telekom-security/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 01:27:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

improvements

Browse Source 
use docker-compose from pypi with support for 2.1 compose file version
logstash, kibana, head & netdata are now depending on a healthy elasticsearch container before starting
remove alerta-cli
tweak installer
This commit is contained in:
Marco Ochse
2017-05-22 19:36:41 +00:00
parent 931ac2dd85
commit 345df08941
10 changed files with 114 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
installer/etc/tpot/compose/all.yml
View File

@ -1,6 +1,6 @@
# T-Pot (Everything)
# For docker-compose ...
version: '2'
version: '2.1'
networks:
conpot_local:
@ -35,9 +35,11 @@ services:
restart: always
networks:
- cowrie_local
cap_add:
- NET_BIND_SERVICE
ports:
- "22:2222"
- "23:2223"
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:1706"
volumes:
- /data/cowrie:/data/cowrie
@ -101,7 +103,7 @@ services:
nofile:
soft: 65536
hard: 65536
# mem_limit: 3g
# mem_limit: 2g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:1706"
@ -113,7 +115,8 @@ services:
container_name: kibana
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:1706"
@ -123,7 +126,8 @@ services:
container_name: logstash
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
env_file:
- /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706"
@ -136,7 +140,8 @@ services:
container_name: head
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706"
@ -195,8 +200,13 @@ services:
# Netdata service
netdata:
container_name: netdata
hostname: ${HOSTNAME}
restart: always
network_mode: "host"
depends_on:
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64301:19999"
cap_add:
- SYS_PTRACE
security_opt:

14
installer/etc/tpot/compose/hp.yml
View File

@ -1,6 +1,6 @@
# T-Pot (Honeypots)
# For docker-compose ...
version: '2'
version: '2.1'
networks:
cowrie_local:
@ -17,9 +17,11 @@ services:
restart: always
networks:
- cowrie_local
cap_add:
- NET_BIND_SERVICE
ports:
- "22:2222"
- "23:2223"
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:1706"
volumes:
- /data/cowrie:/data/cowrie
@ -34,7 +36,7 @@ services:
cap_add:
- NET_BIND_SERVICE
ports:
- "21:21"
- "21:21"
- "42:42"
- "69:69/udp"
- "8081:80"
@ -45,11 +47,11 @@ services:
- "1723:1723"
- "1883:1883"
- "1900:1900"
- "3306:3306"
- "3306:3306"
- "5060:5060"
- "5061:5061"
- "5060:5060/udp"
- "11211:11211"
- "11211:11211"
image: "dtagdevsec/dionaea:1706"
volumes:
- /data/dionaea:/data/dionaea

20
installer/etc/tpot/compose/industrial.yml
View File

@ -1,6 +1,6 @@
# T-Pot (Industrial)
# For docker-compose ...
version: '2'
version: '2.1'
networks:
conpot_local:
@ -32,7 +32,7 @@ services:
restart: always
environment:
- bootstrap.memory_lock=true
# - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
# - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
cap_add:
- IPC_LOCK
ulimits:
@ -54,7 +54,8 @@ services:
container_name: kibana
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:1706"
@ -64,7 +65,8 @@ services:
container_name: logstash
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
env_file:
- /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706"
@ -77,7 +79,8 @@ services:
container_name: head
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706"
@ -111,8 +114,13 @@ services:
# Netdata service
netdata:
container_name: netdata
hostname: ${HOSTNAME}
restart: always
network_mode: "host"
depends_on:
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64301:19999"
cap_add:
- SYS_PTRACE
security_opt:

26
installer/etc/tpot/compose/tpot.yml
View File

@ -1,6 +1,6 @@
# T-Pot (Standard)
# For docker-compose ...
version: '2'
version: '2.1'
networks:
cowrie_local:
@ -19,9 +19,11 @@ services:
restart: always
networks:
- cowrie_local
cap_add:
- NET_BIND_SERVICE
ports:
- "22:2222"
- "23:2223"
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:1706"
volumes:
- /data/cowrie:/data/cowrie
@ -75,7 +77,7 @@ services:
restart: always
environment:
- bootstrap.memory_lock=true
# - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
cap_add:
- IPC_LOCK
ulimits:
@ -97,7 +99,8 @@ services:
container_name: kibana
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:1706"
@ -107,7 +110,8 @@ services:
container_name: logstash
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
env_file:
- /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706"
@ -120,7 +124,8 @@ services:
container_name: head
restart: always
depends_on:
- elasticsearch
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706"
@ -164,8 +169,13 @@ services:
# Netdata service
netdata:
container_name: netdata
hostname: ${HOSTNAME}
restart: always
network_mode: "host"
depends_on:
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64301:19999"
cap_add:
- SYS_PTRACE
security_opt:

31
installer/etc/tpot/systemd/tpot.service
View File

@ -5,16 +5,21 @@ After=docker.service
[Service]
Restart=always
RestartSec=5
Environment=HOSTNAME=%H
# Get and set internal, external IP infos, but ignore errors
ExecStartPre=-/usr/share/tpot/bin/updateip.sh
# Clear state from /data
ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh off'
ExecStartPre=-/bin/bash -c '/usr/share/tpot/bin/clean.sh off'
# Remove old containers, images and volumes
ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v
ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml rm -v
ExecStartPre=-/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v
ExecStartPre=-/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml rm -v
ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)'
ExecStartPre=-/bin/bash -c 'docker rmi $(docker images | grep "<none>" | awk \'{print $3}\')'
ExecStartPre=-/bin/bash -c 'docker rm -v $(docker ps -aq)'
ExecStartPre=-/bin/bash -c 'docker rmi $(docker images | grep "<none>" | awk \'{print $3}\')'
# Get IF, disable offloading, enable promiscious mode for p0f and suricata
ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip address | grep "^2: " | awk \'{ print $2 }\' | tr -d [:punct:]) rx off tx off'
@ -24,17 +29,17 @@ ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip address | grep "^2: " |
# Modify access rights on docker.sock for netdata
ExecStartPre=-/bin/chmod 666 /var/run/docker.sock
# Prepare iptables rules for honeytrap
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295:64303 -j NFQUEUE
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
# Compose T-Pot up
ExecStart=/usr/bin/docker-compose -f /etc/tpot/tpot.yml up
ExecStart=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml up
# Compose T-Pot down and remove containers
ExecStop=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v
# Prepare iptables rules for honeytrap
ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295:64303 -j NFQUEUE
ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
# Compose T-Pot down, remove containers and volumes
ExecStop=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v
# Remove iptables rules for honeytrap
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE