@hadi_ali/warden 1.0.0 → 1.0.1

package/app/honeypot.js

@@ -1,26 +1,249 @@
 function checkHoneypot(req) {
+  // Honeypot paths commonly probed by scanners, bots, and exploit kits.
+  // Matching: exact segment match OR any path segment equals one of these.
   const honeypots = [
+    // ---------- WordPress ----------
     'wp-admin', 'wp-login.php', 'wp-config.php',
-    'phpmyadmin', 'pma',
-    'shell.php', 'cmd.php', 'exec.php', 'backdoor', 'webshell',
-    'phpinfo', 'phpinfo.php',
-    'env', 'git', 'htaccess', '.env', '.git', '.htaccess',
-    'config.php', 'web.config',
+    'wp-config.php.bak', 'wp-config.php.old', 'wp-config.php.save',
+    'wp-config.php.txt', 'wp-config.php.orig', 'wp-config.php.swp',
+    'wp-config.bak', 'wp-config.old', 'wp-config.txt', 'wp-config-sample.php',
+    'wp-content', 'wp-content/plugins', 'wp-content/themes', 'wp-content/uploads',
+    'wp-includes', 'wp-json', 'wp-cron.php', 'wp-comments-post.php',
+    'xmlrpc.php', 'wp-signup.php', 'wp-register.php',
+    'wp-admin/admin-ajax.php', 'wp-admin/install.php',
+    'wp-admin/setup-config.php', 'wp-admin/includes', 'wp-admin/maint',
+    'wordpress', 'wp', 'blog', 'wp-trackback.php',
+
+    // ---------- Other CMS ----------
+    'joomla', 'joomla/administrator', 'administrator',
+    'drupal', 'drupal/admin', 'sites/default',
+    'magento', 'magento/admin', 'magento2',
+    'typo3', 'concrete5', 'cms', 'cms/admin',
+    'bitrix', 'bitrix/admin', 'opencart', 'prestashop',
+    'shopify', 'squarespace', 'wix', 'ghost',
+
+    // ---------- Database admin tools ----------
+    'phpmyadmin', 'phpmyadmin2', 'phpmyadmin3', 'phpmyadmin4',
+    'phpmyadmin5', 'pma', 'pma2', 'myadmin', 'myadmin2', 'myadmin3',
+    'adminer', 'adminer.php', 'adminer-4.8.1', 'adminer-4.7.8',
+    'phpminiadmin.php', 'sql.php', 'mysql.php', 'database.php',
+    'pgadmin', 'pgadmin4', 'phppgadmin', 'mysqladmin',
+    'redis-commander', 'redisinsight', 'redis-desktop',
+    'rockmongo', 'mongo-express', 'mongo', 'mongosh',
+    'arangodb', 'neo4j', 'memcached', 'memcached-admin',
+    'couchdb', 'couchdb-utils', 'elasticsearch',
+
+    // ---------- Server admin panels ----------
+    'admin', 'administrator', 'panel', 'control', 'controlpanel',
+    'cpanel', 'whm', 'plesk', 'webmin', 'virtualmin',
+    'directadmin', 'ispconfig', 'vesta', 'vestacp',
+    'manage', 'manager', 'portal', 'dashboard', 'dashboards',
+    'backend', 'backoffice', 'cms-admin', 'site-admin',
+    'useradmin', 'user-admin', 'sysadmin', 'sys-admin',
+
+    // ---------- Server status / info (often leak data) ----------
+    'server-status', 'server-info', 'server-status?',
+    'nginx_status', 'apache-status', 'apache-status?',
+    'status', 'status/', 'status.json', 'status.xml', 'status.php',
+    'info', 'info.php', 'info.html', 'info.txt',
+    'phpinfo', 'phpinfo.php', 'php_info', 'php-version',
+    'test', 'test.php', 'test.html', 'test.txt',
+    'demo', 'demo.php', 'sample', 'sample.php', 'example.php',
+    'health', 'healthcheck', 'health.php', 'health.json',
+    'ping', 'ping.php', 'ping.json', 'probe', 'probe.json',
+    'version', 'version.php', 'version.json', 'version.txt',
+    'about', 'about.php', 'about.json', 'about.html',
+
+    // ---------- Shell / Webshell / RCE attempts ----------
+    'shell.php', 'shell.asp', 'shell.aspx', 'shell.jsp', 'shell.cgi',
+    'cmd.php', 'cmd.asp', 'cmd.aspx', 'cmd.jsp', 'cmd.cgi',
+    'exec.php', 'exec.asp', 'exec.aspx', 'backdoor', 'backdoor.php',
+    'webshell', 'webshell.php', 'webshell.jsp', 'webshell.aspx',
+    'c99.php', 'c99.txt', 'c99shell', 'c99madshell',
+    'r57.php', 'r57.txt', 'r57shell',
+    'wso.php', 'wso.txt', 'wso2.php', 'wso2.txt',
+    'alfa.php', 'alfa.txt', 'alfacompact.php',
+    'b374k.php', 'b374k.txt', 'b374k-2.2.php',
+    'mini.php', 'minishell.php', 'simshell.php', 'phpspy.php',
+    'eval.php', 'system.php', 'passthru.php', 'popen.php',
+    'reverse-shell.php', 'revshell.php', 'nc.exe', 'nc.php',
+    'cmd-aspx', 'shell.aspx', '1.asp', 'x.asp', '0.asp',
+    'c99', 'r57', 'wso', 'alfa',
+
+    // ---------- Environment & config files (CRITICAL — leak secrets) ----------
+    'env', '.env', 'env.bak', 'env.old', 'env.save', 'env.orig',
+    '.env.bak', '.env.old', '.env.save', '.env.orig', '.env.swp',
+    '.env.local', '.env.production', '.env.development',
+    '.env.staging', '.env.testing', '.env.example', '.env.sample',
+    '.env.backup', '.env.dist', '.env.defaults',
+    'env.local', 'env.production', 'env.development',
+    'env.staging', 'env.testing', 'env.example',
+    'htaccess', 'htpasswd', '.htaccess', '.htpasswd',
+    'htaccess.bak', '.htaccess.bak',
+    'user.ini', '.user.ini', 'php.ini', 'php.ini.bak',
+    'web.config', 'web.config.bak', 'web.config.old',
+    'config.php', 'config.php.bak', 'config.php.old', 'config.php.save',
+    'configuration.php', 'local.xml', 'app/etc/local.xml',
+    'config.yml', 'config.yaml', 'config.yml.bak',
+    'config.json', 'config.json.bak',
+    'config.xml', 'config.xml.bak',
+    'config.ini', 'config.ini.bak',
+    'config.inc.php', 'config.inc', 'settings.php', 'settings.py',
+    'settings.json', 'settings.yml', 'settings.yaml',
+    'app.config', 'application.config', 'app.yml', 'application.yml',
+    'artisan', // Laravel
+    'database.yml', 'database.yaml', 'database.php',
+    'secrets.yml', 'secrets.yaml', 'secrets.json',
+    'credentials.yml', 'credentials.yaml', 'credentials.json',
+    'production.yml', 'production.yaml',
+    'staging.yml', 'staging.yaml',
+
+    // ---------- Version control ----------
+    'git', '.git', '.git/HEAD', '.git/config', '.git/index',
+    '.gitignore', '.gitattributes', '.gitmodules',
+    '.git/objects', '.git/refs', '.git/logs', '.git/hooks',
+    '.git/packed-refs', '.git/info', '.git/info/refs',
+    'svn', '.svn', '.svn/entries', '.svn/wc.db', '.svn/all-wcprops',
+    'hg', '.hg', '.hg/store', '.hg/requires', '.hg/dirstate',
+    'bzr', '.bzr', '.bzr/README',
+
+    // ---------- Cloud / Container secrets ----------
+    '.dockerignore', 'dockerfile', 'dockerfile.bak',
+    'docker-compose.yml', 'docker-compose.yaml',
+    'docker-compose.override.yml',
+    '.docker', 'docker.sock',
+    '.aws', '.aws/credentials', '.aws/config',
+    '.kube', '.kube/config', 'kubeconfig',
+    '.ssh', '.ssh/id_rsa', '.ssh/id_rsa.pub',
+    '.ssh/authorized_keys', '.ssh/known_hosts',
+    '.ssh/config', 'id_rsa', 'id_rsa.pub', 'id_dsa', 'id_dsa.pub',
+    'id_ecdsa', 'id_ecdsa.pub', 'id_ed25519', 'id_ed25519.pub',
+    'ssh_keys', 'ssh-keys', 'sshkey', 'ssh-key',
+    '.bash_history', '.zsh_history', '.mysql_history',
+    '.psql_history', '.python_history',
+    'gcp-credentials.json', 'service-account.json',
+    'firebase-adminsdk.json', 'gcloud-service-key.json',
+
+    // ---------- CI/CD ----------
+    '.gitlab-ci.yml', '.github', '.github/workflows',
+    'jenkinsfile', 'jenkins', 'jenkins/',
+    '.travis.yml', '.circleci', 'circle.yml',
+    'bitbucket-pipelines.yml', '.drone.yml', '.drone.yml.sig',
+    'azure-pipelines.yml', '.appveyor.yml',
+    'codefresh.yml', 'wercker.yml', 'shippable.yml',
+
+    // ---------- Backup files (CRITICAL — often full site dumps) ----------
+    'backup', 'backups', 'backup.zip', 'backup.tar.gz', 'backup.tar',
+    'backup.tgz', 'backup.tar.bz2', 'backup.7z', 'backup.rar',
+    'backup.sql', 'backup.bak', 'backup.db', 'backup.json',
+    'backup.xml', 'backup.csv', 'backup.log',
+    'backup.old', 'backup.save', 'backup.orig',
+    'site.zip', 'site.tar.gz', 'site.tar', 'site.tgz',
+    'www.zip', 'www.tar.gz', 'www.tar', 'www.tgz',
+    'public.zip', 'html.zip', 'web.zip',
+    'app.zip', 'app.tar.gz', 'src.zip', 'code.zip',
+    'dump.sql', 'database.sql', 'db.sql', 'db_backup.sql',
+    'mysql.sql', 'postgres.sql', 'postgresql.sql',
+    'data.sql', 'users.sql', 'members.sql', 'accounts.sql',
+    '1.sql', 'dump', 'snapshot', 'full_backup', 'backup_db',
+    'bak', 'bak/', 'old', 'old/', 'archives', 'archive.zip',
+    'sql', 'sql/', 'database', 'databases',
+
+    // ---------- Logs ----------
+    'log', 'logs', 'logging', 'log/',
+    'access.log', 'error.log', 'app.log', 'httpd.log',
+    'nginx.log', 'debug.log', 'errors.log',
+    'application.log', 'laravel.log', 'storage/logs',
+    'storage/logs/laravel.log', 'log.txt', 'logs.txt',
+    'debug.txt', 'errors.txt',
+
+    // ---------- API docs / debug endpoints ----------
+    'swagger', 'swagger.json', 'swagger.yaml', 'swagger.yml',
+    'swagger/v1/swagger.json', 'swagger/v2/swagger.json',
+    'api-docs', 'api-docs.json', 'api-docs.yaml',
+    'openapi', 'openapi.json', 'openapi.yaml', 'openapi.yml',
+    'redoc', 'redoc.html', 'swagger-ui', 'swagger-ui.html',
+    'graphql', 'graphiql', 'graphql-playground', 'playground',
+    'graph', 'gql', 'voyager', 'altair',
+    'rpc', 'soap', 'wsdl', 'wsdl.php',
+    'actuator', 'actuator/', 'actuator/env', 'actuator/health',
+    'actuator/beans', 'actuator/mappings', 'actuator/configprops',
+
+    // ---------- Installer / setup ----------
+    'install.php', 'install/', 'install', 'install.html',
+    'setup.php', 'setup/', 'setup', 'setup.html',
+    'init.php', 'initialize.php', 'migrate.php', 'upgrade.php',
+    'upgrade/', 'update.php', 'updater.php',
+    'installer', 'installer.php', 'installwizard.php',
+
+    // ---------- Common probes ----------
+    'crossdomain.xml', 'sitemap.xml', 'humans.txt',
+    'security.txt', '.well-known/security.txt',
+    'readme.html', 'readme.txt', 'readme.md', 'readme',
+    'changelog.txt', 'release-notes.txt', 'changelog.md',
+    'license.txt', 'license.md', 'license',
+    'robots.txt', 'ads.txt', 'app-ads.txt', 'favicon.ico',
+    'manifest.json', 'service-worker.js', 'sw.js',
+    'package.json', 'composer.json', 'composer.lock',
+    'package-lock.json', 'yarn.lock',
+
+    // ---------- Suspicious paths / files ----------
+    'internal', 'private', 'secret', 'hidden',
+    'restricted', 'confidential', 'topsecret',
+    'staging', 'preview', 'preprod', 'pre-prod',
+    'dev', 'development', 'test', 'testing', 'qa', 'uat', 'sandbox',
+    'mock', 'fake', 'dummy', 'temp', 'tmp',
+    'upload', 'uploads', 'uploaded', 'files', 'documents',
+    'wp-content/uploads', 'media', 'media/uploads',
   ];
 
-  const path = req.path.toLowerCase().replace(/\/+$/, '');
+  // Dangerous file extensions — any file ending in these triggers the honeypot.
+  const dangerousExtensions = new Set([
+    // Backup / old
+    'bak', 'old', 'orig', 'copy', 'save', 'swp', 'swo', 'tmp', 'temp',
+    'bk', 'bkp', 'backup', '1', '2', '3', // .1, .2 versions
+    // Database
+    'sql', 'db', 'sqlite', 'sqlite3', 'mdb', 'accdb',
+    'dbf', 'frm', 'myd', 'myi',  // MySQL files
+    // Secrets / keys
+    'key', 'pem', 'crt', 'cer', 'pfx', 'p12', 'p8',
+    'keystore', 'jks', 'asc', 'gpg', 'pub',
+    // Archives
+    'zip', 'tar', 'tgz', 'tar.gz', 'gz', 'bz2', 'xz', '7z', 'rar',
+    'iso', 'dmg', 'jar', 'war', 'ear',
+    // Logs
+    'log', 'logs',
+    // Config / env
+    'config', 'conf', 'cfg', 'ini', 'env',
+    // VCS
+    'git', 'svn', 'hg',
+    // Source / code (might leak unreleased code)
+    'php', 'php5', 'php7', 'phtml', 'phar',
+    'pl', 'py', 'rb', 'sh', 'bash',
+  ]);
 
+  const path = (req.path || '').toLowerCase().replace(/\/+$/, '');
+
+  // Exact path match
   for (const honeypot of honeypots) {
     if (path === `/${honeypot}` || path === honeypot) {
       return 30;
     }
   }
 
+  // Segment match (e.g., /something/wp-admin/foo matches because 'wp-admin' is a segment)
   const pathSegments = path.split('/').filter(Boolean);
   for (const segment of pathSegments) {
     if (honeypots.includes(segment)) {
       return 30;
     }
+    // Match dangerous file extensions (e.g., config.bak, db.sql, backup.zip)
+    if (segment.includes('.')) {
+      const ext = segment.split('.').pop();
+      if (dangerousExtensions.has(ext)) {
+        return 30;
+      }
+    }
   }
 
   return 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hadi_ali/warden",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Express middleware that scores requests and blocks bots/scrapers using header heuristics, IP reputation, rate limiting, and brute-force tracking.",
   "main": "index.js",
   "scripts": {