检测到 yunginnanet/HellPot 一共引入了208个开源组件，存在1个漏洞

漏洞标题：Go SSH拒绝服务漏洞
漏洞编号：CVE-2020-9283
漏洞描述：Go SSH是一个使用go语言开发的极度简洁的ssh工具，用于远程管理linux、unix等机器。
Go SSH存在拒绝服务漏洞，该漏洞源于网络系统或产品未对输入的数据进行正确的验证，攻击者可利用该漏洞导致拒绝服务条件，拒绝向合法用户提供服务。
国家漏洞库信息：https://www.cnvd.org.cn/flaw/show/CNVD-2020-14300
影响范围：(∞, 0.0.0-20200220183623-bac4c82f6975)
最小修复版本：0.0.0-20200220183623-bac4c82f6975
缺陷组件引入路径：github.com/yunginnanet/HellPot@->github.com/spf13/[email protected]>github.com/spf13/[email protected]>golang.org/x/[email protected]

另外还有几个漏洞，详细报告：https://mofeisec.com/jr?p=nbd6a6

OS: Ubuntu Server 20.04 LTS

root@box:~# ./HellPot-0.3-linux-amd64 
error writing new config: mkdir /root/.config/HellPot: no such file or directory
open /root/.config/HellPot/config.toml: no such file or directory

fix:
mkdir -p /root/.config/HellPot

Tested:
HellPot-0.3-linux-386
HellPot-0.3-linux-amd64

create a dockerfile and upload it to dockerhub :)

As seen here the logger that logs to terminal returns the exact amount of bytes, which is well and good for JSON processing by other programs, but this is not ideal for human readers quickly checking the rough amount of data being sent.

My recommended solution is to automatically format bytes sent in a human readable manor but only when sent to terminal, but keep current style with JSON logging.

I'm thinking of using this hellpot to reply to bots who scrape a JSON-based API, by replying to them with the ever-evolving response that never ends.

However, this hellpot replies with text, and some iterative parsers will fail and disconnect immediately upon the first character.

Is there a way for the hellpot to detect when it sends Accept: application/json and the likes, and reply with hellish JSON instead?

There are considerable changes to this repository, as well as a name change.
Also, the heffalump repository seems to be inactive anyway.
Therefore, perhaps the fork status should be removed, especially since hellalump is mentioned in the README anyway.

Behavior: 2021/10/23 02:47:15 error when serving connection "[redacted]:[redacted]"<->"[redacted]:[redacted]": error when reading request headers: cannot find http request method

Expected: 2:47AM ERR REMOTE_ADDR=[redacted]:[redacted] error when reading request headers: cannot find http request method (roughy)

This means certain fasthttp errors won't be in our JSON log as well. I'll address this soon.

Help doesn't show up, and also if you call -c without a config file following it, HellPot panics.

I've done this with gitlab but never before with github. It would be nice for the master branch to do automatic builds upon successful pushes to master.

I know this is very obscure but cloudflare keeps trying to "cache" the site which immediately clashes with hellpot (even with robots.txt) so i was wondering if you could add a feature where it ignores certain user agents?

Just noticed that by supplying ...

..
..
log_directory = "/var/log/hellpot/"
..
..

for config.toml... outside a user's home directory is ignored and hellpot tries to setup the folder inside the user's home directory.

A quick check to test everything else is fine (i.e. permissions) I hardcoded the path in logger.go by setting logDir = "<desired path>" which is working fine.

Also I noticed, even if config.toml is present hellpot tries to create a .config/HellPot folder in the user's home directory.

more details here: #131 (comment)

I'm not sure if this is my fault or not, but I appreciate the feedback.

I've set up HellPot to respond to ALL requests. See the config below. Despite this config and the setup in nginx (also below) some URLs still return 404 Not Found. I am not sure why

Please note that the "error.crt" in my nginx config is a simple self-signed certificate that already blocks some malicious clients.

server {
    listen      80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    location / {
        limit_rate 5k;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8081$request_uri;
    }
    ssl_certificate     /etc/openresty/tls/error.crt;
    ssl_certificate_key /etc/openresty/tls/error.key;
}

[deception]
server_name = 'nginx'

[http]
bind_addr = '127.0.0.1'
bind_port = '8081'
real_ip_header = 'X-Real-IP'
uagent_string_blacklist = ['Cloudflare-Traffic-Manager']
unix_socket_path = '/var/run/hellpot'
unix_socket_permissions = '0666'
use_unix_socket = false

[http.router]
catchall = true
makerobots = true
paths = ['wp-login.php', 'wp-login']

[logger]
debug = true
directory = '/home/sander/.local/share/HellPot/logs'
nocolor = false
trace = false
use_date_filename = true

[performance]
max_workers = 256
restrict_concurrency = false

Notable URLs that return a 404 instead of HellPot:

• /_profiler/phpinfo
• .git/config
• /actuator/gateway/routes

The special character (_, .) is a hint but I'm not sure if this is something in HellPot or my nginx (config).

go1.16.6 and higher breaks HellPot with its changes to net/http

HellPot takes its buffer and begins writing it straight to the http ResponseWriter, but now that ResponseWriter asserts reading the length of the source before it will write the header to our client.

breaking commit: golang/go@cb4cd9e

I am working on rewriting HellPot to use a custom HTTP server that uses raw net.Conn handling, if anyone has a better solution let me know.

I wish to effectively respond to all requests (apart from robots.txt) with HellPot as to punish rouge exploit searching botnets. Such a feature would be greatly appreciated.

An option to limit bandwidth usage per second or per day/month would be a welcome feature.

I am absolutely thrilled to see the participation rising on this repo, but it really starts to bring something to light about HellPot:

there are no test cases

the solution is simple¹: write tests