Merge pull request #36 from seccome/dev

merger Dev

README.md

@@ -16,6 +16,7 @@
 
 > ⭐️ Seccome Teamer积累十几年的安全经验，都将对外逐步开放，首开的Ehoney欺骗防御系统，该系统是基于云原生的欺骗防御系统，也是业界唯一开源的对标商业系统的产品，欺骗防御系统通过部署高交互高仿真蜜罐及流量代理转发，再结合自研密签及诱饵，将攻击者攻击引导到蜜罐中达到扰乱引导以及延迟攻击的效果，可以很大程度上保护业务的安全。`护网必备良药`，该平台只提供安全技术防护能力，任何人不得用于任何不法行为⭐️   
 
+
 ![介绍视频](./doc/img/介绍.gif)
 
 

main.go

@@ -11,7 +11,6 @@ import (
 	"decept-defense/models/util"
 	"decept-defense/models/util/comhttp"
 	"decept-defense/models/util/comm"
-	"decept-defense/models/util/k3s"
 	"flag"
 	"fmt"
 	"github.com/astaxie/beego"
@@ -43,12 +42,16 @@ func makeRouter() *mux.Router {
 	/*管理员登录*/
 	r.HandleFunc("/deceptdefense/api/login", AdminLogin)
 	r.HandleFunc("/deceptdefense/api/logout", AdminLogout)
+	/*更新管理员密码*/
+	r.HandleFunc("/deceptdefense/api/passwordupdate", AdminUpdatePassword)
 
 	/*镜像列表更新*/
 	r.HandleFunc("/deceptdefense/api/refreshimages", RefreshImages)
 
 	r.HandleFunc("/deceptdefense/api/agent/download", Download)
 
+	r.HandleFunc("/deceptdefense/api/agent/downloadwin", DownloadWindowsAgent)
+
 	//add route for 思瀚
 	r.HandleFunc("/deceptdefense/api/dbportmap", controllers.Map)
 
@@ -63,9 +66,14 @@ func makeRouter() *mux.Router {
 
 	r.HandleFunc("/deceptdefense/api/insertAttackLog", InsertAttackLogHandler)
 
+	r.HandleFunc("/deceptdefense/api/getAttackLog", GetAttackLogListByIp)
+
 	/*SSH Key 插入*/
 	r.HandleFunc("/deceptdefense/api/insertsshkey", InsertSSHKeyHandler)
 
+	/*反制攻击者信息 插入*/
+	r.HandleFunc("/deceptdefense/api/ainfo", InsertAttackInfo)
+
 	/*服务器心跳*/
 	r.HandleFunc("/deceptdefense/api/getapplocationssignmsg", ApplicationSignMsgHandler)
 
@@ -300,7 +308,7 @@ func initiLogger() {
 	// 根据心跳注册主机
 	go redisCenter.RedisPubConsumerServerRegResponse()
 
-	go k3s.FreshPods()
+	//go k3s.FreshPods()
 	return
 }
 

manage.sh

@@ -287,11 +287,10 @@ function setupFalco(){
     cd $(dirname $0)
     pwd
   )
-  echo "start setup falco"
-
-  exist=`helm list | grep falco`
-  if [ "${exist}" == "" ]; then
-	cd $Project_Dir/helm
+ echo "start setup falco"
+ helmFile=/usr/local/bin/helm
+ if [ ! -f "${helmFile}" ]; then
+	  cd $Project_Dir/helm
 	  cp helm /usr/local/bin/helm
 	  chmod +x /usr/local/bin/helm
 	  helm repo add stable http://mirror.azure.cn/kubernetes/charts/

models/datavcenter/datavSQL.go

@@ -3,10 +3,12 @@ package datavcenter
 import (
 	"database/sql"
 	"decept-defense/models/util"
+	"decept-defense/models/util/comm"
 	"encoding/json"
 	"github.com/astaxie/beego"
 	"github.com/astaxie/beego/logs"
 	"github.com/astaxie/beego/orm"
+	"strings"
 )
 
 var (
@@ -17,6 +19,63 @@ var (
 	Dbname     = beego.AppConfig.String("dbname")
 )
 
+func QueryAttackerInfoByIP(ip string) []orm.Params {
+	o := orm.NewOrm()
+	var maps []orm.Params
+	_, err := o.Raw("SELECT * from `attacker_info` WHERE ip=?", ip).Values(&maps)
+	if err != nil {
+		logs.Error("[SelectApplicationByAgentID] select event list error,%s", err)
+	}
+	return maps
+}
+
+func TryTransferIPToAgentIp(targetIP string) string {
+	o := orm.NewOrm()
+	var maps []orm.Params
+	param := "%" + targetIP + "%"
+	_, err := o.Raw("SELECT * from `servers` WHERE serverip like ?", param).Values(&maps)
+	if err != nil {
+		logs.Error("[TryTransferIPToAgentIp] select server list error,%s", err)
+	}
+
+	if len(maps) == 0 {
+		return targetIP
+	}
+
+	for _, vMap := range maps {
+		serverip := util.Strval(vMap["serverip"])
+		if strings.Index(serverip, ",") > -1 {
+			ips := strings.Split(serverip, ",")
+			for _, ip := range ips {
+
+				if ip == targetIP {
+					return serverip
+				}
+			}
+		} else {
+			if serverip == targetIP {
+				return serverip
+			}
+		}
+	}
+
+	return targetIP
+}
+
+func InsertAttackerInfo(sourceSite, account, ip, city string) (map[string]interface{}, string, int) {
+	msg := "成功"
+	var data map[string]interface{}
+	o := orm.NewOrm()
+	var maps []orm.Params
+	_, err := o.Raw("insert into attacker_info (source_site, account, ip, city) VALUES (?,?,?,?)", sourceSite, account, ip, city).Values(&maps)
+	if err != nil {
+		logs.Error("[InsertClamavData] insert servers error,%s", err)
+		msg = "数据插入失败"
+		return data, msg, comm.ErrorCode
+	}
+	return data, msg, comm.SuccessCode
+}
+
 func GetTopAttackMap() map[string]interface{} {
 	sqlCon, err1 := sql.Open("mysql", Dbuser+":"+Dbpassword+"@tcp("+Dbhost+":"+Dbport+")/"+Dbname+"?charset=utf8&loc=Asia%2FShanghai")
 	if err1 != nil {

models/honeycluster/honeyclusterSQL.go

@@ -40,6 +40,34 @@ func UpdateAdminLoginStatus(username string, password string) {
 	}
 }
 
+func CheckAdminPassword(oldPassword string) bool {
+	o := orm.NewOrm()
+	var maps []orm.Params
+	_, err := o.Raw("select count(*) as count from e_admin where upass=? ", oldPassword).Values(&maps)
+
+	if err != nil {
+		logs.Error("[UpdateAdminLoginStatus] query e_admin upass error,%s", err)
+		return false
+	}
+
+	if len(maps) == 0 {
+		return false
+	}
+
+	return true
+}
+
+func UpdateAdminPassword(oldPassword, newPassword string) error {
+	o := orm.NewOrm()
+	var maps []orm.Params
+	_, err := o.Raw("update e_admin set upass=? where uname='admin' and upass=?", newPassword, oldPassword).Values(&maps)
+	if err != nil {
+		logs.Error("[UpdateAdminLoginStatus] update AdminLoginStatus policy error,%s", err)
+		return err
+	}
+	return nil
+}
+
 //func CheckAdminLogin(username string, password string) bool {
 //	result := false
 //	sqlCon, err1 := sql.Open("mysql", Dbuser+":"+Dbpassword+"@tcp("+Dbhost+":"+Dbport+")/"+Dbname+"?charset=utf8&loc=Asia%2FShanghai")
@@ -246,6 +274,34 @@ func SelectApplicationBaitsById(taskid string) []orm.Params {
 	return maps
 }
 
+func QueryServerByBaitOrSignTaskId(taskid string) string {
+	if taskid == "" {
+		return ""
+	}
+	o := orm.NewOrm()
+	var maps []orm.Params
+	_, err := o.Raw("SELECT s.* FROM server_bait sb LEFT JOIN servers s on sb.agentid = s.agentid  WHERE sb.taskid = ? union SELECT s.* FROM server_sign ss LEFT JOIN servers s on ss.agentid = s.agentid  WHERE ss.taskid = ?", taskid, taskid).Values(&maps)
+	if err != nil {
+		logs.Error("[QueryServerByBaitTaskId] select server error,%s", err)
+
+	}
+	return maps[0]["sys"].(string)
+}
+
+func QueryServerByAgentId(agentId string) string {
+	if agentId == "" {
+		return ""
+	}
+	o := orm.NewOrm()
+	var maps []orm.Params
+	_, err := o.Raw("SELECT * FROM servers WHERE agentid = ?", agentId).Values(&maps)
+	if err != nil {
+		logs.Error("[QueryServerByAgentId] select server error,%s", err)
+
+	}
+	return maps[0]["sys"].(string)
+}
+
 func SelectSigns(signname string, signid string, signtype string, creator string, starttime string, endtime string, pageSize int, pageNum int) map[string]interface{} {
 
 	sqlCon, err1 := sql.Open("mysql", Dbuser+":"+Dbpassword+"@tcp("+Dbhost+":"+Dbport+")/"+Dbname+"?charset=utf8&loc=Asia%2FShanghai")
@@ -1539,12 +1595,12 @@ func InsertApplication(ecsname string, ecsip string, ecsid string, status int, v
 	return data, msg, comm.SuccessCode
 }
 
-func ServerHeartBeatAct(agentid string, status int, ips string, servername string, timenow int64) (map[string]interface{}, string, int) {
+func ServerHeartBeatAct(agentid, sys string, status int, ips string, servername string, timenow int64) (map[string]interface{}, string, int) {
 	msg := "成功"
 	var data map[string]interface{}
 	o := orm.NewOrm()
 	var maps []orm.Params
-	_, err := o.Raw("insert into servers (servername,serverip,status,agentid,regtime,heartbeattime) VALUES (?,?,?,?,?,?) ON DUPLICATE KEY UPDATE serverip=?, status=?, heartbeattime=?", servername, ips, status, agentid, timenow, timenow, ips, status, timenow).Values(&maps)
+	_, err := o.Raw("insert into servers (servername,serverip,sys, status,agentid,regtime,heartbeattime) VALUES (?,?,?,?,?,?,?) ON DUPLICATE KEY UPDATE serverip=?, status=?, heartbeattime=?", servername, ips, sys, status, agentid, timenow, timenow, ips, status, timenow).Values(&maps)
 	if err != nil {
 		logs.Error("[ServerHeartBeatAct]  ServerHeartBeatAct error,%s", err)
 		msg = "数据插入更新失败"

models/redisCenter/producer.go

@@ -202,14 +202,21 @@ func (rs *redisServer) ServerHeartBeatListen(pool *redis.Pool, key string) {
 			ips := gjson.Get(data, "IPs")
 			servername := gjson.Get(data, "HostName")
 			servertype := gjson.Get(data, "Type")
+			sys := gjson.Get(data, "Sys")
+			var system string
+			if sys.Str == "" {
+				system = "Linux"
+			} else {
+				system = sys.Str
+			}
 			timenow := time.Now().Unix()
 			status1 := 0
 			if status.Str == "running" {
 				status1 = 1
 			}
 			if strings.ToLower(servertype.Str) == "edge" {
 				//fmt.Println(fmt.Println("EDGE data：", data))
-				honeycluster.ServerHeartBeatAct(agentid.Str, status1, ips.Str, servername.Str, timenow)
+				honeycluster.ServerHeartBeatAct(agentid.Str, system, status1, ips.Str, servername.Str, timenow)
 			} else if strings.ToLower(servertype.Str) == "relay" {
 				//fmt.Println(fmt.Println("RELAY data：", data))
 				honeycluster.HoneyServerHeartBeatAct(agentid.Str, status1, ips.Str, servername.Str, timenow)
@@ -261,7 +268,7 @@ func (rs *redisServer) TransEventListen(pool *redis.Pool, key string) {
 			hport, _ := strconv.Atoi(honeypotport)
 			bport, _ := strconv.Atoi(bindport.Raw)
 			eport, _ := strconv.Atoi(exportport.Raw)
-			policyCenter.InsertAttackLog(proxytype.Str, serverip, bport, util.GetIP(sourceaddr.Str), honeypotid, hport, honeytypeid, eventtime.Int(), eport)
+			policyCenter.InsertAttackLog(proxytype.Str, serverip, bport, util.GetIp2(sourceaddr.Str), honeypotid, hport, honeytypeid, eventtime.Int(), eport)
 
 		case redis.Subscription: //Subscribe一个Channel时
 			fmt.Printf("%s: %s %d\n", v.Channel, v.Kind, v.Count)