diff --git a/bin/updateip.sh b/bin/updateip.sh index b7d8080d..a0eecba1 100755 --- a/bin/updateip.sh +++ b/bin/updateip.sh @@ -12,6 +12,7 @@ mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1) sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue +sed -i "s#ADMIN:.*#ADMIN: https://$myLOCALIP:64294#" /etc/issue tee /data/ews/conf/ews.ip << EOF [MAIN] ip = $myEXTIP @@ -21,8 +22,5 @@ MY_EXTIP=$myEXTIP MY_INTIP=$myLOCALIP MY_HOSTNAME=$HOSTNAME EOF -tee /opt/tpot/etc/compose/wetty_environment << EOF -MY_SSHUSER=$mySSHUSER -EOF chown tpot:tpot /data/ews/conf/ews.ip chmod 760 /data/ews/conf/ews.ip diff --git a/docker/nginx/dist/conf/tpotweb.conf b/docker/nginx/dist/conf/tpotweb.conf index 67cf9208..5dc71ec5 100644 --- a/docker/nginx/dist/conf/tpotweb.conf +++ b/docker/nginx/dist/conf/tpotweb.conf @@ -2,11 +2,6 @@ ### NGINX T-Pot configuration file by mo ### ############################################ -################################### -### Allow for 60 reloads per minute -################################### -limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s; - server { ######################### @@ -39,16 +34,16 @@ server { ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; - + #################################### ### OWASP recommendations / settings #################################### ### Size Limits & Buffer Overflows ### the size may be configured based on the needs. - client_body_buffer_size 100K; + client_body_buffer_size 128k; client_header_buffer_size 1k; - client_max_body_size 100k; + client_max_body_size 256k; large_client_header_buffers 2 1k; ### Mitigate Slow HHTP DoS Attack 
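Review bot: With the `tee /opt/tpot/etc/compose/wetty_environment` heredoc removed, the only visible consumer of `mySSHUSER` is gone, yet the assignment shown in the hunk context, `mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)`, is left in place; if nothing else in the script reads it, drop that line too. The lookup is also loose, since `grep 1000` matches any passwd entry containing "1000" anywhere (uid, gid or a path), so if the value is still needed elsewhere, `getent passwd 1000 | cut -d ':' -f1` answers the intended question. The new `sed -i "s#ADMIN:.*#ADMIN: https://$myLOCALIP:64294#" /etc/issue` line is consistent with its neighbours.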
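Review bot: Removing `limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s;` here, together with the `location = / { limit_req zone=base burst=1 nodelay; }` block dropped in hunk `@@ -89,14 +84,6 @@`, takes away the only request-rate control visible in front of `auth_basic_user_file /etc/nginx/nginxpasswd`, so password guessing against the basic-auth login is no longer throttled by nginx. The install.sh part of this commit adds a fail2ban configuration, but its contents are not visible in this diff, so it is not clear that a jail on `/var/log/nginx/` replaces this. Either keep the two directives or record in the config header which fail2ban jail now covers the login, e.g. `### Brute-force limiting moved to fail2ban (see install.sh); do not re-add limit_req here`, so the next reader knows the omission is deliberate.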
@@ -89,14 +84,6 @@ server { auth_basic_user_file /etc/nginx/nginxpasswd; - ############################## - ### Limit brute-force attempts - ############################## - location = / { - limit_req zone=base burst=1 nodelay; - } - - ################# ### Proxied sites ################# @@ -119,27 +106,6 @@ server { rewrite /myhead/(.*)$ /$1 break; } - ### portainer - location /ui { - proxy_pass http://127.0.0.1:64299; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - proxy_set_header Host $host; - proxy_redirect off; - rewrite /ui/(.*)$ /$1 break; - } - ### web tty - location /wetty { - proxy_pass http://127.0.0.1:64300/wetty; - } - - ### netdata - location /netdata/ { - proxy_pass http://localhost:64301; - rewrite /netdata/(.*)$ /$1 break; - } - ### spiderfoot location /spiderfoot { proxy_pass http://127.0.0.1:64303; @@ -156,4 +122,5 @@ server { location /scandelete { proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete; } + } diff --git a/docker/nginx/dist/html/navbar.html b/docker/nginx/dist/html/navbar.html index e3954f74..0069a138 100644 --- a/docker/nginx/dist/html/navbar.html +++ b/docker/nginx/dist/html/navbar.html @@ -10,12 +10,13 @@
Home - Kibana + ES Head - Netdata + Kibana Spiderfoot - Portainer - WebTTY
+ diff --git a/etc/compose/collector.yml b/etc/compose/collector.yml index 1586fc39..36619a18 100644 --- a/etc/compose/collector.yml +++ b/etc/compose/collector.yml @@ -171,26 +171,6 @@ services: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip -# Netdata service - netdata: - container_name: netdata - restart: always - network_mode: "host" - depends_on: - elasticsearch: - condition: service_healthy - cap_add: - - SYS_PTRACE - security_opt: - - apparmor=unconfined - ports: - - "64301:64301" - image: "dtagdevsec/netdata:1804" - volumes: - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - # Nginx service nginx: container_name: nginx @@ -212,20 +192,6 @@ services: - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/log/:/var/log/nginx/ -# Portainer service - portainer: - container_name: portainer - command: -H unix:///var/run/docker.sock --no-auth - restart: always - networks: - - portainer_local - ports: - - "127.0.0.1:64299:9000" - image: "dtagdevsec/portainer:1804" - read_only: true - volumes: - - /var/run/docker.sock:/var/run/docker.sock - # Spiderfoot service spiderfoot: container_name: spiderfoot @@ -238,15 +204,3 @@ services: volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db -# Wetty service - wetty: - container_name: wetty - restart: always - stop_signal: SIGKILL - network_mode: "host" - env_file: - - /opt/tpot/etc/compose/wetty_environment - tmpfs: - - /home/wetty/.ssh/:uid=2000,gid=2000 - image: "dtagdevsec/wetty:1804" - read_only: true diff --git a/etc/compose/experimental.yml b/etc/compose/experimental.yml index 39f928cb..b20d1f26 100644 --- a/etc/compose/experimental.yml +++ b/etc/compose/experimental.yml 
@@ -505,26 +505,6 @@ services: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip -# Netdata service - netdata: - container_name: netdata - restart: always - network_mode: "host" - depends_on: - elasticsearch: - condition: service_healthy - cap_add: - - SYS_PTRACE - security_opt: - - apparmor=unconfined - ports: - - "64301:64301" - image: "dtagdevsec/netdata:1804" - volumes: - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - # Nginx service nginx: container_name: nginx @@ -546,20 +526,6 @@ services: - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/log/:/var/log/nginx/ -# Portainer service - portainer: - container_name: portainer - command: -H unix:///var/run/docker.sock --no-auth - restart: always - networks: - - portainer_local - ports: - - "127.0.0.1:64299:9000" - image: "dtagdevsec/portainer:1804" - read_only: true - volumes: - - /var/run/docker.sock:/var/run/docker.sock - # Spiderfoot service spiderfoot: container_name: spiderfoot @@ -572,15 +538,3 @@ services: volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db -# Wetty service - wetty: - container_name: wetty - restart: always - stop_signal: SIGKILL - network_mode: "host" - env_file: - - /opt/tpot/etc/compose/wetty_environment - tmpfs: - - /home/wetty/.ssh/:uid=2000,gid=2000 - image: "dtagdevsec/wetty:1804" - read_only: true diff --git a/etc/compose/industrial.yml b/etc/compose/industrial.yml index 04330c77..c653e6af 100644 --- a/etc/compose/industrial.yml +++ b/etc/compose/industrial.yml 
@@ -324,26 +324,6 @@ services: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip -# Netdata service - netdata: - container_name: netdata - restart: always - network_mode: "host" - depends_on: - elasticsearch: - condition: service_healthy - cap_add: - - SYS_PTRACE - security_opt: - - apparmor=unconfined - ports: - - "64301:64301" - image: "dtagdevsec/netdata:1804" - volumes: - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - # Nginx service nginx: container_name: nginx @@ -365,20 +345,6 @@ services: - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/log/:/var/log/nginx/ -# Portainer service - portainer: - container_name: portainer - command: -H unix:///var/run/docker.sock --no-auth - restart: always - networks: - - portainer_local - ports: - - "127.0.0.1:64299:9000" - image: "dtagdevsec/portainer:1804" - read_only: true - volumes: - - /var/run/docker.sock:/var/run/docker.sock - # Spiderfoot service spiderfoot: container_name: spiderfoot @@ -390,16 +356,3 @@ services: image: "dtagdevsec/spiderfoot:1804" volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db - -# Wetty service - wetty: - container_name: wetty - restart: always - stop_signal: SIGKILL - network_mode: "host" - env_file: - - /opt/tpot/etc/compose/wetty_environment - tmpfs: - - /home/wetty/.ssh/:uid=2000,gid=2000 - image: "dtagdevsec/wetty:1804" - read_only: true diff --git a/etc/compose/legacy.yml b/etc/compose/legacy.yml index 7c11b663..0aafb2ea 100644 --- a/etc/compose/legacy.yml +++ b/etc/compose/legacy.yml 
@@ -290,26 +290,6 @@ services: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip -# Netdata service - netdata: - container_name: netdata - restart: always - network_mode: "host" - depends_on: - elasticsearch: - condition: service_healthy - cap_add: - - SYS_PTRACE - security_opt: - - apparmor=unconfined - ports: - - "64301:64301" - image: "dtagdevsec/netdata:1804" - volumes: - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - # Nginx service nginx: container_name: nginx @@ -331,20 +311,6 @@ services: - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/log/:/var/log/nginx/ -# Portainer service - portainer: - container_name: portainer - command: -H unix:///var/run/docker.sock --no-auth - restart: always - networks: - - portainer_local - ports: - - "127.0.0.1:64299:9000" - image: "dtagdevsec/portainer:1804" - read_only: true - volumes: - - /var/run/docker.sock:/var/run/docker.sock - # Spiderfoot service spiderfoot: container_name: spiderfoot @@ -357,15 +323,3 @@ services: volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db -# Wetty service - wetty: - container_name: wetty - restart: always - stop_signal: SIGKILL - network_mode: "host" - env_file: - - /opt/tpot/etc/compose/wetty_environment - tmpfs: - - /home/wetty/.ssh/:uid=2000,gid=2000 - image: "dtagdevsec/wetty:1804" - read_only: true diff --git a/etc/compose/standard.yml b/etc/compose/standard.yml index 21d432a7..6ec62fee 100644 --- a/etc/compose/standard.yml +++ b/etc/compose/standard.yml @@ -16,7 +16,6 @@ networks: vnclowpot_local: ewsposter_local: spiderfoot_local: - portainer_local: services: 
@@ -505,26 +504,6 @@ services: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip -# Netdata service - netdata: - container_name: netdata - restart: always - network_mode: "host" - depends_on: - elasticsearch: - condition: service_healthy - cap_add: - - SYS_PTRACE - security_opt: - - apparmor=unconfined - ports: - - "64301:64301" - image: "dtagdevsec/netdata:1804" - volumes: - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - # Nginx service nginx: container_name: nginx @@ -546,20 +525,6 @@ services: - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/log/:/var/log/nginx/ -# Portainer service - portainer: - container_name: portainer - command: -H unix:///var/run/docker.sock --no-auth - restart: always - networks: - - portainer_local - ports: - - "127.0.0.1:64299:9000" - image: "dtagdevsec/portainer:1804" - read_only: true - volumes: - - /var/run/docker.sock:/var/run/docker.sock - # Spiderfoot service spiderfoot: container_name: spiderfoot @@ -572,15 +537,3 @@ services: volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db -# Wetty service - wetty: - container_name: wetty - restart: always - stop_signal: SIGKILL - network_mode: "host" - env_file: - - /opt/tpot/etc/compose/wetty_environment - tmpfs: - - /home/wetty/.ssh/:uid=2000,gid=2000 - image: "dtagdevsec/wetty:1804" - read_only: true diff --git a/host/etc/issue b/host/etc/issue index 55e4287e..fcad492c 100644 --- a/host/etc/issue +++ b/host/etc/issue 
@@ -1,12 +1,12 @@  -┌───────────────────────────────────────────────────┐ -│ _____ ____ _ _ ___ ___ _ _ │ -│|_ _| | _ \\ ___ | |_ / |( _ ) / _ \\| || | │ -│ | |_____| |_) / _ \\| __| | |/ _ \\| | | | || |_ │ -│ | |_____| __/ (_) | |_ | | (_) | |_| |__ _|│ -│ |_| |_| \\___/ \\__| |_|\\___(_)___/ |_| │ -│ │ -└───────────────────────────────────────────────────┘ +┌────────────────────────────────────────────────┐ +│ _____ ____ _ _ ___ _ ___ │ +│|_ _| | _ \\ ___ | |_ / |( _ ) / |/ _ \\ │ +│ | |_____| |_) / _ \\| __| | |/ _ \\ | | | | |│ +│ | |_____| __/ (_) | |_ | | (_) || | |_| |│ +│ |_| |_| \\___/ \\__| |_|\\___(_)_|\\___/ │ +│ │ +└────────────────────────────────────────────────┘ ,---- [ \n ] [ \d ] [ \t ] @@ -14,6 +14,7 @@ | IP: | SSH: | WEB: +| ADMIN: | `---- diff --git a/iso/installer/install.sh b/iso/installer/install.sh index 837c3487..a59ce738 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh 
@@ -1,23 +1,219 @@ #!/bin/bash -# T-Pot post install script +# T-Pot Universal Installer + +################################## +# Extract command line arguments # +################################## + +myLSB=$(lsb_release -r | awk '{ print $2 }') +myLSB_SUPPORTED="18.04" +myINFO="\ +############################################ +### T-Pot Installer for Ubuntu $myLSB_SUPPORTED LTS ### +############################################ + +Disclaimer: +This script will install T-Pot on this system, by running the script you know what you are doing: +1. SSH will be reconfigured to tcp/64295 +2. Some packages will be installed, some will be upgraded +3. Please ensure other means of access to this system in case something goes wrong. +4. At best this script well be executed on the console instead through a SSH session. + +########################################### + +Usage: + $0 --help - Help. + +Example: + $0 --type=user - Best option for most users." + +if [ "$myLSB" != "$myLSB_SUPPORTED" ]; + then + echo "Aborting. Ubuntu $myLSB is not supported." + exit +fi +if [ "$1" == "" ]; + then + echo "$myINFO" + exit +fi +for i in "$@" + do + case $i in + --conf=*) + myTPOT_CONF_FILE="${i#*=}" + shift + ;; + --type=user) + myTPOT_DEPLOYMENT_TYPE="${i#*=}" + shift + ;; + --type=auto) + myTPOT_DEPLOYMENT_TYPE="${i#*=}" + shift + ;; + --type=iso) + myTPOT_DEPLOYMENT_TYPE="${i#*=}" + shift + ;; + --help) + echo "Usage: $0 " + echo + echo "--conf=" + echo " Use this if you want to automatically deploy a T-Pot instance (--type=auto implied)." + echo " A configuration example is available in \"tpotce/iso/installer/tpot.conf.dist\"." + echo + echo "--type=<[user, auto, iso]>" + echo " user, use this if you want to manually install a T-Pot on a Ubuntu 18.04 LTS machine." + echo " auto, implied if a configuration file is passed as an argument for automatic deployment." + echo " iso, use this if you are a T-Pot developer and want to install a T-Pot from a pre-compiled iso." 
+ echo + exit + ;; + *) + echo "$myINFO" + exit + ;; + esac + done + + +################################################### +# Validate command line arguments and load config # +################################################### + +# If a valid config file exists, set deployment type to "auto" and load the configuration +if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ] && [ "$myTPOT_CONF_FILE" == "" ]; + then + echo "Aborting. No configuration file given." + exit +fi +if [ -s "$myTPOT_CONF_FILE" ] && [ "$myTPOT_CONF_FILE" != "" ]; + then + myTPOT_DEPLOYMENT_TYPE="auto" + if [ "$(head -n 1 $myTPOT_CONF_FILE | grep -c "# tpot")" == "1" ]; + then + source "$myTPOT_CONF_FILE" + echo "$myCONF_PROXY_IP" + else + echo "Aborting. Config file \"$myTPOT_CONF_FILE\" not a T-Pot configuration file." + exit + fi + elif ! [ -s "$myTPOT_CONF_FILE" ] && [ "$myTPOT_CONF_FILE" != "" ]; + then + echo "Aborting. Config file \"$myTPOT_CONF_FILE\" not found." + exit +fi + + +####################### +# Prepare environment # +####################### + +# Got root? +function fuGOT_ROOT { +echo +echo -n "### Checking for root: " +if [ "$(whoami)" != "root" ]; + then + echo "[ NOT OK ]" + echo "### Please run as root." + echo "### Example: sudo $0" + exit + else + echo "[ OK ]" +fi +} + +# Let's check if all dependencies are met +function fuGET_DEPS { +local myPACKAGES="apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl dialog dnsutils docker.io docker-compose dstat ethtool fail2ban genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man multitail net-tools npm ntp openssh-server openssl pass prips syslinux psmisc pv python-pip unattended-upgrades unzip vim wireless-tools wpasupplicant" +echo +echo "### Getting update information." +echo +apt-get -y update +echo +echo "### Upgrading packages." 
+echo +apt-get -y dist-upgrade +echo +echo "### Installing T-Pot dependencies." +echo +apt-get -y install $myPACKAGES +} + +# Let's load dialog color theme +function fuDIALOG_SETUP { +echo +echo -n "### Checking for dialogrc: " +if [ -f "dialogrc" ]; + then + echo "[ OK ]" + cp dialogrc /etc/ + else + echo "[ NOT OK ]" + echo "### 'dialogrc' is missing. Please run 'install.sh' from within the setup folder." + fi +} + +# Let's check for other services +function fuCHECK_PORTS { +if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; + then + echo + echo "### Checking for active services." + echo + grc netstat -tulpen + echo + echo "### Please review your running services." + echo "### We will take care of SSH (22), but other services i.e. FTP (21), TELNET (23), SMTP (25), HTTP (80), HTTPS (443), etc." + echo "### might collide with T-Pot's honeypots and prevent T-Pot from starting successfully." + echo + while [ 1 != 2 ] + do + read -s -n 1 -p "Continue [y/n]? " mySELECT + echo + case "$mySELECT" in + [y,Y]) + break + ;; + [n,N]) + exit + ;; + esac + done +fi +} + + +# Prepare running the installer +echo "$myINFO" | head -n 3 +fuGOT_ROOT +fuGET_DEPS +fuCHECK_PORTS +fuDIALOG_SETUP + +############# +# Installer # +############# # Set TERM, DIALOGRC export TERM=linux export DIALOGRC=/etc/dialogrc -# Let's load dialog color theme -cp /root/installer/dialogrc /etc/ +####################### +# Global vars section # +####################### -# Some global vars -myPROXYFILEPATH="/root/installer/proxy" -myNTPCONFPATH="/root/installer/ntp" -myPFXPATH="/root/installer/keys/8021x.pfx" -myPFXPWPATH="/root/installer/keys/8021x.pw" -myPFXHOSTIDPATH="/root/installer/keys/8021x.id" -myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml" myBACKTITLE="T-Pot-Installer" -mySITES="https://index.docker.io https://github.com https://pypi.python.org https://ubuntu.com" +myCONF_FILE="/root/installer/iso.conf" myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80" +mySITES="https://hub.docker.com 
https://github.com https://pypi.python.org https://ubuntu.com" +myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml" + +##################### +# Functions section # +##################### fuRANDOMWORD () { local myWORDFILE="$1" 
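Review bot: Every abort path in the argument and config validation (`echo "Aborting. Ubuntu $myLSB is not supported."`, `Aborting. No configuration file given.`, the two config-file checks, and the root check in fuGOT_ROOT) ends in a bare `exit`, which returns status 0, so a `--conf=`/`--type=auto` deployment driven by another script cannot tell a refused run from a completed one; use `exit 1` on those paths and send the message to stderr, e.g. `echo "Aborting. No configuration file given." >&2; exit 1`. `echo "$myCONF_PROXY_IP"` directly after `source "$myTPOT_CONF_FILE"` looks like a leftover debug print. `head -n 1 $myTPOT_CONF_FILE` leaves the path unquoted while the surrounding tests quote it. Since the config is `source`d, the `# tpot` first-line check is a format check rather than a safety check, and that is worth saying in the `--conf=` help text: `echo "  The file is sourced as shell by the installer (running as root); only use files you wrote yourself."`.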
@@ -27,17 +223,35 @@ fuRANDOMWORD () { echo -n $(sed -n "$myNUM p" $myWORDFILE | tr -d \' | tr A-Z a-z) } -# Let's wait a few seconds to avoid interference with service messages -sleep 3 -tput civis -dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7 +# If this is a ISO installation we need to wait a few seconds to avoid interference with service messages +if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ]; + then + sleep 5 + tput civis + dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7 +fi -# Let's setup the proxy for env -if [ -f $myPROXYFILEPATH ]; +# Let's load the iso config file if there is one +if [ -f $myCONF_FILE ]; + then + dialog --backtitle "$myBACKTITLE" --title "[ Found personalized iso.config ]" --msgbox "\nYour personalized settings will be applied!" 7 47 + source $myCONF_FILE + else + # dialog logic considers 1=false, 0=true + myCONF_PROXY_USE="1" + myCONF_PFX_USE="1" + myCONF_NTP_USE="1" +fi + +### <--- Begin proxy setup +# If a proxy is set in iso.conf it needs to be setup. +# However, none of the other installation types will automatically take care of a proxy. +# Please open a feature request if you think this is something worth considering. +if [ "$myCONF_PROXY_USE" == "0" ]; then dialog --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF <&1>/dev/null <&1>/dev/null <&1 | dialog --title "[ Stop docker service ]" $myPROGRESSBOXCONF systemctl start docker 2>&1 | dialog --title "[ Start docker service ]" $myPROGRESSBOXCONF fi +### ---> End proxy setup # Let's test the internet connection -mySITESCOUNT=$(echo $mySITES | wc -w) -j=0 -for i in $mySITES; - do - dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ - --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <&1>/dev/null - if [ $? 
-ne 0 ]; - then - dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nInternet connection test failed. This might indicate some problems with your connection. You can continue, but the installation might fail." 10 50 - if [ $? = 1 ]; - then - dialog --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50 - exit - else - break; - fi; - fi; - let j+=1 - dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ - --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <&1 1>&2 2>&3 3>&-) - -# Let's ask for a secure tsec password -myUSER="tsec" -myPASS1="pass1" -myPASS2="pass2" -mySECURE="0" -while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ] - do - while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ] +if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; + then + mySITESCOUNT=$(echo $mySITES | wc -w) + j=0 + for i in $mySITES; do - myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \ - --title "[ Enter password for console user (tsec) ]" \ - --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) - done - myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \ - --title "[ Repeat password for console user (tsec) ]" \ - --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) - if [ "$myPASS1" != "$myPASS2" ]; - then - dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ - --msgbox "\nPlease re-enter your password." 7 60 - myPASS1="pass1" - myPASS2="pass2" - fi - mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK") - if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ]; - then - dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 - myOK=$? 
- if [ "$myOK" == "1" ]; + dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ + --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <&1>/dev/null + if [ $? -ne 0 ]; then + dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nInternet connection test failed. This might indicate some problems with your connection. You can continue, but the installation might fail." 10 50 + if [ $? = 1 ]; + then + dialog --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50 + exit + else + break; + fi; + fi; + let j+=1 + dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ + --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <&1 1>&2 2>&3 3>&-) +fi + +# Let's ask for a username if installation type is user +if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; + then + while [ 1 != 2 ] + do + myCONF_TPOT_USER=$(dialog --backtitle "$myBACKTITLE" --title "[ Existing console user name ]" --inputbox "\nUsername (root is not allowed)" 9 50 "$(who am i | awk '{ print $1 }')" 3>&1 1>&2 2>&3 3>&-) + myCONF_TPOT_USER=$(echo $myCONF_TPOT_USER | tr -cd "[:alnum:]_.-") + dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_TPOT_USER" 7 50 + myOK=$? 
+ if [ "$myOK" = "0" ] && [ "$myCONF_TPOT_USER" != "root" ] && [ "$myCONF_TPOT_USER" != "" ] && [ "$(cat /etc/passwd | grep -wc $myCONF_TPOT_USER)" == "1" ]; + then + break + fi + done +fi + +# Let's ask for a secure tsec password if installation type is iso +if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ]; + then + myCONF_TPOT_USER="tsec" + myPASS1="pass1" + myPASS2="pass2" + mySECURE="0" + while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ] + do + while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ] + do + myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \ + --title "[ Enter password for console user (tsec) ]" \ + --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) + done + myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \ + --title "[ Repeat password for console user (tsec) ]" \ + --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) + if [ "$myPASS1" != "$myPASS2" ]; + then + dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ + --msgbox "\nPlease re-enter your password." 7 60 myPASS1="pass1" myPASS2="pass2" fi - fi - done -printf "%s" "$myUSER:$myPASS1" | chpasswd - -# Let's ask for a web username with secure password -myOK="1" -myUSER="tsec" -myPASS1="pass1" -myPASS2="pass2" -mySECURE="0" -while [ 1 != 2 ] - do - myUSER=$(dialog --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-) - myUSER=$(echo $myUSER | tr -cd "[:alnum:]_.-") - dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myUSER" 7 50 - myOK=$? 
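Review bot: `[ "$(cat /etc/passwd | grep -wc $myCONF_TPOT_USER)" == "1" ]` decides whether the console user exists by counting word matches anywhere in /etc/passwd, so a name that also occurs in another entry's GECOS field or home path gives a false negative, and an account that exists only in NSS sources other than the local file (LDAP, SSSD) is never accepted; `id -u "$myCONF_TPOT_USER" >/dev/null 2>&1` (or `getent passwd "$myCONF_TPOT_USER"`) checks the account itself. The preceding `tr -cd "[:alnum:]_.-"` keeps the value safe to pass unquoted, but quoting it anyway removes the dependency on that sanitisation. The `while` loop this belongs to starts in the previous physical line and the user-type block ends here.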
- if [ "$myOK" = "0" ] && [ "$myUSER" != "tsec" ] && [ "$myUSER" != "" ]; - then - break - fi - done -while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ] - do - while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ] - do - myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \ - --title "[ Enter password for your web user ]" \ - --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) + mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK") + if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ]; + then + dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 + myOK=$? + if [ "$myOK" == "1" ]; + then + myPASS1="pass1" + myPASS2="pass2" + fi + fi done - myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \ + printf "%s" "$myCONF_TPOT_USER:$myPASS1" | chpasswd +fi + +# Let's ask for a web user credentials if deployment type is iso or user +# In case of auto, credentials are created from config values +# Skip this step entirely if SENSOR flavor +if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; + then + myOK="1" + myCONF_WEB_USER="webuser" + myCONF_WEB_PW="pass1" + myCONF_WEB_PW2="pass2" + mySECURE="0" + while [ 1 != 2 ] + do + myCONF_WEB_USER=$(dialog --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-) + myCONF_WEB_USER=$(echo $myCONF_WEB_USER | tr -cd "[:alnum:]_.-") + dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_WEB_USER" 7 50 + myOK=$? 
+ if [ "$myOK" = "0" ] && [ "$myCONF_WEB_USER" != "tsec" ] && [ "$myCONF_WEB_USER" != "" ]; + then + break + fi + done + while [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ] && [ "$mySECURE" == "0" ] + do + while [ "$myCONF_WEB_PW" == "pass1" ] || [ "$myCONF_WEB_PW" == "" ] + do + myCONF_WEB_PW=$(dialog --insecure --backtitle "$myBACKTITLE" \ + --title "[ Enter password for your web user ]" \ + --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) + done + myCONF_WEB_PW2=$(dialog --insecure --backtitle "$myBACKTITLE" \ --title "[ Repeat password for your web user ]" \ --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) - if [ "$myPASS1" != "$myPASS2" ]; - then - dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ - --msgbox "\nPlease re-enter your password." 7 60 - myPASS1="pass1" - myPASS2="pass2" - fi - mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK") - if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ]; - then - dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 - myOK=$? - if [ "$myOK" == "1" ]; + if [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ]; then - myPASS1="pass1" - myPASS2="pass2" + dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ + --msgbox "\nPlease re-enter your password." 7 60 + myCONF_WEB_PW="pass1" + myCONF_WEB_PW2="pass2" fi - fi - done -mkdir -p /data/nginx/conf 2>&1 -htpasswd -b -c /data/nginx/conf/nginxpasswd "$myUSER" "$myPASS1" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF; + mySECURE=$(printf "%s" "$myCONF_WEB_PW" | cracklib-check | grep -c "OK") + if [ "$mySECURE" == "0" ] && [ "$myCONF_WEB_PW" == "$myCONF_WEB_PW2" ]; + then + dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 + myOK=$? 
+ if [ "$myOK" == "1" ]; + then + myCONF_WEB_PW="pass1" + myCONF_WEB_PW2="pass2" + fi + fi + done +fi +# If flavor is SENSOR do not write credentials +if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ]; + then + mkdir -p /data/nginx/conf 2>&1 + htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF; +fi + + +######################## +# Installation section # +######################## + +# Put cursor in invisible mode +tput civis # Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway) -tput civis -mkdir -p /data/nginx/cert 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; -openssl req \ - -nodes \ - -x509 \ - -sha512 \ - -newkey rsa:8192 \ - -keyout "/data/nginx/cert/nginx.key" \ - -out "/data/nginx/cert/nginx.crt" \ - -days 3650 \ - -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; +if ! 
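Review bot: `htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW"` passes the web password on the command line, where it is readable by any local process via the process list for the duration of the call, and in `--type=auto` that value comes straight from the sourced tpot.conf; `printf '%s' "$myCONF_WEB_PW" | htpasswd -i -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER"` reads it from stdin instead. For the auto path nothing in this hunk checks that `myCONF_WEB_USER` and `myCONF_WEB_PW` are set before the file is written, so a config missing either key silently produces an empty or unusable entry; a guard such as `[ -n "$myCONF_WEB_USER" ] && [ -n "$myCONF_WEB_PW" ] || { echo "### Web credentials missing in config." >&2; exit 1; }` in front of `htpasswd` turns that into a visible failure. The iso/user prompt loop that fills these variables begins on the previous physical lines.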
[ "$myCONF_TPOT_FLAVOR" == "SENSOR" ]; + then + mkdir -p /data/nginx/cert 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; + openssl req \ + -nodes \ + -x509 \ + -sha512 \ + -newkey rsa:8192 \ + -keyout "/data/nginx/cert/nginx.key" \ + -out "/data/nginx/cert/nginx.crt" \ + -days 3650 \ + -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; +fi # Let's setup the ntp server -if [ -f $myNTPCONFPATH ]; +if [ "$myCONF_NTP_USE" == "0" ]; then -dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF <&1 | dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF + cp $myCONF_NTP_CONF_FILE /etc/ntp.conf 2>&1 | dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF fi # Let's setup 802.1x networking -if [ -f $myPFXPATH ]; +if [ "myCONF_PFX_USE" == "0" ]; then -dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF <&1 | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF - if [ -f $myPFXPWPATH ]; - then -dialog --title "[ Setting up 802.1x password ]" $myPROGRESSBOXCONF <&1>/dev/null <&1 | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF + tee -a /etc/network/interfaces 2>&1>/dev/null <&1>/dev/null <&1>/dev/null <&1>/dev/null <&1>/dev/null <&1>/dev/null <&1>/dev/null <&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF -apt-get upgrade -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF - -# Let's clean up apt -apt-get autoclean -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF -apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF - -# Installing ctop, elasticdump, tpot +# Installing ctop, elasticdump, tpot, yq +if ! 
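Review bot: `if [ "myCONF_PFX_USE" == "0" ];` compares the literal string "myCONF_PFX_USE" with "0", not the variable, so the 802.1x branch can never run even when iso.conf enables it; it should read `if [ "$myCONF_PFX_USE" == "0" ];` like the proxy and ntp checks around it. The ntp branch next to it, `cp $myCONF_NTP_CONF_FILE /etc/ntp.conf`, leaves the path unquoted although the same value is a user-supplied string from the sourced config; `cp -- "$myCONF_NTP_CONF_FILE" /etc/ntp.conf` is the safe form. The 802.1x block continues past the end of this physical line.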
[ "$myCONF_TPOT_FLAVOR" == "SENSOR" ]; + then + npm install https://github.com/taskrabbit/elasticsearch-dump#9fcc8cc -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF +fi pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF +hash -r 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF pip install elasticsearch-curator==5.4.1 2>&1 | dialog --title "[ Installing elasticsearch-curator ]" $myPROGRESSBOXCONF pip install yq==2.4.1 2>&1 | dialog --title "[ Installing yq ]" $myPROGRESSBOXCONF -npm install https://github.com/taskrabbit/elasticsearch-dump#9fcc8cc -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF -wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF -mv ctop /usr/bin/ 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF +wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF chmod +x /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF git clone https://github.com/dtag-dev-sec/tpotce -b 18.04 /opt/tpot 2>&1 | dialog --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF -# Let's add a new user -addgroup --gid 2000 tpot 2>&1 | dialog --title "[ Adding new user ]" $myPROGRESSBOXCONF -adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --title "[ Adding new user ]" $myPROGRESSBOXCONF +# Let's create the T-Pot user +addgroup --gid 2000 tpot 2>&1 | dialog --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF +adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF # Let's set the hostname a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt) 
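Review bot: `wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O /usr/bin/ctop` now writes an unverified download straight into PATH, and because its output is piped into `dialog` the wget exit status is lost, so a failed or truncated transfer still receives `chmod +x /usr/bin/ctop`; elasticsearch-dump right above is at least pinned to commit `9fcc8cc`, ctop has no integrity check at all. Fetch to a temporary file, compare it with a known sha256 and only then install it; the hash value is a placeholder to be filled from the release you verified.
```shell
myCTOP_SHA256="<sha256 of ctop-0.7-linux-amd64, placeholder>"
myCTOP_TMP=$(mktemp)
wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O "$myCTOP_TMP" 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
if printf '%s  %s\n' "$myCTOP_SHA256" "$myCTOP_TMP" | sha256sum -c --quiet 2>/dev/null; then
  install -m 0755 "$myCTOP_TMP" /usr/bin/ctop
else
  echo "### ctop checksum mismatch, not installed." >&2
fi
rm -f "$myCTOP_TMP"
# … unchanged: git clone of tpotce, tpot user creation …
```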
@@ -345,18 +596,12 @@ myHOST=$a$n hostnamectl set-hostname $myHOST 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF -# Let's patch sshd_config +# Let's patch cockpit.socket, sshd_config +sed -i 's#ListenStream=9090#ListeStream=64294#' /etc/systemd/system/sockets.target.wants/cockpit.socket 2>&1 | dialog --title "[ Cockpit listen on tcp/64294 ]" $myPROGRESSBOXCONF sed -i 's#\#Port 22#Port 64295#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF -sed -i 's#\#PasswordAuthentication yes#PasswordAuthentication no#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH password authentication only from RFC1918 networks ]" $myPROGRESSBOXCONF -tee -a /etc/ssh/sshd_config 2>&1>/dev/null <&1>/dev/null @@ -422,6 +667,35 @@ net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 EOF +# Let's setup fail2ban config +dialog --title "[ Setup fail2ban config ]" $myPROGRESSBOXCONF <&1>/dev/null <&1 | dialog --title "[ Creating some file # Let's copy some files tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF -cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -cp /opt/tpot/host/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -cp /root/installer/keys/authorized_keys /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF +cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF +cp /opt/tpot/host/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF systemctl enable tpot 2>&1 | dialog --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF # Let's take care of some files and permissions 
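Review bot: The cockpit sed on the new side has a typo — it writes `ListeStream=64294`, so systemd will log an unknown-key warning and cockpit.socket is left with no ListenStream at all instead of moving to tcp/64294; the line should read `sed -i 's#ListenStream=9090#ListenStream=64294#' /etc/systemd/system/sockets.target.wants/cockpit.socket`. Running `sed -i` on that path also turns what is normally a symlink into /lib/systemd into a regular file; a drop-in (`[Socket]`, `ListenStream=`, `ListenStream=64294` in /etc/systemd/system/cockpit.socket.d/) survives package updates and needs no pattern match. Separately, the sed that set `PasswordAuthentication no` is removed and the replacement sshd_config heredoc is not readable in this view, so I cannot confirm password SSH stays off — since authorized_keys provisioning is also dropped later in this diff, the new image presumably relies on password logins for the admin user, which deserves a comment here and a line in the commit message.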
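Review bot: The fail2ban jail written here is not readable in this view (the heredoc body is lost), so one thing to confirm: sshd was moved to tcp/64295 in the hunk above, and fail2ban's stock sshd jail bans with `port = ssh`, which would block offenders on tcp/22 — the honeypot side — while leaving the real admin port open. The jail should carry `port = 64295` (and ideally an `ignoreip` for the management network) so a ban applies to the port it is protecting. If that is already in the heredoc, a one-line comment above the `dialog` call saying so would save the next reader from checking.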
@@ -477,8 +750,6 @@ chmod 760 -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $m
 chown tpot:tpot -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
 chmod 644 -R /data/nginx/conf 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
 chmod 644 -R /data/nginx/cert 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
-chmod 600 /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
-chown tsec:tsec /home/tsec/.ssh /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
 
 # Let's replace "quiet splash" options, set a console font for more screen canvas and update grub
 sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub 2>&1>/dev/null
@@ -505,6 +776,10 @@ EOF
 # Let's create ews.ip before reboot and prevent race condition for first start
 /opt/tpot/bin/updateip.sh 2>&1>/dev/null
 
+# Let's clean up apt
+apt-get autoclean -y 2>&1 | dialog --title "[ Cleaning up ]" $myPROGRESSBOXCONF
+apt-get autoremove -y 2>&1 | dialog --title "[ Cleaning up ]" $myPROGRESSBOXCONF
+
 # Final steps
 cp /opt/tpot/host/etc/rc.local /etc/rc.local 2>&1>/dev/null && \
 rm -rf /root/installer 2>&1>/dev/null && \
diff --git a/iso/installer/iso.conf.dist b/iso/installer/iso.conf.dist
new file mode 100644
index 00000000..f695f381
--- /dev/null
+++ b/iso/installer/iso.conf.dist
@@ -0,0 +1,12 @@
+# makeiso configuration file
+myCONF_PROXY_USE='0'
+myCONF_PROXY_IP='1.2.3.4'
+myCONF_PROXY_PORT='3128'
+myCONF_PFX_USE='0'
+myCONF_PFX_FILE='/'
+myCONF_PFX_PW_USE='0'
+myCONF_PFX_PW=''
+myCONF_PFX_HOST_ID='.'
+myCONF_NTP_USE='0'
+myCONF_NTP_IP='1.2.3.4'
+myCONF_NTP_CONF_FILE='/'
diff --git a/iso/installer/tpot.conf.dist b/iso/installer/tpot.conf.dist
new file mode 100644
index 00000000..d8c14459
--- /dev/null
+++ b/iso/installer/tpot.conf.dist
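Review bot: iso.conf.dist is consumed with `source` (the `source $myCONF_DEFAULT_FILE` line in the makeiso.sh hunk further down), so it is executable shell rather than data, and `myCONF_PFX_PW=''` makes it the documented place to put a cleartext 802.1x private-key password — the file says neither. Suggest a header such as `# NOTE: this file is sourced by makeiso.sh — keep values single-quoted; myCONF_PFX_PW is stored in clear text, so never commit a filled-in copy`. The `myCONF_PFX_FILE='/'` and `myCONF_NTP_CONF_FILE='/'` values appear to be only start paths for the `--fselect` dialogs, which is worth a one-word comment too, since `/` reads like a real path to someone opening the file cold.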
@@ -0,0 +1,7 @@
+# tpot configuration file
+# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, EXPERIMENTAL, LEGACY]
+myCONF_TPOT_FLAVOR='STANDARD'
+myCONF_TPOT_USER='tsec'
+myCONF_TPOT_PW='$ecret123'
+myCONF_WEB_USER='webuser'
+myCONF_WEB_PW='w3b$ecret'
diff --git a/iso/preseed/tpot.seed b/iso/preseed/tpot.seed
index d2064ee3..15b2f7ff 100755
--- a/iso/preseed/tpot.seed
+++ b/iso/preseed/tpot.seed
@@ -101,7 +101,7 @@ tasksel tasksel/first multiselect ubuntu-server
 ########################
 ### Package Installation
 ########################
-d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io docker-compose dstat ethtool genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man net-tools npm ntp openssh-server openssl pass prips syslinux psmisc pv python-pip unzip vim wireless-tools wpasupplicant
+d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl dialog dnsutils docker.io docker-compose dstat ethtool fail2ban genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man multitail net-tools npm ntp openssh-server openssl pass prips syslinux psmisc pv python-pip unzip vim wireless-tools wpasupplicant
 
 #################
 ### Update Policy
diff --git a/makeiso.sh b/makeiso.sh
index f5c884e7..a33c665b 100755
--- a/makeiso.sh
+++ b/makeiso.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
 
 # Set TERM, DIALOGRC
-export DIALOGRC=/etc/dialogrc
 export TERM=linux
+export DIALOGRC=/etc/dialogrc
 
 # Let's define some global vars
 myBACKTITLE="T-Pot - ISO Creator"
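Review bot: tpot.conf.dist ships live default credentials — `myCONF_TPOT_PW='$ecret123'` for the SSH user and `myCONF_WEB_PW='w3b$ecret'` for the web UI — in a file users will copy to tpot.conf, so whoever forgets to edit it deploys an internet-facing honeypot host whose admin passwords sit in a public repository. None of the installer hunks in this diff show a check that these values were changed, so at minimum the file should say `# CHANGE BOTH PASSWORDS before building — the defaults below are public and are used verbatim by the installer`. Better still, ship them empty and have the installer refuse to proceed while either is blank or equal to the .dist value. The single quotes are load-bearing (`$ecret123` would otherwise expand when the file is sourced); keep them if a script ever rewrites these values.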
@@ -14,14 +14,13 @@ myTPOTISO="tpot.iso"
 myTPOTDIR="tpotiso"
 myTPOTSEED="iso/preseed/tpot.seed"
 myPACKAGES="dialog genisoimage syslinux syslinux-utils pv udisks2"
-myAUTHKEYSPATH="iso/installer/keys/authorized_keys"
-myPFXPATH="iso/installer/keys/8021x.pfx"
-myPFXPWPATH="iso/installer/keys/8021x.pw"
-myPFXHOSTIDPATH="iso/installer/keys/8021x.id"
+myAUTHKEYSFILE="iso/installer/keys/authorized_keys"
+myPFXFILE="iso/installer/keys/8021x.pfx"
 myINSTALLERPATH="iso/installer/install.sh"
-myPROXYCONFIG="iso/installer/proxy"
-myNTPCONFPATH="iso/installer/ntp"
+myNTPCONFFILE="iso/installer/ntp.conf"
 myTMP="tmp"
+myCONF_FILE="iso/installer/iso.conf"
+myCONF_DEFAULT_FILE="iso/installer/iso.conf.dist"
 
 # Got root?
 myWHOAMI=$(whoami)
@@ -32,13 +31,32 @@ if [ "$myWHOAMI" != "root" ]
 exit
 fi
 
+# Let's check if all dependencies are met
+myINST=""
+for myDEPS in $myPACKAGES;
+do
+ myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
+ if [ "$myOK" != "ok" ]
+ then
+ myINST=$(echo $myINST $myDEPS)
+ fi
+done
+if [ "$myINST" != "" ]
+ then
+ apt-get update -y
+ for myDEPS in $myINST;
+ do
+ apt-get install $myDEPS -y
+ done
+fi
+
 # Let's load dialog color theme
 cp host/etc/dialogrc /etc/
 
 # Let's clean up at the end or if something goes wrong ...
 function fuCLEANUP {
-rm -rf $myTMP $myTPOTDIR $myPROXYCONFIG $myPFXPATH $myPFXPWPATH $myPFXHOSTIDPATH $myNTPCONFPATH
-echo > $myAUTHKEYSPATH
+rm -rf $myTMP $myTPOTDIR $myPFXFILE $myNTPCONFFILE $myCONF_FILE
+echo > $myAUTHKEYSFILE
 if [ -f $myTPOTSEED.bak ];
 then
 mv $myTPOTSEED.bak $myTPOTSEED
@@ -64,25 +82,6 @@ function valid_ip()
 return $stat
 }
 
-# Let's check if all dependencies are met
-myINST=""
-for myDEPS in $myPACKAGES;
-do
- myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
- if [ "$myOK" != "ok" ]
- then
- myINST=$(echo $myINST $myDEPS)
- fi
-done
-if [ "$myINST" != "" ]
- then
- apt-get update -y
- for myDEPS in $myINST;
- do
- apt-get install $myDEPS -y
- done
-fi
-
 # Let's ask if the user wants to run the script ...
 dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nDownload latest supported Ubuntu Mini ISO and build the T-Pot Install Image." 8 50
 mySTART=$?
@@ -91,50 +90,36 @@ if [ "$mySTART" = "1" ];
 exit
 fi
 
+# Let's load the default config file
+if [ -f $myCONF_DEFAULT_FILE ];
+ then
+ source $myCONF_DEFAULT_FILE
+fi
+
 # Let's ask the user for a proxy ...
 while true;
 do
 dialog --backtitle "$myBACKTITLE" --title "[ Proxy Settings ]" --yesno "\nDo you want to configure a proxy?" 7 50
- myADDPROXY=$?
- if [ "$myADDPROXY" = "0" ]
+ myCONF_PROXY_USE=$?
+ if [ "$myCONF_PROXY_USE" = "0" ]
 then
 myIPRESULT="false"
 while [ "$myIPRESULT" = "false" ];
 do
- myPROXYIP=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy IP?" --inputbox "" 7 50 "1.2.3.4" 3>&1 1>&2 2>&3 3>&-)
- if valid_ip $myPROXYIP; then myIPRESULT="true"; fi
+ myCONF_PROXY_IP=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy IP?" --inputbox "" 7 50 "$myCONF_PROXY_IP" 3>&1 1>&2 2>&3 3>&-)
+ if valid_ip $myCONF_PROXY_IP; then myIPRESULT="true"; fi
 done
 myPORTRESULT="false"
 while [ "$myPORTRESULT" = "false" ];
 do
- myPROXYPORT=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy Port (i.e. 3128)?" --inputbox "" 7 50 "3128" 3>&1 1>&2 2>&3 3>&-)
- if [[ $myPROXYPORT =~ ^-?[0-9]+$ ]] && [ $myPROXYPORT -gt 0 ] && [ $myPROXYPORT -lt 65536 ]; then myPORTRESULT="true"; fi
+ myCONF_PROXY_PORT=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy Port (i.e. 3128)?" --inputbox "" 7 50 "$myCONF_PROXY_PORT" 3>&1 1>&2 2>&3 3>&-)
+ if [[ $myCONF_PROXY_PORT =~ ^-?[0-9]+$ ]] && [ $myCONF_PROXY_PORT -gt 0 ] && [ $myCONF_PROXY_PORT -lt 65536 ]; then myPORTRESULT="true"; fi
 done
- echo http://$myPROXYIP:$myPROXYPORT > $myPROXYCONFIG
- sed -i.bak 's#d-i mirror/http/proxy.*#d-i mirror/http/proxy string http://'$myPROXYIP':'$myPROXYPORT'/#' $myTPOTSEED
+ sed -i.bak 's#d-i mirror/http/proxy.*#d-i mirror/http/proxy string http://'$myCONF_PROXY_IP':'$myCONF_PROXY_PORT'/#' $myTPOTSEED
 break
 else
- break
- fi
-done
-
-# Let's ask the user for ssh keys ...
-while true;
-do
- dialog --backtitle "$myBACKTITLE" --title "[ Add ssh keys? ]" --yesno "\nDo you want to add public key(s) to authorized_keys file?" 8 50
- myADDKEYS=$?
- if [ "$myADDKEYS" = "0" ]
- then
- myKEYS=$(dialog --backtitle "$myBACKTITLE" --fselect "/" 15 50 3>&1 1>&2 2>&3 3>&-)
- if [ -f "$myKEYS" ]
- then
- cat $myKEYS > $myAUTHKEYSPATH
- break
- else
- dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50;
- fi
- else
- echo > $myAUTHKEYSPATH
+ myCONF_PROXY_IP=""
+ myCONF_PROXY_PORT=""
 break
 fi
 done
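Review bot: Dropping the authorized_keys prompt removes the only way the ISO provisioned public-key access for the admin user, while `fuCLEANUP` still truncates `$myAUTHKEYSFILE`, so after this change first login to a host that is intentionally exposed to attackers depends on the password the installer sets (the install.sh hunk above also deletes the `PasswordAuthentication no` sed). Key-only SSH was the safer default for this kind of system; keep the prompt as an optional step, or at least state the regression in the commit message. The new `source $myCONF_DEFAULT_FILE` executes the .dist file as shell, which is acceptable for a repository-shipped file but deserves a comment, e.g. `# iso.conf.dist is sourced, not parsed: only trusted, single-quoted values belong in it`.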
@@ -143,27 +128,30 @@ done
 while true;
 do
 dialog --backtitle "$myBACKTITLE" --title "[ Need 802.1x auth? ]" --yesno "\nDo you want to add a 802.1x host certificate?" 7 50
- myADDPFX=$?
- if [ "$myADDPFX" = "0" ]
+ myCONF_PFX_USE=$?
+ if [ "$myCONF_PFX_USE" = "0" ]
 then
- myPFX=$(dialog --backtitle "$myBACKTITLE" --fselect "/" 15 50 3>&1 1>&2 2>&3 3>&-)
- if [ -f "$myPFX" ]
+ myCONF_PFX_FILE=$(dialog --backtitle "$myBACKTITLE" --fselect "$myCONF_PFX_FILE" 15 50 3>&1 1>&2 2>&3 3>&-)
+ if [ -f "$myCONF_PFX_FILE" ]
 then
- cp $myPFX $myPFXPATH
+ cp $myCONF_PFX_FILE $myPFXFILE
 dialog --backtitle "$myBACKTITLE" --title "[ Password protected? ]" --yesno "\nDoes the certificate need your password?" 7 50
- myADDPFXPW=$?
- if [ "$myADDPFXPW" = "0" ]
+ myCONF_PFX_PW_USE=$?
+ if [ "$myCONF_PFX_PW_USE" = "0" ]
 then
- myPFXPW=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Password?" 7 50 3>&1 1>&2 2>&3 3>&-)
- echo $myPFXPW > $myPFXPWPATH
+ myCONF_PFX_PW=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Password?" 7 50 3>&1 1>&2 2>&3 3>&-)
+ else
+ myCONF_PFX_PW=""
 fi
- myPFXHOSTID=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Host ID?" 7 50 "." 3>&1 1>&2 2>&3 3>&-)
- echo $myPFXHOSTID > $myPFXHOSTIDPATH
+ myCONF_PFX_HOST_ID=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Host ID?" 7 50 "$myCONF_PFX_HOST_ID" 3>&1 1>&2 2>&3 3>&-)
 break
 else
 dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50;
 fi
 else
+ myCONF_PFX_FILE=""
+ myCONF_PFX_HOST_ID=""
+ myCONF_PFX_PW=""
 break
 fi
 done
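Review bot: The new `myCONF_PFX_PW=$(dialog ... --inputbox "Password?" ...)` line echoes the 802.1x private-key password on the terminal as it is typed and leaves it in the scrollback of a recorded session; dialog has a widget for this, `myCONF_PFX_PW=$(dialog --backtitle "$myBACKTITLE" --no-cancel --insecure --passwordbox "Password?" 7 50 3>&1 1>&2 2>&3 3>&-)`. The `cp $myCONF_PFX_FILE $myPFXFILE` just above copies a private key with whatever mode the source had; a `chmod 600 $myPFXFILE` immediately after keeps it from being world-readable in the build tree, which is later packed into the ISO.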
@@ -172,16 +160,16 @@ done while true; do dialog --backtitle "$myBACKTITLE" --title "[ NTP server? ]" --yesno "\nDo you want to configure a ntp server?" 7 50 - myADDNTP=$? - if [ "$myADDNTP" = "0" ] + myCONF_NTP_USE=$? + if [ "$myCONF_NTP_USE" = "0" ] then myIPRESULT="false" while [ "$myIPRESULT" = "false" ]; do - myNTPIP=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "NTP IP?" --inputbox "" 7 50 "1.2.3.4" 3>&1 1>&2 2>&3 3>&-) - if valid_ip $myNTPIP; then myIPRESULT="true"; fi + myCONF_NTP_IP=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "NTP IP?" --inputbox "" 7 50 "$myCONF_NTP_IP" 3>&1 1>&2 2>&3 3>&-) + if valid_ip $myCONF_NTP_IP; then myIPRESULT="true"; fi done -tee $myNTPCONFPATH < $myCONF_FILE +echo "myCONF_PROXY_USE=\"$myCONF_PROXY_USE\"" >> $myCONF_FILE +echo "myCONF_PROXY_IP=\"$myCONF_PROXY_IP\"" >> $myCONF_FILE +echo "myCONF_PROXY_PORT=\"$myCONF_PROXY_PORT\"" >> $myCONF_FILE +echo "myCONF_PFX_USE=\"$myCONF_PFX_USE\"" >> $myCONF_FILE +echo "myCONF_PFX_FILE=\"/root/installer/keys/8021x.pfx\"" >> $myCONF_FILE +echo "myCONF_PFX_PW_USE=\"$myCONF_PFX_PW_USE\"" >> $myCONF_FILE +echo "myCONF_PFX_PW=\"$myCONF_PFX_PW\"" >> $myCONF_FILE +echo "myCONF_PFX_HOST_ID=\"$myCONF_PFX_HOST_ID\"" >> $myCONF_FILE +echo "myCONF_NTP_USE=\"$myCONF_NTP_USE\"" >> $myCONF_FILE +echo "myCONF_NTP_IP=\"$myCONF_NTP_IP\"" >> $myCONF_FILE +echo "myCONF_NTP_CONF_FILE=\"/root/installer/ntp.conf\"" >> $myCONF_FILE + # Let's download Ubuntu Minimal ISO if [ ! -f $myUBUNTUISO ] then
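Review bot: The write-out block at the end of this line stores the 802.1x password as `myCONF_PFX_PW=\"$myCONF_PFX_PW\"` — a double-quoted value in a file the installer will `source` — so any `$`, backtick, `\` or `"` typed at the password prompt is re-evaluated on the target, presumably as root (a password like `x$(reboot)` would run that command), and most such passwords will simply fail to round-trip. Write single-quoted values with the quote escaped instead, e.g. `printf "myCONF_PFX_PW='%s'\n" "${myCONF_PFX_PW//\'/\'\\\'\'}" >> $myCONF_FILE`, and treat the other free-text fields (`myCONF_PFX_HOST_ID`) the same way. The file is also created with the default umask even though it holds a cleartext credential; add `chmod 600 $myCONF_FILE` right after the first write. The `@@` header of this write-out hunk is not recoverable in this view, so these lines may belong to a larger change whose start is not visible.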