From 365e1a1e5cf6fe44b3319b391f86d5a3b31b6f73 Mon Sep 17 00:00:00 2001 
From: Marco Ochse Date: Sun, 30 Apr 2017 23:34:30 +0000 Subject: [PATCH 1/2] prepare switch to docker-compose --- installer/bin/clean.sh | 41 +---- installer/bin/dps.sh | 6 +- installer/data/imgcfg/all_images.conf | 13 -- installer/data/imgcfg/hp_images.conf | 6 - installer/data/imgcfg/industrial_images.conf | 8 - installer/data/imgcfg/tpot_images.conf | 11 -- installer/data/systemd/conpot.service | 15 -- installer/data/systemd/cowrie.service | 15 -- installer/data/systemd/dionaea.service | 15 -- installer/data/systemd/elasticpot.service | 15 -- installer/data/systemd/elk.service | 15 -- installer/data/systemd/emobility.service | 15 -- installer/data/systemd/ewsposter.service | 14 -- installer/data/systemd/glastopf.service | 15 -- installer/data/systemd/honeytrap.service | 23 --- installer/data/systemd/netdata.service | 15 -- installer/data/systemd/spiderfoot.service | 14 -- installer/data/systemd/suricata.service | 19 -- installer/data/systemd/ui-for-docker.service | 14 -- installer/etc/tpot/compose/all.yml | 174 ++++++++++++++++++ installer/etc/tpot/compose/hp.yml | 84 +++++++++ installer/etc/tpot/compose/industrial.yml | 103 +++++++++++ installer/etc/tpot/compose/tpot.yml | 149 +++++++++++++++ installer/{data => etc/tpot}/elkbase.tgz | Bin .../{data => etc/tpot}/kibana-objects.tgz | Bin installer/etc/tpot/systemd/tpot.service | 44 +++++ .../{data => etc/tpot}/systemd/wetty.service | 0 installer/install.sh | 37 ++-- preseed/tpot.seed | 2 +- 29 files changed, 586 insertions(+), 296 deletions(-) delete mode 100644 installer/data/imgcfg/all_images.conf delete mode 100644 installer/data/imgcfg/hp_images.conf delete mode 100644 installer/data/imgcfg/industrial_images.conf delete mode 100644 installer/data/imgcfg/tpot_images.conf delete mode 100644 installer/data/systemd/conpot.service delete mode 100644 installer/data/systemd/cowrie.service delete mode 100644 installer/data/systemd/dionaea.service delete mode 100644 installer/data/systemd/elasticpot.service delete 
mode 100644 installer/data/systemd/elk.service delete mode 100644 installer/data/systemd/emobility.service delete mode 100644 installer/data/systemd/ewsposter.service delete mode 100644 installer/data/systemd/glastopf.service delete mode 100644 installer/data/systemd/honeytrap.service delete mode 100644 installer/data/systemd/netdata.service delete mode 100644 installer/data/systemd/spiderfoot.service delete mode 100644 installer/data/systemd/suricata.service delete mode 100644 installer/data/systemd/ui-for-docker.service create mode 100644 installer/etc/tpot/compose/all.yml create mode 100644 installer/etc/tpot/compose/hp.yml create mode 100644 installer/etc/tpot/compose/industrial.yml create mode 100644 installer/etc/tpot/compose/tpot.yml rename installer/{data => etc/tpot}/elkbase.tgz (100%) rename installer/{data => etc/tpot}/kibana-objects.tgz (100%) create mode 100644 installer/etc/tpot/systemd/tpot.service rename installer/{data => etc/tpot}/systemd/wetty.service (100%) diff --git a/installer/bin/clean.sh b/installer/bin/clean.sh index 2e23a9e7..f3906114 100755 --- a/installer/bin/clean.sh +++ b/installer/bin/clean.sh @@ -8,7 +8,7 @@ ######################################################## # Set persistence -myPERSISTENCE=$2 +myPERSISTENCE=$1 # Check persistence if [ "$myPERSISTENCE" = "on" ]; @@ -36,7 +36,6 @@ fuCOWRIE () { # Let's create a function to clean up and prepare dionaea data fuDIONAEA () { rm -rf /data/dionaea/* - rm /data/ews/dionaea/ews.json mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp chmod 760 /data/dionaea -R chown tpot:tpot /data/dionaea -R 
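Review bot: `myPERSISTENCE=$1` treats every value other than `on` as a request to wipe `/data`, so a caller still using the old two-argument form (`clean.sh <name> off`) or passing nothing at all now lands on the destructive path, assuming the `on` branch below the visible context is the only thing that skips the `rm -rf` in functions such as fuDIONAEA. I would validate the argument before anything else: `case "$myPERSISTENCE" in on|off) ;; *) echo "usage: ${0##*/} on|off" >&2; exit 1 ;; esac`. The same concern applies to the third clean.sh hunk, where the `case $1` dispatch is replaced by unconditional calls to all nine fuXXX functions, so one misuse now cleans every honeypot's data instead of a single one; the `$1` the functions used to receive is also gone, which is fine only if none of their bodies (outside these hunks) still read it.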
@@ -93,32 +92,12 @@ fuSURICATA () { chown tpot:tpot -R /data/suricata } -case $1 in - conpot) - fuCONPOT $1 - ;; - cowrie) - fuCOWRIE $1 - ;; - dionaea) - fuDIONAEA $1 - ;; - elasticpot) - fuELASTICPOT $1 - ;; - elk) - fuELK $1 - ;; - emobility) - fuEMOBILITY $1 - ;; - glastopf) - fuGLASTOPF $1 - ;; - honeytrap) - fuHONEYTRAP $1 - ;; - suricata) - fuSURICATA $1 - ;; -esac +fuCONPOT +fuCOWRIE +fuDIONAEA +fuELASTICPOT +fuELK +fuEMOBILITY +fuGLASTOPF +fuHONEYTRAP +fuSURICATA diff --git a/installer/bin/dps.sh b/installer/bin/dps.sh index 3a12913f..6607b170 100755 --- a/installer/bin/dps.sh +++ b/installer/bin/dps.sh @@ -7,7 +7,9 @@ function fuCLEANUP { trap fuCLEANUP EXIT stty -echo -icanon time 0 min 0 -myIMAGES=$(cat /etc/tpot/images.conf) +#myIMAGES=$(cat /etc/tpot/images.conf) +#myIMAGES=$(/usr/bin/docker ps -a -f name=$i --format "table {{.Names}}" | grep -v NAMES) +myIMAGES=$(cat /etc/tpot/tpot.yml | grep container_name | cut -d: -f2) while true do clear @@ -18,7 +20,7 @@ while true echo echo "NAME CREATED PORTS" for i in $myIMAGES; do - mySTATUS=$(/usr/bin/docker ps -f name=$i --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' /bin/egrep --color=always "(^[_a-z-]+ |$)|$" | GREP_COLORS='mt=01;32' /bin/egrep --color=always "(Up[ 0-9a-Z ]+ |$)|$" | GREP_COLORS='mt=01;31' /bin/egrep --color=always "(Exited[ \(0-9\) ]+ [0-9a-Z ]+ ago|$)|$" | tail -n 1) + mySTATUS=$(/usr/bin/docker ps -f name=$i --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' /bin/egrep --color=always "(^[_0-9a-z-]+ |$)|$" | GREP_COLORS='mt=01;32' /bin/egrep --color=always "(Up[ 0-9a-Z ]+ |$)|$" | GREP_COLORS='mt=01;31' /bin/egrep --color=always "(Exited[ \(0-9\) ]+ [0-9a-Z ]+ ago|$)|$" | tail -n 1) myDOWN=$(echo "$mySTATUS" | grep -c "NAMES") if [ "$myDOWN" = "1" ]; then 
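Review bot: `myIMAGES=$(cat /etc/tpot/tpot.yml | grep container_name | cut -d: -f2)` parses YAML by substring, so any comment or value that happens to contain `container_name` (and, with `-f2`, any value holding a second colon) ends up in the list that is then fed to `docker ps -f name=$i`. A narrower extraction also drops the cat and the cut: `myIMAGES=$(awk '/^[[:space:]]*container_name:/ {print $2}' /etc/tpot/tpot.yml)`. The two commented-out alternatives above it should be deleted or explained in a comment, since the second one references `$i` before the loop that defines it. The same grep/cut pipeline is repeated twice in the install.sh hunk; one shared extraction would keep the three copies in step.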
diff --git a/installer/data/imgcfg/all_images.conf b/installer/data/imgcfg/all_images.conf deleted file mode 100644 index 0b64dfee..00000000 --- a/installer/data/imgcfg/all_images.conf +++ /dev/null @@ -1,13 +0,0 @@ -conpot -cowrie -dionaea -elasticpot -elk -emobility -ewsposter -glastopf -honeytrap -netdata -spiderfoot -suricata -ui-for-docker diff --git a/installer/data/imgcfg/hp_images.conf b/installer/data/imgcfg/hp_images.conf deleted file mode 100644 index e5aa3e75..00000000 --- a/installer/data/imgcfg/hp_images.conf +++ /dev/null @@ -1,6 +0,0 @@ -cowrie -dionaea -elasticpot -ewsposter -glastopf -honeytrap diff --git a/installer/data/imgcfg/industrial_images.conf b/installer/data/imgcfg/industrial_images.conf deleted file mode 100644 index 6c242158..00000000 --- a/installer/data/imgcfg/industrial_images.conf +++ /dev/null @@ -1,8 +0,0 @@ -conpot -elk -emobility -ewsposter -netdata -spiderfoot -suricata -ui-for-docker diff --git a/installer/data/imgcfg/tpot_images.conf b/installer/data/imgcfg/tpot_images.conf deleted file mode 100644 index 62e9f29b..00000000 --- a/installer/data/imgcfg/tpot_images.conf +++ /dev/null @@ -1,11 +0,0 @@ -cowrie -dionaea -elasticpot -elk -ewsposter -glastopf -honeytrap -netdata -spiderfoot -suricata -ui-for-docker diff --git a/installer/data/systemd/conpot.service b/installer/data/systemd/conpot.service deleted file mode 100644 index a60d6b04..00000000 --- a/installer/data/systemd/conpot.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=conpot -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop conpot -ExecStartPre=-/usr/bin/docker rm -v conpot -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh conpot off' -ExecStart=/usr/bin/docker run --name conpot --rm=true -v /data/conpot:/data/conpot -v /data/ews:/data/ews -p 1025:1025 -p 50100:50100 dtagdevsec/conpot:1706 -ExecStop=/usr/bin/docker stop conpot - -[Install] -WantedBy=multi-user.target 
diff --git a/installer/data/systemd/cowrie.service b/installer/data/systemd/cowrie.service deleted file mode 100644 index a52633ce..00000000 --- a/installer/data/systemd/cowrie.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=cowrie -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop cowrie -ExecStartPre=-/usr/bin/docker rm -v cowrie -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh cowrie off' -ExecStart=/usr/bin/docker run --name cowrie --rm=true -p 22:2222 -p 23:2223 -v /data/cowrie:/data/cowrie -v /data/ews:/data/ews dtagdevsec/cowrie:1706 -ExecStop=/usr/bin/docker stop cowrie - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/dionaea.service b/installer/data/systemd/dionaea.service deleted file mode 100644 index 87385f7f..00000000 --- a/installer/data/systemd/dionaea.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=dionaea -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop dionaea -ExecStartPre=-/usr/bin/docker rm -v dionaea -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh dionaea off' -ExecStart=/usr/bin/docker run --name dionaea --cap-add=NET_BIND_SERVICE --rm=true -p 21:21 -p 42:42 -p 69:69/udp -p 8081:80 -p 135:135 -p 443:443 -p 445:445 -p 1433:1433 -p 1723:1723 -p 1883:1883 -p 1900:1900 -p 3306:3306 -p 5060:5060 -p 5061:5061 -p 5060:5060/udp -p 11211:11211 -v /data/dionaea:/data/dionaea dtagdevsec/dionaea:1706 -ExecStop=/usr/bin/docker stop dionaea - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/elasticpot.service b/installer/data/systemd/elasticpot.service deleted file mode 100644 index 3b0ed484..00000000 --- a/installer/data/systemd/elasticpot.service +++ /dev/null 
@@ -1,15 +0,0 @@ -[Unit] -Description=elasticpot -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop elasticpot -ExecStartPre=-/usr/bin/docker rm -v elasticpot -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh elasticpot off' -ExecStart=/usr/bin/docker run --name elasticpot --rm=true -v /data/elasticpot:/data/elasticpot -p 9200:9200 dtagdevsec/elasticpot:1706 -ExecStop=/usr/bin/docker stop elasticpot - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/elk.service b/installer/data/systemd/elk.service deleted file mode 100644 index 3fe38e38..00000000 --- a/installer/data/systemd/elk.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=elk -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop elk -ExecStartPre=-/usr/bin/docker rm -v elk -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh elk' -ExecStart=/usr/bin/docker run --name=elk --env-file /etc/tpot/elk/environment --cap-add=IPC_LOCK --ulimit memlock=-1:-1 --ulimit nofile=65536:65536 -v /data:/data -v /var/log:/data/host/log -p 127.0.0.1:64296:5601 -p 127.0.0.1:64302:9100 -p 127.0.0.1:64298:9200 --rm=true dtagdevsec/elk:1706 -ExecStop=/usr/bin/docker stop elk - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/emobility.service b/installer/data/systemd/emobility.service deleted file mode 100644 index cc96e0b8..00000000 --- a/installer/data/systemd/emobility.service +++ /dev/null 
@@ -1,15 +0,0 @@ -[Unit] -Description=emobility -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop emobility -ExecStartPre=-/usr/bin/docker rm -v emobility -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh emobility off' -ExecStart=/usr/bin/docker run --name emobility --cap-add=NET_ADMIN -p 8080:8080 -v /data/emobility:/data/eMobility -v /data/ews:/data/ews --rm=true dtagdevsec/emobility:1706 -ExecStop=/usr/bin/docker stop emobility - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/ewsposter.service b/installer/data/systemd/ewsposter.service deleted file mode 100644 index 3979aa2f..00000000 --- a/installer/data/systemd/ewsposter.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=ewsposter -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop ewsposter -ExecStartPre=-/usr/bin/docker rm -v ewsposter -ExecStart=/usr/bin/docker run --name ewsposter --rm=true -v /data:/data -v /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip dtagdevsec/ewsposter:1706 -ExecStop=/usr/bin/docker stop ewsposter - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/glastopf.service b/installer/data/systemd/glastopf.service deleted file mode 100644 index 1ac6f39b..00000000 --- a/installer/data/systemd/glastopf.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=glastopf -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop glastopf -ExecStartPre=-/usr/bin/docker rm -v glastopf -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh glastopf off' -ExecStart=/usr/bin/docker run --name glastopf --rm=true -v /data/glastopf:/data/glastopf -v /data/ews:/data/ews -p 80:80 dtagdevsec/glastopf:1706 -ExecStop=/usr/bin/docker stop glastopf - -[Install] -WantedBy=multi-user.target 
diff --git a/installer/data/systemd/honeytrap.service b/installer/data/systemd/honeytrap.service deleted file mode 100644 index a3b2f5f2..00000000 --- a/installer/data/systemd/honeytrap.service +++ /dev/null @@ -1,23 +0,0 @@ -[Unit] -Description=honeytrap -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop honeytrap -ExecStartPre=-/usr/bin/docker rm -v honeytrap -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh honeytrap off' -ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE -ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE -ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301,64302,64303 -j NFQUEUE -ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE -ExecStart=/usr/bin/docker run --name honeytrap --cap-add=NET_ADMIN --net=host --rm=true -v /data/honeytrap:/data/honeytrap -v /data/ews:/data/ews dtagdevsec/honeytrap:1706 -ExecStop=/usr/bin/docker stop honeytrap -ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE -ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301,64302,64303 -j NFQUEUE -ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE -ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE - -[Install] -WantedBy=multi-user.target 
diff --git a/installer/data/systemd/netdata.service b/installer/data/systemd/netdata.service deleted file mode 100644 index d4d6e1f5..00000000 --- a/installer/data/systemd/netdata.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=netdata -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop netdata -ExecStartPre=-/usr/bin/docker rm -v netdata -ExecStartPre=-/bin/chmod 666 /var/run/docker.sock -ExecStart=/usr/bin/docker run --name netdata --net=host --cap-add=SYS_PTRACE --security-opt apparmor=unconfined --rm=true -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /var/run/docker.sock:/var/run/docker.sock dtagdevsec/netdata:1706 -ExecStop=/usr/bin/docker stop netdata - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/spiderfoot.service b/installer/data/systemd/spiderfoot.service deleted file mode 100644 index acae2287..00000000 --- a/installer/data/systemd/spiderfoot.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=spiderfoot -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop spiderfoot -ExecStartPre=-/usr/bin/docker rm -v spiderfoot -ExecStart=/usr/bin/docker run --name spiderfoot --rm=true -p 127.0.0.1:64303:8080 dtagdevsec/spiderfoot:1706 -ExecStop=/usr/bin/docker stop spiderfoot - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/suricata.service b/installer/data/systemd/suricata.service deleted file mode 100644 index d062895f..00000000 --- a/installer/data/systemd/suricata.service +++ /dev/null 
@@ -1,19 +0,0 @@ -[Unit] -Description=suricata -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop suricata -ExecStartPre=-/usr/bin/docker rm -v suricata -# Get IF, disable offloading, enable promiscious mode -ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') rx off tx off' -ExecStartPre=/bin/bash -c '/sbin/ethtool -K $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') gso off gro off' -ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') promisc on' -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh suricata off' -ExecStart=/usr/bin/docker run --name suricata --cap-add=NET_ADMIN --net=host --rm=true -v /data/suricata:/data/suricata dtagdevsec/suricata:1706 -ExecStop=/usr/bin/docker stop suricata - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/ui-for-docker.service b/installer/data/systemd/ui-for-docker.service deleted file mode 100644 index c833f756..00000000 --- a/installer/data/systemd/ui-for-docker.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=ui-for-docker -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop ui-for-docker -ExecStartPre=-/usr/bin/docker rm -v ui-for-docker -ExecStart=/usr/bin/docker run --name ui-for-docker --rm=true -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:64299:9000 dtagdevsec/ui-for-docker:1706 -H unix:///var/run/docker.sock --no-auth -ExecStop=/usr/bin/docker stop ui-for-docker - -[Install] -WantedBy=multi-user.target diff --git a/installer/etc/tpot/compose/all.yml b/installer/etc/tpot/compose/all.yml new file mode 100644 index 00000000..ca6dfc38 --- /dev/null 
+++ b/installer/etc/tpot/compose/all.yml 
@@ -0,0 +1,174 @@ +# T-Pot (Everything) +# For docker-compose version ... +version: '2' +services: + +# Conpot service + conpot: + container_name: conpot + restart: always + ports: + - "1025:1025" + - "50100:50100" + image: "dtagdevsec/conpot:1706" + volumes: + - /data/conpot:/data/conpot + - /data/ews:/data/ews + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + ports: + - "22:2222" + - "23:2223" + image: "dtagdevsec/cowrie:1706" + volumes: + - /data/cowrie:/data/cowrie + +# Dionaea service + dionaea: + container_name: dionaea + restart: always + cap_add: + - NET_BIND_SERVICE + ports: + - "21:21" + - "42:42" + - "69:69/udp" + - "8081:80" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "1900:1900" + - "3306:3306" + - "5060:5060" + - "5061:5061" + - "5060:5060/udp" + - "11211:11211" + image: "dtagdevsec/dionaea:1706" + volumes: + - /data/dionaea:/data/dionaea + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1706" + volumes: + - /data/elasticpot:/data/elasticpot + +# ELK service + elk: + container_name: elk + restart: always + env_file: + - /etc/tpot/elk/environment + cap_add: + - IPC_LOCK + ulimits: + memlock: -1 + nofile: 65536 + ports: + - "127.0.0.1:64296:5601" + - "127.0.0.1:64302:9100" + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elk:1706" + volumes: + - /data:/data + - /var/log:/data/host/log + +# Emobility service + emobility: + container_name: emobility + restart: always + cap_add: + - NET_ADMIN + ports: + - "8080:8080" + image: "dtagdevsec/emobility:1706" + volumes: + - /data/emobility:/data/eMobility + - /data/ews:/data/ews + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + image: "dtagdevsec/ewsposter:1706" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Glastopf service + glastopf: + container_name: glastopf + restart: always + 
ports: + - "80:80" + image: "dtagdevsec/glastopf:1706" + volumes: + - /data/glastopf:/data/glastopf + - /data/ews:/data/ews + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1706" + volumes: + - /data/honeytrap:/data/honeytrap + - /data/ews:/data/ews + +# Netdata service + netdata: + container_name: netdata + restart: always + network_mode: "host" + cap_add: + - SYS_PTRACE + security_opt: + - apparmor=unconfined + image: "dtagdevsec/netdata:1706" + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock + +# Spiderfoot service + spiderfoot: + container_name: spiderfoot + restart: always + ports: + - "127.0.0.1:64303:8080" + image: "dtagdevsec/spiderfoot:1706" + +# Ui-for-docker service + ui-for-docker: + container_name: ui-for-docker + command: -H unix:///var/run/docker.sock --no-auth + restart: always + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/ui-for-docker:1706" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + +# Suricata service + suricata: + container_name: suricata + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/suricata:1706" + volumes: + - /data/suricata:/data/suricata diff --git a/installer/etc/tpot/compose/hp.yml b/installer/etc/tpot/compose/hp.yml new file mode 100644 index 00000000..ea3ed8f4 --- /dev/null +++ b/installer/etc/tpot/compose/hp.yml 
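Review bot: The cowrie service lost the `/data/ews:/data/ews` mount that the deleted cowrie.service passed to `docker run` (`-v /data/ews:/data/ews`), while every other honeypot that had it (conpot, emobility, glastopf, honeytrap) keeps it here. If the cowrie image still writes its ews output under `/data/ews` inside the container, that output now stays in the container's writable layer and is lost on `down -v` — presumably unintended, but I cannot tell from the diff whether ewsposter still relies on it. The hp.yml and tpot.yml hunks have the same omission. If it is deliberate, a one-line comment above the cowrie `volumes:` saying so would save the next reader the comparison.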
@@ -0,0 +1,84 @@ +# T-Pot (Standard) +# For docker-compose version ... +version: '2' +services: + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + ports: + - "22:2222" + - "23:2223" + image: "dtagdevsec/cowrie:1706" + volumes: + - /data/cowrie:/data/cowrie + +# Dionaea service + dionaea: + container_name: dionaea + restart: always + cap_add: + - NET_BIND_SERVICE + ports: + - "21:21" + - "42:42" + - "69:69/udp" + - "8081:80" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "1900:1900" + - "3306:3306" + - "5060:5060" + - "5061:5061" + - "5060:5060/udp" + - "11211:11211" + image: "dtagdevsec/dionaea:1706" + volumes: + - /data/dionaea:/data/dionaea + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1706" + volumes: + - /data/elasticpot:/data/elasticpot + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + image: "dtagdevsec/ewsposter:1706" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Glastopf service + glastopf: + container_name: glastopf + restart: always + ports: + - "80:80" + image: "dtagdevsec/glastopf:1706" + volumes: + - /data/glastopf:/data/glastopf + - /data/ews:/data/ews + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1706" + volumes: + - /data/honeytrap:/data/honeytrap + - /data/ews:/data/ews diff --git a/installer/etc/tpot/compose/industrial.yml b/installer/etc/tpot/compose/industrial.yml new file mode 100644 index 00000000..1f451c33 --- /dev/null +++ b/installer/etc/tpot/compose/industrial.yml 
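Review bot: The header comment `# T-Pot (Standard)` does not match the file: install.sh copies hp.yml for the HONEYPOT flavor, tpot.yml carries the identical `(Standard)` header, and industrial.yml's header reads `# T-Pot (Everything)` although it is the INDUSTRIAL flavor. I would make each header name its own flavor, e.g. `# T-Pot (Honeypot)` here and `# T-Pot (Industrial)` in industrial.yml, so that the installed `/etc/tpot/tpot.yml` reveals which flavor it came from. The `# For docker-compose version ...` placeholder in all four files should either state the compose version the `version: '2'` schema was tested with or be dropped.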
@@ -0,0 +1,103 @@ +# T-Pot (Everything) +# For docker-compose version ... +version: '2' +services: + +# Conpot service + conpot: + container_name: conpot + restart: always + ports: + - "1025:1025" + - "50100:50100" + image: "dtagdevsec/conpot:1706" + volumes: + - /data/conpot:/data/conpot + - /data/ews:/data/ews + +# ELK service + elk: + container_name: elk + restart: always + env_file: + - /etc/tpot/elk/environment + cap_add: + - IPC_LOCK + ulimits: + memlock: -1 + nofile: 65536 + ports: + - "127.0.0.1:64296:5601" + - "127.0.0.1:64302:9100" + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elk:1706" + volumes: + - /data:/data + - /var/log:/data/host/log + +# Emobility service + emobility: + container_name: emobility + restart: always + cap_add: + - NET_ADMIN + ports: + - "8080:8080" + image: "dtagdevsec/emobility:1706" + volumes: + - /data/emobility:/data/eMobility + - /data/ews:/data/ews + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + image: "dtagdevsec/ewsposter:1706" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Netdata service + netdata: + container_name: netdata + restart: always + network_mode: "host" + cap_add: + - SYS_PTRACE + security_opt: + - apparmor=unconfined + image: "dtagdevsec/netdata:1706" + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock + +# Spiderfoot service + spiderfoot: + container_name: spiderfoot + restart: always + ports: + - "127.0.0.1:64303:8080" + image: "dtagdevsec/spiderfoot:1706" + +# Ui-for-docker service + ui-for-docker: + container_name: ui-for-docker + command: -H unix:///var/run/docker.sock --no-auth + restart: always + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/ui-for-docker:1706" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + +# Suricata service + suricata: + container_name: suricata + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/suricata:1706" 
+ volumes: + - /data/suricata:/data/suricata diff --git a/installer/etc/tpot/compose/tpot.yml b/installer/etc/tpot/compose/tpot.yml new file mode 100644 index 00000000..39150568 --- /dev/null +++ b/installer/etc/tpot/compose/tpot.yml 
@@ -0,0 +1,149 @@ +# T-Pot (Standard) +# For docker-compose version ... +version: '2' +services: + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + ports: + - "22:2222" + - "23:2223" + image: "dtagdevsec/cowrie:1706" + volumes: + - /data/cowrie:/data/cowrie + +# Dionaea service + dionaea: + container_name: dionaea + restart: always + cap_add: + - NET_BIND_SERVICE + ports: + - "21:21" + - "42:42" + - "69:69/udp" + - "8081:80" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "1900:1900" + - "3306:3306" + - "5060:5060" + - "5061:5061" + - "5060:5060/udp" + - "11211:11211" + image: "dtagdevsec/dionaea:1706" + volumes: + - /data/dionaea:/data/dionaea + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1706" + volumes: + - /data/elasticpot:/data/elasticpot + +# ELK service + elk: + container_name: elk + restart: always + env_file: + - /etc/tpot/elk/environment + cap_add: + - IPC_LOCK + ulimits: + memlock: -1 + nofile: 65536 + ports: + - "127.0.0.1:64296:5601" + - "127.0.0.1:64302:9100" + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elk:1706" + volumes: + - /data:/data + - /var/log:/data/host/log + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + image: "dtagdevsec/ewsposter:1706" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Glastopf service + glastopf: + container_name: glastopf + restart: always + ports: + - "80:80" + image: "dtagdevsec/glastopf:1706" + volumes: + - /data/glastopf:/data/glastopf + - /data/ews:/data/ews + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1706" + volumes: + - /data/honeytrap:/data/honeytrap + - /data/ews:/data/ews + +# Netdata service + netdata: + container_name: netdata + restart: always + network_mode: 
"host" + cap_add: + - SYS_PTRACE + security_opt: + - apparmor=unconfined + image: "dtagdevsec/netdata:1706" + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock + +# Spiderfoot service + spiderfoot: + container_name: spiderfoot + restart: always + ports: + - "127.0.0.1:64303:8080" + image: "dtagdevsec/spiderfoot:1706" + +# Ui-for-docker service + ui-for-docker: + container_name: ui-for-docker + command: -H unix:///var/run/docker.sock --no-auth + restart: always + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/ui-for-docker:1706" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + +# Suricata service + suricata: + container_name: suricata + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/suricata:1706" + volumes: + - /data/suricata:/data/suricata diff --git a/installer/data/elkbase.tgz b/installer/etc/tpot/elkbase.tgz similarity index 100% rename from installer/data/elkbase.tgz rename to installer/etc/tpot/elkbase.tgz diff --git a/installer/data/kibana-objects.tgz b/installer/etc/tpot/kibana-objects.tgz similarity index 100% rename from installer/data/kibana-objects.tgz rename to installer/etc/tpot/kibana-objects.tgz diff --git a/installer/etc/tpot/systemd/tpot.service b/installer/etc/tpot/systemd/tpot.service new file mode 100644 index 00000000..40344551 --- /dev/null +++ b/installer/etc/tpot/systemd/tpot.service 
@@ -0,0 +1,44 @@
+[Unit]
+Description=tpot
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+
+# Clear state from /data
+ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh off'
+
+# Remove old containers and volumes
+ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v
+ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml rm -v
+ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)'
+
+# Get IF, disable offloading, enable promiscious mode for p0f and suricata
+ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') rx off tx off'
+ExecStartPre=/bin/bash -c '/sbin/ethtool -K $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') gso off gro off'
+ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') promisc on'
+
+# Modify access rights on docker.sock for netdata
+ExecStartPre=-/bin/chmod 666 /var/run/docker.sock
+
+# Prepare iptables rules for honeytrap
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301,64302,64303 -j NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
+
+# Compose T-Pot up and run as daemon
+ExecStart=/usr/bin/docker-compose -f /etc/tpot/tpot.yml up
+
+# Compose T-Pot down and remove containers
+ExecStop=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v
+
+# Remove iptables rules for honeytrap
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301,64302,64303 -j NFQUEUE
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
+
+[Install]
+WantedBy=multi-user.target
diff --git a/installer/data/systemd/wetty.service b/installer/etc/tpot/systemd/wetty.service
similarity index 100%
rename from installer/data/systemd/wetty.service
rename to installer/etc/tpot/systemd/wetty.service
diff --git a/installer/install.sh b/installer/install.sh
index 05fb622b..472146ce 100755
--- a/installer/install.sh
+++ b/installer/install.sh
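Review bot: `ExecStartPre=-/bin/chmod 666 /var/run/docker.sock` now runs for every flavor, but its comment scopes it to netdata, which hp.yml does not deploy; a world-writable Docker socket gives any local account root-equivalent control of the host, so on the HP flavor this weakens the host for no benefit. I would make it conditional on the active compose file, e.g. `ExecStartPre=-/bin/bash -c 'grep -q "^ *container_name: netdata" /etc/tpot/tpot.yml && /bin/chmod 666 /var/run/docker.sock'`, and would prefer giving the netdata container group access to the socket over mode 666 where the image allows it. Separately, `docker volume rm $(docker volume ls -q)` deletes every volume on the host, not only T-Pot's, while the preceding `down -v` already removes the compose project's volumes; if the extra sweep is really needed, filtering by the compose label (`-f label=com.docker.compose.project=tpot`, the project name presumably being derived from the /etc/tpot directory) would confine it. The iptables NFQUEUE exclusions and the promiscuous-mode/offload changes are likewise applied unconditionally for honeytrap and suricata even when the selected flavor contains neither.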
@@ -353,26 +353,26 @@ EOF case $myFLAVOR in HP) echo "### Preparing HONEYPOT flavor installation." - cp /root/tpot/data/imgcfg/hp_images.conf /root/tpot/data/images.conf 2>&1>/dev/null + cp /root/tpot/etc/tpot/compose/hp.yml /root/tpot/etc/tpot/tpot.yml 2>&1>/dev/null ;; INDUSTRIAL) echo "### Preparing INDUSTRIAL flavor installation." - cp /root/tpot/data/imgcfg/industrial_images.conf /root/tpot/data/images.conf 2>&1>/dev/null + cp /root/tpot/etc/tpot/compose/industrial.yml /root/tpot/etc/tpot/tpot.yml 2>&1>/dev/null ;; TPOT) echo "### Preparing TPOT flavor installation." - cp /root/tpot/data/imgcfg/tpot_images.conf /root/tpot/data/images.conf 2>&1>/dev/null + cp /root/tpot/etc/tpot/compose/tpot.yml /root/tpot/etc/tpot/tpot.yml 2>&1>/dev/null ;; EVERYTHING) echo "### Preparing EVERYTHING flavor installation." - cp /root/tpot/data/imgcfg/all_images.conf /root/tpot/data/images.conf 2>&1>/dev/null + cp /root/tpot/etc/tpot/compose/all.yml /root/tpot/etc/tpot/tpot.yml 2>&1>/dev/null ;; esac # Let's load docker images -myIMAGESCOUNT=$(cat /root/tpot/data/images.conf | wc -w) +myIMAGESCOUNT=$(cat /root/tpot/etc/tpot/tpot.yml | grep container_name | cut -d: -f2 | wc -l) j=0 -for name in $(cat /root/tpot/data/images.conf) +for name in $(cat /root/tpot/etc/tpot/tpot.yml | grep container_name | cut -d: -f2) do dialog --title "[ Downloading docker images, please be patient ]" --backtitle "$myBACKTITLE" \ --gauge "\n Now downloading: dtagdevsec/$name:1706\n" 8 80 $(expr 100 \* $j / $myIMAGESCOUNT) <&1>/dev/null <:/api delete --filters resource= && alerta --endpoint-url http://:/api send -e IP -r -E Production -s ok -S T-Pot -t \$(cat /data/elk/logstash/mylocal.ip) --status open # Check if updated images are available and download them -27 1 * * * root for i in \$(cat /etc/tpot/images.conf); do docker pull dtagdevsec/\$i:1706; done +27 1 * * * root /usr/bin/docker-compose -f /etc/tpot/tpot.yml pull # Restart docker service and containers -27 3 * * * root dcres.sh +#27 3 * * * 
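Review bot: `grep container_name | cut -d: -f2` on `tpot.yml` is an unanchored substring match that also captures comments or any other key containing that text, and the cut field still carries the leading space from the YAML value, so both `myIMAGESCOUNT` and the `for name in $(...)` loop only work through unquoted word-splitting; an anchored form such as `grep -E '^\s*container_name:' /root/tpot/etc/tpot/tpot.yml | awk '{print $2}'` (with `grep -cE` for the count) is more robust. The same pipeline is repeated in the status.sh hunk (`@@ -1,16 +1,10 @@`) and reused by dps.sh. The new `cp ... 2>&1>/dev/null` lines have the redirections in the wrong order: stderr is duplicated onto the current stdout before stdout is sent to /dev/null, so errors still reach the terminal while normal output is hidden; `>/dev/null 2>&1` is the intended form, and the `docker pull` line in the `@@ -372,15 +371,15 @@` hunk has the same order. The end of this hunk and the crontab heredoc that follows are partly lost to extraction garbling, so those lines could not be reviewed in full.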
root dcres.sh # Delete elastic indices older than 90 days (kibana index is omitted by default) -27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' +#27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' # Update IP and erase check.lock if it exists 27 5 * * * root /etc/rc.local 
@@ -445,31 +445,28 @@ mkdir -p /data/conpot/log \ /data/emobility/log \ /data/ews/conf \ /data/suricata/log /home/tsec/.ssh/ \ - /etc/tpot/elk /etc/tpot/imgcfg /etc/tpot/systemd \ + /etc/tpot/elk /etc/tpot/compose /etc/tpot/systemd \ /usr/share/tpot/bin 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF # Let's take care of some files and permissions before copying chmod 500 /root/tpot/bin/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF -chmod 600 /root/tpot/data/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF +chmod 600 -R /root/tpot/etc/tpot 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF chmod 644 /root/tpot/etc/issue 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF chmod 755 /root/tpot/etc/rc.local 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF -chmod 644 /root/tpot/data/systemd/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF +chmod 644 /root/tpot/etc/tpot/systemd/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF # Let's copy some files -tar xvfz /root/tpot/data/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF +tar xvfz /root/tpot/etc/tpot/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF cp -R /root/tpot/bin/* /usr/share/tpot/bin/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -cp -R /root/tpot/data/* /etc/tpot/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -cp /root/tpot/data/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF +cp -R /root/tpot/etc/tpot/* /etc/tpot/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF +cp /root/tpot/etc/tpot/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp -R /root/tpot/etc/nginx/ssl 
/etc/nginx/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/nginx/tpotweb.conf /etc/nginx/sites-available/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/nginx/nginx.conf /etc/nginx/nginx.conf 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/keys/authorized_keys /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/usr/share/nginx/html/* /usr/share/nginx/html/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -for i in $(cat /etc/tpot/images.conf); - do - systemctl enable $i 2>&1 | dialog --title "[ Enabling service for $i ]" $myPROGRESSBOXCONF -done +systemctl enable tpot 2>&1 | dialog --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF systemctl enable wetty 2>&1 | dialog --title "[ Enabling service for wetty ]" $myPROGRESSBOXCONF # Let's enable T-Pot website diff --git a/preseed/tpot.seed b/preseed/tpot.seed index c42a48c6..5f6502bc 100755 --- a/preseed/tpot.seed +++ b/preseed/tpot.seed 
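Review bot: `chmod 600 -R /root/tpot/etc/tpot` applies 0600 to the directories as well (`/root/tpot/etc/tpot`, `compose/`, `systemd/`), stripping their search bit, so the tree stays traversable only because the installer runs as root, and the later `chmod 644 /root/tpot/etc/tpot/systemd/*` repairs the files but not the directories. `chmod -R u=rwX,go= /root/tpot/etc/tpot` keeps directories searchable while still restricting the files to the owner; placing the option before the operand also avoids relying on GNU argument permutation, which a POSIX chmod rejects. The enclosing script continues outside this hunk.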
@@ -100,7 +100,7 @@ tasksel tasksel/first multiselect ubuntu-server ######################## ### Package Installation ######################## -d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io dstat ethtool genisoimage git glances html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant +d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io docker-compose dstat ethtool genisoimage git glances html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant ################# ### Update Policy From 3de02ee7b02d3040f6e190351e0eef3f84bc99b9 Mon Sep 17 00:00:00 2001 
From: Marco Ochse Date: Mon, 1 May 2017 19:03:27 +0000 Subject: [PATCH 2/2] tweaking for docker-compose get rid of self-check scripts, docker-compose takes care of that now use tpot.yml config for tpot scripts wipe crontab clean of legacy scripts check.lock no longer needed (rc.local) adjust installer (invisible cursor, get image info from tpot.yml, some tweaking) --- installer/bin/backup_es_folders.sh | 1 + installer/bin/check.sh | 41 -------------- installer/bin/clean.sh | 8 +-- installer/bin/dcres.sh | 76 ------------------------- installer/bin/dps.sh | 4 +- installer/bin/dump_es.sh | 1 + installer/bin/export_kibana-objects.sh | 1 + installer/bin/import_kibana-objects.sh | 1 + installer/bin/myip.sh | 5 -- installer/bin/restore_es.sh | 1 + installer/bin/status.sh | 10 +--- installer/bin/update-images.sh | 78 -------------------------- installer/etc/rc.local | 3 - installer/install.sh | 38 +++++-------- 14 files changed, 23 insertions(+), 245 deletions(-) delete mode 100755 installer/bin/check.sh delete mode 100755 installer/bin/dcres.sh delete mode 100755 installer/bin/update-images.sh diff --git a/installer/bin/backup_es_folders.sh b/installer/bin/backup_es_folders.sh index c3c19de0..08155332 100755 --- a/installer/bin/backup_es_folders.sh +++ b/installer/bin/backup_es_folders.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Backup all ES relevant folders # Make sure ES is available myES="http://127.0.0.1:64298/" myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) diff --git a/installer/bin/check.sh b/installer/bin/check.sh deleted file mode 100755 index 0ea3423c..00000000 --- a/installer/bin/check.sh +++ /dev/null 
@@ -1,41 +0,0 @@
-#!/bin/bash
-
-########################################################
-# T-Pot #
-# Check container and services script #
-# #
-# v16.10.0 by mo, DTAG, 2016-05-12 #
-########################################################
-if [ -a /var/run/check.lock ];
- then
- echo "Lock exists. Exiting now."
- exit
-fi
-
-myIMAGES=$(cat /etc/tpot/images.conf)
-
-touch /var/run/check.lock
-
-myUPTIME=$(awk '{print int($1/60)}' /proc/uptime)
-for i in $myIMAGES
- do
- if [ "$i" != "ui-for-docker" ] && [ "$i" != "netdata" ] && [ "$i" != "spiderfoot" ];
- then
- myCIDSTATUS=$(docker exec $i supervisorctl status)
- if [ $? -ne 0 ];
- then
- myCIDSTATUS=1
- else
- myCIDSTATUS=$(echo $myCIDSTATUS | egrep -c "(STOPPED|FATAL)")
- fi
- if [ $myUPTIME -gt 4 ] && [ $myCIDSTATUS -gt 0 ];
- then
- echo "Restarting "$i"."
- systemctl stop $i
- sleep 5
- systemctl start $i
- fi
- fi
-done
-
-rm /var/run/check.lock
diff --git a/installer/bin/clean.sh b/installer/bin/clean.sh
index f3906114..ae60d124 100755
--- a/installer/bin/clean.sh
+++ b/installer/bin/clean.sh
@@ -1,11 +1,5 @@
 #!/bin/bash
-
-########################################################
-# T-Pot #
-# Container Data Cleaner #
-# #
-# v16.10.0 by mo, DTAG, 2016-05-28 #
-########################################################
+# T-Pot Container Data Cleaner
 
 # Set persistence
 myPERSISTENCE=$1
diff --git a/installer/bin/dcres.sh b/installer/bin/dcres.sh
deleted file mode 100755
index 26e1f884..00000000
--- a/installer/bin/dcres.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/bash
-
-########################################################
-# T-Pot #
-# Container and services restart script #
-# #
-# v16.10.0 by mo, DTAG, 2016-05-12 #
-########################################################
-myCOUNT=1
-
-while true
-do
- if ! [ -a /var/run/check.lock ];
- then break
- fi
- sleep 0.1
- if [ "$myCOUNT" = "1" ];
- then
- echo -n "Waiting for services "
- else echo -n .
- fi
- if [ "$myCOUNT" = "6000" ];
- then
- echo
- echo "Overriding check.lock"
- rm /var/run/check.lock
- break
- fi
- myCOUNT=$[$myCOUNT +1]
-done
-
-myIMAGES=$(cat /etc/tpot/images.conf)
-
-touch /var/run/check.lock
-
-myUPTIME=$(awk '{print int($1/60)}' /proc/uptime)
-if [ $myUPTIME -gt 4 ];
- then
- for i in $myIMAGES
- do
- systemctl stop $i
- done
- echo "### Waiting 10 seconds before restarting docker ..."
- sleep 10
- iptables -w -F
- systemctl restart docker
- while true
- do
- docker info > /dev/null
- if [ $? -ne 0 ];
- then
- echo Docker daemon is still starting.
- else
- echo Docker daemon is now available.
- break
- fi
- sleep 0.1
- done
- echo "### Docker is now up and running again."
- echo "### Removing obsolete container data ..."
- docker rm -v $(docker ps -aq)
- echo "### Removing obsolete image data ..."
- docker rmi $(docker images | grep "" | awk '{print $3}')
- echo "### Starting T-Pot services ..."
- for i in $myIMAGES
- do
- systemctl start $i
- done
- sleep 5
- else
- echo "### T-Pot needs to be up and running for at least 5 minutes."
-fi
-
-rm /var/run/check.lock
-
-/etc/rc.local
diff --git a/installer/bin/dps.sh b/installer/bin/dps.sh
index 6607b170..2f3910b1 100755
--- a/installer/bin/dps.sh
+++ b/installer/bin/dps.sh
@@ -1,5 +1,5 @@
 #/bin/bash
-
+# Show current status of all running containers
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
 stty sane
@@ -7,8 +7,6 @@ function fuCLEANUP { trap fuCLEANUP EXIT stty -echo -icanon time 0 min 0 -#myIMAGES=$(cat /etc/tpot/images.conf) -#myIMAGES=$(/usr/bin/docker ps -a -f name=$i --format "table {{.Names}}" | grep -v NAMES) myIMAGES=$(cat /etc/tpot/tpot.yml | grep container_name | cut -d: -f2) while true do diff --git a/installer/bin/dump_es.sh b/installer/bin/dump_es.sh index 74e95043..d496a98e 100755 --- a/installer/bin/dump_es.sh +++ b/installer/bin/dump_es.sh @@ -1,4 +1,5 @@ #/bin/bash +# Dump all ES data # Make sure ES is available myES="http://127.0.0.1:64298/" myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) diff --git a/installer/bin/export_kibana-objects.sh b/installer/bin/export_kibana-objects.sh index ac630dd3..a48b9011 100755 --- a/installer/bin/export_kibana-objects.sh +++ b/installer/bin/export_kibana-objects.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Export all Kibana objects # Make sure ES is available myES="http://127.0.0.1:64298/" myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) diff --git a/installer/bin/import_kibana-objects.sh b/installer/bin/import_kibana-objects.sh index c291ce63..2ae37e6a 100755 --- a/installer/bin/import_kibana-objects.sh +++ b/installer/bin/import_kibana-objects.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Import Kibana objects # Make sure ES is available myES="http://127.0.0.1:64298/" myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) diff --git a/installer/bin/myip.sh b/installer/bin/myip.sh index 10580971..86a9114e 100755 --- a/installer/bin/myip.sh +++ b/installer/bin/myip.sh @@ -34,8 +34,6 @@ httplist=( whatismyip.akamai.com ) - - # function to shuffle the global array "array" shuffle() { local i tmp size max rand @@ -48,7 +46,6 @@ shuffle() { done } - # if we have dig and a list of dns methods, try that first if hash dig 2>/dev/null && [ ${#dnslist[*]} -gt 0 ]; then eval array=( \"\${dnslist[@]}\" ) 
@@ -64,9 +61,7 @@ if hash dig 2>/dev/null && [ ${#dnslist[*]} -gt 0 ]; then done fi - # if we haven't succeeded with DNS, try HTTP - if [ ${#httplist[*]} == 0 ]; then echo "No hosts in httplist array!" >&2 exit 1 diff --git a/installer/bin/restore_es.sh b/installer/bin/restore_es.sh index e1dc01d3..506a5c8c 100755 --- a/installer/bin/restore_es.sh +++ b/installer/bin/restore_es.sh @@ -1,4 +1,5 @@ #/bin/bash +# Restore folder based ES backup # Make sure ES is available myES="http://127.0.0.1:64298/" myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green) diff --git a/installer/bin/status.sh b/installer/bin/status.sh index a37900c1..c4f27eb9 100755 --- a/installer/bin/status.sh +++ b/installer/bin/status.sh @@ -1,16 +1,10 @@ #!/bin/bash - -######################################################## -# T-Pot # -# Container and services status script # -# # -# v16.10.0 by mo, DTAG, 2016-05-12 # -######################################################## +# Show status of SupervisorD within running containers myCOUNT=1 if [[ $1 == "" ]] then - myIMAGES=$(cat /etc/tpot/images.conf) + myIMAGES=$(cat /etc/tpot/tpot.yml | grep container_name | cut -d: -f2) else myIMAGES=$1 fi diff --git a/installer/bin/update-images.sh b/installer/bin/update-images.sh deleted file mode 100755 index 0ee431eb..00000000 --- a/installer/bin/update-images.sh +++ /dev/null 
@@ -1,78 +0,0 @@
-#!/bin/bash
-
-##########################################################
-# T-Pot #
-# Only start the containers found in /etc/systemd/system #
-# #
-# v17.06 by mo, DTAG, 2017-03-13 #
-##########################################################
-
-# Make sure not to interrupt a check
-while true
-do
- if ! [ -a /var/run/check.lock ];
- then break
- fi
- sleep 0.1
- if [ "$myCOUNT" = "1" ];
- then
- echo -n "Waiting for services "
- else echo -n .
- fi
- if [ "$myCOUNT" = "6000" ];
- then
- echo
- echo "Overriding check.lock"
- rm /var/run/check.lock
- break
- fi
- myCOUNT=$[$myCOUNT +1]
-done
-
-# We do not want to get interrupted by a check
-touch /var/run/check.lock
-
-# Stop T-Pot services and disable all T-Pot services
-echo "### Stopping T-Pot services and cleaning up."
-for i in $(cat /etc/tpot/imgcfg/all_images.conf);
- do
- systemctl stop $i
- sleep 2
- systemctl disable $i;
- rm /etc/systemd/system/$i.service
-done
-
-# Restarting docker services and optionally clear local repository
-echo "### Stopping docker services ..."
-systemctl stop docker
-sleep 1
-# If option "hard" clear the whole repository
-if [ "$1" = "hard" ];
- then
- echo "### Clearing local docker repository."
- rm -rf /var/lib/docker
- sleep 1
-fi
-echo "### Starting docker services ..."
-systemctl start docker
-sleep 1
-
-# Enable only T-Pot systemd scripts from images.conf and pull the images
-for i in $(cat /etc/tpot/images.conf);
- do
- echo
- echo "### Now pulling "$i
- docker pull dtagdevsec/$i:1706;
- cp /etc/tpot/systemd/$i.service /etc/systemd/system/
- systemctl enable $i;
-done
-
-# Announce reboot
-echo
-echo "### Rebooting."
-
-# Allow checks to resume
-rm /var/run/check.lock
-
-# Reboot
-reboot
diff --git a/installer/etc/rc.local b/installer/etc/rc.local
index 8e5ade55..7b64eb94 100755
--- a/installer/etc/rc.local
+++ b/installer/etc/rc.local
@@ -16,6 +16,3 @@ MY_HOSTNAME=$HOSTNAME EOF echo $myLOCALIP > /data/elk/logstash/mylocal.ip chown tpot:tpot /data/ews/conf/ews.ip -if [ -f /var/run/check.lock ]; - then rm /var/run/check.lock -fi diff --git a/installer/install.sh b/installer/install.sh index 472146ce..24717ac9 100755 --- a/installer/install.sh +++ b/installer/install.sh @@ -1,10 +1,5 @@ #!/bin/bash -######################################################## -# T-Pot post install script # -# Ubuntu server 16.04.0, x64 # -# # -# v17.06 by mo, DTAG, 2017-03-22 # -######################################################## +# T-Pot post install script # Set TERM, DIALOGRC export TERM=linux @@ -32,6 +27,8 @@ fuRANDOMWORD () { } # Let's wait a few seconds to avoid interference with service messages +sleep 3 +tput civis dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7 # Let's setup the proxy for env @@ -104,6 +101,7 @@ rm -rf /usr/share/nginx/html/index.html 2>&1 | dialog --title "[ Removing NGINX # Let's ask user for install flavor # Install types are TPOT, HP, INDUSTRIAL, ALL +tput cnorm myFLAVOR=$(dialog --no-cancel --backtitle "$myBACKTITLE" --title "[ Choose your edition ]" --no-tags --menu \ "\nRequired: 4GB RAM, 64GB disk\nRecommended: 8GB RAM, 128GB SSD" 14 60 4 \ "TPOT" "Standard Honeypots, Suricata & ELK" \ @@ -198,6 +196,7 @@ while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ] htpasswd -b -c /etc/nginx/nginxpasswd "$myUSER" "$myPASS1" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF; # Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway) +tput civis mkdir -p /etc/nginx/ssl 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; openssl req \ -nodes \ 
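Review bot: `tput civis` in the `@@ -32,6 +27,8 @@` hunk hides the cursor with nothing guaranteeing it is restored: the only `tput cnorm` is the one before the flavor menu, and the cursor is hidden again in the `@@ -198,6 +196,7 @@` hunk, so any exit, failure or Ctrl-C after that point (the image download loop is the long one) leaves the administrator's terminal without a visible cursor. A single `trap 'tput cnorm' EXIT` placed next to the first `tput civis` restores it on every exit path and makes the later `tput cnorm`/`civis` pairs purely cosmetic. The enclosing script continues outside these hunks.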
@@ -372,15 +371,15 @@ esac # Let's load docker images myIMAGESCOUNT=$(cat /root/tpot/etc/tpot/tpot.yml | grep container_name | cut -d: -f2 | wc -l) j=0 -for name in $(cat /root/tpot/etc/tpot/tpot.yml | grep container_name | cut -d: -f2) +for name in $(cat /root/tpot/etc/tpot/tpot.yml | grep image | cut -d'"' -f2) do dialog --title "[ Downloading docker images, please be patient ]" --backtitle "$myBACKTITLE" \ - --gauge "\n Now downloading: dtagdevsec/$name:1706\n" 8 80 $(expr 100 \* $j / $myIMAGESCOUNT) <&1>/dev/null + docker pull $name 2>&1>/dev/null let j+=1 dialog --title "[ Downloading docker images, please be patient ]" --backtitle "$myBACKTITLE" \ - --gauge "\n Now downloading: dtagdevsec/$name:1706\n" 8 80 $(expr 100 \* $j / $myIMAGESCOUNT) <&1>/dev/null <:/api delete --filters resource= && alerta --endpoint-url http://:/api send -e IP -r -E Production -s ok -S T-Pot -t \$(cat /data/elk/logstash/mylocal.ip) --status open +#*/5 * * * * root alerta --endpoint-url http://:/api delete --filters resource= && alerta --endpoint-url http://:/api send -e IP -r -E Production -s ok -S T-Pot -t \$(cat /data/elk/logstash/mylocal.ip) --status open # Check if updated images are available and download them -27 1 * * * root /usr/bin/docker-compose -f /etc/tpot/tpot.yml pull - -# Restart docker service and containers -#27 3 * * * root dcres.sh +27 1 * * * root /usr/bin/docker-compose -f /etc/tpot/tpot.yml pull # Delete elastic indices older than 90 days (kibana index is omitted by default) -#27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' - -# Update IP and erase check.lock if it exists -27 5 * * * root /etc/rc.local +#27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' # Daily reboot -27 23 * * * root reboot +27 3 * * * root reboot # Check for updated packages every 
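Review bot: `docker pull $name 2>&1>/dev/null` discards the pull's exit status, so a failed pull (registry unreachable, bad image reference in tpot.yml) is silent unless the script sets `-e` somewhere not visible here, the gauge still counts up to 100%, and the tpot service is later enabled with images missing; `docker pull "$name" >/dev/null 2>&1 || { tput cnorm; echo "### Failed to pull $name" >&2; exit 1; }` fails fast and also fixes the redirection order. The image list comes from `grep image | cut -d'"' -f2`, an unanchored substring match that would also pick up comments or other keys containing that word; `grep -E '^\s*image:'` restricts it to the key. In the crontab lines that follow (their hunk header is lost to garbling), the nightly `docker-compose pull` fetches mutable tags and the daily `reboot` now scheduled at 03:27 puts whatever the registry served into production unattended; pinning the compose files to image digests, or at least logging the pulled digests, would keep those updates auditable.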
sunday, upgrade and reboot -27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot +27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot EOF # Let's create some files and folders