work on permissions, folders and tpotinit

Add more functions to customizer.py (improve port and service checks, improve user output)
Adjust docker-compose files

.env

@@ -0,0 +1,121 @@
+# T-Pot config file. Do not remove.
+
+###############################################
+# T-Pot Base Settings - Adjust to your needs. #
+###############################################
+
+# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
+#  Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
+#  Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+#  Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+WEB_USER='change:me'
+
+# T-Pot Blackhole
+#  ENABLED: T-Pot will download a db of known mass scanners and nullroute them
+#           Be aware, this will put T-Pot off the map for stealth reasons and
+#           you will get less traffic. Routes will active until reboot and will
+#           be re-added with every T-Pot start until disabled.
+#  DISABLED: This is the default and no stealth efforts are in place.
+TPOT_BLACKHOLE=DISABLED
+
+# T-Pot Persistence
+# on: This is the default. T-Pot will keep the honeypot logfiles and rotate
+#     with logrotate for 30 days.
+# off: This is recommended for Raspberry Pi or setups with weaker CPUs or
+#      if you just do not need any of the logfiles.
+TPOT_PERSISTENCE=on
+
+# T-Pot Type
+# HIVE: This is the default and offers everything to connect T-Pot sensors.
+# SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
+#         settings as well.
+#         1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
+#         2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
+#            your SENSOR host to ~/tpotce/data/hive.crt
+#         3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
+#            Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
+#         4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
+#                       "echo -n 'username:password' | base64"
+TPOT_TYPE=HIVE
+
+# T-Pot Hive User (only relevant for SENSOR deployment)
+# <empty>: This is empty by default.
+# <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64"
+#                          i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
+TPOT_HIVE_USER=
+
+# T-Pot Hive IP (only relevant for SENSOR deployment)
+# <empty>: This is empty by default.
+# <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
+TPOT_HIVE_IP=
+
+# T-Pot AttackMap Text Output
+#  ENABLED: This is the default and the docker container map_data will print events to the console.
+#  DISABLED: Printing events to the console is disabled.
+TPOT_ATTACKMAP_TEXT=ENABLED
+
+# T-Pot AttackMap Text Output Timezone
+#  UTC: (T-Pot default) This is usually the best option.
+#  Continent/City: In Linux you can check our timezone with `readlink` /etc/localtime or
+#                  see the full list here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+#  Examples: America/New_York, Asia/Taipei, Australia/Melbourne, Europe/Athens, Europe/Berlin
+TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
+
+###################################################################################
+# Honeypots / Tools settings
+###################################################################################
+# Some services / tools offer adjustments using ENVs which can be adjusted here.
+###################################################################################
+
+# SentryPeer P2P mode
+# Exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+# the bad actors in its logs. Therefore this option is opt-in based.
+# 0: This is the default, P2P mode is disabled.
+# 1: Enable P2P mode.
+SENTRYPEER_PEER_TO_PEER=0
+
+# Suricata ET Pro ruleset
+# OPEN: This is the default and will the ET Open ruleset
+# OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
+OINKCODE=OPEN
+
+
+###################################################################################
+# NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
+###################################################################################
+
+# T-Pot Landing page provides Cockpit Link
+COCKPIT=false
+
+# docker.sock Path
+TPOT_DOCKER_SOCK=/var/run/docker.sock
+
+# docker compose .env
+TPOT_DOCKER_ENV=./.env
+
+# Docker-Compose file
+TPOT_DOCKER_COMPOSE=./docker-compose.yml
+
+# T-Pot Repo
+# Depending on where you are located you may choose between DockerHub and GHCR
+# dtagdevsec: This will use the DockerHub image registry
+# ghcr.io/telekom-security: This will use the GitHub container registry
+TPOT_REPO=ghcr.io/telekom-security
+
+# T-Pot Version Tag
+TPOT_VERSION=dev
+
+# T-Pot Pull Policy
+#  always: (T-Pot default) Compose implementations SHOULD always pull the image from the registry.
+#  never: Compose implementations SHOULD NOT pull the image from a registry and SHOULD rely on the platform cached image.
+#  missing: Compose implementations SHOULD pull the image only if it's not available in the platform cache.
+#  build: Compose implementations SHOULD build the image. Compose implementations SHOULD rebuild the image if already present.
+TPOT_PULL_POLICY=always
+
+# T-Pot Data Path
+TPOT_DATA_PATH=./data
+
+# OSType (linux, mac, win)
+#  Most docker features are available on linux
+TPOT_OSTYPE=linux

.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md

@@ -1,6 +1,14 @@
-# Issues
+---
+name: Bug report for T-Pot
+about: Bug report for T-Pot
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
 
-Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue:
 - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
 - 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
 - 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).

.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md

@@ -0,0 +1,20 @@
+---
+name: Feature request for T-Pot
+about: Suggest an idea for T-Pot
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md

@@ -0,0 +1,39 @@
+---
+name: General issue for T-Pot
+about: General issue for T-Pot
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
+
+Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
+
+- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
+- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
+- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
+- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
+
+<br>
+<br>
+<br>
+
+<a name="info"></a>
+## ⚠️ Basic support information (commands are expected to run as `root`)
+
+- What version of the OS are you currently using `lsb_release -a` and `uname -a`?
+- What T-Pot version are you currently using?
+- What edition (Standard, Nextgen, etc.) of T-Pot are you running?
+- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
+- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
+- How long has your installation been running?
+- Did you install upgrades, packages or use the update script?
+- Did you modify any scripts or configs? If yes, please attach the changes.
+- Please provide a screenshot of `glances` and `htop`.
+- How much free disk space is available (`df -h`)?
+- What is the current container status (`dps.sh`)?
+- What is the status of the T-Pot service (`systemctl status tpot`)?
+- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
+- If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

.gitignore

@@ -0,0 +1,4 @@
+# Ignore data folder
+data/
+**/.DS_Store
+.idea

CHANGELOG.md

@@ -1,86 +1,45 @@
-# Changelog
+# Release Notes / Changelog
+T-Pot 22.04.0 is probably the most feature rich release ever provided with long awaited (wanted!) features readily available after installation. 
 
+## New Features
+* **Distributed** Installation with **HIVE** and **HIVE_SENSOR**
+* **ARM64** support for all provided Docker images
+* **GeoIP Attack Map** visualizing Live Attacks on a dedicated webpage
+* **Kibana Live Attack Map** visualizing Live Attacks from different **HIVE_SENSORS**
+* **Blackhole** is a script trying to avoid mass scanner detection 
+* **Elasticvue** a web front end for browsing and interacting with an Elastic Search cluster
+* **Ddospot** a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
+* **Endlessh** is a SSH tarpit that very slowly sends an endless, random SSH banner
+* **HellPot** is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
+* **qHoneypots** 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
+* **Redishoneypot** is a honeypot mimicking some of the Redis' functions
+* **SentryPeer** a dedicated SIP honeypot
+* **Index Lifecycle Management** for Elasticseach indices is now being used
 
-## 20190802
-- **Add support for Buster as base image**
-  - Install ISO is now based on Debian Buster
-  - Installation upon Debian Buster is now supported
+## Upgrades
+* **Debian 11.x** is now being used for the T-Pot ISO images and required for post installs
+* **Elastic Stack 8.x** is now provided as Docker images
 
-## 20190701
-- **Reworked Ansible T-Pot Deployment**
-  - Transitioned from bash script to all Ansible
-  - Reusable Ansible Playbook for OpenStack clouds
-  - Example Showcase with our Open Telekom Cloud
-  - Adaptable for other cloud providers
+## Updates
+* **Honeypots** and **tools** were updated to their latest masters and releases
+* Updates will be provided continuously through Docker Images updates 
 
-## 20190626
-- **HPFEEDS Opt-In commandline option**
-  - Pass a hpfeeds config file as a commandline argument
-  - hpfeeds config is saved in `/data/ews/conf/hpfeeds.cfg`
-  - Update script restores hpfeeds config
+## Breaking Changes
+* For security reasons all Py2.x honeypots with the need of PyPi packages have been removed: **HoneyPy**, **HoneySAP** and **RDPY**
+* If you are upgrading from a previous version of T-Pot (20.06.x) you need to import the new Kibana objects or some of the functionality will be broken or will be unavailabe
+* **Cyberchef** is now part of the Nginx Docker image, no longer as individual image
+* **ElasticSearch Head** is superseded by **Elasticvue** and part the Nginx Docker image
+* **Heimdall** is no longer supported and superseded with a new Bento based landing page
+* **Elasticsearch Curator** is no longer supprted and superseded with **Index Lifecycle Policies** available through Kibana.
 
-## 20190604
-- **Finalize Fatt support**
-  - Build visualizations, searches, dashboards
-  - Rebuild index patterns
-  - Some finishing touches
+# Thanks & Credits
+* @ghenry, for some fun late night debugging and of course SentryPeer!
+* @giga-a, for adding much appreciated features (i.e. JSON logging, 
+X-Forwarded-For, etc.) and of course qHoneypots! 
+* @sp3t3rs, @trixam, for their backend and ews support!
+* @tadashi-oya, for spotting some errors and propose fixes!
+* @tmariuss, @shaderecker for their cloud contributions!
+* @vorband, for much appreciated and helpful insights regarding the GeoIP Attack Map!
+* @yunginnanet, on not giving up on squashing a bug and of course Hellpot!
 
-## 20190601
-- **Start supporting Fatt, remove Glastopf**
-  - Build Dockerfile, Adjust logstash, installer, update and such.
-  - Glastopf is no longer supported within T-Pot
-
-## 20190528+20190531
-- **Increase total number of fields**
-  - Adjust total number of fileds for logstash templae from 1000 to 2000.
-
-## 20190526
-- **Fix build for Cowrie**
-  - Upstream changes required a new package `py-bcrypt`.
-
-## 20190525
-- **Fix build for RDPY**
-  - Building was prevented due to cache error which occurs lately on Alpine if `apk` is using `--no-ache' as options.
-
-## 20190520
-- **Adjust permissions for /data folder**
-  - Now it is possible to download files from `/data` using SCP, WINSCP or CyberDuck.
-
-## 20190513
-- **Added Ansible T-Pot Deployment on Open Telekom Cloud**
-  - Reusable Ansible Playbooks for all cloud providers
-  - Example Showcase with our Open Telekom Cloud
-
-## 20190511
-- **Add hptest script**
-  - Quickly test if the honeypots are working with `hptest.sh <[ip,host]>` based on nmap.
-
-## 20190508
-- **Add tsec / install user to tpot group**
-  - For users being able to easily download logs from the /data folder the installer now adds the `tpot` or the logged in user (`who am i`) via `usermod -a -G tpot <user>` to the tpot group. Also /data permissions will now be enforced to `770`, which is necessary for directory listings.
-
-## 20190502
-- **Fix KVPs**
-  - Some KVPs for Cowrie changed and the tagcloud was not showing any values in the Cowrie dashboard.
-  - New installations are not affected, however existing installations need to import the objects from /opt/tpot/etc/objects/kibana-objects.json.zip.
-- **Makeiso**
-  - Move to Xorriso for building the ISO image.
-  - This allows to support most of the Debian based distros, i.e. Debian, MxLinux and Ubuntu.
-
-## 20190428
-- **Rebuild ISO**
-  - The install ISO needed a rebuilt after some changes in the Debian mirrors.
-- **Disable Netselect**
-  - After some reports in the issues that some Debian mirrors were not fully synced and thus some packages were unavailable the netselect-apt feature was disabled.
-
-## 20190406
-- **Fix for SSH**
-  - In some situations the SSH Port was not written to a new line (thanks to @dpisano for reporting).
-- **Fix race condition for apt-fast**
-  - Curl and wget need to be installed before apt-fast installation.
-
-## 20190404
-- **Fix #332**
-  - If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used.
-- **Improve install speed with apt-fast**
-  - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package.
+... and many others from the T-Pot community by opening valued issues and discussions, suggesting ideas and thus helping to improve T-Pot!

CITATION.cff

@@ -0,0 +1,43 @@
+# This CITATION.cff file was generated with cffinit.
+# Visit https://bit.ly/cffinit to generate yours today!
+
+cff-version: 1.2.0
+title: T-Pot DEV
+message: >-
+  If you use this software, please cite it using the
+  metadata from this file.
+type: software
+authors:
+  - name: Deutsche Telekom Security GmbH
+    address: Bonner Talweg 100
+    city: Bonn
+    country: DE
+    post-code: '53113'
+    website: 'https://github.com/telekom-security'
+  - given-names: Marco
+    family-names: Ochse
+    affiliation: Deutsche Telekom Security GmbH
+identifiers:
+  - type: url
+    value: >-
+      https://github.com/telekom-security/tpotce/releases/tag/22.04.0
+    description: T-Pot Release 22.04.0
+repository-code: 'https://github.com/telekom-security/tpotce'
+abstract: >-
+  T-Pot is the all in one, optionally distributed, multiarch
+  (amd64, arm64) honeypot plattform, supporting 20+
+  honeypots and countless visualization options using the
+  Elastic Stack, animated live attack maps and lots of
+  security tools to further improve the deception
+  experience.
+keywords:
+  - honeypot
+  - deception
+  - t-pot
+  - telekom security
+  - docker
+  - elk
+license: GPL-3.0
+commit: unreleased, under heavy development
+version: 2x.yy.z
+date-released: '202x-yy-zz'

PREVIEW.md

@@ -0,0 +1,205 @@
+# T-Pot - Dev Preview
+
+T-Pot will be turning 10 years next year and this milestone will be celebrated when the time comes, which brings us today to the best time to reflect on how technology advanced, what this means for the project and how we can ensure T-Pot will meet the current and future requirements of the community.
+<br><br>
+
+# TL;DR
+1. [Download](#choose-your-distro) or use a running, supported distribution
+2. Install the ISO with as minimal packages / services as possible (SSH required!)
+3. Install curl: `$ sudo [apt, dnf, zypper] install curl` if not installed already
+4. Run installer as non-root:
+```
+/bin/bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/dev/install.sh)"
+```
+   * Follow instructions, read messages, check for possible port conflicts and reboot
+5. [Start](#start-t-pot) T-Pot as non-root for the first time:
+```
+cd tpotce/preview/
+docker compose up
+```
+
+
+# Table of Contents
+- [Disclaimer](#disclaimer)
+- [Last Time Departed](#last-time-departed)
+- [Present Time](#present-time)
+- [Destination Time](#destination-time)
+- [Technical Preview](#technical-preview)
+  - [Architecture](#architecture)
+- [Installation](#installation)
+  - [Choose your distro](#choose-your-distro)
+  - [Get and Install T-Pot](#get-and-install-t-pot)
+  - [T-Pot Config File](#t-pot-config-file)
+  - [macOS & Windows](#macos--windows)
+- [Start T-Pot](#start-t-pot)
+- [Stop T-Pot](#stop-t-pot)
+- [Uninstall T-Pot](#uninstall-t-pot)
+- [Feedback](#uninstall-t-pot)
+
+<br><br>
+
+# Disclaimer
+- This is a Technical Preview, a very very early stage in the development T-Pot. You have been warned - there will be dragons steering flying time machines possibly causing paradoxes.
+- The T-Pot [disclaimer](https://github.com/telekom-security/tpotce/blob/master/README.md#disclaimer) and [documentation](https://github.com/telekom-security/tpotce/blob/master/README.md) apply.
+<br><br>
+
+# Last Time Departed
+Jumping back to 2014 T-Pot was born as the direct ancestor of our Raspberry Pi images we used to offer for download (which probably by now only insiders will remember 😅). Docker was just the new kid on the block with the shiny new container engine everyone desperately unknowingly waited for and thus taking the dev-world by storm. At that point we wanted to ensure that T-Pot was something tangible, tethered to a physical device (Hello NUC my old friend 👋) while using latest technologies ensuring an easy transition should we ever leave hardware based installations (or VMs for that matter). And Oh-My-Zsh as you all know that day came faster than anticipated! (Special thanks @vorband, @shaderecker and @tmariuss for all of their contributions!)  
+<br><br>
+
+# Present Time
+Flash Forward to today, T-Pot offers support for Debian, both as an ISO based installation or a post installation method (install your own Debian Server), support for OTC, AWS and other clouds through Ansible and Terraform Support. All of this in many different flavors and even a distributed installation. At the same time we are still relying on the same base concept we originally started with which does not seem fit for the foreseeable future.<br>
+In the last couple of years being independent of a certain platform was the one feature that stood out by far. The reason for this, until today, is the simple fact that T-Pot, although relying heavily on Docker, still relies on a fully controlled environment. This has its advantages but can not meet a demand where cloud based installations need different settings than we can provide (we can only run limited platform tests), companies follow different guidelines for allowed distributions or hosters simply offer Debian images slightly adjusted to their environments causing issues with the setting T-Pot relies on. Roll the dice or ask the Magic-8-Ball.     
+<br><br>
+
+# Destination Time
+Back to the future of T-Pot. For a brief time we had the idea of T-Pot Light which should compensate for the missing platform support. A concept was whipped up to support all of T-Pot's dockered services on minimal installations of Debian, Fedora, OpenSuse and Ubuntu Server. And it worked! It worked so good that we have almost achieved feature parity for this Technical Preview and decided that this is the best candidate for the future of the development of T-Pot<br>
+We are thrilled to share this now, so you can test, provide us with feedback, open issues and discussions and give us the chance to make the next T-Pot the best T-Pot we have ever released!
+<br><br>
+
+## Technical Preview
+For the purpose of the Technical Preview T-Pot will still use the 22.04 images and for a great part rely on the 22.04 release. This will lay the groundwork though for the next T-Pot release by just relying on the latest Docker package repositories (yes, the distros mostly do not offer Docker's bleeding edge features), some tiny modifications on the host (installer and uninstaller provided!) and move all of T-Pot's core in its own Docker image with a simple, user adjustable, configuration.<br>
+<br><br>
+
+## Architecture
+While the basic architecture still remains, the Technical Preview of T-Pot is mostly independent of the underlying OS with only some basic requirements:
+1. Underlying OS is available as supported distribution:
+    * Only the bare minimum of services and packages are installed to avoid possible port conflicts with T-Pot's services
+    * Debian, Fedora, OpenSuse and Ubuntu Server are currently supported, others might follow if the requirements will be met
+2. Latest Docker Engine from Docker's repositories is supported
+    * Only the latest Docker Engine packages offer all the features needed for T-Pot
+    * Docker Desktop does not offer host network capabilities and thus only a limited T-Pot experience (not available for the Technical Preview, but planned to even get started faster!)
+3. Changes to the host
+    * Some changes to the host are necessary but will be kept as minimalistic as possible, just enough T-Pot will be able to run
+    * There are uninstallers available this time 😁
+<br><br>
+
+# System Requirements
+The known T-Pot hardware (CPU, RAM, SSD) requirements and recommendations still apply.
+<br><br>
+
+# Installation
+[Download](#choose-your-distro) one of the supported Linux distro images, `git clone` the T-Pot repository and run the installer specific to your system. Running T-Pot on top of a running and supported Linux system is possible, but a clean installation is recommended to avoid port conflicts with running services.
+<br><br>
+
+## Choose your distro
+Choose a supported distro of your choice. It is recommended to use the minimum / netiso installers linked below and only install a minimalistic set of packages. SSH is mandatory or you will not be able to connect to the machine remotely.
+
+| Distribution Name                              | x64                                                                                                                                   | arm64 
+|:-----------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|:--------------
+| [AlmaLinux](https://almalinux.org)             | [download](https://mirrors.almalinux.org/isos/x86_64/9.2.html)                                                                        | [download](https://mirrors.almalinux.org/isos/aarch64/9.2.html)
+| [Debian](https://www.debian.org/index.en.html) | [download](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.0.0-amd64-netinst.iso)                                 | [download](https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso)
+| [DietPi](https://dietpi.com/#home)             |                                                                                                                                       | [download](https://dietpi.com/downloads/images/DietPi_RPi-ARMv8-Bookworm.7z)
+| [Fedora](https://fedoraproject.org)            | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/38/Server/x86_64/iso/Fedora-Server-netinst-x86_64-38-1.6.iso) | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/38/Server/aarch64/iso/Fedora-Server-netinst-aarch64-38-1.6.iso)
+| [OpenSuse](https://www.opensuse.org)           | [download](https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-NET-x86_64-Current.iso)                                   | [download](https://download.opensuse.org/ports/aarch64/tumbleweed/iso/openSUSE-Tumbleweed-NET-aarch64-Current.iso)
+| [Rocky Linux](https://rockylinux.org)          | [download](https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.2-x86_64-minimal.iso)                                      | [download](https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.2-aarch64-minimal.iso)
+| [Ubuntu](https://ubuntu.com)                   | [download](https://releases.ubuntu.com/22.04.2/ubuntu-22.04.2-live-server-amd64.iso)                                                  | [download](https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04.2-live-server-arm64.iso)
+
+## Raspberry Pi 4 (8GB) Support
+| Distribution Name                              | arm64                                                                                                                                               | Notes                                                                                                                                 
+|:-----------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|:--------------
+| [DietPi](https://dietpi.com/#home)             | [download](https://dietpi.com/downloads/images/DietPi_RPi-ARMv8-Bookworm.7z)                                                                        | In DietPi config you need to choose OpenSSH instead of Dropbear or T-Pot will fail to install
+| [Raspberry Pi OS](https://www.raspberrypi.com) | [download](https://downloads.raspberrypi.org/raspios_lite_arm64/images/raspios_lite_arm64-2023-05-03/2023-05-03-raspios-bullseye-arm64-lite.img.xz) | Recommended, everything incl. Wifi works as expected right away (when using Raspberry Pi Imager)
+
+<br><br> 
+
+## Get and install T-Pot
+1. Clone the GitHub repository: `$ git clone https://github.com/telekom-security/tpotce`
+2. Change into the **tpotce/preview/installer** folder: `$ cd tpotce/preview/installer`
+3. Locate your distribution, i.e. `fedora`: `$ cd fedora`
+4. Run the installer as non-root: `$ ./install.sh`:
+   * ⚠️ ***Depending on your Linux distribution of choice the installer will:***
+     * Change the SSH port to `tcp/64295`
+     * Disable the DNS Stub Listener to avoid port conflicts with honeypots
+     * Set SELinux to Monitor Mode
+     * Set the firewall target for the public zone to ACCEPT
+     * Add Docker's repository and install Docker
+     * Install recommended packages
+     * Remove package known to cause issues
+     * Add the current user to the docker group (allow docker interaction without `sudo`)
+     * Add `dps` and `dpsw` aliases (`grc docker ps -a`, `watch -c "grc --colour=on docker ps -a`)
+     * Display open ports on the host (compare with T-Pot [required](https://github.com/telekom-security/tpotce#required-ports) ports)
+5. Follow the installer instructions, you will have to enter your password at least once
+6. Check the installer messages for errors and open ports that might cause port conflicts
+7. Reboot: `$ sudo reboot`
+<br><br>
+
+## T-Pot Config File
+T-Pot offers a configuration file providing environment variables not only for the docker services (i.e. honeypots and tools) but also for the docker compose environment. The configuration file is hidden in the `preview` folder and is called `.env`. There is however an example file (`env.example`) which holds the default configuration.<br> Before the first start set the `WEB_USER` and `WEB_PW`. Once T-Pot was initialized it is recommended to remove the password and set `WEB_PW=<changeme>`. Other settings are available also, these however should only be changed if you are comfortable with possible errors 🫠 as some of the features are not fully integrated and tested yet.
+```
+# T-Pot config file. Do not remove.
+
+# Set Web username and password here, only required for first run
+#  Removing the password after first run is recommended
+#  You can always add or remove users as you see fit using htpasswd:
+#  htpasswd -b -c /<data_folder>/nginx/conf/nginxpasswd <username> <password>
+WEB_USER=<changeme>
+WEB_PW=<changeme>
+
+# T-Pot Blackhole
+#  ENABLED: T-Pot will download a db of known mass scanners and nullroute them
+#           Be aware, this will put T-Pot off the map for stealth reasons and
+#           you will get less traffic. Routes will active until reboot and will
+#           be re-added with every T-Pot start until disabled.
+#  DISABLED: This is the default and no stealth efforts are in place.
+TPOT_BLACKHOLE=DISABLED
+```
+
+## macOS & Windows
+Sometimes it is just nice if you can spin up a T-Pot instance on macOS or Windows, i.e. for development, testing or just the fun of it. While Docker Desktop is rather limited not all honeypot types or T-Pot features are supported. Also remember, by default the macOS and Windows firewall are blocking access from remote, so testing is limited to the host. For production it is recommended to run T-Pot on Linux.<br>
+To get things up and running just follow these steps:
+1. Install Docker Desktop for [macOS](https://docs.docker.com/desktop/install/mac-install/) or [Windows](https://docs.docker.com/desktop/install/windows-install/)
+2. Clone the GitHub repository: `$ git clone https://github.com/telekom-security/tpotce`
+2. Change into the **tpotce/preview/compose** folder: `$ cd tpotce/preview/compose`
+3. Copy **mac_win.yml** to the **tpotce/preview** folder by overwriting **docker-compose.yml**: `$ cp mac_win.yml ../docker-compose.yml`
+4. Adjust the **.env** file by changing **TPOT_OSTYPE** to either **mac** or **win**:
+```
+# OSType (linux, mac, win)
+#  Most docker features are available on linux
+TPOT_OSTYPE=mac
+```
+5. You have to ensure on your own there are no port conflicts keeping T-Pot from starting up.
+You can follow the README on how to [Start T-Pot](#start-t-pot), however you may skip the **crontab**.
+
+
+# Start T-Pot
+1. Change into the **tpotce/preview/** folder: `$ cd tpotce/preview/`
+2. Run: `$ docker compose up` (notice the missing dash, `docker-compose` no longer exists with the latest Docker installation)
+   * You can also run `$ docker compose -f /<path_to_tpot>/tpotce/preview/docker-compose.yml up` directly if you want to avoid to change into the `preview` folder or add an alias of your choice.
+3. `docker compose` will now download all the necessary images to run the T-Pot Docker containers
+4. On the first run T-Pot (`tpotinit`) will initialize and create the `data` folder in the path specified (by default it is located in `tpotce/preview/data/`):
+   * It takes about 2-3 minutes to bring all the containers up (should port conflicts arise `docker compose` will simply abort)
+   * Once all containers have started successfully for the first time you can access T-Pot as described [here](https://github.com/telekom-security/tpotce#remote-access-and-tools) or cancel with `CTRL-C` ...
+5. ... and run T-Pot in the background: `$ docker compose up -d`
+   * Unless you run `docker compose down -v` T-Pot's Docker service will remain persistent and restart with a reboot
+   * You can however add a crontab entry with `crontab -e` which will also add some container and image management.
+```
+@reboot docker compose -f /<path_to_tpot_>/tpotce/preview/docker-compose.yml down -v; \
+docker container prune -f; \
+docker image prune -f; \
+docker compose -f /<path_to_tpot_>/tpotce/preview/docker-compose.yml up -d
+```
+6. By default Docker will always check if the local and remote docker images match, if not, Docker will either revert to a fitting locally cached image or download the image from remote. This ensures T-Pot images will always be up-to-date
+
+# Stop T-Pot
+1. Change into the **tpotce/preview/** folder: `$ cd tpotce/preview/`
+2. Run: `$ docker compose down -v` (notice the missing dash, `docker-compose` no longer exists with the latest docker installation)
+3. Docker will now stop all running T-Pot containers and disable reboot persistence (unless you made a [crontab entry](#start-t-pot)
+   * You can also run `$ docker compose -f /<path_to_tpot>/tpotce/preview/docker-compose.yml down -v` directly if you want to avoid to change into the `preview` folder or add an alias of your choice.
+ 
+# Uninstall T-Pot
+1. Change into the **tpotce/preview/uninstaller/** folder: `$ cd tpotce/preview/uninstaller/`
+2. Locate your distribution, i.e. `fedora`: `$ cd fedora`
+3. Run the installer as non-root: `$ ./uninstall.sh`:
+   * The uninstaller will reverse the installation steps
+4. Follow the uninstaller instructions, you will have to enter your password at least once
+5. Check the uninstaller messages for errors
+6. Reboot: `$ sudo reboot`
+<br><br>
+
+# Feedback
+To ensure the next T-Pot release will be everything we and you - The T-Pot Community - have in mind please feel free to leave comments in the `Technical Preview` [discussion](https://github.com/telekom-security/tpotce/discussions/1325) pinned on our GitHub [Discussions](https://github.com/telekom-security/tpotce/discussions) section. Please bear in mind that this Technical Preview is made public in the earliest stage of the T-Pot development process at your convenience for ***your*** valuable input.
+<br><br>
+Thank you for testing 💖
+
+Special thanks to all the [contributors](https://github.com/telekom-security/tpotce/graphs/contributors) and [developers](https://github.com/telekom-security/tpotce#credits) making this project possible!

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+|---------| ------------------ |
+| 23.12.x | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+We take security of T-Pot very seriously. If one of T-Pot's components is affected, it is most likely that a upstream component we rely on is involved, such as a honeypot, docker image, tool or package. Together we will find the best possible way to remedy the situation.
+
+Before you submit a possible vulnerability, please ensure you have done the following:
+1. You have checked the documentation, issues and discussions if the detected behavior is typical and does not revolve around other issues. I.e. Cowrie will be detected with outgoing conncection requests or T-Pot opening all possible TCP ports which Honeytrap enabled install flavors will do as a feature.
+2. You have identified the vulnerable component and isolated your finding (honeypot, docker image, tool, package, etc.).
+3. You have a detailed description including log files, possibly debug files, with all steps necessary for us to reproduce / trigger the behaviour or vulnerability. At best you already have a possible solution, hotfix, fix or patch to remedy the situation and want to submit a PR. 
+4. You have checked if the possible vulnerability is known upstream. If a fix / patch is already available, please provide the necessary info.
+
+We will get back to you as fast as possible. In case you think this is an emergency for the whole T-Pot community feel free to speed things up by **responsibly** informing our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316).

_deprecated/bin/2fa.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Make sure script is started as non-root.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" = "root" ]
+  then
+    echo "Need to run as non-root ..."
+    echo ""
+    exit
+fi
+
+# set vars, check deps
+myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
+if ! [ -s "$myPAM_COCKPIT_FILE" ];
+  then
+    echo "### Cockpit PAM module config does not exist. Something went wrong."
+    echo ""
+    exit 1
+fi
+myPAM_COCKPIT_GA="
+
+# google authenticator for two-factor
+auth required pam_google_authenticator.so
+"
+myAUTHENTICATOR=$(which google-authenticator)
+if [ "$myAUTHENTICATOR" == "" ];
+  then
+    echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
+    echo ""
+    sudo apt-get update
+    sudo apt-get install -y libpam-google-authenticator
+    exec "$1" "$2"    
+    exit 1
+fi
+
+
+# write PAM changes 
+function fuWRITE_PAM_CHANGES {
+  myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
+  if ! [ "$myCHECK" == "0" ];
+    then
+      echo "### PAM config already enabled. Skipped."
+      echo ""
+    else
+      echo "### Updating PAM config for Cockpit (if asked provide root password)."
+      echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
+      sudo systemctl restart cockpit
+  fi
+}
+
+# create 2fa
+function fuGEN_TOKEN {
+  echo "### Now generating token for Google Authenticator."
+  echo ""
+  google-authenticator -t -d -r 3 -R 30 -w 17
+}
+
+
+# main
+echo "### This script will enable Two Factor Authentication for Cockpit."
+echo ""
+echo "### Please download one of the many authenticator apps from the appstore of your choice."
+echo ""
+while true;
+  do
+    read -p "### Ready to start (y/n)? " myANSWER
+    case $myANSWER in
+      [Yy]* ) echo "### OK. Starting ..."; break;;
+      [Nn]* ) echo "### Exiting."; exit;;
+    esac
+done
+
+fuWRITE_PAM_CHANGES
+fuGEN_TOKEN
+
+echo "Done. Re-run this script by every user who needs Cockpit access."
+echo ""

_deprecated/bin/backup_es_folders.sh

@@ -1,12 +1,21 @@
 #!/bin/bash
 # Run as root only.
 myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
+if [ "$myWHOAMI" != "root" ];
   then
     echo "Need to run as root ..."
     exit
 fi
 
+if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
+  then
+    echo "Usage: backup_es_folders [all, base]"
+    echo "       all  = backup all ES folder"
+    echo "       base = backup only Kibana index".
+    echo
+    exit
+fi
+
 # Backup all ES relevant folders
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
@@ -25,7 +34,7 @@ myCOUNT=1
 myDATE=$(date +%Y%m%d%H%M)
 myELKPATH="/data/elk/data"
 myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
-myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME
+myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
 
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
@@ -42,5 +51,11 @@ sleep 2
 
 # Backup DB in 2 flavors
 echo "### Now backing up Elasticsearch folders ..."
-tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
-tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
+if [ "$1" == "all" ];
+  then
+    tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
+elif [ "$1" == "base" ];
+  then
+    tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
+fi
+

_deprecated/bin/blackhole.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+
+# Run as root only.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "### Need to run as root ..."
+    echo
+    exit
+fi
+
+# Disclaimer
+if [ "$1" == "" ];
+  then
+    echo "### Warning!"
+    echo "### This script will download and add blackhole routes for known mass scanners in an attempt to decrease the chance of detection."
+    echo "### IPs are neither curated or verified, use at your own risk!"
+    echo "###"
+    echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
+    echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
+    echo
+    echo "Usage: blackhole.sh add (add blackhole routes)" 
+    echo "       blackhole.sh del (delete blackhole routes)"
+    echo
+    exit
+fi
+
+# QnD paths, files
+mkdir -p /etc/blackhole
+cd /etc/blackhole
+myFILE="mass_scanner.txt"
+myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
+myBASELINE="500"
+# Alternatively, using less routes, but blocking complete /24 networks
+#myFILE="mass_scanner_cidr.txt"
+#myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
+
+# Calculate age of downloaded list, read IPs
+if [ -f "$myFILE" ];
+  then
+    myNOW=$(date +%s)
+    myOLD=$(date +%s -r "$myFILE")
+    myDAYS=$(( ($myNOW-$myOLD) / (60*60*24) ))
+    echo "### Downloaded $myFILE list is $myDAYS days old."
+    myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
+fi
+
+# Let's load ip list
+if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
+  then
+    echo "### Downloading $myFILE list."
+    aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
+    myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u) 
+fi
+
+myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
+# Let's extract mass scanner IPs
+if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
+  then
+    echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
+    echo "### Aborting."
+    echo
+    exit
+elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
+  then
+    echo "### Blackhole already enabled."
+    echo "### Aborting."
+    echo
+    exit
+fi
+
+# Let's add blackhole routes for all mass scanner IPs
+if [ "$1" == "add" ];
+  then
+    echo
+    echo -n "Now adding $myCOUNT IPs to blackhole."
+    for i in $myBLACKHOLE_IPS;
+      do
+        ip route add blackhole "$i"
+	echo -n "."
+    done
+    echo
+    echo "Added $(ip r | grep "blackhole" -c) IPs to blackhole."
+    echo
+    echo "### Remember!"
+    echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
+    echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
+    echo
+    exit
+fi
+
+# Let's delete blackhole routes for all mass scanner IPs
+if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
+  then
+    echo
+    echo -n "Now deleting $myCOUNT IPs from blackhole."
+      for i in $myBLACKHOLE_IPS;
+        do
+          ip route del blackhole "$i"
+	  echo -n "."
+      done
+      echo
+      echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
+      echo
+      rm "$myFILE"
+  else
+    echo "### Blackhole already disabled."
+    echo
+fi

_deprecated/bin/change_ews_config.sh

@@ -60,7 +60,7 @@ fi
 echo ""
 echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
 echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
-wget -q https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
+wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
 if [[ -f "ews.cfg.dist" ]]; then
 	echo "[+] Successfully downloaded ews.cfg from github."
 else 

_deprecated/bin/clean.sh

@@ -5,6 +5,9 @@ myRED=""
 myGREEN=""
 myWHITE=""
 
+# Set pigz
+myPIGZ=$(which pigz)
+
 # Set persistence
 myPERSISTENCE=$1
 
@@ -46,14 +49,14 @@ chmod 644 /data/nginx/cert -R
 logrotate -f -s $mySTATUS $myCONF
 
 # Compressing some folders first and rotate them later
-if [ "$(fuEMPTY $myADBHONEYDL)" != "0" ]; then tar cvfz $myADBHONEYTGZ $myADBHONEYDL; fi
-if [ "$(fuEMPTY $myCOWRIETTYLOGS)" != "0" ]; then tar cvfz $myCOWRIETTYTGZ $myCOWRIETTYLOGS; fi
-if [ "$(fuEMPTY $myCOWRIEDL)" != "0" ]; then tar cvfz $myCOWRIEDLTGZ $myCOWRIEDL; fi
-if [ "$(fuEMPTY $myDIONAEABI)" != "0" ]; then tar cvfz $myDIONAEABITGZ $myDIONAEABI; fi
-if [ "$(fuEMPTY $myDIONAEABIN)" != "0" ]; then tar cvfz $myDIONAEABINTGZ $myDIONAEABIN; fi
-if [ "$(fuEMPTY $myHONEYTRAPATTACKS)" != "0" ]; then tar cvfz $myHONEYTRAPATTACKSTGZ $myHONEYTRAPATTACKS; fi
-if [ "$(fuEMPTY $myHONEYTRAPDL)" != "0" ]; then tar cvfz $myHONEYTRAPDLTGZ $myHONEYTRAPDL; fi
-if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar cvfz $myTANNERFTGZ $myTANNERF; fi
+if [ "$(fuEMPTY $myADBHONEYDL)" != "0" ]; then tar -I $myPIGZ -cvf $myADBHONEYTGZ $myADBHONEYDL; fi
+if [ "$(fuEMPTY $myCOWRIETTYLOGS)" != "0" ]; then tar -I $myPIGZ -cvf $myCOWRIETTYTGZ $myCOWRIETTYLOGS; fi
+if [ "$(fuEMPTY $myCOWRIEDL)" != "0" ]; then tar -I $myPIGZ -cvf $myCOWRIEDLTGZ $myCOWRIEDL; fi
+if [ "$(fuEMPTY $myDIONAEABI)" != "0" ]; then tar -I $myPIGZ -cvf $myDIONAEABITGZ $myDIONAEABI; fi
+if [ "$(fuEMPTY $myDIONAEABIN)" != "0" ]; then tar -I $myPIGZ -cvf $myDIONAEABINTGZ $myDIONAEABIN; fi
+if [ "$(fuEMPTY $myHONEYTRAPATTACKS)" != "0" ]; then tar -I $myPIGZ -cvf $myHONEYTRAPATTACKSTGZ $myHONEYTRAPATTACKS; fi
+if [ "$(fuEMPTY $myHONEYTRAPDL)" != "0" ]; then tar -I $myPIGZ -cvf $myHONEYTRAPDLTGZ $myHONEYTRAPDL; fi
+if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar -I $myPIGZ -cvf $myTANNERFTGZ $myTANNERF; fi
 
 # Ensure correct permissions and ownership for previously created archives
 chmod 770 $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
@@ -87,6 +90,14 @@ fuCISCOASA () {
   chown tpot:tpot /data/ciscoasa -R
 }
 
+# Let's create a function to clean up and prepare citrixhoneypot data
+fuCITRIXHONEYPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi
+  mkdir -p /data/citrixhoneypot/logs/
+  chmod 770 /data/citrixhoneypot/ -R
+  chown tpot:tpot /data/citrixhoneypot/ -R
+}
+
 # Let's create a function to clean up and prepare conpot data
 fuCONPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
@@ -103,6 +114,23 @@ fuCOWRIE () {
   chown tpot:tpot /data/cowrie -R
 }
 
+# Let's create a function to clean up and prepare ddospot data
+fuDDOSPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
+  mkdir -p /data/ddospot/bl /data/ddospot/db /data/ddospot/log
+  chmod 770 /data/ddospot -R
+  chown tpot:tpot /data/ddospot -R
+}
+
+# Let's create a function to clean up and prepare dicompot data
+fuDICOMPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
+  mkdir -p /data/dicompot/log
+  mkdir -p /data/dicompot/images
+  chmod 770 /data/dicompot -R
+  chown tpot:tpot /data/dicompot -R
+}
+
 # Let's create a function to clean up and prepare dionaea data
 fuDIONAEA () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
@@ -129,6 +157,14 @@ fuELK () {
   chown tpot:tpot /data/elk -R
 }
 
+# Let's create a function to clean up and prepare endlessh data
+fuENDLESSH () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
+  mkdir -p /data/endlessh/log
+  chmod 770 /data/endlessh -R
+  chown tpot:tpot /data/endlessh -R
+}
+
 # Let's create a function to clean up and prepare fatt data
 fuFATT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
@@ -145,6 +181,14 @@ fuGLUTTON () {
   chown tpot:tpot /data/glutton -R
 }
 
+# Let's create a function to clean up and prepare hellpot data
+fuHELLPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
+  mkdir -p /data/hellpot/log
+  chmod 770 /data/hellpot -R
+  chown tpot:tpot /data/hellpot -R
+}
+
 # Let's create a function to clean up and prepare heralding data
 fuHERALDING () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
@@ -153,12 +197,20 @@ fuHERALDING () {
   chown tpot:tpot /data/heralding -R
 }
 
-# Let's create a function to clean up and prepare honeypy data
-fuHONEYPY () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
-  mkdir -p /data/honeypy/log
-  chmod 770 /data/honeypy -R
-  chown tpot:tpot /data/honeypy -R
+# Let's create a function to clean up and prepare honeypots data
+fuHONEYPOTS () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
+  mkdir -p /data/honeypots/log
+  chmod 770 /data/honeypots -R
+  chown tpot:tpot /data/honeypots -R
+}
+
+# Let's create a function to clean up and prepare honeysap data
+fuHONEYSAP () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi
+  mkdir -p /data/honeysap/log
+  chmod 770 /data/honeysap -R
+  chown tpot:tpot /data/honeysap -R
 }
 
 # Let's create a function to clean up and prepare honeytrap data
@@ -169,6 +221,22 @@ fuHONEYTRAP () {
   chown tpot:tpot /data/honeytrap/ -R
 }
 
+# Let's create a function to clean up and prepare ipphoney data
+fuIPPHONEY () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
+  mkdir -p /data/ipphoney/log
+  chmod 770 /data/ipphoney -R
+  chown tpot:tpot /data/ipphoney -R
+}
+
+# Let's create a function to clean up and prepare log4pot data
+fuLOG4POT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
+  mkdir -p /data/log4pot/log
+  chmod 770 /data/log4pot -R
+  chown tpot:tpot /data/log4pot -R
+}
+
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@@ -201,6 +269,22 @@ fuRDPY () {
   chown tpot:tpot /data/rdpy/ -R
 }
 
+# Let's create a function to clean up and prepare redishoneypot data
+fuREDISHONEYPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
+  mkdir -p /data/redishoneypot/log
+  chmod 770 /data/redishoneypot -R
+  chown tpot:tpot /data/redishoneypot -R
+}
+
+# Let's create a function to clean up and prepare sentrypeer data
+fuSENTRYPEER () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
+  mkdir -p /data/sentrypeer/log
+  chmod 770 /data/sentrypeer -R
+  chown tpot:tpot /data/sentrypeer -R
+}
+
 # Let's create a function to prepare spiderfoot db
 fuSPIDERFOOT () {
   mkdir -p /data/spiderfoot
@@ -257,20 +341,30 @@ if [ "$myPERSISTENCE" = "on" ];
     echo "Cleaning up and preparing data folders."
     fuADBHONEY
     fuCISCOASA
+    fuCITRIXHONEYPOT
     fuCONPOT
     fuCOWRIE
+    fuDDOSPOT
+    fuDICOMPOT
     fuDIONAEA
     fuELASTICPOT
     fuELK
+    fuENDLESSH
     fuFATT
     fuGLUTTON
     fuHERALDING
-    fuHONEYPY
+    fuHELLPOT
+    fuHONEYSAP
+    fuHONEYPOTS
     fuHONEYTRAP
+    fuIPPHONEY
+    fuLOG4POT
     fuMAILONEY
     fuMEDPOT
     fuNGINX
+    fuREDISHONEYPOT
     fuRDPY
+    fuSENTRYPEER
     fuSPIDERFOOT
     fuSURICATA
     fuP0F

_deprecated/bin/deploy.sh

@@ -0,0 +1,182 @@
+#!/bin/bash
+
+# Do we have root?
+function fuGOT_ROOT {
+echo
+echo -n "### Checking for root: "
+if [ "$(whoami)" != "root" ];
+  then
+    echo "[ NOT OK ]"
+    echo "### Please run as root."
+    echo "### Example: sudo $0"
+    exit
+  else
+    echo "[ OK ]"
+fi
+}
+
+function fuDEPLOY_SENSOR () {
+echo
+echo "###############################"
+echo "# Deploying to T-Pot Hive ... #"
+echo "###############################"
+echo
+sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
+echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
+mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
+echo "$MY_SENSOR_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
+chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
+chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
+chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
+EOF
+
+echo
+echo "###########################"
+echo "# Done. Please reboot ... #"
+echo "###########################"
+echo
+
+exit 0
+}
+
+# Check Hive availability 
+function fuCHECK_HIVE () {
+echo
+echo "############################################"
+echo "# Checking for T-Pot Hive availability ... #"
+echo "############################################"
+echo
+sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
+if [ $? -eq 0 ];
+  then
+    echo
+    echo "#########################"
+    echo "# T-Pot Hive available! #"
+    echo "#########################"
+    echo
+    myHIVE_OK=$(curl -s http://127.0.0.1:64305)
+    if [ "$myHIVE_OK" == "ok" ];
+      then
+	echo
+        echo "##############################"
+        echo "# T-Pot Hive tunnel test OK! #"
+        echo "##############################"
+        echo
+        kill -9 $(pidof ssh)
+      else
+        echo
+	echo "######################################################"
+        echo "# T-Pot Hive tunnel test FAILED!                     #"
+	echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
+	echo "# Aborting.                                          #"
+        echo "######################################################"
+        echo
+        kill -9 $(pidof ssh)
+	rm $MY_SENSOR_PUBLICKEYFILE
+	rm $MY_SENSOR_PRIVATEKEYFILE
+	rm $MY_LS_ENVCONFIGFILE
+	exit 1
+    fi;
+  else
+    echo
+    echo "#################################################################"
+    echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
+    echo "# Aborting.                                                     #"
+    echo "#################################################################"
+    echo
+    rm $MY_SENSOR_PUBLICKEYFILE
+    rm $MY_SENSOR_PRIVATEKEYFILE
+    rm $MY_LS_ENVCONFIGFILE
+    exit 1
+fi;
+}
+
+function fuGET_DEPLOY_DATA () {
+echo
+echo "### Please provide data from your T-Pot Hive installation."
+echo "### This usually is the one running the 'T-Pot Hive' type."
+echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
+echo "### Do not worry, the password will not be persisted!"
+echo
+
+read -p "Username: " MY_TPOT_USERNAME
+read -s -p "Password: " SSHPASS
+echo
+export SSHPASS
+read -p "IP / FQDN: " MY_HIVE_IP
+MY_HIVE_USERNAME="$(hostname)"
+MY_TPOT_TYPE="SENSOR"
+MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
+
+MY_SENSOR_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
+MY_SENSOR_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
+if ! [ -s "$MY_SENSOR_PRIVATEKEYFILE" ] && ! [ -s "$MY_SENSOR_PUBLICKEYFILE" ];
+  then
+    echo
+    echo "##############################"
+    echo "# Generating ssh keyfile ... #"
+    echo "##############################"
+    echo
+    mkdir -p /data/elk/logstash
+    ssh-keygen -f "$MY_SENSOR_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
+    MY_SENSOR_PUBLICKEY="$(cat "$MY_SENSOR_PUBLICKEYFILE")"
+  else
+    echo
+    echo "#############################################"
+    echo "# There is already a ssh keyfile. Aborting. #"
+    echo "#############################################"
+    echo
+    exit 1
+fi
+echo
+echo "###########################################################"
+echo "# Writing config to /data/elk/logstash/ls_environment.    #"
+echo "# If you make changes to this file, you need to reboot or #"
+echo "# run /opt/tpot/bin/updateip.sh.                          #"
+echo "###########################################################"
+echo
+tee $MY_LS_ENVCONFIGFILE << EOF
+MY_TPOT_TYPE=$MY_TPOT_TYPE
+MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
+MY_HIVE_USERNAME=$MY_HIVE_USERNAME
+MY_HIVE_IP=$MY_HIVE_IP
+EOF
+}
+
+# Deploy Pot to Hive
+fuGOT_ROOT
+echo
+echo "#################################"
+echo "# Ship T-Pot Logs to T-Pot Hive #"
+echo "#################################"
+echo
+echo "If you already have a T-Pot Hive installation running and"
+echo "this T-Pot installation is running the type \"Pot\" the"
+echo "script will automagically setup this T-Pot to ship and"
+echo "prepare the Hive to receive logs from this T-Pot."
+echo
+echo
+echo "###################################"
+echo "# Deploy T-Pot Logs to T-Pot Hive #"
+echo "###################################"
+echo 
+echo "[c] - Continue deplyoment"
+echo "[q] - Abort and exit"
+echo
+while [ 1 != 2 ]
+  do
+    read -s -n 1 -p "Your choice: " mySELECT
+      echo $mySELECT
+      case "$mySELECT" in
+        [c,C])
+          fuGET_DEPLOY_DATA
+          fuCHECK_HIVE
+	  fuDEPLOY_SENSOR
+          break
+          ;;
+        [q,Q])
+          echo "Aborted."
+          exit 0
+          ;;
+      esac
+done

_deprecated/bin/deprecated/export_kibana-objects.sh

@@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -15,24 +15,25 @@ fi
 
 # Set vars
 myDATE=$(date +%Y%m%d%H%M)
-myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
-myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
-myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
-mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
+myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
+myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
+mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
+myCONFIGS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=config&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
 myCOL1=""
 myCOL0=""
 
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
-  rm -rf patterns/ dashboards/ visualizations/ searches/
+  rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
 }
 trap fuCLEANUP EXIT
 
 # Export index patterns
 mkdir -p patterns
 echo $myCOL1"### Now exporting"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
-curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes}' > patterns/$myINDEXID.json &
+curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes, references}' > patterns/$myINDEXID.json &
 echo
 
 # Export dashboards
@@ -41,7 +42,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"das
 for i in $myDASHBOARDS;
   do
     echo $myCOL1"###### "$i $myCOL0
-    curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes}' > dashboards/$i.json &
+    curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes, references}' > dashboards/$i.json &
   done;
 echo
 
@@ -51,7 +52,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1
 for i in $myVISUALIZATIONS;
   do
     echo $myCOL1"###### "$i $myCOL0
-    curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes}' > visualizations/$i.json &
+    curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes, references}' > visualizations/$i.json &
   done;
 echo
 
@@ -61,7 +62,17 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searc
 for i in $mySEARCHES;
   do
     echo $myCOL1"###### "$i $myCOL0
-    curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes}' > searches/$i.json &
+    curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes, references}' > searches/$i.json &
+  done;
+echo
+
+# Export configs
+mkdir -p configs
+echo $myCOL1"### Now exporting"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
+for i in $myCONFIGS;
+  do
+    echo $myCOL1"###### "$i $myCOL0
+    curl -s -XGET ''$myKIBANA'api/saved_objects/config/'$i'' | jq '. | {attributes, references}' > configs/$i.json &
   done;
 echo
 
@@ -70,7 +81,7 @@ wait
 
 # Building tar archive
 echo $myCOL1"### Now building archive"$myCOL0 "kibana-objects_"$myDATE".tgz"
-tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches > /dev/null
+tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches configs > /dev/null
 
 # Stats
 echo
@@ -79,4 +90,5 @@ echo $myCOL1"###### Exported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
 echo $myCOL1"###### Exported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
 echo $myCOL1"###### Exported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
 echo $myCOL1"###### Exported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
+echo $myCOL1"###### Exported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
 echo

_deprecated/bin/deprecated/hptest.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 myHOST="$1"
-myPACKAGES="netcat nmap"
+myPACKAGES="dcmtk netcat nmap"
 myMEDPOTPACKET="
 MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
 EVN|A01|198808181123
@@ -83,7 +83,11 @@ fuCHECKFORARGS
 echo "Starting scans ..."
 echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
 curl -XGET "http://$myHOST:9200/logstash-*/_search" &
+curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
 echo "
I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
+findscu -P -k PatientName="*" $myHOST 11112 &
+getscu -P -k PatientName="*" $myHOST 11112 &
+telnet $myHOST 3299 &
 fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
 fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
 fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"

_deprecated/bin/deprecated/import_kibana-objects.sh

@@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -20,7 +20,7 @@ myCOL0=""
 
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
-  rm -rf patterns/ dashboards/ visualizations/ searches/
+  rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
 }
 trap fuCLEANUP EXIT
 
@@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
 
 # Restore index patterns
 myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
-myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
@@ -98,6 +98,22 @@ for i in $mySEARCHES;
 echo
 wait
 
+# Restore configs
+myCONFIGS=$(ls configs/*.json | cut -c 9- | rev | cut -c 6- | rev)
+echo $myCOL1"### Now importing "$myCOL0$(echo $myCONFIGS | wc -w)$myCOL1 "configs." $myCOL0
+for i in $myCONFIGS;
+  do
+    curl -s -XDELETE ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
+  done;
+wait
+for i in $myCONFIGS;
+  do
+    echo $myCOL1"###### "$i $myCOL0
+    curl -s -XPOST ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @configs/$i.json > /dev/null &
+  done;
+echo
+wait
+
 # Stats
 echo
 echo $myCOL1"### Statistics"
@@ -105,5 +121,6 @@ echo $myCOL1"###### Imported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
 echo $myCOL1"###### Imported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
 echo $myCOL1"###### Imported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
 echo $myCOL1"###### Imported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
+echo $myCOL1"###### Imported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
 echo
 

_deprecated/bin/dps.sh

@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 
 # Run as root only.
 myWHOAMI=$(whoami)
@@ -8,8 +8,14 @@ if [ "$myWHOAMI" != "root" ]
     exit
 fi
 
-# Show current status of T-Pot containers
 myPARAM="$1"
+if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
+  then
+    watch --color -n $myPARAM "$0"
+    exit
+fi
+
+# Show current status of T-Pot containers
 myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
 myRED=""
 myGREEN=""
@@ -17,19 +23,39 @@ myBLUE=""
 myWHITE=""
 myMAGENTA=""
 
+# Blackhole Status
+myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
+if [ "$myBLACKHOLE_STATUS" -gt "500" ];
+  then
+    myBLACKHOLE_STATUS="${myGREEN}ENABLED"
+  else
+    myBLACKHOLE_STATUS="${myRED}DISABLED"
+fi
+
+function fuGETTPOT_STATUS {
+# T-Pot Status
+myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
+if [ "$myTPOT_STATUS" == "active" ];
+  then
+    echo "${myGREEN}ACTIVE"
+  else
+    echo "${myRED}INACTIVE"
+fi
+}
+
 function fuGETSTATUS {
 grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
 }
 
 function fuGETSYS {
-printf "========| System |========\n"
-printf "%+10s %-20s\n" "Date: " "$(date)"
-printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)"
+printf "[ ========| System |======== ]\n"
+printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
+printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
+printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
+printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
 echo
 }
 
-while true
-  do
     myDPS=$(fuGETSTATUS)
     myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
     fuGETSYS
@@ -45,10 +71,3 @@ while true
 	  printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
       fi
     done
-    if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
-      then 
-        sleep "$myPARAM"
-      else 
-        break
-    fi
-done

_deprecated/bin/hpfeeds_optin.sh

@@ -10,20 +10,6 @@ fi
 
 myTPOTYMLFILE="/opt/tpot/etc/tpot.yml"
 
-function fuSISSDEN () {
-echo
-echo "You chose SISSDEN, you just need to provide ident and secret"
-echo
-myENABLE="true"
-myHOST="hpfeeds.sissden.eu"
-myPORT="10000"
-myCHANNEL="t-pot.events"
-myCERT="/opt/ewsposter/sissden.pem"
-read -p "Ident: " myIDENT
-read -p "Secret: " mySECRET
-myFORMAT="json"
-}
-
 function fuGENERIC () {
 echo
 echo "You chose generic, please provide all the details of the broker"
@@ -78,9 +64,9 @@ myENABLE=$myENABLE
 myHOST=$myHOST
 myPORT=$myPORT
 myCHANNEL=$myCHANNEL
+myCERT=$myCERT
 myIDENT=$myIDENT
 mySECRET=$mySECRET
-myCERT=$myCERT
 myFORMAT=$myFORMAT
 EOF
 }
@@ -119,8 +105,7 @@ echo
 echo
 echo "Please choose your broker"
 echo "---------------------------"
-echo "[1] - SISSDEN"
-echo "[2] - Generic (enter details manually)"
+echo "[1] - Generic (enter details manually)"
 echo "[0] - Opt out of HPFEEDS"
 echo "[q] - Do not agree end exit"
 echo
@@ -130,10 +115,6 @@ while [ 1 != 2 ]
       echo $mySELECT
       case "$mySELECT" in
         [1])
-	  fuSISSDEN
-          break
-          ;;
-        [2])
 	  fuGENERIC
           break
           ;;

_deprecated/bin/hptest.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+myHOST="$1"
+myPACKAGES="nmap"
+myDOCKERCOMPOSEYML="/opt/tpot/etc/tpot.yml"
+
+function fuGOTROOT {
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+}
+
+function fuCHECKDEPS {
+myINST=""
+for myDEPS in $myPACKAGES;
+do
+  myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
+  if [ "$myOK" != "ok" ]
+    then
+      myINST=$(echo $myINST $myDEPS)
+  fi
+done
+if [ "$myINST" != "" ]
+  then
+    apt-get update -y
+    for myDEPS in $myINST;
+    do
+      apt-get install $myDEPS -y
+    done
+fi
+}
+
+function fuCHECKFORARGS {
+if [ "$myHOST" != "" ];
+  then
+    echo "All arguments met. Continuing."
+    echo
+  else
+    echo "Usage: hptest.sh <[host or ip]>"
+    echo
+    exit
+fi
+}
+
+function fuGETPORTS {
+myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu)
+myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
+myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done)
+myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done)
+}
+
+# Main
+fuGETPORTS
+fuGOTROOT
+fuCHECKDEPS
+fuCHECKFORARGS
+echo
+echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..."
+nmap -sV -sC -v -p $myPORTS $1 &
+nmap -sU -sV -sC -v -p $myUDPPORTS $1 &
+echo
+wait
+echo "Done."
+echo
+

_deprecated/bin/mytopips.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Make sure ES is available
+myES="http://127.0.0.1:64298/"
+myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
+if ! [ "$myESSTATUS" = "1" ]
+  then
+    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    exit 1
+  else
+    echo "### Elasticsearch is available, now continuing."
+    echo
+fi
+
+function fuMYTOPIPS {
+curl -s -XGET $myES"_search" -H 'Content-Type: application/json' -d'
+{
+  "aggs": {
+    "ips": {
+      "terms": { "field": "src_ip.keyword", "size": 100 }
+    }
+  },
+  "size" : 0
+}'
+}
+
+echo "### Aggregating top 100 source IPs in ES"
+fuMYTOPIPS | jq '.aggregations.ips.buckets[].key' | tr -d '"'

_deprecated/bin/rules.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 ### Vars, Ports for Standard services
-myHOSTPORTS="7634 64294 64295"
+myHOSTPORTS="7634 64294 64295 64297 64304"
 myDOCKERCOMPOSEYML="$1"
 myRULESFUNCTION="$2"
 

_deprecated/bin/tpdclean.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# T-Pot Compose and Container Cleaner
+# Set colors
+myRED=""
+myGREEN=""
+myWHITE=""
+
+# Only run with command switch
+if [ "$1" != "-y" ]; then
+  echo $myRED"### WARNING"$myWHITE
+  echo ""
+  echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
+  echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
+  echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
+  echo ""
+  echo $myRED"### WARNING "$myWHITE
+  echo
+  exit
+fi
+
+# Remove old containers, images and volumes
+docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
+docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
+docker network rm $(docker network ls -q) >> /dev/null 2>&1
+docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
+docker rm -v $(docker ps -aq) >> /dev/null 2>&1
+docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
+docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
+exit 0

_deprecated/bin/tped.sh

@@ -29,7 +29,7 @@ for i in $myYMLS;
   do
     myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " 
 done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
+myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
 if [ "$myEDITION" == "" ];
   then
     echo "Have a nice day!"

_deprecated/bin/unlock_es.sh

@@ -0,0 +1,19 @@
+#/bin/bash
+# Unlock all ES indices for read / write mode
+# Useful in cases where ES locked all indices after disk quota has been reached
+# Make sure ES is available
+myES="http://127.0.0.1:64298/"
+myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
+if ! [ "$myESSTATUS" = "1" ]
+  then
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
+    exit
+  else
+    echo "### Elasticsearch is available, now continuing."
+    echo
+fi
+
+echo "### Trying to unlock all ES indices for read / write operation: "
+curl -XPUT -H "Content-Type: application/json" ''$myES'_all/_settings' -d '{"index.blocks.read_only_allow_delete": null}'
+echo
+

_deprecated/bin/updateip.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
+# If the external IP cannot be detected, the internal IP will be inherited.
+source /etc/environment
+myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
+myUUID=$(lsblk -o MOUNTPOINT,UUID | grep -e "^/ " | awk '{ print $2 }')
+myLOCALIP=$(hostname -I | awk '{ print $1 }')
+myEXTIP=$(/opt/tpot/bin/myip.sh)
+if [ "$myEXTIP" = "" ];
+  then
+    myEXTIP=$myLOCALIP
+    myEXTIP_LAT="49.865835022498125"
+    myEXTIP_LONG="8.62606472775735"
+  else
+    myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
+    myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
+    myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
+fi
+
+# Load Blackhole routes if enabled 
+myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
+myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
+if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
+  then
+    /opt/tpot/bin/blackhole.sh add
+fi
+
+myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
+if [ "$myBLACKHOLE_STATUS" -gt "500" ];
+  then
+    myBLACKHOLE_STATUS="| BLACKHOLE: [ ENABLED ]"
+  else
+    myBLACKHOLE_STATUS="| BLACKHOLE: [ DISABLED ]"
+fi
+
+mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
+
+# Export
+export myUUID
+export myLOCALIP
+export myEXTIP
+export myEXTIP_LAT
+export myEXTIP_LONG
+export myBLACKHOLE_STATUS
+export mySSHUSER
+
+# Build issue
+echo "" > /etc/issue
+toilet -f ivrit -F metal --filter border:metal "T-Pot   22.04" | sed 's/\\/\\\\/g' >> /etc/issue
+echo >> /etc/issue
+echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue
+echo "|" >> /etc/issue
+echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue
+echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue 
+if [ "$myCHECKIFSENSOR" == "0" ];
+  then
+    echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
+fi
+echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue
+echo "$myBLACKHOLE_STATUS" >> /etc/issue
+echo "|" >> /etc/issue
+echo "\`----" >> /etc/issue
+echo >> /etc/issue
+tee /data/ews/conf/ews.ip << EOF
+[MAIN]
+ip = $myEXTIP
+EOF
+tee /opt/tpot/etc/compose/elk_environment << EOF
+HONEY_UUID=$myUUID
+MY_EXTIP=$myEXTIP
+MY_EXTIP_LAT=$myEXTIP_LAT
+MY_EXTIP_LONG=$myEXTIP_LONG
+MY_INTIP=$myLOCALIP
+MY_HOSTNAME=$HOSTNAME
+EOF
+
+if [ -s "/data/elk/logstash/ls_environment" ];
+  then
+    source /data/elk/logstash/ls_environment
+    tee -a /opt/tpot/etc/compose/elk_environment << EOF
+MY_TPOT_TYPE=$MY_TPOT_TYPE
+MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
+MY_HIVE_USERNAME=$MY_HIVE_USERNAME
+MY_HIVE_IP=$MY_HIVE_IP
+EOF
+fi
+
+chown tpot:tpot /data/ews/conf/ews.ip
+chmod 770 /data/ews/conf/ews.ip

_deprecated/cloud/.gitignore

@@ -0,0 +1,10 @@
+# Ansible
+*.retry
+
+# Terraform
+**/.terraform
+**/terraform.*
+
+# OpenStack clouds
+**/clouds.yaml
+**/secure.yaml

_deprecated/cloud/ansible/README.md

@@ -2,25 +2,26 @@
 
 Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).  
 It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.  
-Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html) (e.g. AWS, Azure, Digital Ocean, Google).
+Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
 
-The Playbook first creates a new server and then installs and configures T-Pot.
+The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
 
 This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
 
 # Table of contents
 - [Preparation of Ansible Master](#ansible-master)
   - [Ansible Installation](#ansible)
+  - [OpenStack Collection Installation](#collection)
   - [Agent Forwarding](#agent-forwarding)
 - [Preparations in Open Telekom Cloud Console](#preparation)
   - [Create new project](#project)
   - [Create API user](#api-user)
   - [Import Key Pair](#key-pair)
-  - [Create VPC, Subnet and Security Group](#vpc-subnet-securitygroup)
 - [Clone Git Repository](#clone-git)
 - [Settings and recommended values](#settings)
-  - [OpenStack authentication variables](#os-auth)
+  - [clouds.yaml](#clouds-yaml)
   - [Ansible remote user](#remote-user)
+  - [Number of instances to deploy](#number)
   - [Instance settings](#instance-settings)
   - [User password](#user-password)
   - [Configure `tpot.conf.dist`](#tpot-conf)
@@ -37,35 +38,47 @@ Ansible works over the SSH Port, so you don't have to add any special rules to y
 
 <a name="ansible"></a>
 ## Ansible Installation
+:warning: Ansible 2.10 or newer is required!
+
 Example for Ubuntu 18.04:  
-At first we need to add the repository and install Ansible:  
+
+At first we update the system:  
+`sudo apt update`  
+`sudo apt dist-upgrade`
+
+Then we need to add the repository and install Ansible:  
 `sudo apt-add-repository --yes --update ppa:ansible/ansible`  
 `sudo apt install ansible`
 
 For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
 
+If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).  
+In short (if you already have Python3/pip3 installed):
+```
+pip3 install ansible
+```
+
+<a name="collection"></a>
+## OpenStack Collection Installation
+For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:  
+`ansible-galaxy collection install openstack.cloud`
+
 <a name="agent-forwarding"></a>
 ## Agent Forwarding
-Agent Forwarding must be enabled in order to let Ansible do its work.  
+If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.  
 - On Linux or macOS:  
   - Create or edit `~/.ssh/config`
-  - If you run the Ansible Playbook remotely on your Ansible Master Server:
     ```
     Host ANSIBLE_MASTER_IP
     ForwardAgent yes
     ```
-  - If you run the Ansible Playbook locally, enable it for all hosts, as this includes newly generated T-Pots:
-    ```
-    Host *
-    ForwardAgent yes
-    ```
-- On Windows using Putty for connecting to your Ansible Master Server:  
+- On Windows using Putty:  
 ![Putty Agent Forwarding](doc/putty_agent_forwarding.png)
 
 <a name="preparation"></a>
 # Preparations in Open Telekom Cloud Console
-(You can skip this if you have already set up an API account, VPC, Subnet and Security Group)  
-(Just make sure you know the naming for everything, as you will need it to configure the Ansible variables.)
+(You can skip this if you have already set up a project and an API account with key pair)  
+(Just make sure you know the naming for everything, as you need to configure the Ansible variables.)
 
 Before we can start deploying, we have to prepare the Open Telekom Cloud tenant.  
 For that, go to the [Web Console](https://auth.otc.t-systems.com/authui/login) and log in with an admin user.
@@ -90,76 +103,74 @@ This ensures that the API access is limited to that project.
 
 ![Login as API user](doc/otc_3_login.gif)
 
-
 Import your SSH public key.
 
 ![Import SSH Public Key](doc/otc_4_import_key.gif)
 
-<a name="vpc-subnet-securitygroup"></a>
-## Create VPC, Subnet and Security Group
-- VPC (Virtual Private Cloud) and Subnet:
-
-![Create VPC and Subnet](doc/otc_5_vpc_subnet.gif)
-
-- Security Group:  
-The configured Security Group should allow all incoming TCP / UDP traffic.  
-If you want to secure the management interfaces, you can limit the incoming "allow all" traffic to the port range of 1-64000 and allow access to ports > 64000 only from your trusted IPs.
-
-![Create Security Group](doc/otc_6_sec_group.gif)
 
 <a name="clone-git"></a>
 # Clone Git Repository
 Clone the `tpotce` repository to your Ansible Master:  
-`git clone https://github.com/dtag-dev-sec/tpotce.git`  
-All Ansible related files are located in the [`cloud/ansible/openstack`](../../cloud/ansible/openstack) folder.
+`git clone https://github.com/telekom-security/tpotce.git`  
+All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
 
 <a name="settings"></a>
 # Settings and recommended values
-You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook.  
-The settings are located in the following Ansible vars files:
+You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
 
-<a name="os-auth"></a>
-## OpenStack authentication variables
-Located at [`openstack/roles/deploy/vars/os_auth.yaml`](openstack/roles/deploy/vars/os_auth.yaml).  
+<a name="clouds-yaml"></a>
+## clouds.yaml
+Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).  
 Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):  
 ```
-auth_url: https://iam.eu-de.otc.t-systems.com/v3
-username: your_api_user
-password: your_password
-project_name: eu-de_your_project
-os_user_domain_name: OTC-EU-DE-000000000010000XXXXX
+clouds:
+  open-telekom-cloud:
+    profile: otc
+    auth:
+      project_name: eu-de_your_project
+      username: your_api_user
+      password: your_password
+      user_domain_name: OTC-EU-DE-000000000010000XXXXX
+```
+You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.  
+For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation.
+
+If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file:
+```
+# Enter the name of your cloud to use from clouds.yaml
+cloud: open-telekom-cloud
 ```
-You can also perform different authentication methods like sourcing your `.ostackrc` file or using the OpenStack `clouds.yaml` file.  
-For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation.
 
 <a name="remote-user"></a>
 ## Ansible remote user
 You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`).
 
+<a name="number"></a>
+## Number of instances to deploy
+You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml):
+```
+loop: "{{ range(0, 1) }}"
+```
+One instance is set as the default, increase to your liking.
+
 <a name="instance-settings"></a>
 ## Instance settings
-Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml).  
+Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml).  
 Here you can customize your virtual machine specifications:
-  - Specify the region name
   - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
-  - Change the OS image (For T-Pot we need Debian 9)
+  - Change the OS image (For T-Pot we need Debian)
   - (Optional) Change the volume size
-  - Specify your key pair
+  - Specify your key pair (:warning: Mandatory)
   - (Optional) Change the instance type (flavor)  
-    `s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
-    A full list of Open telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html).
-  - Specify the security group
-  - Specify the network ID (For Open Telekom Cloud you can find the ID in the Web Console under `Virtual Private Cloud --> your-vpc --> your-subnet --> Network ID`; In general for OpenStack clouds you can use the `python-openstackclient` to retrieve information about your resources)
+    `s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
+    A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
 
 ```
-region_name: eu-de
 availability_zone: eu-de-03
-image: Standard_Debian_9_latest
+image: Standard_Debian_10_latest
 volume_size: 128
 key_name: your-KeyPair
-flavor: s2.medium.8
-security_groups: your-sg
-network: your-network-id
+flavor: s3.medium.8
 ```
 
 <a name="user-password"></a>
@@ -172,20 +183,12 @@ user_password: LiNuXuSeRPaSs#
 
 <a name="tpot-conf"></a>
 ## Configure `tpot.conf.dist`
-The file is located in [`iso/installer/tpot.conf.dist`](../../iso/installer/tpot.conf.dist).  
+The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist).  
 Here you can choose:
   - between the various T-Pot editions
   - a username for the web interface
   - a password for the web interface (**you should definitely change that**)
 
-```
-# tpot configuration file
-# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
-myCONF_TPOT_FLAVOR='STANDARD'
-myCONF_WEB_USER='webuser'
-myCONF_WEB_PW='w3b$ecret'
-```
-
 <a name="ews-cfg"></a>
 ## Optional: Custom `ews.cfg`
 Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
@@ -218,7 +221,7 @@ Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_
 #    - custom_hpfeeds
 ```
 
-You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg).  
+You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg).  
 That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:
 ```
 myENABLE=true
@@ -234,6 +237,7 @@ myFORMAT=json
 <a name="deploy"></a>
 # Deploying a T-Pot :honey_pot::honeybee:
 Now, after configuring everything, we can finally start deploying T-Pots!  
+
 Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:  
 `ansible-playbook deploy_tpot.yaml`  
 (Yes, it is as easy as that :smile:)
@@ -241,13 +245,13 @@ Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:
 If you are running on a machine which asks for a sudo password, you can use:  
 `ansible-playbook --ask-become-pass deploy_tpot.yaml`
 
-The Playbook will first install required packages on the Ansible Master and then deploy a new server instance.  
-After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots.
+The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.  
+After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.
+
+Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
 
 <a name="documentation"></a>
 # Further documentation
 - [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
-- [Cloud modules — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html)
-- [os_server – Create/Delete Compute Instances from OpenStack — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/os_server_module.html)
+- [openstack.cloud.server – Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html)
 - [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)
-- [Open Telekom Cloud API Overview](https://docs.otc.t-systems.com/en-us/api/wp/en-us_topic_0052070394.html)

_deprecated/cloud/ansible/openstack/ansible.cfg

@@ -3,3 +3,4 @@ host_key_checking = false
 
 [ssh_connection]
 scp_if_ssh = true
+ssh_args = -o ServerAliveInterval=60

_deprecated/cloud/ansible/openstack/deploy_tpot.yaml

@@ -0,0 +1,30 @@
+- name: Check host prerequisites
+  hosts: localhost
+  become: yes
+  roles:
+    - check
+
+- name: Deploy instances
+  hosts: localhost
+  vars_files: my_os_cloud.yaml
+  tasks:
+    - name: Create security group and network
+      ansible.builtin.include_role:
+        name: create_net
+    - name: Create one or more instances
+      ansible.builtin.include_role:
+        name: create_vm
+      loop: "{{ range(0, 1) }}"
+      loop_control:
+        extended: yes
+
+- name: Install T-Pot
+  hosts: tpot
+  remote_user: linux
+  become: yes
+  gather_facts: no
+  roles:
+    - install
+#    - custom_ews
+#    - custom_hpfeeds
+    - reboot

_deprecated/cloud/ansible/openstack/my_os_cloud.yaml

@@ -0,0 +1,2 @@
+# Enter the name of your cloud to use from clouds.yaml
+cloud: open-telekom-cloud

_deprecated/cloud/ansible/openstack/requirements.yaml

@@ -0,0 +1,2 @@
+collections:
+- name: openstack.cloud

_deprecated/cloud/ansible/openstack/roles/check/tasks/main.yaml

@@ -0,0 +1,19 @@
+- name: Install dependencies
+  ansible.builtin.package:
+    name:
+      - gcc
+      - python3-dev
+      - python3-setuptools
+      - python3-pip
+    state: present
+
+- name: Install openstacksdk
+  ansible.builtin.pip:
+    name: openstacksdk
+    executable: pip3
+
+- name: Check if agent forwarding is enabled
+  ansible.builtin.fail:
+    msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
+  ignore_errors: yes
+  failed_when: lookup('env','SSH_AUTH_SOCK') == ""

_deprecated/cloud/ansible/openstack/roles/create_net/tasks/main.yaml

@@ -0,0 +1,33 @@
+- name: Create security group
+  openstack.cloud.security_group:
+    cloud: "{{ cloud }}"
+    name: sg-tpot-ansible
+    description: Security Group for T-Pot
+
+- name: Add rules to security group
+  openstack.cloud.security_group_rule:
+    cloud: "{{ cloud }}"
+    security_group: sg-tpot-ansible
+    remote_ip_prefix: 0.0.0.0/0
+
+- name: Create network
+  openstack.cloud.network:
+    cloud: "{{ cloud }}"
+    name: network-tpot-ansible
+
+- name: Create subnet
+  openstack.cloud.subnet:
+    cloud: "{{ cloud }}"
+    network_name: network-tpot-ansible
+    name: subnet-tpot-ansible
+    cidr: 192.168.0.0/24
+    dns_nameservers:
+      - 100.125.4.25
+      - 100.125.129.199
+
+- name: Create router
+  openstack.cloud.router:
+    cloud: "{{ cloud }}"
+    name: router-tpot-ansible
+    interfaces:
+      - subnet-tpot-ansible

_deprecated/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml

@@ -0,0 +1,24 @@
+- name: Generate T-Pot name
+  ansible.builtin.set_fact:
+    tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=6') }}"
+
+- name: Create instance {{ ansible_loop.index }} of {{ ansible_loop.length }}
+  openstack.cloud.server:
+    cloud: "{{ cloud }}"
+    name: "{{ tpot_name }}"
+    availability_zone: "{{ availability_zone }}"
+    image: "{{ image }}"
+    boot_from_volume: yes
+    volume_size: "{{ volume_size }}"
+    key_name: "{{ key_name }}"
+    auto_ip: yes
+    flavor: "{{ flavor }}"
+    security_groups: sg-tpot-ansible
+    network: network-tpot-ansible
+  register: tpot
+
+- name: Add instance to inventory
+  ansible.builtin.add_host:
+    hostname: "{{ tpot_name }}"
+    ansible_host: "{{ tpot.server.public_v4 }}"
+    groups: tpot

_deprecated/cloud/ansible/openstack/roles/create_vm/vars/main.yaml

@@ -0,0 +1,5 @@
+availability_zone: eu-de-03
+image: Standard_Debian_10_latest
+volume_size: 128
+key_name: your-KeyPair
+flavor: s3.medium.8

_deprecated/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml

@@ -1,13 +1,13 @@
 - name: Copy ews configuration file
-  template:
-    src: ../templates/ews.cfg
+  ansible.builtin.template:
+    src: ews.cfg
     dest: /data/ews/conf
     owner: root
     group: root
     mode: 0644
 
 - name: Patching tpot.yml with custom ews configuration file
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /opt/tpot/etc/tpot.yml
-    insertafter: '/opt/ewsposter/ews.ip'
-    line: '     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg'
+    insertafter: "/opt/ewsposter/ews.ip"
+    line: "     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg"

_deprecated/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml

@@ -0,0 +1,12 @@
+- name: Copy hpfeeds configuration file
+  ansible.builtin.copy:
+    src: hpfeeds.cfg
+    dest: /data/ews/conf
+    owner: tpot
+    group: tpot
+    mode: 0770
+  register: config
+
+- name: Applying hpfeeds settings
+  ansible.builtin.command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
+  when: config.changed == true

_deprecated/cloud/ansible/openstack/roles/install/tasks/main.yaml

@@ -1,48 +1,45 @@
 - name: Waiting for SSH connection
-  wait_for_connection:
-    delay: 30
-    timeout: 300
+  ansible.builtin.wait_for_connection:
 
 - name: Gathering facts
-  setup:
+  ansible.builtin.setup:
 
 - name: Cloning T-Pot install directory
-  git:
-    repo: "https://github.com/dtag-dev-sec/tpotce.git"
+  ansible.builtin.git:
+    repo: "https://github.com/telekom-security/tpotce.git"
     dest: /root/tpot
 
 - name: Prepare to set user password
-  set_fact:
+  ansible.builtin.set_fact:
     user_name: "{{ ansible_user }}"
-    user_password: "{{ user_password }}"
     user_salt: "s0mew1ck3dTpoT"
+  no_log: true
 
-- name: Changing password for user {{ user_name }} to {{ user_password }}
-  user:
+- name: Changing password for user {{ user_name }}
+  ansible.builtin.user:
    name: "{{ ansible_user }}"
    password: "{{ user_password | password_hash('sha512', user_salt) }}"
    state: present
    shell: /bin/bash
-   update_password: always
 
 - name: Copy T-Pot configuration file
-  template:
+  ansible.builtin.copy:
     src: ../../../../../../iso/installer/tpot.conf.dist
     dest: /root/tpot.conf
     owner: root
     group: root
     mode: 0644
 
-- name: Install T-Pot on instance -  be patient, this might take 15 to 30 minutes depending on the connection speed. No further output is given.
-  command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
+- name: Install T-Pot on instance -  be patient, this might take 15 to 30 minutes depending on the connection speed.
+  ansible.builtin.command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
 
 - name: Delete T-Pot configuration file
-  file:
+  ansible.builtin.file:
     path: /root/tpot.conf
     state: absent
 
 - name: Change unattended-upgrades to take default action
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/apt/apt.conf.d/50unattended-upgrades
     block: |
       Dpkg::Options {

_deprecated/cloud/ansible/openstack/roles/reboot/tasks/main.yaml

@@ -1,9 +1,10 @@
-- name: Finally rebooting T-Pot in one minute
-  shell: /sbin/shutdown -r -t 1
-  become: true
+- name: Finally rebooting T-Pot
+  ansible.builtin.command: shutdown -r now
+  async: 1
+  poll: 0
 
 - name: Next login options
-  debug:
+  ansible.builtin.debug:
     msg:
     - "*****    SSH Access:"
     - "*****    ssh {{ ansible_user }}@{{ ansible_host }} -p 64295"

_deprecated/cloud/terraform/README.md

@@ -0,0 +1,129 @@
+# T-Pot Terraform
+This [Terraform](https://www.terraform.io/) configuration can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.  
+Configuration for Amazon Web Services (AWS) and Open Telekom Cloud (OTC) is currently included.
+This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
+
+[Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup.
+
+# Table of Contents
+- [What get's created](#what-created)
+  - [Amazon Web Services (AWS)](#what-created-aws)
+  - [Open Telekom Cloud (OTC)](#what-created-otc)
+- [Prerequisites](#pre)
+  - [Amazon Web Services (AWS)](#pre-aws)
+  - [Open Telekom Cloud (OTC)](#pre-otc)
+- [Terraform Variables](#variables)
+  - [Common configuration items](#variables-common)
+  - [Amazon Web Services (AWS)](#variables-aws)
+  - [Open Telekom Cloud (OTC)](#variables-otc)
+- [Initialising](#initialising)
+- [Applying the Configuration](#applying)
+- [Connecting to the Instance](#connecting)
+
+<a name="what-created"></a>
+## What get's created
+
+<a name="what-created-aws"></a>
+### Amazon Web Services (AWS)
+* EC2 instance:
+  * t3.large (2 vCPUs, 8 GB RAM)
+  * 128 GB disk
+  * Debian 10
+  * Public IP
+* Security Group:
+  * TCP/UDP ports <= 64000 open to the Internet
+  * TCP ports 64294, 64295 and 64297 open to a chosen administrative IP
+
+<a name="what-created-otc"></a>
+### Open Telekom Cloud (OTC)
+* ECS instance:
+  * s3.medium.8 (1 vCPU, 8 GB RAM)
+  * 128 GB disk
+  * Debian 10
+  * Public EIP
+* Security Group
+  * All TCP/UDP ports are open to the Internet
+* Virtual Private Cloud (VPC) and Subnet
+
+<a name="pre"></a>
+## Prerequisites
+* [Terraform](https://www.terraform.io/) 0.13
+
+<a name="pre-aws"></a>
+### Amazon Web Services (AWS)
+* AWS Account
+  * Existing VPC: VPC ID needs to be specified in `aws/variables.tf`
+  * Existing subnet: Subnet ID needs to be specified in `aws/variables.tf`
+  * Existing SSH key pair: Key name needs to be specified in `aws/variables.tf`
+* AWS Authentication credentials should be [set using environment variables](https://www.terraform.io/docs/providers/aws/index.html#environment-variables)
+
+<a name="pre-otc"></a>
+### Open Telekom Cloud (OTC)
+* OTC Account
+  * Existing SSH key pair: Key name needs to be specified in `otc/variables.tf`
+* OTC Authentication credentials (Username, Password, Project Name, User Domain Name) can be set in the `otc/clouds.yaml` file
+
+<a name="variables"></a>
+## Terraform Variables
+
+<a name="variables-common"></a>
+### Common configuration items
+These variables exist in `aws/variables.tf` and `otc/variables.tf` respectively.  
+Settings for cloud-init:  
+* `timezone` - Set the Server's timezone
+* `linux_password`- Set a password for the Linux Operating System user (which is also used on the Admin UI)
+
+Settings for T-Pot:  
+* `tpot_flavor` - Set the flavor of the T-Pot (Available flavors are listed in the variable's description)
+* `web_user` - Set a username for the T-Pot Kibana Dasboard
+* `web_password` - Set a password for the T-Pot Kibana Dashboard
+
+<a name="variables-aws"></a>
+### Amazon Web Services (AWS)
+In `aws/variables.tf`, you can change the additional variables:
+* `admin_ip` - source IP address(es) that you will use to administer the system. Connections to TCP ports 64294, 64295 and 64297 will be allowed from this IP only. Multiple IPs or CIDR blocks can be specified in the format: `["127.0.0.1/32", "192.168.0.0/24"]`
+* `ec2_vpc_id` - Specify an existing VPC ID
+* `ec2_subnet_id` - Specify an existing Subnet ID
+* `ec2_region`
+* `ec2_ssh_key_name` - Specify an existing SSH key pair
+* `ec2_instance_type`
+
+<a name="variables-otc"></a>
+### Open Telekom Cloud (OTC)
+In `otc/variables.tf`, you can change the additional variables:
+* `ecs_flavor`
+* `ecs_disk_size`
+* `availability_zone`
+* `key_pair` - Specify an existing SSH key pair
+* `eip_size`
+
+... and some more, but these are the most relevant.
+
+<a name="initialising"></a>
+## Initialising
+The [`terraform init`](https://www.terraform.io/docs/commands/init.html) command is used to initialize a working directory containing Terraform configuration files.
+
+```
+$ cd aws
+$ terraform init
+```
+OR
+```
+$ cd otc
+$ terraform init
+```
+
+<a name="applying"></a>
+## Applying the Configuration
+The [`terraform apply`](https://www.terraform.io/docs/commands/apply.html) command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a [`terraform plan`](https://www.terraform.io/docs/commands/plan.html) execution plan.
+
+```
+$ terraform apply
+```
+This will create your infrastructure and start a Cloud Server. On startup, the Server gets bootstrapped with cloud-init and will install T-Pot. Once this is done, the server will reboot.
+
+If you want the remove the built infrastructure, you can run [`terraform destroy`](https://www.terraform.io/docs/commands/destroy.html) to delete it.
+
+<a name="connecting"></a>
+## Connecting to the Instance
+When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).

_deprecated/cloud/terraform/aws/.terraform.lock.hcl

@@ -0,0 +1,20 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.26.0"
+  constraints = "3.26.0"
+  hashes = [
+    "h1:0i78FItlPeiomd+4ThZrtm56P5K33k7/6dnEe4ZePI0=",
+    "zh:26043eed36d070ca032cf04bc980c654a25821a8abc0c85e1e570e3935bbfcbb",
+    "zh:2fe68f3f78d23830a04d7fac3eda550eef1f627dfc130486f70a65dc5c254300",
+    "zh:3d66484c608c64678e639db25d63872783ce60363a1246e30317f21c9c23b84b",
+    "zh:46ffd755cfd4cf94fe66342797b5afdcef010a24e126c67fee141b357d393535",
+    "zh:5e96f24357e945c9067cf5e032ad1d003609629c956c2f9f642fefe714e74587",
+    "zh:60c27aca36bb63bf3e865c2193be80ca83b376581d00f9c220af4b013e163c4d",
+    "zh:896f0f22d19d41e71b22f9240b261714c3915b165ddefeb771e7734d69dc47ea",
+    "zh:90de9966cb2fd3e2f326df291595e55d2dd2d90e7d6dd085c2c8691dce82bdb4",
+    "zh:ad05a91a88ceb1d6de5a568f7cc0b0e5bc0a79f3da70bc28c1e7f3750e362d58",
+    "zh:e8c63f59c6465329e1f3357498face3dd7ef10a033df3c366a33aa9e94b46c01",
+  ]
+}

_deprecated/cloud/terraform/aws/main.tf

@@ -60,6 +60,7 @@ resource "aws_instance" "tpot" {
     volume_size           = 128
     delete_on_termination = true
   }
-  user_data              = "${file("../cloud-init.yaml")}    content: ${base64encode(file("../tpot.conf"))}"
-  vpc_security_group_ids = [aws_security_group.tpot.id]
+  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
+  vpc_security_group_ids      = [aws_security_group.tpot.id]
+  associate_public_ip_address = true
 }

_deprecated/cloud/terraform/aws/variables.tf

@@ -0,0 +1,93 @@
+variable "admin_ip" {
+  default     = ["127.0.0.1/32"]
+  description = "admin IP addresses in CIDR format"
+}
+
+variable "ec2_vpc_id" {
+  description = "ID of AWS VPC"
+  default     = "vpc-XXX"
+}
+
+variable "ec2_subnet_id" {
+  description = "ID of AWS VPC subnet"
+  default     = "subnet-YYY"
+}
+
+variable "ec2_region" {
+  description = "AWS region to launch servers"
+  default     = "eu-west-1"
+}
+
+variable "ec2_ssh_key_name" {
+  default = "default"
+}
+
+# https://aws.amazon.com/ec2/instance-types/
+# t3.large = 2 vCPU, 8 GiB RAM
+variable "ec2_instance_type" {
+  default = "t3.large"
+}
+
+# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
+variable "ec2_ami" {
+  type = map(string)
+  default = {
+    "af-south-1"     = "ami-0c372f041acae6d49"
+    "ap-east-1"      = "ami-079b8d011d4655385"
+    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
+    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
+    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
+    "ap-south-1"     = "ami-020d429f17c9f1d0a"
+    "ap-southeast-1" = "ami-09625a221230d9fe6"
+    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
+    "ca-central-1"   = "ami-09125623b02302014"
+    "eu-central-1"   = "ami-00c36c60f07e21791"
+    "eu-north-1"     = "ami-052bea934e2d9dbfe"
+    "eu-south-1"     = "ami-04e2bb16d37324719"
+    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
+    "eu-west-2"      = "ami-02ed1bc837487d535"
+    "eu-west-3"      = "ami-080efd2add7e29430"
+    "me-south-1"     = "ami-0dbde382c834c4a72"
+    "sa-east-1"      = "ami-0a0792814cb068077"
+    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
+    "us-east-2"      = "ami-04dd0542609808c50"
+    "us-west-1"      = "ami-07af5f877b3db9f73"
+    "us-west-2"      = "ami-0d0d8694ba492c02b"
+  }
+}
+
+## cloud-init configuration ##
+variable "timezone" {
+  default = "UTC"
+}
+
+variable "linux_password" {
+  #default = "LiNuXuSeRPaSs#"
+  description = "Set a password for the default user"
+
+  validation {
+    condition     = length(var.linux_password) > 0
+    error_message = "Please specify a password for the default user."
+  }
+}
+
+## These will go in the generated tpot.conf file ##
+variable "tpot_flavor" {
+  default     = "STANDARD"
+  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
+}
+
+variable "web_user" {
+  default     = "webuser"
+  description = "Set a username for the web user"
+}
+
+variable "web_password" {
+  #default = "w3b$ecret"
+  description = "Set a password for the web user"
+
+  validation {
+    condition     = length(var.web_password) > 0
+    error_message = "Please specify a password for the web user."
+  }
+}

_deprecated/cloud/terraform/aws/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "3.26.0"
+    }
+  }
+}

_deprecated/cloud/terraform/aws_multi_region/_provider.tf

@@ -0,0 +1,9 @@
+provider "aws" {
+  alias  = "eu-west-2"
+  region = "eu-west-2"
+}
+
+provider "aws" {
+  alias  = "us-west-1"
+  region = "us-west-1"
+}

_deprecated/cloud/terraform/aws_multi_region/main.tf

@@ -0,0 +1,27 @@
+module "eu-west-2" {
+  source = "./modules/multi-region"
+  ec2_vpc_id = "vpc-xxxxxxxx"
+  ec2_subnet_id = "subnet-xxxxxxxx"
+  ec2_region = "eu-west-2"
+  tpot_name = "T-Pot Honeypot"
+  
+  linux_password = var.linux_password
+  web_password = var.web_password
+  providers = {
+    aws = aws.eu-west-2
+  }
+}
+
+module "us-west-1" {
+  source = "./modules/multi-region"
+  ec2_vpc_id = "vpc-xxxxxxxx"
+  ec2_subnet_id = "subnet-xxxxxxxx"
+  ec2_region = "us-west-1"
+  tpot_name = "T-Pot Honeypot"
+
+  linux_password = var.linux_password
+  web_password = var.web_password
+  providers = {
+    aws = aws.us-west-1
+  }
+}

_deprecated/cloud/terraform/aws_multi_region/modules/multi-region/main.tf

@@ -0,0 +1,69 @@
+variable "ec2_vpc_id" {}
+variable "ec2_subnet_id" {}
+variable "ec2_region" {}
+variable "linux_password" {}
+variable "web_password" {}
+variable "tpot_name" {}
+
+resource "aws_security_group" "tpot" {
+  name        = "T-Pot"
+  description = "T-Pot Honeypot"
+  vpc_id      = var.ec2_vpc_id
+  ingress {
+    from_port   = 0
+    to_port     = 64000
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 0
+    to_port     = 64000
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 64294
+    to_port     = 64294
+    protocol    = "tcp"
+    cidr_blocks = var.admin_ip
+  }
+  ingress {
+    from_port   = 64295
+    to_port     = 64295
+    protocol    = "tcp"
+    cidr_blocks = var.admin_ip
+  }
+  ingress {
+    from_port   = 64297
+    to_port     = 64297
+    protocol    = "tcp"
+    cidr_blocks = var.admin_ip
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "T-Pot"
+  }
+}
+
+resource "aws_instance" "tpot" {
+  ami           = var.ec2_ami[var.ec2_region]
+  instance_type = var.ec2_instance_type
+  key_name      = var.ec2_ssh_key_name
+  subnet_id     = var.ec2_subnet_id
+  tags = {
+    Name = var.tpot_name
+  }
+  root_block_device {
+    volume_type           = "gp2"
+    volume_size           = 128
+    delete_on_termination = true
+  }
+  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
+  vpc_security_group_ids      = [aws_security_group.tpot.id]
+  associate_public_ip_address = true
+}

_deprecated/cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf

@@ -0,0 +1,12 @@
+output "Admin_UI" {
+  value = "https://${aws_instance.tpot.public_dns}:64294/"
+}
+
+output "SSH_Access" {
+  value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
+}
+
+output "Web_UI" {
+  value = "https://${aws_instance.tpot.public_dns}:64297/"
+}
+

_deprecated/cloud/terraform/aws_multi_region/modules/multi-region/variables.tf

@@ -0,0 +1,57 @@
+variable "admin_ip" {
+  default     = ["127.0.0.1/32"]
+  description = "admin IP addresses in CIDR format"
+}
+
+variable "ec2_ssh_key_name" {
+  default = "default"
+}
+
+# https://aws.amazon.com/ec2/instance-types/
+variable "ec2_instance_type" {
+  default = "t3.xlarge"
+}
+
+# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
+variable "ec2_ami" {
+  type = map(string)
+  default = {
+    "af-south-1"     = "ami-0c372f041acae6d49"
+    "ap-east-1"      = "ami-079b8d011d4655385"
+    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
+    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
+    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
+    "ap-south-1"     = "ami-020d429f17c9f1d0a"
+    "ap-southeast-1" = "ami-09625a221230d9fe6"
+    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
+    "ca-central-1"   = "ami-09125623b02302014"
+    "eu-central-1"   = "ami-00c36c60f07e21791"
+    "eu-north-1"     = "ami-052bea934e2d9dbfe"
+    "eu-south-1"     = "ami-04e2bb16d37324719"
+    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
+    "eu-west-2"      = "ami-02ed1bc837487d535"
+    "eu-west-3"      = "ami-080efd2add7e29430"
+    "me-south-1"     = "ami-0dbde382c834c4a72"
+    "sa-east-1"      = "ami-0a0792814cb068077"
+    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
+    "us-east-2"      = "ami-04dd0542609808c50"
+    "us-west-1"      = "ami-07af5f877b3db9f73"
+    "us-west-2"      = "ami-0d0d8694ba492c02b"
+  }
+}
+
+## cloud-init configuration ##
+variable "timezone" {
+  default = "UTC"
+}
+
+## These will go in the generated tpot.conf file ##
+variable "tpot_flavor" {
+  default     = "STANDARD"
+  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
+}
+
+variable "web_user" {
+  default     = "webuser"
+  description = "Set a username for the web user"
+}

_deprecated/cloud/terraform/aws_multi_region/modules/multi-region/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "3.72.0"
+    }
+  }
+}

_deprecated/cloud/terraform/aws_multi_region/outputs.tf

@@ -0,0 +1,7 @@
+output "eu-west-2_Web_UI" {
+  value = module.eu-west-2.Web_UI
+}
+
+output "us-west-1_Web_UI" {
+  value = module.us-west-1.Web_UI
+}

_deprecated/cloud/terraform/aws_multi_region/variables.tf

@@ -0,0 +1,19 @@
+variable "linux_password" {
+  #default = "LiNuXuSeRP4Ss!"
+  description = "Set a password for the default user"
+
+  validation {
+    condition     = length(var.linux_password) > 0
+    error_message = "Please specify a password for the default user."
+  }
+}
+
+variable "web_password" {
+  #default = "w3b$ecret20"
+  description = "Set a password for the web user"
+
+  validation {
+    condition     = length(var.web_password) > 0
+    error_message = "Please specify a password for the web user."
+  }
+}

_deprecated/cloud/terraform/cloud-init.yaml

@@ -0,0 +1,26 @@
+#cloud-config
+timezone: ${timezone}
+
+packages:
+  - git
+
+runcmd:
+  - curl -sS --retry 5 https://github.com
+  - git clone https://github.com/telekom-security/tpotce /root/tpot
+  - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
+  - rm /root/tpot.conf
+  - /sbin/shutdown -r now
+
+password: ${password}
+chpasswd:
+  expire: false
+
+write_files:
+  - content: |
+      # tpot configuration file
+      myCONF_TPOT_FLAVOR='${tpot_flavor}'
+      myCONF_WEB_USER='${web_user}'
+      myCONF_WEB_PW='${web_password}'
+    owner: root:root
+    path: /root/tpot.conf
+    permissions: '0600'

_deprecated/cloud/terraform/otc/.terraform.lock.hcl

@@ -0,0 +1,38 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.1.0"
+  constraints = "~> 3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
+
+provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
+  version     = "1.23.6"
+  constraints = "~> 1.23.4"
+  hashes = [
+    "h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
+    "zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
+    "zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
+    "zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
+    "zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
+    "zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
+    "zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
+    "zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
+    "zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
+    "zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
+  ]
+}

_deprecated/cloud/terraform/otc/main.tf

@@ -0,0 +1,68 @@
+data "opentelekomcloud_images_image_v2" "debian" {
+  name = "Standard_Debian_10_latest"
+}
+
+resource "opentelekomcloud_networking_secgroup_v2" "secgroup_1" {
+  name        = var.secgroup_name
+  description = var.secgroup_desc
+}
+
+resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
+}
+
+resource "opentelekomcloud_vpc_v1" "vpc_1" {
+  name = var.vpc_name
+  cidr = var.vpc_cidr
+}
+
+resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
+  name   = var.subnet_name
+  cidr   = var.subnet_cidr
+  vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
+
+  gateway_ip = var.subnet_gateway_ip
+  dns_list   = ["100.125.4.25", "100.125.129.199"]
+}
+
+resource "random_id" "tpot" {
+  byte_length = 6
+  prefix      = var.ecs_prefix
+}
+
+resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
+  name     = random_id.tpot.b64_url
+  image_id = data.opentelekomcloud_images_image_v2.debian.id
+  flavor   = var.ecs_flavor
+  vpc_id   = opentelekomcloud_vpc_v1.vpc_1.id
+
+  nics {
+    network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
+  }
+
+  system_disk_size  = var.ecs_disk_size
+  system_disk_type  = "SAS"
+  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
+  availability_zone = var.availability_zone
+  key_name          = var.key_pair
+  user_data         = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
+}
+
+resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
+  publicip {
+    type = "5_bgp"
+  }
+  bandwidth {
+    name       = "bandwidth-${random_id.tpot.b64_url}"
+    size       = var.eip_size
+    share_type = "PER"
+  }
+}
+
+resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
+  floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
+  instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
+}

_deprecated/cloud/terraform/otc/outputs.tf

@@ -0,0 +1,11 @@
+output "Admin_UI" {
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
+}
+
+output "SSH_Access" {
+  value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
+}
+
+output "Web_UI" {
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
+}

_deprecated/cloud/terraform/otc/provider.tf

@@ -0,0 +1,3 @@
+provider "opentelekomcloud" {
+  cloud = "open-telekom-cloud"
+}

_deprecated/cloud/terraform/otc/variables.tf

@@ -0,0 +1,98 @@
+## cloud-init configuration ##
+variable "timezone" {
+  default = "UTC"
+}
+
+variable "linux_password" {
+  #default = "LiNuXuSeRPaSs#"
+  description = "Set a password for the default user"
+
+  validation {
+    condition     = length(var.linux_password) > 0
+    error_message = "Please specify a password for the default user."
+  }
+}
+
+## Security Group ##
+variable "secgroup_name" {
+  default = "sg-tpot"
+}
+
+variable "secgroup_desc" {
+  default = "Security Group for T-Pot"
+}
+
+## Virtual Private Cloud ##
+variable "vpc_name" {
+  default = "vpc-tpot"
+}
+
+variable "vpc_cidr" {
+  default = "192.168.0.0/16"
+}
+
+## Subnet ##
+variable "subnet_name" {
+  default = "subnet-tpot"
+}
+
+variable "subnet_cidr" {
+  default = "192.168.0.0/24"
+}
+
+variable "subnet_gateway_ip" {
+  default = "192.168.0.1"
+}
+
+## Elastic Cloud Server ##
+variable "ecs_prefix" {
+  default = "tpot-"
+}
+
+variable "ecs_flavor" {
+  default = "s3.medium.8"
+}
+
+variable "ecs_disk_size" {
+  default = "128"
+}
+
+variable "availability_zone" {
+  default = "eu-de-03"
+}
+
+variable "key_pair" {
+  #default = ""
+  description = "Specify your SSH key pair"
+
+  validation {
+    condition     = length(var.key_pair) > 0
+    error_message = "Please specify a Key Pair."
+  }
+}
+
+## Elastic IP ##
+variable "eip_size" {
+  default = "100"
+}
+
+## These will go in the generated tpot.conf file ##
+variable "tpot_flavor" {
+  default     = "STANDARD"
+  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
+}
+
+variable "web_user" {
+  default     = "webuser"
+  description = "Set a username for the web user"
+}
+
+variable "web_password" {
+  #default = "w3b$ecret"
+  description = "Set a password for the web user"
+
+  validation {
+    condition     = length(var.web_password) > 0
+    error_message = "Please specify a password for the web user."
+  }
+}

_deprecated/cloud/terraform/otc/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    opentelekomcloud = {
+      source  = "opentelekomcloud/opentelekomcloud"
+      version = "~> 1.23.4"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.1.0"
+    }
+  }
+}

_deprecated/etc/compose/collector.yml

@@ -0,0 +1,260 @@
+# T-Pot (Collector)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  heralding_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+     - "21:21"
+     - "22:22"
+     - "23:23"
+     - "25:25"
+     - "80:80"
+     - "110:110"
+     - "143:143"
+     - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+     - "1080:1080"
+     - "3306:3306"
+     - "3389:3389"
+     - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/hive.yml

@@ -0,0 +1,141 @@
+# T-Pot (Hive)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+#    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+#    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    ports:
+     - "127.0.0.1:64305:64305"
+#    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/hive_sensor.yml

@@ -1,22 +1,28 @@
-# T-Pot (NextGen)
+# T-Pot (Hive_Sensor)
 # Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
 version: '2.3'
 
 networks:
   adbhoney_local:
+  ciscoasa_local:
+  citrixhoneypot_local:
   conpot_local_IEC104:
   conpot_local_guardian_ast:
   conpot_local_ipmi:
   conpot_local_kamstrup_382:
   cowrie_local:
-  cyberchef_local:
+  ddospot_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
   heralding_local:
-  honeypy_local:
+  ipphoney_local:
   mailoney_local:
   medpot_local:
-  rdpy_local:
+  redishoneypot_local:
   tanner_local:
   ewsposter_local:
+  sentrypeer_local:
   spiderfoot_local:
 
 services:
@@ -33,7 +39,7 @@ services:
      - adbhoney_local
     ports:
      - "5555:5555"
-    image: "dtagdevsec/adbhoney:1903"
+    image: "dtagdevsec/adbhoney:2204"
     read_only: true
     volumes:
      - /data/adbhoney/log:/opt/adbhoney/log
@@ -45,15 +51,29 @@ services:
     restart: always
     tmpfs:
      - /tmp/ciscoasa:uid=2000,gid=2000
-    network_mode: "host"
+    networks:
+     - ciscoasa_local
     ports:
      - "5000:5000/udp"
      - "8443:8443"
-    image: "dtagdevsec/ciscoasa:1903"
+    image: "dtagdevsec/ciscoasa:2204"
     read_only: true
     volumes:
      - /data/ciscoasa/log:/var/log/ciscoasa
 
+# CitrixHoneypot service
+  citrixhoneypot:
+    container_name: citrixhoneypot
+    restart: always
+    networks:
+     - citrixhoneypot_local
+    ports:
+     - "443:443"
+    image: "dtagdevsec/citrixhoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
+
 # Conpot IEC104 service
   conpot_IEC104:
     container_name: conpot_iec104
@@ -69,9 +89,9 @@ services:
     networks:
      - conpot_local_IEC104
     ports:
-     - "161:161"
+     - "161:161/udp"
      - "2404:2404"
-    image: "dtagdevsec/conpot:1903"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -92,7 +112,7 @@ services:
      - conpot_local_guardian_ast
     ports:
      - "10001:10001"
-    image: "dtagdevsec/conpot:1903"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -112,8 +132,8 @@ services:
     networks:
      - conpot_local_ipmi
     ports:
-     - "623:623"
-    image: "dtagdevsec/conpot:1903"
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -135,7 +155,7 @@ services:
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "dtagdevsec/conpot:1903"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -152,7 +172,7 @@ services:
     ports:
      - "22:22"
      - "23:23"
-    image: "dtagdevsec/cowrie:1903"
+    image: "dtagdevsec/cowrie:2204"
     read_only: true
     volumes:
      - /data/cowrie/downloads:/home/cowrie/cowrie/dl
@@ -160,13 +180,50 @@ services:
      - /data/cowrie/log:/home/cowrie/cowrie/log
      - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
 
+# Ddospot service
+  ddospot:
+    container_name: ddospot
+    restart: always
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: "dtagdevsec/ddospot:2204"
+    read_only: true
+    volumes:
+     - /data/ddospot/log:/opt/ddospot/ddospot/logs
+     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
+     - /data/ddospot/db:/opt/ddospot/ddospot/db
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
 # Dionaea service
   dionaea:
     container_name: dionaea
     stdin_open: true
     tty: true
     restart: always
-    network_mode: "host"
+    networks:
+     - dionaea_local
     ports:
      - "20:20"
      - "21:21"
@@ -174,17 +231,17 @@ services:
      - "69:69/udp"
      - "81:81"
      - "135:135"
-     - "443:443"
+     # - "443:443"
      - "445:445"
      - "1433:1433"
      - "1723:1723"
      - "1883:1883"
      - "3306:3306"
-     - "5060:5060"
-     - "5060:5060/udp"
-     - "5061:5061"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
      - "27017:27017"
-    image: "dtagdevsec/dionaea:1903"
+    image: "dtagdevsec/dionaea:2204"
     read_only: true
     volumes:
      - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
@@ -196,22 +253,18 @@ services:
      - /data/dionaea/log:/opt/dionaea/var/log
      - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
 
-# Glutton service
-  glutton:
-    build: .
-    container_name: glutton
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
     restart: always
-    tmpfs:
-     - /var/lib/glutton:uid=2000,gid=2000
-     - /run:uid=2000,gid=2000
-    network_mode: "host"
-    cap_add:
-     - NET_ADMIN
-    image: "dtagdevsec/glutton:1903"
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: "dtagdevsec/elasticpot:2204"
     read_only: true
     volumes:
-     - /data/glutton/log:/var/log/glutton
-#     - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml
+     - /data/elasticpot/log:/opt/elasticpot/log
 
 # Heralding service
   heralding:
@@ -230,35 +283,47 @@ services:
      - "110:110"
      - "143:143"
     # - "443:443"
+     - "465:465"
      - "993:993"
      - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
      - "1080:1080"
      - "5432:5432"
      - "5900:5900"
-    image: "dtagdevsec/heralding:1903"
+    image: "dtagdevsec/heralding:2204"
     read_only: true
     volumes:
      - /data/heralding/log:/var/log/heralding
 
-# HoneyPy service
-  honeypy:
-    build: .
-    container_name: honeypy
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
     restart: always
-    networks:
-     - honeypy_local
-    ports:
-     - "7:7"
-     - "8:8"
-     - "2048:2048"
-     - "2323:2323"
-     - "2324:2324"
-     - "4096:4096"
-     - "9200:9200"
-    image: "dtagdevsec/honeypy:1903"
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
     read_only: true
     volumes:
-     - /data/honeypy/log:/opt/honeypy/log
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: "dtagdevsec/ipphoney:2204"
+    read_only: true
+    volumes:
+     - /data/ipphoney/log:/opt/ipphoney/log
 
 # Mailoney service
   mailoney:
@@ -274,7 +339,7 @@ services:
      - mailoney_local
     ports:
      - "25:25"
-    image: "dtagdevsec/mailoney:1903"
+    image: "dtagdevsec/mailoney:2204"
     read_only: true
     volumes:
      - /data/mailoney/log:/opt/mailoney/logs
@@ -287,31 +352,43 @@ services:
      - medpot_local
     ports:
      - "2575:2575"
-    image: "dtagdevsec/medpot:1903"
+    image: "dtagdevsec/medpot:2204"
     read_only: true
     volumes:
      - /data/medpot/log/:/var/log/medpot
 
-# Rdpy service
-  rdpy:
-    container_name: rdpy
-    extra_hosts:
-     - hpfeeds.example.com:127.0.0.1
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
     restart: always
-    environment:
-     - HPFEEDS_SERVER=hpfeeds.example.com
-     - HPFEEDS_IDENT=user
-     - HPFEEDS_SECRET=pass
-     - HPFEEDS_PORT=65000
-     - SERVERID=id
     networks:
-     - rdpy_local
+     - redishoneypot_local
     ports:
-     - "3389:3389"
-    image: "dtagdevsec/rdpy:1903"
+     - "6379:6379"
+    image: "dtagdevsec/redishoneypot:2204"
     read_only: true
     volumes:
-     - /data/rdpy/log:/var/log/rdpy
+     - /data/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+# the bad actors in its logs. Therefore this option is opt-in based.
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=0
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: "dtagdevsec/sentrypeer:2204"
+    read_only: true
+    volumes:
+     - /data/sentrypeer/log:/var/log/sentrypeer
 
 #### Snare / Tanner
 ## Tanner Redis Service
@@ -321,7 +398,7 @@ services:
     tty: true
     networks:
      - tanner_local
-    image: "dtagdevsec/redis:1903"
+    image: "dtagdevsec/redis:2204"
     read_only: true
 
 ## PHP Sandbox service
@@ -331,7 +408,7 @@ services:
     tty: true
     networks:
      - tanner_local
-    image: "dtagdevsec/phpox:1903"
+    image: "dtagdevsec/phpox:2204"
     read_only: true
 
 ## Tanner API Service
@@ -343,7 +420,7 @@ services:
     tty: true
     networks:
      - tanner_local
-    image: "dtagdevsec/tanner:1903"
+    image: "dtagdevsec/tanner:2204"
     read_only: true
     volumes:
      - /data/tanner/log:/var/log/tanner
@@ -351,23 +428,6 @@ services:
     depends_on:
      - tanner_redis
 
-## Tanner WEB Service
-  tanner_web:
-    container_name: tanner_web
-    restart: always
-    tmpfs:
-     - /tmp/tanner:uid=2000,gid=2000
-    tty: true
-    networks:
-     - tanner_local
-    image: "dtagdevsec/tanner:1903"
-    command: tannerweb
-    read_only: true
-    volumes:
-     - /data/tanner/log:/var/log/tanner
-    depends_on:
-     - tanner_redis
-
 ## Tanner Service
   tanner:
     container_name: tanner
@@ -377,7 +437,7 @@ services:
     tty: true
     networks:
      - tanner_local
-    image: "dtagdevsec/tanner:1903"
+    image: "dtagdevsec/tanner:2204"
     command: tanner
     read_only: true
     volumes:
@@ -385,7 +445,7 @@ services:
      - /data/tanner/files:/opt/tanner/files
     depends_on:
      - tanner_api
-     - tanner_web
+#     - tanner_web
      - tanner_phpox
 
 ## Snare Service
@@ -397,7 +457,7 @@ services:
      - tanner_local
     ports:
      - "80:80"
-    image: "dtagdevsec/snare:1903"
+    image: "dtagdevsec/snare:2204"
     depends_on:
      - tanner
 
@@ -408,7 +468,6 @@ services:
 
 # Fatt service
   fatt:
-    build: .
     container_name: fatt
     restart: always
     network_mode: "host"
@@ -416,7 +475,7 @@ services:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/fatt:1903"
+    image: "dtagdevsec/fatt:2204"
     volumes:
      - /data/fatt/log:/opt/fatt/log
 
@@ -425,7 +484,7 @@ services:
     container_name: p0f
     restart: always
     network_mode: "host"
-    image: "dtagdevsec/p0f:1903"
+    image: "dtagdevsec/p0f:2204"
     read_only: true
     volumes:
      - /data/p0f/log:/var/log/p0f
@@ -437,12 +496,14 @@ services:
     environment:
     # For ET Pro ruleset replace "OPEN" with your OINKCODE
      - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
     network_mode: "host"
     cap_add:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/suricata:1903"
+    image: "dtagdevsec/suricata:2204"
     volumes:
      - /data/suricata/log:/var/log/suricata
 
@@ -451,78 +512,19 @@ services:
 #### Tools
 ##################
 
-# Cyberchef service
-  cyberchef:
-    container_name: cyberchef
-    restart: always
-    networks:
-     - cyberchef_local
-    ports:
-     - "127.0.0.1:64299:8000"
-    image: "dtagdevsec/cyberchef:1903"
-    read_only: true
-
-#### ELK
-## Elasticsearch service
-  elasticsearch:
-    container_name: elasticsearch
-    restart: always
-    environment:
-     - bootstrap.memory_lock=true
-     - ES_JAVA_OPTS=-Xms1024m -Xmx1024m
-     - ES_TMPDIR=/tmp
-    cap_add:
-     - IPC_LOCK
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    mem_limit: 4g
-    ports:
-     - "127.0.0.1:64298:9200"
-    image: "dtagdevsec/elasticsearch:1903"
-    volumes:
-     - /data:/data
-
-## Kibana service
-  kibana:
-    container_name: kibana
-    restart: always
-    depends_on:
-      elasticsearch:
-        condition: service_healthy
-    ports:
-     - "127.0.0.1:64296:5601"
-    image: "dtagdevsec/kibana:1903"
-
 ## Logstash service
   logstash:
     container_name: logstash
     restart: always
-    depends_on:
-      elasticsearch:
-        condition: service_healthy
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/logstash:1903"
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
     volumes:
      - /data:/data
 
-## Elasticsearch-head service
-  head:
-    container_name: head
-    restart: always
-    depends_on:
-      elasticsearch:
-        condition: service_healthy
-    ports:
-     - "127.0.0.1:64302:9100"
-    image: "dtagdevsec/head:1903"
-    read_only: true
-
 # Ewsposter service
   ewsposter:
     container_name: ewsposter
@@ -540,40 +542,7 @@ services:
      - EWS_HPFEEDS_FORMAT=json
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/ewsposter:1903"
+    image: "dtagdevsec/ewsposter:2204"
     volumes:
      - /data:/data
      - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
-
-# Nginx service
-  nginx:
-    container_name: nginx
-    restart: always
-    tmpfs:
-     - /var/tmp/nginx/client_body
-     - /var/tmp/nginx/proxy
-     - /var/tmp/nginx/fastcgi
-     - /var/tmp/nginx/uwsgi
-     - /var/tmp/nginx/scgi
-     - /run
-    network_mode: "host"
-    ports:
-     - "64297:64297"
-    image: "dtagdevsec/nginx:1903"
-    read_only: true
-    volumes:
-     - /data/nginx/cert/:/etc/nginx/cert/:ro
-     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
-     - /data/nginx/log/:/var/log/nginx/
-
-# Spiderfoot service
-  spiderfoot:
-    container_name: spiderfoot
-    restart: always
-    networks:
-     - spiderfoot_local
-    ports:
-     - "127.0.0.1:64303:8080"
-    image: "dtagdevsec/spiderfoot:1903"
-    volumes:
-     - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db

_deprecated/etc/compose/industrial.yml

@@ -0,0 +1,431 @@
+# T-Pot (Industrial)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  conpot_local_default:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  cowrie_local:
+  dicompot_local:
+  heralding_local:
+  medpot_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Conpot default service
+  conpot_default:
+    container_name: conpot_default
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_default.json
+     - CONPOT_LOG=/var/log/conpot/conpot_default.log
+     - CONPOT_TEMPLATE=default
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_default
+    ports:
+     - "69:69/udp"
+     - "80:80"
+     - "102:102"
+     - "161:161/udp"
+     - "502:502"
+#     - "623:623/udp"
+     - "21:21"
+     - "44818:44818"
+     - "47808:47808/udp"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+#     - "161:161/udp"
+     - "2404:2404"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    tmpfs:
+     - /tmp/cowrie:uid=2000,gid=2000
+     - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+     - cowrie_local
+    ports:
+     - "22:22"
+     - "23:23"
+    image: "dtagdevsec/cowrie:2204"
+    read_only: true
+    volumes:
+     - /data/cowrie/downloads:/home/cowrie/cowrie/dl
+     - /data/cowrie/keys:/home/cowrie/cowrie/etc
+     - /data/cowrie/log:/home/cowrie/cowrie/log
+     - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+    # - "110:110"
+    # - "143:143"
+    # - "443:443"
+    # - "465:465"
+    # - "993:993"
+    # - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+    # - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: "dtagdevsec/medpot:2204"
+    read_only: true
+    volumes:
+     - /data/medpot/log/:/var/log/medpot
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/log4j.yml

@@ -0,0 +1,250 @@
+# T-Pot (Log4j)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  log4pot_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Log4pot service
+  log4pot:
+    container_name: log4pot
+    restart: always
+    tmpfs:
+     - /tmp:uid=2000,gid=2000
+    networks:
+     - log4pot_local
+    ports:
+     - "80:8080"
+     - "443:8080"
+     - "8080:8080"
+     - "9200:8080"
+     - "25565:8080"
+    image: "dtagdevsec/log4pot:2204"
+    read_only: true
+    volumes:
+     - /data/log4pot/log:/var/log/log4pot/log
+     - /data/log4pot/payloads:/var/log/log4pot/payloads
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/medical.yml

@@ -0,0 +1,244 @@
+# T-Pot (Medical)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  dicompot_local:
+  medpot_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: "dtagdevsec/medpot:2204"
+    read_only: true
+    volumes:
+     - /data/medpot/log/:/var/log/medpot
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/mini.yml

@@ -0,0 +1,271 @@
+# T-Pot (Mini)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  honeypots_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# qHoneypots service
+  honeypots:
+    container_name: honeypots
+    stdin_open: true
+    tty: true
+    restart: always
+    tmpfs:
+     - /tmp:uid=2000,gid=2000
+    networks:
+     - honeypots_local
+    ports:
+     - "21:21"
+     - "22:22"
+     - "23:23"
+     - "25:25"
+     - "53:53/udp"
+     - "80:80"
+     - "110:110"
+     - "123:123"
+     - "143:143"
+     - "161:161"
+     - "389:389"
+     - "443:443"
+     - "445:445"
+     - "1080:1080"
+     - "1433:1433"
+     - "1521:1521"
+     - "3306:3306"
+     - "5060:5060"
+     - "5432:5432"
+     - "5900:5900"
+     - "6379:6379"
+     - "6667:6667"
+     - "8080:8080"
+     - "9200:9200"
+     - "11211:11211"
+    image: "dtagdevsec/honeypots:2204"
+    read_only: true
+    volumes:
+     - /data/honeypots/log:/var/log/honeypots
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/nextgen.yml

@@ -0,0 +1,575 @@
+# T-Pot (NextGen)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  adbhoney_local:
+  ciscoasa_local:
+  citrixhoneypot_local:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  ddospot_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  endlessh_local:
+  hellpot_local:
+  heralding_local:
+  ipphoney_local:
+  mailoney_local:
+  medpot_local:
+  redishoneypot_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney service
+  adbhoney:
+    container_name: adbhoney
+    restart: always
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: "dtagdevsec/adbhoney:2204"
+    read_only: true
+    volumes:
+     - /data/adbhoney/log:/opt/adbhoney/log
+     - /data/adbhoney/downloads:/opt/adbhoney/dl
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: "dtagdevsec/ciscoasa:2204"
+    read_only: true
+    volumes:
+     - /data/ciscoasa/log:/var/log/ciscoasa
+
+# CitrixHoneypot service
+  citrixhoneypot:
+    container_name: citrixhoneypot
+    restart: always
+    networks:
+     - citrixhoneypot_local
+    ports:
+     - "443:443"
+    image: "dtagdevsec/citrixhoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs       
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+     - "161:161/udp"
+     - "2404:2404"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Ddospot service
+  ddospot:
+    container_name: ddospot
+    restart: always
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: "dtagdevsec/ddospot:2204"
+    read_only: true
+    volumes:
+     - /data/ddospot/log:/opt/ddospot/ddospot/logs
+     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
+     - /data/ddospot/db:/opt/ddospot/ddospot/db
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/ 
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: "dtagdevsec/dionaea:2204"
+    read_only: true
+    volumes:
+     - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - /data/dionaea:/opt/dionaea/var/dionaea
+     - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - /data/dionaea/log:/opt/dionaea/var/log
+     - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: "dtagdevsec/elasticpot:2204"
+    read_only: true
+    volumes:
+     - /data/elasticpot/log:/opt/elasticpot/log
+
+# Endlessh service
+  endlessh:
+    container_name: endlessh
+    restart: always
+    networks:
+     - endlessh_local
+    ports:
+     - "22:2222"
+    image: "dtagdevsec/endlessh:2204"
+    read_only: true
+    volumes:
+     - /data/endlessh/log:/var/log/endlessh
+
+# Glutton service
+  glutton:
+    container_name: glutton
+    restart: always
+    tmpfs:
+     - /var/lib/glutton:uid=2000,gid=2000
+     - /run:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/glutton:2204"
+    read_only: true
+    volumes:
+     - /data/glutton/log:/var/log/glutton
+#     - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: "dtagdevsec/ipphoney:2204"
+    read_only: true
+    volumes:
+     - /data/ipphoney/log:/opt/ipphoney/log
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    restart: always
+    environment:
+     - HPFEEDS_SERVER=
+     - HPFEEDS_IDENT=user
+     - HPFEEDS_SECRET=pass
+     - HPFEEDS_PORT=20000
+     - HPFEEDS_CHANNELPREFIX=prefix
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+    image: "dtagdevsec/mailoney:2204"
+    read_only: true
+    volumes:
+     - /data/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: "dtagdevsec/medpot:2204"
+    read_only: true
+    volumes:
+     - /data/medpot/log/:/var/log/medpot
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: "dtagdevsec/redishoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/redishoneypot/log:/var/log/redishoneypot
+
+# Hellpot service
+  hellpot:
+    container_name: hellpot
+    restart: always
+    networks:
+     - hellpot_local
+    ports:
+     - "80:8080"
+    image: "dtagdevsec/hellpot:2204"
+    read_only: true
+    volumes:
+     - /data/hellpot/log:/var/log/hellpot
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/sensor.yml

@@ -1,22 +1,28 @@
-# T-Pot (Standard)
+# T-Pot (Sensor)
 # Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
 version: '2.3'
 
 networks:
   adbhoney_local:
+  ciscoasa_local:
+  citrixhoneypot_local:
   conpot_local_IEC104:
   conpot_local_guardian_ast:
   conpot_local_ipmi:
   conpot_local_kamstrup_382:
   cowrie_local:
-  cyberchef_local:
+  ddospot_local:
+  dicompot_local:
+  dionaea_local:
   elasticpot_local:
   heralding_local:
+  ipphoney_local:
   mailoney_local:
   medpot_local:
-  rdpy_local:
+  redishoneypot_local:
   tanner_local:
   ewsposter_local:
+  sentrypeer_local:
   spiderfoot_local:
 
 services:
@@ -33,7 +39,7 @@ services:
      - adbhoney_local
     ports:
      - "5555:5555"
-    image: "dtagdevsec/adbhoney:1903"
+    image: "dtagdevsec/adbhoney:2204"
     read_only: true
     volumes:
      - /data/adbhoney/log:/opt/adbhoney/log
@@ -45,15 +51,29 @@ services:
     restart: always
     tmpfs:
      - /tmp/ciscoasa:uid=2000,gid=2000
-    network_mode: "host"
+    networks:
+     - ciscoasa_local
     ports:
      - "5000:5000/udp"
      - "8443:8443"
-    image: "dtagdevsec/ciscoasa:1903"
+    image: "dtagdevsec/ciscoasa:2204"
     read_only: true
     volumes:
      - /data/ciscoasa/log:/var/log/ciscoasa
 
+# CitrixHoneypot service
+  citrixhoneypot:
+    container_name: citrixhoneypot
+    restart: always
+    networks:
+     - citrixhoneypot_local
+    ports:
+     - "443:443"
+    image: "dtagdevsec/citrixhoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
+
 # Conpot IEC104 service
   conpot_IEC104:
     container_name: conpot_iec104
@@ -69,9 +89,9 @@ services:
     networks:
      - conpot_local_IEC104
     ports:
-     - "161:161"
+     - "161:161/udp"
      - "2404:2404"
-    image: "dtagdevsec/conpot:1903"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -92,7 +112,7 @@ services:
      - conpot_local_guardian_ast
     ports:
      - "10001:10001"
-    image: "dtagdevsec/conpot:1903"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -112,8 +132,8 @@ services:
     networks:
      - conpot_local_ipmi
     ports:
-     - "623:623"
-    image: "dtagdevsec/conpot:1903"
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -135,7 +155,7 @@ services:
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "dtagdevsec/conpot:1903"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -152,7 +172,7 @@ services:
     ports:
      - "22:22"
      - "23:23"
-    image: "dtagdevsec/cowrie:1903"
+    image: "dtagdevsec/cowrie:2204"
     read_only: true
     volumes:
      - /data/cowrie/downloads:/home/cowrie/cowrie/dl
@@ -160,13 +180,50 @@ services:
      - /data/cowrie/log:/home/cowrie/cowrie/log
      - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
 
+# Ddospot service
+  ddospot:
+    container_name: ddospot
+    restart: always
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: "dtagdevsec/ddospot:2204"
+    read_only: true
+    volumes:
+     - /data/ddospot/log:/opt/ddospot/ddospot/logs
+     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
+     - /data/ddospot/db:/opt/ddospot/ddospot/db
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
 # Dionaea service
   dionaea:
     container_name: dionaea
     stdin_open: true
     tty: true
     restart: always
-    network_mode: "host"
+    networks:
+     - dionaea_local
     ports:
      - "20:20"
      - "21:21"
@@ -174,17 +231,17 @@ services:
      - "69:69/udp"
      - "81:81"
      - "135:135"
-     - "443:443"
+     # - "443:443"
      - "445:445"
      - "1433:1433"
      - "1723:1723"
      - "1883:1883"
      - "3306:3306"
-     - "5060:5060"
-     - "5060:5060/udp"
-     - "5061:5061"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
      - "27017:27017"
-    image: "dtagdevsec/dionaea:1903"
+    image: "dtagdevsec/dionaea:2204"
     read_only: true
     volumes:
      - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
@@ -196,7 +253,7 @@ services:
      - /data/dionaea/log:/opt/dionaea/var/log
      - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
 
-# Elasticpot service
+# ElasticPot service
   elasticpot:
     container_name: elasticpot
     restart: always
@@ -204,10 +261,10 @@ services:
      - elasticpot_local
     ports:
      - "9200:9200"
-    image: "dtagdevsec/elasticpot:1903"
+    image: "dtagdevsec/elasticpot:2204"
     read_only: true
     volumes:
-     - /data/elasticpot/log:/opt/ElasticpotPY/log
+     - /data/elasticpot/log:/opt/elasticpot/log
 
 # Heralding service
   heralding:
@@ -226,12 +283,15 @@ services:
      - "110:110"
      - "143:143"
     # - "443:443"
+     - "465:465"
      - "993:993"
      - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
      - "1080:1080"
      - "5432:5432"
      - "5900:5900"
-    image: "dtagdevsec/heralding:1903"
+    image: "dtagdevsec/heralding:2204"
     read_only: true
     volumes:
      - /data/heralding/log:/var/log/heralding
@@ -245,13 +305,26 @@ services:
     network_mode: "host"
     cap_add:
      - NET_ADMIN
-    image: "dtagdevsec/honeytrap:1903"
+    image: "dtagdevsec/honeytrap:2204"
     read_only: true
     volumes:
      - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
      - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
      - /data/honeytrap/log:/opt/honeytrap/var/log
 
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: "dtagdevsec/ipphoney:2204"
+    read_only: true
+    volumes:
+     - /data/ipphoney/log:/opt/ipphoney/log
+
 # Mailoney service
   mailoney:
     container_name: mailoney
@@ -266,7 +339,7 @@ services:
      - mailoney_local
     ports:
      - "25:25"
-    image: "dtagdevsec/mailoney:1903"
+    image: "dtagdevsec/mailoney:2204"
     read_only: true
     volumes:
      - /data/mailoney/log:/opt/mailoney/logs
@@ -279,31 +352,43 @@ services:
      - medpot_local
     ports:
      - "2575:2575"
-    image: "dtagdevsec/medpot:1903"
+    image: "dtagdevsec/medpot:2204"
     read_only: true
     volumes:
      - /data/medpot/log/:/var/log/medpot
 
-# Rdpy service
-  rdpy:
-    container_name: rdpy
-    extra_hosts:
-     - hpfeeds.example.com:127.0.0.1
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
     restart: always
-    environment:
-     - HPFEEDS_SERVER=hpfeeds.example.com
-     - HPFEEDS_IDENT=user
-     - HPFEEDS_SECRET=pass
-     - HPFEEDS_PORT=65000
-     - SERVERID=id
     networks:
-     - rdpy_local
+     - redishoneypot_local
     ports:
-     - "3389:3389"
-    image: "dtagdevsec/rdpy:1903"
+     - "6379:6379"
+    image: "dtagdevsec/redishoneypot:2204"
     read_only: true
     volumes:
-     - /data/rdpy/log:/var/log/rdpy
+     - /data/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+# the bad actors in its logs. Therefore this option is opt-in based.
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=0
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: "dtagdevsec/sentrypeer:2204"
+    read_only: true
+    volumes:
+     - /data/sentrypeer/log:/var/log/sentrypeer
 
 #### Snare / Tanner
 ## Tanner Redis Service
@@ -313,7 +398,7 @@ services:
     tty: true
     networks:
      - tanner_local
-    image: "dtagdevsec/redis:1903"
+    image: "dtagdevsec/redis:2204"
     read_only: true
 
 ## PHP Sandbox service
@@ -323,7 +408,7 @@ services:
     tty: true
     networks:
      - tanner_local
-    image: "dtagdevsec/phpox:1903"
+    image: "dtagdevsec/phpox:2204"
     read_only: true
 
 ## Tanner API Service
@@ -335,7 +420,7 @@ services:
     tty: true
     networks:
      - tanner_local
-    image: "dtagdevsec/tanner:1903"
+    image: "dtagdevsec/tanner:2204"
     read_only: true
     volumes:
      - /data/tanner/log:/var/log/tanner
@@ -343,23 +428,6 @@ services:
     depends_on:
      - tanner_redis
 
-## Tanner WEB Service
-  tanner_web:
-    container_name: tanner_web
-    restart: always
-    tmpfs:
-     - /tmp/tanner:uid=2000,gid=2000
-    tty: true
-    networks:
-     - tanner_local
-    image: "dtagdevsec/tanner:1903"
-    command: tannerweb
-    read_only: true
-    volumes:
-     - /data/tanner/log:/var/log/tanner
-    depends_on:
-     - tanner_redis
-
 ## Tanner Service
   tanner:
     container_name: tanner
@@ -369,7 +437,7 @@ services:
     tty: true
     networks:
      - tanner_local
-    image: "dtagdevsec/tanner:1903"
+    image: "dtagdevsec/tanner:2204"
     command: tanner
     read_only: true
     volumes:
@@ -377,7 +445,7 @@ services:
      - /data/tanner/files:/opt/tanner/files
     depends_on:
      - tanner_api
-     - tanner_web
+#     - tanner_web
      - tanner_phpox
 
 ## Snare Service
@@ -389,7 +457,7 @@ services:
      - tanner_local
     ports:
      - "80:80"
-    image: "dtagdevsec/snare:1903"
+    image: "dtagdevsec/snare:2204"
     depends_on:
      - tanner
 
@@ -398,12 +466,25 @@ services:
 #### NSM
 ##################
 
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
 # P0f service
   p0f:
     container_name: p0f
     restart: always
     network_mode: "host"
-    image: "dtagdevsec/p0f:1903"
+    image: "dtagdevsec/p0f:2204"
     read_only: true
     volumes:
      - /data/p0f/log:/var/log/p0f
@@ -415,12 +496,14 @@ services:
     environment:
     # For ET Pro ruleset replace "OPEN" with your OINKCODE
      - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
     network_mode: "host"
     cap_add:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/suricata:1903"
+    image: "dtagdevsec/suricata:2204"
     volumes:
      - /data/suricata/log:/var/log/suricata
 
@@ -429,78 +512,6 @@ services:
 #### Tools
 ##################
 
-# Cyberchef service
-  cyberchef:
-    container_name: cyberchef
-    restart: always
-    networks:
-     - cyberchef_local
-    ports:
-     - "127.0.0.1:64299:8000"
-    image: "dtagdevsec/cyberchef:1903"
-    read_only: true
-
-#### ELK
-## Elasticsearch service
-  elasticsearch:
-    container_name: elasticsearch
-    restart: always
-    environment:
-     - bootstrap.memory_lock=true
-     - ES_JAVA_OPTS=-Xms1024m -Xmx1024m
-     - ES_TMPDIR=/tmp
-    cap_add:
-     - IPC_LOCK
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    mem_limit: 4g
-    ports:
-     - "127.0.0.1:64298:9200"
-    image: "dtagdevsec/elasticsearch:1903"
-    volumes:
-     - /data:/data
-
-## Kibana service
-  kibana:
-    container_name: kibana
-    restart: always
-    depends_on:
-      elasticsearch:
-        condition: service_healthy
-    ports:
-     - "127.0.0.1:64296:5601"
-    image: "dtagdevsec/kibana:1903"
-
-## Logstash service
-  logstash:
-    container_name: logstash
-    restart: always
-    depends_on:
-      elasticsearch:
-        condition: service_healthy
-    env_file:
-     - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/logstash:1903"
-    volumes:
-     - /data:/data
-
-## Elasticsearch-head service
-  head:
-    container_name: head
-    restart: always
-    depends_on:
-      elasticsearch:
-        condition: service_healthy
-    ports:
-     - "127.0.0.1:64302:9100"
-    image: "dtagdevsec/head:1903"
-    read_only: true
-
 # Ewsposter service
   ewsposter:
     container_name: ewsposter
@@ -518,40 +529,7 @@ services:
      - EWS_HPFEEDS_FORMAT=json
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/ewsposter:1903"
+    image: "dtagdevsec/ewsposter:2204"
     volumes:
      - /data:/data
      - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
-
-# Nginx service
-  nginx:
-    container_name: nginx
-    restart: always
-    tmpfs:
-     - /var/tmp/nginx/client_body
-     - /var/tmp/nginx/proxy
-     - /var/tmp/nginx/fastcgi
-     - /var/tmp/nginx/uwsgi
-     - /var/tmp/nginx/scgi
-     - /run
-    network_mode: "host"
-    ports:
-     - "64297:64297"
-    image: "dtagdevsec/nginx:1903"
-    read_only: true
-    volumes:
-     - /data/nginx/cert/:/etc/nginx/cert/:ro
-     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
-     - /data/nginx/log/:/var/log/nginx/
-
-# Spiderfoot service
-  spiderfoot:
-    container_name: spiderfoot
-    restart: always
-    networks:
-     - spiderfoot_local
-    ports:
-     - "127.0.0.1:64303:8080"
-    image: "dtagdevsec/spiderfoot:1903"
-    volumes:
-     - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db

_deprecated/etc/compose/standard.yml

@@ -0,0 +1,662 @@
+# T-Pot (Standard)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  adbhoney_local:
+  ciscoasa_local:
+  citrixhoneypot_local:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  cowrie_local:
+  ddospot_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  heralding_local:
+  ipphoney_local:
+  mailoney_local:
+  medpot_local:
+  redishoneypot_local:
+  tanner_local:
+  ewsposter_local:
+  sentrypeer_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney service
+  adbhoney:
+    container_name: adbhoney
+    restart: always
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: "dtagdevsec/adbhoney:2204"
+    read_only: true
+    volumes:
+     - /data/adbhoney/log:/opt/adbhoney/log
+     - /data/adbhoney/downloads:/opt/adbhoney/dl
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: "dtagdevsec/ciscoasa:2204"
+    read_only: true
+    volumes:
+     - /data/ciscoasa/log:/var/log/ciscoasa
+
+# CitrixHoneypot service
+  citrixhoneypot:
+    container_name: citrixhoneypot
+    restart: always
+    networks:
+     - citrixhoneypot_local
+    ports:
+     - "443:443"
+    image: "dtagdevsec/citrixhoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+     - "161:161/udp"
+     - "2404:2404"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    tmpfs:
+     - /tmp/cowrie:uid=2000,gid=2000
+     - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+     - cowrie_local
+    ports:
+     - "22:22"
+     - "23:23"
+    image: "dtagdevsec/cowrie:2204"
+    read_only: true
+    volumes:
+     - /data/cowrie/downloads:/home/cowrie/cowrie/dl
+     - /data/cowrie/keys:/home/cowrie/cowrie/etc
+     - /data/cowrie/log:/home/cowrie/cowrie/log
+     - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Ddospot service
+  ddospot:
+    container_name: ddospot
+    restart: always
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: "dtagdevsec/ddospot:2204"
+    read_only: true
+    volumes:
+     - /data/ddospot/log:/opt/ddospot/ddospot/logs
+     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
+     - /data/ddospot/db:/opt/ddospot/ddospot/db
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: "dtagdevsec/dionaea:2204"
+    read_only: true
+    volumes:
+     - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - /data/dionaea:/opt/dionaea/var/dionaea
+     - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - /data/dionaea/log:/opt/dionaea/var/log
+     - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: "dtagdevsec/elasticpot:2204"
+    read_only: true
+    volumes:
+     - /data/elasticpot/log:/opt/elasticpot/log
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: "dtagdevsec/ipphoney:2204"
+    read_only: true
+    volumes:
+     - /data/ipphoney/log:/opt/ipphoney/log
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    restart: always
+    environment:
+     - HPFEEDS_SERVER=
+     - HPFEEDS_IDENT=user
+     - HPFEEDS_SECRET=pass
+     - HPFEEDS_PORT=20000
+     - HPFEEDS_CHANNELPREFIX=prefix
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+    image: "dtagdevsec/mailoney:2204"
+    read_only: true
+    volumes:
+     - /data/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: "dtagdevsec/medpot:2204"
+    read_only: true
+    volumes:
+     - /data/medpot/log/:/var/log/medpot
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: "dtagdevsec/redishoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+# the bad actors in its logs. Therefore this option is opt-in based.
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=0
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: "dtagdevsec/sentrypeer:2204"
+    read_only: true
+    volumes:
+     - /data/sentrypeer/log:/var/log/sentrypeer
+
+#### Snare / Tanner
+## Tanner Redis Service
+  tanner_redis:
+    container_name: tanner_redis
+    restart: always
+    tty: true
+    networks:
+     - tanner_local
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## PHP Sandbox service
+  tanner_phpox:
+    container_name: tanner_phpox
+    restart: always
+    tty: true
+    networks:
+     - tanner_local
+    image: "dtagdevsec/phpox:2204"
+    read_only: true
+
+## Tanner API Service
+  tanner_api:
+    container_name: tanner_api
+    restart: always
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: "dtagdevsec/tanner:2204"
+    read_only: true
+    volumes:
+     - /data/tanner/log:/var/log/tanner
+    command: tannerapi
+    depends_on:
+     - tanner_redis
+
+## Tanner Service
+  tanner:
+    container_name: tanner
+    restart: always
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: "dtagdevsec/tanner:2204"
+    command: tanner
+    read_only: true
+    volumes:
+     - /data/tanner/log:/var/log/tanner
+     - /data/tanner/files:/opt/tanner/files
+    depends_on:
+     - tanner_api
+#     - tanner_web
+     - tanner_phpox
+
+## Snare Service
+  snare:
+    container_name: snare
+    restart: always
+    tty: true
+    networks:
+     - tanner_local
+    ports:
+     - "80:80"
+    image: "dtagdevsec/snare:2204"
+    depends_on:
+     - tanner
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/tarpit.yml

@@ -0,0 +1,287 @@
+# T-Pot (Tarpit)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  endlessh_local:
+  hellpot_local:
+  heralding_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Endlessh service
+  endlessh:
+    container_name: endlessh
+    restart: always
+    networks:
+     - endlessh_local
+    ports:
+     - "22:2222"
+    image: "dtagdevsec/endlessh:2204"
+    read_only: true
+    volumes:
+     - /data/endlessh/log:/var/log/endlessh
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+# Hellpot service
+  hellpot:
+    container_name: hellpot
+    restart: always
+    networks:
+     - hellpot_local
+    ports:
+     - "80:8080"
+    image: "dtagdevsec/hellpot:2204"
+    read_only: true
+    volumes:
+     - /data/hellpot/log:/var/log/hellpot
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/logrotate/logrotate.conf

@@ -1,36 +1,41 @@
 /data/adbhoney/log/*.json
 /data/adbhoney/log/*.log
-/data/adbhoney/downloads.tgz
 /data/ciscoasa/log/ciscoasa.log
+/data/citrixhoneypot/logs/server.log
 /data/conpot/log/conpot*.json
 /data/conpot/log/conpot*.log
 /data/cowrie/log/cowrie.json
 /data/cowrie/log/cowrie-textlog.log
 /data/cowrie/log/lastlog.txt
-/data/cowrie/log/ttylogs.tgz
-/data/cowrie/downloads.tgz
+/data/ddospot/log/*.log
+/data/dicompot/log/dicompot.log
 /data/dionaea/log/dionaea.json
 /data/dionaea/log/dionaea.sqlite
-/data/dionaea/bistreams.tgz
-/data/dionaea/binaries.tgz
 /data/dionaea/dionaea-errors.log
 /data/elasticpot/log/elasticpot.log
+/data/elasticpot/log/elasticpot.json
 /data/elk/log/*.log
+/data/endlessh/log/*.log
 /data/fatt/log/fatt.log
 /data/glutton/log/*.log
 /data/glutton/log/*.err
+/data/hellpot/log/*.log
 /data/heralding/log/*.log
 /data/heralding/log/*.csv
-/data/honeypy/log/*.log
+/data/heralding/log/*.json
+/data/honeypots/log/*.log
+/data/honeysap/log/*.log
 /data/honeytrap/log/*.log
 /data/honeytrap/log/*.json
-/data/honeytrap/attacks.tgz
-/data/honeytrap/downloads.tgz
-/data/mailoney/log/commands.log
+/data/ipphoney/log/*.json
+/data/log4pot/log/*.log
+/data/mailoney/log/*.log
 /data/medpot/log/*.log
 /data/nginx/log/*.log
 /data/p0f/log/p0f.json
 /data/rdpy/log/rdpy.log
+/data/redishoneypot/log/*.log
+/data/sentrypeer/log/*.json
 /data/suricata/log/*.log
 /data/suricata/log/*.json
 /data/tanner/log/*.json
@@ -43,4 +48,22 @@
         notifempty
 	rotate 30
 	compress
+        compresscmd /usr/bin/pigz
+}
+
+/data/adbhoney/downloads.tgz
+/data/cowrie/log/ttylogs.tgz
+/data/cowrie/downloads.tgz
+/data/dionaea/bistreams.tgz
+/data/dionaea/binaries.tgz
+/data/honeytrap/attacks.tgz
+/data/honeytrap/downloads.tgz
+{
+	su tpot tpot
+        copytruncate
+        create 770 tpot tpot
+	daily
+        missingok
+        notifempty
+	rotate 30
 }

_deprecated/host/etc/rc.local

@@ -0,0 +1,3 @@
+#!/bin/bash
+/opt/tpot/bin/updateip.sh
+exit 0

_deprecated/host/etc/systemd/tpot.service

@@ -15,12 +15,7 @@ ExecStartPre=-/opt/tpot/bin/updateip.sh
 ExecStartPre=-/bin/bash -c '/opt/tpot/bin/clean.sh on'
 
 # Remove old containers, images and volumes
-ExecStartPre=-/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml down -v
-ExecStartPre=-/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml rm -v
-ExecStartPre=-/bin/bash -c 'docker network rm $(docker network ls -q)'
-ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)'
-ExecStartPre=-/bin/bash -c 'docker rm -v $(docker ps -aq)'
-ExecStartPre=-/bin/bash -c 'docker rmi $(docker images | grep "<none>" | awk \'{print $3}\')'
+ExecStartPre=/opt/tpot/bin/tpdclean.sh -y
 
 # Get IF, disable offloading, enable promiscious mode for p0f and suricata
 ExecStartPre=-/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip address | grep "^2: " | awk \'{ print $2 }\' | tr -d [:punct:]) rx off tx off'
@@ -34,6 +29,9 @@ ExecStartPre=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml set
 # Compose T-Pot up
 ExecStart=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
 
+# We want to see true source for UDP packets in container (https://github.com/moby/libnetwork/issues/1994)
+ExecStartPost=/bin/bash -c '/usr/bin/sleep 30 && /usr/sbin/conntrack -D -p udp'
+
 # Compose T-Pot down, remove containers and volumes
 ExecStop=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml down -v
 

_deprecated/install.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+cd iso/installer
+./install.sh "$@"

_deprecated/installer/debian/install.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Debian
+if ! grep -q 'ID=debian' /etc/os-release; then
+  echo "This script is designed to run on Debian. Aborting."
+  exit 1
+fi
+
+if [ -f /var/log/debian-install-lock ]; then
+  echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
+  exit 1
+fi
+
+# Create installer lock file
+sudo touch /var/log/debian-install-lock
+
+# Update SSH config
+echo "Updating SSH config..."
+sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config'
+
+# Install recommended packages
+echo "Installing recommended packages..."
+sudo apt-get -y update
+sudo apt-get -y install bash-completion git grc neovim net-tools
+
+# Remove old Docker
+echo "Removing old docker packages..."
+sudo apt-get -y remove docker docker-engine docker.io containerd runc
+
+# Add Docker to repositories, install latest docker
+echo "Adding Docker to repositories and installing..."
+sudo apt-get -y update
+sudo apt-get -y install ca-certificates curl gnupg
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+echo \
+  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
+  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get -y update
+sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo systemctl enable docker
+sudo systemctl stop docker
+sudo systemctl start docker
+
+# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
+echo "Creating T-Pot group and user ..."
+addgroup --gid 2000 tpot
+adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot
+# Add user to Docker, T-Pot group
+echo "Adding $(whoami) to Docker group..."
+sudo usermod -aG docker $(whoami)
+echo "Adding $(whoami) to T-Pot group..."
+sudo usermod -aG tpot $(whoami)
+
+# Add aliases
+echo "Adding aliases..."
+echo "alias dps='grc docker ps -a'" >> ~/.bashrc
+echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
+
+# Show running services
+sudo grc netstat -tulpen
+echo "Please review for possible honeypot port conflicts."
+echo "While SSH is taken care of, other services such as"
+echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
+
+echo "Done. Please reboot and re-connect via SSH on tcp/64295."
+

_deprecated/installer/debian/sudo-install.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if ! command -v sudo &> /dev/null
+then
+    echo "sudo is not installed. Installing now..."
+    su -c "apt-get -y update && apt-get -y install sudo"
+    su -c "/usr/sbin/usermod -aG sudo $(whoami)"
+else
+    echo "sudo is already installed."
+fi

_deprecated/installer/debian/uninstall.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Debian
+if ! grep -q 'ID=debian' /etc/os-release; then
+  echo "This script is designed to run on Debian. Aborting."
+  exit 1
+fi
+
+# Check if installer lock file exists
+if [ ! -f /var/log/debian-install-lock ]; then
+  echo "Error: The installer has not been run on this system. Aborting."
+  exit 1
+fi
+
+# Remove SSH config changes
+echo "Removing SSH config changes..."
+sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config
+
+# Uninstall Docker
+echo "Stopping and removing all containers ..."
+docker stop $(docker ps -aq)
+docker rm $(docker ps -aq)
+echo "Uninstalling Docker..."
+sudo systemctl stop docker
+sudo systemctl disable docker
+sudo apt-get -y remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo apt-get -y autoremove
+sudo rm -rf /etc/apt/sources.list.d/docker.list
+sudo rm -rf /etc/apt/keyrings/docker.gpg
+
+# Remove user from Docker, T-Pot group
+echo "Removing $(whoami) from T-Pot group..."
+sudo deluser $(whoami) tpot
+echo "Removing $(whoami) from Docker group..."
+sudo deluser $(whoami) docker
+# Remove T-Pot user and group
+echo "Removing T-Pot user..."
+sudo deluser tpot
+echo "Removing T-Pot group..."
+sudo delgroup tpot
+
+# Remove aliases
+echo "Removing aliases..."
+sed -i '/alias dps=/d' ~/.bashrc
+sed -i '/alias dpsw=/d' ~/.bashrc
+
+# Remove installer lock file
+sudo rm -f /var/log/debian-install-lock
+
+echo "Done. Please reboot and re-connect via SSH on tcp/22"
+

_deprecated/installer/fedora/install.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Fedora
+if ! grep -q 'ID=fedora' /etc/os-release; then
+  echo "This script is designed to run on Fedora. Aborting."
+  exit 1
+fi
+
+if [ -f /var/log/fedora-install-lock ]; then
+  echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
+  exit 1
+fi
+
+# Create installer lock file
+sudo touch /var/log/fedora-install-lock
+
+# Update SSH config
+echo "Updating SSH config..."
+sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config'
+
+# Update DNS config
+echo "Updating DNS config..."
+sudo bash -c "sed -i 's/^.*DNSStubListener=.*/DNSStubListener=no/' /etc/systemd/resolved.conf"
+sudo systemctl restart systemd-resolved.service
+
+# Update SELinux config
+echo "Updating SELinux config..."
+sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config
+
+# Update Firewall rules
+echo "Updating Firewall rules..."
+sudo firewall-cmd --permanent --add-port=64295/tcp
+sudo firewall-cmd --permanent --zone=public --set-target=ACCEPT
+#sudo firewall-cmd --reload
+sudo firewall-cmd --list-all
+
+# Load kernel modules
+echo "Loading kernel modules..."
+sudo modprobe -v iptable_filter
+echo "iptable_filter" | sudo tee /etc/modules-load.d/iptables.conf
+
+# Add Docker to repositories, install latest docker
+echo "Adding Docker to repositories and installing..."
+sudo dnf -y update
+sudo dnf -y install dnf-plugins-core
+sudo dnf -y config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
+sudo dnf -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo systemctl enable docker
+sudo systemctl start docker
+
+# Install recommended packages
+echo "Installing recommended packages..."
+sudo dnf -y install bash-completion git grc net-tools
+
+# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
+echo "Creating T-Pot group and user..."
+sudo groupadd -g 2000 tpot
+sudo useradd -r -u 2000 -g 2000 -M -s /sbin/nologin tpot
+# Add user to Docker, T-Pot group
+echo "Adding $(whoami) to Docker group..."
+sudo usermod -aG docker $(whoami)
+echo "Adding $(whoami) to T-Pot group..."
+sudo usermod -aG tpot $(whoami)
+
+# Add aliases
+echo "Adding aliases..."
+echo "alias dps='grc docker ps -a'" >> ~/.bashrc
+echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
+
+# Show running services
+sudo grc netstat -tulpen
+echo "Please review for possible honeypot port conflicts."
+echo "While SSH is taken care of, other services such as"
+echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
+
+echo "Done. Please reboot and re-connect via SSH on tcp/64295."
+

_deprecated/installer/fedora/uninstall.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Fedora
+if ! grep -q 'ID=fedora' /etc/os-release; then
+  echo "This script is designed to run on Fedora. Aborting."
+  exit 1
+fi
+
+if [ ! -f /var/log/fedora-install-lock ]; then
+  echo "Error: The installer has not been run on this system. Aborting uninstallation."
+  exit 1
+fi
+
+# Remove SSH config changes
+echo "Removing SSH config changes..."
+sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config
+
+# Remove DNS config changes
+echo "Updating DNS config..."
+sudo bash -c "sed -i 's/^.*DNSStubListener=.*/#DNSStubListener=yes/' /etc/systemd/resolved.conf"
+sudo systemctl restart systemd-resolved.service
+
+# Restore SELinux config
+echo "Restoring SELinux config..."
+sudo sed -i s/SELINUX=permissive/SELINUX=enforcing/g /etc/selinux/config
+
+# Remove Firewall rules
+echo "Removing Firewall rules..."
+sudo firewall-cmd --permanent --remove-port=64295/tcp
+sudo firewall-cmd --permanent --zone=public --set-target=default
+#sudo firewall-cmd --reload
+sudo firewall-cmd --list-all
+
+# Unload kernel modules
+echo "Unloading kernel modules..."
+sudo modprobe -rv iptable_filter
+sudo rm /etc/modules-load.d/iptables.conf
+
+# Uninstall Docker
+echo "Stopping and removing all containers ..."
+docker stop $(docker ps -aq)
+docker rm $(docker ps -aq)
+echo "Uninstalling Docker..."
+sudo systemctl stop docker
+sudo systemctl disable docker
+sudo dnf -y remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo dnf config-manager --disable docker-ce-stable
+sudo rm /etc/yum.repos.d/docker-ce.repo
+
+# Remove user from Docker, T-Pot group
+echo "Removing $(whoami) from T-Pot group..."
+sudo gpasswd -d $(whoami) tpot
+echo "Removing $(whoami) from Docker group..."
+sudo gpasswd -d $(whoami) docker
+# Remove T-Pot user and group
+echo "Removing T-Pot user..."
+sudo userdel tpot
+echo "Removing T-Pot group..."
+sudo groupdel tpot
+
+# Remove aliases
+echo "Removing aliases..."
+sed -i '/alias dps=/d' ~/.bashrc
+sed -i '/alias dpsw=/d' ~/.bashrc
+
+# Remove installer lock file
+sudo rm /var/log/fedora-install-lock
+
+echo "Done. Please reboot and re-connect via SSH on tcp/22"
+

_deprecated/installer/suse/install.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on OpenSuse Tumbleweed
+if ! grep -q 'ID="opensuse-tumbleweed"' /etc/os-release; then
+  echo "This script is designed to run on OpenSuse Tumbleweed. Aborting."
+  exit 1
+fi
+
+if [ -f /var/log/suse-install-lock ]; then
+  echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
+  exit 1
+fi
+
+# Create installer lock file
+sudo touch /var/log/suse-install-lock
+
+# Update SSH config
+echo "Updating SSH config..."
+sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config.d/port.conf'
+
+# Update Firewall rules
+echo "Updating Firewall rules..."
+sudo firewall-cmd --permanent --add-port=64295/tcp
+sudo firewall-cmd --permanent --zone=public --set-target=ACCEPT
+#sudo firewall-cmd --reload
+sudo firewall-cmd --list-all
+
+# Install docker and recommended packages
+echo "Installing recommended packages..."
+sudo zypper -n update
+sudo zypper -n remove cups net-tools postfix yast2-auth-client yast2-auth-server
+sudo zypper -n install bash-completion docker docker-compose git grc busybox-net-tools
+
+# Enable and start docker
+echo "Enabling and starting docker..."
+systemctl enable docker
+systemctl start docker
+
+# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
+echo "Creating T-Pot group and user ..."
+sudo groupadd -g 2000 tpot
+sudo useradd -r -u 2000 -g 2000 -s /sbin/nologin tpot
+
+# Add user to Docker, T-Pot group
+echo "Adding $(whoami) to Docker group..."
+sudo usermod -a -G docker $(whoami)
+echo "Adding $(whoami) to T-Pot group..."
+sudo usermod -a -G tpot $(whoami)
+
+# Add aliases
+echo "Adding aliases..."
+echo "alias dps='grc docker ps -a'" >> ~/.bashrc
+echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
+
+# Show running services
+sudo grc netstat -tulpen
+echo "Please review for possible honeypot port conflicts."
+echo "While SSH is taken care of, other services such as"
+echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
+
+echo "Done. Please reboot and re-connect via SSH on tcp/64295."
+