anti 3e98c71ca4 Initial commit: DECNET honeypot/deception network framework
Core CLI, service plugins (SSH/SMB/FTP/HTTP/RDP), Docker Compose
orchestration, MACVLAN networking, and Logstash log forwarding.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-03 18:56:25 -03:00


# DECNET
A honeypot/deception network framework. Deploys fake machines (**deckies**) with realistic services (SSH, SMB, RDP, FTP, HTTP) that appear as real LAN hosts — complete with their own MACs and IPs — to lure, detect, and profile attackers. All interactions are forwarded to an isolated logging pipeline (ELK / SIEM).
```
attacker ──► decoy network (deckies)
                   └──► log forwarder ──► isolated SIEM (ELK)
```
---
## Requirements
- Python ≥ 3.11
- Docker + Docker Compose
- Root / `sudo` for MACVLAN networking (bare metal or VM recommended; WSL has known limitations)
---
## Install
```bash
pip install -e .
```
---
## Usage
```bash
# List available honeypot service plugins
decnet services
# Dry-run — generate compose file, no containers started
decnet deploy --mode unihost --deckies 3 --randomize-services --dry-run
# Deploy 5 deckies with random services
sudo decnet deploy --mode unihost --deckies 5 --interface eth0 --randomize-services
# Deploy with specific services and log forwarding
sudo decnet deploy --mode unihost --deckies 3 --services ssh,smb --log-target 192.168.1.5:5140
# Deploy from an INI config file
sudo decnet deploy --config decnet.ini
# Status
decnet status
# Teardown
sudo decnet teardown --all
sudo decnet teardown --id decky-01
```
### Key flags
| Flag | Description |
|---|---|
| `--mode` | `unihost` (single host) or `swarm` (multi-host) |
| `--deckies N` | Number of fake machines to spin up |
| `--interface` | Host NIC (auto-detected if omitted) |
| `--subnet` | LAN subnet CIDR (auto-detected if omitted) |
| `--ip-start` | First decky IP (auto if omitted) |
| `--services` | Comma-separated list: `ssh,smb,rdp,ftp,http` |
| `--randomize-services` | Assign random service mix to each decky |
| `--log-target` | Forward logs to `ip:port` (e.g. Logstash) |
| `--dry-run` | Generate compose file without starting containers |
| `--no-cache` | Force rebuild all images |
| `--config` | Path to INI config file |
---
## Deployment Modes
- **UNIHOST**: one real host spins up _n_ deckies via Docker Compose. Simplest setup, single machine.
- **SWARM (MULTIHOST)**: _n_ real hosts each running deckies. Orchestrated via Ansible or similar tooling.
---
## Architecture
- **Containers**: Docker Compose with `debian:bookworm-slim` as the default base image. Mixing Ubuntu, CentOS, and other distros is encouraged to make the decoy network look heterogeneous.
- **Networking**: MACVLAN/IPVLAN — each decky gets its own MAC and IP, appearing as a distinct real machine on the LAN.
- **Log pipeline**: Logstash → ELK stack → SIEM on an isolated network unreachable from the decoy network.
- **Services**: Plugin-based registry (`decnet/services/`). Each plugin declares its ports, default image, and container config.
```
decnet/
├── cli.py            # Typer CLI — deploy, status, teardown, services
├── config.py         # Pydantic models (DecnetConfig, DeckyConfig)
├── composer.py       # Docker Compose YAML generator
├── deployer.py       # Container lifecycle management
├── network.py        # IP allocation, interface/subnet detection
├── ini_loader.py     # INI config file support
├── logging/
│   └── forwarder.py  # Log target probe + forwarding
└── services/
    ├── registry.py   # Plugin registry
    ├── ssh.py
    ├── smb.py
    ├── rdp.py
    ├── ftp.py
    └── http.py
```
---
## INI Config
You can describe a fully custom decoy fleet in an INI file instead of CLI flags:
```ini
[global]
interface = eth0
log_target = 192.168.1.5:5140
[decky-01]
services = ssh,smb
base_image = debian:bookworm-slim
hostname = DESKTOP-A1B2C3
[decky-02]
services = rdp,http
base_image = ubuntu:22.04
hostname = WIN-SERVER-02
```
```bash
sudo decnet deploy --config decnet.ini
```
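As an added example (not the project's own `ini_loader.py` or `network.py`), a small loader that reads the INI layout above, rejects service names outside the five plugins the README lists, validates the `log_target` address, and hands out sequential decky IPs the way `--ip-start` implies. The `Decky` class, `load_decoy_fleet` and `parse_log_target` names are assumptions, not DECNET's API.

```python
# Added example, not DECNET's own ini_loader.py: parse the INI layout above,
# reject unknown services, check log_target, allocate IPs as --ip-start implies.
import configparser
import ipaddress
from dataclasses import dataclass

KNOWN_SERVICES = {"ssh", "smb", "rdp", "ftp", "http"}  # plugins the README lists

@dataclass
class Decky:               # assumed name, not the project's DeckyConfig model
    name: str
    services: list[str]
    base_image: str
    hostname: str
    ip: str

def parse_log_target(value: str) -> tuple[str, int]:
    """Validate an 'ip:port' log target (e.g. Logstash); raises ValueError."""
    host, _, port = value.rpartition(":")
    ipaddress.ip_address(host)          # malformed address -> ValueError
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in log_target: {value}")
    return host, int(port)

def load_decoy_fleet(ini_text: str, subnet: str, ip_start: str):
    """Return ([global] settings, Decky list with validated services and IPs)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    glob = dict(cfg["global"]) if cfg.has_section("global") else {}
    if "log_target" in glob:
        parse_log_target(glob["log_target"])
    net = ipaddress.ip_network(subnet, strict=False)
    next_ip = ipaddress.ip_address(ip_start)
    deckies = []
    for section in cfg.sections():
        if section == "global":
            continue
        svcs = [s.strip() for s in cfg[section].get("services", "").split(",") if s.strip()]
        if unknown := set(svcs) - KNOWN_SERVICES:
            raise ValueError(f"{section}: unknown service(s) {sorted(unknown)}")
        if next_ip not in net or next_ip == net.broadcast_address:
            raise ValueError(f"{subnet} has no free address for {section}")
        deckies.append(Decky(section, svcs, cfg[section].get("base_image", "debian:bookworm-slim"),
                             cfg[section].get("hostname", section), str(next_ip)))
        next_ip += 1
    return glob, deckies
# Constructed sample input: the decnet.ini shown above, as one string.
SAMPLE_INI = ("[global]\ninterface = eth0\nlog_target = 192.168.1.5:5140\n"
              "[decky-01]\nservices = ssh,smb\nbase_image = debian:bookworm-slim\nhostname = DESKTOP-A1B2C3\n"
              "[decky-02]\nservices = rdp,http\nbase_image = ubuntu:22.04\nhostname = WIN-SERVER-02\n")
```

A real deployment would also need to skip addresses already in use on the LAN (the README's `network.py` detects the subnet, so an ARP or ping sweep before allocation is the natural place for that).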
---
## Adding a Service Plugin
1. Create `decnet/services/yourservice.py` implementing the `BaseService` interface.
2. Register it in `decnet/services/registry.py`.
3. Verify with `decnet services`.