anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0fe9f895d0475b2fa1876790634ca696816dc2aa
DECNET/decnet/templates/telnet/entrypoint.sh
anti 3e9c4c29b9 feat(ssh,telnet): add non-root user account for privesc + enum lure 
Real Linux deployments (especially Ubuntu cloud images) ship a non-
root admin user; honeypots that only accept root logins are a tell.
Add a second account on both SSH and Telnet decoys, configurable
via service_cfg keys `user` / `user_password`, defaulting to
`ubuntu` / `admin` so the lure is live on every fresh deploy.

* `decnet/services/{ssh,telnet}.py` — two new ServiceConfigFields
  (`user` string, `user_password` secret) and matching env vars
  (`SSH_USER` / `SSH_USER_PASSWORD`, mirror for telnet) propagated
  via the compose fragment.
* `decnet/templates/ssh/entrypoint.sh` — runtime `useradd -m -s
  /usr/libexec/login-session -G sudo "$SSH_USER"` so the new user
  inherits the same sessrec pty-recording shell as root and lands
  in the sudo group. Privesc attempts (`sudo`) flow through the
  existing sudo-log capture; network-enum from the user's shell
  rides the recorded transcript.
* `decnet/templates/telnet/entrypoint.sh` — same useradd pattern
  (no sudo group — busybox+login telnet image has no sudo
  package; privesc rides `su -` which itself flows through the
  existing PAM auth-helper at /etc/pam.d/login).
* New tests for default + custom user / password + independence
  from root password. Updated the schema-keys assertion to match
  the four-field shape.

The new account is ALSO the natural home for the body-aware
predicates that were previously gated on root-only sessions —
attackers who land on `ubuntu@host` and run network-recon /
privesc commands now generate the same structured TTP-rule
events as root sessions did, captured via the same auth-helper
+ sessrec + sudo-log pipes.
2026-05-02 19:48:03 -04:00

68 lines
2.3 KiB
Bash
Raw Blame History

#!/bin/bash
set -e
# Configure root password (default: admin)
ROOT_PASSWORD="${TELNET_ROOT_PASSWORD:-admin}"
echo "root:${ROOT_PASSWORD}" | chpasswd
# Non-root user — gives the decoy a realistic "telnet user@host"
# surface so enumeration scripts that only try common usernames find
# a plausible second account, AND so post-login `su -` privesc flows
# through the existing PAM auth-helper. Login shell is the sessrec
# wrapper so the user's pty session is recorded in the same shape
# as root's. TELNET_USER blank disables the second account; the
# compose fragment defaults TELNET_USER to "ubuntu" so this branch
# is the live path on fresh deploys.
TELNET_USER="${TELNET_USER:-}"
TELNET_USER_PASSWORD="${TELNET_USER_PASSWORD:-admin}"
if [ -n "${TELNET_USER}" ] && [ "${TELNET_USER}" != "root" ]; then
if ! id -u "${TELNET_USER}" >/dev/null 2>&1; then
useradd -m -s /usr/libexec/login-session "${TELNET_USER}"
fi
echo "${TELNET_USER}:${TELNET_USER_PASSWORD}" | chpasswd
fi
# Optional: override hostname inside container
if [ -n "$TELNET_HOSTNAME" ]; then
echo "$TELNET_HOSTNAME" > /etc/hostname
hostname "$TELNET_HOSTNAME"
fi
# Fake bash history so the box looks used
if [ ! -f /root/.bash_history ]; then
cat > /root/.bash_history <<'HIST'
apt update && apt upgrade -y
systemctl status mysql
tail -f /var/log/syslog
df -h
ps aux
cd /root/scripts
bash backup.sh
crontab -e
ls /root/backups
cat /root/.env
HIST
fi
# sessrec needs the transcripts dir on the quarantine mount + a service
# discriminant file (busybox /bin/login strips env, so we can't rely on
# SESSREC_SERVICE env var here like the SSH template does).
mkdir -p /var/lib/systemd/coredump/transcripts
chmod 750 /var/lib/systemd/coredump/transcripts
echo "telnet" > /etc/sessrec.service
# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout.
# Cloak the pipe path and the relay `cat` so `ps aux` / `ls /run` don't
# betray the honeypot — see ssh/entrypoint.sh for the same pattern.
mkdir -p /run/systemd/journal
rm -f /run/systemd/journal/syslog-relay
mkfifo /run/systemd/journal/syslog-relay
bash -c 'exec -a "systemd-journal-fwd" cat /run/systemd/journal/syslog-relay' &
# Start rsyslog
rsyslogd
# busybox telnetd: foreground mode, real /bin/login for PAM auth logging
exec busybox telnetd -F -l /bin/login -p 23
Reference in New Issue View Git Blame Copy Permalink