Update

2025-07-02 01:27:27 -04:00 · 2022-04-12 13:58:34 +02:00 · 2022-04-12 12:47:07 +02:00 · 2022-04-12 12:25:34 +02:00 · 2022-04-12 12:17:37 +02:00 · 2022-04-12 11:34:16 +02:00
369 changed files with 14552 additions and 12699 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -1,31 +0,0 @@
 # Contribution
 Thank you for your decision to contribute to T-Pot.
 ## Issues
 Please feel free to post your problems, ideas and issues [here](https://github.com/dtag-dev-sec/tpotce/issues). We will try to answer ASAP, but to speed things up we encourage you to ...
 - [ ] Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
 - [ ] Check the FAQs in our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
 - [ ] Provide [basic support information](#info) with regard to your issue
 Thank you :smiley:
 -
 <a name="info"></a>
 ### Basic support information
 - What T-Pot version are you currently using?
 - Are you running on a Intel NUC or a VM?
 - How long has your installation been running?
 - Did you install any upgrades or packages?
 - Did you modify any scripts?
 - Have you turned persistence on/off?
 - How much RAM is available (login via ssh and run `htop`)?
 - How much stress are the CPUs under (login via ssh and run `htop`)?
 - How much swap space is being used (login via ssh and run `htop`)?
 - How much free disk space is available (login via ssh and run `sudo df -h`)?
 - What is the current container status (login via ssh and run `sudo dps.sh`)?
--- a/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md
+++ b/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md
@ -0,0 +1,37 @@
 ---
 name: Bug report for T-Pot
 about: Bug report for T-Pot
 title: ''
 labels: ''
 assignees: ''
 ---
 Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
 - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
 - 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
 - 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
 - **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
 <br>
 <br>
 <br>
 <a name="info"></a>
 ## ⚠️ Basic support information (commands are expected to run as `root`)
 - What version of the OS are you currently using `lsb_release -a` and `uname -a`?
 - What T-Pot version are you currently using?
 - What edition (Standard, Nextgen, etc.) of T-Pot are you running?
 - What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
 - Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
 - How long has your installation been running?
 - Did you install upgrades, packages or use the update script?
 - Did you modify any scripts or configs? If yes, please attach the changes.
 - Please provide a screenshot of `glances` and `htop`.
 - How much free disk space is available (`df -h`)?
 - What is the current container status (`dps.sh`)?
 - What is the status of the T-Pot service (`systemctl status tpot`)?
 - What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
 - If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries
--- a/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md
+++ b/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md
@ -0,0 +1,20 @@
 ---
 name: Feature request for T-Pot
 about: Suggest an idea for T-Pot
 title: ''
 labels: ''
 assignees: ''
 ---
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
+++ b/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
@ -0,0 +1,39 @@
 ---
 name: General issue for T-Pot
 about: General issue for T-Pot
 title: ''
 labels: ''
 assignees: ''
 ---
 🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
 Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
 - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
 - 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
 - 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
 - **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
 <br>
 <br>
 <br>
 <a name="info"></a>
 ## ⚠️ Basic support information (commands are expected to run as `root`)
 - What version of the OS are you currently using `lsb_release -a` and `uname -a`?
 - What T-Pot version are you currently using?
 - What edition (Standard, Nextgen, etc.) of T-Pot are you running?
 - What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
 - Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
 - How long has your installation been running?
 - Did you install upgrades, packages or use the update script?
 - Did you modify any scripts or configs? If yes, please attach the changes.
 - Please provide a screenshot of `glances` and `htop`.
 - How much free disk space is available (`df -h`)?
 - What is the current container status (`dps.sh`)?
 - What is the status of the T-Pot service (`systemctl status tpot`)?
 - What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
 - If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -0,0 +1,45 @@
 # Release Notes / Changelog
 T-Pot 22.04.0 is probably the most feature rich release ever provided with long awaited (wanted!) features readily available after installation. 
 ## New Features
 * **Distributed** Installation with **HIVE** and **HIVE_SENSOR**
 * **ARM64** support for all provided Docker images
 * **GeoIP Attack Map** visualizing Live Attacks on a dedicated webpage
 * **Kibana Live Attack Map** visualizing Live Attacks from different **HIVE_SENSORS**
 * **Blackhole** is a script trying to avoid mass scanner detection 
 * **Elasticvue** a web front end for browsing and interacting with an Elastic Search cluster
 * **Ddospot** a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
 * **Endlessh** is a SSH tarpit that very slowly sends an endless, random SSH banner
 * **HellPot** is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
 * **qHoneypots** 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
 * **Redishoneypot** is a honeypot mimicking some of the Redis' functions
 * **SentryPeer** a dedicated SIP honeypot
 * **Index Lifecycle Management** for Elasticseach indices is now being used
 ## Upgrades
 * **Debian 11.x** is now being used for the T-Pot ISO images and required for post installs
 * **Elastic Stack 8.x** is now provided as Docker images
 ## Updates
 * **Honeypots** and **tools** were updated to their latest masters and releases
 * Updates will be provided continuously through Docker Images updates 
 ## Breaking Changes
 * For security reasons all Py2.x honeypots with the need of PyPi packages have been removed: **HoneyPy**, **HoneySAP** and **RDPY**
 * If you are upgrading from a previous version of T-Pot (20.06.x) you need to import the new Kibana objects or some of the functionality will be broken or will be unavailabe
 * **Cyberchef** is now part of the Nginx Docker image, no longer as individual image
 * **ElasticSearch Head** is superseded by **Elasticvue** and part the Nginx Docker image
 * **Heimdall** is no longer supported and superseded with a new Bento based landing page
 * **Elasticsearch Curator** is no longer supprted and superseded with **Index Lifecycle Policies** available through Kibana.
 # Thanks & Credits
 * @ghenry, for some fun late night debugging and of course SentryPeer!
 * @giga-a, for adding much appreciated features (i.e. JSON logging, 
 X-Forwarded-For, etc.) and of course qHoneypots! 
 * @sp3t3rs, @trixam, for their backend and ews support!
 * @tadashi-oya, for spotting some errors and propose fixes!
 * @tmariuss, @shaderecker for their cloud contributions!
 * @vorband, for much appreciated and helpful insights regarding the GeoIP Attack Map!
 * @yunginnanet, on not giving up on squashing a bug and of course Hellpot!
 ... and many others from the T-Pot community by opening valued issues and discussions, suggesting ideas and thus helping to improve T-Pot!
--- a/CONTRIBUTING.MD
+++ b/CONTRIBUTING.MD
@ -1,31 +0,0 @@
 # Contribution
 Thank you for your decision to contribute to T-Pot.
 ## Issues
 Please feel free to post your problems, ideas and issues [here](https://github.com/dtag-dev-sec/tpotce/issues). We will try to answer ASAP, but to speed things up we encourage you to ...
 - [ ] Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
 - [ ] Check the FAQs in our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
 - [ ] Provide [basic support information](#info) with regard to your issue
 Thank you :smiley:
 -
 <a name="info"></a>
 ### Basic support information
 - What T-Pot version are you currently using?
 - Are you running on a Intel NUC or a VM?
 - How long has your installation been running?
 - Did you install any upgrades or packages?
 - Did you modify any scripts?
 - Have you turned persistence on/off?
 - How much RAM is available (login via ssh and run `htop`)?
 - How much stress are the CPUs under (login via ssh and run `htop`)?
 - How much swap space is being used (login via ssh and run `htop`)?
 - How much free disk space is available (login via ssh and run `sudo df -h`)?
 - What is the current container status (login via ssh and run `sudo dps.sh`)?
--- a/README.md
+++ b/README.md
--- a/bin/2fa.sh
+++ b/bin/2fa.sh
@ -0,0 +1,77 @@
 #!/bin/bash
 # Make sure script is started as non-root.
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" = "root" ]
  then
    echo "Need to run as non-root ..."
    echo ""
    exit
 fi
 # set vars, check deps
 myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
 if ! [ -s "$myPAM_COCKPIT_FILE" ];
  then
    echo "### Cockpit PAM module config does not exist. Something went wrong."
    echo ""
    exit 1
 fi
 myPAM_COCKPIT_GA="
 # google authenticator for two-factor
 auth required pam_google_authenticator.so
 "
 myAUTHENTICATOR=$(which google-authenticator)
 if [ "$myAUTHENTICATOR" == "" ];
  then
    echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
    echo ""
    sudo apt-get update
    sudo apt-get install -y libpam-google-authenticator
    exec "$1" "$2"    
    exit 1
 fi
 # write PAM changes 
 function fuWRITE_PAM_CHANGES {
  myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
  if ! [ "$myCHECK" == "0" ];
    then
      echo "### PAM config already enabled. Skipped."
      echo ""
    else
      echo "### Updating PAM config for Cockpit (if asked provide root password)."
      echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
      sudo systemctl restart cockpit
  fi
 }
 # create 2fa
 function fuGEN_TOKEN {
  echo "### Now generating token for Google Authenticator."
  echo ""
  google-authenticator -t -d -r 3 -R 30 -w 17
 }
 # main
 echo "### This script will enable Two Factor Authentication for Cockpit."
 echo ""
 echo "### Please download one of the many authenticator apps from the appstore of your choice."
 echo ""
 while true;
  do
    read -p "### Ready to start (y/n)? " myANSWER
    case $myANSWER in
      [Yy]* ) echo "### OK. Starting ..."; break;;
      [Nn]* ) echo "### Exiting."; exit;;
    esac
 done
 fuWRITE_PAM_CHANGES
 fuGEN_TOKEN
 echo "Done. Re-run this script by every user who needs Cockpit access."
 echo ""
--- a/bin/backup_es_folders.sh
+++ b/bin/backup_es_folders.sh
@ -1,4 +1,21 @@
 #!/bin/bash
 # Run as root only.
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ];
  then
    echo "Need to run as root ..."
    exit
 fi
 if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
  then
    echo "Usage: backup_es_folders [all, base]"
    echo "       all  = backup all ES folder"
    echo "       base = backup only Kibana index".
    echo
    exit
 fi
 # Backup all ES relevant folders
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
@ -16,8 +33,8 @@ fi
 myCOUNT=1
 myDATE=$(date +%Y%m%d%H%M)
 myELKPATH="/data/elk/data"
-myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/' | grep -w ".kibana_1" | awk '{ print $4 }')
+myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
-myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME
+myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
@ -34,5 +51,11 @@ sleep 2
 # Backup DB in 2 flavors
 echo "### Now backing up Elasticsearch folders ..."
-tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
+if [ "$1" == "all" ];
-tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
+  then
    tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
 elif [ "$1" == "base" ];
  then
    tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
 fi
--- a/bin/blackhole.sh
+++ b/bin/blackhole.sh
@ -0,0 +1,109 @@
 #!/bin/bash
 # Run as root only.
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "### Need to run as root ..."
    echo
    exit
 fi
 # Disclaimer
 if [ "$1" == "" ];
  then
    echo "### Warning!"
    echo "### This script will download and add blackhole routes for known mass scanners in an attempt to decrease the chance of detection."
    echo "### IPs are neither curated or verified, use at your own risk!"
    echo "###"
    echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
    echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
    echo
    echo "Usage: blackhole.sh add (add blackhole routes)" 
    echo "       blackhole.sh del (delete blackhole routes)"
    echo
    exit
 fi
 # QnD paths, files
 mkdir -p /etc/blackhole
 cd /etc/blackhole
 myFILE="mass_scanner.txt"
 myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
 myBASELINE="500"
 # Alternatively, using less routes, but blocking complete /24 networks
 #myFILE="mass_scanner_cidr.txt"
 #myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
 # Calculate age of downloaded list, read IPs
 if [ -f "$myFILE" ];
  then
    myNOW=$(date +%s)
    myOLD=$(date +%s -r "$myFILE")
    myDAYS=$(( ($myNOW-$myOLD) / (60*60*24) ))
    echo "### Downloaded $myFILE list is $myDAYS days old."
    myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
 fi
 # Let's load ip list
 if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
  then
    echo "### Downloading $myFILE list."
    aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
    myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u) 
 fi
 myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
 # Let's extract mass scanner IPs
 if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
  then
    echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
    echo "### Aborting."
    echo
    exit
 elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
  then
    echo "### Blackhole already enabled."
    echo "### Aborting."
    echo
    exit
 fi
 # Let's add blackhole routes for all mass scanner IPs
 if [ "$1" == "add" ];
  then
    echo
    echo -n "Now adding $myCOUNT IPs to blackhole."
    for i in $myBLACKHOLE_IPS;
      do
        ip route add blackhole "$i"
 	echo -n "."
    done
    echo
    echo "Added $(ip r | grep "blackhole" -c) IPs to blackhole."
    echo
    echo "### Remember!"
    echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
    echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
    echo
    exit
 fi
 # Let's delete blackhole routes for all mass scanner IPs
 if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
  then
    echo
    echo -n "Now deleting $myCOUNT IPs from blackhole."
      for i in $myBLACKHOLE_IPS;
        do
          ip route del blackhole "$i"
 	  echo -n "."
      done
      echo
      echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
      echo
      rm "$myFILE"
  else
    echo "### Blackhole already disabled."
    echo
 fi
--- a/bin/change_ews_config.sh
+++ b/bin/change_ews_config.sh
@ -0,0 +1,89 @@
 #!/bin/bash
 echo """
 ##############################
 # T-POT DTAG Data Submission #
 # Contact:                   #
 # cert@telekom.de            # 
 ##############################
 """
 # Got root?
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    sudo ./$0
    exit
 fi
 printf "[*] Enter your API UserID: "
 read apiUser
 printf "[*] Enter your API Token: "
 read apiToken
 printf "[*] If you have multiple T-Pots running, give them each a unique NUMBER, e.g. '2' for your second T-Pot installation. Enter unique number for THIS T-Pot: "
 read indexNumber
 if ! [[ "$indexNumber" =~ ^[0-9]+$ ]]
    then
        echo "Sorry integers only. You have to start over..."
        exit 1
 fi
 apiURL="https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage"
 printf "[*] Currently, your honeypot is configured to transmit data the default backend at 'https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage'. Do you want to change this API endpoint? Only do this if you run your own PEBA backend instance? (N/y): "
 read replyAPI
 if [[ $replyAPI =~ ^[Yy]$ ]]
 then    
    printf "[*] Enter your API endpoint URL and make sure it contains the full path, e.g. 'https://myDomain.local:9922/ews-0.1/alert/postSimpleMessage': "
    read apiURL
 fi
 echo ""
 echo "[*] Recap! You defined: "
 echo "############################"
 echo "API User: " $apiUser
 echo "API Token: " $apiToken
 echo "API URL: " $apiURL
 echo "Unique numeric ID for your T-Pot Installation: "  $indexNumber
 echo "Specific honeypot-IDs will look like : <honeypotType>-"$apiUser"-"$indexNumber
 echo "############################"
 echo ""
 printf  "[*] Is the above correct (y/N)? "
 read reply
 if [[ ! $reply =~ ^[Yy]$ ]]
 then	
 	echo "OK, then run this again..."
    exit 1
 fi
 echo ""
 echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
 echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
 wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
 if [[ -f "ews.cfg.dist" ]]; then
 	echo "[+] Successfully downloaded ews.cfg from github."
 else 
 	echo "[+] Could not download ews.cfg from github."
 	exit 1
 fi 
 echo "[+] Patching ews.cfg API Credentials."
 sed 's/community-01-user/'$apiUser'/' ews.cfg.dist > ews.cfg
 sed -i 's/foth{a5maiCee8fineu7/'$apiToken'/' ews.cfg
 echo "[+] Patching ews.cfg API Url."
 apiURL=${apiURL////\\/};
 sed -i 's/https:\/\/community.sicherheitstacho.eu\/ews-0.1\/alert\/postSimpleMessage/'$apiURL'/' ews.cfg
 echo "[+] Patching ews.cfg honeypot IDs."
 sed -i 's/community-01/'$apiUser'-'$indexNumber'/' ews.cfg
 rm ews.cfg.dist
 echo "[+] Changing tpot.yml to include new ews.cfg."
 cp ews.cfg /data/ews/conf/ews.cfg
 cp /opt/tpot/etc/tpot.yml /opt/tpot/etc/tpot.yml.bak
 sed -i '/- \/data\/ews\/conf\/ews.ip:\/opt\/ewsposter\/ews.ip/a\ \ \   - \/data\/ews\/conf\/ews.cfg:\/opt\/ewsposter\/ews.cfg' /opt/tpot/etc/tpot.yml
 echo "[+] Restarting T-Pot."
 systemctl restart tpot
 echo "[+] Done."
--- a/bin/clean.sh
+++ b/bin/clean.sh
@ -1,11 +1,13 @@
 #!/bin/bash
 # T-Pot Container Data Cleaner & Log Rotator
 # Set colors
 myRED="[0;31m"
 myGREEN="[0;32m"
 myWHITE="[0;0m"
 # Set pigz
 myPIGZ=$(which pigz)
 # Set persistence
 myPERSISTENCE=$1
@ -38,7 +40,7 @@ fuLOGROTATE () {
  local myTANNERFTGZ="/data/tanner/files.tgz"
 # Ensure correct permissions and ownerships for logrotate to run without issues
-chmod 760 /data/ -R
+chmod 770 /data/ -R
 chown tpot:tpot /data -R
 chmod 644 /data/nginx/conf -R
 chmod 644 /data/nginx/cert -R
@ -47,17 +49,17 @@ chmod 644 /data/nginx/cert -R
 logrotate -f -s $mySTATUS $myCONF
 # Compressing some folders first and rotate them later
-if [ "$(fuEMPTY $myADBHONEYDL)" != "0" ]; then tar cvfz $myADBHONEYTGZ $myADBHONEYDL; fi
+if [ "$(fuEMPTY $myADBHONEYDL)" != "0" ]; then tar -I $myPIGZ -cvf $myADBHONEYTGZ $myADBHONEYDL; fi
-if [ "$(fuEMPTY $myCOWRIETTYLOGS)" != "0" ]; then tar cvfz $myCOWRIETTYTGZ $myCOWRIETTYLOGS; fi
+if [ "$(fuEMPTY $myCOWRIETTYLOGS)" != "0" ]; then tar -I $myPIGZ -cvf $myCOWRIETTYTGZ $myCOWRIETTYLOGS; fi
-if [ "$(fuEMPTY $myCOWRIEDL)" != "0" ]; then tar cvfz $myCOWRIEDLTGZ $myCOWRIEDL; fi
+if [ "$(fuEMPTY $myCOWRIEDL)" != "0" ]; then tar -I $myPIGZ -cvf $myCOWRIEDLTGZ $myCOWRIEDL; fi
-if [ "$(fuEMPTY $myDIONAEABI)" != "0" ]; then tar cvfz $myDIONAEABITGZ $myDIONAEABI; fi
+if [ "$(fuEMPTY $myDIONAEABI)" != "0" ]; then tar -I $myPIGZ -cvf $myDIONAEABITGZ $myDIONAEABI; fi
-if [ "$(fuEMPTY $myDIONAEABIN)" != "0" ]; then tar cvfz $myDIONAEABINTGZ $myDIONAEABIN; fi
+if [ "$(fuEMPTY $myDIONAEABIN)" != "0" ]; then tar -I $myPIGZ -cvf $myDIONAEABINTGZ $myDIONAEABIN; fi
-if [ "$(fuEMPTY $myHONEYTRAPATTACKS)" != "0" ]; then tar cvfz $myHONEYTRAPATTACKSTGZ $myHONEYTRAPATTACKS; fi
+if [ "$(fuEMPTY $myHONEYTRAPATTACKS)" != "0" ]; then tar -I $myPIGZ -cvf $myHONEYTRAPATTACKSTGZ $myHONEYTRAPATTACKS; fi
-if [ "$(fuEMPTY $myHONEYTRAPDL)" != "0" ]; then tar cvfz $myHONEYTRAPDLTGZ $myHONEYTRAPDL; fi
+if [ "$(fuEMPTY $myHONEYTRAPDL)" != "0" ]; then tar -I $myPIGZ -cvf $myHONEYTRAPDLTGZ $myHONEYTRAPDL; fi
-if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar cvfz $myTANNERFTGZ $myTANNERF; fi
+if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar -I $myPIGZ -cvf $myTANNERFTGZ $myTANNERF; fi
 # Ensure correct permissions and ownership for previously created archives
-chmod 760 $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
+chmod 770 $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
 chown tpot:tpot $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
 # Need to remove subfolders since too many files cause rm to exit with errors
@ -65,7 +67,7 @@ rm -rf $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $my
 # Recreate subfolders with correct permissions and ownership
 mkdir -p $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
-chmod 760 $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
+chmod 770 $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
 chown tpot:tpot $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
 # Run logrotate again to account for previously created archives - DO NOT FORCE HERE!
@ -76,7 +78,7 @@ logrotate -s $mySTATUS $myCONF
 fuADBHONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi
  mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/
-  chmod 760 /data/adbhoney/ -R
+  chmod 770 /data/adbhoney/ -R
  chown tpot:tpot /data/adbhoney/ -R
 }
@ -84,15 +86,23 @@ fuADBHONEY () {
 fuCISCOASA () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi
  mkdir -p /data/ciscoasa/log
-  chmod 760 /data/ciscoasa -R
+  chmod 770 /data/ciscoasa -R
  chown tpot:tpot /data/ciscoasa -R
 }
 # Let's create a function to clean up and prepare citrixhoneypot data
 fuCITRIXHONEYPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi
  mkdir -p /data/citrixhoneypot/logs/
  chmod 770 /data/citrixhoneypot/ -R
  chown tpot:tpot /data/citrixhoneypot/ -R
 }
 # Let's create a function to clean up and prepare conpot data
 fuCONPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
  mkdir -p /data/conpot/log
-  chmod 760 /data/conpot -R
+  chmod 770 /data/conpot -R
  chown tpot:tpot /data/conpot -R
 }
@ -100,15 +110,32 @@ fuCONPOT () {
 fuCOWRIE () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi
  mkdir -p /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/
-  chmod 760 /data/cowrie -R
+  chmod 770 /data/cowrie -R
  chown tpot:tpot /data/cowrie -R
 }
 # Let's create a function to clean up and prepare ddospot data
 fuDDOSPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
  mkdir -p /data/ddospot/log
  chmod 770 /data/ddospot -R
  chown tpot:tpot /data/ddospot -R
 }
 # Let's create a function to clean up and prepare dicompot data
 fuDICOMPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
  mkdir -p /data/dicompot/log
  mkdir -p /data/dicompot/images
  chmod 770 /data/dicompot -R
  chown tpot:tpot /data/dicompot -R
 }
 # Let's create a function to clean up and prepare dionaea data
 fuDIONAEA () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
  mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp
-  chmod 760 /data/dionaea -R
+  chmod 770 /data/dionaea -R
  chown tpot:tpot /data/dionaea -R
 }
@ -116,7 +143,7 @@ fuDIONAEA () {
 fuELASTICPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi
  mkdir -p /data/elasticpot/log
-  chmod 760 /data/elasticpot -R
+  chmod 770 /data/elasticpot -R
  chown tpot:tpot /data/elasticpot -R
 }
@ -126,47 +153,95 @@ fuELK () {
  # ELK daemon log files will be removed
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi
  mkdir -p /data/elk
-  chmod 760 /data/elk -R
+  chmod 770 /data/elk -R
  chown tpot:tpot /data/elk -R
 }
-# Let's create a function to clean up and prepare glastopf data
+# Let's create a function to clean up and prepare endlessh data
-fuGLASTOPF () {
+fuENDLESSH () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glastopf/*; fi
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
-  mkdir -p /data/glastopf/db /data/glastopf/log
+  mkdir -p /data/endlessh/log
-  chmod 760 /data/glastopf -R
+  chmod 770 /data/endlessh -R
-  chown tpot:tpot /data/glastopf -R
+  chown tpot:tpot /data/endlessh -R
 }
 # Let's create a function to clean up and prepare fatt data
 fuFATT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
  mkdir -p /data/fatt/log
  chmod 770 -R /data/fatt
  chown tpot:tpot -R /data/fatt
 }
 # Let's create a function to clean up and prepare glastopf data
 fuGLUTTON () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
  mkdir -p /data/glutton/log
-  chmod 760 /data/glutton -R
+  chmod 770 /data/glutton -R
  chown tpot:tpot /data/glutton -R
 }
 # Let's create a function to clean up and prepare hellpot data
 fuHELLPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
  mkdir -p /data/hellpot/log
  chmod 770 /data/hellpot -R
  chown tpot:tpot /data/hellpot -R
 }
 # Let's create a function to clean up and prepare heralding data
 fuHERALDING () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
  mkdir -p /data/heralding/log
-  chmod 760 /data/heralding -R
+  chmod 770 /data/heralding -R
  chown tpot:tpot /data/heralding -R
 }
 # Let's create a function to clean up and prepare honeypots data
 fuHONEYPOTS () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
  mkdir -p /data/honeypots/log
  chmod 770 /data/honeypots -R
  chown tpot:tpot /data/honeypots -R
 }
 # Let's create a function to clean up and prepare honeysap data
 fuHONEYSAP () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi
  mkdir -p /data/honeysap/log
  chmod 770 /data/honeysap -R
  chown tpot:tpot /data/honeysap -R
 }
 # Let's create a function to clean up and prepare honeytrap data
 fuHONEYTRAP () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
  mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
-  chmod 760 /data/honeytrap/ -R
+  chmod 770 /data/honeytrap/ -R
  chown tpot:tpot /data/honeytrap/ -R
 }
 # Let's create a function to clean up and prepare ipphoney data
 fuIPPHONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
  mkdir -p /data/ipphoney/log
  chmod 770 /data/ipphoney -R
  chown tpot:tpot /data/ipphoney -R
 }
 # Let's create a function to clean up and prepare log4pot data
 fuLOG4POT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
  mkdir -p /data/log4pot/log
  chmod 770 /data/log4pot -R
  chown tpot:tpot /data/log4pot -R
 }
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
  mkdir -p /data/mailoney/log/
-  chmod 760 /data/mailoney/ -R
+  chmod 770 /data/mailoney/ -R
  chown tpot:tpot /data/mailoney/ -R
 }
@ -174,7 +249,7 @@ fuMAILONEY () {
 fuMEDPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi
  mkdir -p /data/medpot/log/
-  chmod 760 /data/medpot/ -R
+  chmod 770 /data/medpot/ -R
  chown tpot:tpot /data/medpot/ -R
 }
@ -190,15 +265,31 @@ fuNGINX () {
 fuRDPY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi
  mkdir -p /data/rdpy/log/
-  chmod 760 /data/rdpy/ -R
+  chmod 770 /data/rdpy/ -R
  chown tpot:tpot /data/rdpy/ -R
 }
 # Let's create a function to clean up and prepare redishoneypot data
 fuREDISHONEYPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
  mkdir -p /data/redishoneypot/log
  chmod 770 /data/redishoneypot -R
  chown tpot:tpot /data/redishoneypot -R
 }
 # Let's create a function to clean up and prepare sentrypeer data
 fuSENTRYPEER () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
  mkdir -p /data/sentrypeer/log
  chmod 770 /data/sentrypeer -R
  chown tpot:tpot /data/sentrypeer -R
 }
 # Let's create a function to prepare spiderfoot db
 fuSPIDERFOOT () {
  mkdir -p /data/spiderfoot
  touch /data/spiderfoot/spiderfoot.db
-  chmod 760 -R /data/spiderfoot
+  chmod 770 -R /data/spiderfoot
  chown tpot:tpot -R /data/spiderfoot
 }
@ -206,7 +297,7 @@ fuSPIDERFOOT () {
 fuSURICATA () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi
  mkdir -p /data/suricata/log
-  chmod 760 -R /data/suricata
+  chmod 770 -R /data/suricata
  chown tpot:tpot -R /data/suricata
 }
@ -214,7 +305,7 @@ fuSURICATA () {
 fuP0F () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi
  mkdir -p /data/p0f/log
-  chmod 760 -R /data/p0f
+  chmod 770 -R /data/p0f
  chown tpot:tpot -R /data/p0f
 }
@ -222,7 +313,7 @@ fuP0F () {
 fuTANNER () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi
  mkdir -p /data/tanner/log /data/tanner/files
-  chmod 760 -R /data/tanner
+  chmod 770 -R /data/tanner
  chown tpot:tpot -R /data/tanner
 }
@ -250,19 +341,30 @@ if [ "$myPERSISTENCE" = "on" ];
    echo "Cleaning up and preparing data folders."
    fuADBHONEY
    fuCISCOASA
    fuCITRIXHONEYPOT
    fuCONPOT
    fuCOWRIE
    fuDDOSPOT
    fuDICOMPOT
    fuDIONAEA
    fuELASTICPOT
    fuELK
-    fuGLASTOPF
+    fuENDLESSH
    fuFATT
    fuGLUTTON
    fuHERALDING
    fuHELLPOT
    fuHONEYSAP
    fuHONEYPOTS
    fuHONEYTRAP
    fuIPPHONEY
    fuLOG4POT
    fuMAILONEY
    fuMEDPOT
    fuNGINX
    fuREDISHONEYPOT
    fuRDPY
    fuSENTRYPEER
    fuSPIDERFOOT
    fuSURICATA
    fuP0F
--- a/bin/deploy.sh
+++ b/bin/deploy.sh
@ -0,0 +1,182 @@
 #!/bin/bash
 # Do we have root?
 function fuGOT_ROOT {
 echo
 echo -n "### Checking for root: "
 if [ "$(whoami)" != "root" ];
  then
    echo "[ NOT OK ]"
    echo "### Please run as root."
    echo "### Example: sudo $0"
    exit
  else
    echo "[ OK ]"
 fi
 }
 function fuDEPLOY_SENSOR () {
 echo
 echo "###############################"
 echo "# Deploying to T-Pot Hive ... #"
 echo "###############################"
 echo
 sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
 echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
 mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
 echo "$MY_SENSOR_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
 chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
 chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
 chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
 EOF
 echo
 echo "###########################"
 echo "# Done. Please reboot ... #"
 echo "###########################"
 echo
 exit 0
 }
 # Check Hive availability 
 function fuCHECK_HIVE () {
 echo
 echo "############################################"
 echo "# Checking for T-Pot Hive availability ... #"
 echo "############################################"
 echo
 sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
 if [ $? -eq 0 ];
  then
    echo
    echo "#########################"
    echo "# T-Pot Hive available! #"
    echo "#########################"
    echo
    myHIVE_OK=$(curl -s http://127.0.0.1:64305)
    if [ "$myHIVE_OK" == "ok" ];
      then
 	echo
        echo "##############################"
        echo "# T-Pot Hive tunnel test OK! #"
        echo "##############################"
        echo
        kill -9 $(pidof ssh)
      else
        echo
 	echo "######################################################"
        echo "# T-Pot Hive tunnel test FAILED!                     #"
 	echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
 	echo "# Aborting.                                          #"
        echo "######################################################"
        echo
        kill -9 $(pidof ssh)
 	rm $MY_SENSOR_PUBLICKEYFILE
 	rm $MY_SENSOR_PRIVATEKEYFILE
 	rm $MY_LS_ENVCONFIGFILE
 	exit 1
    fi;
  else
    echo
    echo "#################################################################"
    echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
    echo "# Aborting.                                                     #"
    echo "#################################################################"
    echo
    rm $MY_SENSOR_PUBLICKEYFILE
    rm $MY_SENSOR_PRIVATEKEYFILE
    rm $MY_LS_ENVCONFIGFILE
    exit 1
 fi;
 }
 function fuGET_DEPLOY_DATA () {
 echo
 echo "### Please provide data from your T-Pot Hive installation."
 echo "### This usually is the one running the 'T-Pot Hive' type."
 echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
 echo "### Do not worry, the password will not be persisted!"
 echo
 read -p "Username: " MY_TPOT_USERNAME
 read -s -p "Password: " SSHPASS
 echo
 export SSHPASS
 read -p "IP / FQDN: " MY_HIVE_IP
 MY_HIVE_USERNAME="$(hostname)"
 MY_TPOT_TYPE="SENSOR"
 MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
 MY_SENSOR_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
 MY_SENSOR_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
 if ! [ -s "$MY_SENSOR_PRIVATEKEYFILE" ] && ! [ -s "$MY_SENSOR_PUBLICKEYFILE" ];
  then
    echo
    echo "##############################"
    echo "# Generating ssh keyfile ... #"
    echo "##############################"
    echo
    mkdir -p /data/elk/logstash
    ssh-keygen -f "$MY_SENSOR_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
    MY_SENSOR_PUBLICKEY="$(cat "$MY_SENSOR_PUBLICKEYFILE")"
  else
    echo
    echo "#############################################"
    echo "# There is already a ssh keyfile. Aborting. #"
    echo "#############################################"
    echo
    exit 1
 fi
 echo
 echo "###########################################################"
 echo "# Writing config to /data/elk/logstash/ls_environment.    #"
 echo "# If you make changes to this file, you need to reboot or #"
 echo "# run /opt/tpot/bin/updateip.sh.                          #"
 echo "###########################################################"
 echo
 tee $MY_LS_ENVCONFIGFILE << EOF
 MY_TPOT_TYPE=$MY_TPOT_TYPE
 MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
 MY_HIVE_USERNAME=$MY_HIVE_USERNAME
 MY_HIVE_IP=$MY_HIVE_IP
 EOF
 }
 # Deploy Pot to Hive
 fuGOT_ROOT
 echo
 echo "#################################"
 echo "# Ship T-Pot Logs to T-Pot Hive #"
 echo "#################################"
 echo
 echo "If you already have a T-Pot Hive installation running and"
 echo "this T-Pot installation is running the type \"Pot\" the"
 echo "script will automagically setup this T-Pot to ship and"
 echo "prepare the Hive to receive logs from this T-Pot."
 echo
 echo
 echo "###################################"
 echo "# Deploy T-Pot Logs to T-Pot Hive #"
 echo "###################################"
 echo 
 echo "[c] - Continue deplyoment"
 echo "[q] - Abort and exit"
 echo
 while [ 1 != 2 ]
  do
    read -s -n 1 -p "Your choice: " mySELECT
      echo $mySELECT
      case "$mySELECT" in
        [c,C])
          fuGET_DEPLOY_DATA
          fuCHECK_HIVE
 	  fuDEPLOY_SENSOR
          break
          ;;
        [q,Q])
          echo "Aborted."
          exit 0
          ;;
      esac
 done
--- a/bin/deprecated/export_kibana-objects.sh
+++ b/bin/deprecated/export_kibana-objects.sh
@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
@ -15,24 +15,25 @@ fi
 # Set vars
 myDATE=$(date +%Y%m%d%H%M)
-myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
-myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
+myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
-myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
+myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
-mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
+mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
 myCONFIGS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=config&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
 myCOL1="[0;34m"
 myCOL0="[0;0m"
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
-  rm -rf patterns/ dashboards/ visualizations/ searches/
+  rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
 }
 trap fuCLEANUP EXIT
 # Export index patterns
 mkdir -p patterns
 echo $myCOL1"### Now exporting"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
-curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes}' > patterns/$myINDEXID.json &
+curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes, references}' > patterns/$myINDEXID.json &
 echo
 # Export dashboards
@ -41,7 +42,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"das
 for i in $myDASHBOARDS;
  do
    echo $myCOL1"###### "$i $myCOL0
-    curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes}' > dashboards/$i.json &
+    curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes, references}' > dashboards/$i.json &
  done;
 echo
@ -51,7 +52,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1
 for i in $myVISUALIZATIONS;
  do
    echo $myCOL1"###### "$i $myCOL0
-    curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes}' > visualizations/$i.json &
+    curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes, references}' > visualizations/$i.json &
  done;
 echo
@ -61,7 +62,17 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searc
 for i in $mySEARCHES;
  do
    echo $myCOL1"###### "$i $myCOL0
-    curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes}' > searches/$i.json &
+    curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes, references}' > searches/$i.json &
  done;
 echo
 # Export configs
 mkdir -p configs
 echo $myCOL1"### Now exporting"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
 for i in $myCONFIGS;
  do
    echo $myCOL1"###### "$i $myCOL0
    curl -s -XGET ''$myKIBANA'api/saved_objects/config/'$i'' | jq '. | {attributes, references}' > configs/$i.json &
  done;
 echo
@ -70,7 +81,7 @@ wait
 # Building tar archive
 echo $myCOL1"### Now building archive"$myCOL0 "kibana-objects_"$myDATE".tgz"
-tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches > /dev/null
+tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches configs > /dev/null
 # Stats
 echo
@ -79,4 +90,5 @@ echo $myCOL1"###### Exported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
 echo $myCOL1"###### Exported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
 echo $myCOL1"###### Exported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
 echo $myCOL1"###### Exported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
 echo $myCOL1"###### Exported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
 echo
--- a/bin/deprecated/hptest.sh
+++ b/bin/deprecated/hptest.sh
@ -0,0 +1,122 @@
 #!/bin/bash
 myHOST="$1"
 myPACKAGES="dcmtk netcat nmap"
 myMEDPOTPACKET="
 MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
 EVN|A01|198808181123
 PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
 NK1|1|JONES^BARBARA^K|SPO|||||20011105
 NK1|1|JONES^MICHAEL^A|FTH
 PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
 AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
 AL1|2||^CAT DANDER||CODE257
 DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
 PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
 ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
 GT1|1122|1519|BILL^GATES^A
 IN1|001|A357|1234|BCMD|||||132987
 IN2|ID1551001|SSN12345678
 ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
 function fuGOTROOT {
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 }
 function fuCHECKDEPS {
 myINST=""
 for myDEPS in $myPACKAGES;
 do
  myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
  if [ "$myOK" != "ok" ]
    then
      myINST=$(echo $myINST $myDEPS)
  fi
 done
 if [ "$myINST" != "" ]
  then
    apt-get update -y
    for myDEPS in $myINST;
    do
      apt-get install $myDEPS -y
    done
 fi
 }
 function fuCHECKFORARGS {
 if [ "$myHOST" != "" ];
  then
    echo "All arguments met. Continuing."
  else
    echo "Usage: hp_test.sh <[host or ip]>"
    exit
 fi
 }
 function fuGETPORTS {
 myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
 myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
 echo "Found these ports enabled:"
 echo "$myPORTS"
 exit
 }
 function fuSCAN {
 local myTIMEOUT="$1"
 local mySCANPORT="$2"
 local mySCANIP="$3"
 local mySCANOPTS="$4"
 timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
 }
 # Main
 fuGOTROOT
 fuCHECKDEPS
 fuCHECKFORARGS
 echo "Starting scans ..."
 echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
 curl -XGET "http://$myHOST:9200/logstash-*/_search" &
 curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
 echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
 findscu -P -k PatientName="*" $myHOST 11112 &
 getscu -P -k PatientName="*" $myHOST 11112 &
 telnet $myHOST 3299 &
 fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
 fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
 fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
 fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
 fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
 fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
 fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
 fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
 fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
 fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
 fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
 fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
 fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
 fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
 fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
 fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
 fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
 fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
 fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
 fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
 fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
 fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
 fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
 fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
 fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
 fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
 wait
 reset
 echo "Done."
--- a/bin/deprecated/import_kibana-objects.sh
+++ b/bin/deprecated/import_kibana-objects.sh
@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
@ -20,7 +20,7 @@ myCOL0="[0;0m"
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
-  rm -rf patterns/ dashboards/ visualizations/ searches/
+  rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
 }
 trap fuCLEANUP EXIT
@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
 # Restore index patterns
 myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
-myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
@ -98,6 +98,22 @@ for i in $mySEARCHES;
 echo
 wait
 # Restore configs
 myCONFIGS=$(ls configs/*.json | cut -c 9- | rev | cut -c 6- | rev)
 echo $myCOL1"### Now importing "$myCOL0$(echo $myCONFIGS | wc -w)$myCOL1 "configs." $myCOL0
 for i in $myCONFIGS;
  do
    curl -s -XDELETE ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
  done;
 wait
 for i in $myCONFIGS;
  do
    echo $myCOL1"###### "$i $myCOL0
    curl -s -XPOST ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @configs/$i.json > /dev/null &
  done;
 echo
 wait
 # Stats
 echo
 echo $myCOL1"### Statistics"
@ -105,5 +121,6 @@ echo $myCOL1"###### Imported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
 echo $myCOL1"###### Imported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
 echo $myCOL1"###### Imported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
 echo $myCOL1"###### Imported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
 echo $myCOL1"###### Imported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
 echo
--- a/bin/dps.sh
+++ b/bin/dps.sh
@ -1,6 +1,21 @@
-#/bin/bash
+#!/bin/bash
-# Show current status of T-Pot containers
+
 # Run as root only.
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 myPARAM="$1"
 if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
  then
    watch --color -n $myPARAM "dps.sh"
    exit
 fi
 # Show current status of T-Pot containers
 myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
 myRED="[1;31m"
 myGREEN="[1;32m"
@ -8,20 +23,39 @@ myBLUE="[1;34m"
 myWHITE="[0;0m"
 myMAGENTA="[1;35m"
 # Blackhole Status
 myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
 if [ "$myBLACKHOLE_STATUS" -gt "500" ];
  then
    myBLACKHOLE_STATUS="${myGREEN}ENABLED"
  else
    myBLACKHOLE_STATUS="${myRED}DISABLED"
 fi
 function fuGETTPOT_STATUS {
 # T-Pot Status
 myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
 if [ "$myTPOT_STATUS" == "active" ];
  then
    echo "${myGREEN}ACTIVE"
  else
    echo "${myRED}INACTIVE"
 fi
 }
 function fuGETSTATUS {
 grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
 }
 function fuGETSYS {
-printf "========| System |========\n"
+printf "[ ========| System |======== ]\n"
-printf "%+10s %-20s\n" "Date: " "$(date)"
+printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
-printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)"
+printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
-printf "%+10s %-20s\n" "CPU temp: " "$(sensors | grep 'Physical' | awk '{ print $4" " }' | tr -d [:cntrl:])"
+printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
 printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
 echo
 }
 while true
  do
    myDPS=$(fuGETSTATUS)
    myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
    fuGETSYS
@ -37,10 +71,3 @@ while true
 	  printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
      fi
    done
    if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
      then 
        sleep "$myPARAM"
      else 
        break
    fi
 done
--- a/bin/dump_es.sh
+++ b/bin/dump_es.sh
@ -2,10 +2,10 @@
 # Dump all ES data
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
-myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
+myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
 if ! [ "$myESSTATUS" = "1" ]
  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
@ -20,12 +20,12 @@ trap fuCLEANUP EXIT
 # Set vars
 myDATE=$(date +%Y%m%d%H%M)
-myINDICES=$(curl -s -XGET ''$myES'_cat/indices/' | awk '{ print $3 }' | sort | grep -v 1970)
+myINDICES=$(curl -s -XGET ''$myES'_cat/indices/logstash-*' | awk '{ print $3 }' | sort | grep -v 1970)
-myES="http://127.0.0.1:64298/"
+myINDICES+=" .kibana"
 myCOL1="[0;34m"
 myCOL0="[0;0m"
-# Dumping all ES data
+# Dumping Kibana and Logstash data
 echo $myCOL1"### The following indices will be dumped: "$myCOL0
 echo $myINDICES
 echo
--- a/bin/hpfeeds_optin.sh
+++ b/bin/hpfeeds_optin.sh
@ -0,0 +1,134 @@
 #!/bin/bash
 # Run as root only.
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 myTPOTYMLFILE="/opt/tpot/etc/tpot.yml"
 function fuGENERIC () {
 echo
 echo "You chose generic, please provide all the details of the broker"
 echo
 myENABLE="true"
 read -p "Host URL: " myHOST
 read -p "Port: " myPORT
 read -p "Channel: " myCHANNEL
 echo "For generic providers set this to 'false'"
 echo "If you received a CA certficate mount it into the ewsposter container by modifying $myTPOTYMLFILE"
 read -p "TLS - 'false' or path to CA in container: " myCERT
 read -p "Ident: " myIDENT
 read -p "Secret: " mySECRET
 read -p "Format ews (xml) or json: " myFORMAT
 }
 function fuOPTOUT () {
 echo
 while [ 1 != 2 ]
  do
    read -s -n 1 -p "You chose to opt out (y/n)? " mySELECT
      echo $mySELECT
      case "$mySELECT" in
        [y,Y])
          echo "Opt out."
          break
          ;;
        [n,N])
          echo "Aborted."
          exit
          ;;
      esac
 done
 myENABLE="false"
 myHOST="host"
 myPORT="port"
 myCHANNEL="channels"
 myCERT="false"
 myIDENT="user"
 mySECRET="secret"
 myFORMAT="json"
 }
 function fuWRITETOFILE () {
 if [ -f '/data/ews/conf/hpfeeds.cfg' ]; then
  echo "Creating backup of current config in /data/ews/conf/hpfeeds.cfg.old"
  mv /data/ews/conf/hpfeeds.cfg /data/ews/conf/hpfeeds.cfg.old
 fi
 echo "Storing new config in /data/ews/conf/hpfeeds.cfg"
 cat >> /data/ews/conf/hpfeeds.cfg <<EOF
 myENABLE=$myENABLE
 myHOST=$myHOST
 myPORT=$myPORT
 myCHANNEL=$myCHANNEL
 myCERT=$myCERT
 myIDENT=$myIDENT
 mySECRET=$mySECRET
 myFORMAT=$myFORMAT
 EOF
 }
 function fuAPPLY () {
 echo "Now stopping T-Pot ..."
 systemctl stop tpot
 echo "Applying your settings to tpot.yml ... "
 sed --follow-symlinks -i "s/EWS_HPFEEDS_ENABLE.*/EWS_HPFEEDS_ENABLE=${myENABLE}/g" "$myTPOTYMLFILE"
 sed --follow-symlinks -i "s/EWS_HPFEEDS_HOST.*/EWS_HPFEEDS_HOST=${myHOST}/g" "$myTPOTYMLFILE"
 sed --follow-symlinks -i "s/EWS_HPFEEDS_PORT.*/EWS_HPFEEDS_PORT=${myPORT}/g" "$myTPOTYMLFILE"
 sed --follow-symlinks -i "s/EWS_HPFEEDS_CHANNELS.*/EWS_HPFEEDS_CHANNELS=${myCHANNEL}/g" "$myTPOTYMLFILE"
 sed --follow-symlinks -i "s#EWS_HPFEEDS_TLSCERT.*#EWS_HPFEEDS_TLSCERT=${myCERT}#g" "$myTPOTYMLFILE"
 sed --follow-symlinks -i "s/EWS_HPFEEDS_IDENT.*/EWS_HPFEEDS_IDENT=${myIDENT}/g" "$myTPOTYMLFILE"
 sed --follow-symlinks -i "s/EWS_HPFEEDS_SECRET.*/EWS_HPFEEDS_SECRET=${mySECRET}/g" "$myTPOTYMLFILE"
 sed --follow-symlinks -i "s/EWS_HPFEEDS_FORMAT.*/EWS_HPFEEDS_FORMAT=${myFORMAT}/g" "$myTPOTYMLFILE"
 echo "Now starting T-Pot ..."
 systemctl start tpot
 echo "You can always change or review your settings in /data/ews/conf/hpfeeds.cfg and apply changes by"
 echo "running \"./hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg\""
 echo "Done."
 }
 # Check for cmdline argument and parse config file
 filename=$(echo $@ | cut -d= -f2)
 if [ $# == 1 ] && echo $@ | grep '\-\-conf=' > /dev/null && [ ! -z $filename ] && [ -f $filename ]
  then
    source $filename
 else
 # Proceed with interactive setup when no config file is found
 echo "HPFEEDS Delivery Opt-In for T-Pot"
 echo "---------------------------------"
 echo "By running this script you agree to share your data with a 3rd party and agree to their corresponding sharing terms."
 echo
 echo
 echo "Please choose your broker"
 echo "---------------------------"
 echo "[1] - Generic (enter details manually)"
 echo "[0] - Opt out of HPFEEDS"
 echo "[q] - Do not agree end exit"
 echo
 while [ 1 != 2 ]
  do
    read -s -n 1 -p "Your choice: " mySELECT
      echo $mySELECT
      case "$mySELECT" in
        [1])
 	  fuGENERIC
          break
          ;;
        [0])
 	  fuOPTOUT
          break
          ;;
        [q,Q])
 	  echo "Aborted."
          exit
          ;;
      esac
 done
 fi
 fuWRITETOFILE
 fuAPPLY
--- a/bin/hptest.sh
+++ b/bin/hptest.sh
@ -0,0 +1,68 @@
 #!/bin/bash
 myHOST="$1"
 myPACKAGES="nmap"
 myDOCKERCOMPOSEYML="/opt/tpot/etc/tpot.yml"
 function fuGOTROOT {
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 }
 function fuCHECKDEPS {
 myINST=""
 for myDEPS in $myPACKAGES;
 do
  myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
  if [ "$myOK" != "ok" ]
    then
      myINST=$(echo $myINST $myDEPS)
  fi
 done
 if [ "$myINST" != "" ]
  then
    apt-get update -y
    for myDEPS in $myINST;
    do
      apt-get install $myDEPS -y
    done
 fi
 }
 function fuCHECKFORARGS {
 if [ "$myHOST" != "" ];
  then
    echo "All arguments met. Continuing."
    echo
  else
    echo "Usage: hptest.sh <[host or ip]>"
    echo
    exit
 fi
 }
 function fuGETPORTS {
 myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu)
 myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
 myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done)
 myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done)
 }
 # Main
 fuGETPORTS
 fuGOTROOT
 fuCHECKDEPS
 fuCHECKFORARGS
 echo
 echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..."
 nmap -sV -sC -v -p $myPORTS $1 &
 nmap -sU -sV -sC -v -p $myUDPPORTS $1 &
 echo
 wait
 echo "Done."
 echo
--- a/bin/mytopips.sh
+++ b/bin/mytopips.sh
@ -0,0 +1,27 @@
 #!/bin/bash
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
  then
    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
    exit 1
  else
    echo "### Elasticsearch is available, now continuing."
    echo
 fi
 function fuMYTOPIPS {
 curl -s -XGET $myES"_search" -H 'Content-Type: application/json' -d'
 {
  "aggs": {
    "ips": {
      "terms": { "field": "src_ip.keyword", "size": 100 }
    }
  },
  "size" : 0
 }'
 }
 echo "### Aggregating top 100 source IPs in ES"
 fuMYTOPIPS | jq '.aggregations.ips.buckets[].key' | tr -d '"'
--- a/bin/restore_es.sh
+++ b/bin/restore_es.sh
@ -2,10 +2,10 @@
 # Restore folder based ES backup
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
-myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
+myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
 if ! [ "$myESSTATUS" = "1" ]
  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
@ -41,17 +41,50 @@ echo $myCOL1"### Now unpacking tar archive: "$myDUMP $myCOL0
 tar xvf $myDUMP
 # Build indices list
-myINDICES=$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev)
+myINDICES="$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev)"
 myINDICES+=" .kibana"
 echo $myCOL1"### The following indices will be restored: "$myCOL0
 echo $myINDICES
 echo
 # Force single seat template for everything
 echo -n $myCOL1"### Forcing single seat template: "$myCOL0
 curl -s XPUT ''$myES'_template/.*' -H 'Content-Type: application/json' -d'
 { "index_patterns": ".*",
  "order": 1,
  "settings": 
    { 
      "number_of_shards": 1,
      "number_of_replicas": 0 
    }
 }'
 echo
 # Set logstash template
 echo -n $myCOL1"### Setting up logstash template: "$myCOL0
 curl -s XPUT ''$myES'_template/logstash' -H 'Content-Type: application/json' -d'
 {
  "index_patterns": "logstash-*",
    "settings" : {
      "index" : { 
        "number_of_shards": 1,
        "number_of_replicas": 0,
          "mapping" : { 
            "total_fields" : {
              "limit" : "2000"
            } 
          }  
      }
    }
 }'
 echo
 # Restore indices
 curl -s -X DELETE ''$myES'.kibana*' > /dev/null
 for i in $myINDICES;
  do
    # Delete index if it already exists
-    curl -s -XDELETE $myES$i > /dev/null
+    curl -s -X DELETE $myES$i > /dev/null
    echo $myCOL1"### Now uncompressing: tmp/$i.gz" $myCOL0
    gunzip -f tmp/$i.gz
    # Restore index to ES
--- a/bin/rules.sh
+++ b/bin/rules.sh
@ -23,10 +23,10 @@ function fuNFQCHECK {
 myNFQCHECK=$(grep -e '^\s*honeytrap:\|^\s*glutton:' $myDOCKERCOMPOSEYML | tr -d ': ' | uniq)
 if [ "$myNFQCHECK" == "" ];
  then
-    echo "No NFQ related honeypot detected, no iptables rules needed. Exiting."
+    echo "No NFQ related honeypot detected, no iptables-legacy rules needed. Exiting."
    exit
  else
-    echo "Detected $myNFQCHECK as NFQ based honeypot, iptables rules needed. Continuing."
+    echo "Detected $myNFQCHECK as NFQ based honeypot, iptables-legacy rules needed. Continuing."
 fi
 }
@ -41,54 +41,54 @@ echo "$myRULESPORTS"
 }
 function fuSETRULES {
-### Setting up iptables rules for honeytrap
+### Setting up iptables-legacy rules for honeytrap
 if [ "$myNFQCHECK" == "honeytrap" ];
  then
-    /sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -A INPUT -s 127.0.0.1 -j ACCEPT
-    /sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -A INPUT -d 127.0.0.1 -j ACCEPT
    for myPORT in $myRULESPORTS; do
-      /sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
+      /usr/sbin/iptables-legacy -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
    done
-    /sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+    /usr/sbin/iptables-legacy -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 fi
-### Setting up iptables rules for glutton
+### Setting up iptables-legacy rules for glutton
 if [ "$myNFQCHECK" == "glutton" ];
  then
-    /sbin/iptables -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT
-    /sbin/iptables -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT
    for myPORT in $myRULESPORTS; do
-      /sbin/iptables -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
+      /usr/sbin/iptables-legacy -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
    done
    # No need for NFQ forwarding, such rules are set up by glutton
 fi
 }
 function fuUNSETRULES {
-### Removing  iptables rules for honeytrap
+### Removing  iptables-legacy rules for honeytrap
 if [ "$myNFQCHECK" == "honeytrap" ];
  then
-    /sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -D INPUT -s 127.0.0.1 -j ACCEPT
-    /sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -D INPUT -d 127.0.0.1 -j ACCEPT
    for myPORT in $myRULESPORTS; do
-      /sbin/iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
+      /usr/sbin/iptables-legacy -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
    done
-    /sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+    /usr/sbin/iptables-legacy -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 fi
-### Removing iptables rules for glutton
+### Removing iptables-legacy rules for glutton
 if [ "$myNFQCHECK" == "glutton" ];
  then
-    /sbin/iptables -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT
-    /sbin/iptables -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT
+    /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT
    for myPORT in $myRULESPORTS; do
-      /sbin/iptables -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
+      /usr/sbin/iptables-legacy -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
    done
    # No need for removing NFQ forwarding, such rules are removed by glutton
 fi
--- a/bin/setup_builder.sh
+++ b/bin/setup_builder.sh
@ -0,0 +1,45 @@
 #!/bin/bash
 # Got root?
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 # Only run with command switch
 if [ "$1" != "-y" ]; then
  echo "### Setting up docker for Multi Arch Builds."
  echo "### Use on x64 only!"
  echo "### Run with -y to install!"
  echo
  exit
 fi
 # Main
 mkdir -p /root/.docker/cli-plugins/
 cd /root/.docker/cli-plugins/
 wget https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-amd64 -O docker-buildx
 chmod +x docker-buildx
 docker buildx ls
 # We need to create a new builder as the default one cannot handle multi-arch builds
 # https://docs.docker.com/desktop/multi-arch/
 docker buildx create --name mybuilder
 # Set as default
 docker buildx use mybuilder
 # We need to install emulators, arm64 should be fine for now
 # https://github.com/tonistiigi/binfmt/
 docker run --privileged --rm tonistiigi/binfmt --install arm64
 # Check if everything is setup correctly
 docker buildx inspect --bootstrap
 echo
 echo "### Done."
 echo
 echo "Example: docker buildx build --platform linux/amd64,linux/arm64 -t username/demo:latest --push ."
 echo "Docs: https://docs.docker.com/desktop/multi-arch/"
--- a/bin/tpdclean.sh
+++ b/bin/tpdclean.sh
@ -0,0 +1,29 @@
 #!/bin/bash
 # T-Pot Compose and Container Cleaner
 # Set colors
 myRED="[0;31m"
 myGREEN="[0;32m"
 myWHITE="[0;0m"
 # Only run with command switch
 if [ "$1" != "-y" ]; then
  echo $myRED"### WARNING"$myWHITE
  echo ""
  echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
  echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
  echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
  echo ""
  echo $myRED"### WARNING "$myWHITE
  echo
  exit
 fi
 # Remove old containers, images and volumes
 docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
 docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
 docker network rm $(docker network ls -q) >> /dev/null 2>&1
 docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
 docker rm -v $(docker ps -aq) >> /dev/null 2>&1
 docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
 docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
 exit 0
--- a/bin/tped.sh
+++ b/bin/tped.sh
@ -1,5 +1,13 @@
 #!/bin/bash
 # Run as root only.
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 # set backtitle, get filename
 myBACKTITLE="T-Pot Edition Selection Tool"
 myYMLS=$(cd /opt/tpot/etc/compose/ && ls -1 *.yml)
@ -21,7 +29,7 @@ for i in $myYMLS;
  do
    myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " 
 done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 13 50 6 $myITEMS 3>&1 1>&2 2>&3 3>&-)
+myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
 if [ "$myEDITION" == "" ];
  then
    echo "Have a nice day!"
--- a/bin/unlock_es.sh
+++ b/bin/unlock_es.sh
@ -0,0 +1,19 @@
 #/bin/bash
 # Unlock all ES indices for read / write mode
 # Useful in cases where ES locked all indices after disk quota has been reached
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
 if ! [ "$myESSTATUS" = "1" ]
  then
    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
    echo
 fi
 echo "### Trying to unlock all ES indices for read / write operation: "
 curl -XPUT -H "Content-Type: application/json" ''$myES'_all/_settings' -d '{"index.blocks.read_only_allow_delete": null}'
 echo
--- a/bin/updateip.sh
+++ b/bin/updateip.sh
@ -2,22 +2,62 @@
 # Let's add the first local ip to the /etc/issue and external ip to ews.ip file
 # If the external IP cannot be detected, the internal IP will be inherited.
 source /etc/environment
 myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
 myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
 myLOCALIP=$(hostname -I | awk '{ print $1 }')
 myEXTIP=$(/opt/tpot/bin/myip.sh)
 if [ "$myEXTIP" = "" ];
  then
    myEXTIP=$myLOCALIP
    myEXTIP_LAT="49.865835022498125"
    myEXTIP_LONG="8.62606472775735"
  else
    myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
    myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
    myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
 fi
 # Load Blackhole routes if enabled 
 myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
 myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
 if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
  then
    /opt/tpot/bin/blackhole.sh add
 fi
 myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
 if [ "$myBLACKHOLE_STATUS" -gt "500" ];
  then
    myBLACKHOLE_STATUS="| [1;34mBLACKHOLE: [ [0;37mENABLED[1;34m ][0m"
  else
    myBLACKHOLE_STATUS="| [1;34mBLACKHOLE: [ [1;30mDISABLED[1;34m ][0m"
 fi
 mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
 # Export
 export myUUID
 export myLOCALIP
 export myEXTIP
 export myEXTIP_LAT
 export myEXTIP_LONG
 export myBLACKHOLE_STATUS
 export mySSHUSER
 # Build issue
 echo "[H[2J" > /etc/issue
-toilet -f ivrit -F metal --filter border:metal "T-Pot   19.03" | sed 's/\\/\\\\/g' >> /etc/issue
+toilet -f ivrit -F metal --filter border:metal "T-Pot   22.04" | sed 's/\\/\\\\/g' >> /etc/issue
 echo >> /etc/issue
 echo ",---- [ [1;34m\n[0m ] [ [0;34m\d[0m ] [ [1;30m\t[0m ]" >> /etc/issue
 echo "|" >> /etc/issue
 echo "| [1;34mIP: $myLOCALIP ($myEXTIP)[0m" >> /etc/issue
 echo "| [0;34mSSH: ssh -l tsec -p 64295 $myLOCALIP[0m" >> /etc/issue 
-echo "| [1;30mWEB: https://$myLOCALIP:64297[0m" >> /etc/issue
+if [ "$myCHECKIFSENSOR" == "0" ];
  then
    echo "| [1;30mWEB: https://$myLOCALIP:64297[0m" >> /etc/issue
 fi
 echo "| [0;37mADMIN: https://$myLOCALIP:64294[0m" >> /etc/issue
 echo "$myBLACKHOLE_STATUS" >> /etc/issue
 echo "|" >> /etc/issue
 echo "\`----" >> /etc/issue
 echo >> /etc/issue
@ -26,9 +66,24 @@ tee /data/ews/conf/ews.ip << EOF
 ip = $myEXTIP
 EOF
 tee /opt/tpot/etc/compose/elk_environment << EOF
 HONEY_UUID=$myUUID
 MY_EXTIP=$myEXTIP
 MY_EXTIP_LAT=$myEXTIP_LAT
 MY_EXTIP_LONG=$myEXTIP_LONG
 MY_INTIP=$myLOCALIP
 MY_HOSTNAME=$HOSTNAME
 EOF
 if [ -s "/data/elk/logstash/ls_environment" ];
  then
    source /data/elk/logstash/ls_environment
    tee -a /opt/tpot/etc/compose/elk_environment << EOF
 MY_TPOT_TYPE=$MY_TPOT_TYPE
 MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
 MY_HIVE_USERNAME=$MY_HIVE_USERNAME
 MY_HIVE_IP=$MY_HIVE_IP
 EOF
 fi
 chown tpot:tpot /data/ews/conf/ews.ip
-chmod 760 /data/ews/conf/ews.ip
+chmod 770 /data/ews/conf/ews.ip
--- a/cloud/.gitignore
+++ b/cloud/.gitignore
@ -0,0 +1,10 @@
 # Ansible
 *.retry
 # Terraform
 **/.terraform
 **/terraform.*
 # OpenStack clouds
 **/clouds.yaml
 **/secure.yaml
--- a/cloud/ansible/README.md
+++ b/cloud/ansible/README.md
@ -0,0 +1,257 @@
 # T-Pot Ansible
 Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).  
 It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.  
 Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
 The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
 This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
 # Table of contents
 - [Preparation of Ansible Master](#ansible-master)
  - [Ansible Installation](#ansible)
  - [OpenStack Collection Installation](#collection)
  - [Agent Forwarding](#agent-forwarding)
 - [Preparations in Open Telekom Cloud Console](#preparation)
  - [Create new project](#project)
  - [Create API user](#api-user)
  - [Import Key Pair](#key-pair)
 - [Clone Git Repository](#clone-git)
 - [Settings and recommended values](#settings)
  - [clouds.yaml](#clouds-yaml)
  - [Ansible remote user](#remote-user)
  - [Number of instances to deploy](#number)
  - [Instance settings](#instance-settings)
  - [User password](#user-password)
  - [Configure `tpot.conf.dist`](#tpot-conf)
  - [Optional: Custom `ews.cfg`](#ews-cfg)
  - [Optional: Custom HPFEEDS](#hpfeeds)
 - [Deploying a T-Pot](#deploy)
 - [Further documentation](#documentation)
 <a name="ansible-master"></a>
 # Preparation of Ansible Master
 You can either run the Ansible Playbook locally on your Linux or macOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did.  
 I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too.  
 Ansible works over the SSH Port, so you don't have to add any special rules to your Security Group.
 <a name="ansible"></a>
 ## Ansible Installation
 :warning: Ansible 2.10 or newer is required!
 Example for Ubuntu 18.04:  
 At first we update the system:  
 `sudo apt update`  
 `sudo apt dist-upgrade`
 Then we need to add the repository and install Ansible:  
 `sudo apt-add-repository --yes --update ppa:ansible/ansible`  
 `sudo apt install ansible`
 For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
 If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).  
 In short (if you already have Python3/pip3 installed):
 ```
 pip3 install ansible
 ```
 <a name="collection"></a>
 ## OpenStack Collection Installation
 For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:  
 `ansible-galaxy collection install openstack.cloud`
 <a name="agent-forwarding"></a>
 ## Agent Forwarding
 If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.  
 - On Linux or macOS:  
  - Create or edit `~/.ssh/config`
    ```
    Host ANSIBLE_MASTER_IP
    ForwardAgent yes
    ```
 - On Windows using Putty:  
 ![Putty Agent Forwarding](doc/putty_agent_forwarding.png)
 <a name="preparation"></a>
 # Preparations in Open Telekom Cloud Console
 (You can skip this if you have already set up a project and an API account with key pair)  
 (Just make sure you know the naming for everything, as you need to configure the Ansible variables.)
 Before we can start deploying, we have to prepare the Open Telekom Cloud tenant.  
 For that, go to the [Web Console](https://auth.otc.t-systems.com/authui/login) and log in with an admin user.
 <a name="project"></a>
 ## Create new project
 I strongly advise you to create a separate project for the T-Pots in your tenant.  
 In my case I named it `tpot`.
 ![Create new project](doc/otc_1_project.gif)
 <a name="api-user"></a>
 ## Create API user
 The next step is to create a new user account, which is restricted to the project.  
 This ensures that the API access is limited to that project.
 ![Create API user](doc/otc_2_user.gif)
 <a name="key-pair"></a>
 ## Import Key Pair
 :warning: Now log in with the newly created API user account and select your project.
 ![Login as API user](doc/otc_3_login.gif)
 Import your SSH public key.
 ![Import SSH Public Key](doc/otc_4_import_key.gif)
 <a name="clone-git"></a>
 # Clone Git Repository
 Clone the `tpotce` repository to your Ansible Master:  
 `git clone https://github.com/telekom-security/tpotce.git`  
 All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
 <a name="settings"></a>
 # Settings and recommended values
 You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
 <a name="clouds-yaml"></a>
 ## clouds.yaml
 Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).  
 Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):  
 ```
 clouds:
  open-telekom-cloud:
    profile: otc
    auth:
      project_name: eu-de_your_project
      username: your_api_user
      password: your_password
      user_domain_name: OTC-EU-DE-000000000010000XXXXX
 ```
 You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.  
 For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation.
 If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file:
 ```
 # Enter the name of your cloud to use from clouds.yaml
 cloud: open-telekom-cloud
 ```
 <a name="remote-user"></a>
 ## Ansible remote user
 You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`).
 <a name="number"></a>
 ## Number of instances to deploy
 You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml):
 ```
 loop: "{{ range(0, 1) }}"
 ```
 One instance is set as the default, increase to your liking.
 <a name="instance-settings"></a>
 ## Instance settings
 Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml).  
 Here you can customize your virtual machine specifications:
  - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
  - Change the OS image (For T-Pot we need Debian)
  - (Optional) Change the volume size
  - Specify your key pair (:warning: Mandatory)
  - (Optional) Change the instance type (flavor)  
    `s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
    A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
 ```
 availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
 key_name: your-KeyPair
 flavor: s3.medium.8
 ```
 <a name="user-password"></a>
 ## User password
 Located at [`openstack/roles/install/vars/main.yaml`](openstack/roles/install/vars/main.yaml).  
 Here you can set the password for your Debian user (**you should definitely change that**).
 ```
 user_password: LiNuXuSeRPaSs#
 ```
 <a name="tpot-conf"></a>
 ## Configure `tpot.conf.dist`
 The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist).  
 Here you can choose:
  - between the various T-Pot editions
  - a username for the web interface
  - a password for the web interface (**you should definitely change that**)
 <a name="ews-cfg"></a>
 ## Optional: Custom `ews.cfg`
 Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
 ```
 #    - custom_ews
 ```
 You can use a custom config file for `ewsposter`.  
 e.g. when you have your own credentials for delivering data to our [Sicherheitstacho](https://sicherheitstacho.eu/start/main).  
 You can find the `ews.cfg` template file here: [`openstack/roles/custom_ews/templates/ews.cfg`](openstack/roles/custom_ews/templates/ews.cfg) and adapt it for your needs.
 For setting custom credentials, these settings would be relevant for you (the rest of the file can stay as is):  
 ```
 [MAIN]
 ...
 contact = your_email_address
 ...
 [EWS]
 ...
 username = your_username
 token = your_token
 ...
 ```
 <a name="hpfeeds"></a>
 ## Optional: Custom HPFEEDS
 Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
 ```
 #    - custom_hpfeeds
 ```
 You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg).  
 That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:
 ```
 myENABLE=true
 myHOST=hpfeeds.sissden.eu
 myPORT=10000
 myCHANNEL=t-pot.events
 myCERT=/opt/ewsposter/sissden.pem
 myIDENT=your_user
 mySECRET=your_secret
 myFORMAT=json
 ```
 <a name="deploy"></a>
 # Deploying a T-Pot :honey_pot::honeybee:
 Now, after configuring everything, we can finally start deploying T-Pots!  
 Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:  
 `ansible-playbook deploy_tpot.yaml`  
 (Yes, it is as easy as that :smile:)
 If you are running on a machine which asks for a sudo password, you can use:  
 `ansible-playbook --ask-become-pass deploy_tpot.yaml`
 The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.  
 After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.
 Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
 <a name="documentation"></a>
 # Further documentation
 - [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
 - [openstack.cloud.server – Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html)
 - [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)
--- a/cloud/ansible/doc/otc_1_project.gif
+++ b/cloud/ansible/doc/otc_1_project.gif
--- a/cloud/ansible/doc/otc_2_user.gif
+++ b/cloud/ansible/doc/otc_2_user.gif
--- a/cloud/ansible/doc/otc_3_login.gif
+++ b/cloud/ansible/doc/otc_3_login.gif
--- a/cloud/ansible/doc/otc_4_import_key.gif
+++ b/cloud/ansible/doc/otc_4_import_key.gif
--- a/cloud/ansible/doc/putty_agent_forwarding.png
+++ b/cloud/ansible/doc/putty_agent_forwarding.png
--- a/cloud/ansible/openstack/ansible.cfg
+++ b/cloud/ansible/openstack/ansible.cfg
@ -0,0 +1,6 @@
 [defaults]
 host_key_checking = false
 [ssh_connection]
 scp_if_ssh = true
 ssh_args = -o ServerAliveInterval=60
--- a/cloud/ansible/openstack/clouds.yaml
+++ b/cloud/ansible/openstack/clouds.yaml
@ -0,0 +1,9 @@
 clouds:
  open-telekom-cloud:
    profile: otc
    region_name: eu-de
    auth:
      project_name: eu-de_your_project
      username: your_api_user
      password: your_password
      user_domain_name: OTC-EU-DE-000000000010000XXXXX
--- a/cloud/ansible/openstack/deploy_tpot.yaml
+++ b/cloud/ansible/openstack/deploy_tpot.yaml
@ -0,0 +1,30 @@
 - name: Check host prerequisites
  hosts: localhost
  become: yes
  roles:
    - check
 - name: Deploy instances
  hosts: localhost
  vars_files: my_os_cloud.yaml
  tasks:
    - name: Create security group and network
      ansible.builtin.include_role:
        name: create_net
    - name: Create one or more instances
      ansible.builtin.include_role:
        name: create_vm
      loop: "{{ range(0, 1) }}"
      loop_control:
        extended: yes
 - name: Install T-Pot
  hosts: tpot
  remote_user: linux
  become: yes
  gather_facts: no
  roles:
    - install
 #    - custom_ews
 #    - custom_hpfeeds
    - reboot
--- a/cloud/ansible/openstack/my_os_cloud.yaml
+++ b/cloud/ansible/openstack/my_os_cloud.yaml
@ -0,0 +1,2 @@
 # Enter the name of your cloud to use from clouds.yaml
 cloud: open-telekom-cloud
--- a/cloud/ansible/openstack/requirements.yaml
+++ b/cloud/ansible/openstack/requirements.yaml
@ -0,0 +1,2 @@
 collections:
 - name: openstack.cloud
--- a/cloud/ansible/openstack/roles/check/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/check/tasks/main.yaml
@ -0,0 +1,19 @@
 - name: Install dependencies
  ansible.builtin.package:
    name:
      - gcc
      - python3-dev
      - python3-setuptools
      - python3-pip
    state: present
 - name: Install openstacksdk
  ansible.builtin.pip:
    name: openstacksdk
    executable: pip3
 - name: Check if agent forwarding is enabled
  ansible.builtin.fail:
    msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
  ignore_errors: yes
  failed_when: lookup('env','SSH_AUTH_SOCK') == ""
--- a/cloud/ansible/openstack/roles/create_net/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/create_net/tasks/main.yaml
@ -0,0 +1,33 @@
 - name: Create security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: sg-tpot-ansible
    description: Security Group for T-Pot
 - name: Add rules to security group
  openstack.cloud.security_group_rule:
    cloud: "{{ cloud }}"
    security_group: sg-tpot-ansible
    remote_ip_prefix: 0.0.0.0/0
 - name: Create network
  openstack.cloud.network:
    cloud: "{{ cloud }}"
    name: network-tpot-ansible
 - name: Create subnet
  openstack.cloud.subnet:
    cloud: "{{ cloud }}"
    network_name: network-tpot-ansible
    name: subnet-tpot-ansible
    cidr: 192.168.0.0/24
    dns_nameservers:
      - 100.125.4.25
      - 100.125.129.199
 - name: Create router
  openstack.cloud.router:
    cloud: "{{ cloud }}"
    name: router-tpot-ansible
    interfaces:
      - subnet-tpot-ansible
--- a/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
@ -0,0 +1,24 @@
 - name: Generate T-Pot name
  ansible.builtin.set_fact:
    tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=6') }}"
 - name: Create instance {{ ansible_loop.index }} of {{ ansible_loop.length }}
  openstack.cloud.server:
    cloud: "{{ cloud }}"
    name: "{{ tpot_name }}"
    availability_zone: "{{ availability_zone }}"
    image: "{{ image }}"
    boot_from_volume: yes
    volume_size: "{{ volume_size }}"
    key_name: "{{ key_name }}"
    auto_ip: yes
    flavor: "{{ flavor }}"
    security_groups: sg-tpot-ansible
    network: network-tpot-ansible
  register: tpot
 - name: Add instance to inventory
  ansible.builtin.add_host:
    hostname: "{{ tpot_name }}"
    ansible_host: "{{ tpot.server.public_v4 }}"
    groups: tpot
--- a/cloud/ansible/openstack/roles/create_vm/vars/main.yaml
+++ b/cloud/ansible/openstack/roles/create_vm/vars/main.yaml
@ -0,0 +1,5 @@
 availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
 key_name: your-KeyPair
 flavor: s3.medium.8
--- a/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
@ -0,0 +1,13 @@
 - name: Copy ews configuration file
  ansible.builtin.template:
    src: ews.cfg
    dest: /data/ews/conf
    owner: root
    group: root
    mode: 0644
 - name: Patching tpot.yml with custom ews configuration file
  ansible.builtin.lineinfile:
    path: /opt/tpot/etc/tpot.yml
    insertafter: "/opt/ewsposter/ews.ip"
    line: "     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg"
--- a/cloud/ansible/openstack/roles/custom_ews/templates/ews.cfg
+++ b/cloud/ansible/openstack/roles/custom_ews/templates/ews.cfg
@ -3,7 +3,7 @@ homedir = /opt/ewsposter/
 spooldir = /opt/ewsposter/spool/
 logdir = /opt/ewsposter/log/
 del_malware_after_send = false
-send_malware = false
+send_malware = true
 sendlimit = 500
 contact = your_email_address
 proxy =
@ -11,19 +11,23 @@ ip =
 [EWS]
 ews = true
-username = community-01-user
+username = your_username
-token = foth{a5maiCee8fineu7
+token = your_token
 rhost_first = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
 rhost_second = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
 ignorecert = false
 [HPFEED]
-hpfeed = false
+hpfeed = %(EWS_HPFEEDS_ENABLE)s
-host = 0.0.0.0
+host = %(EWS_HPFEEDS_HOST)s
-port = 0
+port = %(EWS_HPFEEDS_PORT)s
-channels = 0
+channels = %(EWS_HPFEEDS_CHANNELS)s
-ident = 0
+ident = %(EWS_HPFEEDS_IDENT)s
-secret= 0
+secret= %(EWS_HPFEEDS_SECRET)s
 # path/to/certificate for tls broker - or "false" for non-tls broker
 tlscert = %(EWS_HPFEEDS_TLSCERT)s
 # hpfeeds submission format: "ews" (xml) or "json"
 hpfformat = %(EWS_HPFEEDS_FORMAT)s
 [EWSJSON]
 json = false
@ -31,7 +35,7 @@ jsondir = /data/ews/json/
 [GLASTOPFV3]
 glastopfv3 = true
-nodeid = glastopfv3-community-01
+nodeid = glastopfv3-{{ ansible_hostname }}
 sqlitedb = /data/glastopf/db/glastopf.db
 malwaredir = /data/glastopf/data/files/
@ -55,18 +59,18 @@ malwaredir =
 [COWRIE]
 cowrie = true
-nodeid = cowrie-community-01
+nodeid = cowrie-{{ ansible_hostname }}
 logfile = /data/cowrie/log/cowrie.json
 [DIONAEA]
 dionaea = true
-nodeid = dionaea-community-01
+nodeid = dionaea-{{ ansible_hostname }}
 malwaredir = /data/dionaea/binaries/
 sqlitedb = /data/dionaea/log/dionaea.sqlite
 [HONEYTRAP]
 honeytrap = true
-nodeid = honeytrap-community-01
+nodeid = honeytrap-{{ ansible_hostname }}
 newversion = true
 payloaddir = /data/honeytrap/attacks/
 attackerfile = /data/honeytrap/log/attacker.log
@ -79,50 +83,55 @@ targetip =
 [EMOBILITY]
 eMobility = false
-nodeid = emobility-community-01
+nodeid = emobility-{{ ansible_hostname }}
 logfile = /data/emobility/log/centralsystemEWS.log
 [CONPOT]
 conpot = true
-nodeid = conpot-community-01
+nodeid = conpot-{{ ansible_hostname }}
 logfile = /data/conpot/log/conpot*.json
 [ELASTICPOT]
 elasticpot = true
-nodeid = elasticpot-community-01
+nodeid = elasticpot-{{ ansible_hostname }}
 logfile = /data/elasticpot/log/elasticpot.log
 [SURICATA]
 suricata = true
-nodeid = suricata-community-01
+nodeid = suricata-{{ ansible_hostname }}
-logfile = /data/suricata/log/suricata_ews.log
+logfile = /data/suricata/log/eve.json
 [MAILONEY]
 mailoney = true
-nodeid = mailoney-community-01
+nodeid = mailoney-{{ ansible_hostname }}
 logfile = /data/mailoney/log/commands.log
 [RDPY]
 rdpy = true
-nodeid = rdpy-community-01
+nodeid = rdpy-{{ ansible_hostname }}
 logfile = /data/rdpy/log/rdpy.log
 [VNCLOWPOT]
 vnclowpot = true
-nodeid = vnclowpot-community-01
+nodeid = vnclowpot-{{ ansible_hostname }}
 logfile = /data/vnclowpot/log/vnclowpot.log
 [HERALDING]
 heralding = true
-nodeid = heralding-community-01
+nodeid = heralding-{{ ansible_hostname }}
 logfile = /data/heralding/log/auth.csv
 [CISCOASA]
 ciscoasa = true
-nodeid = ciscoasa-community-01
+nodeid = ciscoasa-{{ ansible_hostname }}
 logfile = /data/ciscoasa/log/ciscoasa.log
 [TANNER]
 tanner = true
-nodeid = tanner-community-01
+nodeid = tanner-{{ ansible_hostname }}
 logfile = /data/tanner/log/tanner_report.json
 [GLUTTON]
 glutton = true
 nodeid = glutton-{{ ansible_hostname }}
 logfile = /data/glutton/log/glutton.log
--- a/cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg
+++ b/cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg
@ -0,0 +1,8 @@
 myENABLE=false
 myHOST=host
 myPORT=port
 myCHANNEL=channels
 myCERT=false
 myIDENT=user
 mySECRET=secret
 myFORMAT=json
--- a/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
@ -0,0 +1,12 @@
 - name: Copy hpfeeds configuration file
  ansible.builtin.copy:
    src: hpfeeds.cfg
    dest: /data/ews/conf
    owner: tpot
    group: tpot
    mode: 0770
  register: config
 - name: Applying hpfeeds settings
  ansible.builtin.command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
  when: config.changed == true
--- a/cloud/ansible/openstack/roles/install/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml
@ -0,0 +1,48 @@
 - name: Waiting for SSH connection
  ansible.builtin.wait_for_connection:
 - name: Gathering facts
  ansible.builtin.setup:
 - name: Cloning T-Pot install directory
  ansible.builtin.git:
    repo: "https://github.com/telekom-security/tpotce.git"
    dest: /root/tpot
 - name: Prepare to set user password
  ansible.builtin.set_fact:
    user_name: "{{ ansible_user }}"
    user_salt: "s0mew1ck3dTpoT"
  no_log: true
 - name: Changing password for user {{ user_name }}
  ansible.builtin.user:
   name: "{{ ansible_user }}"
   password: "{{ user_password | password_hash('sha512', user_salt) }}"
   state: present
   shell: /bin/bash
 - name: Copy T-Pot configuration file
  ansible.builtin.copy:
    src: ../../../../../../iso/installer/tpot.conf.dist
    dest: /root/tpot.conf
    owner: root
    group: root
    mode: 0644
 - name: Install T-Pot on instance -  be patient, this might take 15 to 30 minutes depending on the connection speed.
  ansible.builtin.command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
 - name: Delete T-Pot configuration file
  ansible.builtin.file:
    path: /root/tpot.conf
    state: absent
 - name: Change unattended-upgrades to take default action
  ansible.builtin.blockinfile:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    block: |
      Dpkg::Options {
        "--force-confdef";
        "--force-confold";
      }
--- a/cloud/ansible/openstack/roles/install/vars/main.yaml
+++ b/cloud/ansible/openstack/roles/install/vars/main.yaml
@ -0,0 +1 @@
 user_password: LiNuXuSeRPaSs#
--- a/cloud/ansible/openstack/roles/reboot/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/reboot/tasks/main.yaml
@ -0,0 +1,16 @@
 - name: Finally rebooting T-Pot
  ansible.builtin.command: shutdown -r now
  async: 1
  poll: 0
 - name: Next login options
  ansible.builtin.debug:
    msg:
    - "*****    SSH Access:"
    - "*****    ssh {{ ansible_user }}@{{ ansible_host }} -p 64295"
    - ""
    - "*****    Web UI:"
    - "*****    https://{{ ansible_host }}:64297"
    - ""
    - "*****    Admin UI:"
    - "*****    https://{{ ansible_host }}:64294"
--- a/cloud/terraform/README.md
+++ b/cloud/terraform/README.md
@ -0,0 +1,129 @@
 # T-Pot Terraform
 This [Terraform](https://www.terraform.io/) configuration can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.  
 Configuration for Amazon Web Services (AWS) and Open Telekom Cloud (OTC) is currently included.
 This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
 [Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup.
 # Table of Contents
 - [What get's created](#what-created)
  - [Amazon Web Services (AWS)](#what-created-aws)
  - [Open Telekom Cloud (OTC)](#what-created-otc)
 - [Prerequisites](#pre)
  - [Amazon Web Services (AWS)](#pre-aws)
  - [Open Telekom Cloud (OTC)](#pre-otc)
 - [Terraform Variables](#variables)
  - [Common configuration items](#variables-common)
  - [Amazon Web Services (AWS)](#variables-aws)
  - [Open Telekom Cloud (OTC)](#variables-otc)
 - [Initialising](#initialising)
 - [Applying the Configuration](#applying)
 - [Connecting to the Instance](#connecting)
 <a name="what-created"></a>
 ## What get's created
 <a name="what-created-aws"></a>
 ### Amazon Web Services (AWS)
 * EC2 instance:
  * t3.large (2 vCPUs, 8 GB RAM)
  * 128 GB disk
  * Debian 10
  * Public IP
 * Security Group:
  * TCP/UDP ports <= 64000 open to the Internet
  * TCP ports 64294, 64295 and 64297 open to a chosen administrative IP
 <a name="what-created-otc"></a>
 ### Open Telekom Cloud (OTC)
 * ECS instance:
  * s3.medium.8 (1 vCPU, 8 GB RAM)
  * 128 GB disk
  * Debian 10
  * Public EIP
 * Security Group
  * All TCP/UDP ports are open to the Internet
 * Virtual Private Cloud (VPC) and Subnet
 <a name="pre"></a>
 ## Prerequisites
 * [Terraform](https://www.terraform.io/) 0.13
 <a name="pre-aws"></a>
 ### Amazon Web Services (AWS)
 * AWS Account
  * Existing VPC: VPC ID needs to be specified in `aws/variables.tf`
  * Existing subnet: Subnet ID needs to be specified in `aws/variables.tf`
  * Existing SSH key pair: Key name needs to be specified in `aws/variables.tf`
 * AWS Authentication credentials should be [set using environment variables](https://www.terraform.io/docs/providers/aws/index.html#environment-variables)
 <a name="pre-otc"></a>
 ### Open Telekom Cloud (OTC)
 * OTC Account
  * Existing SSH key pair: Key name needs to be specified in `otc/variables.tf`
 * OTC Authentication credentials (Username, Password, Project Name, User Domain Name) can be set in the `otc/clouds.yaml` file
 <a name="variables"></a>
 ## Terraform Variables
 <a name="variables-common"></a>
 ### Common configuration items
 These variables exist in `aws/variables.tf` and `otc/variables.tf` respectively.  
 Settings for cloud-init:  
 * `timezone` - Set the Server's timezone
 * `linux_password`- Set a password for the Linux Operating System user (which is also used on the Admin UI)
 Settings for T-Pot:  
 * `tpot_flavor` - Set the flavor of the T-Pot (Available flavors are listed in the variable's description)
 * `web_user` - Set a username for the T-Pot Kibana Dasboard
 * `web_password` - Set a password for the T-Pot Kibana Dashboard
 <a name="variables-aws"></a>
 ### Amazon Web Services (AWS)
 In `aws/variables.tf`, you can change the additional variables:
 * `admin_ip` - source IP address(es) that you will use to administer the system. Connections to TCP ports 64294, 64295 and 64297 will be allowed from this IP only. Multiple IPs or CIDR blocks can be specified in the format: `["127.0.0.1/32", "192.168.0.0/24"]`
 * `ec2_vpc_id` - Specify an existing VPC ID
 * `ec2_subnet_id` - Specify an existing Subnet ID
 * `ec2_region`
 * `ec2_ssh_key_name` - Specify an existing SSH key pair
 * `ec2_instance_type`
 <a name="variables-otc"></a>
 ### Open Telekom Cloud (OTC)
 In `otc/variables.tf`, you can change the additional variables:
 * `ecs_flavor`
 * `ecs_disk_size`
 * `availability_zone`
 * `key_pair` - Specify an existing SSH key pair
 * `eip_size`
 ... and some more, but these are the most relevant.
 <a name="initialising"></a>
 ## Initialising
 The [`terraform init`](https://www.terraform.io/docs/commands/init.html) command is used to initialize a working directory containing Terraform configuration files.
 ```
 $ cd aws
 $ terraform init
 ```
 OR
 ```
 $ cd otc
 $ terraform init
 ```
 <a name="applying"></a>
 ## Applying the Configuration
 The [`terraform apply`](https://www.terraform.io/docs/commands/apply.html) command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a [`terraform plan`](https://www.terraform.io/docs/commands/plan.html) execution plan.
 ```
 $ terraform apply
 ```
 This will create your infrastructure and start a Cloud Server. On startup, the Server gets bootstrapped with cloud-init and will install T-Pot. Once this is done, the server will reboot.
 If you want the remove the built infrastructure, you can run [`terraform destroy`](https://www.terraform.io/docs/commands/destroy.html) to delete it.
 <a name="connecting"></a>
 ## Connecting to the Instance
 When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
--- a/cloud/terraform/aws/.terraform.lock.hcl
+++ b/cloud/terraform/aws/.terraform.lock.hcl
@ -0,0 +1,20 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.26.0"
  constraints = "3.26.0"
  hashes = [
    "h1:0i78FItlPeiomd+4ThZrtm56P5K33k7/6dnEe4ZePI0=",
    "zh:26043eed36d070ca032cf04bc980c654a25821a8abc0c85e1e570e3935bbfcbb",
    "zh:2fe68f3f78d23830a04d7fac3eda550eef1f627dfc130486f70a65dc5c254300",
    "zh:3d66484c608c64678e639db25d63872783ce60363a1246e30317f21c9c23b84b",
    "zh:46ffd755cfd4cf94fe66342797b5afdcef010a24e126c67fee141b357d393535",
    "zh:5e96f24357e945c9067cf5e032ad1d003609629c956c2f9f642fefe714e74587",
    "zh:60c27aca36bb63bf3e865c2193be80ca83b376581d00f9c220af4b013e163c4d",
    "zh:896f0f22d19d41e71b22f9240b261714c3915b165ddefeb771e7734d69dc47ea",
    "zh:90de9966cb2fd3e2f326df291595e55d2dd2d90e7d6dd085c2c8691dce82bdb4",
    "zh:ad05a91a88ceb1d6de5a568f7cc0b0e5bc0a79f3da70bc28c1e7f3750e362d58",
    "zh:e8c63f59c6465329e1f3357498face3dd7ef10a033df3c366a33aa9e94b46c01",
  ]
 }
--- a/cloud/terraform/aws/main.tf
+++ b/cloud/terraform/aws/main.tf
@ -0,0 +1,66 @@
 provider "aws" {
  region = var.ec2_region
 }
 resource "aws_security_group" "tpot" {
  name        = "T-Pot"
  description = "T-Pot Honeypot"
  vpc_id      = var.ec2_vpc_id
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 64294
    to_port     = 64294
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  ingress {
    from_port   = 64295
    to_port     = 64295
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  ingress {
    from_port   = 64297
    to_port     = 64297
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "T-Pot"
  }
 }
 resource "aws_instance" "tpot" {
  ami           = var.ec2_ami[var.ec2_region]
  instance_type = var.ec2_instance_type
  key_name      = var.ec2_ssh_key_name
  subnet_id     = var.ec2_subnet_id
  tags = {
    Name = "T-Pot Honeypot"
  }
  root_block_device {
    volume_type           = "gp2"
    volume_size           = 128
    delete_on_termination = true
  }
  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
  vpc_security_group_ids      = [aws_security_group.tpot.id]
  associate_public_ip_address = true
 }
--- a/cloud/terraform/aws/outputs.tf
+++ b/cloud/terraform/aws/outputs.tf
@ -0,0 +1,12 @@
 output "Admin_UI" {
  value = "https://${aws_instance.tpot.public_dns}:64294/"
 }
 output "SSH_Access" {
  value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
 }
 output "Web_UI" {
  value = "https://${aws_instance.tpot.public_dns}:64297/"
 }
--- a/cloud/terraform/aws/variables.tf
+++ b/cloud/terraform/aws/variables.tf
@ -0,0 +1,93 @@
 variable "admin_ip" {
  default     = ["127.0.0.1/32"]
  description = "admin IP addresses in CIDR format"
 }
 variable "ec2_vpc_id" {
  description = "ID of AWS VPC"
  default     = "vpc-XXX"
 }
 variable "ec2_subnet_id" {
  description = "ID of AWS VPC subnet"
  default     = "subnet-YYY"
 }
 variable "ec2_region" {
  description = "AWS region to launch servers"
  default     = "eu-west-1"
 }
 variable "ec2_ssh_key_name" {
  default = "default"
 }
 # https://aws.amazon.com/ec2/instance-types/
 # t3.large = 2 vCPU, 8 GiB RAM
 variable "ec2_instance_type" {
  default = "t3.large"
 }
 # Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
 variable "ec2_ami" {
  type = map(string)
  default = {
    "af-south-1"     = "ami-0c372f041acae6d49"
    "ap-east-1"      = "ami-079b8d011d4655385"
    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
    "ap-south-1"     = "ami-020d429f17c9f1d0a"
    "ap-southeast-1" = "ami-09625a221230d9fe6"
    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
    "ca-central-1"   = "ami-09125623b02302014"
    "eu-central-1"   = "ami-00c36c60f07e21791"
    "eu-north-1"     = "ami-052bea934e2d9dbfe"
    "eu-south-1"     = "ami-04e2bb16d37324719"
    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
    "eu-west-2"      = "ami-02ed1bc837487d535"
    "eu-west-3"      = "ami-080efd2add7e29430"
    "me-south-1"     = "ami-0dbde382c834c4a72"
    "sa-east-1"      = "ami-0a0792814cb068077"
    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
    "us-east-2"      = "ami-04dd0542609808c50"
    "us-west-1"      = "ami-07af5f877b3db9f73"
    "us-west-2"      = "ami-0d0d8694ba492c02b"
  }
 }
 ## cloud-init configuration ##
 variable "timezone" {
  default = "UTC"
 }
 variable "linux_password" {
  #default = "LiNuXuSeRPaSs#"
  description = "Set a password for the default user"
  validation {
    condition     = length(var.linux_password) > 0
    error_message = "Please specify a password for the default user."
  }
 }
 ## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
  default     = "STANDARD"
  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
 }
 variable "web_user" {
  default     = "webuser"
  description = "Set a username for the web user"
 }
 variable "web_password" {
  #default = "w3b$ecret"
  description = "Set a password for the web user"
  validation {
    condition     = length(var.web_password) > 0
    error_message = "Please specify a password for the web user."
  }
 }
--- a/cloud/terraform/aws/versions.tf
+++ b/cloud/terraform/aws/versions.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.26.0"
    }
  }
 }
--- a/cloud/terraform/aws_multi_region/_provider.tf
+++ b/cloud/terraform/aws_multi_region/_provider.tf
@ -0,0 +1,9 @@
 provider "aws" {
  alias  = "eu-west-2"
  region = "eu-west-2"
 }
 provider "aws" {
  alias  = "us-west-1"
  region = "us-west-1"
 }
--- a/cloud/terraform/aws_multi_region/main.tf
+++ b/cloud/terraform/aws_multi_region/main.tf
@ -0,0 +1,27 @@
 module "eu-west-2" {
  source = "./modules/multi-region"
  ec2_vpc_id = "vpc-xxxxxxxx"
  ec2_subnet_id = "subnet-xxxxxxxx"
  ec2_region = "eu-west-2"
  tpot_name = "T-Pot Honeypot"
  linux_password = var.linux_password
  web_password = var.web_password
  providers = {
    aws = aws.eu-west-2
  }
 }
 module "us-west-1" {
  source = "./modules/multi-region"
  ec2_vpc_id = "vpc-xxxxxxxx"
  ec2_subnet_id = "subnet-xxxxxxxx"
  ec2_region = "us-west-1"
  tpot_name = "T-Pot Honeypot"
  linux_password = var.linux_password
  web_password = var.web_password
  providers = {
    aws = aws.us-west-1
  }
 }
--- a/cloud/terraform/aws_multi_region/modules/multi-region/main.tf
+++ b/cloud/terraform/aws_multi_region/modules/multi-region/main.tf
@ -0,0 +1,69 @@
 variable "ec2_vpc_id" {}
 variable "ec2_subnet_id" {}
 variable "ec2_region" {}
 variable "linux_password" {}
 variable "web_password" {}
 variable "tpot_name" {}
 resource "aws_security_group" "tpot" {
  name        = "T-Pot"
  description = "T-Pot Honeypot"
  vpc_id      = var.ec2_vpc_id
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 64294
    to_port     = 64294
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  ingress {
    from_port   = 64295
    to_port     = 64295
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  ingress {
    from_port   = 64297
    to_port     = 64297
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "T-Pot"
  }
 }
 resource "aws_instance" "tpot" {
  ami           = var.ec2_ami[var.ec2_region]
  instance_type = var.ec2_instance_type
  key_name      = var.ec2_ssh_key_name
  subnet_id     = var.ec2_subnet_id
  tags = {
    Name = var.tpot_name
  }
  root_block_device {
    volume_type           = "gp2"
    volume_size           = 128
    delete_on_termination = true
  }
  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
  vpc_security_group_ids      = [aws_security_group.tpot.id]
  associate_public_ip_address = true
 }
--- a/cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf
+++ b/cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf
@ -0,0 +1,12 @@
 output "Admin_UI" {
  value = "https://${aws_instance.tpot.public_dns}:64294/"
 }
 output "SSH_Access" {
  value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
 }
 output "Web_UI" {
  value = "https://${aws_instance.tpot.public_dns}:64297/"
 }
--- a/cloud/terraform/aws_multi_region/modules/multi-region/variables.tf
+++ b/cloud/terraform/aws_multi_region/modules/multi-region/variables.tf
@ -0,0 +1,57 @@
 variable "admin_ip" {
  default     = ["127.0.0.1/32"]
  description = "admin IP addresses in CIDR format"
 }
 variable "ec2_ssh_key_name" {
  default = "default"
 }
 # https://aws.amazon.com/ec2/instance-types/
 variable "ec2_instance_type" {
  default = "t3.xlarge"
 }
 # Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
 variable "ec2_ami" {
  type = map(string)
  default = {
    "af-south-1"     = "ami-0c372f041acae6d49"
    "ap-east-1"      = "ami-079b8d011d4655385"
    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
    "ap-south-1"     = "ami-020d429f17c9f1d0a"
    "ap-southeast-1" = "ami-09625a221230d9fe6"
    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
    "ca-central-1"   = "ami-09125623b02302014"
    "eu-central-1"   = "ami-00c36c60f07e21791"
    "eu-north-1"     = "ami-052bea934e2d9dbfe"
    "eu-south-1"     = "ami-04e2bb16d37324719"
    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
    "eu-west-2"      = "ami-02ed1bc837487d535"
    "eu-west-3"      = "ami-080efd2add7e29430"
    "me-south-1"     = "ami-0dbde382c834c4a72"
    "sa-east-1"      = "ami-0a0792814cb068077"
    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
    "us-east-2"      = "ami-04dd0542609808c50"
    "us-west-1"      = "ami-07af5f877b3db9f73"
    "us-west-2"      = "ami-0d0d8694ba492c02b"
  }
 }
 ## cloud-init configuration ##
 variable "timezone" {
  default = "UTC"
 }
 ## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
  default     = "STANDARD"
  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
 }
 variable "web_user" {
  default     = "webuser"
  description = "Set a username for the web user"
 }
--- a/cloud/terraform/aws_multi_region/modules/multi-region/versions.tf
+++ b/cloud/terraform/aws_multi_region/modules/multi-region/versions.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.72.0"
    }
  }
 }
--- a/cloud/terraform/aws_multi_region/outputs.tf
+++ b/cloud/terraform/aws_multi_region/outputs.tf
@ -0,0 +1,7 @@
 output "eu-west-2_Web_UI" {
  value = module.eu-west-2.Web_UI
 }
 output "us-west-1_Web_UI" {
  value = module.us-west-1.Web_UI
 }
--- a/cloud/terraform/aws_multi_region/variables.tf
+++ b/cloud/terraform/aws_multi_region/variables.tf
@ -0,0 +1,19 @@
 variable "linux_password" {
  #default = "LiNuXuSeRP4Ss!"
  description = "Set a password for the default user"
  validation {
    condition     = length(var.linux_password) > 0
    error_message = "Please specify a password for the default user."
  }
 }
 variable "web_password" {
  #default = "w3b$ecret20"
  description = "Set a password for the web user"
  validation {
    condition     = length(var.web_password) > 0
    error_message = "Please specify a password for the web user."
  }
 }
--- a/cloud/terraform/cloud-init.yaml
+++ b/cloud/terraform/cloud-init.yaml
@ -0,0 +1,26 @@
 #cloud-config
 timezone: ${timezone}
 packages:
  - git
 runcmd:
  - curl -sS --retry 5 https://github.com
  - git clone https://github.com/telekom-security/tpotce /root/tpot
  - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
  - rm /root/tpot.conf
  - /sbin/shutdown -r now
 password: ${password}
 chpasswd:
  expire: false
 write_files:
  - content: |
      # tpot configuration file
      myCONF_TPOT_FLAVOR='${tpot_flavor}'
      myCONF_WEB_USER='${web_user}'
      myCONF_WEB_PW='${web_password}'
    owner: root:root
    path: /root/tpot.conf
    permissions: '0600'
--- a/cloud/terraform/otc/.terraform.lock.hcl
+++ b/cloud/terraform/otc/.terraform.lock.hcl
@ -0,0 +1,38 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/random" {
  version     = "3.1.0"
  constraints = "~> 3.1.0"
  hashes = [
    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
  ]
 }
 provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
  version     = "1.23.6"
  constraints = "~> 1.23.4"
  hashes = [
    "h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
    "zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
    "zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
    "zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
    "zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
    "zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
    "zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
    "zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
    "zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
    "zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
  ]
 }
--- a/cloud/terraform/otc/clouds.yaml
+++ b/cloud/terraform/otc/clouds.yaml
@ -0,0 +1,9 @@
 clouds:
  open-telekom-cloud:
    region_name: eu-de
    auth:
      project_name: eu-de_your_project
      username: your_api_user
      password: your_password
      user_domain_name: OTC-EU-DE-000000000010000XXXXX
      auth_url: https://iam.eu-de.otc.t-systems.com/v3
--- a/cloud/terraform/otc/main.tf
+++ b/cloud/terraform/otc/main.tf
@ -0,0 +1,68 @@
 data "opentelekomcloud_images_image_v2" "debian" {
  name = "Standard_Debian_10_latest"
 }
 resource "opentelekomcloud_networking_secgroup_v2" "secgroup_1" {
  name        = var.secgroup_name
  description = var.secgroup_desc
 }
 resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
  direction         = "ingress"
  ethertype         = "IPv4"
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
 }
 resource "opentelekomcloud_vpc_v1" "vpc_1" {
  name = var.vpc_name
  cidr = var.vpc_cidr
 }
 resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
  name   = var.subnet_name
  cidr   = var.subnet_cidr
  vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
  gateway_ip = var.subnet_gateway_ip
  dns_list   = ["100.125.4.25", "100.125.129.199"]
 }
 resource "random_id" "tpot" {
  byte_length = 6
  prefix      = var.ecs_prefix
 }
 resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
  name     = random_id.tpot.b64_url
  image_id = data.opentelekomcloud_images_image_v2.debian.id
  flavor   = var.ecs_flavor
  vpc_id   = opentelekomcloud_vpc_v1.vpc_1.id
  nics {
    network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
  }
  system_disk_size  = var.ecs_disk_size
  system_disk_type  = "SAS"
  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
  availability_zone = var.availability_zone
  key_name          = var.key_pair
  user_data         = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
 }
 resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
  publicip {
    type = "5_bgp"
  }
  bandwidth {
    name       = "bandwidth-${random_id.tpot.b64_url}"
    size       = var.eip_size
    share_type = "PER"
  }
 }
 resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
  floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
  instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
 }
--- a/cloud/terraform/otc/outputs.tf
+++ b/cloud/terraform/otc/outputs.tf
@ -0,0 +1,11 @@
 output "Admin_UI" {
  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
 }
 output "SSH_Access" {
  value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
 }
 output "Web_UI" {
  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
 }
--- a/cloud/terraform/otc/provider.tf
+++ b/cloud/terraform/otc/provider.tf
@ -0,0 +1,3 @@
 provider "opentelekomcloud" {
  cloud = "open-telekom-cloud"
 }
--- a/cloud/terraform/otc/variables.tf
+++ b/cloud/terraform/otc/variables.tf
@ -0,0 +1,98 @@
 ## cloud-init configuration ##
 variable "timezone" {
  default = "UTC"
 }
 variable "linux_password" {
  #default = "LiNuXuSeRPaSs#"
  description = "Set a password for the default user"
  validation {
    condition     = length(var.linux_password) > 0
    error_message = "Please specify a password for the default user."
  }
 }
 ## Security Group ##
 variable "secgroup_name" {
  default = "sg-tpot"
 }
 variable "secgroup_desc" {
  default = "Security Group for T-Pot"
 }
 ## Virtual Private Cloud ##
 variable "vpc_name" {
  default = "vpc-tpot"
 }
 variable "vpc_cidr" {
  default = "192.168.0.0/16"
 }
 ## Subnet ##
 variable "subnet_name" {
  default = "subnet-tpot"
 }
 variable "subnet_cidr" {
  default = "192.168.0.0/24"
 }
 variable "subnet_gateway_ip" {
  default = "192.168.0.1"
 }
 ## Elastic Cloud Server ##
 variable "ecs_prefix" {
  default = "tpot-"
 }
 variable "ecs_flavor" {
  default = "s3.medium.8"
 }
 variable "ecs_disk_size" {
  default = "128"
 }
 variable "availability_zone" {
  default = "eu-de-03"
 }
 variable "key_pair" {
  #default = ""
  description = "Specify your SSH key pair"
  validation {
    condition     = length(var.key_pair) > 0
    error_message = "Please specify a Key Pair."
  }
 }
 ## Elastic IP ##
 variable "eip_size" {
  default = "100"
 }
 ## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
  default     = "STANDARD"
  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
 }
 variable "web_user" {
  default     = "webuser"
  description = "Set a username for the web user"
 }
 variable "web_password" {
  #default = "w3b$ecret"
  description = "Set a password for the web user"
  validation {
    condition     = length(var.web_password) > 0
    error_message = "Please specify a password for the web user."
  }
 }
--- a/cloud/terraform/otc/versions.tf
+++ b/cloud/terraform/otc/versions.tf
@ -0,0 +1,13 @@
 terraform {
  required_version = ">= 0.13"
  required_providers {
    opentelekomcloud = {
      source  = "opentelekomcloud/opentelekomcloud"
      version = "~> 1.23.4"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.1.0"
    }
  }
 }
--- a/doc/architecture.png
+++ b/doc/architecture.png
--- a/doc/attackmap.png
+++ b/doc/attackmap.png
--- a/doc/cockpit1.png
+++ b/doc/cockpit1.png
--- a/doc/cockpit2.png
+++ b/doc/cockpit2.png
--- a/doc/cockpit3.png
+++ b/doc/cockpit3.png
--- a/doc/cockpit_a.png
+++ b/doc/cockpit_a.png
--- a/doc/cockpit_b.png
+++ b/doc/cockpit_b.png
--- a/doc/cyberchef.png
+++ b/doc/cyberchef.png
--- a/doc/dashboard.png
+++ b/doc/dashboard.png
--- a/doc/dockerui.png
+++ b/doc/dockerui.png
--- a/doc/elasticvue.png
+++ b/doc/elasticvue.png
--- a/doc/headplugin.png
+++ b/doc/headplugin.png
--- a/doc/kibana.png
+++ b/doc/kibana.png
--- a/doc/kibana_a.png
+++ b/doc/kibana_a.png
--- a/doc/kibana_b.png
+++ b/doc/kibana_b.png
--- a/doc/kibana_c.png
+++ b/doc/kibana_c.png
--- a/doc/netdata.png
+++ b/doc/netdata.png
--- a/doc/spiderfoot.png
+++ b/doc/spiderfoot.png
--- a/doc/t-pot_qr.png
+++ b/doc/t-pot_qr.png
--- a/doc/t-pot_wallpaper_19201080.png
+++ b/doc/t-pot_wallpaper_19201080.png
--- a/doc/t-pot_wallpaper_4k.png
+++ b/doc/t-pot_wallpaper_4k.png
--- a/doc/tpotsocial.png
+++ b/doc/tpotsocial.png
--- a/doc/tpotwebui.png
+++ b/doc/tpotwebui.png
--- a/doc/webssh.png
+++ b/doc/webssh.png
--- a/docker/adbhoney/Dockerfile
+++ b/docker/adbhoney/Dockerfile
@ -1,31 +1,36 @@
-FROM alpine 
+FROM alpine:3.15
-
+#
 # Include dist
 COPY dist/ /root/dist/
 #
 # Install packages
-RUN apk -U --no-cache add \
+RUN apk --no-cache -U add \
            git \
-            libcap \
+	    procps \
-            python \
+            python3 && \
-            python-dev && \
+#
 # Install adbhoney from git
-    git clone --depth=1 https://github.com/huuck/ADBHoney /opt/adbhoney && \
+    git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
-    sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/main.py && \
+    cd /opt/adbhoney && \
-    sed -i 's/dst_port/dest_port/' /opt/adbhoney/main.py && \
+#    git checkout ad7c17e78d01f6860d58ba826a4b6a4e4f83acbd && \
-
+    git checkout 2417a7a982f4fd527b3a048048df9a23178767ad && \
    cp /root/dist/adbhoney.cfg /opt/adbhoney && \
    sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
    sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
 #
 # Setup user, groups and configs
    addgroup -g 2000 adbhoney && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
    chown -R adbhoney:adbhoney /opt/adbhoney && \
-    setcap cap_net_bind_service=+ep /usr/bin/python2.7 && \
+#
 # Clean up
-    apk del --purge git \
+    apk del --purge git && \
-                    python-dev && \
+    rm -rf /root/* /opt/adbhoney/.git /var/cache/apk/*
-    rm -rf /root/* && \
+#
    rm -rf /var/cache/apk/*
 # Set workdir and start adbhoney
 STOPSIGNAL SIGINT
 # Adbhoney sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
 HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
 USER adbhoney:adbhoney
 WORKDIR /opt/adbhoney/
-CMD nohup /usr/bin/python main.py -l log/adbhoney.log -j log/adbhoney.json -d dl/
+CMD /usr/bin/python3 run.py
--- a/docker/adbhoney/dist/adbhoney.cfg
+++ b/docker/adbhoney/dist/adbhoney.cfg
@ -0,0 +1,19 @@
 [honeypot]
 hostname = honeypot01
 address = 0.0.0.0
 port = 5555
 download_dir = dl/
 log_dir = log/
 device_id = device::http://ro.product.name =starltexx;ro.product.model=SM-G960F;ro.product.device=starlte;features=cmd,stat_v2,shell_v2
 [output_log]
 enabled = true
 log_file = adbhoney.log
 log_level = info
 [output_json]
 enabled = true
 log_file = adbhoney.json
--- a/docker/adbhoney/docker-compose.yml
+++ b/docker/adbhoney/docker-compose.yml
@ -10,11 +10,13 @@ services:
    build: .
    container_name: adbhoney
    restart: always
    #    cpu_count: 1
    #    cpus: 0.25
    networks:
     - adbhoney_local
    ports:
     - "5555:5555"
-    image: "dtagdevsec/adbhoney:1811"
+    image: "dtagdevsec/adbhoney:2204"
    read_only: true
    volumes:
     - /data/adbhoney/log:/opt/adbhoney/log
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,2 @@`
							`# Enter the name of your cloud to use from clouds.yaml`
							`cloud: open-telekom-cloud`