Updated README and support for binding to all interfaces

8e2d9a86 · Jose Carlos Luna Duran · 0e160dc2 · 8e2d9a86 · 8e2d9a86 · 8e2d9a86
Commit 8e2d9a86 authored 10 months ago by Jose Carlos Luna Duran
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ Gocanary implements a DNS, HTTPS and HTTP honeytoken interaction traps.

 The tokens are defined in a file, by default `canary.yaml`

-The yaml is pretty simple and containts a sequence of canaries with the current example structure:
+The yaml is pretty simple and containts a sequence of canaries, example:

 ```
 - key: 'mycanary1'
@@ -28,13 +28,13 @@ The yaml is pretty simple and containts a sequence of canaries with the current
  level: 'low'
 ```

-`key` should be unique and will be part of the canary that will be exposed to the potential attackers.
+`key` should be unique and will be token canary that needs to be exposed to the potential attackers.

 `tag` and `level` are metadata that are included in all the alerts.

-`type` limits the interactions triggering alert for that token.
+`type` limits the types of alerts generated for that token.

-The alert specifies the different alert sinks. Gocanary implements three sinks:
+The alert can have different sinks. Gocanary implements three sinks:

 - slack: uses a webhook to send the alert using the slack/mattermost format
 - log: prints to stdout or logfile
@@ -43,8 +43,8 @@ The alert specifies the different alert sinks. Gocanary implements three sinks:
 The alert content depends on the interaction trigger and contains both information of the token and the triggering source and system. 

 Eg:
+`{"time":"2024-05-16T10:49:16.374474022+02:00","level":"INFO","msg":"token-alert","Key":"mycanary1","Tag":"gitlab-canary","Level":"low","FullUrl":"http://myhost/test%20this/mycanary1/","UserAgent":"curl/7.81.0","RemoteIP":"127.0.0.1","RemotePort":49664,"LocalIP":"127.0.0.1","LocalPort":80,"Referer":"","Type":"token-http"}`

- `2024/04/30 18:31:14 TOKEN_LOG: Key:"mycanary1" Tag:"gitlab-canary" Level:"low" chan:"HTTP" SourceIP:"127.0.0.1" SourcePort:"37440" UserAgent:"curl/7.81.0" URL:"http://mycanary1.subdomain.domain/hostprefix/"`

 ## DNS

@@ -52,6 +52,8 @@ The trap will be triggered when a domain that matches a honeytoken is resolved (

 Eg: someone resolves `mycanary1.domain` and this query reaches our gocanary resolver through NS delegation, i.e. domain is in reality subdomain.domain  and domain nameservers delegate resolution of subdomain to our host

+Beware that the remote ip will be typically the resolver that the client is using and not the IP of the potential attacker.
+
 ## HTTP and HTTPS

 The trap will be triggered when a URL that has either a token is defined that matches the last path component or the first component of the hostname.
@@ -60,9 +62,9 @@ Eg: A request is made to `http://mycanary1.myhost.domain/whatever`    or  a requ

 ## Running

-Gocanary is a single binary that accepts command line options. Gocanary also reads a config file (default `config.yaml`) where the same parameters that can be passed as arguments might be predefined.
+Gocanary is a single binary that accepts command line options. Gocanary also reads a config file (default `config.yaml`) where the same parameters that can be passed as arguments might alternatively be defined.
 It is intended to be run as `root` (to be able to bind to default DNS and WEB ports) and will drop privileges to `nobody` and sandbox file access using landlock (https://docs.kernel.org/userspace-api/landlock.html)
-Alternatively can be run as nonroot and changing the different ports, and then using iptables/nftables to redirect traffic to it.
+It would be possible to run as nonroot and changing the different ports, and then using iptables/nftables to redirect traffic to it.

 All configuration options can be defined in config.yaml. Example:

@@ -109,7 +111,7 @@ Flags:

 The easiest way to run this is with docker compose.

-The leanest way is to download the gocanary artifact and then use the `docker-compose-inline.yml`
+The leanest way is to download the gocanary from the releases page and then use the `docker-compose-inline.yml`
 The most compatible way to run is using the `docker-compose-with-build.yml`, which will compile and run the project.

-In all cases the compose file will need to be edited to at least bind only the public IPs and also to specify certificate options when using https support.
+Except for the docker-compose-inline the compose file will need to be edited to at least bind only the public IPs and also to specify certificate options when using https support.
--- a/configtools.go
+++ b/configtools.go
@@ -63,7 +63,7 @@ func getHTTPConfig() chttp.HTTPServerConfig {

 // Initialize all flags
 func init() {
-	gocanaryCmd.PersistentFlags().StringVarP(&bindAddr, "bind-address", "b", "", "Ip address to bind servers to")
+	gocanaryCmd.PersistentFlags().StringVarP(&bindAddr, "bind-address", "b", "", "Ip address to bind servers to, use * for all interfaces")
 	gocanaryCmd.PersistentFlags().StringVarP(&slackHook, "slack-hook", "s", "", "Webhook for alerts")
 	gocanaryCmd.PersistentFlags().Uint16Var(&slackSilence, "slack-silence", 1, "Wait this many seconds between each slack alert")
 	gocanaryCmd.PersistentFlags().StringVarP(&canaryPath, "canary-file", "c", "canary.yaml", "File where canaries are defined")
@@ -126,7 +126,7 @@ func bindFlags(cmd *cobra.Command) {
 			val := viper.Get(configName)
 			valType := reflect.TypeOf(val).String()
 			//support string arrays
-			if (valType == "[]interface {}") {
+			if valType == "[]interface {}" {
 				valArray := val.([]interface{})
 				for _, v := range valArray {
 					cmd.Flags().Set(f.Name, fmt.Sprintf("%v", v))

--- a/server/utils.go
+++ b/server/utils.go
@@ -24,6 +24,9 @@ func getOutboundIPv4() net.IP {
 // Returns a bind string based on the public IP and the port given as a parameter
 func GetBindAddr(bindAddr string, port uint16) string {
 	if bindAddr != "" {
+		if bindAddr == "*" {
+			bindAddr = ""
+		}
 		return fmt.Sprintf("%s:%d", bindAddr, port)
 	}
 	LocalIP := getOutboundIPv4()