yunginnanet / hellpot
HellPot is a portal to endless suffering meant to punish unruly HTTP bots.
License: MIT License
Scan result: yunginnanet/HellPot pulls in 208 open-source components in total, and 1 vulnerability was found.
Vulnerability title: Go SSH denial-of-service vulnerability
Vulnerability ID: CVE-2020-9283
Vulnerability description: Go SSH is an extremely minimal SSH tool written in Go, used for remote management of Linux, Unix and similar machines.
Go SSH has a denial-of-service vulnerability. It stems from the network system or product not correctly validating input data; an attacker can exploit it to cause a denial-of-service condition and deny service to legitimate users.
National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2020-14300
Affected range: (∞, 0.0.0-20200220183623-bac4c82f6975)
Minimum fixed version: 0.0.0-20200220183623-bac4c82f6975
Dependency path of the vulnerable component: github.com/yunginnanet/HellPot@->github.com/spf13/[email protected]>github.com/spf13/[email protected]>golang.org/x/[email protected]
There are several more vulnerabilities; detailed report: https://mofeisec.com/jr?p=nbd6a6
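The report above gives a fix pseudo-version for golang.org/x/crypto. A practitioner's first question is whether the module version actually resolved in the build is below that fix. The following is an added example (not the project's code and not the scanner's tooling) that applies that check to `go list -m all` output; the module list and its versions are a constructed sample, and the comparison only understands the `v0.0.0-<timestamp>-<hash>` pseudo-version form, which is the one the advisory uses:

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of `go list -m all` output. The versions are made up for
// this example and are not HellPot's real dependency graph.
const sampleModList = `github.com/yunginnanet/HellPot
github.com/spf13/afero v1.1.2
github.com/spf13/viper v1.7.1
golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd
`

// Fix version taken from the advisory for CVE-2020-9283.
var fixVersions = map[string]string{
	"golang.org/x/crypto": "v0.0.0-20200220183623-bac4c82f6975",
}

// pseudoRe matches the v0.0.0-<YYYYMMDDHHMMSS>-<12 hex> pseudo-version form.
// Other pseudo-version shapes (vX.Y.Z-0.<ts>-<hash>) are out of scope here.
var pseudoRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// pseudoTimestamp extracts the commit timestamp of a pseudo-version. The
// timestamp is fixed-width, so plain string comparison orders two of them.
func pseudoTimestamp(v string) (string, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// isFixed reports whether the resolved version satisfies the fix version.
// A tagged release (e.g. v0.1.0) sorts above every v0.0.0 pseudo-version in
// semver and is therefore treated as fixed.
func isFixed(resolved, fix string) bool {
	rt, ok := pseudoTimestamp(resolved)
	if !ok {
		return true
	}
	ft, ok := pseudoTimestamp(fix)
	if !ok {
		return false // fix is a tagged release; no v0.0.0 pseudo-version reaches it
	}
	return rt >= ft
}

// vulnerableModules scans `go list -m all` output and returns "path version"
// for each module whose effective version is below its fix version.
func vulnerableModules(modList string, fixes map[string]string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(modList))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue // the main module line has no version
		}
		path, version := fields[0], fields[1]
		// A replace directive prints as "path v1 => newpath v2"; the version
		// after "=>" is the one that gets built.
		if len(fields) == 5 && fields[2] == "=>" {
			version = fields[4]
		}
		fix, ok := fixes[path]
		if !ok {
			continue
		}
		if !isFixed(version, fix) {
			out = append(out, path+" "+version)
		}
	}
	return out
}

func main() {
	for _, m := range vulnerableModules(sampleModList, fixVersions) {
		fmt.Println("below fix version:", m)
	}
}
```

Feed it real data with `go list -m all` from the module root. Note the caveat the scanner's dependency path hides: a module present in the graph is not necessarily linked into the binary, and the ssh package is only reached here through viper and afero. `govulncheck` does symbol-level reachability and is the tool to decide whether the binary is actually exposed.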
I wish to effectively respond to all requests (apart from robots.txt) with HellPot so as to punish rogue exploit-searching botnets. Such a feature would be greatly appreciated.
There are considerable changes to this repository, as well as a name change.
Also, the heffalump repository seems to be inactive anyway.
Therefore, perhaps the fork status should be removed, especially since heffalump is mentioned in the README anyway.
An option to limit bandwidth usage per second or per day/month would be a welcome feature.
I'm not sure if this is my fault or not, but I appreciate the feedback.
I've set up HellPot to respond to ALL requests. See the config below. Despite this config and the setup in nginx (also below), some URLs still return 404 Not Found. I am not sure why.
Please note that the "error.crt" in my nginx config is a simple self-signed certificate that already blocks some malicious clients.
server {
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;

    location / {
        # Throttle the endless response so a single bot cannot saturate the uplink.
        limit_rate 5k;
        # Pass the original Host and client address; HellPot reads the latter via real_ip_header.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Forward the raw request URI unchanged so HellPot sees the path the bot asked for.
        proxy_pass http://127.0.0.1:8081$request_uri;
    }

    ssl_certificate /etc/openresty/tls/error.crt;
    ssl_certificate_key /etc/openresty/tls/error.key;
}
[deception]
server_name = 'nginx'                  # Server header value presented to clients

[http]
bind_addr = '127.0.0.1'                # only reachable through the nginx proxy above
bind_port = '8081'
real_ip_header = 'X-Real-IP'           # header nginx fills with the client address
uagent_string_blacklist = ['Cloudflare-Traffic-Manager']
unix_socket_path = '/var/run/hellpot'
unix_socket_permissions = '0666'       # world-writable; unused while use_unix_socket is false
use_unix_socket = false

[http.router]
catchall = true                        # respond to every path, not only those listed in paths
makerobots = true
paths = ['wp-login.php', 'wp-login']

[logger]
debug = true
directory = '/home/sander/.local/share/HellPot/logs'
nocolor = false
trace = false
use_date_filename = true

[performance]
max_workers = 256
restrict_concurrency = false
Notable URLs that return a 404 instead of HellPot:
/_profiler/phpinfo
.git/config
/actuator/gateway/routes
The special character (_, .) is a hint but I'm not sure if this is something in HellPot or my nginx (config).
OS: Ubuntu Server 20.04 LTS
    root@box:~# ./HellPot-0.3-linux-amd64
    error writing new config: mkdir /root/.config/HellPot: no such file or directory
    open /root/.config/HellPot/config.toml: no such file or directory
fix:
    mkdir -p /root/.config/HellPot
Tested:
    HellPot-0.3-linux-386
    HellPot-0.3-linux-amd64
more details here: #131 (comment)
Help doesn't show up, and also if you call -c without a config file following it, HellPot panics.
Just noticed that supplying
    ..
    log_directory = "/var/log/hellpot/"
    ..
in config.toml, i.e. a path outside a user's home directory, is ignored, and hellpot tries to set up the folder inside the user's home directory.
As a quick check that everything else is fine (i.e. permissions), I hardcoded the path in logger.go by setting logDir = "<desired path>", which is working fine.
Also I noticed that even if config.toml is present, hellpot tries to create a .config/HellPot folder in the user's home directory.
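Two of the reports above concern first-run directory handling: `mkdir /root/.config/HellPot: no such file or directory` is exactly what os.Mkdir returns when the parent `.config` does not exist yet, and a later report says the directory is created even when a config.toml is already present. The following is an added example, not HellPot's own code, showing the shallow os.Mkdir failure beside an os.MkdirAll version equivalent to the `mkdir -p` workaround, which also leaves an existing config untouched. The default config string is a hypothetical minimum and the directory is a temporary one:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// defaultConfig is a hypothetical minimal config written on first run; the
// real project's generated config.toml has more sections.
const defaultConfig = `[http]
bind_addr = '127.0.0.1'
bind_port = '8081'
`

// ensureConfigDirShallow reproduces the reported failure: os.Mkdir creates only
// the last path element, so it fails with ENOENT when ~/.config itself is absent.
func ensureConfigDirShallow(dir string) error {
	if err := os.Mkdir(dir, 0o700); err != nil && !errors.Is(err, os.ErrExist) {
		return fmt.Errorf("error writing new config: %w", err)
	}
	return nil
}

// ensureConfig is the in-process equivalent of the `mkdir -p` fix: os.MkdirAll
// creates every missing parent. config.toml is created with O_EXCL, so a file
// the user already edited is never overwritten. 0700/0600 keep the trap's
// configuration readable by the service account only.
func ensureConfig(dir string) (string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", fmt.Errorf("error writing new config: %w", err)
	}
	path := filepath.Join(dir, "config.toml")
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		if errors.Is(err, os.ErrExist) {
			return path, nil // keep the existing file as-is
		}
		return "", fmt.Errorf("error writing new config: %w", err)
	}
	defer f.Close()
	if _, err := f.WriteString(defaultConfig); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	// Work in a scratch directory so the demo never touches a real home directory.
	base, err := os.MkdirTemp("", "hellpot-example")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(base)
	dir := filepath.Join(base, ".config", "HellPot")
	if err := ensureConfigDirShallow(dir); err != nil {
		fmt.Println("shallow mkdir:", err) // the failure from the report, parent missing
	}
	path, err := ensureConfig(dir)
	fmt.Println("config at", path, "err:", err)
}
```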
I am absolutely thrilled to see the participation rising on this repo, but it really starts to bring something to light about HellPot:
the solution is simple[1]: write tests
[1] half joking here; since this is an app vs a lib, proper test coverage tends to be slightly more of a challenge
HellPot takes its buffer and begins writing it straight to the http ResponseWriter, but now that ResponseWriter asserts reading the length of the source before it will write the header to our client.
breaking commit: golang/go@cb4cd9e
I am working on rewriting HellPot to use a custom HTTP server that uses raw net.Conn handling, if anyone has a better solution let me know.
I've done this with gitlab but never before with github. It would be nice for the master branch to do automatic builds upon successful pushes to master.
I know this is very obscure, but Cloudflare keeps trying to "cache" the site, which immediately clashes with hellpot (even with robots.txt), so I was wondering if you could add a feature where it ignores certain user agents?
I'm thinking of using this hellpot to reply to bots who scrape a JSON-based API, by replying to them with the ever-evolving response that never ends.
However, this hellpot replies with text, and some iterative parsers will fail and disconnect immediately upon the first character.
Is there a way for the hellpot to detect when it sends Accept: application/json
and the likes, and reply with hellish JSON instead?
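The issues above touch three aspects of streaming an endless body: pushing headers and data through net/http's ResponseWriter without waiting for its buffer to fill, bounding bandwidth per connection, and producing output an incremental JSON parser keeps consuming when the client sends Accept: application/json. The following is an added example, not HellPot's code and not the raw net.Conn server the maintainer mentions, of a handler that does all three on plain net/http. The filler vocabulary and the per-chunk delay are assumptions of the example:

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"sync/atomic"
	"time"
)

// Constructed filler vocabulary; the real project generates its own text.
var words = []string{"lorem", "ipsum", "dolor", "sit", "amet", "consectetur"}

// hellHandler streams a response that never ends.
type hellHandler struct {
	delay  time.Duration // pause between chunks: caps bytes per second per connection
	chunks int64         // total chunks sent, accessed atomically
}

// Chunks returns how many chunks have been flushed across all connections.
func (h *hellHandler) Chunks() int64 { return atomic.LoadInt64(&h.chunks) }

// wantsJSON reports whether an Accept header lists a JSON media type.
// Parameters such as ";q=0.9" are ignored and "+json" suffixes are accepted.
func wantsJSON(accept string) bool {
	for _, part := range strings.Split(accept, ",") {
		mt := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
		if mt == "application/json" || strings.HasSuffix(mt, "+json") {
			return true
		}
	}
	return false
}

// nextChunk returns chunk i of the endless body. In JSON mode the stream is a
// prefix of a valid array that is never closed, so an incremental parser keeps
// consuming elements instead of bailing on the first byte.
func nextChunk(i int, asJSON bool) []byte {
	w := words[i%len(words)]
	if !asJSON {
		return []byte(w + " ")
	}
	elem, _ := json.Marshal(map[string]interface{}{"id": i, "word": w})
	sep := ","
	if i == 0 {
		sep = "["
	}
	return append([]byte(sep), elem...)
}

func (h *hellHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	asJSON := wantsJSON(r.Header.Get("Accept"))
	ct := "text/plain; charset=utf-8"
	if asJSON {
		ct = "application/json"
	}
	// An explicit Content-Type stops net/http from holding back the first bytes
	// for sniffing; with no Content-Length the body goes out chunked.
	w.Header().Set("Content-Type", ct)
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(http.StatusOK)
	flusher, canFlush := w.(http.Flusher)
	ctx := r.Context()
	for i := 0; ; i++ {
		if _, err := w.Write(nextChunk(i, asJSON)); err != nil {
			return // client went away
		}
		if canFlush {
			flusher.Flush() // send headers and this chunk now, not when the buffer fills
		}
		atomic.AddInt64(&h.chunks, 1)
		select {
		case <-ctx.Done(): // connection closed by the client or server shutdown
			return
		case <-time.After(h.delay):
		}
	}
}

func main() {
	h := &hellHandler{delay: 250 * time.Millisecond}
	// WriteTimeout must stay zero for an endless body; the header timeout still
	// protects against slowloris-style clients.
	srv := &http.Server{Addr: "127.0.0.1:8081", Handler: h, ReadHeaderTimeout: 5 * time.Second}
	fmt.Println("listening on", srv.Addr)
	fmt.Println(srv.ListenAndServe())
}
```

The delay is the simplest bandwidth control: chunk size divided by delay is the per-connection rate, and a global limit per day or month would sit on top of it as a counter checked before each write. Behind the nginx config above, `limit_rate` bounds the same thing at the proxy.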
As seen here, the logger that logs to the terminal returns the exact number of bytes, which is well and good for JSON processing by other programs, but this is not ideal for human readers quickly checking the rough amount of data being sent.
My recommended solution is to automatically format bytes sent in a human-readable manner, but only when sent to the terminal, and keep the current style with JSON logging.
create a dockerfile and upload it to dockerhub :)
Behavior:
    2021/10/23 02:47:15 error when serving connection "[redacted]:[redacted]"<->"[redacted]:[redacted]": error when reading request headers: cannot find http request method
Expected (roughly):
    2:47AM ERR REMOTE_ADDR=[redacted]:[redacted] error when reading request headers: cannot find http request method
This means certain fasthttp errors won't be in our JSON log as well. I'll address this soon.