tnich/honssh

Errors with Docker customisation

unixfox opened this issue · 21 comments

Related to this commit: f3c9e60


Since the customisation of the docker container, I can't launch honSSH without completing the fields inside the honssh.cfg.
The validation obliges/requires me to fill the fields:

[VALIDATION] - [honeypot-docker][shm_size] must not be blank.
[VALIDATION] - [honeypot-docker][cpu_period] must not be blank.

Strangely, according to the configuration, it isn't required to fill the fields (https://github.com/tnich/honssh/blob/master/honssh.cfg.default#L168) and it worked like this when I tested this pull request with a friend: #91

tnich commented

Sorry, got rid of the extra validation, fixed now.

Thank you but I'm getting this error after launching honSSH:

2016-11-06T17:52:25+0100 [honssh.server.HonsshServerFactory] [PLUGIN][HONEYPOT-DOCKER] - GET_PRE_AUTH_DETAILS
2016-11-06T17:52:25+0100 [honssh.server.HonsshServerFactory] [PLUGIN][HONEYPOT-DOCKER][ERR] - invalid literal for int() with base 10: ''

tnich commented

Any idea which config item is doing it?

@tnich I'll try to diagnose by removing and adding the value of each field.

tnich commented

Thank you 😄

I removed every field related to docker customisation:

#-----------------------#
#   HONEYPOT DOCKER     #
#-----------------------#
[honeypot-docker]
# Documentation to come
enabled = true

# Should HonSSH use this plugin to get the honeypot details (before authentication)
pre-auth = true

# Should HonSSH use this plugin to get the honeypot details (after authentication)
post-auth = true

# image: image id/name to use for honeypot container
# required: if enabled = true
image = rastasheep/ubuntu-sshd:14.04

# uri: socket to interact with container daemon
# required: if enabled = true
# default: unix://var/run/docker.sock
uri = unix://var/run/docker.sock

# honey_hostname: the hostname for the container
# required: if enabled = true
hostname = digitalocean

# launch_cmd: command to run when container is first launched
# required: if enabled = true
# default = service ssh start
launch_cmd = echo connected

# SSH port of the honeypot.
#
# input: Number
# required: YES
# default: 22
honey_port = 22

# Pid limit of the honeypot (-1 for unlimited)
#
# input: Number
# required: NO
# default: -1
pids_limit =

# Memory limit of the honeypot
# Example: 1G
#
# required: NO
mem_limit =

# Swap limit of the honeypot
# Example: 1G
#
# required: NO
memswap_limit =

# Shm size limit of the honeypot
# Example: 1G
#
# required: NO
shm_size =

# Microseconds of CPU time that the container can get in a CPU period of the honeypot
#
# input: Number
# required: NO
cpu_period =

# CPU shares (relative weight) of the honeypot
# Example: Percentage * value of cat /sys/fs/cgroup/cpu/docker/cpu.shares
#
# required: NO
cpu_shares =

# CPUs in which to allow execution of the honeypot
# Example: 0-3, 0,1
#
# required: NO
cpuset_cpus =

But I'm getting the same error message. I had the same error when I tried @DeltaEvolution's modifications with him. I'll poke him to reply here.

@tnich you have added some properties to validate_config, but these are not required
https://github.com/tnich/honssh/blob/master/honssh/honeypot/honeypot-docker.py#L91

tnich commented

Yeah, I realized that, I've got rid of them in the last commit.

I guess a '' is being passed to connection.create_host_config and it doesn't like it?

tnich commented

What about the strings?

There is an error here, no? https://github.com/tnich/honssh/blob/master/honssh/config.py#L126 the is_digit with int()?
Edit: it's the error, in python print int(True) and print int(False) work so the check_valid_number doesn't work

tnich commented

Whoops, yeah thanks, I have removed the is_digit. I don't have docker setup on this computer, so can't test it myself currently.
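
An added example, not part of the thread and not HonSSH's own code: one way to validate the optional numeric limits of the [honeypot-docker] section at load time, so a blank field is treated as unset instead of reaching int() when the first connection arrives. The function and constant names are hypothetical, and the sample config is constructed from the field names quoted above.

```python
import configparser

# Constructed sample modelled on the [honeypot-docker] section quoted in the thread.
SAMPLE_CFG = """
[honeypot-docker]
honey_port = 22
pids_limit =
mem_limit = 1G
shm_size =
cpu_period = abc
cpu_shares = 512
"""

SECTION = "honeypot-docker"
REQUIRED_INT = ("honey_port",)
OPTIONAL_INT = ("pids_limit", "cpu_period", "cpu_shares")
OPTIONAL_STR = ("mem_limit", "memswap_limit", "shm_size", "cpuset_cpus")


def load_docker_limits(cfg_text):
    """Validate once at load time and return (limits, errors).

    limits holds only the options that were actually set, so '' never
    reaches int() or a later API call.
    """
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    limits, errors = {}, []
    for key in REQUIRED_INT + OPTIONAL_INT:
        raw = cp.get(SECTION, key, fallback="").strip()
        if raw == "":
            if key in REQUIRED_INT:
                errors.append("[%s][%s] must not be blank." % (SECTION, key))
            continue  # a blank optional field means "unset"
        try:
            # raw is always a str here; int() also accepts True/False,
            # so it is only a usable check on the raw config string.
            limits[key] = int(raw)
        except ValueError:
            errors.append("[%s][%s] should be number." % (SECTION, key))
    for key in OPTIONAL_STR:
        raw = cp.get(SECTION, key, fallback="").strip()
        if raw:
            limits[key] = raw
    return limits, errors
```

Refusing to start when errors is non-empty surfaces the misconfiguration at boot rather than as a pre-auth plugin error on each incoming session.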

tnich commented

Just set up Docker and it seems to be behaving again. Thanks for your assistance @unixfox and @DeltaEvolution.

@tnich Are you sure?
I'm getting another weird error:

2016-11-06T19:47:53+0100 [-] Loading honssh.tac...
2016-11-06T19:47:54+0100 [-] [PLUGIN][OUTPUT-TXTLOG] - VALIDATE_CONFIG
2016-11-06T19:47:54+0100 [-] [PLUGIN][OUTPUT-CONTRIBUTE] - VALIDATE_CONFIG
2016-11-06T19:47:54+0100 [-] [PLUGIN][HONEYPOT-DOCKER] - VALIDATE_CONFIG
2016-11-06T19:47:54+0100 [-] [SERVER] - Using ssh_banner for SSH Version String: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
2016-11-06T19:47:54+0100 [-] [HONSSH] - HonSSH Boot Sequence Complete - Ready for attacks!
2016-11-06T19:47:54+0100 [-] Loaded.
2016-11-06T19:47:54+0100 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 16.5.0 (/usr/bin/python 2.7.12) starting up.
2016-11-06T19:47:54+0100 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2016-11-06T19:47:54+0100 [-] HonsshServerFactory starting on 22
2016-11-06T19:47:54+0100 [honssh.server.HonsshServerFactory#info] Starting factory <honssh.server.HonsshServerFactory instance at 0x7f1430363fc8>
2016-11-06T19:47:54+0100 [-] Factory starting on 5123
2016-11-06T19:47:54+0100 [twisted.internet.protocol.Factory#info] Starting factory <twisted.internet.protocol.Factory instance at 0x7f1430327e18>
2016-11-06T19:47:56+0100 [honssh.server.HonsshServerFactory] [PLUGIN][HONEYPOT-DOCKER] - GET_PRE_AUTH_DETAILS
2016-11-06T19:47:56+0100 [stdout#info] [VALIDATION] - [honeypot-docker][cpu_period] should be number.
2016-11-06T19:47:56+0100 [stdout#info] [VALIDATION] - [honeypot-docker][cpu_shares] should be number.
2016-11-06T19:47:56+0100 [HonsshServerTransport,0,62.235.25.147] kex alg, key alg: 'diffie-hellman-group14-sha1' 'ssh-rsa'
2016-11-06T19:47:56+0100 [HonsshServerTransport,0,62.235.25.147] outgoing: 'aes128-ctr' 'hmac-sha1' 'none'
2016-11-06T19:47:56+0100 [HonsshServerTransport,0,62.235.25.147] incoming: 'aes128-ctr' 'hmac-sha1' 'none'
2016-11-06T19:47:56+0100 [HonsshServerTransport,0,62.235.25.147] NEW KEYS
2016-11-06T19:47:56+0100 [HonsshServerTransport,0,62.235.25.147] [SERVER] - CONNECTION TO HONEYPOT NOT READY, BUFFERING PACKET
2016-11-06T19:47:57+0100 [honssh.server.HonsshServerFactory] [PLUGIN][HONEYPOT-DOCKER][ERR] - 
2016-11-06T19:47:57+0100 [-] [PRE_AUTH][ERROR] - PLUGIN ERROR - DISCONNECTING ATTACKER
2016-11-06T19:47:57+0100 [-] Disconnecting with error, code 10
    reason: user closed connection

My configuration: http://hastebin.com/uwecacepev.ini

nvm, I forgot to add a field inside my configuration.

tnich commented

😄

Hi, can anyone help me solve this error?

honsshctrl.sh[15102]: Starting honssh in background...
2017-08-13 10:01:12+0000 [-] Log opened.
2017-08-13 10:01:12+0000 [-] twistd 13.2.0 (/usr/bin/python 2.7.6) starting up.
2017-08-13 10:01:12+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2017-08-13 10:01:12+0000 [-] HonsshServerFactory starting on 2222
2017-08-13 10:01:12+0000 [-] Starting factory <honssh.server.HonsshServerFactory instance at 0x7f3616ab2d40>
2017-08-13 10:01:26+0000 [-] [PRE_AUTH][ERROR] - PLUGIN ERROR - DISCONNECTING ATTACKER
2017-08-13 10:01:26+0000 [-] Disconnecting with error, code 10
reason: user closed connection
2017-08-13 10:01:26+0000 [HonsshServerTransport,0,45.242.210.107] connection lost
2017-08-13 10:05:32+0000 [-] [PRE_AUTH][ERROR] - PLUGIN ERROR - DISCONNECTING ATTACKER
2017-08-13 10:05:32+0000 [-] Disconnecting with error, code 10
reason: user closed connection
2017-08-13 10:05:32+0000 [HonsshServerTransport,1,45.242.249.26] connection lost
2017-08-13 10:14:44+0000 [-] Received SIGTERM, shutting down.
2017-08-13 10:14:44+0000 [-] (TCP Port 2222 Closed)
2017-08-13 10:14:44+0000 [-] Stopping factory <honssh.server.HonsshServerFactory instance at 0x7f3616ab2d40>
2017-08-13 10:14:44+0000 [-] Main loop terminated.
2017-08-13 10:14:44+0000 [-] Server Shut Down.
2017-08-13 10:14:48+0000 [-] Log opened.
2017-08-13 10:14:48+0000 [-] twistd 13.2.0 (/usr/bin/python 2.7.6) starting up.
2017-08-13 10:14:48+0000 [-] reactor class: twisted.internet.epollreactor.EPollReactor.
2017-08-13 10:14:48+0000 [-] HonsshServerFactory starting on 2222
2017-08-13 10:14:48+0000 [-] Starting factory <honssh.server.HonsshServerFactory instance at 0x7f8c39a2ed40>
2017-08-13 10:15:02+0000 [-] [PRE_AUTH][ERROR] - PLUGIN ERROR - DISCONNECTING ATTACKER
2017-08-13 10:15:02+0000 [-] Disconnecting with error, code 10
reason: user closed connection
2017-08-13 10:15:02+0000 [HonsshServerTransport,0,45.242.249.26] connection lost

tnich commented

Hi,

It looks like your pre auth plugin is failing. Can you email me your configuration file and what you are trying to achieve and I'll try and find time to look into it.

Also, if you're the same person that emailed me a while ago and I didn't reply, sorry!

tnich commented

Have you tried just doing a static deployment with honssh, without docker?
If you've just started with honeypots, this may be a good place to start.

Have you tested docker is working locally on the honssh box?