added auto key rotation and bugfix

Author: KingUdo

docker-compose.yml

@@ -1,10 +1,10 @@
 version: "3"
 
 services:
-  NetWatchSSH:
+  NetWatchSSHAttackPod:
     image: netwatch_ssh-attackpod:latest
     container_name: netwatch_ssh-attackpod
     environment:
       NETWATCH_COLLECTOR_AUTHORIZATINON: ${NETWATCH_COLLECTOR_AUTHORIZATINON}
       NETWATCH_COLLECTOR_URL: "https://api.netwatch.team"
-    restart: unless-stopped
+    restart: unless-stopped

src/Dockerfile

@@ -1,33 +1,70 @@
-FROM ubuntu
-
-RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list 
-RUN apt-get update 
-RUN apt-get upgrade --assume-yes  
-RUN DEBIAN_FRONTEND=noninteractive apt-get install --assume-yes --no-install-recommends tzdata 
-RUN apt-get build-dep --assume-yes openssh-server
-RUN apt-get install --assume-yes build-essential fakeroot devscripts
-RUN mkdir src && cd src
-RUN apt-get source openssh-server
-RUN ls -alh
-RUN cd openssh-8.9p1/ && sed -e 's/^\([ \t]*\)\(struct passwd \*pw = authctxt->pw;\)/\1logit("Login attempt by username '\''%s'\'', password '\''%s'\'', from ip '\''%.200s'\''", authctxt->user, password, ssh_remote_ipaddr(ssh));\nreturn 0;\1\2/' -i auth-passwd.c && \
+# Stage 1: Build stage
+FROM ubuntu:20.04 as builder
+
+# Set environment variable for non-interactive installations
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Enable 'deb-src' entries and install dependencies
+RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list && \
+    apt-get update && \
+    apt-get install --no-install-recommends -y \
+        build-essential \
+        fakeroot \
+        devscripts \
+        tzdata \
+        openssh-client \
+        putty-tools \
+        python3-twisted && \
+    apt-get build-dep --no-install-recommends -y openssh-server && \
+    mkdir -p /src && cd /src && \
+    apt-get source openssh-server && \
+    cd openssh-* && \
+    sed -i 's/^\([ \t]*\)\(struct passwd \*pw = authctxt->pw;\)/\1logit("Login attempt by username '\''%s'\'', password '\''%s'\'', from ip '\''%.200s'\''", authctxt->user, password, ssh_remote_ipaddr(ssh));\nreturn 0;\1\2/' auth-passwd.c && \
     debchange --nmu 'add verbose logging of usernames and passwords' && \
     EDITOR=true dpkg-source --commit . 'chatty-ssh.patch' && \
     debuild -us -uc -i -I && \
-    apt-get install --assume-yes putty-tools python3-twisted && \
-    debi && \
-    mkdir /run/sshd && \
-    cd && rm -rf /src && \
-    apt-get clean && \
-    apt-get autoremove --assume-yes 
+    apt-get clean && apt-get autoremove -y
+
+# Stage 2: Runtime stage
+FROM ubuntu:20.04
+
+# Set environment variable for non-interactive installations
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install runtime dependencies only
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y \
+        python3-pip \
+        openssh-server && \
+    apt-get clean && apt-get autoremove -y && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy patched sshd binary and configuration from builder stage
+COPY --from=builder /src/openssh-*/debian/tmp/usr/sbin/sshd /usr/sbin/sshd
+
+# Create a non-root user
+RUN groupadd -r appuser && useradd -r -g appuser -m appuser
+
+# Adjust permissions for SSH and log files
+RUN mkdir -p /etc/ssh && chown -R appuser:appuser /etc/ssh && \
+    touch /var/log/ssh.log && chown appuser:appuser /var/log/ssh.log
+
+# Set working directory
+WORKDIR /home/appuser/code
+RUN chown -R appuser:appuser /home/appuser
+
+# Switch to non-root user
+USER appuser
 
-RUN apt-get install --assume-yes python3-pip
-WORKDIR /code
-ADD requirements.txt /code/
-RUN pip install -r requirements.txt
-RUN touch /var/log/ssh.log
+# Copy runtime requirements and install them
+COPY requirements.txt /home/appuser/code/
+RUN pip install --no-cache-dir -r requirements.txt --user
 
-COPY monitor.py /code/
+# Copy application code
+COPY monitor.py /home/appuser/code/
 
+# Expose SSH port
 EXPOSE 22
 
-CMD python3 monitor.py
+# Command to run your application
+CMD ["python3", "monitor.py"]

src/monitor.py

@@ -6,7 +6,7 @@
 import threading
 import time
 
-logging.basicConfig(encoding='utf-8', level=logging.DEBUG)
+logging.basicConfig(level=logging.DEBUG)
 
 def get_env(key, fallback):
     env = os.getenv(key, default=fallback)
@@ -51,7 +51,7 @@ def submit_attack(ip, user, password, evidence, ATTACKPOD_LOCAL_IP):
     retry_counter = 0
     while retry_counter < 5:
         try:
-            response = requests.post("{}/add_attack".format(get_env("NETWATCH_COLLECTOR_URL", "http://net_watch_collector:8080")),
+            response = requests.post("{}/add_attack".format(get_env("NETWATCH_COLLECTOR_URL", "")),
                                      json=json,
                                      headers=header)
             if response.status_code == 200:
@@ -74,6 +74,7 @@ def run_sshd():
 
 
 def rotate_sshd_keys():
+    os.system("rm -f /etc/ssh/ssh_host_*")
     os.system("ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key")
     os.system("ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key")
     os.system("ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key")
@@ -82,7 +83,12 @@ def rotate_sshd_keys():
 if __name__ == '__main__':
     logging.info("[+] Starting NetWatch Attackpod")
     logging.info("[+] Getting local ip")
-    ATTACKPOD_LOCAL_IP = get_local_ip()
+
+    if os.getenv("ATTACK_POD_IP") is not None:
+        ATTACKPOD_LOCAL_IP = get_env("ATTACK_POD_IP","")
+    else:
+        ATTACKPOD_LOCAL_IP = get_local_ip()
+    
     logging.info("[+] Got the local ip of {} for the AttackPod".format(ATTACKPOD_LOCAL_IP))
 
     logging.info("[+] Rotating SSHD Keys")
@@ -134,4 +140,4 @@ def rotate_sshd_keys():
                     ip = ""
                     user = ""
                     password = ""
-                    evidence = ""
+                    evidence = ""