tweak installer

t3chn0m4g3
2019-02-13 13:33:53 +01:00
parent 08d6d443af
commit 097e1d4684
2 changed files with 856 additions and 60 deletions


@ -185,6 +185,10 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
fi
}
#!/bin/bash
function fuBANNER {
toilet -f smmono12 -o -F metal "$1" | pv -qL 4000
}
# Prepare running the installer
echo "$myINFO" | head -n 3
@ -422,30 +426,35 @@ if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW" 2>&1 | dialog --keep-window --title "[ Setting up user and password ]" $myPROGRESSBOXCONF;
fi
dialog --clear
########################
# Installation section #
########################
fuBANNER "Installing"
# Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway)
if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
then
mkdir -p /data/nginx/cert 2>&1 | dialog --keep-window --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
openssl req \
-nodes \
-x509 \
-sha512 \
-newkey rsa:8192 \
-keyout "/data/nginx/cert/nginx.key" \
-out "/data/nginx/cert/nginx.crt" \
-days 3650 \
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --keep-window --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
fuBANNER "NGINX Certificate"
mkdir -p /data/nginx/cert
openssl req \
-nodes \
-x509 \
-sha512 \
-newkey rsa:8192 \
-keyout "/data/nginx/cert/nginx.key" \
-out "/data/nginx/cert/nginx.crt" \
-days 3650 \
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd'
fi
# Let's setup the ntp server
if [ "$myCONF_NTP_USE" == "0" ];
then
cp $myCONF_NTP_CONF_FILE /etc/ntp.conf 2>&1 | dialog --keep-window --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF
fuBANNER "Setup NTP"
cp $myCONF_NTP_CONF_FILE /etc/ntp.conf
fi
# Let's setup 802.1x networking
@ -493,12 +502,13 @@ network={
"
if [ "myCONF_PFX_USE" == "0" ];
then
cp $myCONF_PFX_FILE /etc/wpa_supplicant/ 2>&1 | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
echo "$myNETWORK_INTERFACES" 2>&1 | tee -a /etc/network/interfaces | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
fuBANNER "Setup 802.1x"
cp $myCONF_PFX_FILE /etc/wpa_supplicant/
echo "$myNETWORK_INTERFACES" 2>&1 | tee -a /etc/network/interfaces
echo "$myNETWORK_WIRED8021x" 2>&1 | tee /etc/wpa_supplicant/wired8021x.conf | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
echo "$myNETWORK_WIRED8021x" 2>&1 | tee /etc/wpa_supplicant/wired8021x.conf
echo "$myNETWORK_WLAN8021x" 2>&1 | tee /etc/wpa_supplicant/wireless8021x.conf | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
echo "$myNETWORK_WLAN8021x" 2>&1 | tee /etc/wpa_supplicant/wireless8021x.conf
fi
# Let's provide a wireless example config ...
@ -530,38 +540,42 @@ myNETWORK_WLANEXAMPLE="
# wpa-key-mgmt WPA-PSK
# wpa-psk \"<your_password_here_without_brackets>\"
"
echo "$myNETWORK_WLANEXAMPLE" 2>&1 | tee -a /etc/network/interfaces | dialog --keep-window --title "[ Provide WLAN example config ]" $myPROGRESSBOXCONF
# Let's modify the sources list
sed -i '/cdrom/d' /etc/apt/sources.list
fuBANNER "Example config"
echo "$myNETWORK_WLANEXAMPLE" 2>&1 | tee -a /etc/network/interfaces
# Let's make sure SSH roaming is turned off (CVE-2016-0777, CVE-2016-0778)
echo "UseRoaming no" 2>&1 | tee -a /etc/ssh/ssh_config | dialog --keep-window --title "[ Turn SSH roaming off ]" $myPROGRESSBOXCONF
fuBANNER "SSH roaming off"
echo "UseRoaming no" 2>&1 | tee -a /etc/ssh/ssh_config
# Installing ctop, elasticdump, tpot, yq
npm install https://github.com/taskrabbit/elasticsearch-dump -g 2>&1 | dialog --keep-window --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
pip install --upgrade pip 2>&1 | dialog --keep-window --title "[ Installing pip ]" $myPROGRESSBOXCONF
hash -r 2>&1 | dialog --keep-window --title "[ Installing pip ]" $myPROGRESSBOXCONF
pip install elasticsearch-curator yq 2>&1 | dialog --keep-window --title "[ Installing elasticsearch-curator, yq ]" $myPROGRESSBOXCONF
wget https://github.com/bcicen/ctop/releases/download/v0.7.2/ctop-0.7.2-linux-amd64 -O /usr/bin/ctop 2>&1 | dialog --keep-window --title "[ Installing ctop ]" $myPROGRESSBOXCONF
chmod +x /usr/bin/ctop 2>&1 | dialog --keep-window --title "[ Installing ctop ]" $myPROGRESSBOXCONF
git clone https://github.com/dtag-dev-sec/tpotce -b debian /opt/tpot 2>&1 | dialog --keep-window --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF
fuBANNER "Installing packages"
npm install https://github.com/taskrabbit/elasticsearch-dump -g
pip install --upgrade pip
hash -r
pip install elasticsearch-curator yq
# Cloning T-Pot from GitHub
fuBANNER "Cloning T-Pot"
git clone https://github.com/dtag-dev-sec/tpotce -b debian /opt/tpot
# Let's create the T-Pot user
addgroup --gid 2000 tpot 2>&1 | dialog --keep-window --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF
adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --keep-window --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF
fuBANNER "Create user"
addgroup --gid 2000 tpot
adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot
# Let's set the hostname
a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt)
n=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/n.txt)
myHOST=$a$n
hostnamectl set-hostname $myHOST 2>&1 | dialog --keep-window --title "[ Setting new hostname ]" $myPROGRESSBOXCONF
sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --keep-window --title "[ Setting new hostname ]" $myPROGRESSBOXCONF
fuBANNER "Set hostname"
hostnamectl set-hostname $myHOST
sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts
# Let's patch cockpit.socket, sshd_config
sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket 2>&1 | dialog --keep-window --title "[ Cockpit listen on tcp/64294 ]" $myPROGRESSBOXCONF
sed -i '/^port/Id' /etc/ssh/sshd_config 2>&1 | dialog --keep-window --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF
echo "Port 64295" >> /etc/ssh/sshd_config 2>&1 | dialog --keep-window --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF
fuBANNER "Adjust tcp ports"
sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket
sed -i '/^port/Id' /etc/ssh/sshd_config
echo "Port 64295" >> /etc/ssh/sshd_config
# Let's make sure only myCONF_TPOT_FLAVOR images will be downloaded and started
case $myCONF_TPOT_FLAVOR in
@ -599,14 +613,16 @@ for name in $(cat $myTPOTCOMPOSE | grep -v '#' | grep image | cut -d'"' -f2 | un
done
wait
}
fuPULLIMAGES 2>&1 | dialog --keep-window --title "[ Pulling docker images, please be patient ]" $myPROGRESSBOXCONF
fuBANNER "Pull images"
fuPULLIMAGES
# Let's add the daily update check with a weekly clean interval
myUPDATECHECK="APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Download-Upgradeable-Packages \"0\";
APT::Periodic::AutocleanInterval \"7\";
"
echo "$myUPDATECHECK" 2>&1 | tee /etc/apt/apt.conf.d/10periodic | dialog --keep-window --title "[ Modifying update checks ]" $myPROGRESSBOXCONF
fuBANNER "Modify update checks"
echo "$myUPDATECHECK" | tee /etc/apt/apt.conf.d/10periodic
# Let's make sure to reboot the system after a kernel panic
mySYSCTLCONF="
@ -619,7 +635,8 @@ net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
"
echo "$mySYSCTLCONF" 2>&1 | tee -a /etc/sysctl.conf | dialog --keep-window --title "[ Tweak Sysctl ]" $myPROGRESSBOXCONF
fuBANNER "Tweak systctl"
echo "$mySYSCTLCONF" | tee -a /etc/sysctl.conf
# Let's setup fail2ban config
myFAIL2BANCONF="[DEFAULT]
@ -646,14 +663,16 @@ port = 64295
filter = sshd
logpath = /var/log/auth.log
"
echo "$myFAIL2BANCONF" 2>&1 | tee /etc/fail2ban/jail.d/tpot.conf | dialog --keep-window --title "[ Setup fail2ban config ]" $myPROGRESSBOXCONF
fuBANNER "Setup fail2ban"
echo "$myFAIL2BANCONF" | tee /etc/fail2ban/jail.d/tpot.conf
# Fix systemd error https://github.com/systemd/systemd/issues/3374
mySYSTEMDFIX="[Link]
NamePolicy=kernel database onboard slot path
MACAddressPolicy=none
"
echo "$mySYSTEMDFIX" 2>&1 | tee /etc/systemd/network/99-default.link | dialog --keep-window --title "[ systemd fix ]" $myPROGRESSBOXCONF
fuBANNER "Systemd fix"
echo "$mySYSTEMDFIX" | tee /etc/systemd/network/99-default.link
# Let's add some cronjobs
myCRONJOBS="
@ -672,9 +691,11 @@ myCRONJOBS="
# Check for updated packages every sunday, upgrade and reboot
27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot
"
echo "$myCRONJOBS" 2>&1 | tee -a /etc/crontab | dialog --keep-window --title "[ Adding cronjobs ]" $myPROGRESSBOXCONF
fuBANNNER "Add cronjobs"
echo "$myCRONJOBS" | tee -a /etc/crontab
# Let's create some files and folders
fuBANNER "Create files & folders"
mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
/data/ciscoasa/log \
/data/conpot/log \
@ -695,33 +716,39 @@ mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
/data/spiderfoot \
/data/suricata/log /home/tsec/.ssh/ \
/data/tanner/log /data/tanner/files \
/data/p0f/log 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF
touch /data/spiderfoot/spiderfoot.db 2>&1 | dialog --keep-window --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF
touch /data/nginx/log/error.log 2>&1 | dialog --keep-window --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF
/data/p0f/log
touch /data/spiderfoot/spiderfoot.db
touch /data/nginx/log/error.log
# Let's copy some files
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --keep-window --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF
cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --keep-window --title "[ Copy configs ]" $myPROGRESSBOXCONF
systemctl enable tpot 2>&1 | dialog --keep-window --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF
fuBANNER "Copy configs"
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C /
cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/
systemctl enable tpot
# Let's take care of some files and permissions
chmod 760 -R /data 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
chown tpot:tpot -R /data 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
chmod 644 -R /data/nginx/conf 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
chmod 644 -R /data/nginx/cert 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
fuBANNER "Set permissions"
chmod 760 -R /data
chown tpot:tpot -R /data
chmod 644 -R /data/nginx/conf
chmod 644 -R /data/nginx/cert
# Let's replace "quiet splash" options, set a console font for more screen canvas and update grub
sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet"#GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"#' /etc/default/grub 2>&1>/dev/null
sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub 2>&1>/dev/null
update-grub 2>&1 | dialog --keep-window --title "[ Update grub ]" $myPROGRESSBOXCONF
fuBANNER "Set options"
sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet"#GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"#' /etc/default/grub
sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub
update-grub 2>&1
fuBANNER "Setup console"
cp /usr/share/consolefonts/Uni2-Terminus12x6.psf.gz /etc/console-setup/
gunzip /etc/console-setup/Uni2-Terminus12x6.psf.gz
sed -i 's#FONTFACE=".*#FONTFACE="Terminus"#' /etc/default/console-setup
sed -i 's#FONTSIZE=".*#FONTSIZE="12x6"#' /etc/default/console-setup
update-initramfs -u 2>&1 | dialog --keep-window --title "[ Update initramfs ]" $myPROGRESSBOXCONF
sed -i 's#After=.*#After=systemd-tmpfiles-setup.service console-screen.service kbd.service local-fs.target#' /etc/systemd/system/multi-user.target.wants/console-setup.service 2>&1 | dialog --keep-window --title "[ Fix race with console setup ]" $myPROGRESSBOXCONF
update-initramfs -u
sed -i 's#After=.*#After=systemd-tmpfiles-setup.service console-screen.service kbd.service local-fs.target#' /etc/systemd/system/multi-user.target.wants/console-setup.service
# Let's enable a color prompt and add /opt/tpot/bin to path
fuBANNER "Setup prompts"
myROOTPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;1m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;1m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"'
myUSERPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;2m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"'
myROOTCOLORS="export LS_OPTIONS='--color=auto'
@ -729,25 +756,27 @@ eval \"\`dircolors\`\"
alias ls='ls \$LS_OPTIONS'
alias ll='ls \$LS_OPTIONS -l'
alias l='ls \$LS_OPTIONS -lA'"
tee -a /root/.bashrc 2>&1>/dev/null <<EOF
tee -a /root/.bashrc <<EOF
$myROOTPROMPT
$myROOTCOLORS
PATH="$PATH:/opt/tpot/bin"
EOF
for i in $(ls -d /home/*/)
do
tee -a $i.bashrc 2>&1>/dev/null <<EOF
tee -a $i.bashrc <<EOF
$myUSERPROMPT
PATH="$PATH:/opt/tpot/bin"
EOF
done
# Let's create ews.ip before reboot and prevent race condition for first start
/opt/tpot/bin/updateip.sh 2>&1>/dev/null
fuBANNER "Update IP"
/opt/tpot/bin/updateip.sh
# Let's clean up apt
apt-get autoclean -y 2>&1 | dialog --keep-window --title "[ Cleaning up ]" $myPROGRESSBOXCONF
apt-get autoremove -y 2>&1 | dialog --keep-window --title "[ Cleaning up ]" $myPROGRESSBOXCONF
fuBANNER "Clean up"
apt-get autoclean -y
apt-get autoremove -y
# Final steps
cp /opt/tpot/host/etc/rc.local /etc/rc.local 2>&1>/dev/null && \
@ -762,5 +791,6 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ];
else
dialog --keep-window --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Thanks for your patience. Now rebooting. ]" --pause "" 6 80 2 && \
systemctl restart console-setup.service
dialog --clear
reboot
fi
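Review bot: The line `fuBANNNER "Add cronjobs"` in the cronjobs hunk misspells the `fuBANNER` helper this commit introduces, so bash will report command not found at that step; it should read `fuBANNER "Add cronjobs"`. In the 802.1x hunk the rewritten `cp` and `tee` lines sit under `if [ "myCONF_PFX_USE" == "0" ]`, which compares a literal string because the `$` is missing, so that branch can never run; `if [ "$myCONF_PFX_USE" == "0" ]` looks like the intent. The permissions hunk keeps `chmod 644 -R /data/nginx/cert`, which sets the private key `nginx.key` to 644 and also clears the search bit on the directory itself; a following `chmod 600 /data/nginx/cert/nginx.key` would state the intent for the key, though which user the web server reads it as is not visible here, so confirm before tightening. With the `| dialog` pipes removed, no step in these hunks checks its exit status and no `set -e` is visible, so a failed `git clone` would let the later steps that read `/opt/tpot` run anyway; `git clone https://github.com/dtag-dev-sec/tpotce -b debian /opt/tpot || exit 1` would stop the installer there.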