Web based access

It is now possible to access T-Pot via the web, without an SSH tunnel.
Marco Ochse
2016-08-08 02:21:02 +02:00
parent 5200af3ccf
commit f038173920
9 changed files with 89 additions and 267 deletions


@ -47,29 +47,6 @@ exec > >(tee "install.log")
fuECHO "### Removing link to NGINX default website."
rm /etc/nginx/sites-enabled/default
# Let's ask user for web password
fuECHO "### Please enter a web user name and password."
myOK="n"
myUSER="tsec"
while [ "$myOK" != "y" ]
do
while [ "$myUSER" = "tsec" ]
do
echo -n "Username (tsec not allowed): "
read myUSER
echo "Your username is: "$myUSER
done
echo -n "OK (y/n)? "
read myOK
done
htpasswd -c /etc/nginx/nginxpasswd $myUSER
# Let's generate a SSL certificate
fuECHO "### Generating a self-signed-certificate for NGINX."
fuECHO "### If you are unsure you can use the default values."
mkdir -p /etc/nginx/ssl
openssl req -nodes -x509 -sha512 -newkey rsa:8192 -keyout "/etc/nginx/ssl/nginx.key" -out "/etc/nginx/ssl/nginx.crt" -days 3650
# Let's setup the proxy for env
if [ -f $myPROXYFILEPATH ];
then fuECHO "### Setting up the proxy."
@ -203,25 +180,25 @@ npm install git://github.com/t3chn0m4g3/wetty -g
# Let's install docker
#fuECHO "### Installing docker-engine."
#wget -qO- https://test.docker.com/ | sh
#wget -qO- https://get.docker.com/ | sh
# Let's add the docker repository
#fuECHO "### Adding the docker repository."
#apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
#tee /etc/apt/sources.list.d/docker.list <<EOF
#deb https://apt.dockerproject.org/repo ubuntu-xenial main
#EOF
fuECHO "### Adding the docker repository."
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
tee /etc/apt/sources.list.d/docker.list <<EOF
deb https://apt.dockerproject.org/repo ubuntu-xenial main
EOF
# Let's pull some updates
#fuECHO "### Pulling Updates."
#apt-get update -y
fuECHO "### Pulling Updates."
apt-get update -y
# Let's install docker
#fuECHO "### Installing docker-engine."
#fuECHO "### You can safely ignore the [FAILED] message,"
#fuECHO "### which is caused by a bug in the docker installer."
fuECHO "### Installing docker-engine."
fuECHO "### You can safely ignore the [FAILED] message,"
fuECHO "### which is caused by a bug in the docker installer."
#apt-get install docker-engine=1.10.2-0~trusty -y
#apt-get install docker-engine -y || true && sleep 5
apt-get install docker-engine=1.12.0-0~xenial -y || true && sleep 5
# Let's add proxy settings to docker defaults
if [ -f $myPROXYFILEPATH ];
@ -254,7 +231,7 @@ sed -i 's#Port 22#Port 64295#' /etc/ssh/sshd_config
sed -i 's#\#PasswordAuthentication yes#PasswordAuthentication no#' /etc/ssh/sshd_config
# Let's allow ssh password authentication from RFC1918 networks
fuECHO "### Allow SSH password authentication from RFC1918 networks"
fuECHO "### Allow SSH password authentication from RFC1918 networks"
tee -a /etc/ssh/sshd_config <<EOF
Match address 127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
PasswordAuthentication yes
@ -328,7 +305,7 @@ fuECHO "### Adding cronjobs."
tee -a /etc/crontab <<EOF
# Show running containers every 60s via /dev/tty2
*/2 * * * * root status.sh > /dev/tty2
#*/2 * * * * root status.sh > /dev/tty2
# Check if containers and services are up
*/5 * * * * root check.sh
@ -362,15 +339,13 @@ mkdir -p /data/conpot/log \
/data/glastopf /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \
/data/emobility/log \
/data/ews/log /data/ews/conf /data/ews/dionaea /data/ews/emobility \
/data/suricata/log /home/tsec/.ssh/
/data/suricata/log /home/tsec/.ssh/
# Let's take care of some files and permissions before copying
chmod 500 /root/tpot/bin/*
chmod 600 /root/tpot/data/*
chmod 644 /root/tpot/etc/issue
chmod 755 /root/tpot/etc/rc.local
chmod 700 /root/tpot/home/*
chown tsec:tsec /root/tpot/home/*
chmod 644 /root/tpot/data/systemd/*
# Let's copy some files
@ -379,10 +354,9 @@ cp /root/tpot/data/elkbase.tgz /data/
cp -R /root/tpot/bin/* /usr/bin/
cp -R /root/tpot/data/* /data/
cp /root/tpot/data/systemd/* /etc/systemd/system/
cp -R /root/tpot/etc/issue /etc/
cp /root/tpot/etc/nginx/ssl/* /etc/nginx/ssl/
cp /root/tpot/etc/issue /etc/
cp -R /root/tpot/etc/nginx/ssl /etc/nginx/
cp /root/tpot/etc/nginx/tpotweb.conf /etc/nginx/sites-available/
cp -R /root/tpot/home/* /home/tsec/
cp /root/tpot/keys/authorized_keys /home/tsec/.ssh/authorized_keys
cp /root/tpot/usr/share/nginx/html/* /usr/share/nginx/html/
for i in $(cat /data/images.conf);
@ -391,7 +365,7 @@ for i in $(cat /data/images.conf);
done
systemctl enable wetty
# Let's enable T-Pot website
# Let's enable T-Pot website
fuECHO "### Enabling T-Pot website."
ln -s /etc/nginx/sites-available/tpotweb.conf /etc/nginx/sites-enabled/tpotweb.conf
@ -399,7 +373,7 @@ ln -s /etc/nginx/sites-available/tpotweb.conf /etc/nginx/sites-enabled/tpotweb.c
chmod 760 -R /data
chown tpot:tpot -R /data
chmod 600 /home/tsec/.ssh/authorized_keys
chown tsec:tsec /home/tsec/*.sh /home/tsec/.ssh /home/tsec/.ssh/authorized_keys
chown tsec:tsec /home/tsec/.ssh /home/tsec/.ssh/authorized_keys
# Let's replace "quiet splash" options, set a console font for more screen canvas and update grub
sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub
@ -421,15 +395,50 @@ sed -i 's#\#force_color_prompt=yes#force_color_prompt=yes#' /home/tsec/.bashrc
sed -i 's#\#force_color_prompt=yes#force_color_prompt=yes#' /root/.bashrc
# Let's create ews.ip before reboot and prevent race condition for first start
source /etc/environment
myLOCALIP=$(hostname -I | awk '{ print $1 }')
myEXTIP=$(curl myexternalip.com/raw)
sed -i "s#IP:.*#IP: $myLOCALIP, $myEXTIP#" /etc/issue
myEXTIP=$(curl -s myexternalip.com/raw)
sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
tee /data/ews/conf/ews.ip << EOF
[MAIN]
ip = $myEXTIP
EOF
echo $myLOCALIP > /data/elk/logstash/mylocal.ip
chown tpot:tpot /data/ews/conf/ews.ip
# Let's ask user for web password
fuECHO "### Please enter a web user name and password."
myOK="n"
myUSER="tsec"
while [ 1 != 2 ]
do
read -p "Username (tsec not allowed): " myUSER
echo "Your username is: "$myUSER
read -p "OK (y/n)? " myOK
if [ "$myOK" = "y" ] && [ "$myUSER" != "tsec" ];
then
break
fi
done
myPASS1="pass1"
myPASS2="pass2"
while [ "$myPASS1" != "$myPASS2" ]
do
read -s -p "Password: " myPASS1
echo
read -s -p "Repeat password: " myPASS2
echo
done
htpasswd -b -c /etc/nginx/nginxpasswd $myUSER $myPASS1
# Let's generate a SSL certificate
fuECHO "### Generating a self-signed-certificate for NGINX."
fuECHO "### If you are unsure you can use the default values."
mkdir -p /etc/nginx/ssl
openssl req -nodes -x509 -sha512 -newkey rsa:8192 -keyout "/etc/nginx/ssl/nginx.key" -out "/etc/nginx/ssl/nginx.crt" -days 3650
# Final steps
fuECHO "### Thanks for your patience. Now rebooting."
#mv /root/tpot/etc/rc.local /etc/rc.local && rm -rf /root/tpot/ && chage -d 0 tsec && sleep 2 && reboot
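Review bot: The relocated `htpasswd -b -c /etc/nginx/nginxpasswd $myUSER $myPASS1` line in the last hunk passes the web password as a command-line argument, where it is readable in the process list while htpasswd runs, and the unquoted expansions word-split a password that contains spaces or glob characters. Going by the commit description this password now appears to be what protects the web UI once the SSH tunnel is no longer required, so I would feed it on stdin and quote both values: `printf '%s' "$myPASS1" | htpasswd -i -c /etc/nginx/nginxpasswd "$myUSER"`. The confirmation loop also ends as soon as the two entries match, so pressing Enter twice yields an empty password and a malformed htpasswd call; a condition such as `while [ -z "$myPASS1" ] || [ "$myPASS1" != "$myPASS2" ]` together with `read -r -s -p` closes that. In the same hunk, `myEXTIP` is fetched with `curl -s myexternalip.com/raw` over plain HTTP and spliced unvalidated into the `sed` replacement and `ews.ip`; checking it against an IP-address pattern before use would be prudent.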