Added timezone env variable handling

2025-12-28 17:07:18 +01:00
parent 499760c939
commit 6556e17f91
12 changed files with 258 additions and 65 deletions
--- a/README.md
+++ b/README.md
@@ -186,6 +186,7 @@ To customize the deception server installation several **environment variables**
 | `DASHBOARD_SECRET_PATH` | Custom dashboard path | Auto-generated |
 | `PROBABILITY_ERROR_CODES` | Error response probability (0-100%) | `0` |
 | `SERVER_HEADER` | HTTP Server header for deception | `Apache/2.2.22 (Ubuntu)` |
+| `TIMEZONE` | IANA timezone for logs and dashboard (e.g., `America/New_York`, `Europe/Rome`) | System timezone |

 ## robots.txt
 The actual (juicy) robots.txt configuration is the following
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -1,44 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: krawl-server
-  namespace: krawl
-  labels:
-    app: krawl-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: krawl-server
-  template:
-    metadata:
-      labels:
-        app: krawl-server
-    spec:
-      containers:
-      - name: krawl
-        image: ghcr.io/blessedrebus/krawl:latest
-        imagePullPolicy: Always
-        ports:
-        - containerPort: 5000
-          name: http
-          protocol: TCP
-        envFrom:
-        - configMapRef:
-            name: krawl-config
-        volumeMounts:
-        - name: wordlists
-          mountPath: /app/wordlists.json
-          subPath: wordlists.json
-          readOnly: true
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "100m"
-          limits:
-            memory: "256Mi"
-            cpu: "500m"
-      volumes:
-      - name: wordlists
-        configMap:
-          name: krawl-wordlists
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -25,6 +25,8 @@ services:
      # - CANARY_TOKEN_URL=http://canarytokens.com/api/users/YOUR_TOKEN/passwords.txt
      # Optional: Set custom dashboard path (auto-generated if not set)
      # - DASHBOARD_SECRET_PATH=/my-secret-dashboard
+      # Optional: Set timezone for logs and dashboard (e.g., America/New_York, Europe/Rome)
+      # - TIMEZONE=UTC
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "python3", "-c", "import requests; requests.get('http://localhost:5000')"]
--- a/helm/templates/configmap.yaml
+++ b/helm/templates/configmap.yaml
@@ -16,3 +16,6 @@ data:
  PROBABILITY_ERROR_CODES: {{ .Values.config.probabilityErrorCodes | quote }}
  SERVER_HEADER: {{ .Values.config.serverHeader | quote }}
  CANARY_TOKEN_URL: {{ .Values.config.canaryTokenUrl | quote }}
+  {{- if .Values.config.timezone }}
+  TIMEZONE: {{ .Values.config.timezone | quote }}
+  {{- end }}
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -75,6 +75,7 @@ config:
  probabilityErrorCodes: 0
  serverHeader: "Apache/2.2.22 (Ubuntu)"
 #  canaryTokenUrl: set-your-canary-token-url-here
+#  timezone: "UTC"  # IANA timezone (e.g., "America/New_York", "Europe/Rome"). If not set, system timezone is used.

 networkPolicy:
  enabled: true
--- a/kubernetes/manifests/configmap.yaml
+++ b/kubernetes/manifests/configmap.yaml
@@ -15,3 +15,4 @@ data:
  PROBABILITY_ERROR_CODES: "0"
  SERVER_HEADER: "Apache/2.2.22 (Ubuntu)"
 #  CANARY_TOKEN_URL: set-your-canary-token-url-here
+#  TIMEZONE: "UTC"  # IANA timezone (e.g., "America/New_York", "Europe/Rome")
--- a/src/config.py
+++ b/src/config.py
@@ -3,6 +3,8 @@
 import os
 from dataclasses import dataclass
 from typing import Optional, Tuple
+from zoneinfo import ZoneInfo
+import time


@dataclass
@@ -22,6 +24,40 @@ class Config:
    api_server_path: str = "/api/v2/users"
    probability_error_codes: int = 0  # Percentage (0-100)
    server_header: str = "Apache/2.2.22 (Ubuntu)"
+    timezone: str = None  # IANA timezone (e.g., 'America/New_York', 'Europe/Rome')
+    
+    @staticmethod
+    # Try to fetch timezone before if not set
+    def get_system_timezone() -> str:
+        """Get the system's default timezone"""
+        try:
+            if os.path.islink('/etc/localtime'):
+                tz_path = os.readlink('/etc/localtime')
+                if 'zoneinfo/' in tz_path:
+                    return tz_path.split('zoneinfo/')[-1]
+            
+            local_tz = time.tzname[time.daylight]
+            if local_tz and local_tz != 'UTC':
+                return local_tz
+        except Exception:
+            pass
+        
+        # Default fallback to UTC
+        return 'UTC'
+    
+    def get_timezone(self) -> ZoneInfo:
+        """Get configured timezone as ZoneInfo object"""
+        if self.timezone:
+            try:
+                return ZoneInfo(self.timezone)
+            except Exception:
+                pass
+        
+        system_tz = self.get_system_timezone()
+        try:
+            return ZoneInfo(system_tz)
+        except Exception:
+            return ZoneInfo('UTC')

    @classmethod
    def from_env(cls) -> 'Config':
@@ -45,6 +81,7 @@ class Config:
            api_server_url=os.getenv('API_SERVER_URL'),
            api_server_port=int(os.getenv('API_SERVER_PORT', 8080)),
            api_server_path=os.getenv('API_SERVER_PATH', '/api/v2/users'),
-            probability_error_codes=int(os.getenv('PROBABILITY_ERROR_CODES', 5)),
-            server_header=os.getenv('SERVER_HEADER', 'Apache/2.2.22 (Ubuntu)')
+            probability_error_codes=int(os.getenv('PROBABILITY_ERROR_CODES', 0)),
+            server_header=os.getenv('SERVER_HEADER', 'Apache/2.2.22 (Ubuntu)'),
+            timezone=os.getenv('TIMEZONE')  # If not set, will use system timezone
        )
--- a/src/logger.py
+++ b/src/logger.py
@@ -8,6 +8,23 @@ Provides two loggers: app (application) and access (HTTP access logs).
 import logging
 import os
 from logging.handlers import RotatingFileHandler
+from typing import Optional
+from zoneinfo import ZoneInfo
+from datetime import datetime
+
+
+class TimezoneFormatter(logging.Formatter):
+    """Custom formatter that respects configured timezone"""
+    def __init__(self, fmt=None, datefmt=None, timezone: Optional[ZoneInfo] = None):
+        super().__init__(fmt, datefmt)
+        self.timezone = timezone or ZoneInfo('UTC')
+    
+    def formatTime(self, record, datefmt=None):
+        """Override formatTime to use configured timezone"""
+        dt = datetime.fromtimestamp(record.created, tz=self.timezone)
+        if datefmt:
+            return dt.strftime(datefmt)
+        return dt.isoformat()


 class LoggerManager:
@@ -20,23 +37,27 @@ class LoggerManager:
            cls._instance._initialized = False
        return cls._instance

-    def initialize(self, log_dir: str = "logs") -> None:
+    def initialize(self, log_dir: str = "logs", timezone: Optional[ZoneInfo] = None) -> None:
        """
        Initialize the logging system with rotating file handlers.

        Args:
            log_dir: Directory for log files (created if not exists)
+            timezone: ZoneInfo timezone for log timestamps (defaults to UTC)
        """
        if self._initialized:
            return

+        self.timezone = timezone or ZoneInfo('UTC')
+
        # Create log directory if it doesn't exist
        os.makedirs(log_dir, exist_ok=True)

        # Common format for all loggers
-        log_format = logging.Formatter(
+        log_format = TimezoneFormatter(
            "[%(asctime)s] %(levelname)s - %(message)s",
-            datefmt="%Y-%m-%d %H:%M:%S"
+            datefmt="%Y-%m-%d %H:%M:%S",
+            timezone=self.timezone
        )

        # Rotation settings: 1MB max, 5 backups
@@ -83,7 +104,7 @@ class LoggerManager:
        self._credential_logger.handlers.clear()

        # Credential logger uses a simple format: timestamp|ip|username|password|path
-        credential_format = logging.Formatter("%(message)s")
+        credential_format = TimezoneFormatter("%(message)s", timezone=self.timezone)
        
        credential_file_handler = RotatingFileHandler(
            os.path.join(log_dir, "credentials.log"),
@@ -136,6 +157,6 @@ def get_credential_logger() -> logging.Logger:
    return _logger_manager.credentials


-def initialize_logging(log_dir: str = "logs") -> None:
+def initialize_logging(log_dir: str = "logs", timezone: Optional[ZoneInfo] = None) -> None:
    """Initialize the logging system."""
-    _logger_manager.initialize(log_dir)
+    _logger_manager.initialize(log_dir, timezone)
--- a/src/server.py
+++ b/src/server.py
@@ -33,6 +33,8 @@ def print_usage():
    print('  PROBABILITY_ERROR_CODES - Probability (0-100) to return HTTP error codes (default: 0)')
    print('  CHAR_SPACE            - Characters for random links')
    print('  SERVER_HEADER         - HTTP Server header for deception (default: Apache/2.2.22 (Ubuntu))')
+    print('  TIMEZONE              - IANA timezone for logs/dashboard (e.g., America/New_York, Europe/Rome)')
+    print('                          If not set, system timezone will be used')


 def main():
@@ -41,15 +43,19 @@ def main():
        print_usage()
        exit(0)

-    # Initialize logging
-    initialize_logging()
+    config = Config.from_env()
+    
+    # Get timezone configuration
+    tz = config.get_timezone()
+    
+    # Initialize logging with timezone
+    initialize_logging(timezone=tz)
    app_logger = get_app_logger()
    access_logger = get_access_logger()
    credential_logger = get_credential_logger()

-    config = Config.from_env()
-
-    tracker = AccessTracker()
+    # Initialize tracker with timezone
+    tracker = AccessTracker(timezone=tz)

    Handler.config = config
    Handler.tracker = tracker
@@ -71,6 +77,7 @@ def main():

    try:
        app_logger.info(f'Starting deception server on port {config.port}...')
+        app_logger.info(f'Timezone configured: {tz.key}')
        app_logger.info(f'Dashboard available at: {config.dashboard_secret_path}')
        if config.canary_token_url:
            app_logger.info(f'Canary token will appear after {config.canary_token_tries} tries')
--- a/src/templates/dashboard_template.py
+++ b/src/templates/dashboard_template.py
@@ -5,6 +5,18 @@ Dashboard template for viewing honeypot statistics.
 Customize this template to change the dashboard appearance.
 """

+from datetime import datetime
+
+
+def format_timestamp(iso_timestamp: str) -> str:
+    """Format ISO timestamp for display (YYYY-MM-DD HH:MM:SS)"""
+    try:
+        dt = datetime.fromisoformat(iso_timestamp)
+        return dt.strftime("%Y-%m-%d %H:%M:%S")
+    except Exception:
+        # Fallback for old format
+        return iso_timestamp.split("T")[1][:8] if "T" in iso_timestamp else iso_timestamp
+

 def generate_dashboard(stats: dict) -> str:
    """Generate dashboard HTML with access statistics"""
@@ -29,7 +41,7 @@ def generate_dashboard(stats: dict) -> str:

    # Generate suspicious accesses rows
    suspicious_rows = '\n'.join([
-        f'<tr><td>{log["ip"]}</td><td>{log["path"]}</td><td style="word-break: break-all;">{log["user_agent"][:60]}</td><td>{log["timestamp"].split("T")[1][:8]}</td></tr>'
+        f'<tr><td>{log["ip"]}</td><td>{log["path"]}</td><td style="word-break: break-all;">{log["user_agent"][:60]}</td><td>{format_timestamp(log["timestamp"])}</td></tr>'
        for log in stats['recent_suspicious'][-10:]
    ]) or '<tr><td colspan="4" style="text-align:center;">No suspicious activity detected</td></tr>'

@@ -41,13 +53,13 @@ def generate_dashboard(stats: dict) -> str:

    # Generate attack types rows
    attack_type_rows = '\n'.join([
-        f'<tr><td>{log["ip"]}</td><td>{log["path"]}</td><td>{", ".join(log["attack_types"])}</td><td style="word-break: break-all;">{log["user_agent"][:60]}</td><td>{log["timestamp"].split("T")[1][:8]}</td></tr>'
+        f'<tr><td>{log["ip"]}</td><td>{log["path"]}</td><td>{", ".join(log["attack_types"])}</td><td style="word-break: break-all;">{log["user_agent"][:60]}</td><td>{format_timestamp(log["timestamp"])}</td></tr>'
        for log in stats.get('attack_types', [])[-10:]
    ]) or '<tr><td colspan="4" style="text-align:center;">No attacks detected</td></tr>'

    # Generate credential attempts rows
    credential_rows = '\n'.join([
-        f'<tr><td>{log["ip"]}</td><td>{log["username"]}</td><td>{log["password"]}</td><td>{log["path"]}</td><td>{log["timestamp"].split("T")[1][:8]}</td></tr>'
+        f'<tr><td>{log["ip"]}</td><td>{log["username"]}</td><td>{log["password"]}</td><td>{log["path"]}</td><td>{format_timestamp(log["timestamp"])}</td></tr>'
        for log in stats.get('credential_attempts', [])[-20:]
    ]) or '<tr><td colspan="5" style="text-align:center;">No credentials captured yet</td></tr>'

--- a/src/tracker.py
+++ b/src/tracker.py
@@ -1,20 +1,22 @@
 #!/usr/bin/env python3

-from typing import Dict, List, Tuple
+from typing import Dict, List, Tuple, Optional
 from collections import defaultdict
 from datetime import datetime
+from zoneinfo import ZoneInfo
 import re
 import urllib.parse


 class AccessTracker:
    """Track IP addresses and paths accessed"""
-    def __init__(self):
+    def __init__(self, timezone: Optional[ZoneInfo] = None):
        self.ip_counts: Dict[str, int] = defaultdict(int)
        self.path_counts: Dict[str, int] = defaultdict(int)
        self.user_agent_counts: Dict[str, int] = defaultdict(int)
        self.access_log: List[Dict] = []
        self.credential_attempts: List[Dict] = []
+        self.timezone = timezone or ZoneInfo('UTC')
        self.suspicious_patterns = [
            'bot', 'crawler', 'spider', 'scraper', 'curl', 'wget', 'python-requests',
            'scanner', 'nikto', 'sqlmap', 'nmap', 'masscan', 'nessus', 'acunetix',
@@ -81,7 +83,7 @@ class AccessTracker:
            'path': path,
            'username': username,
            'password': password,
-            'timestamp': datetime.now().isoformat()
+            'timestamp': datetime.now(self.timezone).isoformat()
        })

    def record_access(self, ip: str, path: str, user_agent: str = '', body: str = ''):
@@ -112,7 +114,7 @@ class AccessTracker:
            'suspicious': is_suspicious,
            'honeypot_triggered': self.is_honeypot_path(path),
            'attack_types':attack_findings,
-            'timestamp': datetime.now().isoformat()
+            'timestamp': datetime.now(self.timezone).isoformat()
        })

    def detect_attack_type(self, data:str) -> list[str]:
--- a/tests/test_credentials.sh
+++ b/tests/test_credentials.sh
@@ -0,0 +1,150 @@
+#!/bin/bash
+
+# This script sends various POST requests with credentials to the honeypot
+
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+# Configuration
+HOST="localhost"
+PORT="5000"
+BASE_URL="http://${HOST}:${PORT}"
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${BLUE}Krawl Credential Logging Test Script${NC}"
+echo -e "${BLUE}========================================${NC}\n"
+
+# Check if server is running
+echo -e "${YELLOW}Checking if server is running on ${BASE_URL}...${NC}"
+if ! curl -s -f "${BASE_URL}/health" > /dev/null 2>&1; then
+    echo -e "${RED}❌ Server is not running. Please start the Krawl server first.${NC}"
+    echo -e "${YELLOW}Run: python3 src/server.py${NC}"
+    exit 1
+fi
+echo -e "${GREEN}✓ Server is running${NC}\n"
+
+# Test 1: Simple login form POST
+echo -e "${YELLOW}Test 1: POST to /login with form data${NC}"
+curl -s -X POST "${BASE_URL}/login" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "username=admin&password=admin123" \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: admin / admin123${NC}\n"
+
+sleep 1
+
+# Test 2: Admin panel login
+echo -e "${YELLOW}Test 2: POST to /admin with credentials${NC}"
+curl -s -X POST "${BASE_URL}/admin" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "user=root&pass=toor&submit=Login" \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: root / toor${NC}\n"
+
+sleep 1
+
+# Test 3: WordPress login attempt
+echo -e "${YELLOW}Test 3: POST to /wp-login.php${NC}"
+curl -s -X POST "${BASE_URL}/wp-login.php" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "log=wpuser&pwd=Password1&wp-submit=Log+In" \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: wpuser / Password1${NC}\n"
+
+sleep 1
+
+# Test 4: JSON formatted credentials
+echo -e "${YELLOW}Test 4: POST to /api/login with JSON${NC}"
+curl -s -X POST "${BASE_URL}/api/login" \
+    -H "Content-Type: application/json" \
+    -d '{"username":"apiuser","password":"apipass123","remember":true}' \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: apiuser / apipass123${NC}\n"
+
+sleep 1
+
+# Test 5: SSH-style login
+echo -e "${YELLOW}Test 5: POST to /ssh with credentials${NC}"
+curl -s -X POST "${BASE_URL}/ssh" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "username=sshuser&password=P@ssw0rd!" \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: sshuser / P@ssw0rd!${NC}\n"
+
+sleep 1
+
+# Test 6: Database admin
+echo -e "${YELLOW}Test 6: POST to /phpmyadmin with credentials${NC}"
+curl -s -X POST "${BASE_URL}/phpmyadmin" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "pma_username=dbadmin&pma_password=dbpass123&server=1" \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: dbadmin / dbpass123${NC}\n"
+
+sleep 1
+
+# Test 7: Multiple fields with email
+echo -e "${YELLOW}Test 7: POST to /register with email${NC}"
+curl -s -X POST "${BASE_URL}/register" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "email=test@example.com&username=newuser&password=NewPass123&confirm_password=NewPass123" \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: newuser / NewPass123 (email: test@example.com)${NC}\n"
+
+sleep 1
+
+# Test 8: FTP credentials
+echo -e "${YELLOW}Test 8: POST to /ftp/login${NC}"
+curl -s -X POST "${BASE_URL}/ftp/login" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "ftpuser=ftpadmin&ftppass=ftp123456" \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: ftpadmin / ftp123456${NC}\n"
+
+sleep 1
+
+# Test 9: Common brute force attempt
+echo -e "${YELLOW}Test 9: Multiple attempts (simulating brute force)${NC}"
+for i in {1..3}; do
+    curl -s -X POST "${BASE_URL}/login" \
+        -H "Content-Type: application/x-www-form-urlencoded" \
+        -d "username=admin&password=pass${i}" \
+        > /dev/null
+    echo -e "${GREEN}✓ Attempt $i: admin / pass${i}${NC}"
+    sleep 0.5
+done
+echo ""
+
+sleep 1
+
+# Test 10: Special characters in credentials
+echo -e "${YELLOW}Test 10: POST with special characters${NC}"
+curl -s -X POST "${BASE_URL}/login" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    --data-urlencode "username=user@domain.com" \
+    --data-urlencode "password=P@\$\$w0rd!#%" \
+    > /dev/null
+echo -e "${GREEN}✓ Sent: user@domain.com / P@\$\$w0rd!#%${NC}\n"
+
+echo -e "${BLUE}========================================${NC}"
+echo -e "${GREEN}✓ All credential tests completed!${NC}"
+echo -e "${BLUE}========================================${NC}\n"
+
+echo -e "${YELLOW}Check the results:${NC}"
+echo -e "  1. View the log file: ${GREEN}cat src/logs/credentials.log${NC}"
+echo -e "  2. View the dashboard: ${GREEN}${BASE_URL}/dashboard${NC}"
+echo -e "  3. Check recent logs: ${GREEN}tail -20 src/logs/krawl.log${NC}\n"
+
+# Display last 10 credential entries if log file exists
+if [ -f "src/logs/credentials.log" ]; then
+    echo -e "${BLUE}========================================${NC}"
+    echo -e "${BLUE}Last 10 Captured Credentials:${NC}"
+    echo -e "${BLUE}========================================${NC}"
+    tail -10 src/logs/credentials.log
+    echo ""
+fi
+
+echo -e "${YELLOW}💡 Tip: Open ${BASE_URL}/dashboard in your browser to see the credentials in real-time!${NC}"