Security and Stealth
anti edited this page 2026-04-18 06:07:29 -04:00
DECNET sits on the attacker-facing edge of a network, so its own posture matters as much as the decoys it deploys.
Authentication
JWT
- Algorithm: HS256 (see decnet/web/auth.py).
- Secret: DECNET_JWT_SECRET — must be ≥ 32 characters. Anything shorter is rejected at startup with an explicit error referencing RFC 7518 §3.2 (see decnet/env.py).
- No fallback: the env var is required, not optional.
Admin Credentials
- DECNET_ADMIN_USER / DECNET_ADMIN_PASSWORD seed the initial admin on first boot (decnet/web/db/sqlmodel_repo.py).
- The combination admin/admin is rejected at startup. Deployments must pick a real password.
- Passwords are hashed with bcrypt — plaintext is never persisted.
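The two startup checks described above (JWT secret length, admin/admin refusal, no silent fallback), written out as an added, self-contained illustration; this is not the code in decnet/env.py, and the function and class names are assumed for the example. It takes the environment as a mapping so the rules can be exercised offline.

```python
import os
from typing import Mapping, Optional

# The page's documented minimum: RFC 7518 §3.2 requires an HS256 key at least as
# large as the hash output (256 bits), which 32 single-byte characters provide.
MIN_JWT_SECRET_LEN = 32


class ConfigError(RuntimeError):
    """Raised at startup when a security-relevant setting is missing or weak."""


def security_env_problems(env: Mapping[str, str]) -> list:
    """Return every reason this environment must not boot (empty list = OK).

    Collecting all problems at once lets an operator fix a deployment in one pass
    instead of discovering the next rejected setting on each restart.
    """
    problems = []

    secret = env.get("DECNET_JWT_SECRET")
    if not secret:
        # No fallback: a generated or default secret would be a silent weakness.
        problems.append("DECNET_JWT_SECRET is required and has no default")
    elif len(secret) < MIN_JWT_SECRET_LEN:
        problems.append(
            f"DECNET_JWT_SECRET is {len(secret)} characters; HS256 needs at least "
            f"{MIN_JWT_SECRET_LEN} (RFC 7518 §3.2: key size >= hash output size)"
        )

    user = env.get("DECNET_ADMIN_USER", "")
    password = env.get("DECNET_ADMIN_PASSWORD", "")
    if not user or not password:
        problems.append("DECNET_ADMIN_USER and DECNET_ADMIN_PASSWORD are required")
    elif user == "admin" and password == "admin":
        # A honeypot whose own dashboard opens with admin/admin is an open door.
        problems.append("admin/admin is not an acceptable initial credential")

    return problems


def validate_security_env(env: Optional[Mapping[str, str]] = None) -> None:
    """Fail fast: refuse to start rather than run with a guessable configuration."""
    problems = security_env_problems(os.environ if env is None else env)
    if problems:
        raise ConfigError("refusing to start:\n  - " + "\n  - ".join(problems))


if __name__ == "__main__":
    validate_security_env()  # reads the real environment
```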
RBAC
- All admin endpoints are gated server-side via require_admin / require_role("admin") dependencies (decnet/web/dependencies.py).
- Contributor rule (ANTI): the admin UI must be server-gated, never client-side only. A hidden button is not access control.
Stealth in Active Probes
Contributor rule (ANTI): active probes and health checks must never reveal DECNET's identity.
- No User-Agent: DECNET/....
- No banners, headers, or log lines that leak the framework name to a decoy or an external target.
- Probe traffic should be indistinguishable from ordinary tooling (curl, nmap, python-requests). If you're adding a probe and unsure, ask before merging.
Network Architecture
- Decoy network is attacker-facing by design.
- Logging / aggregation network (Logstash → ELK → SIEM) is isolated from the decoy network.
- A publicly accessible real server bridges the two; deckies never talk to the SIEM directly.
See the top-level README.md for the full diagram.
OS Fingerprint Spoofing
Deckies rotate service banners, TTLs, TCP options, and OS hints to look heterogeneous. Mutation is time-based and randomized per decky.
- Details: Mutation-and-Randomization
Responsible Disclosure
Found a security issue in DECNET itself (not a decoy)? Email:
TODO: add security@ disclosure address
Please do not file public issues for exploitable bugs.
See also: Troubleshooting · Environment-Variables · Web-Dashboard
DECNET — honeypot deception-network framework. Pre-1.0, active development — use with caution. See Sponsors to support the project. Contact: samuel@securejump.cl