From 2f6a8014bcbcc2500e1020b08ffef4a6a8e81d7e Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Sat, 31 Mar 2018 15:18:28 +0000 Subject: [PATCH] tweaking, hardening --- docker/dionaea/Dockerfile | 3 + docker/dionaea/dist/etc/services/http.yaml | 2 +- docker/dionaea/docker-compose.yml | 14 ++--- docker/elasticpot/Dockerfile | 4 +- docker/elasticpot/docker-compose.yml | 3 +- docker/elk/docker-compose.yml | 65 +++++++++++++++++++++ docker/elk/elasticsearch/Dockerfile | 4 +- docker/elk/elasticsearch/docker-compose.yml | 30 ++++++++++ docker/elk/head/Dockerfile | 4 +- docker/elk/head/docker-compose.yml | 18 ++++++ docker/elk/kibana/Dockerfile | 4 +- docker/elk/kibana/docker-compose.yml | 17 ++++++ docker/elk/logstash/Dockerfile | 10 +++- docker/elk/logstash/docker-compose.yml | 20 +++++++ docker/ews/Dockerfile | 2 + docker/ews/docker-compose.yml | 23 ++++++++ etc/compose/collect.yml | 1 + etc/compose/tpot.yml | 14 +++-- 18 files changed, 214 insertions(+), 24 deletions(-) create mode 100644 docker/elk/docker-compose.yml create mode 100644 docker/elk/elasticsearch/docker-compose.yml create mode 100644 docker/elk/head/docker-compose.yml create mode 100644 docker/elk/kibana/docker-compose.yml create mode 100644 docker/elk/logstash/docker-compose.yml create mode 100644 docker/ews/docker-compose.yml diff --git a/docker/dionaea/Dockerfile b/docker/dionaea/Dockerfile index 4f016b5f..e60c7541 100644 --- a/docker/dionaea/Dockerfile +++ b/docker/dionaea/Dockerfile @@ -15,6 +15,7 @@ RUN apt-get update -y && \ check \ cython3 \ git \ + libcap2-bin \ libcurl4-openssl-dev \ libemu-dev \ libev-dev \ @@ -54,6 +55,7 @@ RUN apt-get update -y && \ # Setup user and groups addgroup --gid 2000 dionaea && \ adduser --system --no-create-home --shell /bin/bash --uid 2000 --disabled-password --disabled-login --gid 2000 dionaea && \ + setcap cap_net_bind_service=+ep /opt/dionaea/bin/dionaea && \ # Supply configs and set permissions chown -R dionaea:dionaea /opt/dionaea/var && \ 
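Review bot: The file capability set by `setcap cap_net_bind_service=+ep /opt/dionaea/bin/dionaea` is only applied when the kernel is allowed to raise privileges on exec, so it is silently dropped under no_new_privs (for example a later `security_opt: - no-new-privileges:true` in compose) and also needs NET_BIND_SERVICE to still be in the container's bounding set; in either failure case dionaea would simply fail to bind its privileged ports with nothing here pointing at the cause. That constraint deserves a comment beside the line, e.g. `# file capability replaces cap_add NET_BIND_SERVICE; not honoured under no-new-privileges or if the cap is dropped from the bounding set`. The RUN statement this line belongs to starts before the hunk.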
@@ -105,4 +107,5 @@ RUN apt-get update -y && \ rm -rf /root/* /var/lib/apt/lists/* /tmp/* /var/tmp/* # Start dionaea +USER dionaea:dionaea CMD ["/opt/dionaea/bin/dionaea", "-u", "dionaea", "-g", "dionaea", "-c", "/opt/dionaea/etc/dionaea/dionaea.cfg"] diff --git a/docker/dionaea/dist/etc/services/http.yaml b/docker/dionaea/dist/etc/services/http.yaml index 9a22e39b..6e398f78 100644 --- a/docker/dionaea/dist/etc/services/http.yaml +++ b/docker/dionaea/dist/etc/services/http.yaml @@ -2,7 +2,7 @@ config: root: "/opt/dionaea/var/dionaea/roots/www" ports: - - 80 + - 8081 ssl_ports: - 443 max_request_size: 32768 # maximum size in kbytes of the request (32MB) diff --git a/docker/dionaea/docker-compose.yml b/docker/dionaea/docker-compose.yml index 575aa6e4..a9fda263 100644 --- a/docker/dionaea/docker-compose.yml +++ b/docker/dionaea/docker-compose.yml @@ -2,8 +2,8 @@ # For docker-compose ... version: '2.2' -networks: - dionaea_local: +#networks: +# dionaea_local: services: @@ -13,16 +13,15 @@ services: container_name: dionaea stdin_open: true restart: always - networks: - - dionaea_local - cap_add: - - NET_BIND_SERVICE + network_mode: "host" + # networks: + # - dionaea_local ports: - "20:20" - "21:21" - "42:42" - "69:69/udp" - - "8081:80" + - "8081:8081" - "135:135" - "443:443" - "445:445" @@ -35,6 +34,7 @@ services: - "5061:5061" - "27017:27017" image: "dtagdevsec/dionaea:1804" + read_only: true volumes: - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp diff --git a/docker/elasticpot/Dockerfile b/docker/elasticpot/Dockerfile index 789d0447..4b7a04b8 100644 --- a/docker/elasticpot/Dockerfile +++ b/docker/elasticpot/Dockerfile 
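Review bot: With `USER dionaea:dionaea` in place the process already starts unprivileged, so the `-u dionaea -g dionaea` flags in the CMD are now redundant; they only matter if dionaea's own privilege drop rejects a setuid/setgid to the uid it already runs as, which is worth confirming against the dionaea version built here because a failure there aborts the honeypot at startup. Either drop the two flags or record why they stay: `# already running as dionaea (USER above); -u/-g kept for dionaea's own privilege-drop path`. Note that every path dionaea writes at runtime must now be writable by uid 2000; the only chown visible in this diff covers /opt/dionaea/var, and the enclosing RUN chain is outside this hunk.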
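Review bot: `network_mode: "host"` removes the network namespace around the one container that is built to receive exploit traffic, so a compromised dionaea now has direct access to every host interface, including the loopback-only management listeners this same commit configures for Elasticsearch, Kibana and head on 127.0.0.1:64298, 64296 and 64302; the previous `dionaea_local` network plus `cap_add: NET_BIND_SERVICE` reached the same ports while keeping that isolation. Docker discards published ports under host networking, so the entire `ports:` list, including the `8081:80` → `8081:8081` edit, is inert and the set of host ports dionaea occupies is now defined only by the service YAML under /opt/dionaea/etc. If host networking is really required, say so and remove the dead mappings, e.g. `# host networking: the ports below are documentation only; dionaea binds directly on the host`, and reconsider whether the management ports need protecting from this container by other means.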
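Review bot: `read_only: true` makes the rootfs immutable, but the only writable locations visible in this hunk are the roots/ftp and roots/tftp bind mounts, and the rest of the volumes list lies outside it; anything dionaea writes elsewhere at runtime (logs, captured binaries, temporary files) will now fail with EROFS and surface only through dionaea's own error handling, which is easy to miss on a honeypot. Confirm that every writable path is covered by a mount, and give the remainder a tmpfs, e.g. `tmpfs:` followed by `  - /tmp`, so the hardening does not quietly turn into lost captures.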
@@ -24,11 +24,11 @@ RUN apk -U upgrade && \ mkdir /opt/ElasticpotPY/log && \ # Clean up - apk del git && \ + apk del --purge git && \ rm -rf /root/* && \ rm -rf /var/cache/apk/* # Start elasticpot -USER elasticpot +USER elasticpot:elasticpot WORKDIR /opt/ElasticpotPY/ CMD ["/usr/bin/python3","main.py"] diff --git a/docker/elasticpot/docker-compose.yml b/docker/elasticpot/docker-compose.yml index 5316a076..c8674abd 100644 --- a/docker/elasticpot/docker-compose.yml +++ b/docker/elasticpot/docker-compose.yml @@ -1,4 +1,4 @@ -version: '2.1' +version: '2.2' networks: elasticpot_local: @@ -15,5 +15,6 @@ services: ports: - "9200:9200" image: "dtagdevsec/elasticpot:1804" + read_only: true volumes: - /data/elasticpot/log:/opt/ElasticpotPY/log diff --git a/docker/elk/docker-compose.yml b/docker/elk/docker-compose.yml new file mode 100644 index 00000000..6dd946ff --- /dev/null +++ b/docker/elk/docker-compose.yml 
@@ -0,0 +1,65 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.2' + +services: + +# ELK services +## Elasticsearch service + elasticsearch: + container_name: elasticsearch + restart: always + environment: + - bootstrap.memory_lock=true + - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m" + cap_add: + - IPC_LOCK + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + mem_limit: 2g + ports: + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elasticsearch:1804" + volumes: + - /data:/data + +## Kibana service + kibana: + container_name: kibana + restart: always + depends_on: + elasticsearch: + condition: service_healthy + ports: + - "127.0.0.1:64296:5601" + image: "dtagdevsec/kibana:1804" + +## Logstash service + logstash: + container_name: logstash + restart: always + depends_on: + elasticsearch: + condition: service_healthy + env_file: + - /opt/tpot/etc/compose/elk_environment + image: "dtagdevsec/logstash:1804" + volumes: + - /data:/data + - /var/log:/data/host/log + +## Elasticsearch-head service + head: + container_name: head + restart: always + depends_on: + elasticsearch: + condition: service_healthy + ports: + - "127.0.0.1:64302:9100" + image: "dtagdevsec/head:1804" diff --git a/docker/elk/elasticsearch/Dockerfile b/docker/elk/elasticsearch/Dockerfile index afd1ab59..10817927 100644 --- a/docker/elk/elasticsearch/Dockerfile +++ b/docker/elk/elasticsearch/Dockerfile @@ -28,12 +28,12 @@ RUN apk -U upgrade && \ chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ && \ # Clean up - apk del wget && \ + apk del --purge wget && \ rm -rf /root/* # Healthcheck HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9200/_cat/health' # Start ELK -USER elasticsearch +USER elasticsearch:elasticsearch CMD ["/usr/share/elasticsearch/bin/elasticsearch"] diff --git a/docker/elk/elasticsearch/docker-compose.yml b/docker/elk/elasticsearch/docker-compose.yml new file mode 100644 index 00000000..dd71c85b --- /dev/null 
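Review bot: Logstash is given the host's `/var/log` read-write via `- /var/log:/data/host/log`, although a shipper only needs to read it; Logstash parses attacker-supplied honeypot payloads, so a parsing bug or plugin compromise would let it alter or truncate host logs, which is precisely the evidence a honeypot must keep intact. Mount it read-only: `- /var/log:/data/host/log:ro`. `/data:/data` is also read-write here and could be narrowed if the pipeline only tails files from it, but that depends on logstash.conf, which is not in this diff; the same mounts recur in docker/elk/logstash/docker-compose.yml and should be kept in step.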
+++ b/docker/elk/elasticsearch/docker-compose.yml @@ -0,0 +1,30 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.2' + +services: + +# ELK services +## Elasticsearch service + elasticsearch: + build: . + container_name: elasticsearch + restart: always + environment: + - bootstrap.memory_lock=true + - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m" + cap_add: + - IPC_LOCK + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + mem_limit: 2g + ports: + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elasticsearch:1804" + volumes: + - /data:/data diff --git a/docker/elk/head/Dockerfile b/docker/elk/head/Dockerfile index 6408b2f0..630e341e 100644 --- a/docker/elk/head/Dockerfile +++ b/docker/elk/head/Dockerfile @@ -22,12 +22,12 @@ RUN apk -U upgrade && \ chown -R head:head /usr/src/app/ && \ # Clean up - apk del git + apk del --purge git # Healthcheck HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9100' # Start elasticsearch-head -USER head +USER head:head WORKDIR /usr/src/app CMD ["node_modules/http-server/bin/http-server", "_site", "-p", "9100"] diff --git a/docker/elk/head/docker-compose.yml b/docker/elk/head/docker-compose.yml new file mode 100644 index 00000000..c8ba8a05 --- /dev/null +++ b/docker/elk/head/docker-compose.yml @@ -0,0 +1,18 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.2' + +services: + +## Elasticsearch-head service + head: + build: . + container_name: head + restart: always + # depends_on: + # elasticsearch: + # condition: service_healthy + ports: + - "127.0.0.1:64302:9100" + image: "dtagdevsec/head:1804" + read_only: true diff --git a/docker/elk/kibana/Dockerfile b/docker/elk/kibana/Dockerfile index 8b6a7533..34471cd9 100644 --- a/docker/elk/kibana/Dockerfile +++ b/docker/elk/kibana/Dockerfile 
@@ -44,12 +44,12 @@ RUN apk -U upgrade && \ chown -R kibana:kibana /usr/share/kibana/ && \ # Clean up - apk del wget && \ + apk del --purge wget && \ rm -rf /root/* # Healthcheck HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:5601' # Start kibana -USER kibana +USER kibana:kibana CMD ["/usr/share/kibana/bin/kibana"] diff --git a/docker/elk/kibana/docker-compose.yml b/docker/elk/kibana/docker-compose.yml new file mode 100644 index 00000000..fcae008f --- /dev/null +++ b/docker/elk/kibana/docker-compose.yml @@ -0,0 +1,17 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.2' + +services: + +## Kibana service + kibana: + build: . + container_name: kibana + restart: always +# depends_on: +# elasticsearch: +# condition: service_healthy + ports: + - "127.0.0.1:64296:5601" + image: "dtagdevsec/kibana:1804" diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile index 8a312f5e..6ebdd823 100644 --- a/docker/elk/logstash/Dockerfile +++ b/docker/elk/logstash/Dockerfile @@ -33,12 +33,20 @@ RUN apk -U upgrade && \ cp logstash.conf /etc/logstash/conf.d/ && \ cp elasticsearch-template-es5x.json /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/lib/logstash/outputs/elasticsearch/ && \ +# Setup user, groups and configs + addgroup -g 2000 logstash && \ + adduser -S -H -s /bin/bash -u 2000 -D -g 2000 logstash && \ + chown -R logstash:logstash /usr/share/logstash && \ + chown -R logstash:logstash /etc/listbot && \ + chmod 755 /usr/bin/update.sh && \ + # Clean up - apk del wget && \ + apk del --purge wget && \ rm -rf /root/* # Healthcheck HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600' # Start logstash +USER logstash:logstash CMD update.sh && /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf diff --git a/docker/elk/logstash/docker-compose.yml b/docker/elk/logstash/docker-compose.yml new file mode 100644 index 00000000..2cd51320 --- /dev/null 
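Review bot: `chown -R logstash:logstash /usr/share/logstash` hands the runtime user write access to the whole Logstash installation, including the jars, plugins and pipeline config it loads, so a process compromised through the honeypot data it parses could persistently modify its own code, and the new docker/elk/logstash compose file sets no `read_only` to offset that. Chown only what Logstash actually writes and leave the rest root-owned, e.g. `chown -R logstash:logstash /usr/share/logstash/data /usr/share/logstash/logs` (the exact directories depend on path.data/path.logs in the image's logstash.yml, which is outside this diff). Separately, on BusyBox `adduser` the `-g` flag sets the GECOS field while the group is `-G`, so `adduser … -g 2000 logstash` works only because a group named logstash was created on the line above; `-G logstash` states the intent. The RUN statement this hunk belongs to starts before the hunk.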
+++ b/docker/elk/logstash/docker-compose.yml @@ -0,0 +1,20 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.2' + +services: + +## Logstash service + logstash: + build: . + container_name: logstash + restart: always +# depends_on: +# elasticsearch: +# condition: service_healthy + env_file: + - /opt/tpot/etc/compose/elk_environment + image: "dtagdevsec/logstash:1804" + volumes: + - /data:/data + - /var/log:/data/host/log diff --git a/docker/ews/Dockerfile b/docker/ews/Dockerfile index 86057904..d4023f18 100644 --- a/docker/ews/Dockerfile +++ b/docker/ews/Dockerfile @@ -30,6 +30,7 @@ RUN apk -U upgrade && \ # Setup user and groups addgroup -g 2000 ews && \ adduser -S -H -u 2000 -D -g 2000 ews && \ + chown -R ews:ews /opt/ewsposter && \ # Supply configs mv /root/dist/ews.cfg /opt/ewsposter/ && \ @@ -45,4 +46,5 @@ RUN apk -U upgrade && \ rm -rf /var/cache/apk/* # Run ewsposter +USER ews:ews CMD sleep 10 && /usr/bin/python /opt/ewsposter/ews.py -l 60 diff --git a/docker/ews/docker-compose.yml b/docker/ews/docker-compose.yml new file mode 100644 index 00000000..54145ed5 --- /dev/null +++ b/docker/ews/docker-compose.yml @@ -0,0 +1,23 @@ +# T-Pot (Standard) +# For docker-compose ... +version: '2.2' + +networks: + ewsposter_local: + +services: + +# Ewsposter service + ewsposter: + build: . + container_name: ewsposter + restart: always + networks: + - ewsposter_local + env_file: + - /opt/tpot/etc/compose/elk_environment + image: "dtagdevsec/ewsposter:1804" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + diff --git a/etc/compose/collect.yml b/etc/compose/collect.yml index a0fb1f8f..1257e45b 100644 --- a/etc/compose/collect.yml +++ b/etc/compose/collect.yml @@ -69,6 +69,7 @@ services: ports: - "127.0.0.1:64302:9100" image: "dtagdevsec/head:1804" + read_only: true # Ewsposter service ewsposter: diff --git a/etc/compose/tpot.yml b/etc/compose/tpot.yml index 82b201c0..0ffcd943 100644 --- a/etc/compose/tpot.yml +++ b/etc/compose/tpot.yml 
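Review bot: `- /var/log:/data/host/log` mounts the host log directory read-write into a container whose only job with it is reading; make it `- /var/log:/data/host/log:ro` so a compromised Logstash cannot tamper with host logs. `/data:/data` is read-write as well; if the pipeline only tails honeypot logs from it the same narrowing applies, but that depends on logstash.conf, which is outside this diff.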
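Review bot: `chown -R ews:ews /opt/ewsposter` runs before `mv /root/dist/ews.cfg /opt/ewsposter/` in the same RUN chain, so ews.cfg itself keeps root ownership while the directory around it becomes writable by the service user; that is acceptable, even preferable, if ewsposter only reads its config and the file is readable by uid 2000, but it means a compromised process can delete or replace the file rather than edit it, and it breaks if ews.py ever needs to write it. Make the ordering deliberate with a comment such as `# ews.cfg is moved in after the chown and stays root-owned on purpose: the service only reads it`, or move the chown after the config is supplied if writes are required. The RUN statement begins outside the hunk.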
@@ -5,7 +5,7 @@ version: '2.2' networks: ciscoasa_local: cowrie_local: - dionaea_local: +# dionaea_local: elasticpot_local: ewsposter_local: glastopf_local: @@ -51,16 +51,15 @@ services: container_name: dionaea stdin_open: true restart: always - networks: - - dionaea_local - cap_add: - - NET_BIND_SERVICE + network_mode: "host" +# networks: +# - dionaea_local ports: - "20:20" - "21:21" - "42:42" - "69:69/udp" - - "8081:80" + - "8081:8081" - "135:135" - "443:443" - "445:445" @@ -73,6 +72,7 @@ services: - "5061:5061" - "27017:27017" image: "dtagdevsec/dionaea:1804" + read_only: true volumes: - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp @@ -92,6 +92,7 @@ services: ports: - "9200:9200" image: "dtagdevsec/elasticpot:1804" + read_only: true volumes: - /data/elasticpot/log:/opt/ElasticpotPY/log @@ -154,6 +155,7 @@ services: ports: - "127.0.0.1:64302:9100" image: "dtagdevsec/head:1804" + read_only: true # Ewsposter service ewsposter:
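Review bot: In the deployed stack `network_mode: "host"` puts dionaea, the container most likely to be compromised by design, directly on the host network stack, where it can reach the loopback-only Elasticsearch, Kibana and head listeners (127.0.0.1:64298, 64296 and 64302 as shown in this file's context) that the old `dionaea_local` network kept out of reach; the removed `cap_add: NET_BIND_SERVICE` already allowed the low ports without giving up isolation. Because Docker discards published ports in host mode, the remaining `ports:` list, `8081:8081` included, no longer does anything and the real exposure is whatever the service YAML under /opt/dionaea/etc binds. If host mode stays, document it next to the line, e.g. `# host networking: ports list below is informational only`, and remove or guard the management-port exposure this creates.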