tweaking

where possible kibana visualizations are converted to lens objects (more than 100 objects)
all dashboards have been updated
fixes #1392 for leaving SentryPeer log tag out
add wordpot dashboard
after discussion (#1486) and testing iptables-legacy is no longer required
include all kibana objects for installation
cleaning up some service scripts

docker/hellpot/docker-compose.yml

@@ -15,7 +15,7 @@ services:
     networks:
      - hellpot_local
     ports:
-     - "80:8080"    
+     - "80:8080"
     image: "dtagdevsec/hellpot:alpha"
     read_only: true
     volumes:

docker/honeypots/Dockerfile

@@ -54,8 +54,8 @@ RUN apk -U --no-cache add \
     cd /opt/ && \
     git clone https://github.com/qeeqbox/honeypots && \
     cd honeypots && \
-    # git checkout bee3147cf81837ba7639f1e27fe34d717ecccf29 && \
-    git checkout 5b3bfbecbf85c1f5235b320b333bdeff2d312372 && \
+    git checkout a990b2c1ab04ffafde229e478ced54ffbb665d5c && \
+    # git checkout 5b3bfbecbf85c1f5235b320b333bdeff2d312372 && \
     # cp /root/dist/pyproject.toml . && \
     pip3 install --break-system-packages --upgrade pip && \
     pip3 install --break-system-packages . && \

docker/honeypots/docker-compose.yml

@@ -38,7 +38,8 @@ services:
      - "1521:1521"
      - "3306:3306"
      - "3389:3389"
-     - "5060:5060"
+     - "5060:5060/tcp"
+     - "5060:5060/udp"
      - "5432:5432"
      - "5900:5900"
      - "6379:6379"

docker/tpotinit/Dockerfile

@@ -18,7 +18,7 @@ RUN apk --no-cache -U add \
         grep \
         iproute2 \
         iptables \
-        iptables-legacy \
+#        iptables-legacy \
         jq \
         logrotate \
         lsblk \

docker/tpotinit/dist/bin/backup_es_folders.sh

@@ -1,11 +1,4 @@
 #!/bin/bash
-# Run as root only.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ];
-  then
-    echo "Need to run as root ..."
-    exit
-fi
 
 if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
   then
@@ -22,7 +15,7 @@ myES="http://127.0.0.1:64298/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
+    echo "### Elasticsearch is not available."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -30,32 +23,26 @@ if ! [ "$myESSTATUS" = "1" ]
 fi
 
 # Set vars
-myCOUNT=1
 myDATE=$(date +%Y%m%d%H%M)
-myELKPATH="/data/elk/data"
-myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
-myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
-
-# Let's ensure normal operation on exit or if interrupted ...
-function fuCLEANUP {
-  ### Start ELK
-  systemctl start tpot
-  echo "### Now starting T-Pot ..."
-}
-trap fuCLEANUP EXIT
-
-# Stop T-Pot to lift db lock
-echo "### Now stopping T-Pot"
-systemctl stop tpot
-sleep 2
+myPATH=$PWD
+myELKPATH="data/elk/data"
+myKIBANAINDEXNAMES=$(curl -s -XGET ''$myES'_cat/indices/.kibana_*?v&s=index&h=uuid' | tail -n +2)
+#echo $myKIBANAINDEXNAMES
+for i in $myKIBANAINDEXNAMES;
+  do
+    myKIBANAINDEXPATHS="$myKIBANAINDEXPATHS $myELKPATH/indices/$i"
+done
 
 # Backup DB in 2 flavors
+cd $HOME/tpotce
+
 echo "### Now backing up Elasticsearch folders ..."
 if [ "$1" == "all" ];
   then
-    tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
+    tar cvfz $myPATH"/elkall_"$myDATE".tgz" $myELKPATH
 elif [ "$1" == "base" ];
   then
-    tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
+    tar cvfz $myPATH"/elkbase_"$myDATE".tgz" $myKIBANAINDEXPATHS
 fi
 
+cd $myPATH

docker/tpotinit/dist/bin/mytopips.sh

@@ -4,7 +4,7 @@ myES="http://127.0.0.1:64298/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available."
     exit 1
   else
     echo "### Elasticsearch is available, now continuing."

docker/tpotinit/dist/bin/rules.sh

@@ -44,14 +44,14 @@ function fuSETRULES {
 ### Setting up iptables-legacy rules for honeytrap
 if [ "$myNFQCHECK" == "honeytrap" ];
   then
-    iptables-legacy -w -A INPUT -s 127.0.0.1 -j ACCEPT
-    iptables-legacy -w -A INPUT -d 127.0.0.1 -j ACCEPT
+    iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
+    iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
 
     for myPORT in $myRULESPORTS; do
-      iptables-legacy -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
+      iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
     done
 
-    iptables-legacy -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+    iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 fi
 
 ### Setting up iptables-legacy rules for glutton
@@ -71,14 +71,14 @@ function fuUNSETRULES {
 ### Removing  iptables-legacy rules for honeytrap
 if [ "$myNFQCHECK" == "honeytrap" ];
   then
-    iptables-legacy -w -D INPUT -s 127.0.0.1 -j ACCEPT
-    iptables-legacy -w -D INPUT -d 127.0.0.1 -j ACCEPT
+    iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
+    iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
 
     for myPORT in $myRULESPORTS; do
-      iptables-legacy -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
+      iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
     done
 
-    iptables-legacy -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+    iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 fi
 
 ### Removing iptables-legacy rules for glutton