checker: add honeypot-path collector and rules
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
Probes 20 known-bad paths (/.env, /.git/config, /actuator/env, etc.) that CT-log scanners hit immediately after a new certificate is issued. Critical credential/source-leak paths raise StatusCrit; other exposed paths raise StatusWarn; 401/403 responses raise StatusInfo. Fixes: #1
This commit is contained in:
parent
4cae94153f
commit
086d3e151d
5 changed files with 397 additions and 46 deletions
|
|
@ -6,12 +6,8 @@ package checker
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
)
|
||||
|
||||
// ObservationKeyWellKnown is the Extensions[] key under which
|
||||
|
|
@ -28,12 +24,7 @@ type WellKnownData struct {
|
|||
}
|
||||
|
||||
// WellKnownProbe is a single (URI → outcome) entry.
|
||||
type WellKnownProbe struct {
|
||||
URL string `json:"url"`
|
||||
StatusCode int `json:"status_code,omitempty"`
|
||||
Bytes int `json:"bytes,omitempty"`
|
||||
Error string `json:"error,omitempty"`
|
||||
}
|
||||
type WellKnownProbe = PathProbe
|
||||
|
||||
// wellknownCollector probes a small, fixed set of standardised URIs
|
||||
// served at the apex of the host. Today it covers:
|
||||
|
|
@ -51,49 +42,16 @@ func (wellknownCollector) Collect(ctx context.Context, t Target) (any, error) {
|
|||
if len(t.IPs) == 0 {
|
||||
return nil, fmt.Errorf("no IPs to probe")
|
||||
}
|
||||
addr := net.JoinHostPort(t.IPs[0], "443")
|
||||
dialer := &net.Dialer{Timeout: t.Timeout}
|
||||
transport := &http.Transport{
|
||||
DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
|
||||
return dialer.DialContext(ctx, network, addr)
|
||||
},
|
||||
TLSClientConfig: &tls.Config{ServerName: t.Host},
|
||||
TLSHandshakeTimeout: t.Timeout,
|
||||
ResponseHeaderTimeout: t.Timeout,
|
||||
DisableKeepAlives: true,
|
||||
}
|
||||
defer transport.CloseIdleConnections()
|
||||
transport, cleanup := newPinnedHTTPSTransport(t.IPs[0], t.Host, t.Timeout)
|
||||
defer cleanup()
|
||||
client := &http.Client{Transport: transport}
|
||||
|
||||
uris := []string{"/.well-known/security.txt", "/robots.txt"}
|
||||
out := WellKnownData{URIs: make(map[string]WellKnownProbe, len(uris))}
|
||||
for _, path := range uris {
|
||||
out.URIs[path] = fetchOne(ctx, client, t.Host, path, t.UserAgent)
|
||||
out.URIs[path] = fetchHTTPSPath(ctx, client, t.Host, path, t.UserAgent, 64<<10)
|
||||
}
|
||||
return &out, nil
|
||||
}
|
||||
|
||||
func fetchOne(ctx context.Context, client *http.Client, host, path, ua string) WellKnownProbe {
|
||||
u := (&url.URL{Scheme: "https", Host: host, Path: path}).String()
|
||||
probe := WellKnownProbe{URL: u}
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
|
||||
if err != nil {
|
||||
probe.Error = err.Error()
|
||||
return probe
|
||||
}
|
||||
req.Header.Set("User-Agent", ua)
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
probe.Error = err.Error()
|
||||
return probe
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
probe.StatusCode = resp.StatusCode
|
||||
// Cap the read so a misconfigured server can't pull megabytes for a
|
||||
// "did this exist?" probe.
|
||||
body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
|
||||
probe.Bytes = len(body)
|
||||
return probe
|
||||
}
|
||||
|
||||
func init() { RegisterCollector(wellknownCollector{}) }
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue