telekom-security/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 01:27:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add T-Pot Technical Preview

Browse Source
This commit is contained in:
Marco Ochse
2023-05-30 12:22:10 +02:00
parent 87ef005c17
commit 00d6d1b4c7
20 changed files with 3546 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
preview/docker/Dockerfile Normal file
View File

@ -0,0 +1,61 @@
FROM alpine:edge
#
# Include dist
COPY dist/ /root/dist/
#
# Get and install dependencies & packages
RUN apk --no-cache -U add \
aria2 \
apache2-utils \
bash \
bind-tools \
conntrack-tools \
curl \
ethtool \
figlet \
git \
grep \
iproute2 \
iptables \
jq \
logrotate \
lsblk \
net-tools \
openssl \
pigz \
tar \
uuidgen && \
apk --no-cache -U add --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community \
yq && \
#
# Setup user
addgroup -g 2000 tpot && \
adduser -S -s /bin/ash -u 2000 -D -g 2000 tpot && \
#
# Install tpot
git clone --depth=1 https://github.com/telekom-security/tpotce /opt/tpot && \
cd /opt/tpot && \
sed -i "s#/opt/tpot/etc/logrotate/status#/data/tpot/etc/logrotate/status#g" bin/clean.sh && \
sed -i "s#/opt/tpot/etc/compose/elk_environment#/data/tpot/etc/compose/elk_environment#g" bin/clean.sh && \
sed -i "s#/usr/sbin/iptables-legacy#/sbin/iptables-legacy#g" bin/rules.sh && \
sed -i "s/tr -d '\", '/tr -d '\", ,#,-'/g" bin/rules.sh && \
sed -i "s#/opt/tpot/etc/compose/elk_environment#/data/tpot/etc/compose/elk_environment#g" bin/updateip.sh && \
sed -i "s#.*myLOCALIP=.*#myLOCALIP=\$(/sbin/ip address show | awk '/inet .*brd/{split(\$2,a,\"/\"); print a[1]; exit}')#" bin/updateip.sh && \
sed -i "s#.*myUUID=.*#myUUID=\$(cat /data/uuid)#" bin/updateip.sh && \
sed -i "s#/etc/issue#/tmp/etc/issue#g" bin/updateip.sh && \
sed -i "/toilet/d" bin/updateip.sh && \
sed -i "/source \/etc\/environment/d" bin/updateip.sh && \
touch /opt/tpot/etc/tpot.yml && \
cp /root/dist/entrypoint.sh . && \
#
# Clean up
apk del --purge git && \
rm -rf /root/* /tmp/* && \
rm -rf /root/.cache /opt/tpot/.git && \
rm -rf /var/cache/apk/*
#
# Run tpotinit
WORKDIR /opt/tpot
HEALTHCHECK --retries=1000 --interval=5s CMD test -f /tmp/success || exit 1
STOPSIGNAL SIGKILL
CMD ["/opt/tpot/entrypoint.sh"]

168
preview/docker/dist/entrypoint.sh vendored Executable file
View File

@ -0,0 +1,168 @@
#!/bin/bash
VERSION="T-Pot $(cat /opt/tpot/version)"
COMPOSE="/tmp/tpot/docker-compose.yml"
# Check for compatible OSType
echo
echo "# Checking if OSType is compatible."
echo
myOSTYPE=$(uname -a | grep -Eo "linuxkit")
if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
then
echo "# Docker Desktop for macOS or Windows detected."
echo "# 1. You need to adjust the OSType in the hidden \".env\" file."
echo "# 2. You need to use the macos or win docker compose file."
echo
echo "# Aborting."
echo
exit 1
fi
# Data folder management
if [ -f "/data/uuid" ];
then
figlet "Initializing ..."
figlet "${VERSION}"
echo
echo "# Data folder is present, just cleaning up, please be patient ..."
echo
/opt/tpot/bin/clean.sh on
echo
else
figlet "Setting up ..."
figlet "${VERSION}"
echo
echo "# Checking for default user."
if [ "${WEB_USER}" == "changeme" ] || [ "${WEB_PW}" == "changeme" ];
then
echo "# Please change WEB_USER and WEB_PW in the hidden \".env\" file."
echo "# Aborting."
echo
exit 1
fi
echo
echo "# Setting up data folder structure ..."
echo
mkdir -vp /data/ews/conf \
/data/nginx/{cert,conf,log} \
/data/tpot/etc/compose/ \
/data/tpot/etc/logrotate/ \
/tmp/etc/
echo
echo "# Generating self signed certificate ..."
echo
myINTIP=$(/sbin/ip address show | awk '/inet .*brd/{split($2,a,"/"); print a[1]; exit}')
openssl req \
-nodes \
-x509 \
-sha512 \
-newkey rsa:8192 \
-keyout "/data/nginx/cert/nginx.key" \
-out "/data/nginx/cert/nginx.crt" \
-days 3650 \
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' \
-addext "subjectAltName = IP:${myINTIP}"
echo
echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..."
echo
htpasswd -b -c /data/nginx/conf/nginxpasswd "${WEB_USER}" "${WEB_PW}"
echo
echo "# Extracting objects, final touches and permissions ..."
echo
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C /
/opt/tpot/bin/clean.sh off
uuidgen > /data/uuid
fi
# Check if TPOT_BLACKHOLE is enabled
if [ "${myOSTYPE}" == "linuxkit" ];
then
echo
echo "# Docker Desktop for macOS or Windows detected, Blackhole feature is not supported."
echo
else
if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ ! -f "/etc/blackhole/mass_scanner.txt" ];
then
echo "# Adding Blackhole routes."
/opt/tpot/bin/blackhole.sh add
echo
fi
if [ "${TPOT_BLACKHOLE}" == "DISABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
then
echo "# Removing Blackhole routes."
/opt/tpot/bin/blackhole.sh del
echo
else
echo "# Blackhole is not active."
fi
fi
# Get IP
echo
echo "# Updating IP Info ..."
echo
/opt/tpot/bin/updateip.sh
# Update permissions
echo
echo "# Updating permissions ..."
echo
chown -R tpot:tpot /data
chmod -R 777 /data
#chmod 644 -R /data/nginx/conf
#chmod 644 -R /data/nginx/cert
# Update interface settings (p0f and Suricata) and setup iptables to support NFQ based honeypots (glutton, honeytrap)
### This is currently not supported on Docker for Desktop, only on Docker Engine for Linux
if [ "${myOSTYPE}" != "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
then
echo
echo "# Get IF, disable offloading, enable promiscious mode for p0f and suricata ..."
echo
ethtool --offload $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) rx off tx off
ethtool -K $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) gso off gro off
ip link set $(/sbin/ip address | grep "^2: " | awk '{ print $2 }' | tr -d [:punct:]) promisc on
echo
echo "# Adding firewall rules ..."
echo
/opt/tpot/bin/rules.sh ${COMPOSE} set
fi
# Display open ports
if [ "${myOSTYPE}" != "linuxkit" ];
then
echo
echo "# This is a list of open ports on the host (netstat -tulpen)."
echo "# Make sure there are no conflicting ports by checking the docker compose file."
echo "# Conflicting ports will prevent the startup of T-Pot."
echo
netstat -tulpen | grep -Eo ':([0-9]+)' | cut -d ":" -f 2 | uniq
echo
else
echo
echo "# Docker Desktop for macOS or Windows detected, cannot show open ports on the host."
echo
fi
# Done
echo
figlet "Starting ..."
figlet "${VERSION}"
echo
touch /tmp/success
# We want to see true source for UDP packets in container (https://github.com/moby/libnetwork/issues/1994)
if [ "${myOSTYPE}" != "linuxkit" ];
then
sleep 60
/usr/sbin/conntrack -D -p udp
else
echo
echo "# Docker Desktop for macOS or Windows detected, Conntrack feature is not supported."
echo
fi
# Keep the container running ...
sleep infinity

15
preview/docker/docker-compose.yml Normal file
View File

@ -0,0 +1,15 @@
version: '3.9'
services:
# T-Pot Init Service
tpotinit:
build: .
container_name: tpotinit
restart: "no"
image: "dtagdevsec/tpotinit:2204"
# volumes:
# - /var/run/docker.sock:/var/run/docker.sock:ro
network_mode: "host"
cap_add:
- NET_ADMIN

35
preview/docker/macvlan/docker-compose.yml Normal file
View File

@ -0,0 +1,35 @@
### This is an example on how to use macvlan driver
### which results in bridging the container fully
### to your network.
version: '3.9'
services:
nginx:
container_name: nginx
restart: always
image: nginx
networks:
mynet:
### unassigned ip from your local network
ipv4_address: 1.2.3.10
nginx2:
container_name: nginx2
restart: always
image: nginx
networks:
mynet:
### unassigned ip from your local network
ipv4_address: 1.2.3.11
networks:
mynet:
driver: macvlan
driver_opts:
parent: eth0
ipam:
config:
### your local network with netmask and gateway
- subnet: 1.2.3.0/24
gateway: 1.2.3.1