Merge pull request #5 from Whispergate/dev

V0.3.1 - IAC, Opsec, and Phishing Updates

Author: Lavender-dll

.env.example

@@ -72,9 +72,22 @@ INFRAGUARD_DB_PATH=/app/data/infraguard.db
 # Examples: "status", "api/ping", ".well-known/health", "favicon.ico"
 INFRAGUARD_HEALTH_PATH=health
 
+# ── Decoy Pages ───────────────────────────────────────────────────────
+# Directory containing SPA folders for the "decoy" drop action.
+# Each subfolder is a complete site (index.html + assets).
+# Docker: /app/pages  |  Local: pages
+IG_DECOY_PAGES_DIR=/app/pages
+# Which site folder to serve (e.g., "InfraGuardBlog", "TestBlog")
+IG_DECOY_SITE=
+
 # ── Rules / Blocklists ────────────────────────────────────────────────
-# Path to ingested IP blocklist file. Generate with:
-#   infraguard ingest rules/.htaccess --format blocklist -o rules/banned_ips.txt
+# Directory containing .htaccess and robots.txt rule files.
+# Any files found here are automatically ingested on proxy startup.
+# Docker: /app/rules  |  Local: rules
+INFRAGUARD_RULES_DIR=/app/rules
+
+# Path to ingested IP blocklist file (legacy - rules_dir is preferred).
+# Generate manually with: infraguard ingest rules/.htaccess --format blocklist -o rules/banned_ips.txt
 # Docker: /app/rules/banned_ips.txt  |  Local: rules/banned_ips.txt
 INFRAGUARD_BANNED_IP_FILE=/app/rules/banned_ips.txt
 

.gitignore

@@ -223,3 +223,6 @@ __marimo__/
 # Vendor source (cloned at build time, not tracked)
 vendor/pwndrop/pwndrop/
 images/.$InfraGuard Infrastructure Diagram.drawio.bkp
+.planning/*
+.claude
+.infraguard-deploy

Dockerfile

@@ -10,6 +10,7 @@ WORKDIR /app
 COPY pyproject.toml README.md ./
 COPY infraguard/ infraguard/
 COPY examples/ examples/
+COPY pages/ pages/
 
 RUN pip install --no-cache-dir ".[all]"
 

config/config.yaml

@@ -20,17 +20,17 @@ domains:
   # Fronts a CS teamserver behind a jQuery CDN lookalike.
   # Requests that don't match the malleable profile are redirected
   # to the real jQuery site so the redirector looks legitimate.
-  cdn.example.com:
-    upstream: "${INFRAGUARD_CS_UPSTREAM}"
-    profile_path: "examples/jquery-c2.3.14.profile"
-    profile_type: "cobalt_strike"
-    whitelist_cidrs:
-      - "192.168.1.0/24"       # operator subnet
-      - "10.0.0.0/8"           # internal range
-    decoy_dir: null             # or path to static site served to blocked visitors
-    drop_action:
-      type: "redirect"
-      target: "https://jquery.com"
+  # cdn.example.com:
+  #   upstream: "${INFRAGUARD_CS_UPSTREAM}"
+  #   profile_path: "examples/jquery-c2.3.14.profile"
+  #   profile_type: "cobalt_strike"
+  #   whitelist_cidrs:
+  #     - "192.168.1.0/24"       # operator subnet
+  #     - "10.0.0.0/8"           # internal range
+  #   decoy_dir: null             # or path to static site served to blocked visitors
+  #   drop_action:
+  #     type: "redirect"
+  #     target: "https://jquery.com"
 
     # ── Content delivery routes (optional) ──────────────────────────
     # Evaluated BEFORE the C2 profile filter. Serve payloads, decoys,
@@ -56,14 +56,14 @@ domains:
   # Fronts a Mythic teamserver behind a generic CDN static-assets page.
   # Uses the Mythic HTTPX JSON profile format. Non-matching requests
   # get proxied to a real site so the redirector returns valid HTML.
-  static.example.net:
+  ${INFRAGUARD_DOMAIN}:
     upstream: "${INFRAGUARD_MYTHIC_UPSTREAM}"
-    profile_path: "examples/mythic-httpx.json"
+    profile_path: "examples/jquery-c2.3.14.profile.json"
     profile_type: "mythic"
-    whitelist_cidrs: []         # empty = all IPs are allowed (no whitelist)
+    whitelist_cidrs: []      # empty = all IPs are allowed (no whitelist)
     drop_action:
-      type: "proxy"            # serve real content from the target site
-      target: "https://example.net"
+      type: "decoy"
+      target: "${IG_DECOY_SITE}"
     content_routes:
       - path: "/downloads/*"
         backend:
@@ -88,6 +88,7 @@ intel:
   geoip_asn_db: "${INFRAGUARD_GEOIP_ASN_DB}"
   geoip_country_db: "${INFRAGUARD_GEOIP_COUNTRY_DB}"
   banned_ip_file: "${INFRAGUARD_BANNED_IP_FILE}"
+  rules_dir: "${INFRAGUARD_RULES_DIR}"    # auto-ingest .htaccess / robots.txt on startup
   feeds:
     enabled: true
 
@@ -104,6 +105,9 @@ api:
   auth_token: "${INFRAGUARD_API_TOKEN}"
   health_path: "/${INFRAGUARD_HEALTH_PATH}"
 
+decoy_pages_dir: "${IG_DECOY_PAGES_DIR}"  # base directory for decoy SPA sites
+
 logging:
   level: "${INFRAGUARD_LOG_LEVEL}"
   format: "json"
+

config/test-config-full.yaml

@@ -75,11 +75,19 @@ listeners:
 # teamserver, IP whitelist, drop action, and content delivery routes.
 #
 # Supported profile types:
-#   cobalt_strike  - .profile files (Malleable C2 DSL)
-#   mythic         - .json files (Mythic HTTPX profile format)
-#   brute_ratel    - .json files (BRC4 server config with listeners)
-#   sliver         - .json files (Sliver HTTP C2 profile with URI generation)
-#   havoc          - .toml files (Havoc/Kaine profile with URI alternation patterns)
+#
+#   C2 frameworks (require profile_path):
+#     cobalt_strike  - .profile files (Malleable C2 DSL)
+#     mythic         - .json files (Mythic HTTPX profile format)
+#     brute_ratel    - .json files (BRC4 server config with listeners)
+#     sliver         - .json files (Sliver HTTP C2 profile with URI generation)
+#     havoc          - .toml files (Havoc/Kaine profile with URI alternation patterns)
+#
+#   Phishing frameworks (no profile_path needed):
+#     gophish        - GoPhish landing pages, tracking, and report endpoints
+#     evilginx       - Evilginx reverse proxy phishlets (proxies all paths)
+#     cuddlephish    - CuddlePhish OAuth/device-code phishing flows
+#     passthrough    - Generic proxy mode - all paths forwarded, no profile matching
 
 domains:
 
@@ -172,6 +180,79 @@ domains:
   #     type: "proxy"
   #     target: "https://portal.azure.com"
 
+  # ── GoPhish domain ─────────────────────────────────────────────────
+  # Fronts a GoPhish instance. No C2 profile needed - path-based
+  # filtering allows tracking pixels (/track/*), report endpoint
+  # (/report), static assets (/static/*), and landing pages.
+  # IP/bot/geo filters still run to block scanners.
+  #
+  # Use allowed_paths to override the built-in GoPhish patterns:
+  # phish.example.com:
+  #   upstream: "https://10.0.0.10:3333"
+  #   profile_type: "gophish"
+  #   # allowed_paths:                       # optional - overrides built-in patterns
+  #   #   - "/custom-landing"                # exact path
+  #   #   - "/campaigns/*"                   # prefix glob
+  #   #   - "~^/t/[a-f0-9]+"                # regex (prefix with ~)
+  #   drop_action:
+  #     type: "redirect"
+  #     target: "https://example.com"
+
+  # ── Evilginx domain ────────────────────────────────────────────────
+  # Fronts an Evilginx reverse proxy. Two modes:
+  #
+  # 1. With phishlet file (recommended): InfraGuard parses the phishlet
+  #    to extract login paths and auth_urls for filtering.
+  #    Set profile_path to the phishlet YAML file.
+  #
+  # 2. Without phishlet: all paths are forwarded (Evilginx default).
+  #    Use allowed_paths to restrict if needed.
+  #
+  # IP/bot/geo filters protect against scanners discovering the phishlet.
+  # login.example.com:
+  #   upstream: "https://10.0.0.11:443"
+  #   profile_type: "evilginx"
+  #   profile_path: "examples/wordpress-phishlet.yaml"  # optional phishlet file
+  #   # allowed_paths:                       # optional - replaces defaults
+  #   #   - "/wp-login.php"
+  #   #   - "/wp-admin/*"
+  #   drop_action:
+  #     type: "proxy"
+  #     target: "https://login.microsoftonline.com"
+
+  # ── CuddlePhish domain ─────────────────────────────────────────────
+  # Fronts a CuddlePhish OAuth/device-code phishing server. All paths
+  # forwarded - CuddlePhish handles OAuth flow routing internally.
+  # Use allowed_paths to restrict to specific OAuth endpoints.
+  # auth.example.com:
+  #   upstream: "https://10.0.0.12:8443"
+  #   profile_type: "cuddlephish"
+  #   # allowed_paths:
+  #   #   - "/devicelogin"
+  #   #   - "/common/oauth2/*"
+  #   #   - "/common/login"
+  #   drop_action:
+  #     type: "redirect"
+  #     target: "https://login.microsoftonline.com"
+
+  # ── Generic passthrough domain ──────────────────────────────────────
+  # Pure reverse proxy with IP/bot/geo filtering. All requests that
+  # pass the filter pipeline are forwarded to upstream. No profile
+  # matching at all. Use for custom phishing frameworks, payload
+  # delivery servers, or any HTTP service that needs scanner protection.
+  #
+  # If allowed_paths is set, only those paths are proxied (converts
+  # passthrough into path-filtered mode).
+  # proxy.example.com:
+  #   upstream: "https://10.0.0.13:8080"
+  #   profile_type: "passthrough"
+  #   # allowed_paths:                       # optional - restricts passthrough
+  #   #   - "/api/*"
+  #   #   - "/webhook"
+  #   drop_action:
+  #     type: "reset"
+  #     target: ""
+
 # ── IP Intelligence ───────────────────────────────────────────────────
 
 intel:
@@ -181,16 +262,20 @@ intel:
   geoip_country_db: "${INFRAGUARD_GEOIP_COUNTRY_DB}"  # GeoLite2-Country.mmdb
 
   blocked_countries: []                  # e.g. ["CN", "RU", "KP", "IR"]
-  allowed_countries: []                  # e.g. ["US", "GB", "DE"] — if set, ONLY these pass
+  allowed_countries: []                  # e.g. ["US", "GB", "DE"] - if set, ONLY these pass
   blocked_asns: []                       # e.g. [14061, 16276] for DigitalOcean, OVH
-  allowed_asns: []                       # e.g. [15169, 13335] for Google, Cloudflare — if set, ONLY these pass
+  allowed_asns: []                       # e.g. [15169, 13335] for Google, Cloudflare - if set, ONLY these pass
   auto_block_scanners: true              # block Shodan, Censys, Rapid7, etc.
   dynamic_whitelist_threshold: 3         # auto-whitelist after N valid C2 requests
 
   # Ingested blocklist from rules/ directory
   # Generate with: infraguard ingest rules/.htaccess --format blocklist -o rules/banned_ips.txt
   banned_ip_file: "${INFRAGUARD_BANNED_IP_FILE}"
 
+  # Auto-ingest .htaccess and robots.txt from this directory on startup.
+  # Drop rule files into the rules/ directory and they'll be loaded automatically.
+  rules_dir: "${INFRAGUARD_RULES_DIR}"
+
   # Threat intel feed auto-update
   feeds:
     enabled: true

docker-compose.yml

@@ -12,6 +12,7 @@ services:
       - ./config:/app/config:ro
       - ./examples:/app/examples:ro
       - ./rules:/app/rules:ro
+      - ./pages:/app/pages:ro
       - ./data:/app/data
       - certs:/app/certs:ro
       - geoip:/app/geoip:ro
@@ -60,6 +61,7 @@ services:
   #   /etc/letsencrypt/live/${INFRAGUARD_DOMAIN}/privkey.pem
   #
   # After first run, restart the proxy to pick up the new certs.
+  # docker compose --profile letsencrypt up certbot
   certbot:
     image: certbot/certbot:latest
     container_name: infraguard-certbot
@@ -69,19 +71,19 @@ services:
       - certs:/etc/letsencrypt
       - certbot-www:/var/www/certbot
     entrypoint: /bin/sh
-    command: >
-      -c '
-        if [ "${INFRAGUARD_LETSENCRYPT}" = "true" ]; then
-          certbot certonly --standalone
-            --non-interactive --agree-tos
-            --email ${INFRAGUARD_DOMAIN_EMAIL}
-            -d ${INFRAGUARD_DOMAIN}
-            --preferred-challenges http
-          && echo "Certificate obtained for ${INFRAGUARD_DOMAIN}"
+    command:
+      - -c
+      - |
+        if [ "$${INFRAGUARD_LETSENCRYPT}" = "true" ]; then
+          certbot certonly --standalone \
+            --non-interactive --agree-tos \
+            --email $${INFRAGUARD_DOMAIN_EMAIL} \
+            -d $${INFRAGUARD_DOMAIN} \
+            --preferred-challenges http \
+          && echo "Certificate obtained for $${INFRAGUARD_DOMAIN}"
         else
-          echo "Let'\''s Encrypt disabled (INFRAGUARD_LETSENCRYPT != true)"
+          echo "Let's Encrypt disabled (INFRAGUARD_LETSENCRYPT != true)"
         fi
-      '
     ports:
       - "80:80"
     networks:

infraguard/config/defaults.py

@@ -1,7 +1,13 @@
 """Default configuration values for InfraGuard."""
 
+import os
+from pathlib import Path
+
+_CONFIG_DIR = Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config")) / "infraguard"
+_CONFIG_DIR.mkdir(parents=True, exist_ok=True)
+
 DEFAULT_BLOCK_SCORE_THRESHOLD = 0.7
-DEFAULT_DB_PATH = "infraguard.db"
+DEFAULT_DB_PATH = str(_CONFIG_DIR / "infraguard.db")
 DEFAULT_RETENTION_DAYS = 30
 DEFAULT_API_BIND = "127.0.0.1"
 DEFAULT_API_PORT = 8080