From 8a844e6dd3f95e9b84ce0ae92ba29644fd808038 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Wed, 15 Jan 2020 12:14:23 +0000
Subject: [PATCH] prepare for CitrixHoneypot

---
 CHANGELOG.md | 6 ++++++
 README.md | 7 +++++--
 bin/clean.sh | 9 +++++++++
 docker/citrixhoneypot/Dockerfile | 8 +-------
 docker/citrixhoneypot/docker-compose.yml | 7 +++----
 etc/compose/industrial.yml | 1 -
 etc/compose/nextgen.yml | 19 +++++++++++++++----
 etc/logrotate/logrotate.conf | 1 +
 iso/installer/install.sh | 1 +
 9 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 921a49d9..f2083b82 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
+## 20200115
+- **Prepare integration of CitrixHoneypot**
+ - Prepare integration of [CitrixHoneypot](https://github.com/MalwareTech/CitrixHoneypot) by MalwareTech
+ - Integration into ELK is still open
+ - Please run `/opt/tpot/update.sh` for the necessary modifications
+
 ## 20191224
 - **Use pigz, optimize logrotate.conf**
 - Use `pigz` for faster archiving, especially with regard to high volumes of logs
 - Thanks to @workandresearchgithub!
diff --git a/README.md b/README.md
index 285ace69..e6600dfb 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ and includes dockerized versions of the following honeypots
 * [adbhoney](https://github.com/huuck/ADBHoney),
 * [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot),
+* [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot),
 * [conpot](http://conpot.org/),
 * [cowrie](https://github.com/cowrie/cowrie),
 * [dionaea](https://github.com/DinoTools/dionaea),
@@ -139,6 +140,7 @@ This allows us to run multiple honeypot daemons on the same network interface wh
 In T-Pot we combine the dockerized honeypots ...
 * [adbhoney](https://github.com/huuck/ADBHoney),
 * [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot),
+* [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot),
 * [conpot](http://conpot.org/),
 * [cowrie](http://www.micheloosterhof.com/cowrie/),
 * [dionaea](https://github.com/DinoTools/dionaea),
@@ -221,7 +223,7 @@ Depending on your installation type, whether you install on [real hardware](#har
 - A working, non-proxied, internet connection
 ##### NextGen Installation (Glutton replacing Honeytrap, HoneyPy replacing Elasticpot)
-- Honeypots: adbhoney, ciscoasa, conpot, cowrie, dionaea, glutton, heralding, honeypy, mailoney, rdpy, snare & tanner
+- Honeypots: adbhoney, ciscoasa, citrixhoneypot, conpot, cowrie, dionaea, glutton, heralding, honeypy, mailoney, rdpy, snare & tanner
 - Tools: cockpit, cyberchef, ELK, elasticsearch head, ewsposter, fatt, NGINX, spiderfoot, p0f and suricata
 - 6-8 GB RAM (less RAM is possible but might introduce swapping)
@@ -529,7 +531,7 @@ The software that T-Pot is built on uses the following licenses.
GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://github.com/schmalle/ElasticpotPY), [ewsposter](https://github.com/dtag-dev-sec/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE), [elasticsearch-head](https://github.com/mobz/elasticsearch-head/blob/master/LICENCE)
MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE) -
Other: [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/) +
Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/)
 # Credits
@@ -540,6 +542,7 @@ Without open source and the fruitful development community (we are proud to be a
 * [adbhoney](https://github.com/huuck/ADBHoney/graphs/contributors)
 * [apt-fast](https://github.com/ilikenwf/apt-fast/graphs/contributors)
 * [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/graphs/contributors)
+* [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot/graphs/contributors)
 * [cockpit](https://github.com/cockpit-project/cockpit/graphs/contributors)
 * [conpot](https://github.com/mushorg/conpot/graphs/contributors)
 * [cowrie](https://github.com/micheloosterhof/cowrie/graphs/contributors)
diff --git a/bin/clean.sh b/bin/clean.sh
index fb982a02..f73ccb3c 100755
--- a/bin/clean.sh
+++ b/bin/clean.sh
@@ -90,6 +90,14 @@ fuCISCOASA () {
 chown tpot:tpot /data/ciscoasa -R
 }
+# Let's create a function to clean up and prepare citrixhoneypot data
+fuCITRIXHONEYPOT () {
+ if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi
+ mkdir -p /data/citrixhoneypot/log/
+ chmod 770 /data/citrixhoneypot/ -R
+ chown tpot:tpot /data/citrixhoneypot/ -R
+}
+
 # Let's create a function to clean up and prepare conpot data
 fuCONPOT () {
 if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
@@ -260,6 +268,7 @@ if [ "$myPERSISTENCE" = "on" ];
 echo "Cleaning up and preparing data folders."
 fuADBHONEY
 fuCISCOASA
+ fuCITRIXHONEYPOT
 fuCONPOT
 fuCOWRIE
 fuDIONAEA
diff --git a/docker/citrixhoneypot/Dockerfile b/docker/citrixhoneypot/Dockerfile
index e025389a..273faf57 100644
--- a/docker/citrixhoneypot/Dockerfile
+++ b/docker/citrixhoneypot/Dockerfile
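Review bot: `mkdir -p /data/citrixhoneypot/log/` in fuCITRIXHONEYPOT creates a directory nothing else in this commit uses — both compose files bind-mount `/data/citrixhoneypot/logs`, install.sh creates `/data/citrixhoneypot/logs`, and logrotate.conf watches `/data/citrixhoneypot/logs/server.log`. After a non-persistent clean, `rm -rf /data/citrixhoneypot/*` deletes `logs/`, only `log/` is recreated, and the recursive `chmod 770` / `chown tpot:tpot` therefore never touch the directory the container will actually write to; Docker will recreate the missing bind-mount source on its own, typically root-owned, so the ownership this function exists to enforce is lost. Change the line to `mkdir -p /data/citrixhoneypot/logs/` so it matches the rest of the change.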
@@ -1,8 +1,5 @@
 FROM alpine
 #
-# Include dist
-#ADD dist/ /root/dist/
-#
 # Install packages
 RUN apk -U add \
 git \
@@ -11,17 +8,14 @@ RUN apk -U add \
 python3 \
 python3-dev && \
 #
-# Install Citrix Honeypot from GitHub
+# Install CitrixHoneypot from GitHub
 git clone --depth=1 https://github.com/malwaretech/citrixhoneypot /opt/citrixhoneypot && \
-# sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
-# sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
 #
 # Setup user, groups and configs
 mkdir -p /opt/citrixhoneypot/logs /opt/citrixhoneypot/ssl && \
 openssl req \
 -nodes \
 -x509 \
- -sha512 \
 -newkey rsa:2048 \
 -keyout "/opt/citrixhoneypot/ssl/key.pem" \
 -out "/opt/citrixhoneypot/ssl/cert.pem" \
diff --git a/docker/citrixhoneypot/docker-compose.yml b/docker/citrixhoneypot/docker-compose.yml
index 3e0f31a5..c61cd140 100644
--- a/docker/citrixhoneypot/docker-compose.yml
+++ b/docker/citrixhoneypot/docker-compose.yml
@@ -15,7 +15,6 @@ services:
 ports:
 - "443:443"
 image: "dtagdevsec/citrixhoneypot:1903"
-# read_only: true
-# volumes:
-# - /data/adbhoney/log:/opt/adbhoney/log
-# - /data/adbhoney/downloads:/opt/adbhoney/dl
+ read_only: true
+ volumes:
+ - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
diff --git a/etc/compose/industrial.yml b/etc/compose/industrial.yml
index 7b65b23d..a70b6012 100644
--- a/etc/compose/industrial.yml
+++ b/etc/compose/industrial.yml
@@ -24,7 +24,6 @@ services:
 # Conpot default service
 conpot_default:
- build: .
 container_name: conpot_default
 restart: always
 environment:
diff --git a/etc/compose/nextgen.yml b/etc/compose/nextgen.yml
index ca109f68..c6c6afdb 100644
--- a/etc/compose/nextgen.yml
+++ b/etc/compose/nextgen.yml
@@ -4,6 +4,7 @@ version: '2.3'
 networks:
 adbhoney_local:
+ citrixhoneypot_local:
 conpot_local_IEC104:
 conpot_local_guardian_ast:
 conpot_local_ipmi:
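Review bot: Removing `-sha512` from the `openssl req` call leaves the self-signed certificate's signature digest at whatever default the unpinned `alpine` base's OpenSSL uses (sha256 on OpenSSL 1.1 and later, but nothing here pins the base), so if the drop was deliberate it deserves a comment, otherwise keep the digest explicit with `-sha256`. The bigger problem on the same lines is that the key pair is generated at image build time, so every container started from `dtagdevsec/citrixhoneypot:1903` presents the identical key and certificate — a stable fingerprint for anyone scanning for this honeypot, and a private key shipped inside the pulled image; generating it in an entrypoint into a tmpfs mount would avoid both, though that lives outside this hunk. The `git clone --depth=1` of the upstream repository is likewise unpinned, so each rebuild ships whatever its HEAD is at the time, and should be followed by a `git checkout <reviewed-commit>`. The RUN instruction starts in the previous hunk and the `openssl req` command continues past the end of this one.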
@@ -54,6 +55,19 @@ services:
 volumes:
 - /data/ciscoasa/log:/var/log/ciscoasa
+# CitrixHoneypot service
+ citrixhoneypot:
+ container_name: citrixhoneypot
+ restart: always
+ networks:
+ - citrixhoneypot_local
+ ports:
+ - "443:443"
+ image: "dtagdevsec/citrixhoneypot:1903"
+ read_only: true
+ volumes:
+ - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
+
 # Conpot IEC104 service
 conpot_IEC104:
 container_name: conpot_iec104
@@ -174,7 +188,7 @@ services:
 - "69:69/udp"
 - "81:81"
 - "135:135"
- - "443:443"
+ # - "443:443"
 - "445:445"
 - "1433:1433"
 - "1723:1723"
@@ -198,7 +212,6 @@ services:
 # Glutton service
 glutton:
- build: .
 container_name: glutton
 restart: always
 tmpfs:
@@ -244,7 +257,6 @@ services:
 # HoneyPy service
 honeypy:
- build: .
 container_name: honeypy
 restart: always
 networks:
@@ -410,7 +422,6 @@ services:
 # Fatt service
 fatt:
- build: .
 container_name: fatt
 restart: always
 network_mode: "host"
diff --git a/etc/logrotate/logrotate.conf b/etc/logrotate/logrotate.conf
index 9bed4b22..0feaba36 100644
--- a/etc/logrotate/logrotate.conf
+++ b/etc/logrotate/logrotate.conf
@@ -1,6 +1,7 @@
 /data/adbhoney/log/*.json
 /data/adbhoney/log/*.log
 /data/ciscoasa/log/ciscoasa.log
+/data/citrixhoneypot/logs/server.log
 /data/conpot/log/conpot*.json
 /data/conpot/log/conpot*.log
 /data/cowrie/log/cowrie.json
diff --git a/iso/installer/install.sh b/iso/installer/install.sh
index 4d0f9647..8b0a3408 100755
--- a/iso/installer/install.sh
+++ b/iso/installer/install.sh
@@ -778,6 +778,7 @@ echo "$myCRONJOBS" | tee -a /etc/crontab
 fuBANNER "Files & folders"
 mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
 /data/ciscoasa/log \
+ /data/citrixhoneypot/logs \
 /data/conpot/log \
 /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/ \
 /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp \
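Review bot: The replacement line `# - "443:443"` in the dionaea port list leaves a commented-out port with no hint of why it was disabled, which will read as an accident the next time someone reconciles the port mappings. Either delete the line or say why it is gone, e.g. `# 443 is served by the citrixhoneypot service`. The `build: .` removals in the glutton, honeypy and fatt hunks of this file and in industrial.yml look like unrelated cleanup that neither the commit message nor the changelog entry mentions. The dionaea service definition starts and ends outside this hunk.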