mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-07-02 01:27:27 -04:00
tweak installer
This commit is contained in:
@ -185,6 +185,10 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
|
||||
fi
|
||||
}
|
||||
|
||||
#!/bin/bash
|
||||
function fuBANNER {
|
||||
toilet -f smmono12 -o -F metal "$1" | pv -qL 4000
|
||||
}
|
||||
|
||||
# Prepare running the installer
|
||||
echo "$myINFO" | head -n 3
|
||||
@ -422,30 +426,35 @@ if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
|
||||
htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW" 2>&1 | dialog --keep-window --title "[ Setting up user and password ]" $myPROGRESSBOXCONF;
|
||||
fi
|
||||
|
||||
dialog --clear
|
||||
|
||||
########################
|
||||
# Installation section #
|
||||
########################
|
||||
|
||||
fuBANNER "Installing"
|
||||
|
||||
# Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway)
|
||||
if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
|
||||
then
|
||||
mkdir -p /data/nginx/cert 2>&1 | dialog --keep-window --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
|
||||
openssl req \
|
||||
-nodes \
|
||||
-x509 \
|
||||
-sha512 \
|
||||
-newkey rsa:8192 \
|
||||
-keyout "/data/nginx/cert/nginx.key" \
|
||||
-out "/data/nginx/cert/nginx.crt" \
|
||||
-days 3650 \
|
||||
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --keep-window --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
|
||||
fuBANNER "NGINX Certificate"
|
||||
mkdir -p /data/nginx/cert
|
||||
openssl req \
|
||||
-nodes \
|
||||
-x509 \
|
||||
-sha512 \
|
||||
-newkey rsa:8192 \
|
||||
-keyout "/data/nginx/cert/nginx.key" \
|
||||
-out "/data/nginx/cert/nginx.crt" \
|
||||
-days 3650 \
|
||||
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd'
|
||||
fi
|
||||
|
||||
# Let's setup the ntp server
|
||||
if [ "$myCONF_NTP_USE" == "0" ];
|
||||
then
|
||||
cp $myCONF_NTP_CONF_FILE /etc/ntp.conf 2>&1 | dialog --keep-window --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Setup NTP"
|
||||
cp $myCONF_NTP_CONF_FILE /etc/ntp.conf
|
||||
fi
|
||||
|
||||
# Let's setup 802.1x networking
|
||||
@ -493,12 +502,13 @@ network={
|
||||
"
|
||||
if [ "myCONF_PFX_USE" == "0" ];
|
||||
then
|
||||
cp $myCONF_PFX_FILE /etc/wpa_supplicant/ 2>&1 | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
|
||||
echo "$myNETWORK_INTERFACES" 2>&1 | tee -a /etc/network/interfaces | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Setup 802.1x"
|
||||
cp $myCONF_PFX_FILE /etc/wpa_supplicant/
|
||||
echo "$myNETWORK_INTERFACES" 2>&1 | tee -a /etc/network/interfaces
|
||||
|
||||
echo "$myNETWORK_WIRED8021x" 2>&1 | tee /etc/wpa_supplicant/wired8021x.conf | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
|
||||
echo "$myNETWORK_WIRED8021x" 2>&1 | tee /etc/wpa_supplicant/wired8021x.conf
|
||||
|
||||
echo "$myNETWORK_WLAN8021x" 2>&1 | tee /etc/wpa_supplicant/wireless8021x.conf | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
|
||||
echo "$myNETWORK_WLAN8021x" 2>&1 | tee /etc/wpa_supplicant/wireless8021x.conf
|
||||
fi
|
||||
|
||||
# Let's provide a wireless example config ...
|
||||
@ -530,38 +540,42 @@ myNETWORK_WLANEXAMPLE="
|
||||
# wpa-key-mgmt WPA-PSK
|
||||
# wpa-psk \"<your_password_here_without_brackets>\"
|
||||
"
|
||||
echo "$myNETWORK_WLANEXAMPLE" 2>&1 | tee -a /etc/network/interfaces | dialog --keep-window --title "[ Provide WLAN example config ]" $myPROGRESSBOXCONF
|
||||
|
||||
# Let's modify the sources list
|
||||
sed -i '/cdrom/d' /etc/apt/sources.list
|
||||
fuBANNER "Example config"
|
||||
echo "$myNETWORK_WLANEXAMPLE" 2>&1 | tee -a /etc/network/interfaces
|
||||
|
||||
# Let's make sure SSH roaming is turned off (CVE-2016-0777, CVE-2016-0778)
|
||||
echo "UseRoaming no" 2>&1 | tee -a /etc/ssh/ssh_config | dialog --keep-window --title "[ Turn SSH roaming off ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "SSH roaming off"
|
||||
echo "UseRoaming no" 2>&1 | tee -a /etc/ssh/ssh_config
|
||||
|
||||
# Installing ctop, elasticdump, tpot, yq
|
||||
npm install https://github.com/taskrabbit/elasticsearch-dump -g 2>&1 | dialog --keep-window --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
|
||||
pip install --upgrade pip 2>&1 | dialog --keep-window --title "[ Installing pip ]" $myPROGRESSBOXCONF
|
||||
hash -r 2>&1 | dialog --keep-window --title "[ Installing pip ]" $myPROGRESSBOXCONF
|
||||
pip install elasticsearch-curator yq 2>&1 | dialog --keep-window --title "[ Installing elasticsearch-curator, yq ]" $myPROGRESSBOXCONF
|
||||
wget https://github.com/bcicen/ctop/releases/download/v0.7.2/ctop-0.7.2-linux-amd64 -O /usr/bin/ctop 2>&1 | dialog --keep-window --title "[ Installing ctop ]" $myPROGRESSBOXCONF
|
||||
chmod +x /usr/bin/ctop 2>&1 | dialog --keep-window --title "[ Installing ctop ]" $myPROGRESSBOXCONF
|
||||
git clone https://github.com/dtag-dev-sec/tpotce -b debian /opt/tpot 2>&1 | dialog --keep-window --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Installing packages"
|
||||
npm install https://github.com/taskrabbit/elasticsearch-dump -g
|
||||
pip install --upgrade pip
|
||||
hash -r
|
||||
pip install elasticsearch-curator yq
|
||||
|
||||
# Cloning T-Pot from GitHub
|
||||
fuBANNER "Cloning T-Pot"
|
||||
git clone https://github.com/dtag-dev-sec/tpotce -b debian /opt/tpot
|
||||
|
||||
# Let's create the T-Pot user
|
||||
addgroup --gid 2000 tpot 2>&1 | dialog --keep-window --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF
|
||||
adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --keep-window --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Create user"
|
||||
addgroup --gid 2000 tpot
|
||||
adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot
|
||||
|
||||
# Let's set the hostname
|
||||
a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt)
|
||||
n=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/n.txt)
|
||||
myHOST=$a$n
|
||||
hostnamectl set-hostname $myHOST 2>&1 | dialog --keep-window --title "[ Setting new hostname ]" $myPROGRESSBOXCONF
|
||||
sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --keep-window --title "[ Setting new hostname ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Set hostname"
|
||||
hostnamectl set-hostname $myHOST
|
||||
sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts
|
||||
|
||||
# Let's patch cockpit.socket, sshd_config
|
||||
sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket 2>&1 | dialog --keep-window --title "[ Cockpit listen on tcp/64294 ]" $myPROGRESSBOXCONF
|
||||
sed -i '/^port/Id' /etc/ssh/sshd_config 2>&1 | dialog --keep-window --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF
|
||||
echo "Port 64295" >> /etc/ssh/sshd_config 2>&1 | dialog --keep-window --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Adjust tcp ports"
|
||||
sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket
|
||||
sed -i '/^port/Id' /etc/ssh/sshd_config
|
||||
echo "Port 64295" >> /etc/ssh/sshd_config
|
||||
|
||||
# Let's make sure only myCONF_TPOT_FLAVOR images will be downloaded and started
|
||||
case $myCONF_TPOT_FLAVOR in
|
||||
@ -599,14 +613,16 @@ for name in $(cat $myTPOTCOMPOSE | grep -v '#' | grep image | cut -d'"' -f2 | un
|
||||
done
|
||||
wait
|
||||
}
|
||||
fuPULLIMAGES 2>&1 | dialog --keep-window --title "[ Pulling docker images, please be patient ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Pull images"
|
||||
fuPULLIMAGES
|
||||
|
||||
# Let's add the daily update check with a weekly clean interval
|
||||
myUPDATECHECK="APT::Periodic::Update-Package-Lists \"1\";
|
||||
APT::Periodic::Download-Upgradeable-Packages \"0\";
|
||||
APT::Periodic::AutocleanInterval \"7\";
|
||||
"
|
||||
echo "$myUPDATECHECK" 2>&1 | tee /etc/apt/apt.conf.d/10periodic | dialog --keep-window --title "[ Modifying update checks ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Modify update checks"
|
||||
echo "$myUPDATECHECK" | tee /etc/apt/apt.conf.d/10periodic
|
||||
|
||||
# Let's make sure to reboot the system after a kernel panic
|
||||
mySYSCTLCONF="
|
||||
@ -619,7 +635,8 @@ net.ipv6.conf.all.disable_ipv6 = 1
|
||||
net.ipv6.conf.default.disable_ipv6 = 1
|
||||
net.ipv6.conf.lo.disable_ipv6 = 1
|
||||
"
|
||||
echo "$mySYSCTLCONF" 2>&1 | tee -a /etc/sysctl.conf | dialog --keep-window --title "[ Tweak Sysctl ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Tweak systctl"
|
||||
echo "$mySYSCTLCONF" | tee -a /etc/sysctl.conf
|
||||
|
||||
# Let's setup fail2ban config
|
||||
myFAIL2BANCONF="[DEFAULT]
|
||||
@ -646,14 +663,16 @@ port = 64295
|
||||
filter = sshd
|
||||
logpath = /var/log/auth.log
|
||||
"
|
||||
echo "$myFAIL2BANCONF" 2>&1 | tee /etc/fail2ban/jail.d/tpot.conf | dialog --keep-window --title "[ Setup fail2ban config ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Setup fail2ban"
|
||||
echo "$myFAIL2BANCONF" | tee /etc/fail2ban/jail.d/tpot.conf
|
||||
|
||||
# Fix systemd error https://github.com/systemd/systemd/issues/3374
|
||||
mySYSTEMDFIX="[Link]
|
||||
NamePolicy=kernel database onboard slot path
|
||||
MACAddressPolicy=none
|
||||
"
|
||||
echo "$mySYSTEMDFIX" 2>&1 | tee /etc/systemd/network/99-default.link | dialog --keep-window --title "[ systemd fix ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Systemd fix"
|
||||
echo "$mySYSTEMDFIX" | tee /etc/systemd/network/99-default.link
|
||||
|
||||
# Let's add some cronjobs
|
||||
myCRONJOBS="
|
||||
@ -672,9 +691,11 @@ myCRONJOBS="
|
||||
# Check for updated packages every sunday, upgrade and reboot
|
||||
27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot
|
||||
"
|
||||
echo "$myCRONJOBS" 2>&1 | tee -a /etc/crontab | dialog --keep-window --title "[ Adding cronjobs ]" $myPROGRESSBOXCONF
|
||||
fuBANNNER "Add cronjobs"
|
||||
echo "$myCRONJOBS" | tee -a /etc/crontab
|
||||
|
||||
# Let's create some files and folders
|
||||
fuBANNER "Create files & folders"
|
||||
mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
|
||||
/data/ciscoasa/log \
|
||||
/data/conpot/log \
|
||||
@ -695,33 +716,39 @@ mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
|
||||
/data/spiderfoot \
|
||||
/data/suricata/log /home/tsec/.ssh/ \
|
||||
/data/tanner/log /data/tanner/files \
|
||||
/data/p0f/log 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF
|
||||
touch /data/spiderfoot/spiderfoot.db 2>&1 | dialog --keep-window --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF
|
||||
touch /data/nginx/log/error.log 2>&1 | dialog --keep-window --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF
|
||||
/data/p0f/log
|
||||
touch /data/spiderfoot/spiderfoot.db
|
||||
touch /data/nginx/log/error.log
|
||||
|
||||
# Let's copy some files
|
||||
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --keep-window --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF
|
||||
cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --keep-window --title "[ Copy configs ]" $myPROGRESSBOXCONF
|
||||
systemctl enable tpot 2>&1 | dialog --keep-window --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Copy configs"
|
||||
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C /
|
||||
cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/
|
||||
systemctl enable tpot
|
||||
|
||||
# Let's take care of some files and permissions
|
||||
chmod 760 -R /data 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
|
||||
chown tpot:tpot -R /data 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
|
||||
chmod 644 -R /data/nginx/conf 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
|
||||
chmod 644 -R /data/nginx/cert 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Set permissions"
|
||||
chmod 760 -R /data
|
||||
chown tpot:tpot -R /data
|
||||
chmod 644 -R /data/nginx/conf
|
||||
chmod 644 -R /data/nginx/cert
|
||||
|
||||
# Let's replace "quiet splash" options, set a console font for more screen canvas and update grub
|
||||
sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet"#GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"#' /etc/default/grub 2>&1>/dev/null
|
||||
sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub 2>&1>/dev/null
|
||||
update-grub 2>&1 | dialog --keep-window --title "[ Update grub ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Set options"
|
||||
sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet"#GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"#' /etc/default/grub
|
||||
sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub
|
||||
update-grub 2>&1
|
||||
|
||||
fuBANNER "Setup console"
|
||||
cp /usr/share/consolefonts/Uni2-Terminus12x6.psf.gz /etc/console-setup/
|
||||
gunzip /etc/console-setup/Uni2-Terminus12x6.psf.gz
|
||||
sed -i 's#FONTFACE=".*#FONTFACE="Terminus"#' /etc/default/console-setup
|
||||
sed -i 's#FONTSIZE=".*#FONTSIZE="12x6"#' /etc/default/console-setup
|
||||
update-initramfs -u 2>&1 | dialog --keep-window --title "[ Update initramfs ]" $myPROGRESSBOXCONF
|
||||
sed -i 's#After=.*#After=systemd-tmpfiles-setup.service console-screen.service kbd.service local-fs.target#' /etc/systemd/system/multi-user.target.wants/console-setup.service 2>&1 | dialog --keep-window --title "[ Fix race with console setup ]" $myPROGRESSBOXCONF
|
||||
update-initramfs -u
|
||||
sed -i 's#After=.*#After=systemd-tmpfiles-setup.service console-screen.service kbd.service local-fs.target#' /etc/systemd/system/multi-user.target.wants/console-setup.service
|
||||
|
||||
# Let's enable a color prompt and add /opt/tpot/bin to path
|
||||
fuBANNER "Setup prompts"
|
||||
myROOTPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;1m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;1m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"'
|
||||
myUSERPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;2m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"'
|
||||
myROOTCOLORS="export LS_OPTIONS='--color=auto'
|
||||
@ -729,25 +756,27 @@ eval \"\`dircolors\`\"
|
||||
alias ls='ls \$LS_OPTIONS'
|
||||
alias ll='ls \$LS_OPTIONS -l'
|
||||
alias l='ls \$LS_OPTIONS -lA'"
|
||||
tee -a /root/.bashrc 2>&1>/dev/null <<EOF
|
||||
tee -a /root/.bashrc <<EOF
|
||||
$myROOTPROMPT
|
||||
$myROOTCOLORS
|
||||
PATH="$PATH:/opt/tpot/bin"
|
||||
EOF
|
||||
for i in $(ls -d /home/*/)
|
||||
do
|
||||
tee -a $i.bashrc 2>&1>/dev/null <<EOF
|
||||
tee -a $i.bashrc <<EOF
|
||||
$myUSERPROMPT
|
||||
PATH="$PATH:/opt/tpot/bin"
|
||||
EOF
|
||||
done
|
||||
|
||||
# Let's create ews.ip before reboot and prevent race condition for first start
|
||||
/opt/tpot/bin/updateip.sh 2>&1>/dev/null
|
||||
fuBANNER "Update IP"
|
||||
/opt/tpot/bin/updateip.sh
|
||||
|
||||
# Let's clean up apt
|
||||
apt-get autoclean -y 2>&1 | dialog --keep-window --title "[ Cleaning up ]" $myPROGRESSBOXCONF
|
||||
apt-get autoremove -y 2>&1 | dialog --keep-window --title "[ Cleaning up ]" $myPROGRESSBOXCONF
|
||||
fuBANNER "Clean up"
|
||||
apt-get autoclean -y
|
||||
apt-get autoremove -y
|
||||
|
||||
# Final steps
|
||||
cp /opt/tpot/host/etc/rc.local /etc/rc.local 2>&1>/dev/null && \
|
||||
@ -762,5 +791,6 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ];
|
||||
else
|
||||
dialog --keep-window --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Thanks for your patience. Now rebooting. ]" --pause "" 6 80 2 && \
|
||||
systemctl restart console-setup.service
|
||||
dialog --clear
|
||||
reboot
|
||||
fi
|
||||
|
Reference in New Issue
Block a user