cleanup

Ansible updates

.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md

@@ -7,6 +7,8 @@ assignees: ''
 
 ---
 
+🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
+
 Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
 
 - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first

CHANGELOG.md

@@ -1,5 +1,92 @@
 # Changelog
 
+## 20210222
+- **New Release 20.06.2**
+- **Countless Cloud Contributions**
+  - Thanks to @shaderecker
+
+## 20210219
+- **Rebuild Snare, Tanner, Redis, Phpox**
+  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
+- **Bump Elastic Stack to 7.11.1**
+  - Updgrade Elastic Stack Images to 7.11.1 and update License Info to reflect new Elastic License.
+  - Prepare for new release.
+
+## 20210218
+- **Rebuild Conpot, EWSPoster, Cowrie, Glutton, Dionaea**
+  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
+
+## 20210216
+- **Bump Heralding to 1.0.7**
+  - Rebuild and upgrade image to 1.0.7 and upgrade Alpine OS to 3.13.
+  - Enable SMTPS for Heralding.
+- **Rebuild IPPHoney, Fatt, EWSPoster, Spiderfoot**
+  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
+  - Upgrade Spiderfoot to 3.3
+
+## 20210215
+- **Rebuild Dicompot, p0f, Medpot, Honeysap, Heimdall, Elasticpot, Citrixhoneypot, Ciscoasa**
+  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
+
+## 20210212
+- **Rebuild Cyberchef, Adbhoney, Elastic Stack**
+  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
+  - Bump Elastic Stack to 7.11.0
+  - Bump Cyberchef to 9.27.0
+
+## 20210119
+- **Bump Dionaea to 0.11.0**
+  - Upgrade Dionaea to 0.11.0, rebuild image and upgrade Alpine OS to 3.13.
+
+## 20210106
+- **Update Internet IF retrieval**
+  - To be consistent with @adepasquale PR #746 fatt, glutton and p0f Dockerfiles were updated accordingly.
+  - Merge PR #746 from @adepasquale, thank you!
+
+## 20201228
+- **Fix broken SQlite DB**
+  - Fix a broken `app.sqlite` in Heimdall
+- **Avoid ghcr.io because of slow transfers**
+- **Remove netselect-apt**
+  - causes too many unpredictable errors #733 as the latest example
+
+## 20201210
+- **Bump Elastic Stack 7.10.1, EWSPoster to 1.12**
+
+## 20201202
+- **Update Elastic Stack to 7.10.0**
+
+## 20201130
+- **Suricata, use suricata-update for rule management**
+  - As a bonus we can now run "suricata-update" using docker-exec, triggering both a rule update and a Suricata rule reload.
+  - Thanks to @adepasquale!
+
+## 20201126
+- **Suricata, update suricata.yaml for 6.x**
+  - Merge in the latest updates from suricata-6.0.x while at the same time keeping the custom T-Pot configuration.
+  - Thanks to @adepasquale!
+- **Bump Cowrie to 2.2.0**
+
+## 20201028
+- **Bump Suricata to 5.0.4, Spiderfoot to 3.2.1, Dionaea to 0.9.2, IPPHoney, Heralding, Conpot to latest masters**
+
+## 20201027
+- **Bump Dicompot to latest master, Elastic Stack to 7.9.3**
+
+## 20201005
+- **Bump Elastic Stack to 7.9.2**
+  - @brianlechthaler, thanks for PR #706, which had issues regarding Elastic Stack and resulted in reverting to 7.9.1
+
+## 20200904
+- **Release T-Pot 20.06.1**
+  - Github offers a free Docker Container Registry for public packages. For our Open Source projects we want to make sure to have everything in one place and thus moving from Docker Hub to the GitHub Container Registry.
+- **Bump Elastic Stack**
+  - Update the Elastic Stack to 7.9.1.
+- **Rebuild Images**
+  - All docker images were rebuilt based on the latest (and stable running) versions of the tools and honeypots and have been pinned to specific Alpine / Debian versions and git commits so rebuilds will less likely fail.
+- **Cleaning up**
+  - Clean up old references and links.
+
 ## 20200630
 - **Release T-Pot 20.06**
   - After 4 months of public testing with the NextGen edition T-Pot 20.06 can finally be released.
@@ -51,7 +138,7 @@
 - **Update ISO image to fix upstream bug of missing kernel modules**
 - **Include dashboards for CitrixHoneypot**
   - Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
-  - This update requires the latest Kibana objects as well. Download the latest from https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/etc/objects/kibana_export.json.zip, unzip and import the objects within Kibana WebUI > Management > Saved Objects > Export / Import". All objects will be overwritten upon import, make sure to run an export first.
+  - This update requires the latest Kibana objects as well. Download the latest from https://raw.githubusercontent.com/telekom-security/tpotce/master/etc/objects/kibana_export.json.zip, unzip and import the objects within Kibana WebUI > Management > Saved Objects > Export / Import". All objects will be overwritten upon import, make sure to run an export first.
 
 ## 20200115
 - **Prepare integration of CitrixHoneypot**

README.md

@@ -19,6 +19,7 @@ and includes dockerized versions of the following honeypots
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
+* [ipphoney](https://gitlab.com/bontchev/ipphoney),
 * [mailoney](https://github.com/awhitehatter/mailoney),
 * [medpot](https://github.com/schmalle/medpot),
 * [rdpy](https://github.com/citronneur/rdpy),
@@ -39,7 +40,7 @@ Furthermore T-Pot includes the following tools
 
 # TL;DR
 1. Meet the [system requirements](#requirements). The T-Pot installation needs at least 8 GB RAM and 128 GB free disk space as well as a working (outgoing non-filtered) internet connection.
-2. Download the T-Pot ISO from [GitHub](https://github.com/dtag-dev-sec/tpotce/releases) or [create it yourself](#createiso).
+2. Download the T-Pot ISO from [GitHub](https://github.com/telekom-security/tpotce/releases) or [create it yourself](#createiso).
 3. Install the system in a [VM](#vm) or on [physical hardware](#hw) with [internet access](#placement).
 4. Enjoy your favorite beverage - [watch](https://sicherheitstacho.eu) and [analyze](#kibana).
 
@@ -99,6 +100,7 @@ In T-Pot we combine the dockerized honeypots ...
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
+* [ipphoney](https://gitlab.com/bontchev/ipphoney),
 * [mailoney](https://github.com/awhitehatter/mailoney),
 * [medpot](https://github.com/schmalle/medpot),
 * [rdpy](https://github.com/citronneur/rdpy),
@@ -130,7 +132,7 @@ The T-Pot project provides all the tools and documentation necessary to build yo
 
 The source code and configuration files are fully stored in the T-Pot GitHub repository. The docker images are preconfigured for the T-Pot environment. If you want to run the docker images separately, make sure you study the docker-compose configuration (`/opt/tpot/etc/tpot.yml`) and the T-Pot systemd script (`/etc/systemd/system/tpot.service`), as they provide a good starting point for implementing changes.
 
-The individual docker configurations are located in the [docker folder](https://github.com/dtag-dev-sec/tpotce/tree/master/docker).
+The individual docker configurations are located in the [docker folder](https://github.com/telekom-security/tpotce/tree/master/docker).
 
 <a name="requirements"></a>
 # System Requirements
@@ -168,7 +170,7 @@ There are prebuilt installation types available each focussing on different aspe
 
 
 ##### NextGen
-- Honeypots: adbhoney, ciscoasa, citrixhoneypot, conpot, cowrie, dicompot, dionaea, glutton, heralding, honeypy, honeysap, mailoney, medpot, rdpy, snare & tanner
+- Honeypots: adbhoney, ciscoasa, citrixhoneypot, conpot, cowrie, dicompot, dionaea, glutton, heralding, honeypy, honeysap, ipphoney, mailoney, medpot, rdpy, snare & tanner
 - Tools: cockpit, cyberchef, ELK, fatt, elasticsearch head, ewsposter, nginx / heimdall, spiderfoot, p0f & suricata
 
 
@@ -181,18 +183,18 @@ There are prebuilt installation types available each focussing on different aspe
 # Installation
 The installation of T-Pot is straight forward and heavily depends on a working, transparent and non-proxied up and running internet connection. Otherwise the installation **will fail!**
 
-Firstly, decide if you want to download the prebuilt installation ISO image from [GitHub](https://github.com/dtag-dev-sec/tpotce/releases), [create it yourself](#createiso) ***or*** [post-install on an existing Debian 10 (Buster)](#postinstall).
+Firstly, decide if you want to download the prebuilt installation ISO image from [GitHub](https://github.com/telekom-security/tpotce/releases), [create it yourself](#createiso) ***or*** [post-install on an existing Debian 10 (Buster)](#postinstall).
 
 Secondly, decide where you the system to run: [real hardware](#hardware) or in a [virtual machine](#vm)?
 
 <a name="prebuilt"></a>
 ## Prebuilt ISO Image
-An installation ISO image is available for download (~50MB), which is created by the [ISO Creator](https://github.com/dtag-dev-sec/tpotce) you can use yourself in order to create your own image. It will basically just save you some time downloading components and creating the ISO image.
-You can download the prebuilt installation ISO from [GitHub](https://github.com/dtag-dev-sec/tpotce/releases) and jump to the [installation](#vm) section.
+An installation ISO image is available for download (~50MB), which is created by the [ISO Creator](https://github.com/telekom-security/tpotce) you can use yourself in order to create your own image. It will basically just save you some time downloading components and creating the ISO image.
+You can download the prebuilt installation ISO from [GitHub](https://github.com/telekom-security/tpotce/releases) and jump to the [installation](#vm) section.
 
 <a name="createiso"></a>
 ## Create your own ISO Image
-For transparency reasons and to give you the ability to customize your install you use the [ISO Creator](https://github.com/dtag-dev-sec/tpotce) that enables you to create your own ISO installation image.
+For transparency reasons and to give you the ability to customize your install you use the [ISO Creator](https://github.com/telekom-security/tpotce) that enables you to create your own ISO installation image.
 
 **Requirements to create the ISO image:**
 - Debian 10 as host system (others *may* work, but *remain* untested)
@@ -204,7 +206,7 @@ For transparency reasons and to give you the ability to customize your install y
 
 1. Clone the repository and enter it.
 ```
-git clone https://github.com/dtag-dev-sec/tpotce
+git clone https://github.com/telekom-security/tpotce
 cd tpotce
 ```
 2. Run the `makeiso.sh` script to build the ISO image.
@@ -235,7 +237,7 @@ You can now jump [here](#firstrun).
 If you decide to run T-Pot on dedicated hardware, just follow these steps:
 
 1. Burn a CD from the ISO image or make a bootable USB stick using the image. <br>
-Whereas most CD burning tools allow you to burn from ISO images, the procedure to create a bootable USB stick from an ISO image depends on your system. There are various Windows GUI tools available, e.g. [this tip](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows) might help you.<br> On [Linux](http://askubuntu.com/questions/59551/how-to-burn-a-iso-to-a-usb-device) or [MacOS](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-mac-osx) you can use the tool *dd* or create the USB stick with T-Pot's [ISO Creator](https://github.com/dtag-dev-sec).
+Whereas most CD burning tools allow you to burn from ISO images, the procedure to create a bootable USB stick from an ISO image depends on your system. There are various Windows GUI tools available, e.g. [this tip](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows) might help you.<br> On [Linux](http://askubuntu.com/questions/59551/how-to-burn-a-iso-to-a-usb-device) or [MacOS](http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-mac-osx) you can use the tool *dd* or create the USB stick with T-Pot's [ISO Creator](https://github.com/telekom-security).
 2. Boot from the USB stick and install.
 
 *Please note*: Limited tests are performed for the Intel NUC platform other hardware platforms **remain untested**. There is no hardware support provided of any kind.
@@ -253,7 +255,7 @@ The T-Pot Universal Installer will upgrade the system and install all required T
 Just follow these steps:
 
 ```
-git clone https://github.com/dtag-dev-sec/tpotce
+git clone https://github.com/telekom-security/tpotce
 cd tpotce/iso/installer/
 ./install.sh --type=user
 ```
@@ -267,7 +269,7 @@ You can also let the installer run automatically if you provide your own `tpot.c
 Just follow these steps while adjusting `tpot.conf` to your needs:
 
 ```
-git clone https://github.com/dtag-dev-sec/tpotce
+git clone https://github.com/telekom-security/tpotce
 cd tpotce/iso/installer/
 cp tpot.conf.dist tpot.conf
 ./install.sh --type=auto --conf=tpot.conf
@@ -288,9 +290,9 @@ If you would like to contribute, you can add other cloud deployments like Chef o
 You can find an [Ansible](https://www.ansible.com/) based T-Pot deployment in the [`cloud/ansible`](cloud/ansible) folder.  
 The Playbook in the [`cloud/ansible/openstack`](cloud/ansible/openstack) folder is reusable for all **OpenStack** clouds out of the box.
 
-It first creates all resources (security group, network, subnet, router), deploys a new server and then installs and configures T-Pot.
+It first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
 
-You can have a look at the Playbook and easily adapt the deploy role for other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html).
+You can have a look at the Playbook and easily adapt the deploy role for other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
 
 *Please note*: Cloud providers usually offer adjusted Debian OS images, which might not be compatible with T-Pot. There is no cloud provider support provided of any kind.
 
@@ -302,7 +304,7 @@ You can find [Terraform](https://www.terraform.io/) configuration in the [`cloud
 This can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.
 
 Configuration for **Amazon Web Services** (AWS) and **Open Telekom Cloud** (OTC) is currently included.  
-This can easily be extended to support other [Terraform providers](https://www.terraform.io/docs/providers/index.html).
+This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
 
 *Please note*: Cloud providers usually offer adjusted Debian OS images, which might not be compatible with T-Pot. There is no cloud provider support provided of any kind.
 
@@ -434,7 +436,7 @@ You may opt out of the submission by removing the `# Ewsposter service` from `/o
     restart: always
     networks:
      - ewsposter_local
-    image: "dtagdevsec/ewsposter:2006"
+    image: "ghcr.io/telekom-security/ewsposter:2006"
     volumes:
      - /data:/data
      - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
@@ -464,7 +466,7 @@ As with every development there is always room for improvements ...
 
 Some features may be provided with updated docker images, others may require some hands on from your side.
 
-You are always invited to participate in development on our [GitHub](https://github.com/dtag-dev-sec/tpotce) page.
+You are always invited to participate in development on our [GitHub](https://github.com/telekom-security/tpotce) page.
 
 <a name="disclaimer"></a>
 # Disclaimer
@@ -476,21 +478,21 @@ You are always invited to participate in development on our [GitHub](https://git
 
 <a name="faq"></a>
 # FAQ
-Please report any issues or questions on our [GitHub issue list](https://github.com/dtag-dev-sec/tpotce/issues), so the community can participate.
+Please report any issues or questions on our [GitHub issue list](https://github.com/telekom-security/tpotce/issues), so the community can participate.
 
 <a name="contact"></a>
 # Contact
 The software is provided **as is** in a Community Edition format. T-Pot is designed to run out of the box and with zero maintenance involved. <br>
-We hope you understand that we cannot provide support on an individual basis. We will try to address questions, bugs and problems on our [GitHub issue list](https://github.com/dtag-dev-sec/tpotce/issues).
+We hope you understand that we cannot provide support on an individual basis. We will try to address questions, bugs and problems on our [GitHub issue list](https://github.com/telekom-security/tpotce/issues).
 
 <a name="licenses"></a>
 # Licenses
 The software that T-Pot is built on uses the following licenses.
 <br>GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeysap](https://github.com/SecureAuthCorp/HoneySAP/blob/master/COPYING), [honeypy](https://github.com/foospidy/HoneyPy/blob/master/LICENSE), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/)
-<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/dtag-dev-sec/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
+<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
 <br>Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE), [elasticsearch-head](https://github.com/mobz/elasticsearch-head/blob/master/LICENCE)
 <br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE)
-<br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/)
+<br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license)
 
 <a name="credits"></a>
 # Credits
@@ -519,6 +521,7 @@ Without open source and the fruitful development community (we are proud to be a
 * [honeypy](https://github.com/foospidy/HoneyPy/graphs/contributors)
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP/graphs/contributors)
 * [honeytrap](https://github.com/armedpot/honeytrap/graphs/contributors)
+* [ipphoney](https://gitlab.com/bontchev/ipphoney/-/project_members)
 * [kibana](https://github.com/elastic/kibana/graphs/contributors)
 * [logstash](https://github.com/elastic/logstash/graphs/contributors)
 * [mailoney](https://github.com/awhitehatter/mailoney)
@@ -544,6 +547,8 @@ Without open source and the fruitful development community (we are proud to be a
 A new version of T-Pot is released about every 6-12 months, development has shifted more and more towards rolling releases and the usage of `/opt/tpot/update.sh`.
 
 <a name="testimonial"></a>
-# Testimonial
+# Testimonials
 One of the greatest feedback we have gotten so far is by one of the Conpot developers:<br>
-***"[...] I highly recommend T-Pot which is ... it's not exactly a swiss army knife .. it's more like a swiss army soldier, equipped with a swiss army knife. Inside a tank. A swiss tank. [...]"***
+***"[...] I highly recommend T-Pot which is ... it's not exactly a swiss army knife .. it's more like a swiss army soldier, equipped with a swiss army knife. Inside a tank. A swiss tank. [...]"***<br>
+And from @robcowart (creator of [ElastiFlow](https://github.com/robcowart/elastiflow)):<br>
+***"#TPot is one of the most well put together turnkey honeypot solutions. It is a must-have for anyone wanting to analyze and understand the behavior of malicious actors and the threat they pose to your organization."***

bin/change_ews_config.sh

@@ -60,7 +60,7 @@ fi
 echo ""
 echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
 echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
-wget -q https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
+wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
 if [[ -f "ews.cfg.dist" ]]; then
 	echo "[+] Successfully downloaded ews.cfg from github."
 else 

bin/clean.sh

@@ -197,6 +197,14 @@ fuHONEYTRAP () {
   chown tpot:tpot /data/honeytrap/ -R
 }
 
+# Let's create a function to clean up and prepare ipphoney data
+fuIPPHONEY () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
+  mkdir -p /data/ipphoney/log
+  chmod 770 /data/ipphoney -R
+  chown tpot:tpot /data/ipphoney -R
+}
+
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@@ -298,6 +306,7 @@ if [ "$myPERSISTENCE" = "on" ];
     fuHONEYSAP
     fuHONEYPY
     fuHONEYTRAP
+    fuIPPHONEY
     fuMAILONEY
     fuMEDPOT
     fuNGINX

bin/updateip.sh

@@ -2,6 +2,7 @@
 # Let's add the first local ip to the /etc/issue and external ip to ews.ip file
 # If the external IP cannot be detected, the internal IP will be inherited.
 source /etc/environment
+myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
 myLOCALIP=$(hostname -I | awk '{ print $1 }')
 myEXTIP=$(/opt/tpot/bin/myip.sh)
 if [ "$myEXTIP" = "" ];
@@ -26,6 +27,7 @@ tee /data/ews/conf/ews.ip << EOF
 ip = $myEXTIP
 EOF
 tee /opt/tpot/etc/compose/elk_environment << EOF
+HONEY_UUID=$myUUID
 MY_EXTIP=$myEXTIP
 MY_INTIP=$myLOCALIP
 MY_HOSTNAME=$HOSTNAME

cloud/.gitignore

@@ -0,0 +1,10 @@
+# Ansible
+*.retry
+
+# Terraform
+**/.terraform
+**/terraform.*
+
+# OpenStack clouds
+clouds.yaml
+secure.yaml

cloud/ansible/.gitignore

@@ -1,2 +0,0 @@
-# Ansible
-*.retry

cloud/ansible/README.md

@@ -2,15 +2,16 @@
 
 Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).  
 It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.  
-Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html) (e.g. AWS, Azure, Digital Ocean, Google).
+Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
 
-The Playbook first creates all resources (security group, network, subnet, router), deploys a new server and then installs and configures T-Pot.
+The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
 
 This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
 
 # Table of contents
 - [Preparation of Ansible Master](#ansible-master)
   - [Ansible Installation](#ansible)
+  - [OpenStack Collection Installation](#collection)
   - [Agent Forwarding](#agent-forwarding)
 - [Preparations in Open Telekom Cloud Console](#preparation)
   - [Create new project](#project)
@@ -18,8 +19,9 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of
   - [Import Key Pair](#key-pair)
 - [Clone Git Repository](#clone-git)
 - [Settings and recommended values](#settings)
-  - [Clouds.yaml](#clouds-yaml)
+  - [clouds.yaml](#clouds-yaml)
   - [Ansible remote user](#remote-user)
+  - [Number of instances to deploy](#number)
   - [Instance settings](#instance-settings)
   - [User password](#user-password)
   - [Configure `tpot.conf.dist`](#tpot-conf)
@@ -36,6 +38,8 @@ Ansible works over the SSH Port, so you don't have to add any special rules to y
 
 <a name="ansible"></a>
 ## Ansible Installation
+:warning: Ansible 2.10 or newer is required!
+
 Example for Ubuntu 18.04:  
 
 At first we update the system:  
@@ -48,6 +52,17 @@ Then we need to add the repository and install Ansible:
 
 For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
 
+If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).  
+In short (if you already have Python3/pip3 installed):
+```
+pip3 install ansible
+```
+
+<a name="collection"></a>
+## OpenStack Collection Installation
+For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:  
+`ansible-galaxy collection install openstack.cloud`
+
 <a name="agent-forwarding"></a>
 ## Agent Forwarding
 If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.  
@@ -96,7 +111,7 @@ Import your SSH public key.
 <a name="clone-git"></a>
 # Clone Git Repository
 Clone the `tpotce` repository to your Ansible Master:  
-`git clone https://github.com/dtag-dev-sec/tpotce.git`  
+`git clone https://github.com/telekom-security/tpotce.git`  
 All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
 
 <a name="settings"></a>
@@ -104,7 +119,7 @@ All Ansible related files are located in the [`cloud/ansible/openstack`](opensta
 You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
 
 <a name="clouds-yaml"></a>
-## Clouds.yaml
+## clouds.yaml
 Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).  
 Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):  
 ```
@@ -118,22 +133,36 @@ clouds:
       user_domain_name: OTC-EU-DE-000000000010000XXXXX
 ```
 You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.  
-For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation.
+For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation.
+
+If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file:
+```
+# Enter the name of your cloud to use from clouds.yaml
+cloud: open-telekom-cloud
+```
 
 <a name="remote-user"></a>
 ## Ansible remote user
 You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`).
 
+<a name="number"></a>
+## Number of instances to deploy
+You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml):
+```
+loop: "{{ range(0, 1) }}"
+```
+One instance is set as the default, increase to your liking.
+
 <a name="instance-settings"></a>
 ## Instance settings
-Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml).  
+Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml).  
 Here you can customize your virtual machine specifications:
   - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
   - Change the OS image (For T-Pot we need Debian)
   - (Optional) Change the volume size
   - Specify your key pair (:warning: Mandatory)
   - (Optional) Change the instance type (flavor)  
-    `s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
+    `s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
     A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
 
 ```
@@ -141,7 +170,7 @@ availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
 key_name: your-KeyPair
-flavor: s2.medium.8
+flavor: s3.medium.8
 ```
 
 <a name="user-password"></a>
@@ -160,14 +189,6 @@ Here you can choose:
   - a username for the web interface
   - a password for the web interface (**you should definitely change that**)
 
-```
-# tpot configuration file
-# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
-myCONF_TPOT_FLAVOR='STANDARD'
-myCONF_WEB_USER='webuser'
-myCONF_WEB_PW='w3b$ecret'
-```
-
 <a name="ews-cfg"></a>
 ## Optional: Custom `ews.cfg`
 Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
@@ -200,7 +221,7 @@ Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_
 #    - custom_hpfeeds
 ```
 
-You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg).  
+You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg).  
 That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:
 ```
 myENABLE=true
@@ -216,6 +237,7 @@ myFORMAT=json
 <a name="deploy"></a>
 # Deploying a T-Pot :honey_pot::honeybee:
 Now, after configuring everything, we can finally start deploying T-Pots!  
+
 Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:  
 `ansible-playbook deploy_tpot.yaml`  
 (Yes, it is as easy as that :smile:)
@@ -223,15 +245,13 @@ Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:
 If you are running on a machine which asks for a sudo password, you can use:  
 `ansible-playbook --ask-become-pass deploy_tpot.yaml`
 
-The Playbook will first install required packages on the Ansible Master and then deploy a new server instance.  
-After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots.
+The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.  
+After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.
 
-Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/dtag-dev-sec/tpotce#ssh-and-web-access).
+Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
 
 <a name="documentation"></a>
 # Further documentation
 - [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
-- [Cloud modules — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html)
-- [os_server – Create/Delete Compute Instances from OpenStack — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/os_server_module.html)
+- [openstack.cloud.server – Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html)
 - [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)
-- [Open Telekom Cloud API Overview](https://docs.otc.t-systems.com/en-us/api/wp/en-us_topic_0052070394.html)

cloud/ansible/openstack/clouds.yaml

@@ -1,6 +1,7 @@
 clouds:
   open-telekom-cloud:
     profile: otc
+    region_name: eu-de
     auth:
       project_name: eu-de_your_project
       username: your_api_user

cloud/ansible/openstack/deploy_tpot.yaml

@@ -4,13 +4,22 @@
   roles:
     - check
 
-- name: Deploy instance
+- name: Deploy instances
   hosts: localhost
-  roles:
-    - deploy
+  vars_files: my_os_cloud.yaml
+  tasks:
+    - name: Create security group and network
+      ansible.builtin.include_role:
+        name: create_net
+    - name: Create one or more instances
+      ansible.builtin.include_role:
+        name: create_vm
+      loop: "{{ range(0, 1) }}"
+      loop_control:
+        extended: yes
 
-- name: Install T-Pot on new instance
-  hosts: TPOT
+- name: Install T-Pot
+  hosts: tpot
   remote_user: linux
   become: yes
   gather_facts: no

cloud/ansible/openstack/my_os_cloud.yaml

@@ -0,0 +1,2 @@
+# Enter the name of your cloud to use from clouds.yaml
+cloud: open-telekom-cloud

cloud/ansible/openstack/requirements.yaml

@@ -0,0 +1,2 @@
+collections:
+- name: openstack.cloud

cloud/ansible/openstack/roles/check/tasks/main.yaml

@@ -1,17 +1,19 @@
 - name: Install dependencies
-  package:
+  ansible.builtin.package:
     name:
-      - pwgen
-      - python-setuptools
-      - python-pip
+      - gcc
+      - python3-dev
+      - python3-setuptools
+      - python3-pip
     state: present
 
 - name: Install openstacksdk
-  pip:
+  ansible.builtin.pip:
     name: openstacksdk
+    executable: pip3
 
 - name: Check if agent forwarding is enabled
-  fail:
+  ansible.builtin.fail:
     msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
   ignore_errors: yes
   when: lookup('env','SSH_AUTH_SOCK') == ""

cloud/ansible/openstack/roles/create_net/tasks/main.yaml

@@ -0,0 +1,33 @@
+- name: Create security group
+  openstack.cloud.security_group:
+    cloud: "{{ cloud }}"
+    name: sg-tpot-any
+    description: tpot any-any
+
+- name: Add rules to security group
+  openstack.cloud.security_group_rule:
+    cloud: "{{ cloud }}"
+    security_group: sg-tpot-any
+    remote_ip_prefix: 0.0.0.0/0
+
+- name: Create network
+  openstack.cloud.network:
+    cloud: "{{ cloud }}"
+    name: network-tpot
+
+- name: Create subnet
+  openstack.cloud.subnet:
+    cloud: "{{ cloud }}"
+    network_name: network-tpot
+    name: subnet-tpot
+    cidr: 192.168.0.0/24
+    dns_nameservers:
+      - 1.1.1.1
+      - 8.8.8.8
+
+- name: Create router
+  openstack.cloud.router:
+    cloud: "{{ cloud }}"
+    name: router-tpot
+    interfaces:
+      - subnet-tpot

cloud/ansible/openstack/roles/create_vm/tasks/main.yaml

@@ -0,0 +1,24 @@
+- name: Generate T-Pot name
+  ansible.builtin.set_fact:
+    tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=6') }}"
+
+- name: Create instance {{ ansible_loop.index }} of {{ ansible_loop.length }}
+  openstack.cloud.server:
+    cloud: "{{ cloud }}"
+    name: "{{ tpot_name }}"
+    availability_zone: "{{ availability_zone }}"
+    image: "{{ image }}"
+    boot_from_volume: yes
+    volume_size: "{{ volume_size }}"
+    key_name: "{{ key_name }}"
+    timeout: 200
+    flavor: "{{ flavor }}"
+    security_groups: sg-tpot-any
+    network: network-tpot
+  register: tpot
+
+- name: Add instance to inventory
+  ansible.builtin.add_host:
+    hostname: "{{ tpot_name }}"
+    ansible_host: "{{ tpot.server.public_v4 }}"
+    groups: tpot

cloud/ansible/openstack/roles/create_vm/vars/main.yaml

@@ -2,4 +2,4 @@ availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
 key_name: your-KeyPair
-flavor: s2.medium.8
+flavor: s3.medium.8

cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml

@@ -1,5 +1,5 @@
 - name: Copy ews configuration file
-  template:
+  ansible.builtin.template:
     src: ews.cfg
     dest: /data/ews/conf
     owner: root
@@ -7,7 +7,7 @@
     mode: 0644
 
 - name: Patching tpot.yml with custom ews configuration file
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /opt/tpot/etc/tpot.yml
     insertafter: "/opt/ewsposter/ews.ip"
     line: "     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg"

cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml

@@ -1,5 +1,5 @@
 - name: Copy hpfeeds configuration file
-  copy:
+  ansible.builtin.copy:
     src: hpfeeds.cfg
     dest: /data/ews/conf
     owner: tpot
@@ -8,5 +8,5 @@
   register: config
 
 - name: Applying hpfeeds settings
-  command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
+  ansible.builtin.command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
   when: config.changed == true

cloud/ansible/openstack/roles/deploy/tasks/main.yaml

@@ -1,58 +0,0 @@
-- name: Create T-Pot name
-  shell: echo t-pot-ansible-$(pwgen -ns 6 -1)
-  register: tpot_name
-
-- name: Create security group
-  os_security_group:
-    cloud: open-telekom-cloud
-    name: sg-tpot-any
-    description: tpot any-any
-
-- name: Add rules to security group
-  os_security_group_rule:
-    cloud: open-telekom-cloud
-    security_group: sg-tpot-any
-    remote_ip_prefix: 0.0.0.0/0
-
-- name: Create network
-  os_network:
-    cloud: open-telekom-cloud
-    name: network-tpot
-
-- name: Create subnet
-  os_subnet:
-    cloud: open-telekom-cloud
-    network_name: network-tpot
-    name: subnet-tpot
-    cidr: 192.168.0.0/24
-    dns_nameservers:
-      - 1.1.1.1
-      - 8.8.8.8
-
-- name: Create router
-  os_router:
-    cloud: open-telekom-cloud
-    name: router-tpot
-    interfaces:
-      - subnet-tpot
-
-- name: Launch an instance
-  os_server:
-    cloud: open-telekom-cloud
-    name: "{{ tpot_name.stdout }}"
-    availability_zone: "{{ availability_zone }}"
-    image: "{{ image }}"
-    boot_from_volume: yes
-    volume_size: "{{ volume_size }}"
-    key_name: "{{ key_name }}"
-    timeout: 200
-    flavor: "{{ flavor }}"
-    security_groups: sg-tpot-any
-    network: network-tpot
-  register: tpot
-
-- name: Add instance to inventory
-  add_host:
-    hostname: "{{ tpot_name.stdout }}"
-    ansible_host: "{{ tpot.server.public_v4 }}"
-    groups: TPOT

cloud/ansible/openstack/roles/install/tasks/main.yaml

@@ -1,29 +1,29 @@
 - name: Waiting for SSH connection
-  wait_for_connection:
+  ansible.builtin.wait_for_connection:
 
 - name: Gathering facts
-  setup:
+  ansible.builtin.setup:
 
 - name: Cloning T-Pot install directory
-  git:
-    repo: "https://github.com/dtag-dev-sec/tpotce.git"
+  ansible.builtin.git:
+    repo: "https://github.com/telekom-security/tpotce.git"
     dest: /root/tpot
 
 - name: Prepare to set user password
-  set_fact:
+  ansible.builtin.set_fact:
     user_name: "{{ ansible_user }}"
     user_salt: "s0mew1ck3dTpoT"
   no_log: true
 
 - name: Changing password for user {{ user_name }}
-  user:
+  ansible.builtin.user:
    name: "{{ ansible_user }}"
    password: "{{ user_password | password_hash('sha512', user_salt) }}"
    state: present
    shell: /bin/bash
 
 - name: Copy T-Pot configuration file
-  template:
+  ansible.builtin.template:
     src: ../../../../../../iso/installer/tpot.conf.dist
     dest: /root/tpot.conf
     owner: root
@@ -31,15 +31,15 @@
     mode: 0644
 
 - name: Install T-Pot on instance -  be patient, this might take 15 to 30 minutes depending on the connection speed.
-  command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
+  ansible.builtin.command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
 
 - name: Delete T-Pot configuration file
-  file:
+  ansible.builtin.file:
     path: /root/tpot.conf
     state: absent
 
 - name: Change unattended-upgrades to take default action
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/apt/apt.conf.d/50unattended-upgrades
     block: |
       Dpkg::Options {

cloud/ansible/openstack/roles/reboot/tasks/main.yaml

@@ -1,10 +1,10 @@
 - name: Finally rebooting T-Pot
-  command: shutdown -r now
+  ansible.builtin.command: shutdown -r now
   async: 1
   poll: 0
 
 - name: Next login options
-  debug:
+  ansible.builtin.debug:
     msg:
     - "*****    SSH Access:"
     - "*****    ssh {{ ansible_user }}@{{ ansible_host }} -p 64295"

cloud/terraform/.gitignore

@@ -1,2 +0,0 @@
-**/.terraform
-**/terraform.*

cloud/terraform/README.md

@@ -1,7 +1,7 @@
 # T-Pot Terraform
 This [Terraform](https://www.terraform.io/) configuration can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.  
 Configuration for Amazon Web Services (AWS) and Open Telekom Cloud (OTC) is currently included.
-This can easily be extended to support other [Terraform providers](https://www.terraform.io/docs/providers/index.html).
+This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
 
 [Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup.
 
@@ -9,7 +9,7 @@ This can easily be extended to support other [Terraform providers](https://www.t
 - [What get's created](#what-created)
   - [Amazon Web Services (AWS)](#what-created-aws)
   - [Open Telekom Cloud (OTC)](#what-created-otc)
-- [Pre-Requisites](#pre)
+- [Prerequisites](#pre)
   - [Amazon Web Services (AWS)](#pre-aws)
   - [Open Telekom Cloud (OTC)](#pre-otc)
 - [Terraform Variables](#variables)
@@ -45,8 +45,8 @@ This can easily be extended to support other [Terraform providers](https://www.t
 * Network, Subnet, Router (= Virtual Private Cloud [VPC])
 
 <a name="pre"></a>
-## Pre-Requisites
-* [Terraform](https://www.terraform.io/) 0.12
+## Prerequisites
+* [Terraform](https://www.terraform.io/) 0.13
 
 <a name="pre-aws"></a>
 ### Amazon Web Services (AWS)
@@ -90,10 +90,9 @@ In `aws/variables.tf`, you can change the additional variables:
 <a name="variables-otc"></a>
 ### Open Telekom Cloud (OTC)
 In `otc/variables.tf`, you can change the additional variables:
-* `availabiliy_zone`
+* `availability_zone`
 * `flavor`
 * `key_pair` - Specify an existing SSH key pair
-* `image_id`
 * `volume_size`  
 Furthermore you can configure the naming of the created infrastructure (per default everything gets prefixed with "tpot-", e.g. "tpot-router").
 
@@ -124,4 +123,4 @@ If you want the remove the built infrastructure, you can run [`terraform destroy
 
 <a name="connecting"></a>
 ## Connecting to the Instance
-When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/dtag-dev-sec/tpotce#ssh-and-web-access).
+When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).

cloud/terraform/aws/.terraform.lock.hcl

@@ -0,0 +1,20 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.26.0"
+  constraints = "3.26.0"
+  hashes = [
+    "h1:0i78FItlPeiomd+4ThZrtm56P5K33k7/6dnEe4ZePI0=",
+    "zh:26043eed36d070ca032cf04bc980c654a25821a8abc0c85e1e570e3935bbfcbb",
+    "zh:2fe68f3f78d23830a04d7fac3eda550eef1f627dfc130486f70a65dc5c254300",
+    "zh:3d66484c608c64678e639db25d63872783ce60363a1246e30317f21c9c23b84b",
+    "zh:46ffd755cfd4cf94fe66342797b5afdcef010a24e126c67fee141b357d393535",
+    "zh:5e96f24357e945c9067cf5e032ad1d003609629c956c2f9f642fefe714e74587",
+    "zh:60c27aca36bb63bf3e865c2193be80ca83b376581d00f9c220af4b013e163c4d",
+    "zh:896f0f22d19d41e71b22f9240b261714c3915b165ddefeb771e7734d69dc47ea",
+    "zh:90de9966cb2fd3e2f326df291595e55d2dd2d90e7d6dd085c2c8691dce82bdb4",
+    "zh:ad05a91a88ceb1d6de5a568f7cc0b0e5bc0a79f3da70bc28c1e7f3750e362d58",
+    "zh:e8c63f59c6465329e1f3357498face3dd7ef10a033df3c366a33aa9e94b46c01",
+  ]
+}

cloud/terraform/aws/variables.tf

@@ -32,24 +32,26 @@ variable "ec2_instance_type" {
 variable "ec2_ami" {
   type = map(string)
   default = {
-    "ap-east-1"      = "ami-f9c58188"
-    "ap-northeast-1" = "ami-0fae5501ae428f9d7"
-    "ap-northeast-2" = "ami-0522874b039290246"
-    "ap-south-1"     = "ami-03b4e18f70aca8973"
-    "ap-southeast-1" = "ami-0852293c17f5240b3"
-    "ap-southeast-2" = "ami-03ea2db714f1f6acf"
-    "ca-central-1"   = "ami-094511e5020cdea18"
-    "eu-central-1"   = "ami-0394acab8c5063f6f"
-    "eu-north-1"     = "ami-0c82d9a7f5674320a"
-    "eu-west-1"      = "ami-006d280940ad4a96c"
-    "eu-west-2"      = "ami-08fe9ea08db6f1258"
-    "eu-west-3"      = "ami-04563f5eab11f2b87"
-    "me-south-1"     = "ami-0492a01b319d1f052"
-    "sa-east-1"      = "ami-05e16feea94258a69"
-    "us-east-1"      = "ami-04d70e069399af2e9"
-    "us-east-2"      = "ami-04100f1cdba76b497"
-    "us-west-1"      = "ami-014c78f266c5b7163"
-    "us-west-2"      = "ami-023b7a69b9328e1f9"
+    "af-south-1"     = "ami-04090a79eb0bcb6c1"
+    "ap-east-1"      = "ami-0327f60df432e2479"
+    "ap-northeast-1" = "ami-06bc324209030cbc8"
+    "ap-northeast-2" = "ami-02ee842962ae7df95"
+    "ap-south-1"     = "ami-0d548fffbb2d54e42"
+    "ap-southeast-1" = "ami-0dcf891cda6248f00"
+    "ap-southeast-2" = "ami-022578f782d4e5d30"
+    "ca-central-1"   = "ami-01444dd84a75e9a82"
+    "eu-central-1"   = "ami-097411fa8fbfdffda"
+    "eu-north-1"     = "ami-026984326b6456f6a"
+    "eu-south-1"     = "ami-07ad114e5df69197e"
+    "eu-west-1"      = "ami-0101794b418f8b2a6"
+    "eu-west-2"      = "ami-00eac9341e72e638a"
+    "eu-west-3"      = "ami-01469c569416f3bd3"
+    "me-south-1"     = "ami-0821f357b877b076d"
+    "sa-east-1"      = "ami-0c87b2c6219e3d5fd"
+    "us-east-1"      = "ami-047f0b13f023f6553"
+    "us-east-2"      = "ami-0988470f4e830799f"
+    "us-west-1"      = "ami-0be6bacfeb2913ac2"
+    "us-west-2"      = "ami-0112d55fbe29acc68"
   }
 }
 
@@ -66,7 +68,7 @@ variable "linux_password" {
 # These will go in the generated tpot.conf file
 variable "tpot_flavor" {
   default = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]"
+  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]"
 }
 
 variable "web_user" {

cloud/terraform/aws/versions.tf

@@ -1,3 +1,9 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "3.26.0"
+    }
+  }
 }

cloud/terraform/cloud-init.yaml

@@ -5,7 +5,7 @@ packages:
   - git
 
 runcmd:
-  - git clone https://github.com/dtag-dev-sec/tpotce /root/tpot
+  - git clone https://github.com/telekom-security/tpotce /root/tpot
   - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
   - rm /root/tpot.conf
   - /sbin/shutdown -r now

cloud/terraform/otc/.terraform.lock.hcl

@@ -0,0 +1,39 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.0.1"
+  constraints = "~> 3.0.1"
+  hashes = [
+    "h1:SzM8nt2wzLMI28A3CWAtW25g3ZCm1O4xD0h3Ps/rU1U=",
+    "zh:0d4f683868324af056a9eb2b06306feef7c202c88dbbe6a4ad7517146a22fb50",
+    "zh:4824b3c7914b77d41dfe90f6f333c7ac9860afb83e2a344d91fbe46e5dfbec26",
+    "zh:4b82e43712f3cf0d0cbc95b2cbcd409ba8f0dc7848fdfb7c13633c27468ed04a",
+    "zh:78b3a2b860c3ebc973a794000015f5946eb59b82705d701d487475406b2612f1",
+    "zh:88bc65197bd74ff408d147b32f0045372ae3a3f2a2fdd7f734f315d988c0e4a2",
+    "zh:91bd3c9f625f177f3a5d641a64e54d4b4540cb071070ecda060a8261fb6eb2ef",
+    "zh:a6818842b28d800f784e0c93284ff602b0c4022f407e4750da03f50b853a9a2c",
+    "zh:c4a1a2b52abd05687e6cfded4a789dcd7b43e7a746e4d02dd1055370cf9a994d",
+    "zh:cf65041bf12fc3bde709c1d267dbe94142bc05adcabc4feb17da3b12249132ac",
+    "zh:e385e00e7425dda9d30b74ab4ffa4636f4b8eb23918c0b763f0ffab84ece0c5c",
+  ]
+}
+
+provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
+  version     = "1.22.5"
+  constraints = "1.22.5"
+  hashes = [
+    "h1:H20WxSx+j2JyrqHAgqsrV3rMWEOEZVEQuA7upz/1IgY=",
+    "zh:276ab06e7c011351fc5a803fea0321a9d12b1353bd43f5389f3bbf491e31fc41",
+    "zh:3191dc598ea4e4c99d08a2b1a5f65710dbcc1a892b1f9dde7b52515f32028319",
+    "zh:43db37c5fb6a886ce3bbc2aa730854476da7dd0340622ad874998041fa96f7a2",
+    "zh:45f3e2677a4c35bd88d435c906224092e0dde17055a203b474da2eeacffbf9b7",
+    "zh:504568581e561130fc0a9ceb6514e9664c67e3a89cd6c912f64c82f0a0305a30",
+    "zh:5646c76cbe710fd0acde409cdcfb352dd53a282c0207e46e33ac5714d0eaa0b9",
+    "zh:578b0f5d43f156f86ca6a63604da6e968f035d0b4bf6ccfc83db284fd31057f6",
+    "zh:784459b8350dc650f01e6866bcec0632e8b5a8733d81e6ed53bc8cc1254abb92",
+    "zh:970aa873a81994cddf84279b255d3f51a4138b23cb9162707cefb84042451bfc",
+    "zh:e892b8b6225a46067586b8e54a7102ac1b0fc296b4851dab3d4cc185de538d66",
+    "zh:f8c4699eebe99ac93d9cdccfcc809a5bd3d6c238be136d5a26c4e812ef30ec32",
+  ]
+}

cloud/terraform/otc/clouds.yaml

@@ -1,5 +1,6 @@
 clouds:
   open-telekom-cloud:
+    region_name: eu-de
     auth:
       project_name: eu-de_your_project
       username: your_api_user

cloud/terraform/otc/main.tf

@@ -1,3 +1,7 @@
+data "opentelekomcloud_images_image_v2" "debian" {
+  name = "Standard_Debian_10_latest"
+}
+
 resource "opentelekomcloud_networking_secgroup_v2" "secgroup_1" {
   name        = var.secgroup_name
   description = var.secgroup_desc
@@ -36,8 +40,8 @@ resource "random_id" "tpot" {
 }
 
 resource "opentelekomcloud_compute_instance_v2" "ecs_1" {
-  availability_zone = var.availabiliy_zone
-  name              = random_id.tpot.b64
+  availability_zone = var.availability_zone
+  name              = random_id.tpot.b64_std
   flavor_name       = var.flavor
   key_pair          = var.key_pair
   security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.name]
@@ -48,7 +52,7 @@ resource "opentelekomcloud_compute_instance_v2" "ecs_1" {
   }
 
   block_device {
-    uuid                  = var.image_id
+    uuid                  = data.opentelekomcloud_images_image_v2.debian.id
     source_type           = "image"
     volume_size           = var.volume_size
     destination_type      = "volume"

cloud/terraform/otc/variables.tf

@@ -34,13 +34,13 @@ variable "ecs_prefix" {
 }
 
 # ECS configuration
-variable "availabiliy_zone" {
+variable "availability_zone" {
   default = "eu-de-03"
   description = "Select an availability zone"
 }
 
 variable "flavor" {
-  default = "s2.medium.8"
+  default = "s3.medium.8"
   description = "Select a compute flavor"
 }
 
@@ -49,11 +49,6 @@ variable "key_pair" {
   description = "Specify your SSH key pair"
 }
 
-variable "image_id" {
-  default = "d97dd29c-9318-4e4c-8d3a-7307d1513b77"
-  description = "Select a Debian 10 base image id"
-}
-
 variable "volume_size" {
   default = "128"
   description = "Set the volume size"
@@ -62,7 +57,7 @@ variable "volume_size" {
 # These will go in the generated tpot.conf file
 variable "tpot_flavor" {
   default = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]"
+  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]"
 }
 
 variable "web_user" {

cloud/terraform/otc/versions.tf

@@ -1,3 +1,13 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
+  required_providers {
+    opentelekomcloud = {
+      source = "opentelekomcloud/opentelekomcloud"
+      version = "1.22.5"
+    }
+    random = {
+      source = "hashicorp/random"
+      version = "~> 3.0.1"
+    }
+  }
 }

docker/adbhoney/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:latest 
+FROM alpine:3.13
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U add \
+RUN apk -U add \
             git \
             libcap \
 	    py3-pip \
@@ -13,7 +12,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
             python3-dev && \
 #
 # Install adbhoney from git
-    git clone --depth=1 https://github.com/huuck/ADBHoney /opt/adbhoney && \
+    git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
+    cd /opt/adbhoney && \
+    git checkout ad7c17e78d01f6860d58ba826a4b6a4e4f83acbd && \
     cp /root/dist/adbhoney.cfg /opt/adbhoney && \
     sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
     sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \

docker/adbhoney/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - adbhoney_local
     ports:
      - "5555:5555"
-    image: "dtagdevsec/adbhoney:2006"
+    image: "ghcr.io/telekom-security/adbhoney:2006"
     read_only: true
     volumes:
      - /data/adbhoney/log:/opt/adbhoney/log

docker/ciscoasa/Dockerfile

@@ -1,17 +1,17 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup env and apt
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U upgrade && \
+RUN apk -U upgrade && \
     apk add build-base \
             git \
             libffi \
             libffi-dev \
             openssl \
             openssl-dev \
+	    py3-cryptography \
 	    py3-pip \
             python3 \
             python3-dev && \
@@ -23,8 +23,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Get and install packages
     mkdir -p /opt/ && \
     cd /opt/ && \
-    git clone --depth=1 https://github.com/cymmetria/ciscoasa_honeypot && \
+    git clone https://github.com/cymmetria/ciscoasa_honeypot && \
     cd ciscoasa_honeypot && \
+    git checkout d6e91f1aab7fe6fc01fabf2046e76b68dd6dc9e2 && \
     pip3 install --no-cache-dir -r requirements.txt && \
     cp /root/dist/asa_server.py /opt/ciscoasa_honeypot && \
     chown -R ciscoasa:ciscoasa /opt/ciscoasa_honeypot && \

docker/ciscoasa/docker-compose.yml

@@ -13,7 +13,7 @@ services:
     ports:
      - "5000:5000/udp"
      - "8443:8443"
-    image: "dtagdevsec/ciscoasa:2006"
+    image: "ghcr.io/telekom-security/ciscoasa:2006"
     read_only: true
     volumes:
      - /data/ciscoasa/log:/var/log/ciscoasa

docker/citrixhoneypot/Dockerfile

@@ -1,8 +1,7 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U add \
+RUN apk -U add \
             git \
             libcap \
 	    openssl \
@@ -13,9 +12,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     pip3 install --no-cache-dir python-json-logger && \
 #
 # Install CitrixHoneypot from GitHub
-#    git clone --depth=1 https://github.com/malwaretech/citrixhoneypot /opt/citrixhoneypot && \
-#    git clone --depth=1 https://github.com/vorband/CitrixHoneypot /opt/citrixhoneypot && \
-    git clone --depth=1 https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
+    git clone https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
+    cd /opt/citrixhoneypot && \
+    git checkout f59ad7320dc5bbb8c23c8baa5f111b52c52fbef3 && \
 #
 # Setup user, groups and configs
     mkdir -p /opt/citrixhoneypot/logs /opt/citrixhoneypot/ssl && \

docker/citrixhoneypot/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - citrixhoneypot_local
     ports:
      - "443:443"
-    image: "dtagdevsec/citrixhoneypot:2006"
+    image: "ghcr.io/telekom-security/citrixhoneypot:2006"
     read_only: true
     volumes:
      - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs

docker/conpot/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:latest
+FROM alpine:edge
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup apt
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U add \
+RUN apk -U add \
              build-base \
              file \
              git \
@@ -17,19 +16,20 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
              libxslt-dev \
              mariadb-dev \
              pkgconfig \
-	     py3-pip \
              python3 \
              python3-dev \
-             py-cffi \
-             py-cryptography \
+             py3-cffi \
+             py3-cryptography \
+	     py3-gevent \
+	     py3-pip \
              tcpdump \
              wget && \
 #
 # Setup ConPot
-    git clone --depth=1 https://github.com/mushorg/conpot /opt/conpot && \
+    git clone https://github.com/mushorg/conpot /opt/conpot && \
     cd /opt/conpot/ && \
-    # Patch to accept ENV for MIB path
-    sed -i "s/tmp_mib_dir = tempfile.mkdtemp()/tmp_mib_dir = tempfile.mkdtemp(dir=os.environ['CONPOT_TMP'])/" /opt/conpot/conpot/protocols/snmp/snmp_server.py && \
+#    git checkout ff09e009d10d953aa7dcff2c06b7c890e6ffd4b7 && \
+    git checkout 804fd65aa3b7ffa31c07fd4e863d4a5500414cf3 && \
     # Change template default ports if <1024
     sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \ 
     sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \ 
@@ -42,6 +42,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/ipmi/ipmi/ipmi.xml && \ 
     pip3 install --no-cache-dir -U setuptools && \
     pip3 install --no-cache-dir . && \
+    pip3 install --no-cache-dir pysnmp-mibs && \
     cd / && \
     rm -rf /opt/conpot /tmp/* /var/tmp/* && \
     setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
@@ -75,4 +76,4 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Start conpot
 STOPSIGNAL SIGINT
 USER conpot:conpot
-CMD exec /usr/bin/conpot --temp_dir $CONPOT_TMP --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG
+CMD exec /usr/bin/conpot --mibcache $CONPOT_TMP --temp_dir $CONPOT_TMP --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

docker/conpot/dist/templates/IEC104/template.xml

@@ -70,7 +70,7 @@
                 <value type="value">100000000</value>
             </key>
             <key name="ifPhysAddress">
-                <value type="value">"\x00\x0e\x8c\x29\xc5\x1a"</value>
+                <value type="value">"0x000e8c29c51a"</value>
             </key>
             <key name="ifAdminStatus">
                 <value type="value">1</value>
@@ -347,6 +347,10 @@
 
 
             <!-- IEC104 Protocol parameter -->
+            <!-- Common (Object) Address, aka COA, Station Address -->
+            <key name="CommonAddress">
+                <value type="value">"0x1e28"</value>
+            </key>
             <!-- Timeout of connection establishment -->
             <key name="T_0">
                 <value type="value">30</value>

docker/conpot/docker-compose.yml

@@ -35,7 +35,7 @@ services:
      - "2121:21"
      - "44818:44818"
      - "47808:47808"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -58,7 +58,7 @@ services:
     ports:
 #     - "161:161"
      - "2404:2404"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -80,7 +80,7 @@ services:
      - conpot_local_guardian_ast
     ports:
      - "10001:10001"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -102,7 +102,7 @@ services:
      - conpot_local_ipmi
     ports:
      - "623:623"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -125,7 +125,7 @@ services:
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot

docker/cowrie/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Get and install dependencies & packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U add \
+RUN apk -U add \
              bash \
              build-base \
              git \
@@ -20,6 +19,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
              python3 \
              python3-dev \
 	     py3-bcrypt \
+	     py3-cryptography \
              py3-mysqlclient \
              py3-requests \
              py3-setuptools && \
@@ -31,8 +31,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Install cowrie
     mkdir -p /home/cowrie && \
     cd /home/cowrie && \
-    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.1.0 && \
+    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.2.0 && \
     cd cowrie && \
+#    sed -i s/logfile.DailyLogFile/logfile.LogFile/g src/cowrie/python/logfile.py && \
     mkdir -p log && \
     cp /root/dist/requirements.txt . && \
     pip3 install -r requirements.txt && \

docker/cowrie/dist/requirements.txt

@@ -1,13 +1,14 @@
-attrs==19.3.0
-bcrypt==3.1.7
-configparser==4.0.2
-cryptography==2.9.2
-packaging==20.3
+appdirs==1.4.4
+attrs==20.3.0
+bcrypt==3.2.0
+configparser==5.0.1
+#cryptography==3.4.5
+#packaging==20.9
 pyasn1_modules==0.2.8
-pyopenssl==19.1.0
+pyopenssl==20.0.1
 pyparsing==2.4.7
 python-dateutil==2.8.1
 service_identity==18.1.0
 tftpy==0.8.0
-treq==20.4.1
+treq==21.1.0
 twisted==20.3.0

docker/cowrie/docker-compose.yml

@@ -18,7 +18,7 @@ services:
     ports:
      - "22:22"
      - "23:23"
-    image: "dtagdevsec/cowrie:2006"
+    image: "ghcr.io/telekom-security/cowrie:2006"
     read_only: true
     volumes:
      - /data/cowrie/downloads:/home/cowrie/cowrie/dl

docker/cyberchef/Dockerfile

@@ -1,20 +1,17 @@
 FROM alpine:3.10
 #
 # Get and install dependencies & packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+RUN apk -U --no-cache add \
             curl \
             git \
             npm \
             nodejs && \
-    npm install -g grunt-cli && \
-    npm install -g http-server && \
     npm install npm@latest -g && \
+    npm install -g grunt-cli http-server && \
 #
 # Install CyberChef 
     cd /root && \
-    git clone https://github.com/gchq/cyberchef --depth=1 && \
-    chown -R nobody:nobody cyberchef && \
+    git clone https://github.com/gchq/cyberchef -b v9.27.0 && \
     cd cyberchef && \
     npm install && \
     grunt prod && \
@@ -31,7 +28,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Healthcheck
 HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:8000'
 #
-# Set user, workdir and start spiderfoot
+# Set user, workdir and start cyberchef
 USER nobody:nobody
 WORKDIR /opt/cyberchef
 CMD ["http-server", "-p", "8000"]

docker/cyberchef/docker-compose.yml

@@ -14,5 +14,5 @@ services:
      - cyberchef_local
     ports:
      - "127.0.0.1:64299:8000"
-    image: "dtagdevsec/cyberchef:2006"
+    image: "ghcr.io/telekom-security/cyberchef:2006"
     read_only: true

docker/deprecated/elasticpot.old/README.md

@@ -1,10 +1,10 @@
-[![](https://images.microbadger.com/badges/version/dtagdevsec/elasticpot:1903.svg)](https://microbadger.com/images/dtagdevsec/elasticpot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/elasticpot:1903.svg)](https://microbadger.com/images/dtagdevsec/elasticpot:1903 "Get your own image badge on microbadger.com")
+[![](https://images.microbadger.com/badges/version/ghcr.io/telekom-security/elasticpot:1903.svg)](https://microbadger.com/images/ghcr.io/telekom-security/elasticpot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/ghcr.io/telekom-security/elasticpot:1903.svg)](https://microbadger.com/images/ghcr.io/telekom-security/elasticpot:1903 "Get your own image badge on microbadger.com")
 
 # elasticpot
 
 [elasticpot](https://github.com/schmalle/ElasticPot) is a simple elastic search honeypot.
 
-This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
+This dockerized version is part of the **[T-Pot community honeypot](http://telekom-security.github.io/)** of Deutsche Telekom AG.
 
 The `Dockerfile` contains the blueprint for the dockerized elasticpot and will be used to setup the docker image.
 

docker/deprecated/elasticpot.old/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - elasticpot_local
     ports:
      - "9200:9200"
-    image: "dtagdevsec/elasticpot:2006"
+    image: "ghcr.io/telekom-security/elasticpot:2006"
     read_only: true
     volumes:
      - /data/elasticpot/log:/opt/ElasticpotPY/log

docker/deprecated/glastopf/README.md

@@ -1,10 +1,10 @@
-[![](https://images.microbadger.com/badges/version/dtagdevsec/glastopf:1903.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/glastopf:1903.svg)](https://microbadger.com/images/dtagdevsec/glastopf:1903 "Get your own image badge on microbadger.com")
+[![](https://images.microbadger.com/badges/version/ghcr.io/telekom-security/glastopf:1903.svg)](https://microbadger.com/images/ghcr.io/telekom-security/glastopf:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/ghcr.io/telekom-security/glastopf:1903.svg)](https://microbadger.com/images/ghcr.io/telekom-security/glastopf:1903 "Get your own image badge on microbadger.com")
 
 # glastopf (deprecated)
 
 [glastopf](https://github.com/mushorg/glastopf) is a python web application honeypot.
 
-This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
+This dockerized version is part of the **[T-Pot community honeypot](http://telekom-security.github.io/)** of Deutsche Telekom AG.
 
 The `Dockerfile` contains the blueprint for the dockerized glastopf and will be used to setup the docker image.
 

docker/deprecated/glastopf/docker-compose.yml

@@ -16,7 +16,7 @@ services:
      - glastopf_local
     ports:
      - "8081:80"
-    image: "dtagdevsec/glastopf:1903"
+    image: "ghcr.io/telekom-security/glastopf:1903"
     read_only: true
     volumes:
      - /data/glastopf/db:/tmp/glastopf/db

docker/deprecated/hpfeeds/docker-compose.yml

@@ -16,4 +16,4 @@ services:
      - hpfeeds_local
     ports:
      - "20000:20000"
-    image: "dtagdevsec/hpfeeds:latest"
+    image: "ghcr.io/telekom-security/hpfeeds:latest"

docker/deprecated/nginx/docker-compose.yml

@@ -17,7 +17,7 @@ services:
     network_mode: "host"
     ports:
      - "64297:64297"
-    image: "dtagdevsec/nginx:1903"
+    image: "ghcr.io/telekom-security/nginx:1903"
     read_only: true
     volumes:
      - /data/nginx/cert/:/etc/nginx/cert/:ro

docker/dicompot/Dockerfile

@@ -1,8 +1,7 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Setup apk
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U add \
+RUN apk -U add \
                    build-base \
                    git \
                    g++ && \
@@ -14,6 +13,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     cd /opt/go/ && \
     git clone https://github.com/nsmfoo/dicompot.git && \
     cd dicompot && \
+    git checkout 41331194156bbb17078bcc1594f4952ac06a731e && \
     go mod download && \
     go install -a -x github.com/nsmfoo/dicompot/server && \
 #

docker/dicompot/docker-compose.yml

@@ -17,7 +17,7 @@ services:
      - dicompot_local
     ports:
      - "11112:11112"
-    image: "dtagdevsec/dicompot:2006"
+    image: "ghcr.io/telekom-security/dicompot:2006"
     read_only: true
     volumes:
      - /data/dicompot/log:/var/log/dicompot

docker/dionaea/Dockerfile

@@ -5,7 +5,11 @@ ENV DEBIAN_FRONTEND noninteractive
 ADD dist/ /root/dist/
 #
 # Install dependencies and packages
-RUN apt-get update -y && \
+RUN apt-get update && \
+    apt-get install netselect-apt -y && \
+    netselect-apt && \
+    mv sources.list /etc/apt/ && \
+    apt-get update -y && \
     apt-get dist-upgrade -y && \
     apt-get install -y --no-install-recommends \
 	build-essential \
@@ -36,7 +40,7 @@ RUN apt-get update -y && \
 #
 # Get and install dionaea
     # Latest master is unstable, SIP causes crashing
-    git clone --depth=1 https://github.com/dinotools/dionaea -b 0.8.0 /root/dionaea/ && \
+    git clone --depth=1 https://github.com/dinotools/dionaea -b 0.11.0 /root/dionaea/ && \
     cd /root/dionaea && \
     #git checkout 1426750b9fd09c5bfeae74d506237333cd8505e2 && \
     mkdir build && \

docker/dionaea/docker-compose.yml

@@ -31,7 +31,7 @@ services:
      - "5060:5060/udp"
      - "5061:5061"
      - "27017:27017"
-    image: "dtagdevsec/dionaea:2006"
+    image: "ghcr.io/telekom-security/dionaea:2006"
     read_only: true
     volumes:
      - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp

docker/docker-compose.yml

@@ -10,98 +10,98 @@ services:
 # Adbhoney service
   adbhoney:
     build: adbhoney/.
-    image: "dtagdevsec/adbhoney:2006"
+    image: "ghcr.io/telekom-security/adbhoney:2006"
 
 # Ciscoasa service
   ciscoasa:
     build: ciscoasa/.
-    image: "dtagdevsec/ciscoasa:2006"
+    image: "ghcr.io/telekom-security/ciscoasa:2006"
 
 # CitrixHoneypot service
   citrixhoneypot:
     build: citrixhoneypot/.
-    image: "dtagdevsec/citrixhoneypot:2006"
+    image: "ghcr.io/telekom-security/citrixhoneypot:2006"
 
 # Conpot IEC104 service
   conpot_IEC104:
     build: conpot/.
-    image: "dtagdevsec/conpot:2006"
+    image: "ghcr.io/telekom-security/conpot:2006"
 
 # Cowrie service
   cowrie:
     build: cowrie/.
-    image: "dtagdevsec/cowrie:2006"
+    image: "ghcr.io/telekom-security/cowrie:2006"
 
 # Dicompot service
   dicompot:
     build: dicompot/.
-    image: "dtagdevsec/dicompot:2006"
+    image: "ghcr.io/telekom-security/dicompot:2006"
 
 # Dionaea service
   dionaea:
     build: dionaea/.
-    image: "dtagdevsec/dionaea:2006"
+    image: "ghcr.io/telekom-security/dionaea:2006"
 
 # ElasticPot service
   elasticpot:
     build: elasticpot/.
-    image: "dtagdevsec/elasticpot:2006"
+    image: "ghcr.io/telekom-security/elasticpot:2006"
 
 # Glutton service
   glutton:
     build: glutton/.
-    image: "dtagdevsec/glutton:2006"
+    image: "ghcr.io/telekom-security/glutton:2006"
 
 # Heralding service
   heralding:
     build: heralding/.
-    image: "dtagdevsec/heralding:2006"
+    image: "ghcr.io/telekom-security/heralding:2006"
 
 # HoneyPy service
   honeypy:
     build: honeypy/.
-    image: "dtagdevsec/honeypy:2006"
+    image: "ghcr.io/telekom-security/honeypy:2006"
 
 # Honeytrap service
   honeytrap:
     build: honeytrap/.
-    image: "dtagdevsec/honeytrap:2006"
+    image: "ghcr.io/telekom-security/honeytrap:2006"
 
 # Mailoney service
   mailoney:
     build: mailoney/.
-    image: "dtagdevsec/mailoney:2006"
+    image: "ghcr.io/telekom-security/mailoney:2006"
 
 # Medpot service
   medpot:
     build: medpot/.
-    image: "dtagdevsec/medpot:2006"
+    image: "ghcr.io/telekom-security/medpot:2006"
 
 # Rdpy service
   rdpy:
     build: rdpy/.
-    image: "dtagdevsec/rdpy:2006"
+    image: "ghcr.io/telekom-security/rdpy:2006"
 
 #### Snare / Tanner
 ## Tanner Redis Service
   tanner_redis:
     build: tanner/redis/.
-    image: "dtagdevsec/redis:2006"
+    image: "ghcr.io/telekom-security/redis:2006"
 
 ## PHP Sandbox service
   tanner_phpox:
     build: tanner/phpox/.
-    image: "dtagdevsec/phpox:2006"
+    image: "ghcr.io/telekom-security/phpox:2006"
 
 ## Tanner API Service
   tanner_api:
     build: tanner/tanner/.
-    image: "dtagdevsec/tanner:2006"
+    image: "ghcr.io/telekom-security/tanner:2006"
 
 ## Snare Service
   snare:
     build: tanner/snare/.
-    image: "dtagdevsec/snare:2006"
+    image: "ghcr.io/telekom-security/snare:2006"
 
 
 ##################
@@ -111,17 +111,17 @@ services:
 # Fatt service
   fatt:
     build: fatt/.
-    image: "dtagdevsec/fatt:2006"
+    image: "ghcr.io/telekom-security/fatt:2006"
 
 # P0f service
   p0f:
     build: p0f/.
-    image: "dtagdevsec/p0f:2006"
+    image: "ghcr.io/telekom-security/p0f:2006"
 
 # Suricata service
   suricata:
     build: suricata/.
-    image: "dtagdevsec/suricata:2006"
+    image: "ghcr.io/telekom-security/suricata:2006"
 
 
 ##################
@@ -131,40 +131,40 @@ services:
 # Cyberchef service
   cyberchef:
     build: cyberchef/.
-    image: "dtagdevsec/cyberchef:2006"
+    image: "ghcr.io/telekom-security/cyberchef:2006"
 
 #### ELK
 ## Elasticsearch service
   elasticsearch:
     build: elk/elasticsearch/.
-    image: "dtagdevsec/elasticsearch:2006"
+    image: "ghcr.io/telekom-security/elasticsearch:2006"
 
 ## Kibana service
   kibana:
     build: elk/kibana/.
-    image: "dtagdevsec/kibana:2006"
+    image: "ghcr.io/telekom-security/kibana:2006"
 
 ## Logstash service
   logstash:
     build: elk/logstash/.
-    image: "dtagdevsec/logstash:2006"
+    image: "ghcr.io/telekom-security/logstash:2006"
 
 ## Elasticsearch-head service
   head:
     build: elk/head/.
-    image: "dtagdevsec/head:2006"
+    image: "ghcr.io/telekom-security/head:2006"
 
 # Ewsposter service
   ewsposter:
     build: ews/.
-    image: "dtagdevsec/ewsposter:2006"
+    image: "ghcr.io/telekom-security/ewsposter:2006"
 
 # Nginx service
   nginx:
     build: heimdall/.
-    image: "dtagdevsec/nginx:2006"
+    image: "ghcr.io/telekom-security/nginx:2006"
 
 # Spiderfoot service
   spiderfoot:
     build: spiderfoot/.
-    image: "dtagdevsec/spiderfoot:2006"
+    image: "ghcr.io/telekom-security/spiderfoot:2006"

docker/elasticpot/Dockerfile

@@ -1,17 +1,18 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U add \
+RUN apk -U add \
              build-base \
 	     ca-certificates \
              git \
              libffi-dev \
 	     openssl \
              openssl-dev \
+	     postgresql-dev \
+             py3-cryptography \
              py3-mysqlclient \
              py3-requests \
 	     py3-pip \
@@ -19,8 +20,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
              python3-dev && \
     mkdir -p /opt && \
     cd /opt/ && \
-    git clone --depth=1 https://gitlab.com/bontchev/elasticpot.git/ && \
+    git clone https://gitlab.com/bontchev/elasticpot.git/ && \
     cd elasticpot && \
+    git checkout d12649730d819bd78ea622361b6c65120173ad45 && \
     pip3 install -r requirements.txt && \
 #
 # Setup user, groups and configs
@@ -33,6 +35,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
                     git \
                     libffi-dev \
 		    openssl-dev \
+		    postgresql-dev \
 		    python3-dev && \
     rm -rf /root/* && \
     rm -rf /var/cache/apk/*

docker/elasticpot/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - elasticpot_local
     ports:
      - "9200:9200"
-    image: "dtagdevsec/elasticpot:2006"
+    image: "ghcr.io/telekom-security/elasticpot:2006"
     read_only: true
     volumes:
      - /data/elasticpot/log:/opt/elasticpot/log

docker/elk/docker-compose.yml

@@ -24,7 +24,7 @@ services:
     mem_limit: 4g
     ports:
      - "127.0.0.1:64298:9200"
-    image: "dtagdevsec/elasticsearch:2006"
+    image: "ghcr.io/telekom-security/elasticsearch:2006"
     volumes:
      - /data:/data
 
@@ -39,19 +39,21 @@ services:
         condition: service_healthy
     ports:
      - "127.0.0.1:64296:5601"
-    image: "dtagdevsec/kibana:2006"
+    image: "ghcr.io/telekom-security/kibana:2006"
 
 ## Logstash service
   logstash:
     build: logstash/.
     container_name: logstash
     restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
     depends_on:
       elasticsearch:
         condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/logstash:2006"
+    image: "ghcr.io/telekom-security/logstash:2006"
     volumes:
      - /data:/data
 #     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
@@ -66,5 +68,5 @@ services:
         condition: service_healthy
     ports:
      - "127.0.0.1:64302:9100"
-    image: "dtagdevsec/head:2006"
+    image: "ghcr.io/telekom-security/head:2006"
     read_only: true

docker/elk/elasticsearch/Dockerfile

@@ -1,14 +1,14 @@
-FROM alpine
+FROM alpine:3.13
 #
 # VARS
-ENV ES_VER=7.8.0 \
+ENV ES_VER=7.11.1 \
     JAVA_HOME=/usr/lib/jvm/java-11-openjdk
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup env and apt
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+#RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk -U --no-cache add \
              aria2 \
              bash \
              curl \

docker/elk/elasticsearch/docker-compose.yml

@@ -24,6 +24,6 @@ services:
     mem_limit: 2g
     ports:
      - "127.0.0.1:64298:9200"
-    image: "dtagdevsec/elasticsearch:2006"
+    image: "ghcr.io/telekom-security/elasticsearch:2006"
     volumes:
      - /data:/data

docker/elk/head/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Setup env and apt
 RUN apk -U add \
@@ -10,7 +10,8 @@ RUN apk -U add \
 # Get and install packages
     mkdir -p /usr/src/app/ && \
     cd /usr/src/app/ && \
-    git clone --depth=1 https://github.com/mobz/elasticsearch-head . && \
+    git clone https://github.com/mobz/elasticsearch-head . && \
+    git checkout 2d51fecac2980d350fcd3319fd9fe2999f63c9db && \
     npm install http-server && \
     sed -i "s#\"http\:\/\/localhost\:9200\"#window.location.protocol \+ \'\/\/\' \+ window.location.hostname \+ \'\:\' \+ window.location.port \+ \'\/es\/\'#" /usr/src/app/_site/app.js && \
 #

docker/elk/head/docker-compose.yml

@@ -12,5 +12,5 @@ services:
     #        condition: service_healthy
     ports:
      - "127.0.0.1:64302:9100"
-    image: "dtagdevsec/head:2006"
+    image: "ghcr.io/telekom-security/head:2006"
     read_only: true

docker/elk/kibana/Dockerfile

@@ -1,16 +1,17 @@
-FROM node:10.21.0-alpine
+FROM node:14.15.4-alpine
 #
 # VARS
-ENV KB_VER=7.8.0
+ENV KB_VER=7.11.1
 # 
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup env and apt
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+#RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk -U --no-cache add \
             aria2 \
-            curl && \
+            curl \
+            gcompat && \
 #
 # Get and install packages
     cd /root/dist/ && \
@@ -46,10 +47,14 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     echo "xpack.apm.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
     echo "xpack.security.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
     echo "xpack.uptime.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.siem.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
+    echo "xpack.securitySolution.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
     echo "xpack.ml.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
+    echo "xpack.fleet.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
     echo "elasticsearch.requestTimeout: 60000" >> /usr/share/kibana/config/kibana.yml && \
     echo "elasticsearch.shardTimeout: 60000" >> /usr/share/kibana/config/kibana.yml && \
+# There is no switch to disable Enterprise Search, so we need to remove it
+# In order to remove all X-Pack features we need to use OSS versions
+    rm -rf /usr/share/kibana/x-pack/plugins/enterprise_search && \
     rm -rf /usr/share/kibana/optimize/bundles/* && \
     /usr/share/kibana/bin/kibana --optimize --allow-root && \
     addgroup -g 2000 kibana && \

docker/elk/kibana/docker-compose.yml

@@ -12,4 +12,4 @@ services:
 #        condition: service_healthy
     ports:
      - "127.0.0.1:64296:5601"
-    image: "dtagdevsec/kibana:2006"
+    image: "ghcr.io/telekom-security/kibana:2006"

docker/elk/logstash/Dockerfile

@@ -1,13 +1,13 @@
-FROM alpine
+FROM alpine:3.13
 #
 # VARS
-ENV LS_VER=7.8.0
+ENV LS_VER=7.11.1
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup env and apt
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+#RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk -U --no-cache add \
              aria2 \
              bash \
              bzip2 \
@@ -25,8 +25,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     bunzip2 *.bz2 && \
     cd /root/dist/ && \
     mkdir -p /usr/share/logstash/ && \
-    aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-$LS_VER.tar.gz && \
-    tar xvfz logstash-$LS_VER.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
+    aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-$LS_VER-linux-x86_64.tar.gz && \
+    tar xvfz logstash-$LS_VER-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
+    rm -rf /usr/share/logstash/jdk && \
     /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
     /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
 #
@@ -36,8 +37,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     chmod u+x /usr/bin/update.sh && \
     mkdir -p /etc/logstash/conf.d && \
     cp logstash.conf /etc/logstash/conf.d/ && \
-    cp elasticsearch-template-es7x.json /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/ && \
-    cp common_configs.rb /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/ && \
+    cp tpot_es_template.json /etc/logstash/ && \
 #
 # Setup user, groups and configs
     addgroup -g 2000 logstash && \
@@ -56,4 +56,5 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
 #
 # Start logstash
 #USER logstash:logstash
+#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution --log.level debug
 CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution

docker/elk/logstash/dist/common_configs.rb

@@ -1,167 +0,0 @@
-require 'forwardable' # Needed for logstash core SafeURI. We need to patch this in core: https://github.com/elastic/logstash/pull/5978
-
-module LogStash; module Outputs; class ElasticSearch
-  module CommonConfigs
-
-    DEFAULT_INDEX_NAME = "logstash-%{+yyyy.MM.dd}"
-    DEFAULT_POLICY = "logstash-policy"
-    DEFAULT_ROLLOVER_ALIAS = 'logstash'
-
-    DEFAULT_HOST = ::LogStash::Util::SafeURI.new("//127.0.0.1")
-
-    def self.included(mod)
-      # The index to write events to. This can be dynamic using the `%{foo}` syntax.
-      # The default value will partition your indices by day so you can more easily
-      # delete old data or only search specific date ranges.
-      # Indexes may not contain uppercase characters.
-      # For weekly indexes ISO 8601 format is recommended, eg. logstash-%{+xxxx.ww}.
-      # LS uses Joda to format the index pattern from event timestamp.
-      # Joda formats are defined http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html[here].
-      mod.config :index, :validate => :string, :default => DEFAULT_INDEX_NAME
-
-      mod.config :document_type, 
-        :validate => :string, 
-        :deprecated => "Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature"
-
-      # From Logstash 1.3 onwards, a template is applied to Elasticsearch during
-      # Logstash's startup if one with the name `template_name` does not already exist.
-      # By default, the contents of this template is the default template for
-      # `logstash-%{+YYYY.MM.dd}` which always matches indices based on the pattern
-      # `logstash-*`.  Should you require support for other index names, or would like
-      # to change the mappings in the template in general, a custom template can be
-      # specified by setting `template` to the path of a template file.
-      #
-      # Setting `manage_template` to false disables this feature.  If you require more
-      # control over template creation, (e.g. creating indices dynamically based on
-      # field names) you should set `manage_template` to false and use the REST
-      # API to apply your templates manually.
-      mod.config :manage_template, :validate => :boolean, :default => true
-
-      # This configuration option defines how the template is named inside Elasticsearch.
-      # Note that if you have used the template management features and subsequently
-      # change this, you will need to prune the old template manually, e.g.
-      #
-      # `curl -XDELETE <http://localhost:9200/_template/OldTemplateName?pretty>`
-      #
-      # where `OldTemplateName` is whatever the former setting was.
-      mod.config :template_name, :validate => :string, :default => "logstash"
-
-      # You can set the path to your own template here, if you so desire.
-      # If not set, the included template will be used.
-      mod.config :template, :validate => :path
-
-      # The template_overwrite option will always overwrite the indicated template
-      # in Elasticsearch with either the one indicated by template or the included one.
-      # This option is set to false by default. If you always want to stay up to date
-      # with the template provided by Logstash, this option could be very useful to you.
-      # Likewise, if you have your own template file managed by puppet, for example, and
-      # you wanted to be able to update it regularly, this option could help there as well.
-      #
-      # Please note that if you are using your own customized version of the Logstash
-      # template (logstash), setting this to true will make Logstash to overwrite
-      # the "logstash" template (i.e. removing all customized settings)
-      mod.config :template_overwrite, :validate => :boolean, :default => true
-
-      # The document ID for the index. Useful for overwriting existing entries in
-      # Elasticsearch with the same ID.
-      mod.config :document_id, :validate => :string
-
-      # The version to use for indexing. Use sprintf syntax like `%{my_version}` to use a field value here.
-      # See https://www.elastic.co/blog/elasticsearch-versioning-support.
-      mod.config :version, :validate => :string
-      
-      # The version_type to use for indexing.
-      # See https://www.elastic.co/blog/elasticsearch-versioning-support.
-      # See also https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html#_version_types
-      mod.config :version_type, :validate => ["internal", 'external', "external_gt", "external_gte", "force"]
-
-      # A routing override to be applied to all processed events.
-      # This can be dynamic using the `%{foo}` syntax.
-      mod.config :routing, :validate => :string
-
-      # For child documents, ID of the associated parent.
-      # This can be dynamic using the `%{foo}` syntax.
-      mod.config :parent, :validate => :string, :default => nil
-
-      # For child documents, name of the join field
-      mod.config :join_field, :validate => :string, :default => nil
-
-      # Sets the host(s) of the remote instance. If given an array it will load balance requests across the hosts specified in the `hosts` parameter.
-      # Remember the `http` protocol uses the http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html#modules-http[http] address (eg. 9200, not 9300).
-      #     `"127.0.0.1"`
-      #     `["127.0.0.1:9200","127.0.0.2:9200"]`
-      #     `["http://127.0.0.1"]`
-      #     `["https://127.0.0.1:9200"]`
-      #     `["https://127.0.0.1:9200/mypath"]` (If using a proxy on a subpath)
-      # It is important to exclude http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html[dedicated master nodes] from the `hosts` list
-      # to prevent LS from sending bulk requests to the master nodes.  So this parameter should only reference either data or client nodes in Elasticsearch.
-      #
-      # Any special characters present in the URLs here MUST be URL escaped! This means `#` should be put in as `%23` for instance.
-      mod.config :hosts, :validate => :uri, :default => [ DEFAULT_HOST ], :list => true
-
-      # Cloud ID, from the Elastic Cloud web console. If set `hosts` should not be used.
-      #
-      # For more details, check out the https://www.elastic.co/guide/en/logstash/current/connecting-to-cloud.html#_cloud_id[cloud documentation]
-      mod.config :cloud_id, :validate => :string
-
-      # Set upsert content for update mode.s
-      # Create a new document with this parameter as json string if `document_id` doesn't exists
-      mod.config :upsert, :validate => :string, :default => ""
-
-      # Enable `doc_as_upsert` for update mode.
-      # Create a new document with source if `document_id` doesn't exist in Elasticsearch
-      mod.config :doc_as_upsert, :validate => :boolean, :default => false
-
-      # Set script name for scripted update mode
-      mod.config :script, :validate => :string, :default => ""
-
-      # Define the type of script referenced by "script" variable
-      #  inline : "script" contains inline script
-      #  indexed : "script" contains the name of script directly indexed in elasticsearch
-      #  file    : "script" contains the name of script stored in elasticseach's config directory
-      mod.config :script_type, :validate => ["inline", 'indexed', "file"], :default => ["inline"]
-
-      # Set the language of the used script. If not set, this defaults to painless in ES 5.0
-      mod.config :script_lang, :validate => :string, :default => "painless"
-
-      # Set variable name passed to script (scripted update)
-      mod.config :script_var_name, :validate => :string, :default => "event"
-
-      # if enabled, script is in charge of creating non-existent document (scripted update)
-      mod.config :scripted_upsert, :validate => :boolean, :default => false
-
-      # Set initial interval in seconds between bulk retries. Doubled on each retry up to `retry_max_interval`
-      mod.config :retry_initial_interval, :validate => :number, :default => 2
-
-      # Set max interval in seconds between bulk retries.
-      mod.config :retry_max_interval, :validate => :number, :default => 64
-
-      # The number of times Elasticsearch should internally retry an update/upserted document
-      # See the https://www.elastic.co/guide/en/elasticsearch/guide/current/partial-updates.html[partial updates]
-      # for more info
-      mod.config :retry_on_conflict, :validate => :number, :default => 1
-
-      # Set which ingest pipeline you wish to execute for an event. You can also use event dependent configuration
-      # here like `pipeline => "%{INGEST_PIPELINE}"`
-      mod.config :pipeline, :validate => :string, :default => nil
-
-
-      # -----
-      # ILM configurations (beta)
-      # -----
-      # Flag for enabling Index Lifecycle Management integration.
-      mod.config :ilm_enabled, :validate => [true, false, 'true', 'false', 'auto'], :default => 'auto'
-
-      # Rollover alias used for indexing data. If rollover alias doesn't exist, Logstash will create it and map it to the relevant index
-      mod.config :ilm_rollover_alias, :validate => :string, :default => DEFAULT_ROLLOVER_ALIAS
-
-      # appends “{now/d}-000001” by default for new index creation, subsequent rollover indices will increment based on this pattern i.e. “000002”
-      # {now/d} is date math, and will insert the appropriate value automatically.
-      mod.config :ilm_pattern, :validate => :string, :default => '{now/d}-000001'
-
-      # ILM policy to use, if undefined the default policy will be used.
-      mod.config :ilm_policy, :validate => :string, :default => DEFAULT_POLICY
-
-    end
-  end
-end end end

docker/elk/logstash/dist/logstash.conf

@@ -112,6 +112,13 @@ input {
     type => "Honeytrap"
   }
 
+# Ipphoney
+  file {
+    path => ["/data/ipphoney/log/ipphoney.json"]
+    codec => json
+    type => "Ipphoney"
+  }
+
 # Mailoney
   file {
     path => ["/data/mailoney/log/commands.log"]
@@ -314,6 +321,7 @@ filter {
     }
     mutate {
       rename => {
+        "ID" => "id"
         "IP" => "src_ip"
         "Port" => "src_port"
         "AETitle" => "aetitle"
@@ -415,6 +423,25 @@ filter {
     }
   }
 
+# Ipphoney
+  if [type] == "Ipphoney" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+	"query" => "ipp_query"
+        "content_type" => "http.http_content_type"
+        "dst_port" => "dest_port"
+        "dst_ip" => "dest_ip"
+        "request" => "request_method"
+        "operation" => "data"
+        "user_agent" => "http_user_agent"
+        "url" => "http.url"
+      }
+    }
+  }
+
 # Mailoney
   if [type] == "Mailoney" {
     date {
@@ -516,9 +543,14 @@ if "_grokparsefailure" in [tags] { drop {} }
         convert => { "status" => "integer" }
     }
   }
+  if [id] {
+    mutate {
+        convert => { "id" => "string" }
+    }
+  }
 
 # Add T-Pot hostname and external IP
-  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
+  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
     mutate {
       add_field => {
         "t-pot_ip_ext" => "${MY_EXTIP}"
@@ -534,8 +566,9 @@ if "_grokparsefailure" in [tags] { drop {} }
 output {
   elasticsearch {
     hosts => ["elasticsearch:9200"]
-    # With ILM in place we need to set the daily index manually, if not => FUBAR
+    # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
     index => "logstash-%{+YYYY.MM.dd}"
+    template => "/etc/logstash/tpot_es_template.json"
 #    document_type => "doc"
   }
 

docker/elk/logstash/dist/update.sh

@@ -35,11 +35,63 @@ if [ "$myCHECK" == "0" ];
     echo "Cannot reach Listbot, starting Logstash without latest translation maps."
 fi
 
-# Make sure logstash can put latest logstash template by deleting the old one first
+# We do want to enforce our es_template thus we always need to delete the default template, putting our default afterwards
 # This is now done via common_configs.rb => overwrite default logstash template
-#echo "Removing logstash template."
-#curl -XDELETE http://elasticsearch:9200/_template/logstash
-#echo
-#echo "Checking if empty."
-#curl -XGET http://elasticsearch:9200/_template/logstash
-#echo
+echo "Removing logstash template."
+curl -s -XDELETE http://elasticsearch:9200/_template/logstash
+echo
+echo "Checking if empty."
+curl -s -XGET http://elasticsearch:9200/_template/logstash
+echo
+echo "Putting default template."
+curl -s -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: application/json' -d'
+{
+  "index_patterns" : "logstash-*",
+  "version" : 60001,
+  "settings" : {
+    "index.refresh_interval" : "5s",
+    "number_of_shards" : 1,
+    "index.number_of_replicas" : "0",
+    "index.mapping.total_fields.limit" : "2000",
+    "index.query": {
+      "default_field": "*"
+     }
+  },
+  "mappings" : {
+    "dynamic_templates" : [ {
+      "message_field" : {
+        "path_match" : "message",
+        "match_mapping_type" : "string",
+        "mapping" : {
+          "type" : "text",
+          "norms" : false
+        }
+      }
+    }, {
+      "string_fields" : {
+        "match" : "*",
+        "match_mapping_type" : "string",
+        "mapping" : {
+          "type" : "text", "norms" : false,
+          "fields" : {
+            "keyword" : { "type": "keyword", "ignore_above": 256 }
+          }
+        }
+      }
+    } ],
+    "properties" : {
+      "@timestamp": { "type": "date"},
+      "@version": { "type": "keyword"},
+      "geoip"  : {
+        "dynamic": true,
+        "properties" : {
+          "ip": { "type": "ip" },
+          "location" : { "type" : "geo_point" },
+          "latitude" : { "type" : "half_float" },
+          "longitude" : { "type" : "half_float" }
+        }
+      }
+    }
+  }
+}'
+echo

docker/elk/logstash/docker-compose.yml

@@ -7,12 +7,14 @@ services:
     build: .
     container_name: logstash
     restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
 #    depends_on:
 #      elasticsearch:
 #        condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/logstash:2006"
+    image: "ghcr.io/telekom-security/logstash:2006"
     volumes:
      - /data:/data
-     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
+#     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf

docker/ews/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+RUN apk -U --no-cache add \
             build-base \
             git \
             libffi-dev \
@@ -14,6 +13,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 	    python3 \
             python3-dev \
             py3-cffi \
+	    py3-cryptography \
             py3-ipaddress \
 	    py3-lxml \
 	    py3-mysqlclient \
@@ -23,7 +23,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     pip3 install --no-cache-dir configparser hpfeeds3 pyOpenSSL xmljson && \
 #
 # Setup ewsposter
-    git clone --depth=1 https://github.com/dtag-dev-sec/ewsposter /opt/ewsposter && \
+    git clone https://github.com/telekom-security/ewsposter /opt/ewsposter && \
+    cd /opt/ewsposter && \
+    git checkout 46cd801fb444f1fb0a90418ab46e5977ec0a90b6 && \
     mkdir -p /opt/ewsposter/spool /opt/ewsposter/log && \
 #
 # Setup user and groups

docker/ews/dist/ews.cfg

@@ -4,10 +4,11 @@ spooldir = /opt/ewsposter/spool/
 logdir = /opt/ewsposter/log/
 del_malware_after_send = false
 send_malware = false
-sendlimit = 500
+sendlimit = 5000
 contact = your_email_address
-proxy =
-ip =
+proxy = None
+ip_int = None
+ip_ext = None
 
 [EWS]
 ews = true
@@ -39,24 +40,6 @@ nodeid = glastopfv3-community-01
 sqlitedb = /data/glastopf/db/glastopf.db
 malwaredir = /data/glastopf/data/files/
 
-[GLASTOPFV2]
-glastopfv2 = false
-nodeid =
-mysqlhost =
-mysqldb =
-mysqluser =
-mysqlpw =
-malwaredir =
-
-[KIPPO]
-kippo = false
-nodeid =
-mysqlhost =
-mysqldb =
-mysqluser =
-mysqlpw =
-malwaredir =
-
 [COWRIE]
 cowrie = true
 nodeid = cowrie-community-01
@@ -75,12 +58,6 @@ newversion = true
 payloaddir = /data/honeytrap/attacks/
 attackerfile = /data/honeytrap/log/attacker.log
 
-[RDPDETECT]
-rdpdetect = false
-nodeid =
-iptableslog =
-targetip =
-
 [EMOBILITY]
 eMobility = false
 nodeid = emobility-community-01
@@ -135,3 +112,18 @@ logfile = /data/tanner/log/tanner_report.json
 glutton = true
 nodeid = glutton-community-01
 logfile = /data/glutton/log/glutton.log
+
+[HONEYSAP]
+honeysap = true
+nodeid = honeysap-community-01
+logfile = /data/honeysap/log/honeysap-external.log
+
+[ADBHONEY]
+adbhoney = true
+nodeid = adbhoney-community-01
+logfile = /data/adbhoney/log/adbhoney.json
+
+[FATT]
+fatt = true
+nodeid = fatt-community-01
+logfile = /data/fatt/log/fatt.log

docker/ews/docker-compose.yml

@@ -23,8 +23,7 @@ services:
      - EWS_HPFEEDS_FORMAT=json
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/ewsposter:2006"
+    image: "ghcr.io/telekom-security/ewsposter:2006"
     volumes:
      - /data:/data
-     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
-
+#     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip

docker/fatt/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Include dist
 #ADD dist/ /root/dist/
 #
 # Get and install dependencies & packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U add \
+RUN apk -U add \
               git \
               py3-libxml2 \
               py3-lxml \
@@ -21,8 +20,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Install fatt
     mkdir -p /opt && \
     cd /opt && \
-    git clone --depth=1 https://github.com/0x4D31/fatt && \
+    git clone https://github.com/0x4D31/fatt && \
     cd fatt && \
+    git checkout 314cd1ff7873b5a145a51ec4e85f6107828a2c79 && \
     mkdir -p log && \
     pip3 install pyshark==0.4.2.2 && \
 #
@@ -39,4 +39,4 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 STOPSIGNAL SIGINT
 ENV PYTHONPATH /opt/fatt
 WORKDIR /opt/fatt
-CMD python3 fatt.py -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) --print_output --json_logging -o log/fatt.log
+CMD python3 fatt.py -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') --print_output --json_logging -o log/fatt.log

docker/fatt/docker-compose.yml

@@ -12,6 +12,6 @@ services:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/fatt:2006"
+    image: "ghcr.io/telekom-security/fatt:2006"
     volumes:
      - /data/fatt/log:/opt/fatt/log

docker/glutton/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Include dist
 ADD dist/ /root/dist/
 # 
 # Setup apk
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+RUN apk -U --no-cache add \
                    build-base \
                    git \
                    go \
@@ -22,6 +21,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     cd /opt/go/ && \
     git clone https://github.com/mushorg/glutton && \
     cd /opt/go/glutton/ && \
+    git checkout c25045b95b43ed9bfee89b2d14a50f5794a9cf2b && \
     mv /root/dist/system.go /opt/go/glutton/ && \
     go mod download && \
     make build && \
@@ -52,4 +52,4 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Start glutton 
 WORKDIR /opt/glutton
 USER glutton:glutton
-CMD exec bin/server -i $(/sbin/ip address | grep '^2: ' | awk '{ print $2 }' | tr -d [:punct:]) -l /var/log/glutton/glutton.log > /dev/null 2>&1
+CMD exec bin/server -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') -l /var/log/glutton/glutton.log > /dev/null 2>&1

docker/glutton/docker-compose.yml

@@ -13,7 +13,7 @@ services:
     network_mode: "host"
     cap_add:
      - NET_ADMIN
-    image: "dtagdevsec/glutton:2006"
+    image: "ghcr.io/telekom-security/glutton:2006"
     read_only: true
     volumes:
      - /data/glutton/log:/var/log/glutton

docker/heimdall/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Get and install dependencies & packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+RUN apk -U --no-cache add \
       git \
       nginx \
       nginx-mod-http-headers-more \
@@ -28,11 +27,16 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 #
 # Clone and setup Heimdall, Nginx
     git clone https://github.com/linuxserver/heimdall && \
+    cd heimdall && \
+    git checkout 61a5a1a8b023771e0ff7c056add5537d20737e51 && \
+    cd .. && \
     cp -R heimdall/. /var/lib/nginx/html && \
     rm -rf heimdall && \
     cd /var/lib/nginx/html && \
     cp .env.example .env && \
-    php artisan key:generate && \
+    # Fix error for ArrayInput in smyfony with regard to PHP7.4 (https://github.com/symfony/symfony/pull/32806/files)
+    sed -i "135s/.*/} elseif (0 === strpos(\$key, '-')) {/" /var/lib/nginx/html/vendor/symfony/console/Input/ArrayInput.php && \
+    php7 artisan key:generate && \
 #
 ## Add previously configured content
     mkdir -p /var/lib/nginx/html/storage/app/public/backgrounds/ && \

docker/heimdall/dist/conf/tpotweb.conf

@@ -149,4 +149,8 @@ server {
             proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete;
         }
 
+        location /scaninfo {
+            proxy_pass http://127.0.0.1:64303/spiderfoot/scaninfo;
+        }
+
 }

docker/heimdall/docker-compose.yml

@@ -26,7 +26,7 @@ services:
     ports:
      - "64297:64297"
      - "127.0.0.1:64304:64304"
-    image: "dtagdevsec/nginx:2006"
+    image: "ghcr.io/telekom-security/nginx:2006"
     read_only: true
     volumes:
      - /data/nginx/cert/:/etc/nginx/cert/:ro

docker/heralding/Dockerfile

@@ -1,11 +1,10 @@
-FROM alpine:latest
+FROM alpine:3.13
 #  
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \ 
+RUN apk -U --no-cache add \ 
             		build-base \
             		git \
             		libcap \
@@ -13,7 +12,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
             		openssl-dev \
                         libzmq \
             		postgresql-dev \
+			py3-cryptography \
 			py3-pip \
+			py3-pyzmq \
             		python3 \
             		python3-dev \
             		py-virtualenv && \
@@ -21,8 +22,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Setup heralding
     mkdir -p /opt && \
     cd /opt/ && \
-    git clone --depth=1 https://github.com/johnnykv/heralding && \
+    git clone https://github.com/johnnykv/heralding && \
     cd heralding && \
+    git checkout 3f38976a2ab4d884d755b6324f2c71923ddadbdb && \
     pip3 install --no-cache-dir -r requirements.txt && \
     pip3 install --no-cache-dir . && \
 #

docker/heralding/dist/heralding.yml

@@ -62,6 +62,7 @@ capabilities:
     timeout: 30
     protocol_specific_data:
       max_attempts: 3
+      banner: "+OK POP3 server ready"
 
   pop3s:
     enabled: true
@@ -69,6 +70,7 @@ capabilities:
     timeout: 30
     protocol_specific_data:
       max_attempts: 3
+      banner: "+OK POP3 server ready"
       # if a .pem file is not found in work dir, a new pem file will be created
       # using these values
       cert:
@@ -157,6 +159,25 @@ capabilities:
       # If the fqdn option is commented out or empty, then fqdn of the host will be used
       fqdn: ""
 
+  smtps:
+    enabled: true
+    port: 465
+    timeout: 30
+    protocol_specific_data:
+      banner: "Microsoft ESMTP MAIL service ready"
+      # If the fqdn option is commented out or empty, then fqdn of the host will be used
+      fqdn: ""
+      cert:
+        common_name: "*"
+        country: "US"
+        state: None
+        locality: None
+        organization: None
+        organizational_unit: None
+        # how many days should the certificate be valid for
+        valid_days: 365
+        serial_number: 0
+
   vnc:
     enabled: true
     port: 5900

docker/heralding/docker-compose.yml

@@ -23,6 +23,7 @@ services:
      - "110:110"
      - "143:143"
      - "443:443"
+     - "465:465"
      - "993:993"
      - "995:995"
      - "1080:1080"
@@ -30,7 +31,7 @@ services:
      - "3389:3389"
      - "5432:5432"
      - "5900:5900"
-    image: "dtagdevsec/heralding:2006"
+    image: "ghcr.io/telekom-security/heralding:2006"
     read_only: true
     volumes:
      - /data/heralding/log:/var/log/heralding

docker/honeypy/Dockerfile

@@ -17,8 +17,9 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     pip install --no-cache-dir virtualenv && \
 #
 # Clone honeypy from git
-    git clone --depth=1 https://github.com/foospidy/HoneyPy /opt/honeypy && \
+    git clone https://github.com/foospidy/HoneyPy /opt/honeypy && \
     cd /opt/honeypy && \
+    git checkout feccab56ca922bcab01cac4ffd82f588d61ab1c5 && \
     sed -i 's/local_host/dest_ip/g' /opt/honeypy/loggers/file/honeypy_file.py && \
     sed -i 's/local_port/dest_port/g' /opt/honeypy/loggers/file/honeypy_file.py && \
     sed -i 's/remote_host/src_ip/g' /opt/honeypy/loggers/file/honeypy_file.py && \

docker/honeypy/docker-compose.yml

@@ -20,7 +20,7 @@ services:
      - "2324:2324"
      - "4096:4096"
      - "9200:9200"
-    image: "dtagdevsec/honeypy:2006"
+    image: "ghcr.io/telekom-security/honeypy:2006"
     read_only: true
     volumes:
      - /data/honeypy/log:/opt/honeypy/log

docker/honeysap/Dockerfile

@@ -4,20 +4,21 @@ FROM alpine:3.10
 ADD dist/ /root/dist/
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
-    apk -U --no-cache add \
+RUN apk -U --no-cache add \
             build-base \
             git \
 	    libstdc++ \
 	    py2-markupsafe \
             python2 \
             python2-dev \
-            py2-pip && \
+            py2-pip \
+            tcpdump && \
 #
 # Clone honeysap from git
 #    git clone --depth=1 https://github.com/SecureAuthCorp/HoneySAP /opt/honeysap && \
     git clone --depth=1 https://github.com/t3chn0m4g3/HoneySAP /opt/honeysap && \
     cd /opt/honeysap && \
+    git checkout a3c355a710d399de9d543659a685effaa70e683d && \
     mkdir conf && \
     cp /root/dist/* conf/ && \
     python setup.py install && \

docker/honeysap/docker-compose.yml

@@ -14,6 +14,6 @@ services:
      - honeysap_local
     ports:
      - "3299:3299"
-    image: "dtagdevsec/honeysap:2006"
+    image: "ghcr.io/telekom-security/honeysap:2006"
     volumes:
      - /data/honeysap/log:/opt/honeysap/log

docker/honeytrap/Dockerfile

@@ -29,6 +29,7 @@ RUN apt-get update -y && \
     git clone https://github.com/armedpot/honeytrap /root/honeytrap && \
 #    git clone https://github.com/t3chn0m4g3/honeytrap /root/honeytrap && \
     cd /root/honeytrap/ && \
+    git checkout 9aa4f734f2ea2f0da790b02d79afe18204a23982 && \
     autoreconf -vfi && \
     ./configure \
       --with-stream-mon=nfq \

docker/honeytrap/docker-compose.yml

@@ -12,7 +12,7 @@ services:
     network_mode: "host"
     cap_add:
      - NET_ADMIN
-    image: "dtagdevsec/honeytrap:2006"
+    image: "ghcr.io/telekom-security/honeytrap:2006"
     read_only: true
     volumes:
      - /data/honeytrap/attacks:/opt/honeytrap/var/attacks

docker/ipphoney/Dockerfile

@@ -0,0 +1,49 @@
+FROM alpine:3.13
+#
+# Include dist
+ADD dist/ /root/dist/
+#
+# Install packages
+RUN apk -U add \
+             build-base \
+	     ca-certificates \
+             git \
+	     libcap \
+             libffi-dev \
+	     openssl \
+             openssl-dev \
+	     postgresql-dev \
+	     py3-cryptography \
+             py3-mysqlclient \
+             py3-requests \
+	     py3-pip \
+             python3 \
+             python3-dev && \
+    mkdir -p /opt && \
+    cd /opt/ && \
+    git clone https://gitlab.com/bontchev/ipphoney.git/ && \
+    cd ipphoney && \
+    git checkout 7ab1cac437baba17cb2cd25d5bb1400327e1bb79 && \
+    pip3 install -r requirements.txt && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+#
+# Setup user, groups and configs
+    addgroup -g 2000 ipphoney && \
+    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 ipphoney && \
+    mv /root/dist/honeypot.cfg /opt/ipphoney/etc/ && \
+#
+# Clean up
+    apk del --purge build-base \
+                    git \
+                    libffi-dev \
+		    openssl-dev \
+		    postgresql-dev \
+		    python3-dev && \
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+#
+# Start ipphoney
+STOPSIGNAL SIGINT
+USER ipphoney:ipphoney
+WORKDIR /opt/ipphoney/
+CMD ["/usr/bin/python3","ipphoney.py"]

docker/ipphoney/dist/honeypot.cfg

@@ -0,0 +1,312 @@
+# DO NOT EDIT THIS FILE!
+# Changes to default files will be lost on update and are difficult to
+# manage and support.
+#
+# Please make any changes to system defaults by overriding them in
+# honeypot.cfg
+#
+# To override a specific setting, copy the name of the stanza and
+# setting to the file where you wish to override it.
+
+# ============================================================================
+# General Honeypot Options
+# ============================================================================
+[honeypot]
+
+# Sensor name is used to identify this honeypot instance. Used by the database
+# logging modules such as JSON.
+#
+# If not specified, the logging modules will instead use the host name of the
+# server as the sensor name.
+#
+# (default: the name of the local machine)
+#sensor_name = myhostname
+
+# Name of the web server on the simulated printer.
+#
+# (default: Lexmark_Web_Server)
+server_name = Lexmark_Web_Server
+
+# Directory where to save log files in.
+# Log files are <log_filename>.YYYY-MM-DD in that directory
+#
+# (default: log)
+log_path = log
+
+# Log file name
+#
+# (default: stdout)
+#log_filename =
+
+# Directory containing the response files
+#
+# (default: responses)
+#responses_dir = responses
+
+# Directory where to save downloaded artifacts in.
+#
+# (default: dl)
+#download_path = dl
+
+# Whether to save the files sent for printing
+# (default: true)
+#download_files = true
+
+# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
+# A value of 0 means no limit. If the file size is known to be too big from the start,
+# the file will not be stored on disk at all.
+#
+# (default: 0)
+#download_limit_size = 0
+
+# ============================================================================
+# Network Specific Options
+# ============================================================================
+
+# Port to listen for incoming connections.
+#
+# (default: 631)
+#listen_port = 631
+
+# Site to query for one's public IP address
+#
+# (default: https://ident.me)
+#public_ip_url = https://ident.me
+
+# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
+# IP address is obtained by querying public_ip_url
+#
+# (default: false)
+#report_public_ip = false
+
+
+# ============================================================================
+# Output Plugins
+# These provide an extensible mechanism to send audit log entries to third
+# parties. The audit entries contain information on clients connecting to
+# the honeypot.
+#
+# Output entries need to start with 'output_' and have the 'enabled' entry.
+# ============================================================================
+
+# CouchDB logging module
+#
+#[output_couch]
+#enabled = false
+#host = localhost
+#port = 5984
+#username = ipphoney
+#password = secret
+#database = ipphoney
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# Elasticsearch logging module
+#
+#[output_elastic]
+#enabled = false
+#host = localhost
+#port = 9200
+#index = ipphoney
+#
+# type has been deprecated since ES 6.0.0
+# use _doc which is the default type. See
+# https://stackoverflow.com/a/53688626 for
+# more information
+#
+#type = _doc
+#
+# set pipeline = geoip to map src_ip to
+# geo location data. You can use a custom
+# pipeline but you must ensure it exists
+# in elasticsearch.
+#
+#pipeline = geoip
+#
+# Authentication. When x-pack.security is enabled
+# in ES, default users have been created and requests
+# must be authenticated.
+#
+# Credentials
+#
+#username = ipphoney
+#password = secret
+#
+# TLS encryption. Communications between the client (ipphoney) 
+# and the ES server should naturally be protected by encryption
+# if requests are authenticated (to prevent from man-in-the-middle 
+# attacks). The following options are then paramount
+# if username and password are provided.
+#
+# use ssl/tls
+#ssl = true
+# verify SSL certificates
+#verify_certs = true
+# Path to trusted CA certs on disk
+#ca_certs = /path/to/cert/file/elastic_ca.crt
+
+# HPFeeds
+#
+# Note the lack of "s" at the end:
+[output_hpfeed]
+enabled = false
+#server = hpfeeds.mysite.org
+#tlscert = /path/to/tls/cert/file
+#port = 10000
+#identifier = abc123
+#secret = secret
+#channel = ipphoney
+
+# InfluxDB 2.0 logging module
+#
+#[output_influx2]
+#enabled = false
+#host = hostname
+#token = token
+#org = organization
+#bucket = ipphoney
+
+# JSON based logging module
+#
+[output_jsonlog]
+enabled = true
+logfile = log/ipphoney.json
+epoch_timestamp = false
+
+# MongoDB logging module
+#
+#[output_mongodb]
+#enabled = false
+#host = 127.0.0.1
+#port = 27017
+#username = ipphoney
+#password = secret
+#database = ipphoney
+# Note: .format(username, password, host, port, database) is done
+#  on the following string; make sure that there are 5 placeholders ({}) in it
+#connection_string = mongodb://{}:{}@{}:{}/{}
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# MySQL logging module
+# Database structure for this module is supplied in docs/sql/mysql.sql
+#
+# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
+# MySQL logging requires an extra Python module: pip install mysql-python
+#
+#[output_mysql]
+#enabled = false
+#host = localhost
+#database = ipphoney
+#username = ipphoney
+#password = secret
+#port = 3306
+#debug = false
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# PostgreSQL logging module
+#
+#[output_postgres]
+#enabled = false
+#host = hostname
+#username = ipphoney
+#password = secret
+#port = 5432
+#database = ipphoney
+#debug = false
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# RedisDB logging module
+#
+#[output_redisdb]
+#enabled = false
+#host = 127.0.0.1
+#port = 6379
+# DB of the redis server. Defaults to 0
+#db = 0
+# Password of the redis server. Defaults to None
+#password = secret
+# Name of the list to push to or the channel to publish to. Required
+#keyname = ipphoney
+# Method to use when sending data to redis.
+# Can be one of [lpush, rpush, publish]. Defaults to lpush
+#send_method = lpush
+
+# SQLite3 logging module
+#
+# Logging to SQLite3 database. To init the database, use the script
+# docs/sql/sqlite3.sql:
+#     sqlite3 <db_file> < docs/sql/sqlite3.sql
+#
+#[output_sqlite]
+#enabled = false
+#debug = false
+#db_file = data/ipphoney.db
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# Local Syslog output module
+#
+# This sends log messages to the local syslog daemon.
+#
+#[output_localsyslog]
+#enabled = false
+# Facility can be:
+# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
+#
+# default: USER
+#facility = USER
+
+# Text output
+# This writes audit log entries to a text file
+#
+#[output_textlog]
+#enabled = false
+#logfile = log/ipphoney.txt
+
+
+# TODO:
+
+# Rethinkdb output module
+#
+#[output_rethinkdblog]
+#enabled = false
+#host = 127.0.0.1
+#port = 28015
+#table = events
+#db = ipphoney
+#password =
+
+# InfluxDB logging module
+#
+#[output_influx]
+#enabled = false
+#host = 127.0.0.1
+#port = 8086
+#database_name = ipphoney
+#retention_policy_duration = 12w
+
+# Kafka logging module
+#
+#[output_kafka]
+#enabled = false
+#host = 127.0.0.1
+#port = 9092
+#topic = ipphoney
+

docker/ipphoney/docker-compose.yml

@@ -0,0 +1,20 @@
+version: '2.3'
+
+networks:
+  ipphoney_local:
+
+services:
+
+# Ipphoney service
+  ipphoney:
+    build: .
+    container_name: ipphoney
+    restart: always
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: "ghcr.io/telekom-security/ipphoney:2006"
+    read_only: true
+    volumes:
+     - /data/ipphoney/log:/opt/ipphoney/log

docker/mailoney/Dockerfile

@@ -13,8 +13,9 @@ RUN apk -U --no-cache add \
             python-dev && \
 #
 # Install libemu    
-    git clone --depth=1 https://github.com/buffer/libemu /root/libemu/ && \
+    git clone https://github.com/buffer/libemu /root/libemu/ && \
     cd /root/libemu/ && \
+    git checkout e2624361e13588da74a2ce3e1dea0abb59dcf1d0 && \
     autoreconf -vi && \
     ./configure && \
     make && \
@@ -26,7 +27,9 @@ RUN apk -U --no-cache add \
                         pylibemu && \ 
 #
 # Install mailoney from git
-    git clone --depth=1 https://github.com/t3chn0m4g3/mailoney /opt/mailoney && \
+    git clone https://github.com/t3chn0m4g3/mailoney /opt/mailoney && \
+    cd /opt/mailoney && \
+    git checkout 85c37649a99e1cec3f8d48d509653c9a8127ea4f && \
 #
 # Setup user, groups and configs
     addgroup -g 2000 mailoney && \

docker/mailoney/docker-compose.yml

@@ -20,7 +20,7 @@ services:
      - mailoney_local
     ports:
      - "25:25"
-    image: "dtagdevsec/mailoney:2006"
+    image: "ghcr.io/telekom-security/mailoney:2006"
     read_only: true
     volumes:
      - /data/mailoney/log:/opt/mailoney/logs

docker/medpot/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.13
 #
 # Setup apk
 RUN apk -U --no-cache add \
@@ -12,6 +12,9 @@ RUN apk -U --no-cache add \
     mkdir -p /opt/go/src && \
     cd /opt/go/src && \
     git clone https://github.com/schmalle/medpot && \
+    cd medpot && \
+    git checkout 75a2e6134cf926c35b6017d62542274434c87388 && \
+    cd .. && \
     go get -d -v github.com/davecgh/go-spew/spew && \
     go get -d -v github.com/go-ini/ini && \
     go get -d -v github.com/mozillazg/request && \

docker/medpot/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - medpot_local
     ports:
      - "2575:2575"
-    image: "dtagdevsec/medpot:2006"
+    image: "ghcr.io/telekom-security/medpot:2006"
     read_only: true
     volumes:
      - /data/medpot/log/:/var/log/medpot