#!/usr/bin/env python3 """ Redisserver. Implements enough of the RESP protocol to respond to AUTH, INFO, CONFIG GET, KEYS, and arbitrary commands. Logs every command and argument as JSON. """ import asyncio import os import instance_seed as _seed from syslog_bridge import ( encode_secret, forward_syslog, syslog_line, write_syslog_file, ) NODE_NAME = os.environ.get("NODE_NAME", "cache-server") SERVICE_NAME = "redis" LOG_TARGET = os.environ.get("LOG_TARGET", "") PORT = int(os.environ.get("PORT", "6379")) # Per-instance realistic version pick (weighted toward still-supported lines). _REDIS_VER = os.environ.get("REDIS_VERSION") or _seed.pick_weighted([ ("7.2.4", 2), ("7.2.5", 3), ("7.2.6", 3), ("7.2.7", 2), ("7.0.15", 2), ("7.0.14", 1), ("6.2.14", 2), ("6.2.16", 1), ]) # Kernel line matching plausible Debian/Ubuntu LTS minor ranges. _REDIS_OS = os.environ.get("REDIS_OS") or _seed.pick([ "Linux 5.15.0-118-generic x86_64", "Linux 6.1.0-21-amd64 x86_64", "Linux 5.10.0-30-amd64 x86_64", "Linux 6.5.0-27-generic x86_64", ]) _RUN_ID = _seed.instance_hex(20, "redis-run") _PROCESS_ID = _seed.rng.randint(120, 32000) _TCP_PORT_STR = str(PORT) # AUTH config: empty REDIS_PASSWORD means "no auth configured" — AUTH returns # the canonical "Client sent AUTH, but no password is set" error, matching a # real redis-server with requirepass unset. _REQUIREPASS = os.environ.get("REDIS_PASSWORD", "") def _info_block() -> bytes: uptime = _seed.uptime_seconds() uptime_days = max(1, uptime // 86400) # Minimal but plausible subset; real redis INFO has ~150 keys. text = ( "# Server\r\n" f"redis_version:{_REDIS_VER}\r\n" f"redis_git_sha1:00000000\r\n" f"redis_git_dirty:0\r\n" f"redis_build_id:{_seed.instance_hex(8, 'redis-build')}\r\n" "redis_mode:standalone\r\n" f"os:{_REDIS_OS}\r\n" "arch_bits:64\r\n" f"process_id:{_PROCESS_ID}\r\n" f"run_id:{_RUN_ID}\r\n" f"tcp_port:{_TCP_PORT_STR}\r\n" f"uptime_in_seconds:{uptime}\r\n" f"uptime_in_days:{uptime_days}\r\n" "hz:10\r\n" "# Clients\r\n" "connected_clients:1\r\n" "maxclients:10000\r\n" "# Memory\r\n" f"used_memory:{_seed.rng.randint(800_000, 12_000_000)}\r\n" "mem_fragmentation_ratio:1.12\r\n" "# Stats\r\n" f"total_connections_received:{_seed.rng.randint(50, 9000)}\r\n" f"total_commands_processed:{_seed.rng.randint(5_000, 2_000_000)}\r\n" "# Keyspace\r\n" ) return text.encode() def _build_fake_store() -> dict[bytes, bytes]: """Per-instance plausible cache content. No embedded DECNET-identifying strings; keys / values shaped like what real apps leave in redis.""" n_sessions = _seed.rng.randint(3, 14) store: dict[bytes, bytes] = {} app_slug = _seed.pick(["api", "web", "worker", "shop", "admin", "cms"]) env_slug = _seed.pick(["prod", "stage", "live"]) for i in range(n_sessions): sid = _seed.instance_hex(16, f"sess-{i}") uid = _seed.rng.randint(1000, 999_999) store[f"session:{sid}".encode()] = ( f'{{"uid":{uid},"exp":{int(_seed.boot_epoch()) + 86400 * 7}}}' ).encode() for i in range(_seed.rng.randint(2, 6)): store[f"cache:{app_slug}:feed:{i}".encode()] = ( _seed.instance_hex(24, f"feed-{i}").encode() ) store[f"stats:{app_slug}:{env_slug}:requests".encode()] = ( str(_seed.rng.randint(5_000, 900_000)).encode() ) return store _FAKE_STORE = _build_fake_store() # Config presented via CONFIG GET — realistic subset of a default redis.conf. _CONFIG = { "maxmemory": "0", "maxmemory-policy": "noeviction", "maxclients": "10000", "timeout": "0", "tcp-keepalive": "300", "databases": "16", "save": "3600 1 300 100 60 10000", "appendonly": "no", "loglevel": "notice", "dir": "/var/lib/redis", "bind": "127.0.0.1 -::1", "protected-mode": "yes", "supervised": "systemd", } def _log(event_type: str, severity: int = 6, **kwargs) -> None: line = syslog_line(SERVICE_NAME, NODE_NAME, event_type, severity, **kwargs) write_syslog_file(line) forward_syslog(line, LOG_TARGET) def _bulk(s: str) -> bytes: enc = s.encode() return f"${len(enc)}\r\n".encode() + enc + b"\r\n" def _err(msg: str) -> bytes: return f"-ERR {msg}\r\n".encode() class RESPParser: """Incremental RESP array parser — returns list of str tokens or None if incomplete.""" def __init__(self): self._buf = b"" def feed(self, data: bytes): self._buf += data return self._try_parse() def _try_parse(self): commands = [] while self._buf: cmd, consumed = self._parse_one(self._buf) if cmd is None: break commands.append(cmd) self._buf = self._buf[consumed:] return commands def _parse_one(self, buf: bytes): if not buf: return None, 0 if buf[0:1] == b"*": end = buf.find(b"\r\n") if end == -1: return None, 0 count = int(buf[1:end]) pos = end + 2 parts = [] for _ in range(count): if pos >= len(buf): return None, 0 if buf[pos:pos + 1] != b"$": return None, 0 end2 = buf.find(b"\r\n", pos) if end2 == -1: return None, 0 length = int(buf[pos + 1:end2]) start = end2 + 2 if start + length + 2 > len(buf): return None, 0 parts.append(buf[start:start + length].decode(errors="replace")) pos = start + length + 2 return parts, pos # Inline command end = buf.find(b"\r\n") if end == -1: end = buf.find(b"\n") if end == -1: return None, 0 line = buf[:end].decode(errors="replace").strip() return line.split(), end + (2 if buf[end:end + 2] == b"\r\n" else 1) def _config_get(pattern: str) -> bytes: """Emulate `CONFIG GET ` — returns alternating key/value bulks.""" import fnmatch matches = [(k, v) for k, v in _CONFIG.items() if fnmatch.fnmatchcase(k, pattern)] out = f"*{len(matches) * 2}\r\n".encode() for k, v in matches: out += _bulk(k) + _bulk(v) return out class RedisProtocol(asyncio.Protocol): def __init__(self): self._transport = None self._peer = None self._parser = RESPParser() self._authed = not _REQUIREPASS # auth satisfied iff no password set def connection_made(self, transport): self._transport = transport self._peer = transport.get_extra_info("peername", ("?", 0)) _log("connect", src=self._peer[0], src_port=self._peer[1]) def data_received(self, data): for cmd in self._parser.feed(data): self._handle_command(cmd) def _write(self, payload: bytes) -> None: """Writes with per-response jitter. Unseeded so two connections to the same decky don't get an identical latency fingerprint. Honeypot throughput targets are low; a few ms of blocking sleep here is fine and avoids the asyncio-task plumbing the synchronous protocol model doesn't otherwise need.""" _seed.jitter_sync(2, 40) if self._transport and not self._transport.is_closing(): self._transport.write(payload) def _handle_command(self, parts): if not parts: return verb = parts[0].upper() args = parts[1:] _log("command", src=self._peer[0], cmd=verb, args=args[:8]) if verb == "AUTH": # Redis 6+ accepts two-arg AUTH (`AUTH `) for ACL # auth; legacy single-arg AUTH is just the password. Capture # the username when present so attackers brute-forcing ACLs # leave the same trail SSH/FTP do. password = args[-1] if args else "" _user = args[0] if len(args) >= 2 else None _log("auth", src=self._peer[0], principal=_user, **encode_secret(password)) if not _REQUIREPASS: self._write( _err("Client sent AUTH, but no password is set. " "Did you mean AUTH ?") ) elif password == _REQUIREPASS: self._authed = True self._write(b"+OK\r\n") else: self._write(_err("WRONGPASS invalid username-password pair or user is disabled.")) return if not self._authed: self._write(_err("NOAUTH Authentication required.")) return if verb == "INFO": info = _info_block() self._write(f"${len(info)}\r\n".encode() + info + b"\r\n") elif verb == "PING": self._write(b"+PONG\r\n") elif verb == "CONFIG": sub = args[0].upper() if args else "" if sub == "GET" and len(args) >= 2: self._write(_config_get(args[1])) elif sub == "SET": self._write(b"+OK\r\n") elif sub == "RESETSTAT": self._write(b"+OK\r\n") else: self._write(_err( "Unknown CONFIG subcommand or wrong number of arguments for '" f"{sub.lower() or '?'}'" )) elif verb == "KEYS": pattern = args[0] if args else "*" keys = list(_FAKE_STORE.keys()) if pattern.endswith('*') and pattern != '*': prefix = pattern[:-1].encode() keys = [k for k in keys if k.startswith(prefix)] elif pattern != '*': pat = pattern.encode() keys = [k for k in keys if k == pat] resp = f"*{len(keys)}\r\n".encode() + b"".join(_bulk(k.decode()) for k in keys) self._write(resp) elif verb == "GET": key = args[0].encode() if args else b"" if key in _FAKE_STORE: self._write(_bulk(_FAKE_STORE[key].decode())) else: self._write(b"$-1\r\n") elif verb == "SCAN": keys = list(_FAKE_STORE.keys()) resp = b"*2\r\n$1\r\n0\r\n" + f"*{len(keys)}\r\n".encode() + b"".join(_bulk(k.decode()) for k in keys) self._write(resp) elif verb == "TYPE": self._write(b"+string\r\n") elif verb == "TTL": self._write(b":-1\r\n") elif verb == "DBSIZE": self._write(f":{len(_FAKE_STORE)}\r\n".encode()) elif verb == "COMMAND": self._write(b"*0\r\n") elif verb == "CLIENT": self._write(b"+OK\r\n") elif verb == "SELECT": self._write(b"+OK\r\n") elif verb == "QUIT": self._write(b"+OK\r\n") if self._transport: self._transport.close() else: self._write(_err(f"unknown command '{verb.lower()}'")) def connection_lost(self, exc): _log("disconnect", src=self._peer[0] if self._peer else "?") async def main(): _log("startup", msg=f"Redis server starting as {NODE_NAME}") loop = asyncio.get_running_loop() server = await loop.create_server(RedisProtocol, "0.0.0.0", PORT) # nosec B104 async with server: await server.serve_forever() if __name__ == "__main__": asyncio.run(main())