pgsqlpot 2.0.0__py2.py3-none-any.whl

pgsqlpot/data/etc/honeypot.cfg.base

@@ -0,0 +1,418 @@
+# DO NOT EDIT THIS FILE!
+# Changes to default files will be lost on update and are difficult to
+# manage and support.
+#
+# Please make any changes to system defaults by overriding them in
+# honeypot.cfg
+#
+# To override a specific setting, copy the name of the stanza and
+# setting to the file where you wish to override it.
+
+# ============================================================================
+# General Honeypot Options
+# ============================================================================
+[honeypot]
+
+# Sensor name is used to identify this honeypot instance. Used by the database
+# logging modules such as JSON.
+#
+# If not specified, the logging modules will instead use the host name of the
+# server as the sensor name.
+#
+# (default: the name of the local machine)
+#sensor_name = myhostname
+
+# Directory where to save log files in.
+# Log files are named <log_filename>.YYYY-MM-DD in that directory
+#
+# (default: log)
+log_path = log
+
+# Log file name
+#
+# (default: stdout)
+#log_filename =
+
+# ============================================================================
+# Network Specific Options
+# ============================================================================
+
+# Port to listen for incoming connections.
+#
+# (default: 5432)
+#listen_port = 5432
+
+# Site to query for one's public IP address
+#
+# (default: https://ident.me)
+#public_ip_url = https://ident.me
+
+# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
+# IP address is obtained by querying public_ip_url
+#
+# (default: false)
+#report_public_ip = false
+
+# A comma-separated list of networks, connection from whose IPs won't be logged
+#
+# (default: none)
+#blacklist=127.0.0.1,192.168.0.0/16
+
+
+# ============================================================================
+# Output Plugins
+# These provide an extensible mechanism to send audit log entries to third
+# parties. The audit entries contain information on clients connecting to
+# the honeypot.
+#
+# Output entries need to start with 'output_' and have the 'enabled' entry.
+# ============================================================================
+
+# CouchDB logging module
+#
+#[output_couch]
+#enabled = false
+#host = localhost
+#port = 5984
+#username = pgsqlpot
+#password = secret
+#database = pgsqlpot
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# Datadog output module
+# sends JSON directly to Datadog
+# mandatory field: api_key
+# optional fields (fallback configured in module): ddsource, ddtags, service
+# For more information on fields https://docs.datadoghq.com/api/latest/logs/#send-logs
+#
+#[output_datadog]
+#enabled = false
+#url = https://http-intake.logs.datadoghq.com/api/v2/logs
+#api_key = abcdef1234567890fedcba0987654321
+#ddsource = pgsqlpot
+#ddtags = env:dev
+#service = honeypot
+# Host from which the logs are connected, default - current hostname
+#hostname = pandora.nlcv.bas.bg
+
+# Send output to a Discord webhook
+#
+#[output_discord]
+#enabled = false
+# Delay between messages (for rate limiting)
+#delay = 2.0
+#url = https://discord.com/api/webhooks/id/token
+
+# Elasticsearch logging module
+#
+#[output_elastic]
+#enabled = false
+#host = localhost
+#port = 9200
+#index = pgsqlpot
+#
+# type has been deprecated since ES 6.0.0
+# use _doc which is the default type. See
+# https://stackoverflow.com/a/53688626 for
+# more information
+#
+#type = _doc
+#
+# set pipeline = geoip to map src_ip to
+# geo location data. You can use a custom
+# pipeline but you must ensure it exists
+# in elasticsearch.
+#
+#pipeline = geoip
+#
+# Authentication. When x-pack.security is enabled
+# in ES, default users have been created and requests
+# must be authenticated.
+#
+# Credentials
+#
+#username = pgsqlpot
+#password = secret
+#
+# TLS encryption. Communications between the client (pgsqlpot) 
+# and the ES server should naturally be protected by encryption
+# if requests are authenticated (to prevent from man-in-the-middle 
+# attacks). The following options are then paramount
+# if username and password are provided.
+#
+# use ssl/tls
+#ssl = true
+# verify SSL certificates
+#verify_certs = true
+# Path to trusted CA certs on disk
+#ca_certs = /path/to/cert/file/elastic_ca.crt
+
+# HPFeeds
+#
+# Note the lack of "s" at the end:
+#[output_hpfeed]
+#enabled = false
+#server = hpfeeds.mysite.org
+#tlscert = /path/to/tls/cert/file
+#port = 10000
+#identifier = abc123
+#secret = secret
+#channel = pgsqlpot
+
+# InfluxDB 2.0 logging module
+#
+#[output_influx2]
+#enabled = false
+#host = hostname
+#token = token
+#org = organization
+#bucket = pgsqlpot
+
+# JSON based logging module
+#
+#[output_jsonlog]
+#enabled = false
+#logfile = log/pgsqlpot.json
+#epoch_timestamp = true
+
+# Kafka logging module
+#
+#[output_kafka]
+#enabled = false
+#host = 127.0.0.1
+#port = 9092
+#topic = pgsqlpot
+#username =
+#password =
+#debug = false
+
+# MongoDB logging module
+#
+#[output_mongodb]
+#enabled = false
+#host = 127.0.0.1
+#username = pgsqlpot
+#password = secret
+#database = pgsqlpot
+# Note: .format(username, password, host) is done on the following string,
+#  so make sure that there are exactly 3 placeholders ({}) in it
+#connection_string = mongodb+srv://{}:{}@{}/?retryWrites=true&w=majority&appName=Cluster0
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# MySQL logging module
+# Database structure for this module is supplied in docs/sql/mysql.sql
+#
+# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
+# MySQL logging requires an extra Python module: pip install mysql-python
+#
+#[output_mysql]
+#enabled = false
+#host = localhost
+#database = pgsqlpot
+#username = pgsqlpot
+#password = secret
+#port = 3306
+#debug = false
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# NLCV-BAS honeypot data aggregation API
+#
+#[output_nlcvapi]
+#enabled = false
+#host = https://api.nlcv.bas.bg/v1.0/honeypot
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# PostgreSQL logging module
+#
+#[output_postgres]
+#enabled = false
+#host = hostname
+#username = pgsqlpot
+#password = secret
+#port = 5432
+#database = pgsqlpot
+#debug = false
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# RedisDB logging module
+#
+#[output_redisdb]
+#enabled = false
+#debug = true
+#host = 127.0.0.1
+#port = 6379
+# DB of the redis server. Defaults to 0
+#db = 0
+# Password of the redis server. Defaults to None
+#password = secret
+# Name of the list to push to or the channel to publish to. Required
+#keyname = pgsqlpot
+# Method to use when sending data to redis.
+# Can be one of [lpush, rpush, publish]. Defaults to lpush
+#send_method = lpush
+
+# Rethinkdb output module
+#
+#[output_rethinkdblog]
+#enabled = false
+#host = 127.0.0.1
+#port = 28015
+#table = events
+#db = pgsqlpot
+#user = admin
+#password =
+
+# Slack logging module
+# This will produce a _lot_ of messages - you have been warned....
+#
+#[output_slack]
+#enabled = false
+#channel = channel_that_events_should_be_posted_in
+#token = slack_token_for_your_bot
+# Delay between messages (for rate limiting)
+#delay = 1.2
+
+# Socket logging module
+#
+#[output_socketlog]
+#enabled = false
+#address = 127.0.0.1:9000
+#timeout = 5
+
+# SQLite3 logging module
+#
+# Logging to SQLite3 database. To init the database, use the script
+# docs/sql/sqlite3.sql:
+#     sqlite3 <db_file> < docs/sql/sqlite3.sql
+#
+#[output_sqlite]
+#enabled = false
+#debug = false
+#db_file = data/pgsqlpot.db
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# Local Syslog output module
+#
+# This sends log messages to the local syslog daemon.
+#
+#[output_localsyslog]
+#enabled = false
+# Facility can be:
+# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
+#
+# default: USER
+#facility = USER
+
+# Send message using Telegram bot
+# 1. Create a bot following https://core.telegram.org/bots#6-botfather to get token.
+# 2. Send message to your bot, then use https://api.telegram.org/bot{bot_token}/getUpdates to find chat_id.
+#
+#[output_telegram]
+#enabled = false
+#bot_token = 123456789:AbCDEfGhiJkLmnOpQRstUVWxYZ
+#chat_id = 987654321
+# Delay between messages (for rate limiting)
+#delay = 2.0
+
+# Text output
+# This writes audit log entries to a text file
+#
+#[output_textlog]
+#enabled = false
+#logfile = log/pgsqlpot.txt
+
+# XMPP logging module
+#
+#[output_xmpp]
+#enabled=false
+#server = conference.pgsqlpot.local
+#user = pgsqlpot@pgsqlpot.local
+#password = secret
+#muc = hacker_room
+
+
+# TODO:
+
+# Send login attemp information to SANS DShield
+# See https://isc.sans.edu/ssh.html
+# You must signup for an api key.
+# Once registered, find your details at: https://isc.sans.edu/myaccount.html
+#
+#[output_dshield]
+#enabled = false
+#userid = userid_here
+#auth_key = auth_key_here
+#batch_size = 100
+
+# Graylog logging module for GELF http input
+#
+#[output_graylog]
+#enabled = false
+#url = http://graylog.example.com:122011/gelf
+
+# InfluxDB logging module
+#
+#[output_influx]
+#enabled = false
+#host = 127.0.0.1
+#port = 8086
+#database_name = pgsqlpot
+#retention_policy_duration = 30d
+
+# Oracle Cloud custom logs output module
+# sends JSON directly to Oracle Cloud custom logs
+# mandatory field: authtype, log_ocid
+# optional fields (to be set if user_principals is selected as authtype): user_ocid, fingerprint, tenancy_ocid, region, keyfile
+# For more information on Oracle Cloud custom logs: https://docs.oracle.com/en-us/iaas/Content/Logging/Concepts/custom_logs.htm
+# For more information on Oracle Cloud user principal authentication method: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#five
+# For more information on Oracle Cloud instance principal authentication method: https://blogs.oracle.com/developers/post/accessing-the-oracle-cloud-infrastructure-api-using-instance-principals
+#
+#[output_oraclecloud]
+#enabled = false
+# authtype must be set either to user_principals or to instance_principals
+#authtype = instance_principals
+# following parameters must be set in case user_principals is used. keyfile is the absolute path to your API pem key file.
+#log_ocid = ocid1.log.oc1.eu-stockholm-1.xxx
+#user_ocid = ocid1.user.oc1..xxx
+#fingerprint = 77:9c:4xxxxx
+#tenancy_ocid = ocid1.tenancy.oc1..xxx
+#region = eu-stockholm-1
+#keyfile = /home/xx/key.pem
+
+# Splunk HTTP Event Collector (HEC) output module
+# sends JSON directly to Splunk over HTTP or HTTPS
+# Use 'https' if your HEC is encrypted, else 'http'
+# mandatory fields: url, token
+# optional fields: index, source, sourcetype, host
+#
+#[output_splunk]
+#enabled = false
+#url = https://localhost:8088/services/collector/event
+#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
+#index = pgsqlpot
+#sourcetype = pgsqlpot
+#source = pgsqlpot
+

pgsqlpot/data/test/.gitignore

@@ -0,0 +1,3 @@
+*
+!.gitignore
+!test.py

pgsqlpot/data/test/test.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from __future__ import print_function
+
+
+__description__ = 'Test the PGSQLPot honeypot'
+__license__ = 'GPL'
+__VERSION__ = '1.0.0'
+__author__ = 'Vesselin Bontchev'
+__email__ = 'vbontchev@yahoo.com'
+
+
+from argparse import ArgumentParser
+from os import environ
+from sys import stderr
+
+try:
+    from psycopg2 import connect, OperationalError
+except ImportError:
+    print('Could not import module "psycopg2"; try "pip install psycopg2".', file=stderr)
+    exit(1)
+
+def get_options():
+    parser = ArgumentParser(description=__description__)
+
+    parser.add_argument('-v', '--version', action='version', version='%(prog)s version ' + __VERSION__)
+    parser.add_argument('-P', '--port', type=int, default=5432,
+                        help='Port to send data to (default: %(default)d)')
+    parser.add_argument('-H', '--host', default='127.0.0.1',
+                        help='Host to communicate with (default: %(default)s)')
+    parser.add_argument('-u', '--user',
+                        default=environ.get('USERNAME', '') or environ.get('USER', ''),
+                        help='Username (default: %(default)s)')
+    parser.add_argument('-p', '--password', help='Password')
+    args = parser.parse_args()
+    return args
+
+
+def main():
+    args = get_options()
+    try:
+        connect(host=args.host, port=args.port, user=args.user, password=args.password)
+    except OperationalError as e:
+        print('Error: {}'.format(e.args[0]), file=stderr)
+    except KeyboardInterrupt:
+        pass
+
+
+if __name__ == '__main__':
+    main()

pgsqlpot/honeypot.py

@@ -0,0 +1,117 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from argparse import ArgumentParser
+from ipaddress import ip_network
+from os.path import join
+from socket import gethostname
+from sys import version_info
+
+from core.config import CONFIG
+from core.logfile import set_logger
+from core.paths import workdir_path
+from core.protocol import PostgresFactory
+from core.tools import (
+    get_public_ip,
+    import_plugins,
+    mkdir,
+    stop_plugins,
+)
+
+from twisted.internet import error
+from twisted.internet.reactor import listenTCP, run
+from twisted.python.log import msg
+
+
+__VERSION__ = '2.0.0'
+__description__ = 'A PostgreSQL Honeypot'
+__license__ = 'GPLv3'
+__uri__ = 'https://gitlab.com/bontchev/pgsqlpot'
+__author__ = 'Vesselin Bontchev'
+__email__ = 'vbontchev@yahoo.com'
+
+
+if version_info[0] >= 3:
+    def unicode(x):
+        return x
+
+
+def get_options(cfg_options):
+    parser = ArgumentParser(description=__description__)
+
+    parser.add_argument('-v', '--version', action='version', version=__VERSION__)
+    parser.add_argument('-p', '--port', type=int, default=cfg_options['port'],
+                        help='Port to listen on (default: %(default)s)')
+    parser.add_argument('-l', '--logfile', type=str, default=cfg_options['logfile'],
+                        help='Log file (default: stdout)')
+    parser.add_argument('-s', '--sensor', type=str, default=cfg_options['sensor'],
+                        help='Sensor name (default: %(default)s)')
+    args = parser.parse_args()
+    return args
+
+
+def set_options():
+    cfg_options = {}
+
+    cfg_options['port'] = CONFIG.getint('honeypot', 'listen_port', fallback=5432)
+    log_name = CONFIG.get('honeypot', 'log_filename', fallback='')
+    if log_name:
+        logdir = workdir_path(CONFIG.get('honeypot', 'log_path', fallback='log'))
+        mkdir(logdir)
+        cfg_options['logfile'] = join(logdir, log_name)
+    else:
+        cfg_options['logfile'] = None
+    cfg_options['sensor'] = CONFIG.get('honeypot', 'sensor_name', fallback=gethostname())
+
+    args = get_options(cfg_options)
+
+    cfg_options['port'] = args.port
+    cfg_options['logfile'] = args.logfile
+    cfg_options['sensor'] = args.sensor
+    cfg_options['public_ip_url'] = CONFIG.get('honeypot', 'public_ip_url', fallback='https://ident.me')
+    cfg_options['report_public_ip'] = CONFIG.getboolean('honeypot', 'report_public_ip', fallback=False)
+
+    pub_ip = get_public_ip(cfg_options['public_ip_url'])
+    if pub_ip is None:
+        cfg_options['report_public_ip'] = False
+        cfg_options['public_ip'] = '127.0.0.1'
+    else:
+        cfg_options['public_ip'] = pub_ip
+
+    cfg_options['blacklist'] = CONFIG.get('honeypot', 'blacklist', fallback='127.0.0.1,192.168.0.0/16').split(',')
+
+    return cfg_options
+
+
+def main():
+    cfg_options = set_options()
+
+    set_logger(cfg_options)
+
+    msg(__description__ + ' by ' + __author__)
+
+    blacklist = []
+    for network in cfg_options['blacklist']:
+        try:
+            if network:
+                ip_network(unicode(network))
+                blacklist += [network]
+        except ValueError:
+            msg('Blacklist element "{}" is not a valid IP address; ignored.'.format(network))
+    cfg_options['blacklist'] = blacklist
+
+    cfg_options['output_plugins'] = import_plugins(cfg_options)
+
+    try:
+        listenTCP(cfg_options['port'], PostgresFactory(cfg_options))
+    except error.CannotListenError as e:
+        msg('Cannot listen on port {}: {}'.format(e.port, e.socketError.strerror))
+        stop_plugins(cfg_options)
+        return
+    run()
+    msg('Shutdown requested, exiting...')
+    stop_plugins(cfg_options)
+
+
+if __name__ == '__main__':
+    main()