
Commit 16e56cc

committed
added auto key rotation and bugfix
1 parent da2fc8f commit 16e56cc

3 files changed

Lines changed: 74 additions & 31 deletions


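--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,10 +1,10 @@
 version: "3"
 
 services:
-NetWatchSSH:
+NetWatchSSHAttackPod:
 image: netwatch_ssh-attackpod:latest
 container_name: netwatch_ssh-attackpod
 environment:
 NETWATCH_COLLECTOR_AUTHORIZATINON: ${NETWATCH_COLLECTOR_AUTHORIZATINON}
 NETWATCH_COLLECTOR_URL: "https://api.netwatch.team"
-restart: unless-stopped
+restart: unless-stopped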

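--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -1,33 +1,70 @@
-FROM ubuntu
-
-RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list
-RUN apt-get update
-RUN apt-get upgrade --assume-yes
-RUN DEBIAN_FRONTEND=noninteractive apt-get install --assume-yes --no-install-recommends tzdata
-RUN apt-get build-dep --assume-yes openssh-server
-RUN apt-get install --assume-yes build-essential fakeroot devscripts
-RUN mkdir src && cd src
-RUN apt-get source openssh-server
-RUN ls -alh
-RUN cd openssh-8.9p1/ && sed -e 's/^\([ \t]*\)\(struct passwd \*pw = authctxt->pw;\)/\1logit("Login attempt by username '\''%s'\'', password '\''%s'\'', from ip '\''%.200s'\''", authctxt->user, password, ssh_remote_ipaddr(ssh));\nreturn 0;\1\2/' -i auth-passwd.c && \
+# Stage 1: Build stage
+FROM ubuntu:20.04 as builder
+
+# Set environment variable for non-interactive installations
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Enable 'deb-src' entries and install dependencies
+RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list && \
+apt-get update && \
+apt-get install --no-install-recommends -y \
+build-essential \
+fakeroot \
+devscripts \
+tzdata \
+openssh-client \
+putty-tools \
+python3-twisted && \
+apt-get build-dep --no-install-recommends -y openssh-server && \
+mkdir -p /src && cd /src && \
+apt-get source openssh-server && \
+cd openssh-* && \
+sed -i 's/^\([ \t]*\)\(struct passwd \*pw = authctxt->pw;\)/\1logit("Login attempt by username '\''%s'\'', password '\''%s'\'', from ip '\''%.200s'\''", authctxt->user, password, ssh_remote_ipaddr(ssh));\nreturn 0;\1\2/' auth-passwd.c && \
 debchange --nmu 'add verbose logging of usernames and passwords' && \
 EDITOR=true dpkg-source --commit . 'chatty-ssh.patch' && \
 debuild -us -uc -i -I && \
-apt-get install --assume-yes putty-tools python3-twisted && \
-debi && \
-mkdir /run/sshd && \
-cd && rm -rf /src && \
-apt-get clean && \
-apt-get autoremove --assume-yes
+apt-get clean && apt-get autoremove -y
+
+# Stage 2: Runtime stage
+FROM ubuntu:20.04
+
+# Set environment variable for non-interactive installations
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install runtime dependencies only
+RUN apt-get update && \
+apt-get install --no-install-recommends -y \
+python3-pip \
+openssh-server && \
+apt-get clean && apt-get autoremove -y && \
+rm -rf /var/lib/apt/lists/*
+
+# Copy patched sshd binary and configuration from builder stage
+COPY --from=builder /src/openssh-*/debian/tmp/usr/sbin/sshd /usr/sbin/sshd
+
+# Create a non-root user
+RUN groupadd -r appuser && useradd -r -g appuser -m appuser
+
+# Adjust permissions for SSH and log files
+RUN mkdir -p /etc/ssh && chown -R appuser:appuser /etc/ssh && \
+touch /var/log/ssh.log && chown appuser:appuser /var/log/ssh.log
+
+# Set working directory
+WORKDIR /home/appuser/code
+RUN chown -R appuser:appuser /home/appuser
+
+# Switch to non-root user
+USER appuser
 
-RUN apt-get install --assume-yes python3-pip
-WORKDIR /code
-ADD requirements.txt /code/
-RUN pip install -r requirements.txt
-RUN touch /var/log/ssh.log
+# Copy runtime requirements and install them
+COPY requirements.txt /home/appuser/code/
+RUN pip install --no-cache-dir -r requirements.txt --user
 
-COPY monitor.py /code/
+# Copy application code
+COPY monitor.py /home/appuser/code/
 
+# Expose SSH port
 EXPOSE 22
 
-CMD python3 monitor.py
+# Command to run your application
+CMD ["python3", "monitor.py"]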
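Review bot: The runtime stage switches to `USER appuser` and exposes port 22, yet the `mkdir /run/sshd` from the removed line 18 has no counterpart in the new stage, so the sshd that monitor.py starts is likely to fail on the missing privilege-separation directory, and on runtimes that do not allow unprivileged binds below 1024 it cannot bind port 22 as appuser either. If non-root is the intent, add `RUN mkdir -p /run/sshd && chown appuser:appuser /run/sshd` before `USER appuser` and document the port/capability expectation in a comment next to `EXPOSE 22`; otherwise keep root for sshd and drop privileges only around the Python process. `ENV DEBIAN_FRONTEND=noninteractive` in the runtime stage also persists a build-only setting into the container environment — set it inline on the apt `RUN` (or via `ARG`) instead. Minor style: the stage keyword is conventionally uppercase, `FROM ubuntu:20.04 AS builder`.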

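--- a/src/monitor.py
+++ b/src/monitor.py
@@ -6,7 +6,7 @@
 import threading
 import time
 
-logging.basicConfig(encoding='utf-8', level=logging.DEBUG)
+logging.basicConfig(level=logging.DEBUG)
 
 def get_env(key, fallback):
 env = os.getenv(key, default=fallback)
@@ -51,7 +51,7 @@ def submit_attack(ip, user, password, evidence, ATTACKPOD_LOCAL_IP):
 retry_counter = 0
 while retry_counter < 5:
 try:
-response = requests.post("{}/add_attack".format(get_env("NETWATCH_COLLECTOR_URL", "http://net_watch_collector:8080")),
+response = requests.post("{}/add_attack".format(get_env("NETWATCH_COLLECTOR_URL", "")),
 json=json,
 headers=header)
 if response.status_code == 200:
@@ -74,6 +74,7 @@ def run_sshd():
 
 
 def rotate_sshd_keys():
+os.system("rm -f /etc/ssh/ssh_host_*")
 os.system("ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key")
 os.system("ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key")
 os.system("ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key")
@@ -82,7 +83,12 @@ def rotate_sshd_keys():
 if __name__ == '__main__':
 logging.info("[+] Starting NetWatch Attackpod")
 logging.info("[+] Getting local ip")
-ATTACKPOD_LOCAL_IP = get_local_ip()
+
+if os.getenv("ATTACK_POD_IP") is not None:
+ATTACKPOD_LOCAL_IP = get_env("ATTACK_POD_IP","")
+else:
+ATTACKPOD_LOCAL_IP = get_local_ip()
+
 logging.info("[+] Got the local ip of {} for the AttackPod".format(ATTACKPOD_LOCAL_IP))
 
 logging.info("[+] Rotating SSHD Keys")
@@ -134,4 +140,4 @@ def rotate_sshd_keys():
 ip = ""
 user = ""
 password = ""
-evidence = ""
+evidence = ""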
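Review bot: In the `rotate_sshd_keys` hunk the new `os.system("rm -f /etc/ssh/ssh_host_*")` deletes every host key before regeneration, but none of the following `os.system` return codes are checked, so a failed `ssh-keygen` now leaves the daemon with no host keys at all instead of keeping the previous ones; check each call, e.g. `if os.system("ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key") != 0: raise RuntimeError("host key generation failed")`, or move to `subprocess.run([...], check=True)` if an import can be added. The duplicated `ssh-keygen -t ecdsa` line on the new side will now always hit an existing key on its second run, which is worth removing while here. `rotate_sshd_keys` continues outside the hunk. In the `__main__` hunk, `ATTACK_POD_IP` is taken from the environment unvalidated and then reported to the collector; a `docstring`-style comment `# ATTACK_POD_IP overrides autodetection; expected to be a literal IP address` plus a parse with the stdlib `ipaddress` module would make misconfiguration fail early rather than produce bad reports.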
