Changes
- Added the option to log and report when an IP address establishes a connection with a honeypot. Previously, the threatfeed and honeypot logs would only update after interactions from the client (such as submitting credentials or other data). Now you get logging and threatfeed updates immediately when the client connects. This feature is currently only available for the TCP and SSH honeypot types and is disabled by default. To enable it, set `<logConnections>true</logConnections>` and `<reportConnections>true</reportConnections>` in your honeypot configuration. Example snippet:

```xml
<config>
  <honeypotServers>
    <server type="ssh">
      <logConnections>true</logConnections>
      <reportConnections>true</reportConnections>
    </server>
  </honeypotServers>
</config>
```

- Added the option to set a session timeout to control the time after which a client is disconnected. Previously, this was hard-coded at 30 seconds for TCP and SSH honeypots and 5 seconds for HTTP honeypots. Those values remain the defaults, but can be overridden in your honeypot configuration. To use it, set the `<sessionTimeout>` option (in seconds), such as `<sessionTimeout>5</sessionTimeout>`. Additionally, setting `<sessionTimeout>0</sessionTimeout>` on a TCP honeypot causes connections to be force-closed immediately with a TCP RST rather than the usual graceful close. This behavior mimics an IPS or other security appliance forcing a connection closed.
- Configuration change: Two options in the configuration file have been renamed. The original option names still work if present. Here's what's renamed:
  - `<logEnabled>` is renamed to `<logInteractions>`
  - `<sendToThreatFeed>` is renamed to `<reportInteractions>`
- A threatfeed exclude list file is now automatically created when the option is set and the file doesn't already exist. The created file is populated with comments explaining its usage and includes example entries.
  - The default configuration files are updated to take advantage of this.
  - If you don't have an exclude list set, here's a sample config snippet:

```xml
<threatFeed>
  <excludeListPath>myfile.conf</excludeListPath>
</threatFeed>
```
- Added a very short random delay to TCP honeypots before printing the banner or first prompt.
- Improved formatting of console output. This is tailored for journald when running as a systemd service. Console output is visible with `journalctl -u deceptifeed`. If running from Docker, you can use `docker logs -f deceptifeed`.
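The connection-logging and `sessionTimeout` items above both change what a client observes before it sends anything: a connect alone now produces a log entry, and a timeout of 0 on a TCP honeypot answers with a TCP RST instead of an orderly close. The following is an added example, not deceptifeed's own code, that lets you verify the second behaviour from the client side. It starts a constructed stand-in server on localhost that sends a banner and then closes either normally (FIN) or with `SO_LINGER` set to zero, which is the standard way to make `close()` emit an RST, and a `probe()` function that reports which kind of close it saw. The banner text and the `_serve_one`/`demo` helpers are assumptions made for the example; `probe()` itself can be pointed at a real honeypot host and port.

```python
"""Probe how a TCP service ends a session: orderly FIN versus abortive RST.

Added example (not part of deceptifeed). The stand-in server below is a
constructed mimic of the two sessionTimeout behaviours, not the project's code.
"""
import socket
import struct
import threading

# Constructed banner for the stand-in server (assumption for this example).
BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"


def _serve_one(listener, mode):
    """Accept one client, send BANNER, then close the connection.

    mode="fin": ordinary close, the kernel performs the FIN handshake.
    mode="rst": SO_LINGER with a zero timeout, so close() sends a TCP RST and
                discards anything still queued, like sessionTimeout 0.
    """
    conn, _ = listener.accept()
    with conn:
        conn.sendall(BANNER)
        if mode == "rst":
            linger_on, linger_secs = 1, 0
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", linger_on, linger_secs))
    # Leaving the with-block calls conn.close(); with linger 0 that is an RST.


def probe(host, port, timeout=5.0):
    """Connect, read until the peer ends the session, and classify the ending.

    Returns (data_received, close_kind) where close_kind is one of:
      "fin"     - peer closed gracefully (recv returned EOF)
      "rst"     - peer reset the connection (ECONNRESET/ECONNABORTED)
      "timeout" - nothing happened within `timeout` seconds
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            try:
                chunk = s.recv(4096)
            except (ConnectionResetError, ConnectionAbortedError):
                return b"".join(chunks), "rst"
            except socket.timeout:
                return b"".join(chunks), "timeout"
            if not chunk:                      # EOF: orderly FIN from the peer
                return b"".join(chunks), "fin"
            chunks.append(chunk)


def demo(mode):
    """Run the stand-in server in `mode` on an ephemeral loopback port and probe it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_one, args=(listener, mode), daemon=True)
    server.start()
    try:
        return probe("127.0.0.1", port)
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for mode in ("fin", "rst"):
        data, kind = demo(mode)
        print(f"server mode={mode}: received={data!r} close={kind}")
```

Against a real honeypot, a `"fin"` result after roughly 30 seconds is the default TCP behaviour, while an immediate `"rst"` is what `<sessionTimeout>0</sessionTimeout>` should produce. Note that some client operating systems discard data that is still unread when an RST arrives, so the banner may or may not be present in the `"rst"` case; the close kind is the reliable signal.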
Other
- Performance improvements when saving the threatfeed database.
- When saving the threatfeed database, updates are first written to a temporary file that then replaces the database. This prevents a corrupt database if the process crashes while the threatfeed is being saved.
- Performance improvements when serving the threatfeed with an exclude list configured. The exclude list is now stored in-memory and the file is re-parsed only when changes are detected. Previously, the threatfeed would open and read the exclude list file on every request.
Full Changelog: v0.66.0...v0.67.0