Adds Proxy Protocol support to the SSH honeypot server. When enabled, the honeypot looks for a Proxy Protocol header on client connections and extracts the client IP from the header. This IP is used as the "source IP" for threat feed updates and logging.
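As an added illustration of the header parsing this commit describes (example code written for this note, not the project's own implementation; the function and type names are assumptions), the following Go program consumes an optional PROXY protocol v1 header from the start of a client stream and returns the advertised source IP, falling back to the socket's remote address when no header is present. The design choice worth noting: a v1 header is plain text, so a listener that honours it must only be reachable through the trusted proxy, otherwise any direct client could name an arbitrary "source IP" and pollute the threat feed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ClientAddr is the effective source address of a connection after any
// PROXY protocol v1 header has been consumed.
type ClientAddr struct {
	IP        net.IP
	FromProxy bool // true when the IP was taken from a PROXY header
}

var errBadHeader = errors.New("malformed PROXY protocol v1 header")

// A v1 header is at most 107 bytes including the trailing CRLF.
const maxV1Header = 107

// readProxyV1 inspects the start of the client stream. If a v1 header is
// present it is consumed and the advertised source IP returned; otherwise the
// stream is left untouched and fallback (the socket's own remote IP) is used.
func readProxyV1(r *bufio.Reader, fallback net.IP) (ClientAddr, error) {
	prefix, err := r.Peek(6)
	if err != nil || string(prefix) != "PROXY " {
		return ClientAddr{IP: fallback}, nil // direct connection, no header
	}
	line, err := r.ReadString('\n')
	if err != nil || len(line) > maxV1Header || !strings.HasSuffix(line, "\r\n") {
		return ClientAddr{}, errBadHeader
	}
	fields := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(fields) >= 2 && fields[1] == "UNKNOWN" {
		// The proxy could not determine the client; keep the socket address.
		return ClientAddr{IP: fallback}, nil
	}
	if len(fields) != 6 {
		return ClientAddr{}, errBadHeader
	}
	src := net.ParseIP(fields[2])
	if src == nil || net.ParseIP(fields[3]) == nil {
		return ClientAddr{}, errBadHeader
	}
	switch fields[1] {
	case "TCP4":
		if src.To4() == nil {
			return ClientAddr{}, errBadHeader
		}
	case "TCP6":
		if src.To4() != nil {
			return ClientAddr{}, errBadHeader
		}
	default:
		return ClientAddr{}, errBadHeader
	}
	// Source and destination ports must be valid 16-bit unsigned integers.
	for _, p := range fields[4:6] {
		if _, err := strconv.ParseUint(p, 10, 16); err != nil {
			return ClientAddr{}, errBadHeader
		}
	}
	return ClientAddr{IP: src, FromProxy: true}, nil
}

func main() {
	// Constructed sample: a proxied connection whose real client is 203.0.113.9,
	// followed by the SSH banner that the honeypot would read next.
	sample := "PROXY TCP4 203.0.113.9 10.0.0.5 51234 22\r\nSSH-2.0-client\r\n"
	r := bufio.NewReader(strings.NewReader(sample))
	addr, err := readProxyV1(r, net.ParseIP("10.0.0.1"))
	fmt.Println("source IP:", addr.IP, "from proxy:", addr.FromProxy, "err:", err)
	rest, _ := r.ReadString('\n')
	fmt.Printf("remaining stream starts with %q\n", rest)
}
```

The returned `ClientAddr.IP` is what would be passed on to the threat feed update and log fields; `FromProxy` lets the logger record whether the address was observed directly or relayed.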
To accommodate this change, the SSH password callback function is now set when a client connects. Previously, it was defined during server startup.
This change removes the 'threat score' feature which allowed users to configure each honeypot server with a variable 'score' when updating the threat feed.
It is replaced with a fixed observation count that is incremented by 1 for each honeypot interaction.
The field `threat_score` has been replaced with `observations` in all API call parameters and threat feed data.
The `threat_score` field in the CSV file has been renamed to `observations`. Existing threat feed CSV files will be automatically updated on the next threat feed save.
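The commits above replace a configurable score with a count incremented by one per interaction, and promise that old CSV files are migrated on the next save. The Go program below is an added example of how such a transparent migration can be done (written for this note, not the project's own code; the column layout, the `IoC` struct and the function names are assumptions): `loadCSV` accepts either the legacy `threat_score` header or the new `observations` header, `update` increments by exactly one, and `saveCSV` always writes the new header, so reading a legacy file and saving it back produces a migrated file.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"sort"
	"strconv"
	"strings"
	"time"
)

// IoC is one threat feed entry: how often an IP interacted with a honeypot.
type IoC struct {
	Observations int
	LastSeen     time.Time
}

const (
	legacyCountHeader = "threat_score" // column name written by older versions
	countHeader       = "observations"
)

var csvHeader = []string{"ip", countHeader, "last_seen"}

// loadCSV reads a threat feed file. The legacy threat_score column is mapped
// onto Observations so old files load without a manual conversion step.
func loadCSV(r io.Reader) (map[string]IoC, error) {
	rows, err := csv.NewReader(r).ReadAll() // ReadAll enforces a uniform field count
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 {
		return map[string]IoC{}, nil
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		if name == legacyCountHeader {
			name = countHeader
		}
		col[name] = i
	}
	for _, need := range csvHeader {
		if _, ok := col[need]; !ok {
			return nil, fmt.Errorf("missing column %q", need)
		}
	}
	data := make(map[string]IoC, len(rows)-1)
	for _, row := range rows[1:] {
		n, err := strconv.Atoi(row[col[countHeader]])
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad count for %s: %q", row[col["ip"]], row[col[countHeader]])
		}
		seen, err := time.Parse(time.RFC3339, row[col["last_seen"]])
		if err != nil {
			return nil, err
		}
		data[row[col["ip"]]] = IoC{Observations: n, LastSeen: seen}
	}
	return data, nil
}

// update records one interaction from ip: the count grows by exactly one.
func update(data map[string]IoC, ip string, now time.Time) {
	e := data[ip]
	e.Observations++
	e.LastSeen = now
	data[ip] = e
}

// saveCSV writes the feed with the current header, sorted by IP for stable diffs.
func saveCSV(w io.Writer, data map[string]IoC) error {
	ips := make([]string, 0, len(data))
	for ip := range data {
		ips = append(ips, ip)
	}
	sort.Strings(ips)
	cw := csv.NewWriter(w)
	if err := cw.Write(csvHeader); err != nil {
		return err
	}
	for _, ip := range ips {
		e := data[ip]
		rec := []string{ip, strconv.Itoa(e.Observations), e.LastSeen.UTC().Format(time.RFC3339)}
		if err := cw.Write(rec); err != nil {
			return err
		}
	}
	cw.Flush()
	return cw.Error()
}

func main() {
	// Constructed legacy file that still uses the old column name.
	legacy := "ip,threat_score,last_seen\n198.51.100.7,3,2024-01-02T03:04:05Z\n"
	data, err := loadCSV(strings.NewReader(legacy))
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 1, 3, 0, 0, 0, 0, time.UTC)
	update(data, "198.51.100.7", now) // known IP: 3 -> 4
	update(data, "203.0.113.9", now)  // new IP: 0 -> 1
	var out strings.Builder
	if err := saveCSV(&out, data); err != nil {
		panic(err)
	}
	fmt.Print(out.String()) // header now reads ip,observations,last_seen
}
```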
This change adjusts the SSH, TCP, and UDP honeypots to print quoted (escaped) strings to the terminal for certain log fields rather than raw strings. The adjusted fields are SSH username, SSH password, TCP responses, and UDP received data.
- Rename the threat feed `UpdateIoC` function to `Update`.
- Rename `iocMap` to `iocData`.
- Rename `loadIoC` and `saveIoC` to `loadCSV` and `saveCSV`.
- Edit most comments mentioning *database* to simply *threat feed* or *data*.
- Renamed functions from `Start<server_type>` to `Start`.
- Removed unnecessary wrappers for Start functions.
- The HTTP and HTTPS servers now share a single Start function which starts the appropriate listener depending on the passed-in configuration.
This change removes the logging of source ports for connecting clients in the honeypot servers. The source port does not provide value for this type of honeypot and only clutters the logs.
This change adds a 30-second deadline to SSH connections. Client connections are forced closed after the deadline.
Additionally, a 2-second delay is added prior to rejecting authentication requests. This mimics the `pam_faildelay` PAM module found on modern Linux systems.
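The two controls in these commits, a hard lifetime on the connection and a fixed pause before every authentication failure, are shown below in an added Go example (not the project's code; the function names are assumptions, and the password-check closure has the shape of an `x/crypto/ssh` callback without the library's types so that it runs with the standard library alone). The deadline is demonstrated with an in-memory `net.Pipe` whose client sends a banner and then goes quiet, which is exactly the idle-connection case the 30-second deadline exists to bound; the durations are shortened so the program finishes quickly.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// errAuthRejected is what the honeypot's auth callbacks always return.
var errAuthRejected = errors.New("authentication rejected")

// newDelayedReject builds a password check that always fails, but only after
// delay has elapsed, mimicking pam_faildelay. Assumption: in the real server
// this would be wrapped as the ssh.ServerConfig PasswordCallback.
func newDelayedReject(delay time.Duration) func(user string, password []byte) error {
	return func(user string, password []byte) error {
		time.Sleep(delay) // same pause for every attempt, no information leaked by timing
		return errAuthRejected
	}
}

// serveWithDeadline gives the client at most lifetime, then reads until the
// deadline expires or the peer goes away. It returns the bytes read and the
// terminating error so the caller can distinguish the two outcomes.
func serveWithDeadline(conn net.Conn, lifetime time.Duration) (int, error) {
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(lifetime)); err != nil {
		return 0, err
	}
	buf := make([]byte, 1024)
	total := 0
	for {
		n, err := conn.Read(buf)
		total += n
		if err != nil {
			return total, err
		}
	}
}

// isTimeout reports whether err is a deadline expiry rather than a peer close.
func isTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

func main() {
	// Constructed in-memory connection standing in for a real TCP socket.
	server, client := net.Pipe()
	done := make(chan struct{})
	go func() {
		n, err := serveWithDeadline(server, 200*time.Millisecond)
		fmt.Printf("read %d bytes, timeout=%v (%v)\n", n, isTimeout(err), err)
		close(done)
	}()
	client.Write([]byte("SSH-2.0-probe\r\n")) // banner, then silence
	<-done
	client.Close()

	start := time.Now()
	err := newDelayedReject(50*time.Millisecond)("root", []byte("toor"))
	fmt.Printf("auth result: %v after %v\n", err, time.Since(start).Round(time.Millisecond))
}
```

Using `SetDeadline` on the accepted connection before handing it to the SSH library means the deadline also bounds the handshake, not only the authentication phase, so a client that opens a socket and never speaks is cleaned up too.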
This change adds a public key authentication callback function to the SSH honeypot server. All requests are rejected, and currently, no data is logged.
This change removes unnecessary channel handling code from the SSH honeypot server. Since authentication requests are always rejected, `ssh.NewServerConn` will consistently return an error, making the channel handling redundant.
This change introduces a ConfidenceLevel configuration setting for honeypot servers and the IoC struct in the threat feed database. Each IP in the database now maintains a confidence level. Whenever a honeypot calls UpdateIoC, the confidence level of the IP is incremented by the configured amount for the honeypot.
This change sets the Unix file permissions to `0600` for generated private keys saved to disk, ensuring that only the owner can access the keys. While private keys for the honeypot servers are mostly insignificant, this change aligns with typical private key permissions.
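An added Go example of the key-file handling this commit describes (written for this note, not the project's code; the key type, file name and function names are assumptions): the key is written with mode `0600` at creation time, an explicit `Chmod` covers the case where a file from an older version already exists with looser bits, and a check function verifies that no group or other permission bits are set before an existing key is used. It assumes a Unix file system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// savePrivateKey generates a fresh ed25519 host key and writes it PEM-encoded
// with mode 0600. The mode is applied when the file is created, so there is
// no window in which the key exists group- or world-readable.
func savePrivateKey(path string) error {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return err
	}
	block := &pem.Block{Type: "PRIVATE KEY", Bytes: der}
	if err := os.WriteFile(path, pem.EncodeToMemory(block), 0o600); err != nil {
		return err
	}
	// WriteFile keeps the existing mode of a pre-existing file; tighten it anyway.
	return fixPermissions(path)
}

// ownerOnly reports whether path grants no group/other permission bits.
func ownerOnly(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o077 == 0, nil
}

// fixPermissions tightens a key file written with looser permissions.
func fixPermissions(path string) error {
	return os.Chmod(path, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "honeypot-keys")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "ssh_host_ed25519_key") // assumed file name
	if err := savePrivateKey(path); err != nil {
		panic(err)
	}
	ok, _ := ownerOnly(path)
	info, _ := os.Stat(path)
	fmt.Printf("%s mode=%v owner-only=%v\n", path, info.Mode().Perm(), ok)
}
```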
This change adds a new XML element, sendToThreatFeed, to the configuration for servers to control whether interactions with the server should update the threat feed.
This change moves the slog.Logger from the Config struct to the Server struct, allowing each honeypot server to have its own logger. Each server can now specify a custom log file path, defaulting to the main log path in the Config if none is provided.
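As an added example covering this commit and the earlier one about printing quoted log fields (example code written for this note, not the project's own; the `Config`, `ServerConfig` and `Server` shapes, the JSON handler and the function names are assumptions), the Go program below gives each server its own `*slog.Logger` writing to a per-server file that defaults to the main log path, and formats the terminal line with attacker-controlled strings quoted. The structured handler escapes its values itself, so the raw strings are passed to `slog`; the plain terminal line is where explicit quoting matters, because a username containing a newline or an ANSI escape sequence would otherwise forge a second log line or corrupt the display.

```go
package main

import (
	"fmt"
	"log/slog"
	"os"
	"path/filepath"
	"strconv"
)

// Config holds process-wide settings; LogPath is the default log destination.
type Config struct {
	LogPath string
}

// ServerConfig is one honeypot's settings; an empty LogPath inherits Config.LogPath.
type ServerConfig struct {
	Name    string
	LogPath string
}

// Server owns its own logger so each honeypot can log to a separate file.
type Server struct {
	Cfg    ServerConfig
	Logger *slog.Logger
}

// resolveLogPath picks the server's own path, falling back to the main log path.
func resolveLogPath(cfg Config, srv ServerConfig) string {
	if srv.LogPath != "" {
		return srv.LogPath
	}
	return cfg.LogPath
}

// newServer opens the resolved log file (append-only, 0600) and builds a
// logger tagged with the server name. The returned close func is for shutdown.
func newServer(cfg Config, srv ServerConfig) (*Server, func() error, error) {
	f, err := os.OpenFile(resolveLogPath(cfg, srv), os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o600)
	if err != nil {
		return nil, nil, err
	}
	logger := slog.New(slog.NewJSONHandler(f, nil)).With("server", srv.Name)
	return &Server{Cfg: srv, Logger: logger}, f.Close, nil
}

// logLogin writes the structured record; the JSON handler escapes the values.
func (s *Server) logLogin(srcIP, username, password string) {
	s.Logger.Info("login attempt", "source_ip", srcIP, "username", username, "password", password)
}

// consoleLine renders the same event for the terminal with the untrusted
// fields quoted, so control characters appear as escapes instead of acting.
func consoleLine(server, srcIP, username, password string) string {
	return fmt.Sprintf("[%s] %s username=%s password=%s",
		server, srcIP, strconv.Quote(username), strconv.Quote(password))
}

func main() {
	dir, err := os.MkdirTemp("", "honeypot-logs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	cfg := Config{LogPath: filepath.Join(dir, "honeypot.log")}
	sshSrv, closeLog, err := newServer(cfg, ServerConfig{Name: "ssh"}) // inherits main path
	if err != nil {
		panic(err)
	}
	defer closeLog()
	// Constructed attacker input: a newline that would fake a second entry and
	// an ANSI clear-screen sequence aimed at the operator's terminal.
	user := "admin\n2024-01-01 INFO fake entry"
	pass := "\x1b[2Jpassw0rd"
	sshSrv.logLogin("203.0.113.9", user, pass)
	fmt.Println(consoleLine("ssh", "203.0.113.9", user, pass))
}
```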