olliencc · January 11, 2022 10:00
diff --git a/ansible.yml b/ansible.yml
 ---
 - name: Install Docker
  hosts: hollowcanary
  vars:
    DOCKER_PACKAGES:
      - apt-transport-https
      - ca-certificates
      - curl
      - gnupg-agent
      - software-properties-common
      - python-pip
      - python-docker
    USER: "ubuntu"

  tasks:
  - name: Update apt packages
    become: true
    become_method: sudo
    apt:
      update_cache: "yes"
      force_apt_get: "yes"

  - name: Install packages needed for Docker
    become: true
    become_method: sudo
    apt:
      name: "{{ DOCKER_PACKAGES }}"
      state: present
      force_apt_get: "yes"

  - name: Add Docker GPG apt Key
    become: true
    become_method: sudo
    apt_key:
      url: https://download.docker.com/linux/ubuntu/gpg
      state: present

  - name: Save the current Ubuntu release version into a variable
    shell: lsb_release -cs
    register: ubuntu_version

  - name: Add Docker Repository
    become: true
    become_method: sudo
    apt_repository:
      repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ubuntu_version.stdout }} stable"
      state: present

  - name: Update apt packages
    become: true
    become_method: sudo
    apt:
      update_cache: "yes"
      force_apt_get: "yes"

  - name: Install Docker
    become: true
    become_method: sudo
    apt:
      name: "docker-ce"
      state: present
      force_apt_get: "yes"
  
  - name: Create directory to store Dockerfiles
    file:
      path: /home/ubuntu/Dockerfiles
      state: directory

  - name: Copy Dockerfile
    copy:
      src: Dockerfile
      dest: /home/ubuntu/Dockerfiles

  - name: Build image and with build args
    become: true
    become_method: sudo
    docker_image:
      name: hollowcanary_ssh
      build:
        path: /home/ubuntu/Dockerfiles
  
  - name: Start LiamTest container
    become: true
    become_method: sudo
    docker_container:
      name: LiamTest
      image: hollowcanary_ssh
      state: started
      hostname: LAP4321
      published_ports: "3000:22"

  - name: Forward 8000 to 3000
    become: true
    become_method: sudo
    iptables:
      table: nat
      chain: PREROUTING
      in_interface: eth0
      protocol: tcp
      match: tcp
      source: "XXX.XXX.XXX.XXX"
      destination_port: 8000
      jump: REDIRECT
      to_ports: 3000
      comment: Redirect ssh traffic to port 3000

  - name: Start NCCGroup container
    become: true
    become_method: sudo
    docker_container:
      name: NCCGroup
      image: hollowcanary_ssh
      state: started
      hostname: srv1234
      published_ports: "4000:22"

  - name: Forward 8000 to 4000
    become: true
    become_method: sudo  
    iptables:
      table: nat
      chain: PREROUTING
      in_interface: eth0
      protocol: tcp
      match: tcp
      source: "YYYY.YYYY.YYYY.YYYY"
      destination_port: 8000
      jump: REDIRECT
      to_ports: 4000
      comment: Redirect web traffic to port 4000 
diff --git a/Dockerfile b/Dockerfile
 FROM ubuntu:16.04

 RUN apt-get update && apt-get install -y openssh-server
 RUN mkdir /var/run/sshd
 RUN echo 'root:toor' | chpasswd
 RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config

 # SSH login fix. Otherwise user is kicked off after login
 RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd

 ENV NOTVISIBLE "in users profile"
 RUN echo "export VISIBLE=now" >> /etc/profile

 EXPOSE 22
 CMD ["/usr/sbin/sshd", "-D"]
diff --git a/opencanaryd_ssh_1.py b/opencanaryd_ssh_1.py
 def connectionLost(self, reason):
        for i in self.interactors:
            i.sessionClosed()
        if self.transport.sessionno in self.factory.sessions:
            del self.factory.sessions[self.transport.sessionno]
        #self.lastlogExit()
        if self.ttylog_open:
            ttylog.ttylog_close(self.ttylog_file, time.time())
            self.ttylog_open = False
        transport.SSHServerTransport.connectionLost(self, reason)

    def sendDisconnect(self, reason, desc):
        """
        Workaround for the "bad packet length" error message.
        @param reason: the reason for the disconnect.  Should be one of the
                       DISCONNECT_* values.
        @type reason: C{int}
        @param desc: a descrption of the reason for the disconnection.
        @type desc: C{str}
        """
        if not 'bad packet length' in desc.decode():
            # With python >= 3 we can use super?
            transport.SSHServerTransport.sendDisconnect(self, reason, desc)
        else:
            self.transport.write('Protocol mismatch.\n')
            log.msg('Disconnecting with error, code %s\nreason: %s' % \
                (reason, desc))
            self.transport.loseConnection()
diff --git a/opencanaryd_ssh_2.py b/opencanaryd_ssh_2.py
 @implementer(checkers.ICredentialsChecker)
 class HoneypotPasswordChecker:

    credentialInterfaces = (credentials.IUsernamePassword,)

    def __init__(self, logger=None):
        self.logger = logger
        self.auth_attempt = 0


    def requestAvatarId(self, credentials):
        return defer.fail(error.UnauthorizedLogin())


 @implementer(checkers.ICredentialsChecker)
 class CanaryPublicKeyChecker:

    credentialInterfaces = (credentials.ISSHPrivateKey,)

    def __init__(self, logger=None):
        self.logger = logger
        self.auth_attempt = 0

    def requestAvatarId(self, credentials):
        return defer.fail(error.UnauthorizedLogin())
	---
	- name: Install Docker
	hosts: hollowcanary
	vars:
	DOCKER_PACKAGES:
	- apt-transport-https
	- ca-certificates
	- curl
	- gnupg-agent
	- software-properties-common
	- python-pip
	- python-docker
	USER: "ubuntu"

	tasks:
	- name: Update apt packages
	become: true
	become_method: sudo
	apt:
	update_cache: "yes"
	force_apt_get: "yes"

	- name: Install packages needed for Docker
	become: true
	become_method: sudo
	apt:
	name: "{{ DOCKER_PACKAGES }}"
	state: present
	force_apt_get: "yes"

	- name: Add Docker GPG apt Key
	become: true
	become_method: sudo
	apt_key:
	url: https://download.docker.com/linux/ubuntu/gpg
	state: present

	- name: Save the current Ubuntu release version into a variable
	shell: lsb_release -cs
	register: ubuntu_version

	- name: Add Docker Repository
	become: true
	become_method: sudo
	apt_repository:
	repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ubuntu_version.stdout }} stable"
	state: present

	- name: Update apt packages
	become: true
	become_method: sudo
	apt:
	update_cache: "yes"
	force_apt_get: "yes"

	- name: Install Docker
	become: true
	become_method: sudo
	apt:
	name: "docker-ce"
	state: present
	force_apt_get: "yes"

	- name: Create directory to store Dockerfiles
	file:
	path: /home/ubuntu/Dockerfiles
	state: directory

	- name: Copy Dockerfile
	copy:
	src: Dockerfile
	dest: /home/ubuntu/Dockerfiles

	- name: Build image and with build args
	become: true
	become_method: sudo
	docker_image:
	name: hollowcanary_ssh
	build:
	path: /home/ubuntu/Dockerfiles

	- name: Start LiamTest container
	become: true
	become_method: sudo
	docker_container:
	name: LiamTest
	image: hollowcanary_ssh
	state: started
	hostname: LAP4321
	published_ports: "3000:22"

	- name: Forward 8000 to 3000
	become: true
	become_method: sudo
	iptables:
	table: nat
	chain: PREROUTING
	in_interface: eth0
	protocol: tcp
	match: tcp
	source: "XXX.XXX.XXX.XXX"
	destination_port: 8000
	jump: REDIRECT
	to_ports: 3000
	comment: Redirect ssh traffic to port 3000

	- name: Start NCCGroup container
	become: true
	become_method: sudo
	docker_container:
	name: NCCGroup
	image: hollowcanary_ssh
	state: started
	hostname: srv1234
	published_ports: "4000:22"

	- name: Forward 8000 to 4000
	become: true
	become_method: sudo
	iptables:
	table: nat
	chain: PREROUTING
	in_interface: eth0
	protocol: tcp
	match: tcp
	source: "YYYY.YYYY.YYYY.YYYY"
	destination_port: 8000
	jump: REDIRECT
	to_ports: 4000
	comment: Redirect web traffic to port 4000
	FROM ubuntu:16.04

	RUN apt-get update && apt-get install -y openssh-server
	RUN mkdir /var/run/sshd
	RUN echo 'root:toor' \| chpasswd
	RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config

	# SSH login fix. Otherwise user is kicked off after login
	RUN sed 's@session\srequired\spam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd

	ENV NOTVISIBLE "in users profile"
	RUN echo "export VISIBLE=now" >> /etc/profile

	EXPOSE 22
	CMD ["/usr/sbin/sshd", "-D"]
	def connectionLost(self, reason):
	for i in self.interactors:
	i.sessionClosed()
	if self.transport.sessionno in self.factory.sessions:
	del self.factory.sessions[self.transport.sessionno]
	#self.lastlogExit()
	if self.ttylog_open:
	ttylog.ttylog_close(self.ttylog_file, time.time())
	self.ttylog_open = False
	transport.SSHServerTransport.connectionLost(self, reason)

	def sendDisconnect(self, reason, desc):
	"""
	Workaround for the "bad packet length" error message.
	@param reason: the reason for the disconnect. Should be one of the
	DISCONNECT_* values.
	@type reason: C{int}
	@param desc: a descrption of the reason for the disconnection.
	@type desc: C{str}
	"""
	if not 'bad packet length' in desc.decode():
	# With python >= 3 we can use super?
	transport.SSHServerTransport.sendDisconnect(self, reason, desc)
	else:
	self.transport.write('Protocol mismatch.\n')
	log.msg('Disconnecting with error, code %s\nreason: %s' % \
	(reason, desc))
	self.transport.loseConnection()
	@implementer(checkers.ICredentialsChecker)
	class HoneypotPasswordChecker:

	credentialInterfaces = (credentials.IUsernamePassword,)

	def __init__(self, logger=None):
	self.logger = logger
	self.auth_attempt = 0


	def requestAvatarId(self, credentials):
	return defer.fail(error.UnauthorizedLogin())


	@implementer(checkers.ICredentialsChecker)
	class CanaryPublicKeyChecker:

	credentialInterfaces = (credentials.ISSHPrivateKey,)

	def __init__(self, logger=None):
	self.logger = logger
	self.auth_attempt = 0

	def requestAvatarId(self, credentials):
	return defer.fail(error.UnauthorizedLogin())