"""
Enterprise Honeypot Configuration
All settings centralized here for easy management.
"""
import os
import secrets
# ─── General ────────────────────────────────────────────────────────────────
# Every setting in this section is read from the environment with a built-in
# fallback, so a deployment is configured entirely through env vars.
HONEYPOT_NAME = os.getenv("HONEYPOT_NAME", "ShadowTrap")
# Listener address for the decoy services. The default binds every interface,
# which is the usual posture for a honeypot; narrow it with HONEYPOT_BIND on a
# multi-homed host where only one interface should face attackers.
BIND_ADDRESS = os.getenv("HONEYPOT_BIND", "0.0.0.0")
# On-disk state: captured payloads, dashboard certs and the database file are
# placed under DATA_DIR (see the sections below); rotating logs under LOG_DIR.
DATA_DIR = os.getenv("HONEYPOT_DATA", "/opt/honeypot/data")
LOG_DIR = os.getenv("HONEYPOT_LOGS", "/opt/honeypot/logs")
# The database path is derived from DATA_DIR rather than being its own setting.
DB_PATH = os.path.join(DATA_DIR, "honeypot.db")
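# ─── Service Port Mappings ──────────────────────────────────────────────────
# Override per-service: HONEYPOT_ENABLE_SSH=false, HONEYPOT_PORT_SSH=2222
# Or whitelist: HONEYPOT_SERVICES=ssh,http,dns (only these start)
_SERVICE_DEFAULTS = {
    "ftp": {"port": 21, "proto": "tcp"},
    "ssh": {"port": 22, "proto": "tcp"},
    "telnet": {"port": 23, "proto": "tcp"},
    "smtp": {"port": 25, "proto": "tcp"},
    "dns": {"port": 53, "proto": "udp"},
    "http": {"port": 80, "proto": "tcp"},
    "snmp": {"port": 161, "proto": "udp"},
    "ldap": {"port": 389, "proto": "tcp"},
    "https": {"port": 443, "proto": "tcp"},
    "smb": {"port": 445, "proto": "tcp"},
    "mssql": {"port": 1433, "proto": "tcp"},
    "mysql": {"port": 3306, "proto": "tcp"},
    "rdp": {"port": 3389, "proto": "tcp"},
    "sip": {"port": 5060, "proto": "udp"},
    "postgres": {"port": 5432, "proto": "tcp"},
    "vnc": {"port": 5900, "proto": "tcp"},
    "redis": {"port": 6379, "proto": "tcp"},
    "elasticsearch": {"port": 9200, "proto": "tcp"},
    "memcached": {"port": 11211, "proto": "tcp"},
    "mongodb": {"port": 27017, "proto": "tcp"},
    "docker_api": {"port": 2375, "proto": "tcp"},
}


def _service_env_key(name):
    """Return the env-var suffix for service *name* (upper-cased, ``-`` → ``_``)."""
    return name.upper().replace("-", "_")


def _env_port(var, default):
    """Read a listener port from env var *var*, falling back to *default*.

    Args:
        var: Environment variable name, e.g. ``HONEYPOT_PORT_SSH``.
        default: Port used when *var* is unset.

    Returns:
        The port as an int.

    Raises:
        ValueError: if the value is not an integer in 1..65535. A bad port is a
            deployment error and should surface at config load, not later when
            the listener fails to bind; ValueError is also what ``int()`` raised
            before, so callers catching it keep working.
    """
    raw = os.environ.get(var, str(default))
    try:
        port = int(raw)
    except ValueError:
        raise ValueError(f"{var} must be an integer port, got {raw!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"{var} must be in 1..65535, got {port}")
    return port


def _build_services():
    """Build the SERVICES table from _SERVICE_DEFAULTS plus env overrides.

    Returns:
        ``{name: {"port": int, "enabled": bool, "proto": "tcp" | "udp"}}`` with
        one entry per default service, in the order of _SERVICE_DEFAULTS.

    Enablement precedence: the HONEYPOT_SERVICES whitelist (when set) wins,
    then HONEYPOT_ENABLE_<NAME>, then the default of enabled. Whitelist entries
    are compared case-insensitively; a name that matches no default service is
    silently ignored, so a typo simply leaves that service disabled.
    """
    raw_whitelist = os.environ.get("HONEYPOT_SERVICES", "").strip()
    whitelist = None
    if raw_whitelist:
        whitelist = {
            item.strip().lower()
            for item in raw_whitelist.split(",")
            if item.strip()
        }
    services = {}
    for name, defaults in _SERVICE_DEFAULTS.items():
        key = _service_env_key(name)
        if whitelist is not None:
            enabled = name in whitelist
        else:
            # Only the literal "true" (any case) enables; anything else disables.
            enabled = os.environ.get(f"HONEYPOT_ENABLE_{key}", "true").lower() == "true"
        services[name] = {
            "port": _env_port(f"HONEYPOT_PORT_{key}", defaults["port"]),
            "enabled": enabled,
            "proto": defaults["proto"],
        }
    return services


SERVICES = _build_services()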
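# ─── Web Dashboard ──────────────────────────────────────────────────────────
# Dashboard listener. NOTE(review): the default binds every interface while
# WEB_ALLOWED_IPS defaults to "allow all", so out of the box the admin UI is
# reachable from the same networks the decoy services face; set WEB_HOST to a
# management address and/or WEB_ALLOWED_IPS in production.
WEB_HOST = os.environ.get("WEB_HOST", "0.0.0.0")
WEB_PORT = int(os.environ.get("WEB_PORT", "8443"))
WEB_TLS = True  # not overridable: the dashboard is always served over TLS
# HTTP port that redirects to HTTPS (0 = disabled)
WEB_HTTP_REDIRECT_PORT = int(os.environ.get("WEB_HTTP_PORT", "0"))
# IP whitelist for dashboard access (comma-separated, empty = allow all)
WEB_ALLOWED_IPS = os.environ.get("WEB_ALLOWED_IPS", "")
WEB_CERT_FILE = os.path.join(DATA_DIR, "certs", "dashboard.crt")
WEB_KEY_FILE = os.path.join(DATA_DIR, "certs", "dashboard.key")
# Presumably the session/cookie signing key — confirm in the dashboard code.
# Without WEB_SECRET a fresh random key is generated on every import, so every
# restart invalidates existing sessions and, if the dashboard runs in more than
# one process, sessions issued by one process are unreadable by another. Set
# WEB_SECRET to a long random value (e.g. the output of secrets.token_hex(32))
# for a stable key.
WEB_SECRET_KEY = os.environ.get("WEB_SECRET", secrets.token_hex(32))
# GitHub issue reporter — set GITHUB_TOKEN to enable
GITHUB_REPO = os.environ.get("GITHUB_REPO", "")
GITHUB_TOKEN = os.environ.get("GITHUB_TOKEN", "")
WEB_SESSION_TIMEOUT = 3600  # 1 hour
WEB_RATE_LIMIT = 60  # requests per minute per IP
WEB_MAX_LOGIN_ATTEMPTS = 5
WEB_LOCKOUT_DURATION = 900  # 15 minutes
# Initial admin credentials (change on first login). Overridable through
# WEB_DEFAULT_USER / WEB_DEFAULT_PASS so a deployment can seed a non-default
# password without editing this file; the fallbacks are unchanged, so the
# well-known default still applies when the variables are unset.
WEB_DEFAULT_USER = os.environ.get("WEB_DEFAULT_USER", "admin")
WEB_DEFAULT_PASS = os.environ.get("WEB_DEFAULT_PASS", "changeme")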
# ─── GeoIP ──────────────────────────────────────────────────────────────────
# Lookup endpoint used to enrich attacker source addresses. NOTE(review): this
# is a plain-HTTP URL, so each lookup sends the queried IP to a third party in
# cleartext over the honeypot's egress. That is tolerable for public attacker
# IPs, but prefer the provider's HTTPS endpoint if the deployment has access to
# it (it appears to be a paid tier — confirm).
GEO_API_URL = "http://ip-api.com/json/{ip}?fields=status,message,country,countryCode,region,regionName,city,lat,lon,isp,org,as,query"
GEO_RATE_LIMIT = 45  # requests per minute; stays under the provider's limit
GEO_BATCH_SIZE = 100  # addresses per batch lookup
GEO_CACHE_TTL = 24 * 60 * 60  # seconds a cached result stays valid (one day)
# ─── Payload Capture ──────────────────────────────────────────────────────
# Raw session payloads are stored beneath DATA_DIR. Everything in there is
# attacker-supplied bytes, so any code that later parses or renders it must
# treat it as hostile input.
CAPTURE_DIR = os.path.join(DATA_DIR, "capture")
CAPTURE_ENABLED = os.getenv("CAPTURE_ENABLED", "true").lower() == "true"
CAPTURE_MAX_SIZE = 1 << 20  # bytes; 1 MiB cap per session payload
# ─── Data Retention ─────────────────────────────────────────────────────────
# Retention horizon handed to the cleanup job (its behaviour lives elsewhere).
RETENTION_DAYS = int(os.getenv("RETENTION_DAYS", "90"))
CLEANUP_INTERVAL = 60 * 60  # seconds between cleanup runs (hourly)
# ─── Rate Limiting (per-IP connection throttling) ───────────────────────────
# Thresholds only; enforcement is done by the listener code outside this file.
CONNECTION_RATE_WINDOW = 60  # seconds per counting window
MAX_CONNECTIONS_PER_IP = 20  # connections allowed per source within a window
BAN_THRESHOLD = 100  # connections per window that trigger a temporary ban
BAN_DURATION = 10 * 60  # seconds a banned source stays blocked
# ─── Logging ────────────────────────────────────────────────────────────────
# The level name is passed through unvalidated; an unknown value is left for
# the logging setup code to reject.
LOG_LEVEL = os.getenv("LOG_LEVEL", "INFO")
LOG_BACKUP_COUNT = 10  # rotated files kept per log
LOG_MAX_SIZE = 50 << 20  # bytes; 50 MiB per log file before rotation
# ─── Threat Scoring ────────────────────────────────────────────────────────
# Points attributed to a source per observed behaviour; the scorer that sums
# them is outside this file.
THREAT_WEIGHTS = dict(
    credential_attempt=10,
    port_scan=5,
    brute_force=25,
    exploit_attempt=50,
    data_exfil=30,
    reconnaissance=3,
    multiple_services=15,
)
# Inclusive (low, high) score bands. They are contiguous only for integer
# scores — NOTE(review): a fractional score such as 25.5, or a score above
# 100, falls in no band; confirm the scorer rounds and clamps before lookup.
THREAT_LEVELS = dict(
    low=(0, 25),
    medium=(26, 50),
    high=(51, 75),
    critical=(76, 100),
)
# ─── Alerting ────────────────────────────────────────────────────────────
# Webhook: POST JSON to this URL on high-severity events; an empty URL
# disables it. The secret is presumably used to authenticate the POST so the
# receiver can reject forged alerts — confirm in the sender.
ALERT_WEBHOOK_URL = os.getenv("ALERT_WEBHOOK_URL", "")
ALERT_WEBHOOK_SECRET = os.getenv("ALERT_WEBHOOK_SECRET", "")
# Syslog: forward alerts to a remote RFC 5424 collector; empty host disables.
# NOTE(review): classic syslog on 514 is unauthenticated and unencrypted, so
# keep the collector on a trusted segment or use TLS syslog (RFC 5425) if the
# transport here turns out to be plain UDP/TCP.
ALERT_SYSLOG_HOST = os.getenv("ALERT_SYSLOG_HOST", "")
ALERT_SYSLOG_PORT = int(os.getenv("ALERT_SYSLOG_PORT", "514"))
# Minimum severity to trigger external alerts; expected to be one of the
# THREAT_LEVELS keys (low, medium, high, critical) but not validated here.
ALERT_MIN_SEVERITY = os.getenv("ALERT_MIN_SEVERITY", "high")
# Flood control: at most ALERT_RATE_LIMIT alerts per source IP per window.
ALERT_RATE_WINDOW = int(os.getenv("ALERT_RATE_WINDOW", "300"))  # 5 minutes
ALERT_RATE_LIMIT = int(os.getenv("ALERT_RATE_LIMIT", "10"))