refactor(ssh): consolidate real_ssh into ssh, remove duplication

real_ssh was a separate service name pointing to the same template and behaviour as ssh. Merged them: ssh is now the single real-OpenSSH service. - Rename templates/real_ssh/ → templates/ssh/ - Remove decnet/services/real_ssh.py - Deaddeck archetype updated: services=["ssh"] - Merge test_real_ssh.py into test_ssh.py (includes deaddeck + logging tests) - Drop decnet.services.real_ssh from test_build module list
2026-04-11 19:51:41 -04:00
parent d77def64c4
commit c79f96f321
45 changed files with 1610 additions and 239 deletions
--- a/templates/conpot/decnet_logging.py
+++ b/templates/conpot/decnet_logging.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+"""
+Shared RFC 5424 syslog helper for DECNET service templates.
+
+Services call syslog_line() to format an RFC 5424 message, then
+write_syslog_file() to emit it to stdout — Docker captures it, and the
+host-side collector streams it into the log file.
+
+RFC 5424 structure:
+  <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
+
+Facility: local0 (16), PEN for SD element ID: decnet@55555
+"""
+
+from datetime import datetime, timezone
+from typing import Any
+
+# ─── Constants ────────────────────────────────────────────────────────────────
+
+_FACILITY_LOCAL0 = 16
+_SD_ID = "decnet@55555"
+_NILVALUE = "-"
+
+SEVERITY_EMERG   = 0
+SEVERITY_ALERT   = 1
+SEVERITY_CRIT    = 2
+SEVERITY_ERROR   = 3
+SEVERITY_WARNING = 4
+SEVERITY_NOTICE  = 5
+SEVERITY_INFO    = 6
+SEVERITY_DEBUG   = 7
+
+_MAX_HOSTNAME = 255
+_MAX_APPNAME  = 48
+_MAX_MSGID    = 32
+
+# ─── Formatter ────────────────────────────────────────────────────────────────
+
+def _sd_escape(value: str) -> str:
+    """Escape SD-PARAM-VALUE per RFC 5424 §6.3.3."""
+    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
+
+
+def _sd_element(fields: dict[str, Any]) -> str:
+    if not fields:
+        return _NILVALUE
+    params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items())
+    return f"[{_SD_ID} {params}]"
+
+
+def syslog_line(
+    service: str,
+    hostname: str,
+    event_type: str,
+    severity: int = SEVERITY_INFO,
+    timestamp: datetime | None = None,
+    msg: str | None = None,
+    **fields: Any,
+) -> str:
+    """
+    Return a single RFC 5424-compliant syslog line (no trailing newline).
+
+    Args:
+        service:    APP-NAME (e.g. "http", "mysql")
+        hostname:   HOSTNAME (decky node name)
+        event_type: MSGID    (e.g. "request", "login_attempt")
+        severity:   Syslog severity integer (default: INFO=6)
+        timestamp:  UTC datetime; defaults to now
+        msg:        Optional free-text MSG
+        **fields:   Encoded as structured data params
+    """
+    pri     = f"<{_FACILITY_LOCAL0 * 8 + severity}>"
+    ts      = (timestamp or datetime.now(timezone.utc)).isoformat()
+    host    = (hostname or _NILVALUE)[:_MAX_HOSTNAME]
+    appname = (service  or _NILVALUE)[:_MAX_APPNAME]
+    msgid   = (event_type or _NILVALUE)[:_MAX_MSGID]
+    sd      = _sd_element(fields)
+    message = f" {msg}" if msg else ""
+    return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
+
+
+def write_syslog_file(line: str) -> None:
+    """Emit a syslog line to stdout for Docker log capture."""
+    print(line, flush=True)
+
+
+def forward_syslog(line: str, log_target: str) -> None:
+    """No-op stub. TCP forwarding is now handled by rsyslog, not by service containers."""
+    pass
--- a/templates/cowrie/decnet_logging.py
+++ b/templates/cowrie/decnet_logging.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+"""
+Shared RFC 5424 syslog helper for DECNET service templates.
+
+Services call syslog_line() to format an RFC 5424 message, then
+write_syslog_file() to emit it to stdout — Docker captures it, and the
+host-side collector streams it into the log file.
+
+RFC 5424 structure:
+  <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
+
+Facility: local0 (16), PEN for SD element ID: decnet@55555
+"""
+
+from datetime import datetime, timezone
+from typing import Any
+
+# ─── Constants ────────────────────────────────────────────────────────────────
+
+_FACILITY_LOCAL0 = 16
+_SD_ID = "decnet@55555"
+_NILVALUE = "-"
+
+SEVERITY_EMERG   = 0
+SEVERITY_ALERT   = 1
+SEVERITY_CRIT    = 2
+SEVERITY_ERROR   = 3
+SEVERITY_WARNING = 4
+SEVERITY_NOTICE  = 5
+SEVERITY_INFO    = 6
+SEVERITY_DEBUG   = 7
+
+_MAX_HOSTNAME = 255
+_MAX_APPNAME  = 48
+_MAX_MSGID    = 32
+
+# ─── Formatter ────────────────────────────────────────────────────────────────
+
+def _sd_escape(value: str) -> str:
+    """Escape SD-PARAM-VALUE per RFC 5424 §6.3.3."""
+    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
+
+
+def _sd_element(fields: dict[str, Any]) -> str:
+    if not fields:
+        return _NILVALUE
+    params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items())
+    return f"[{_SD_ID} {params}]"
+
+
+def syslog_line(
+    service: str,
+    hostname: str,
+    event_type: str,
+    severity: int = SEVERITY_INFO,
+    timestamp: datetime | None = None,
+    msg: str | None = None,
+    **fields: Any,
+) -> str:
+    """
+    Return a single RFC 5424-compliant syslog line (no trailing newline).
+
+    Args:
+        service:    APP-NAME (e.g. "http", "mysql")
+        hostname:   HOSTNAME (decky node name)
+        event_type: MSGID    (e.g. "request", "login_attempt")
+        severity:   Syslog severity integer (default: INFO=6)
+        timestamp:  UTC datetime; defaults to now
+        msg:        Optional free-text MSG
+        **fields:   Encoded as structured data params
+    """
+    pri     = f"<{_FACILITY_LOCAL0 * 8 + severity}>"
+    ts      = (timestamp or datetime.now(timezone.utc)).isoformat()
+    host    = (hostname or _NILVALUE)[:_MAX_HOSTNAME]
+    appname = (service  or _NILVALUE)[:_MAX_APPNAME]
+    msgid   = (event_type or _NILVALUE)[:_MAX_MSGID]
+    sd      = _sd_element(fields)
+    message = f" {msg}" if msg else ""
+    return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
+
+
+def write_syslog_file(line: str) -> None:
+    """Emit a syslog line to stdout for Docker log capture."""
+    print(line, flush=True)
+
+
+def forward_syslog(line: str, log_target: str) -> None:
+    """No-op stub. TCP forwarding is now handled by rsyslog, not by service containers."""
+    pass
--- a/templates/cowrie/honeyfs/etc/group
+++ b/templates/cowrie/honeyfs/etc/group
@@ -0,0 +1,62 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:syslog,admin
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:admin
+floppy:x:25:
+tape:x:26:
+sudo:x:27:admin
+audio:x:29:
+dip:x:30:admin
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:admin
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+systemd-journal:x:101:
+systemd-network:x:102:
+systemd-resolve:x:103:
+crontab:x:104:
+messagebus:x:105:
+systemd-timesync:x:106:
+input:x:107:
+sgx:x:108:
+kvm:x:109:
+render:x:110:
+syslog:x:110:
+tss:x:111:
+uuidd:x:112:
+tcpdump:x:113:
+ssl-cert:x:114:
+landscape:x:115:
+fwupd-refresh:x:116:
+usbmux:x:46:
+lxd:x:117:admin
+systemd-coredump:x:999:
+mysql:x:119:
+netdev:x:120:admin
+admin:x:1000:
--- a/templates/cowrie/honeyfs/etc/hostname
+++ b/templates/cowrie/honeyfs/etc/hostname
@@ -0,0 +1 @@
+NODE_NAME
--- a/templates/cowrie/honeyfs/etc/hosts
+++ b/templates/cowrie/honeyfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1	localhost
+127.0.1.1	NODE_NAME
+::1		localhost ip6-localhost ip6-loopback
+ff02::1		ip6-allnodes
+ff02::2		ip6-allrouters
--- a/templates/cowrie/honeyfs/etc/issue
+++ b/templates/cowrie/honeyfs/etc/issue
@@ -0,0 +1,2 @@
+Ubuntu 22.04.3 LTS \n \l
+
--- a/templates/cowrie/honeyfs/etc/issue.net
+++ b/templates/cowrie/honeyfs/etc/issue.net
@@ -0,0 +1 @@
+Ubuntu 22.04.3 LTS
--- a/templates/cowrie/honeyfs/etc/motd
+++ b/templates/cowrie/honeyfs/etc/motd
@@ -0,0 +1,26 @@
+
+ * Documentation:  https://help.ubuntu.com
+ * Management:     https://landscape.canonical.com
+ * Support:        https://ubuntu.com/advantage
+
+  System information as of Mon Jan 15 09:12:44 UTC 2024
+
+  System load:  0.08               Processes:             142
+  Usage of /:   34.2% of 49.10GB   Users logged in:       0
+  Memory usage: 22%                IPv4 address for eth0: 10.0.1.5
+  Swap usage:   0%
+
+ * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
+   just raised the bar for K8s security.
+
+     https://ubuntu.com/engage/secure-kubernetes-at-the-edge
+
+Expanded Security Maintenance for Applications is not enabled.
+
+0 updates can be applied immediately.
+
+Enable ESM Apps to receive additional future security updates.
+See https://ubuntu.com/esm or run: sudo pro status
+
+
+Last login: Sun Jan 14 23:45:01 2024 from 10.0.0.1
--- a/templates/cowrie/honeyfs/etc/os-release
+++ b/templates/cowrie/honeyfs/etc/os-release
@@ -0,0 +1,12 @@
+PRETTY_NAME="Ubuntu 22.04.3 LTS"
+NAME="Ubuntu"
+VERSION_ID="22.04"
+VERSION="22.04.3 LTS (Jammy Jellyfish)"
+VERSION_CODENAME=jammy
+ID=ubuntu
+ID_LIKE=debian
+HOME_URL="https://www.ubuntu.com/"
+SUPPORT_URL="https://help.ubuntu.com/"
+BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+UBUNTU_CODENAME=jammy
--- a/templates/cowrie/honeyfs/etc/passwd
+++ b/templates/cowrie/honeyfs/etc/passwd
@@ -0,0 +1,36 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+syslog:x:104:110::/home/syslog:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
+uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
+landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
+pollinate:x:110:1::/var/cache/pollinate:/bin/false
+fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
+mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
+admin:x:1000:1000:Admin User,,,:/home/admin:/bin/bash
--- a/templates/cowrie/honeyfs/etc/resolv.conf
+++ b/templates/cowrie/honeyfs/etc/resolv.conf
@@ -0,0 +1,4 @@
+# This file is managed by man:systemd-resolved(8). Do not edit.
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+search company.internal
--- a/templates/cowrie/honeyfs/etc/shadow
+++ b/templates/cowrie/honeyfs/etc/shadow
@@ -0,0 +1,36 @@
+root:$6$rounds=4096$randomsalt$hashed_root_password:19000:0:99999:7:::
+daemon:*:19000:0:99999:7:::
+bin:*:19000:0:99999:7:::
+sys:*:19000:0:99999:7:::
+sync:*:19000:0:99999:7:::
+games:*:19000:0:99999:7:::
+man:*:19000:0:99999:7:::
+lp:*:19000:0:99999:7:::
+mail:*:19000:0:99999:7:::
+news:*:19000:0:99999:7:::
+uucp:*:19000:0:99999:7:::
+proxy:*:19000:0:99999:7:::
+www-data:*:19000:0:99999:7:::
+backup:*:19000:0:99999:7:::
+list:*:19000:0:99999:7:::
+irc:*:19000:0:99999:7:::
+gnats:*:19000:0:99999:7:::
+nobody:*:19000:0:99999:7:::
+systemd-network:*:19000:0:99999:7:::
+systemd-resolve:*:19000:0:99999:7:::
+messagebus:*:19000:0:99999:7:::
+systemd-timesync:*:19000:0:99999:7:::
+syslog:*:19000:0:99999:7:::
+_apt:*:19000:0:99999:7:::
+tss:*:19000:0:99999:7:::
+uuidd:*:19000:0:99999:7:::
+tcpdump:*:19000:0:99999:7:::
+landscape:*:19000:0:99999:7:::
+pollinate:*:19000:0:99999:7:::
+fwupd-refresh:*:19000:0:99999:7:::
+usbmux:*:19000:0:99999:7:::
+sshd:*:19000:0:99999:7:::
+systemd-coredump:!!:19000::::::
+lxd:!:19000::::::
+mysql:!:19000:0:99999:7:::
+admin:$6$rounds=4096$xyz123$hashed_admin_password:19000:0:99999:7:::
--- a/templates/cowrie/honeyfs/home/admin/.aws/credentials
+++ b/templates/cowrie/honeyfs/home/admin/.aws/credentials
@@ -0,0 +1,14 @@
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+region = us-east-1
+
+[production]
+aws_access_key_id = AKIAI44QH8DHBEXAMPLE
+aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
+region = us-east-1
+
+[backup-role]
+aws_access_key_id = AKIAIOSFODNN7BACKUP1
+aws_secret_access_key = 9drTJvcXLB89EXAMPLEKEY/bPxRfiCYBACKUPKEY
+region = eu-west-2
--- a/templates/cowrie/honeyfs/home/admin/.bash_history
+++ b/templates/cowrie/honeyfs/home/admin/.bash_history
@@ -0,0 +1,33 @@
+ls -la
+cd /var/www/html
+git status
+git pull origin main
+sudo systemctl restart nginx
+sudo systemctl status nginx
+df -h
+free -m
+top
+ps aux | grep nginx
+aws s3 ls
+aws s3 ls s3://company-prod-backups
+aws s3 cp /var/www/html/backup.tar.gz s3://company-prod-backups/
+aws ec2 describe-instances --region us-east-1
+kubectl get pods -n production
+kubectl get services -n production
+kubectl describe pod api-deployment-7d4b9c5f6-xk2pz -n production
+docker ps
+docker images
+docker-compose up -d
+mysql -u admin -pSup3rS3cr3t! -h 10.0.1.5 production
+cat /etc/mysql/my.cnf
+tail -f /var/log/nginx/access.log
+tail -f /var/log/auth.log
+ssh root@10.0.1.10
+scp admin@10.0.1.20:/home/admin/.aws/credentials /tmp/
+cat ~/.aws/credentials
+vim ~/.aws/credentials
+sudo crontab -l
+ls /opt/app/
+cd /opt/app && npm run build
+git log --oneline -20
+history
--- a/templates/cowrie/honeyfs/home/admin/.ssh/authorized_keys
+++ b/templates/cowrie/honeyfs/home/admin/.ssh/authorized_keys
@@ -0,0 +1,2 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekey admin@workstation
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbackupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline deploy@ci-runner
--- a/templates/cowrie/honeyfs/root/.bash_history
+++ b/templates/cowrie/honeyfs/root/.bash_history
@@ -0,0 +1,22 @@
+whoami
+id
+uname -a
+cat /etc/passwd
+cat /etc/shadow
+ls /home
+ls /home/admin
+cat /home/admin/.bash_history
+cat /home/admin/.aws/credentials
+find / -name "*.pem" 2>/dev/null
+find / -name "id_rsa" 2>/dev/null
+find / -name "*.key" 2>/dev/null
+netstat -tunlp
+ss -tunlp
+iptables -L
+cat /etc/crontab
+crontab -l
+ps aux
+systemctl list-units
+cat /etc/mysql/my.cnf
+mysql -u root -p
+history -c
--- a/templates/cowrie/honeyfs/var/log/auth.log
+++ b/templates/cowrie/honeyfs/var/log/auth.log
@@ -0,0 +1,12 @@
+Jan 14 23:31:04 NODE_NAME sshd[1832]: Accepted publickey for admin from 10.0.0.1 port 54321 ssh2: RSA SHA256:xAmPlEkEyHaSh1234567890abcdefghijklmnop
+Jan 14 23:31:04 NODE_NAME sshd[1832]: pam_unix(sshd:session): session opened for user admin by (uid=0)
+Jan 14 23:31:46 NODE_NAME sudo[1901]:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
+Jan 14 23:31:46 NODE_NAME sudo[1901]: pam_unix(sudo:session): session opened for user root by admin(uid=0)
+Jan 14 23:31:47 NODE_NAME sudo[1901]: pam_unix(sudo:session): session closed for user root
+Jan 14 23:45:01 NODE_NAME sshd[1832]: pam_unix(sshd:session): session closed for user admin
+Jan 15 00:02:14 NODE_NAME sshd[2104]: Failed password for invalid user oracle from 185.220.101.47 port 38291 ssh2
+Jan 15 00:02:16 NODE_NAME sshd[2106]: Failed password for invalid user postgres from 185.220.101.47 port 38295 ssh2
+Jan 15 00:02:19 NODE_NAME sshd[2108]: Failed password for root from 185.220.101.47 port 38301 ssh2
+Jan 15 00:02:19 NODE_NAME sshd[2108]: error: maximum authentication attempts exceeded for root from 185.220.101.47 port 38301 ssh2 [preauth]
+Jan 15 09:12:44 NODE_NAME sshd[2891]: Accepted password for admin from 10.0.0.5 port 51243 ssh2
+Jan 15 09:12:44 NODE_NAME sshd[2891]: pam_unix(sshd:session): session opened for user admin by (uid=0)
--- a/templates/real_ssh/Dockerfile
+++ b/templates/real_ssh/Dockerfile
--- a/templates/real_ssh/decnet_logging.py
+++ b/templates/real_ssh/decnet_logging.py
--- a/templates/real_ssh/entrypoint.sh
+++ b/templates/real_ssh/entrypoint.sh