20400

\n\x20 +SF:\x20\x20\x20\x20\x20\x20\x20

Message:\x20Bad\x20request\x20version\x2 +SF:0\('RTSP/1\.0'\)\.

\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20cod +SF:e\x20explanation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\x20unsu +SF:pported\x20method\.

\n\x20\x20\x20\x20\n\n"); +MAC Address: 5A:84:B9:11:A3:E8 (Unknown) +Device type: general purpose +Running: Linux 5.X +OS CPE: cpe:/o:linux:linux_kernel:5 +OS details: Linux 5.3 - 5.4 +Network Distance: 1 hop +Service Info: Hosts: omega-decky, omega-decky + +Host script results: +| smb2-security-mode: +| 2.0.2: +|_ Message signing enabled but not required +|_clock-skew: mean: -77664d04h15m02s, deviation: 109833d17h34m55s, median: -155328d08h30m05s +| smb2-time: +| date: 2026-04-11T08:30:06 +|_ start_date: 2026-04-11T08:30:06 +| smb-security-mode: +| account_used: guest +| authentication_level: user +| challenge_response: supported +|_ message_signing: disabled (dangerous, but default) +|_ms-sql-info: ERROR: Script execution failed (use -d to debug) + +TRACEROUTE +HOP RTT ADDRESS +1 0.03 ms 192.168.1.200 + +Nmap scan report for 192.168.1.201 +Host is up (0.000037s latency). +Not shown: 65534 closed tcp ports (reset) +PORT STATE SERVICE VERSION +25/tcp open smtp Postfix smtpd +|_smtp-commands: relay-decky, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN +MAC Address: 0E:84:8E:09:6A:47 (Unknown) +No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
+TCP/IP fingerprint: +OS:SCAN(V=7.92%E=4%D=4/11%OT=25%CT=1%CU=38325%PV=Y%DS=1%DC=D%G=Y%M=0E848E%T +OS:M=69DA07BC%P=x86_64-redhat-linux-gnu)SEQ(SP=101%GCD=1%ISR=10F%TI=Z%CI=Z% +OS:TS=A)SEQ(SP=101%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NWA%O2= +OS:M5B4ST11NWA%O3=M5B4NNT11NWA%O4=M5B4ST11NWA%O5=M5B4ST11NWA%O6=M5B4ST11)WI +OS:N(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FA +OS:F0%O=M5B4NNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3 +OS:(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S= +OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R= +OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%R +OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) + +Network Distance: 1 hop +Service Info: Host: relay-decky + +TRACEROUTE +HOP RTT ADDRESS +1 0.04 ms 192.168.1.201 + +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Apr 11 04:35:08 2026 -- 2 IP addresses (2 hosts up) scanned in 836.75 seconds diff --git a/templates/conpot/decnet_logging.py b/templates/conpot/decnet_logging.py new file mode 100644 index 0000000..5a09505 --- /dev/null +++ b/templates/conpot/decnet_logging.py 
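Review bot: The committed scan is mainly a record of the decoys' fingerprint tells, and nothing in it marks which findings are expected, so the next scan has no baseline to diff against. Port 80 is reported as Apache httpd 2.4.54 while its own header reads `Server: Werkzeug/3.1.8 Python/3.11.2`, the same Werkzeug header comes back from the Docker API on 2375 and the Kubernetes-style endpoint on 6443, and 9200 answers as `Server: elasticsearch` yet returns what looks like the stock Python `http.server` "Error response" page for the OPTIONS and RTSP probes — a scanner correlating these would classify the host as one Python process rather than the mixed stack it imitates. Both hosts' SMTP also advertise `VRFY`, which is fine as bait but should be a recorded decision rather than an accident. I would not edit the generated file itself, but a short note in the README (or a sibling `postpostfixnmap.notes.md`) listing the known tells — Werkzeug header on 80/2375/6443, http.server error pages on 2375/6443/9200 — gives the next scan something to compare with.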
@@ -0,0 +1,89 @@ +#!/usr/bin/env python3 +""" +Shared RFC 5424 syslog helper for DECNET service templates. + +Services call syslog_line() to format an RFC 5424 message, then +write_syslog_file() to emit it to stdout — Docker captures it, and the +host-side collector streams it into the log file. + +RFC 5424 structure: + 1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG + +Facility: local0 (16), PEN for SD element ID: decnet@55555 +""" + +from datetime import datetime, timezone +from typing import Any + +# ─── Constants ──────────────────────────────────────────────────────────────── + +_FACILITY_LOCAL0 = 16 +_SD_ID = "decnet@55555" +_NILVALUE = "-" + +SEVERITY_EMERG = 0 +SEVERITY_ALERT = 1 +SEVERITY_CRIT = 2 +SEVERITY_ERROR = 3 +SEVERITY_WARNING = 4 +SEVERITY_NOTICE = 5 +SEVERITY_INFO = 6 +SEVERITY_DEBUG = 7 + +_MAX_HOSTNAME = 255 +_MAX_APPNAME = 48 +_MAX_MSGID = 32 + +# ─── Formatter ──────────────────────────────────────────────────────────────── + +def _sd_escape(value: str) -> str: + """Escape SD-PARAM-VALUE per RFC 5424 §6.3.3.""" + return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]") + + +def _sd_element(fields: dict[str, Any]) -> str: + if not fields: + return _NILVALUE + params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items()) + return f"[{_SD_ID} {params}]" + + +def syslog_line( + service: str, + hostname: str, + event_type: str, + severity: int = SEVERITY_INFO, + timestamp: datetime | None = None, + msg: str | None = None, + **fields: Any, +) -> str: + """ + Return a single RFC 5424-compliant syslog line (no trailing newline). + + Args: + service: APP-NAME (e.g. "http", "mysql") + hostname: HOSTNAME (decky node name) + event_type: MSGID (e.g. 
"request", "login_attempt") + severity: Syslog severity integer (default: INFO=6) + timestamp: UTC datetime; defaults to now + msg: Optional free-text MSG + **fields: Encoded as structured data params + """ + pri = f"<{_FACILITY_LOCAL0 * 8 + severity}>" + ts = (timestamp or datetime.now(timezone.utc)).isoformat() + host = (hostname or _NILVALUE)[:_MAX_HOSTNAME] + appname = (service or _NILVALUE)[:_MAX_APPNAME] + msgid = (event_type or _NILVALUE)[:_MAX_MSGID] + sd = _sd_element(fields) + message = f" {msg}" if msg else "" + return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}" + + +def write_syslog_file(line: str) -> None: + """Emit a syslog line to stdout for Docker log capture.""" + print(line, flush=True) + + +def forward_syslog(line: str, log_target: str) -> None: + """No-op stub. TCP forwarding is now handled by rsyslog, not by service containers.""" + pass diff --git a/templates/cowrie/decnet_logging.py b/templates/cowrie/decnet_logging.py new file mode 100644 index 0000000..5a09505 --- /dev/null +++ b/templates/cowrie/decnet_logging.py 
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+"""
+Shared RFC 5424 syslog helper for DECNET service templates.
+
+Services call syslog_line() to format an RFC 5424 message, then
+write_syslog_file() to emit it to stdout — Docker captures it, and the
+host-side collector streams it into the log file.
+
+RFC 5424 structure:
+ 1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
+
+Facility: local0 (16), PEN for SD element ID: decnet@55555
+"""
+
+from datetime import datetime, timezone
+from typing import Any
+
+# ─── Constants ────────────────────────────────────────────────────────────────
+
+_FACILITY_LOCAL0 = 16
+_SD_ID = "decnet@55555"
+_NILVALUE = "-"
+
+SEVERITY_EMERG = 0
+SEVERITY_ALERT = 1
+SEVERITY_CRIT = 2
+SEVERITY_ERROR = 3
+SEVERITY_WARNING = 4
+SEVERITY_NOTICE = 5
+SEVERITY_INFO = 6
+SEVERITY_DEBUG = 7
+
+_MAX_HOSTNAME = 255
+_MAX_APPNAME = 48
+_MAX_MSGID = 32
+
+# ─── Formatter ────────────────────────────────────────────────────────────────
+
+def _sd_escape(value: str) -> str:
+ """Escape SD-PARAM-VALUE per RFC 5424 §6.3.3."""
+ return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
+
+
+def _sd_element(fields: dict[str, Any]) -> str:
+ if not fields:
+ return _NILVALUE
+ params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items())
+ return f"[{_SD_ID} {params}]"
+
+
+def syslog_line(
+ service: str,
+ hostname: str,
+ event_type: str,
+ severity: int = SEVERITY_INFO,
+ timestamp: datetime | None = None,
+ msg: str | None = None,
+ **fields: Any,
+) -> str:
+ """
+ Return a single RFC 5424-compliant syslog line (no trailing newline).
+
+ Args:
+ service: APP-NAME (e.g. "http", "mysql")
+ hostname: HOSTNAME (decky node name)
+ event_type: MSGID (e.g. "request", "login_attempt")
+ severity: Syslog severity integer (default: INFO=6)
+ timestamp: UTC datetime; defaults to now
+ msg: Optional free-text MSG
+ **fields: Encoded as structured data params
+ """
+ pri = f"<{_FACILITY_LOCAL0 * 8 + severity}>"
+ ts = (timestamp or datetime.now(timezone.utc)).isoformat()
+ host = (hostname or _NILVALUE)[:_MAX_HOSTNAME]
+ appname = (service or _NILVALUE)[:_MAX_APPNAME]
+ msgid = (event_type or _NILVALUE)[:_MAX_MSGID]
+ sd = _sd_element(fields)
+ message = f" {msg}" if msg else ""
+ return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
+
+
+def write_syslog_file(line: str) -> None:
+ """Emit a syslog line to stdout for Docker log capture."""
+ print(line, flush=True)
+
+
+def forward_syslog(line: str, log_target: str) -> None:
+ """No-op stub. TCP forwarding is now handled by rsyslog, not by service containers."""
+ pass
diff --git a/templates/cowrie/honeyfs/etc/group b/templates/cowrie/honeyfs/etc/group
new file mode 100644
index 0000000..f6f803f
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/group
@@ -0,0 +1,62 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:syslog,admin
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:admin
+floppy:x:25:
+tape:x:26:
+sudo:x:27:admin
+audio:x:29:
+dip:x:30:admin
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:admin
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+systemd-journal:x:101:
+systemd-network:x:102:
+systemd-resolve:x:103:
+crontab:x:104:
+messagebus:x:105:
+systemd-timesync:x:106:
+input:x:107:
+sgx:x:108:
+kvm:x:109:
+render:x:110:
+syslog:x:110:
+tss:x:111:
+uuidd:x:112:
+tcpdump:x:113:
+ssl-cert:x:114:
+landscape:x:115:
+fwupd-refresh:x:116:
+usbmux:x:46:
+lxd:x:117:admin
+systemd-coredump:x:999:
+mysql:x:119:
+netdev:x:120:admin
+admin:x:1000:
diff --git a/templates/cowrie/honeyfs/etc/hostname b/templates/cowrie/honeyfs/etc/hostname
new file mode 100644
index 0000000..680d0ba
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/hostname
@@ -0,0 +1 @@
+NODE_NAME
diff --git a/templates/cowrie/honeyfs/etc/hosts b/templates/cowrie/honeyfs/etc/hosts
new file mode 100644
index 0000000..6fa59b8
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+127.0.1.1 NODE_NAME
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/templates/cowrie/honeyfs/etc/issue b/templates/cowrie/honeyfs/etc/issue
new file mode 100644
index 0000000..c813011
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/issue
@@ -0,0 +1,2 @@
+Ubuntu 22.04.3 LTS \n \l
+
diff --git a/templates/cowrie/honeyfs/etc/issue.net b/templates/cowrie/honeyfs/etc/issue.net
new file mode 100644
index 0000000..1b339ce
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/issue.net
@@ -0,0 +1 @@
+Ubuntu 22.04.3 LTS
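Review bot: The `group` hunk has two duplicated GIDs — `render:x:110:` next to `syslog:x:110:` and `usbmux:x:46:` next to `plugdev:x:46:admin` — and, as far as I know, a stock Ubuntu 22.04 install has no `usbmux` group at all (the `passwd` hunk in this commit already gives the usbmux user primary GID 46, i.e. plugdev). Anyone who reads the file in the emulated shell sees an inconsistency that fingerprints the host as synthetic. Dropping the `usbmux:x:46:` line and giving `render` or `syslog` a distinct GID, with `syslog:x:104:110` in `passwd` kept in step with whichever moves, removes the tell.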
diff --git a/templates/cowrie/honeyfs/etc/motd b/templates/cowrie/honeyfs/etc/motd
new file mode 100644
index 0000000..d6d0561
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/motd
@@ -0,0 +1,26 @@
+
+ * Documentation: https://help.ubuntu.com
+ * Management: https://landscape.canonical.com
+ * Support: https://ubuntu.com/advantage
+
+ System information as of Mon Jan 15 09:12:44 UTC 2024
+
+ System load: 0.08 Processes: 142
+ Usage of /: 34.2% of 49.10GB Users logged in: 0
+ Memory usage: 22% IPv4 address for eth0: 10.0.1.5
+ Swap usage: 0%
+
+ * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
+ just raised the bar for K8s security.
+
+ https://ubuntu.com/engage/secure-kubernetes-at-the-edge
+
+Expanded Security Maintenance for Applications is not enabled.
+
+0 updates can be applied immediately.
+
+Enable ESM Apps to receive additional future security updates.
+See https://ubuntu.com/esm or run: sudo pro status
+
+
+Last login: Sun Jan 14 23:45:01 2024 from 10.0.0.1
diff --git a/templates/cowrie/honeyfs/etc/os-release b/templates/cowrie/honeyfs/etc/os-release
new file mode 100644
index 0000000..39240aa
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/os-release
@@ -0,0 +1,12 @@
+PRETTY_NAME="Ubuntu 22.04.3 LTS"
+NAME="Ubuntu"
+VERSION_ID="22.04"
+VERSION="22.04.3 LTS (Jammy Jellyfish)"
+VERSION_CODENAME=jammy
+ID=ubuntu
+ID_LIKE=debian
+HOME_URL="https://www.ubuntu.com/"
+SUPPORT_URL="https://help.ubuntu.com/"
+BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+UBUNTU_CODENAME=jammy
diff --git a/templates/cowrie/honeyfs/etc/passwd b/templates/cowrie/honeyfs/etc/passwd
new file mode 100644
index 0000000..fa9fe0f
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/passwd
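Review bot: The `motd` bakes in fixed timestamps (`System information as of Mon Jan 15 09:12:44 UTC 2024`, `Last login: Sun Jan 14 23:45:01 2024 from 10.0.0.1`) while `hostname`, `hosts` and `var/log/auth.log` use a `NODE_NAME` placeholder that is apparently substituted at build time; a banner whose clock never advances is a recognisable honeypot tell once a deployment is a few weeks old. If that substitution step can be extended, a placeholder analogous to `NODE_NAME` for the date (and for the `Jan 14`/`Jan 15` stamps in the `auth.log` hunk further down) would keep the decoy consistent with real time; otherwise a short comment in the template noting that the dates are static at least makes the limitation visible to whoever maintains it.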
@@ -0,0 +1,36 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+syslog:x:104:110::/home/syslog:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
+uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
+landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
+pollinate:x:110:1::/var/cache/pollinate:/bin/false
+fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
+mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
+admin:x:1000:1000:Admin User,,,:/home/admin:/bin/bash
diff --git a/templates/cowrie/honeyfs/etc/resolv.conf b/templates/cowrie/honeyfs/etc/resolv.conf
new file mode 100644
index 0000000..43cde45
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/resolv.conf
@@ -0,0 +1,4 @@
+# This file is managed by man:systemd-resolved(8). Do not edit.
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+search company.internal
diff --git a/templates/cowrie/honeyfs/etc/shadow b/templates/cowrie/honeyfs/etc/shadow
new file mode 100644
index 0000000..16bde7c
--- /dev/null
+++ b/templates/cowrie/honeyfs/etc/shadow
@@ -0,0 +1,36 @@
+root:$6$rounds=4096$randomsalt$hashed_root_password:19000:0:99999:7:::
+daemon:*:19000:0:99999:7:::
+bin:*:19000:0:99999:7:::
+sys:*:19000:0:99999:7:::
+sync:*:19000:0:99999:7:::
+games:*:19000:0:99999:7:::
+man:*:19000:0:99999:7:::
+lp:*:19000:0:99999:7:::
+mail:*:19000:0:99999:7:::
+news:*:19000:0:99999:7:::
+uucp:*:19000:0:99999:7:::
+proxy:*:19000:0:99999:7:::
+www-data:*:19000:0:99999:7:::
+backup:*:19000:0:99999:7:::
+list:*:19000:0:99999:7:::
+irc:*:19000:0:99999:7:::
+gnats:*:19000:0:99999:7:::
+nobody:*:19000:0:99999:7:::
+systemd-network:*:19000:0:99999:7:::
+systemd-resolve:*:19000:0:99999:7:::
+messagebus:*:19000:0:99999:7:::
+systemd-timesync:*:19000:0:99999:7:::
+syslog:*:19000:0:99999:7:::
+_apt:*:19000:0:99999:7:::
+tss:*:19000:0:99999:7:::
+uuidd:*:19000:0:99999:7:::
+tcpdump:*:19000:0:99999:7:::
+landscape:*:19000:0:99999:7:::
+pollinate:*:19000:0:99999:7:::
+fwupd-refresh:*:19000:0:99999:7:::
+usbmux:*:19000:0:99999:7:::
+sshd:*:19000:0:99999:7:::
+systemd-coredump:!!:19000::::::
+lxd:!:19000::::::
+mysql:!:19000:0:99999:7:::
+admin:$6$rounds=4096$xyz123$hashed_admin_password:19000:0:99999:7:::
diff --git a/templates/cowrie/honeyfs/home/admin/.aws/credentials b/templates/cowrie/honeyfs/home/admin/.aws/credentials
new file mode 100644
index 0000000..11dfea1
--- /dev/null
+++ b/templates/cowrie/honeyfs/home/admin/.aws/credentials
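Review bot: The two populated `shadow` entries are not valid crypt(3) output: `$6$rounds=4096$randomsalt$hashed_root_password` and `$6$rounds=4096$xyz123$hashed_admin_password` put literal words (with underscores, which are outside the `./0-9A-Za-z` hash alphabet) where an 86-character SHA-512 digest belongs, so the file reads as a decoy the moment it is dumped — and the `root/.bash_history` added further down in this commit even lists `cat /etc/shadow` as a routine step. Real hashes of throwaway passwords, e.g. produced with `openssl passwd -6`, cost nothing and keep the fiction intact. The same applies to `home/admin/.ssh/authorized_keys` two lines below, whose key bodies are a repeated phrase rather than base64 that decodes to an RSA public key.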
@@ -0,0 +1,14 @@
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+region = us-east-1
+
+[production]
+aws_access_key_id = AKIAI44QH8DHBEXAMPLE
+aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
+region = us-east-1
+
+[backup-role]
+aws_access_key_id = AKIAIOSFODNN7BACKUP1
+aws_secret_access_key = 9drTJvcXLB89EXAMPLEKEY/bPxRfiCYBACKUPKEY
+region = eu-west-2
diff --git a/templates/cowrie/honeyfs/home/admin/.bash_history b/templates/cowrie/honeyfs/home/admin/.bash_history
new file mode 100644
index 0000000..a3770b1
--- /dev/null
+++ b/templates/cowrie/honeyfs/home/admin/.bash_history
@@ -0,0 +1,33 @@
+ls -la
+cd /var/www/html
+git status
+git pull origin main
+sudo systemctl restart nginx
+sudo systemctl status nginx
+df -h
+free -m
+top
+ps aux | grep nginx
+aws s3 ls
+aws s3 ls s3://company-prod-backups
+aws s3 cp /var/www/html/backup.tar.gz s3://company-prod-backups/
+aws ec2 describe-instances --region us-east-1
+kubectl get pods -n production
+kubectl get services -n production
+kubectl describe pod api-deployment-7d4b9c5f6-xk2pz -n production
+docker ps
+docker images
+docker-compose up -d
+mysql -u admin -pSup3rS3cr3t! -h 10.0.1.5 production
+cat /etc/mysql/my.cnf
+tail -f /var/log/nginx/access.log
+tail -f /var/log/auth.log
+ssh root@10.0.1.10
+scp admin@10.0.1.20:/home/admin/.aws/credentials /tmp/
+cat ~/.aws/credentials
+vim ~/.aws/credentials
+sudo crontab -l
+ls /opt/app/
+cd /opt/app && npm run build
+git log --oneline -20
+history
diff --git a/templates/cowrie/honeyfs/home/admin/.ssh/authorized_keys b/templates/cowrie/honeyfs/home/admin/.ssh/authorized_keys
new file mode 100644
index 0000000..1f3fbca
--- /dev/null
+++ b/templates/cowrie/honeyfs/home/admin/.ssh/authorized_keys
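Review bot: The access keys in `.aws/credentials` are AWS's own documentation placeholders (`AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`) and the other two profiles still carry the `EXAMPLE` marker, so credential scanners and anyone who has read the AWS docs will classify them as dummies, and an attempt to use them produces nothing the operator can observe. Issuing canary credentials instead — an IAM access key with no permissions whose every API call raises a CloudTrail alert, or tokens from a honeytoken service — turns exfiltration of this file into a detection event, which is the reason to plant it at all. The `mysql -u admin -pSup3rS3cr3t! -h 10.0.1.5 production` entry in the `.bash_history` hunk on this line could point at a monitored decoy in the same way.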
@@ -0,0 +1,2 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekey admin@workstation
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbackupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline deploy@ci-runner
diff --git a/templates/cowrie/honeyfs/root/.bash_history b/templates/cowrie/honeyfs/root/.bash_history
new file mode 100644
index 0000000..fa7b2ba
--- /dev/null
+++ b/templates/cowrie/honeyfs/root/.bash_history
@@ -0,0 +1,22 @@
+whoami
+id
+uname -a
+cat /etc/passwd
+cat /etc/shadow
+ls /home
+ls /home/admin
+cat /home/admin/.bash_history
+cat /home/admin/.aws/credentials
+find / -name "*.pem" 2>/dev/null
+find / -name "id_rsa" 2>/dev/null
+find / -name "*.key" 2>/dev/null
+netstat -tunlp
+ss -tunlp
+iptables -L
+cat /etc/crontab
+crontab -l
+ps aux
+systemctl list-units
+cat /etc/mysql/my.cnf
+mysql -u root -p
+history -c
diff --git a/templates/cowrie/honeyfs/var/log/auth.log b/templates/cowrie/honeyfs/var/log/auth.log
new file mode 100644
index 0000000..e28240e
--- /dev/null
+++ b/templates/cowrie/honeyfs/var/log/auth.log
@@ -0,0 +1,12 @@
+Jan 14 23:31:04 NODE_NAME sshd[1832]: Accepted publickey for admin from 10.0.0.1 port 54321 ssh2: RSA SHA256:xAmPlEkEyHaSh1234567890abcdefghijklmnop
+Jan 14 23:31:04 NODE_NAME sshd[1832]: pam_unix(sshd:session): session opened for user admin by (uid=0)
+Jan 14 23:31:46 NODE_NAME sudo[1901]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
+Jan 14 23:31:46 NODE_NAME sudo[1901]: pam_unix(sudo:session): session opened for user root by admin(uid=0)
+Jan 14 23:31:47 NODE_NAME sudo[1901]: pam_unix(sudo:session): session closed for user root
+Jan 14 23:45:01 NODE_NAME sshd[1832]: pam_unix(sshd:session): session closed for user admin
+Jan 15 00:02:14 NODE_NAME sshd[2104]: Failed password for invalid user oracle from 185.220.101.47 port 38291 ssh2
+Jan 15 00:02:16 NODE_NAME sshd[2106]: Failed password for invalid user postgres from 185.220.101.47 port 38295 ssh2
+Jan 15 00:02:19 NODE_NAME sshd[2108]: Failed password for root from 185.220.101.47 port 38301 ssh2
+Jan 15 00:02:19 NODE_NAME sshd[2108]: error: maximum authentication attempts exceeded for root from 185.220.101.47 port 38301 ssh2 [preauth]
+Jan 15 09:12:44 NODE_NAME sshd[2891]: Accepted password for admin from 10.0.0.5 port 51243 ssh2
+Jan 15 09:12:44 NODE_NAME sshd[2891]: pam_unix(sshd:session): session opened for user admin by (uid=0)
diff --git a/templates/real_ssh/Dockerfile b/templates/ssh/Dockerfile
similarity index 100%
rename from templates/real_ssh/Dockerfile
rename to templates/ssh/Dockerfile
diff --git a/templates/real_ssh/decnet_logging.py b/templates/ssh/decnet_logging.py
similarity index 100%
rename from templates/real_ssh/decnet_logging.py
rename to templates/ssh/decnet_logging.py
diff --git a/templates/real_ssh/entrypoint.sh b/templates/ssh/entrypoint.sh
similarity index 100%
rename from templates/real_ssh/entrypoint.sh
rename to templates/ssh/entrypoint.sh
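Review bot: The fabricated brute-force lines in `auth.log` use `185.220.101.47`, a routable public address, as the attacker source; if the honeyfs contents or the Cowrie session captures are ever fed into SIEM enrichment or threat-intel sharing, that address gets attributed to activity that never happened. Unless it was chosen deliberately, an RFC 5737 documentation address (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) or an address the operator controls avoids polluting downstream analysis. The fixed `Jan 14`/`Jan 15` stamps share the frozen-clock issue raised on the `motd` hunk above.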
diff --git a/tests/test_build.py b/tests/test_build.py
index 90a126c..fbdc185 100644
--- a/tests/test_build.py
+++ b/tests/test_build.py
@@ -51,7 +51,6 @@ MODULES = [
 "decnet.services.imap",
 "decnet.services.pop3",
 "decnet.services.conpot",
- "decnet.services.real_ssh",
 "decnet.services.registry",
 ]
diff --git a/tests/test_real_ssh.py b/tests/test_real_ssh.py
deleted file mode 100644
index 7fd9a6d..0000000
--- a/tests/test_real_ssh.py
+++ /dev/null
@@ -1,188 +0,0 @@
-"""
-Tests for the RealSSHService plugin and the deaddeck archetype.
-"""
-
-from pathlib import Path
-
-from decnet.services.registry import all_services, get_service
-from decnet.archetypes import get_archetype
-
-
-# ---------------------------------------------------------------------------
-# Helpers
-# ---------------------------------------------------------------------------
-
-def _fragment(service_cfg: dict | None = None, log_target: str | None = None) -> dict:
- return get_service("real_ssh").compose_fragment(
- "test-decky", log_target=log_target, service_cfg=service_cfg
- )
-
-
-# ---------------------------------------------------------------------------
-# Registration
-# ---------------------------------------------------------------------------
-
-def test_real_ssh_registered():
- assert "real_ssh" in all_services()
-
-
-def test_real_ssh_ports():
- svc = get_service("real_ssh")
- assert svc.ports == [22]
-
-
-def test_real_ssh_is_build_service():
- svc = get_service("real_ssh")
- assert svc.default_image == "build"
-
-
-def test_real_ssh_dockerfile_context_exists():
- svc = get_service("real_ssh")
- ctx = svc.dockerfile_context()
- assert ctx is not None
- assert ctx.is_dir(), f"Dockerfile context directory missing: {ctx}"
- assert (ctx / "Dockerfile").exists(), "Dockerfile missing in real_ssh template dir"
- assert (ctx / "entrypoint.sh").exists(), "entrypoint.sh missing in real_ssh template dir"
-
-
-# ---------------------------------------------------------------------------
-# compose_fragment structure
-# ---------------------------------------------------------------------------
-
-def test_compose_fragment_has_build():
- frag = _fragment()
- assert "build" in frag
- assert "context" in frag["build"]
-
-
-def test_compose_fragment_container_name():
- frag = _fragment()
- assert frag["container_name"] == "test-decky-real-ssh"
-
-
-def test_compose_fragment_restart_policy():
- frag = _fragment()
- assert frag["restart"] == "unless-stopped"
-
-
-def test_compose_fragment_cap_add():
- frag = _fragment()
- assert "NET_BIND_SERVICE" in frag.get("cap_add", [])
-
-
-def test_compose_fragment_default_password():
- frag = _fragment()
- env = frag["environment"]
- assert env["SSH_ROOT_PASSWORD"] == "admin"
-
-
-# ---------------------------------------------------------------------------
-# service_cfg overrides
-# ---------------------------------------------------------------------------
-
-def test_custom_password():
- frag = _fragment(service_cfg={"password": "s3cr3t!"})
- assert frag["environment"]["SSH_ROOT_PASSWORD"] == "s3cr3t!"
-
-
-def test_custom_hostname():
- frag = _fragment(service_cfg={"hostname": "srv-prod-01"})
- assert frag["environment"]["SSH_HOSTNAME"] == "srv-prod-01"
-
-
-def test_no_hostname_by_default():
- frag = _fragment()
- assert "SSH_HOSTNAME" not in frag["environment"]
-
-
-# ---------------------------------------------------------------------------
-# log_target: real_ssh does not forward logs via LOG_TARGET
-# (no log aggregation on the entry-point — attacker shouldn't see it)
-# ---------------------------------------------------------------------------
-
-def test_no_log_target_env_injected():
- frag = _fragment(log_target="10.0.0.1:5140")
- assert "LOG_TARGET" not in frag.get("environment", {})
-
-
-# ---------------------------------------------------------------------------
-# Deaddeck archetype
-# ---------------------------------------------------------------------------
-
-def test_deaddeck_archetype_exists():
- arch = get_archetype("deaddeck")
- assert arch.slug == "deaddeck"
-
-
-def test_deaddeck_uses_real_ssh():
- arch = get_archetype("deaddeck")
- assert "real_ssh" in arch.services
-
-
-def test_deaddeck_nmap_os():
- arch = get_archetype("deaddeck")
- assert arch.nmap_os == "linux"
-
-
-def test_deaddeck_preferred_distros_not_empty():
- arch = get_archetype("deaddeck")
- assert len(arch.preferred_distros) >= 1
-
-
-# ---------------------------------------------------------------------------
-# Logging pipeline wiring (Dockerfile + entrypoint)
-# ---------------------------------------------------------------------------
-
-def _dockerfile_text() -> str:
- svc = get_service("real_ssh")
- return (svc.dockerfile_context() / "Dockerfile").read_text()
-
-
-def _entrypoint_text() -> str:
- svc = get_service("real_ssh")
- return (svc.dockerfile_context() / "entrypoint.sh").read_text()
-
-
-def test_dockerfile_has_rsyslog():
- assert "rsyslog" in _dockerfile_text()
-
-
-def test_dockerfile_runs_as_root():
- """sshd requires root — no USER directive should appear after setup."""
- lines = [l.strip() for l in _dockerfile_text().splitlines()]
- user_lines = [l for l in lines if l.startswith("USER ")]
- assert user_lines == [], f"Unexpected USER directive(s): {user_lines}"
-
-
-def test_dockerfile_rsyslog_conf_created():
- df = _dockerfile_text()
- assert "99-decnet.conf" in df
- assert "RFC5424fmt" in df
-
-
-def test_dockerfile_sudoers_syslog():
- df = _dockerfile_text()
- assert "syslog=auth" in df
- assert "log_input" in df
- assert "log_output" in df
-
-
-def test_dockerfile_prompt_command_logger():
- df = _dockerfile_text()
- assert "PROMPT_COMMAND" in df
- assert "logger" in df
-
-
-def test_entrypoint_creates_named_pipe():
- assert "mkfifo" in _entrypoint_text()
-
-
-def test_entrypoint_starts_rsyslogd():
- assert "rsyslogd" in _entrypoint_text()
-
-
-def test_entrypoint_sshd_no_dash_e():
- ep = _entrypoint_text()
- assert "sshd -D" in ep
- # -e flag would bypass syslog; must not be present
- assert "sshd -D -e" not in ep
diff --git a/tests/test_ssh.py b/tests/test_ssh.py
index 13d8c2d..65ccb7e 100644
--- a/tests/test_ssh.py
+++ b/tests/test_ssh.py
@@ -3,6 +3,7 @@ Tests for the SSHService plugin (real OpenSSH, Cowrie removed).
 """
 from decnet.services.registry import all_services, get_service
+from decnet.archetypes import get_archetype
 # ---------------------------------------------------------------------------
@@ -15,6 +16,14 @@ def _fragment(service_cfg: dict | None = None, log_target: str | None = None) ->
 )
+def _dockerfile_text() -> str:
+ return (get_service("ssh").dockerfile_context() / "Dockerfile").read_text()
+
+
+def _entrypoint_text() -> str:
+ return (get_service("ssh").dockerfile_context() / "entrypoint.sh").read_text()
+
+
 # ---------------------------------------------------------------------------
 # Registration
 # ---------------------------------------------------------------------------
@@ -23,6 +32,10 @@ def test_ssh_registered():
 assert "ssh" in all_services()
+def test_real_ssh_not_registered():
+ assert "real_ssh" not in all_services()
+
+
 def test_ssh_ports():
 assert get_service("ssh").ports == [22]
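Review bot: The module docstring quoted in the first hunk's header still reads `Tests for the SSHService plugin (real OpenSSH, Cowrie removed).`, while this same commit adds a `templates/cowrie/` honeyfs and `decnet_logging.py`; if Cowrie is back as a template, that parenthetical now misleads the next reader and `(real OpenSSH)` alone would be accurate. The `_dockerfile_text`/`_entrypoint_text` helpers added in the second hunk read the raw template files and have no comment saying why; a one-liner such as `# Raw template text for the logging-pipeline wiring tests below.` ties them to the tests this commit appends at the end of the file.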
@@ -88,3 +101,68 @@ def test_no_hostname_by_default():
 def test_no_log_target_in_env():
 assert "LOG_TARGET" not in _fragment(log_target="10.0.0.1:5140").get("environment", {})
+
+
+# ---------------------------------------------------------------------------
+# Logging pipeline wiring (Dockerfile + entrypoint)
+# ---------------------------------------------------------------------------
+
+def test_dockerfile_has_rsyslog():
+ assert "rsyslog" in _dockerfile_text()
+
+
+def test_dockerfile_runs_as_root():
+ lines = [l.strip() for l in _dockerfile_text().splitlines()]
+ user_lines = [l for l in lines if l.startswith("USER ")]
+ assert user_lines == [], f"Unexpected USER directive(s): {user_lines}"
+
+
+def test_dockerfile_rsyslog_conf_created():
+ df = _dockerfile_text()
+ assert "99-decnet.conf" in df
+ assert "RFC5424fmt" in df
+
+
+def test_dockerfile_sudoers_syslog():
+ df = _dockerfile_text()
+ assert "syslog=auth" in df
+ assert "log_input" in df
+ assert "log_output" in df
+
+
+def test_dockerfile_prompt_command_logger():
+ df = _dockerfile_text()
+ assert "PROMPT_COMMAND" in df
+ assert "logger" in df
+
+
+def test_entrypoint_creates_named_pipe():
+ assert "mkfifo" in _entrypoint_text()
+
+
+def test_entrypoint_starts_rsyslogd():
+ assert "rsyslogd" in _entrypoint_text()
+
+
+def test_entrypoint_sshd_no_dash_e():
+ ep = _entrypoint_text()
+ assert "sshd -D" in ep
+ assert "sshd -D -e" not in ep
+
+
+# ---------------------------------------------------------------------------
+# Deaddeck archetype
+# ---------------------------------------------------------------------------
+
+def test_deaddeck_uses_ssh():
+ arch = get_archetype("deaddeck")
+ assert "ssh" in arch.services
+ assert "real_ssh" not in arch.services
+
+
+def test_deaddeck_nmap_os():
+ assert get_archetype("deaddeck").nmap_os == "linux"
+
+
+def test_deaddeck_preferred_distros_not_empty():
+ assert len(get_archetype("deaddeck").preferred_distros) >= 1
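Review bot: `test_dockerfile_runs_as_root` and `test_entrypoint_sshd_no_dash_e` dropped the explanatory text their counterparts in the deleted `tests/test_real_ssh.py` carried — the docstring `"""sshd requires root — no USER directive should appear after setup."""` and the comment `# -e flag would bypass syslog; must not be present` — and those were the only place the *why* behind the wiring checks was recorded, so please restore them. The `-e` assertion is also only a substring check on `sshd -D -e`, so an entrypoint that spells it `sshd -e -D` would pass unnoticed; checking the argument list instead, `sshd_lines = [ln for ln in ep.splitlines() if "sshd" in ln and "-D" in ln.split()]` followed by `assert sshd_lines and all("-e" not in ln.split() for ln in sshd_lines)`, pins the intent. Minor: `l` as the loop variable in `test_dockerfile_runs_as_root` is the ambiguous name ruff flags as E741; `line` reads better.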