Update

2025-07-02 01:27:27 -04:00 · 2022-04-12 13:58:34 +02:00 · 2022-04-12 12:47:07 +02:00 · 2022-04-12 12:25:34 +02:00 · 2022-04-12 12:17:37 +02:00 · 2022-04-12 11:34:16 +02:00
295 changed files with 10727 additions and 4373 deletions
--- a/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
+++ b/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
@ -7,6 +7,8 @@ assignees: ''
 ---
 🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
 Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
 - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,236 +1,45 @@
-# Changelog
+# Release Notes / Changelog
 T-Pot 22.04.0 is probably the most feature rich release ever provided with long awaited (wanted!) features readily available after installation. 
-## 20200630
+## New Features
- **Release T-Pot 20.06**
+* **Distributed** Installation with **HIVE** and **HIVE_SENSOR**
-  - After 4 months of public testing with the NextGen edition T-Pot 20.06 can finally be released.
+* **ARM64** support for all provided Docker images
- **Debian Buster**
+* **GeoIP Attack Map** visualizing Live Attacks on a dedicated webpage
-  - With the release of Debian Buster T-Pot now has access to all packages required right out of the box.
+* **Kibana Live Attack Map** visualizing Live Attacks from different **HIVE_SENSORS**
- **Add new honeypots**
+* **Blackhole** is a script trying to avoid mass scanner detection 
-  - [Dicompot](https://github.com/nsmfoo/dicompot) by @nsmfoo is a low interaction honeypot for the Dicom protocol which is the international standard to process medical imaging information. Together with Medpot which supports the HL7 protocol T-Pot is now offering a Medical Installation type.
+* **Elasticvue** a web front end for browsing and interacting with an Elastic Search cluster
-  - [Honeysap](https://github.com/SecureAuthCorp/HoneySAP) by SecureAuthCorp is a low interaction honeypot for the SAP services, in case of T-Pot configured for the SAP router.
+* **Ddospot** a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
-  - [Elasticpot](https://gitlab.com/bontchev/elasticpot) by Vesselin Bontchev replaces ElasticpotPY as a low interaction honeypot for Elasticsearch with more features, plugins and scripted responses.
+* **Endlessh** is a SSH tarpit that very slowly sends an endless, random SSH banner
- **Rebuild Images**
+* **HellPot** is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
-  - All docker images were rebuilt based on the latest (and stable running) versions of the tools and honeypots. Mostly the images now run on Alpine 3.12 / Debian Buster. However some honeypots / tools still reuire Alpine 3.11 / 3.10 to run properly.
+* **qHoneypots** 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
- **Install Types**
+* **Redishoneypot** is a honeypot mimicking some of the Redis' functions
-  - All docker-compose files (`/opt/tpot/etc/compose`) were remixed and most of the NextGen honeypots are now available in Standard.
+* **SentryPeer** a dedicated SIP honeypot
-  - There is now a **Medical** Installation Type with Dicompot and Medpot which will be of most interest for medical institutions to get started with T-Pot.
+* **Index Lifecycle Management** for Elasticseach indices is now being used
 - **Update Tools**
  - Connecting to T-Pot via `https://<ip>:64297` brings you to the T-Pot Landing Page now which is based on Heimdall and the latest NGINX enforcing TLS 1.3.
  - The ELK stack was updated to 7.8.0 and stripped down to the necessary core functions (where possible) for T-Pot while keeping ELK RAM requirements to a minimum (8GB of RAM is recommended now). The number of index pattern fields was reduced to **697** which increases performance significantly. There are **22** Kibana Dashboards, **397** Kibana Visualizations and **24** Kibana Searches readily available to cover all your needs to get started and familiar with T-Pot.
  - Cyberchef was updated to 9.21.0.
  - Elasticsearch Head was updated to the latest version available on GitHub.
  - Spiderfoot was updated to latest 3.1 dev.
 - **Landing Page**
  - After logging into T-Pot via web you are now greeted with a beautifully designed landing page.
 - **Countless Tweaks and improvements**
  - Under the hood lots of tiny tweaks, improvements and a few bugfixes will increase your overall experience with T-Pot.
-## 20200316
+## Upgrades
- **Move from Sid to Stable**
+* **Debian 11.x** is now being used for the T-Pot ISO images and required for post installs
-  - Debian Stable has now all the packages and versions we need for T-Pot. As a consequence we can now move to the `stable` branch.
+* **Elastic Stack 8.x** is now provided as Docker images
-## 20200310
+## Updates
- **Add 2FA to Cockpit**
+* **Honeypots** and **tools** were updated to their latest masters and releases
-  - Just run `2fa.sh` to enable two factor authentication in Cockpit.
+* Updates will be provided continuously through Docker Images updates 
 - **Find fastest mirror with netselect-apt**
  - Netselect-apt will find the fastest mirror close to you (outgoing ICMP required).
-## 20200309
+## Breaking Changes
- **Bump Nextgen to 20.06**
+* For security reasons all Py2.x honeypots with the need of PyPi packages have been removed: **HoneyPy**, **HoneySAP** and **RDPY**
-  - All NextGen images have been rebuilt to their latest master.
+* If you are upgrading from a previous version of T-Pot (20.06.x) you need to import the new Kibana objects or some of the functionality will be broken or will be unavailabe
-  - ElasticStack bumped to 7.6.1 (Elasticsearch will need at least 2048MB of RAM now, T-Pot at least 8GB of RAM) and tweak to accomodate changes of 7.x.
+* **Cyberchef** is now part of the Nginx Docker image, no longer as individual image
-  - Fixed errors in Tanner / Snare which will now handle downloads of malware via SSL and store them correctly (thanks to @afeena).
+* **ElasticSearch Head** is superseded by **Elasticvue** and part the Nginx Docker image
-  - Fixed errors in Heralding which will now improve on RDP connections (thanks to @johnnykv, @realsdx).
+* **Heimdall** is no longer supported and superseded with a new Bento based landing page
-  - Fixed error in honeytrap which will now build in Debian/Buster (thanks to @tillmannw).
+* **Elasticsearch Curator** is no longer supprted and superseded with **Index Lifecycle Policies** available through Kibana.
  - Mailoney is now logging in JSON format (thanks to @monsherko).
  - Base T-Pot landing page on Heimdall.
  - Tweaking of tools and some minor bug fixing
-## 20200116
+# Thanks & Credits
- **Bump ELK to latest 6.8.6**
+* @ghenry, for some fun late night debugging and of course SentryPeer!
- **Update ISO image to fix upstream bug of missing kernel modules**
+* @giga-a, for adding much appreciated features (i.e. JSON logging, 
- **Include dashboards for CitrixHoneypot**
+X-Forwarded-For, etc.) and of course qHoneypots! 
-  - Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
+* @sp3t3rs, @trixam, for their backend and ews support!
-  - This update requires the latest Kibana objects as well. Download the latest from https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/etc/objects/kibana_export.json.zip, unzip and import the objects within Kibana WebUI > Management > Saved Objects > Export / Import". All objects will be overwritten upon import, make sure to run an export first.
+* @tadashi-oya, for spotting some errors and propose fixes!
 * @tmariuss, @shaderecker for their cloud contributions!
 * @vorband, for much appreciated and helpful insights regarding the GeoIP Attack Map!
 * @yunginnanet, on not giving up on squashing a bug and of course Hellpot!
-## 20200115
+... and many others from the T-Pot community by opening valued issues and discussions, suggesting ideas and thus helping to improve T-Pot!
 - **Prepare integration of CitrixHoneypot**
  - Prepare integration of [CitrixHoneypot](https://github.com/MalwareTech/CitrixHoneypot) by MalwareTech
  - Integration into ELK is still open
  - Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
 ## 20191224
 - **Use pigz, optimize logrotate.conf**
  - Use `pigz` for faster archiving, especially with regard to high volumes of logs - Thanks to @workandresearchgithub!
  - Optimize `logrotate.conf` to improve archiving speed and get rid of multiple compression, also introduce `pigz`.
 ## 20191121
 - **Bump ADBHoney to latest master**
  - Use latest version of ADBHoney, which now fully support Python 3.x - Thanks to @huuck!
 ## 20191113, 20191104, 20191103, 20191028
 - **Switch to Debian 10 on OTC, Ansible Improvements**
  - OTC now supporting Debian 10 - Thanks to @shaderecker!
 ## 20191028
 - **Fix an issue with pip3, yq**
  - `yq` needs rehashing.
 ## 20191026
 - **Remove cockpit-pcp**
  - `cockpit-pcp` floods swap for some reason - removing for now.
 ## 20191022
 - **Bump Suricata to 5.0.0**
 ## 20191021
 - **Bump Cowrie to 2.0.0**
 ## 20191016
 - **Tweak installer, pip3, Heralding**
  - Install `cockpit-pcp` right from the start for machine monitoring in cockpit.
  - Move installer and update script to use pip3.
  - Bump heralding to latest master (1.0.6) - Thanks @johnnykv!
 ## 20191015
 - **Tweaking, Bump glutton, unlock ES script**
  - Add `unlock.sh` to unlock ES indices in case of lockdown after disk quota has been reached.
  - Prevent too much terminal logging from p0f and glutton since `daemon.log` was filled up.
  - Bump glutton to latest master now supporting payload_hex. Thanks to @glaslos.
 ## 20191002
 - **Merge**
  - Support Debian Buster images for AWS #454
  - Thank you @piffey
 ## 20190924
 - **Bump EWSPoster**
  - Supports Python 3.x
  - Thank you @Trixam
 ## 20190919
 - **Merge**
  - Handle non-interactive shells #454
  - Thank you @Oogy
 ## 20190907
 - **Logo tweaking**
  - Add QR logo
 ## 20190828
 - **Upgrades and rebuilds**
  - Bump Medpot, Nginx and Adbhoney to latest master
  - Bump ELK stack to 6.8.2
  - Rebuild Mailoney, Honeytrap, Elasticpot and Ciscoasa
  - Add 1080p T-Pot wallpaper for download
 ## 20190824
 - **Add some logo work**
  - Thanks to @thehadilps's suggestion adjusted social preview
  - Added 4k T-Pot wallpaper for download
 ## 20190823
 - **Fix for broken Fuse package**
  - Fuse package in upstream is broken
  - Adjust installer as workaround, fixes #442
 ## 20190816
 - **Upgrades and rebuilds**
  - Adjust Dionaea to avoid nmap detection, fixes #435 (thanks @iukea1)
  - Bump Tanner, Cyberchef, Spiderfoot and ES Head to latest master
 ## 20190815
 - **Bump ELK stack to 6.7.2**
  - Transition to 7.x must iterate slowly through previous versions to prevent changes breaking T-Pots
 ## 20190814
 - **Logstash Translation Maps improvement**
  - Download translation maps rather than running a git pull
  - Translation maps will now be bzip2 compressed to reduce traffic to a minimum
  - Fixes #432
 ## 20190802
 - **Add support for Buster as base image**
  - Install ISO is now based on Debian Buster
  - Installation upon Debian Buster is now supported
 ## 20190701
 - **Reworked Ansible T-Pot Deployment**
  - Transitioned from bash script to all Ansible
  - Reusable Ansible Playbook for OpenStack clouds
  - Example Showcase with our Open Telekom Cloud
  - Adaptable for other cloud providers
 ## 20190626
 - **HPFEEDS Opt-In commandline option**
  - Pass a hpfeeds config file as a commandline argument
  - hpfeeds config is saved in `/data/ews/conf/hpfeeds.cfg`
  - Update script restores hpfeeds config
 ## 20190604
 - **Finalize Fatt support**
  - Build visualizations, searches, dashboards
  - Rebuild index patterns
  - Some finishing touches
 ## 20190601
 - **Start supporting Fatt, remove Glastopf**
  - Build Dockerfile, Adjust logstash, installer, update and such.
  - Glastopf is no longer supported within T-Pot
 ## 20190528+20190531
 - **Increase total number of fields**
  - Adjust total number of fileds for logstash templae from 1000 to 2000.
 ## 20190526
 - **Fix build for Cowrie**
  - Upstream changes required a new package `py-bcrypt`.
 ## 20190525
 - **Fix build for RDPY**
  - Building was prevented due to cache error which occurs lately on Alpine if `apk` is using `--no-ache' as options.
 ## 20190520
 - **Adjust permissions for /data folder**
  - Now it is possible to download files from `/data` using SCP, WINSCP or CyberDuck.
 ## 20190513
 - **Added Ansible T-Pot Deployment on Open Telekom Cloud**
  - Reusable Ansible Playbooks for all cloud providers
  - Example Showcase with our Open Telekom Cloud
 ## 20190511
 - **Add hptest script**
  - Quickly test if the honeypots are working with `hptest.sh <[ip,host]>` based on nmap.
 ## 20190508
 - **Add tsec / install user to tpot group**
  - For users being able to easily download logs from the /data folder the installer now adds the `tpot` or the logged in user (`who am i`) via `usermod -a -G tpot <user>` to the tpot group. Also /data permissions will now be enforced to `770`, which is necessary for directory listings.
 ## 20190502
 - **Fix KVPs**
  - Some KVPs for Cowrie changed and the tagcloud was not showing any values in the Cowrie dashboard.
  - New installations are not affected, however existing installations need to import the objects from /opt/tpot/etc/objects/kibana-objects.json.zip.
 - **Makeiso**
  - Move to Xorriso for building the ISO image.
  - This allows to support most of the Debian based distros, i.e. Debian, MxLinux and Ubuntu.
 ## 20190428
 - **Rebuild ISO**
  - The install ISO needed a rebuilt after some changes in the Debian mirrors.
 - **Disable Netselect**
  - After some reports in the issues that some Debian mirrors were not fully synced and thus some packages were unavailable the netselect-apt feature was disabled.
 ## 20190406
 - **Fix for SSH**
  - In some situations the SSH Port was not written to a new line (thanks to @dpisano for reporting).
 - **Fix race condition for apt-fast**
  - Curl and wget need to be installed before apt-fast installation.
 ## 20190404
 - **Fix #332**
  - If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used.
 - **Improve install speed with apt-fast**
  - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package.
 `git log --date=format:"## %Y%m%d" --pretty=format:"%ad %n- **%s**%n  - %b"`
--- a/README.md
+++ b/README.md
--- a/bin/backup_es_folders.sh
+++ b/bin/backup_es_folders.sh
@ -1,12 +1,21 @@
 #!/bin/bash
 # Run as root only.
 myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
+if [ "$myWHOAMI" != "root" ];
  then
    echo "Need to run as root ..."
    exit
 fi
 if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
  then
    echo "Usage: backup_es_folders [all, base]"
    echo "       all  = backup all ES folder"
    echo "       base = backup only Kibana index".
    echo
    exit
 fi
 # Backup all ES relevant folders
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
@ -25,7 +34,7 @@ myCOUNT=1
 myDATE=$(date +%Y%m%d%H%M)
 myELKPATH="/data/elk/data"
 myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
-myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME
+myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
@ -42,5 +51,11 @@ sleep 2
 # Backup DB in 2 flavors
 echo "### Now backing up Elasticsearch folders ..."
-tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
+if [ "$1" == "all" ];
-tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
+  then
    tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
 elif [ "$1" == "base" ];
  then
    tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
 fi
--- a/bin/blackhole.sh
+++ b/bin/blackhole.sh
@ -0,0 +1,109 @@
 #!/bin/bash
 # Run as root only.
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "### Need to run as root ..."
    echo
    exit
 fi
 # Disclaimer
 if [ "$1" == "" ];
  then
    echo "### Warning!"
    echo "### This script will download and add blackhole routes for known mass scanners in an attempt to decrease the chance of detection."
    echo "### IPs are neither curated or verified, use at your own risk!"
    echo "###"
    echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
    echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
    echo
    echo "Usage: blackhole.sh add (add blackhole routes)" 
    echo "       blackhole.sh del (delete blackhole routes)"
    echo
    exit
 fi
 # QnD paths, files
 mkdir -p /etc/blackhole
 cd /etc/blackhole
 myFILE="mass_scanner.txt"
 myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
 myBASELINE="500"
 # Alternatively, using less routes, but blocking complete /24 networks
 #myFILE="mass_scanner_cidr.txt"
 #myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
 # Calculate age of downloaded list, read IPs
 if [ -f "$myFILE" ];
  then
    myNOW=$(date +%s)
    myOLD=$(date +%s -r "$myFILE")
    myDAYS=$(( ($myNOW-$myOLD) / (60*60*24) ))
    echo "### Downloaded $myFILE list is $myDAYS days old."
    myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
 fi
 # Let's load ip list
 if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
  then
    echo "### Downloading $myFILE list."
    aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
    myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u) 
 fi
 myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
 # Let's extract mass scanner IPs
 if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
  then
    echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
    echo "### Aborting."
    echo
    exit
 elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
  then
    echo "### Blackhole already enabled."
    echo "### Aborting."
    echo
    exit
 fi
 # Let's add blackhole routes for all mass scanner IPs
 if [ "$1" == "add" ];
  then
    echo
    echo -n "Now adding $myCOUNT IPs to blackhole."
    for i in $myBLACKHOLE_IPS;
      do
        ip route add blackhole "$i"
 	echo -n "."
    done
    echo
    echo "Added $(ip r | grep "blackhole" -c) IPs to blackhole."
    echo
    echo "### Remember!"
    echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
    echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
    echo
    exit
 fi
 # Let's delete blackhole routes for all mass scanner IPs
 if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
  then
    echo
    echo -n "Now deleting $myCOUNT IPs from blackhole."
      for i in $myBLACKHOLE_IPS;
        do
          ip route del blackhole "$i"
 	  echo -n "."
      done
      echo
      echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
      echo
      rm "$myFILE"
  else
    echo "### Blackhole already disabled."
    echo
 fi
--- a/bin/change_ews_config.sh
+++ b/bin/change_ews_config.sh
@ -60,7 +60,7 @@ fi
 echo ""
 echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
 echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
-wget -q https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
+wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist 
 if [[ -f "ews.cfg.dist" ]]; then
 	echo "[+] Successfully downloaded ews.cfg from github."
 else 
--- a/bin/clean.sh
+++ b/bin/clean.sh
@ -114,6 +114,14 @@ fuCOWRIE () {
  chown tpot:tpot /data/cowrie -R
 }
 # Let's create a function to clean up and prepare ddospot data
 fuDDOSPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
  mkdir -p /data/ddospot/log
  chmod 770 /data/ddospot -R
  chown tpot:tpot /data/ddospot -R
 }
 # Let's create a function to clean up and prepare dicompot data
 fuDICOMPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
@ -149,6 +157,14 @@ fuELK () {
  chown tpot:tpot /data/elk -R
 }
 # Let's create a function to clean up and prepare endlessh data
 fuENDLESSH () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
  mkdir -p /data/endlessh/log
  chmod 770 /data/endlessh -R
  chown tpot:tpot /data/endlessh -R
 }
 # Let's create a function to clean up and prepare fatt data
 fuFATT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
@ -165,6 +181,14 @@ fuGLUTTON () {
  chown tpot:tpot /data/glutton -R
 }
 # Let's create a function to clean up and prepare hellpot data
 fuHELLPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
  mkdir -p /data/hellpot/log
  chmod 770 /data/hellpot -R
  chown tpot:tpot /data/hellpot -R
 }
 # Let's create a function to clean up and prepare heralding data
 fuHERALDING () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
@ -173,12 +197,12 @@ fuHERALDING () {
  chown tpot:tpot /data/heralding -R
 }
-# Let's create a function to clean up and prepare honeypy data
+# Let's create a function to clean up and prepare honeypots data
-fuHONEYPY () {
+fuHONEYPOTS () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
-  mkdir -p /data/honeypy/log
+  mkdir -p /data/honeypots/log
-  chmod 770 /data/honeypy -R
+  chmod 770 /data/honeypots -R
-  chown tpot:tpot /data/honeypy -R
+  chown tpot:tpot /data/honeypots -R
 }
 # Let's create a function to clean up and prepare honeysap data
@ -197,6 +221,22 @@ fuHONEYTRAP () {
  chown tpot:tpot /data/honeytrap/ -R
 }
 # Let's create a function to clean up and prepare ipphoney data
 fuIPPHONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
  mkdir -p /data/ipphoney/log
  chmod 770 /data/ipphoney -R
  chown tpot:tpot /data/ipphoney -R
 }
 # Let's create a function to clean up and prepare log4pot data
 fuLOG4POT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
  mkdir -p /data/log4pot/log
  chmod 770 /data/log4pot -R
  chown tpot:tpot /data/log4pot -R
 }
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@ -229,6 +269,22 @@ fuRDPY () {
  chown tpot:tpot /data/rdpy/ -R
 }
 # Let's create a function to clean up and prepare redishoneypot data
 fuREDISHONEYPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
  mkdir -p /data/redishoneypot/log
  chmod 770 /data/redishoneypot -R
  chown tpot:tpot /data/redishoneypot -R
 }
 # Let's create a function to clean up and prepare sentrypeer data
 fuSENTRYPEER () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
  mkdir -p /data/sentrypeer/log
  chmod 770 /data/sentrypeer -R
  chown tpot:tpot /data/sentrypeer -R
 }
 # Let's create a function to prepare spiderfoot db
 fuSPIDERFOOT () {
  mkdir -p /data/spiderfoot
@ -288,20 +344,27 @@ if [ "$myPERSISTENCE" = "on" ];
    fuCITRIXHONEYPOT
    fuCONPOT
    fuCOWRIE
    fuDDOSPOT
    fuDICOMPOT
    fuDIONAEA
    fuELASTICPOT
    fuELK
    fuENDLESSH
    fuFATT
    fuGLUTTON
    fuHERALDING
    fuHELLPOT
    fuHONEYSAP
-    fuHONEYPY
+    fuHONEYPOTS
    fuHONEYTRAP
    fuIPPHONEY
    fuLOG4POT
    fuMAILONEY
    fuMEDPOT
    fuNGINX
    fuREDISHONEYPOT
    fuRDPY
    fuSENTRYPEER
    fuSPIDERFOOT
    fuSURICATA
    fuP0F
--- a/bin/deploy.sh
+++ b/bin/deploy.sh
@ -0,0 +1,182 @@
 #!/bin/bash
 # Do we have root?
 function fuGOT_ROOT {
 echo
 echo -n "### Checking for root: "
 if [ "$(whoami)" != "root" ];
  then
    echo "[ NOT OK ]"
    echo "### Please run as root."
    echo "### Example: sudo $0"
    exit
  else
    echo "[ OK ]"
 fi
 }
 function fuDEPLOY_SENSOR () {
 echo
 echo "###############################"
 echo "# Deploying to T-Pot Hive ... #"
 echo "###############################"
 echo
 sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
 echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
 mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
 echo "$MY_SENSOR_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
 chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
 chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
 chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
 EOF
 echo
 echo "###########################"
 echo "# Done. Please reboot ... #"
 echo "###########################"
 echo
 exit 0
 }
 # Check Hive availability 
 function fuCHECK_HIVE () {
 echo
 echo "############################################"
 echo "# Checking for T-Pot Hive availability ... #"
 echo "############################################"
 echo
 sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
 if [ $? -eq 0 ];
  then
    echo
    echo "#########################"
    echo "# T-Pot Hive available! #"
    echo "#########################"
    echo
    myHIVE_OK=$(curl -s http://127.0.0.1:64305)
    if [ "$myHIVE_OK" == "ok" ];
      then
 	echo
        echo "##############################"
        echo "# T-Pot Hive tunnel test OK! #"
        echo "##############################"
        echo
        kill -9 $(pidof ssh)
      else
        echo
 	echo "######################################################"
        echo "# T-Pot Hive tunnel test FAILED!                     #"
 	echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
 	echo "# Aborting.                                          #"
        echo "######################################################"
        echo
        kill -9 $(pidof ssh)
 	rm $MY_SENSOR_PUBLICKEYFILE
 	rm $MY_SENSOR_PRIVATEKEYFILE
 	rm $MY_LS_ENVCONFIGFILE
 	exit 1
    fi;
  else
    echo
    echo "#################################################################"
    echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
    echo "# Aborting.                                                     #"
    echo "#################################################################"
    echo
    rm $MY_SENSOR_PUBLICKEYFILE
    rm $MY_SENSOR_PRIVATEKEYFILE
    rm $MY_LS_ENVCONFIGFILE
    exit 1
 fi;
 }
 function fuGET_DEPLOY_DATA () {
 echo
 echo "### Please provide data from your T-Pot Hive installation."
 echo "### This usually is the one running the 'T-Pot Hive' type."
 echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
 echo "### Do not worry, the password will not be persisted!"
 echo
 read -p "Username: " MY_TPOT_USERNAME
 read -s -p "Password: " SSHPASS
 echo
 export SSHPASS
 read -p "IP / FQDN: " MY_HIVE_IP
 MY_HIVE_USERNAME="$(hostname)"
 MY_TPOT_TYPE="SENSOR"
 MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
 MY_SENSOR_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
 MY_SENSOR_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
 if ! [ -s "$MY_SENSOR_PRIVATEKEYFILE" ] && ! [ -s "$MY_SENSOR_PUBLICKEYFILE" ];
  then
    echo
    echo "##############################"
    echo "# Generating ssh keyfile ... #"
    echo "##############################"
    echo
    mkdir -p /data/elk/logstash
    ssh-keygen -f "$MY_SENSOR_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
    MY_SENSOR_PUBLICKEY="$(cat "$MY_SENSOR_PUBLICKEYFILE")"
  else
    echo
    echo "#############################################"
    echo "# There is already a ssh keyfile. Aborting. #"
    echo "#############################################"
    echo
    exit 1
 fi
 echo
 echo "###########################################################"
 echo "# Writing config to /data/elk/logstash/ls_environment.    #"
 echo "# If you make changes to this file, you need to reboot or #"
 echo "# run /opt/tpot/bin/updateip.sh.                          #"
 echo "###########################################################"
 echo
 tee $MY_LS_ENVCONFIGFILE << EOF
 MY_TPOT_TYPE=$MY_TPOT_TYPE
 MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
 MY_HIVE_USERNAME=$MY_HIVE_USERNAME
 MY_HIVE_IP=$MY_HIVE_IP
 EOF
 }
 # Deploy Pot to Hive
 fuGOT_ROOT
 echo
 echo "#################################"
 echo "# Ship T-Pot Logs to T-Pot Hive #"
 echo "#################################"
 echo
 echo "If you already have a T-Pot Hive installation running and"
 echo "this T-Pot installation is running the type \"Pot\" the"
 echo "script will automagically setup this T-Pot to ship and"
 echo "prepare the Hive to receive logs from this T-Pot."
 echo
 echo
 echo "###################################"
 echo "# Deploy T-Pot Logs to T-Pot Hive #"
 echo "###################################"
 echo 
 echo "[c] - Continue deplyoment"
 echo "[q] - Abort and exit"
 echo
 while [ 1 != 2 ]
  do
    read -s -n 1 -p "Your choice: " mySELECT
      echo $mySELECT
      case "$mySELECT" in
        [c,C])
          fuGET_DEPLOY_DATA
          fuCHECK_HIVE
 	  fuDEPLOY_SENSOR
          break
          ;;
        [q,Q])
          echo "Aborted."
          exit 0
          ;;
      esac
 done
--- a/bin/deprecated/export_kibana-objects.sh
+++ b/bin/deprecated/export_kibana-objects.sh
@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
@ -15,7 +15,7 @@ fi
 # Set vars
 myDATE=$(date +%Y%m%d%H%M)
-myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
 myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
 myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
--- a/bin/deprecated/hptest.sh
+++ b/bin/deprecated/hptest.sh
@ -0,0 +1,122 @@
 #!/bin/bash
 myHOST="$1"
 myPACKAGES="dcmtk netcat nmap"
 myMEDPOTPACKET="
 MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
 EVN|A01|198808181123
 PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
 NK1|1|JONES^BARBARA^K|SPO|||||20011105
 NK1|1|JONES^MICHAEL^A|FTH
 PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
 AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
 AL1|2||^CAT DANDER||CODE257
 DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
 PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
 ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
 GT1|1122|1519|BILL^GATES^A
 IN1|001|A357|1234|BCMD|||||132987
 IN2|ID1551001|SSN12345678
 ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
 function fuGOTROOT {
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 }
 function fuCHECKDEPS {
 myINST=""
 for myDEPS in $myPACKAGES;
 do
  myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
  if [ "$myOK" != "ok" ]
    then
      myINST=$(echo $myINST $myDEPS)
  fi
 done
 if [ "$myINST" != "" ]
  then
    apt-get update -y
    for myDEPS in $myINST;
    do
      apt-get install $myDEPS -y
    done
 fi
 }
 function fuCHECKFORARGS {
 if [ "$myHOST" != "" ];
  then
    echo "All arguments met. Continuing."
  else
    echo "Usage: hp_test.sh <[host or ip]>"
    exit
 fi
 }
 function fuGETPORTS {
 myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
 myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
 echo "Found these ports enabled:"
 echo "$myPORTS"
 exit
 }
 function fuSCAN {
 local myTIMEOUT="$1"
 local mySCANPORT="$2"
 local mySCANIP="$3"
 local mySCANOPTS="$4"
 timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
 }
 # Main
 fuGOTROOT
 fuCHECKDEPS
 fuCHECKFORARGS
 echo "Starting scans ..."
 echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
 curl -XGET "http://$myHOST:9200/logstash-*/_search" &
 curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
 echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
 findscu -P -k PatientName="*" $myHOST 11112 &
 getscu -P -k PatientName="*" $myHOST 11112 &
 telnet $myHOST 3299 &
 fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
 fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
 fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
 fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
 fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
 fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
 fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
 fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
 fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
 fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
 fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
 fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
 fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
 fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
 fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
 fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
 fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
 fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
 fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
 fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
 fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
 fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
 fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
 fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
 fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
 fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
 wait
 reset
 echo "Done."
--- a/bin/deprecated/import_kibana-objects.sh
+++ b/bin/deprecated/import_kibana-objects.sh
@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
    exit
  else
    echo "### Elasticsearch is available, now continuing."
@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
 # Restore index patterns
 myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
-myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
--- a/bin/dps.sh
+++ b/bin/dps.sh
@ -8,8 +8,14 @@ if [ "$myWHOAMI" != "root" ]
    exit
 fi
 # Show current status of T-Pot containers
 myPARAM="$1"
 if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
  then
    watch --color -n $myPARAM "dps.sh"
    exit
 fi
 # Show current status of T-Pot containers
 myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
 myRED="[1;31m"
 myGREEN="[1;32m"
@ -17,19 +23,39 @@ myBLUE="[1;34m"
 myWHITE="[0;0m"
 myMAGENTA="[1;35m"
 # Blackhole Status
 myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
 if [ "$myBLACKHOLE_STATUS" -gt "500" ];
  then
    myBLACKHOLE_STATUS="${myGREEN}ENABLED"
  else
    myBLACKHOLE_STATUS="${myRED}DISABLED"
 fi
 function fuGETTPOT_STATUS {
 # T-Pot Status
 myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
 if [ "$myTPOT_STATUS" == "active" ];
  then
    echo "${myGREEN}ACTIVE"
  else
    echo "${myRED}INACTIVE"
 fi
 }
 function fuGETSTATUS {
 grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
 }
 function fuGETSYS {
-printf "========| System |========\n"
+printf "[ ========| System |======== ]\n"
-printf "%+10s %-20s\n" "Date: " "$(date)"
+printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
-printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)"
+printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
 printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
 printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
 echo
 }
 while true
  do
    myDPS=$(fuGETSTATUS)
    myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
    fuGETSYS
@ -45,10 +71,3 @@ while true
 	  printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
      fi
    done
    if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
      then 
        sleep "$myPARAM"
      else 
        break
    fi
 done
--- a/bin/hptest.sh
+++ b/bin/hptest.sh
@ -1,23 +1,8 @@
 #!/bin/bash
 myHOST="$1"
-myPACKAGES="dcmtk netcat nmap"
+myPACKAGES="nmap"
-myMEDPOTPACKET="
+myDOCKERCOMPOSEYML="/opt/tpot/etc/tpot.yml"
 MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
 EVN|A01|198808181123
 PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
 NK1|1|JONES^BARBARA^K|SPO|||||20011105
 NK1|1|JONES^MICHAEL^A|FTH
 PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
 AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
 AL1|2||^CAT DANDER||CODE257
 DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
 PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
 ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
 GT1|1122|1519|BILL^GATES^A
 IN1|001|A357|1234|BCMD|||||132987
 IN2|ID1551001|SSN12345678
 ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
 function fuGOTROOT {
 myWHOAMI=$(whoami)
@ -52,71 +37,32 @@ function fuCHECKFORARGS {
 if [ "$myHOST" != "" ];
  then
    echo "All arguments met. Continuing."
    echo
  else
-    echo "Usage: hp_test.sh <[host or ip]>"
+    echo "Usage: hptest.sh <[host or ip]>"
    echo
    exit
 fi
 }
 function fuGETPORTS {
 myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu)
 myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
-myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
+myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done)
-echo "Found these ports enabled:"
+myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done)
 echo "$myPORTS"
 exit
 }
 function fuSCAN {
 local myTIMEOUT="$1"
 local mySCANPORT="$2"
 local mySCANIP="$3"
 local mySCANOPTS="$4"
 timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
 }
 # Main
 fuGETPORTS
 fuGOTROOT
 fuCHECKDEPS
 fuCHECKFORARGS
-
+echo
-echo "Starting scans ..."
+echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..."
-echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
+nmap -sV -sC -v -p $myPORTS $1 &
-curl -XGET "http://$myHOST:9200/logstash-*/_search" &
+nmap -sU -sV -sC -v -p $myUDPPORTS $1 &
-curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
+echo
 echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
 findscu -P -k PatientName="*" $myHOST 11112 &
 getscu -P -k PatientName="*" $myHOST 11112 &
 telnet $myHOST 3299 &
 fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
 fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
 fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
 fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
 fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
 fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
 fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
 fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
 fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
 fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
 fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
 fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
 fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
 fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
 fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
 fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
 fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
 fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
 fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
 fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
 fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
 fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
 fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
 fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
 fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
 fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
 fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
 wait
 reset
 echo "Done."
 echo
--- a/bin/setup_builder.sh
+++ b/bin/setup_builder.sh
@ -0,0 +1,45 @@
 #!/bin/bash
 # Got root?
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 # Only run with command switch
 if [ "$1" != "-y" ]; then
  echo "### Setting up docker for Multi Arch Builds."
  echo "### Use on x64 only!"
  echo "### Run with -y to install!"
  echo
  exit
 fi
 # Main
 mkdir -p /root/.docker/cli-plugins/
 cd /root/.docker/cli-plugins/
 wget https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-amd64 -O docker-buildx
 chmod +x docker-buildx
 docker buildx ls
 # We need to create a new builder as the default one cannot handle multi-arch builds
 # https://docs.docker.com/desktop/multi-arch/
 docker buildx create --name mybuilder
 # Set as default
 docker buildx use mybuilder
 # We need to install emulators, arm64 should be fine for now
 # https://github.com/tonistiigi/binfmt/
 docker run --privileged --rm tonistiigi/binfmt --install arm64
 # Check if everything is setup correctly
 docker buildx inspect --bootstrap
 echo
 echo "### Done."
 echo
 echo "Example: docker buildx build --platform linux/amd64,linux/arm64 -t username/demo:latest --push ."
 echo "Docs: https://docs.docker.com/desktop/multi-arch/"
--- a/bin/tpdclean.sh
+++ b/bin/tpdclean.sh
@ -0,0 +1,29 @@
 #!/bin/bash
 # T-Pot Compose and Container Cleaner
 # Set colors
 myRED="[0;31m"
 myGREEN="[0;32m"
 myWHITE="[0;0m"
 # Only run with command switch
 if [ "$1" != "-y" ]; then
  echo $myRED"### WARNING"$myWHITE
  echo ""
  echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
  echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
  echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
  echo ""
  echo $myRED"### WARNING "$myWHITE
  echo
  exit
 fi
 # Remove old containers, images and volumes
 docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
 docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
 docker network rm $(docker network ls -q) >> /dev/null 2>&1
 docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
 docker rm -v $(docker ps -aq) >> /dev/null 2>&1
 docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
 docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
 exit 0
--- a/bin/tped.sh
+++ b/bin/tped.sh
@ -29,7 +29,7 @@ for i in $myYMLS;
  do
    myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " 
 done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
+myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
 if [ "$myEDITION" == "" ];
  then
    echo "Have a nice day!"
--- a/bin/updateip.sh
+++ b/bin/updateip.sh
@ -2,22 +2,62 @@
 # Let's add the first local ip to the /etc/issue and external ip to ews.ip file
 # If the external IP cannot be detected, the internal IP will be inherited.
 source /etc/environment
 myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
 myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
 myLOCALIP=$(hostname -I | awk '{ print $1 }')
 myEXTIP=$(/opt/tpot/bin/myip.sh)
 if [ "$myEXTIP" = "" ];
  then
    myEXTIP=$myLOCALIP
    myEXTIP_LAT="49.865835022498125"
    myEXTIP_LONG="8.62606472775735"
  else
    myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
    myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
    myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
 fi
 # Load Blackhole routes if enabled 
 myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
 myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
 if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
  then
    /opt/tpot/bin/blackhole.sh add
 fi
 myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
 if [ "$myBLACKHOLE_STATUS" -gt "500" ];
  then
    myBLACKHOLE_STATUS="| [1;34mBLACKHOLE: [ [0;37mENABLED[1;34m ][0m"
  else
    myBLACKHOLE_STATUS="| [1;34mBLACKHOLE: [ [1;30mDISABLED[1;34m ][0m"
 fi
 mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
 # Export
 export myUUID
 export myLOCALIP
 export myEXTIP
 export myEXTIP_LAT
 export myEXTIP_LONG
 export myBLACKHOLE_STATUS
 export mySSHUSER
 # Build issue
 echo "[H[2J" > /etc/issue
-toilet -f ivrit -F metal --filter border:metal "T-Pot   20.06" | sed 's/\\/\\\\/g' >> /etc/issue
+toilet -f ivrit -F metal --filter border:metal "T-Pot   22.04" | sed 's/\\/\\\\/g' >> /etc/issue
 echo >> /etc/issue
 echo ",---- [ [1;34m\n[0m ] [ [0;34m\d[0m ] [ [1;30m\t[0m ]" >> /etc/issue
 echo "|" >> /etc/issue
 echo "| [1;34mIP: $myLOCALIP ($myEXTIP)[0m" >> /etc/issue
 echo "| [0;34mSSH: ssh -l tsec -p 64295 $myLOCALIP[0m" >> /etc/issue 
-echo "| [1;30mWEB: https://$myLOCALIP:64297[0m" >> /etc/issue
+if [ "$myCHECKIFSENSOR" == "0" ];
  then
    echo "| [1;30mWEB: https://$myLOCALIP:64297[0m" >> /etc/issue
 fi
 echo "| [0;37mADMIN: https://$myLOCALIP:64294[0m" >> /etc/issue
 echo "$myBLACKHOLE_STATUS" >> /etc/issue
 echo "|" >> /etc/issue
 echo "\`----" >> /etc/issue
 echo >> /etc/issue
@ -26,9 +66,24 @@ tee /data/ews/conf/ews.ip << EOF
 ip = $myEXTIP
 EOF
 tee /opt/tpot/etc/compose/elk_environment << EOF
 HONEY_UUID=$myUUID
 MY_EXTIP=$myEXTIP
 MY_EXTIP_LAT=$myEXTIP_LAT
 MY_EXTIP_LONG=$myEXTIP_LONG
 MY_INTIP=$myLOCALIP
 MY_HOSTNAME=$HOSTNAME
 EOF
 if [ -s "/data/elk/logstash/ls_environment" ];
  then
    source /data/elk/logstash/ls_environment
    tee -a /opt/tpot/etc/compose/elk_environment << EOF
 MY_TPOT_TYPE=$MY_TPOT_TYPE
 MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
 MY_HIVE_USERNAME=$MY_HIVE_USERNAME
 MY_HIVE_IP=$MY_HIVE_IP
 EOF
 fi
 chown tpot:tpot /data/ews/conf/ews.ip
 chmod 770 /data/ews/conf/ews.ip
--- a/cloud/.gitignore
+++ b/cloud/.gitignore
@ -0,0 +1,10 @@
 # Ansible
 *.retry
 # Terraform
 **/.terraform
 **/terraform.*
 # OpenStack clouds
 **/clouds.yaml
 **/secure.yaml
--- a/cloud/ansible/.gitignore
+++ b/cloud/ansible/.gitignore
@ -1,2 +0,0 @@
 # Ansible
 *.retry
--- a/cloud/ansible/README.md
+++ b/cloud/ansible/README.md
@ -2,15 +2,16 @@
 Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).  
 It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.  
-Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html) (e.g. AWS, Azure, Digital Ocean, Google).
+Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
-The Playbook first creates all resources (security group, network, subnet, router), deploys a new server and then installs and configures T-Pot.
+The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
 This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
 # Table of contents
 - [Preparation of Ansible Master](#ansible-master)
  - [Ansible Installation](#ansible)
  - [OpenStack Collection Installation](#collection)
  - [Agent Forwarding](#agent-forwarding)
 - [Preparations in Open Telekom Cloud Console](#preparation)
  - [Create new project](#project)
@ -18,8 +19,9 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of
  - [Import Key Pair](#key-pair)
 - [Clone Git Repository](#clone-git)
 - [Settings and recommended values](#settings)
-  - [Clouds.yaml](#clouds-yaml)
+  - [clouds.yaml](#clouds-yaml)
  - [Ansible remote user](#remote-user)
  - [Number of instances to deploy](#number)
  - [Instance settings](#instance-settings)
  - [User password](#user-password)
  - [Configure `tpot.conf.dist`](#tpot-conf)
@ -36,6 +38,8 @@ Ansible works over the SSH Port, so you don't have to add any special rules to y
 <a name="ansible"></a>
 ## Ansible Installation
 :warning: Ansible 2.10 or newer is required!
 Example for Ubuntu 18.04:  
 At first we update the system:  
@ -48,6 +52,17 @@ Then we need to add the repository and install Ansible:
 For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
 If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).  
 In short (if you already have Python3/pip3 installed):
 ```
 pip3 install ansible
 ```
 <a name="collection"></a>
 ## OpenStack Collection Installation
 For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:  
 `ansible-galaxy collection install openstack.cloud`
 <a name="agent-forwarding"></a>
 ## Agent Forwarding
 If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.  
@ -96,7 +111,7 @@ Import your SSH public key.
 <a name="clone-git"></a>
 # Clone Git Repository
 Clone the `tpotce` repository to your Ansible Master:  
-`git clone https://github.com/dtag-dev-sec/tpotce.git`  
+`git clone https://github.com/telekom-security/tpotce.git`  
 All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
 <a name="settings"></a>
@ -104,7 +119,7 @@ All Ansible related files are located in the [`cloud/ansible/openstack`](opensta
 You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
 <a name="clouds-yaml"></a>
-## Clouds.yaml
+## clouds.yaml
 Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).  
 Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):  
 ```
@ -118,22 +133,36 @@ clouds:
      user_domain_name: OTC-EU-DE-000000000010000XXXXX
 ```
 You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.  
-For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation.
+For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation.
 If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file:
 ```
 # Enter the name of your cloud to use from clouds.yaml
 cloud: open-telekom-cloud
 ```
 <a name="remote-user"></a>
 ## Ansible remote user
 You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`).
 <a name="number"></a>
 ## Number of instances to deploy
 You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml):
 ```
 loop: "{{ range(0, 1) }}"
 ```
 One instance is set as the default, increase to your liking.
 <a name="instance-settings"></a>
 ## Instance settings
-Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml).  
+Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml).  
 Here you can customize your virtual machine specifications:
  - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
  - Change the OS image (For T-Pot we need Debian)
  - (Optional) Change the volume size
  - Specify your key pair (:warning: Mandatory)
  - (Optional) Change the instance type (flavor)  
-    `s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
+    `s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
    A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
 ```
@ -141,7 +170,7 @@ availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
 key_name: your-KeyPair
-flavor: s2.medium.8
+flavor: s3.medium.8
 ```
 <a name="user-password"></a>
@ -160,14 +189,6 @@ Here you can choose:
  - a username for the web interface
  - a password for the web interface (**you should definitely change that**)
 ```
 # tpot configuration file
 # myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
 myCONF_TPOT_FLAVOR='STANDARD'
 myCONF_WEB_USER='webuser'
 myCONF_WEB_PW='w3b$ecret'
 ```
 <a name="ews-cfg"></a>
 ## Optional: Custom `ews.cfg`
 Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
@ -200,7 +221,7 @@ Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_
 #    - custom_hpfeeds
 ```
-You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg).  
+You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg).  
 That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:
 ```
 myENABLE=true
@ -216,6 +237,7 @@ myFORMAT=json
 <a name="deploy"></a>
 # Deploying a T-Pot :honey_pot::honeybee:
 Now, after configuring everything, we can finally start deploying T-Pots!  
 Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:  
 `ansible-playbook deploy_tpot.yaml`  
 (Yes, it is as easy as that :smile:)
@ -223,15 +245,13 @@ Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:
 If you are running on a machine which asks for a sudo password, you can use:  
 `ansible-playbook --ask-become-pass deploy_tpot.yaml`
-The Playbook will first install required packages on the Ansible Master and then deploy a new server instance.  
+The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.  
-After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots.
+After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.
-Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/dtag-dev-sec/tpotce#ssh-and-web-access).
+Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
 <a name="documentation"></a>
 # Further documentation
 - [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
- [Cloud modules — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html)
+- [openstack.cloud.server – Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html)
 - [os_server – Create/Delete Compute Instances from OpenStack — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/os_server_module.html)
 - [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)
 - [Open Telekom Cloud API Overview](https://docs.otc.t-systems.com/en-us/api/wp/en-us_topic_0052070394.html)
--- a/cloud/ansible/openstack/clouds.yaml
+++ b/cloud/ansible/openstack/clouds.yaml
@ -1,6 +1,7 @@
 clouds:
  open-telekom-cloud:
    profile: otc
    region_name: eu-de
    auth:
      project_name: eu-de_your_project
      username: your_api_user
--- a/cloud/ansible/openstack/deploy_tpot.yaml
+++ b/cloud/ansible/openstack/deploy_tpot.yaml
@ -4,13 +4,22 @@
  roles:
    - check
- name: Deploy instance
+- name: Deploy instances
  hosts: localhost
-  roles:
+  vars_files: my_os_cloud.yaml
-    - deploy
+  tasks:
    - name: Create security group and network
      ansible.builtin.include_role:
        name: create_net
    - name: Create one or more instances
      ansible.builtin.include_role:
        name: create_vm
      loop: "{{ range(0, 1) }}"
      loop_control:
        extended: yes
- name: Install T-Pot on new instance
+- name: Install T-Pot
-  hosts: TPOT
+  hosts: tpot
  remote_user: linux
  become: yes
  gather_facts: no
--- a/cloud/ansible/openstack/my_os_cloud.yaml
+++ b/cloud/ansible/openstack/my_os_cloud.yaml
@ -0,0 +1,2 @@
 # Enter the name of your cloud to use from clouds.yaml
 cloud: open-telekom-cloud
--- a/cloud/ansible/openstack/requirements.yaml
+++ b/cloud/ansible/openstack/requirements.yaml
@ -0,0 +1,2 @@
 collections:
 - name: openstack.cloud
--- a/cloud/ansible/openstack/roles/check/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/check/tasks/main.yaml
@ -1,17 +1,19 @@
 - name: Install dependencies
-  package:
+  ansible.builtin.package:
    name:
-      - pwgen
+      - gcc
-      - python-setuptools
+      - python3-dev
-      - python-pip
+      - python3-setuptools
      - python3-pip
    state: present
 - name: Install openstacksdk
-  pip:
+  ansible.builtin.pip:
    name: openstacksdk
    executable: pip3
 - name: Check if agent forwarding is enabled
-  fail:
+  ansible.builtin.fail:
    msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
  ignore_errors: yes
-  when: lookup('env','SSH_AUTH_SOCK') == ""
+  failed_when: lookup('env','SSH_AUTH_SOCK') == ""
--- a/cloud/ansible/openstack/roles/create_net/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/create_net/tasks/main.yaml
@ -0,0 +1,33 @@
 - name: Create security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: sg-tpot-ansible
    description: Security Group for T-Pot
 - name: Add rules to security group
  openstack.cloud.security_group_rule:
    cloud: "{{ cloud }}"
    security_group: sg-tpot-ansible
    remote_ip_prefix: 0.0.0.0/0
 - name: Create network
  openstack.cloud.network:
    cloud: "{{ cloud }}"
    name: network-tpot-ansible
 - name: Create subnet
  openstack.cloud.subnet:
    cloud: "{{ cloud }}"
    network_name: network-tpot-ansible
    name: subnet-tpot-ansible
    cidr: 192.168.0.0/24
    dns_nameservers:
      - 100.125.4.25
      - 100.125.129.199
 - name: Create router
  openstack.cloud.router:
    cloud: "{{ cloud }}"
    name: router-tpot-ansible
    interfaces:
      - subnet-tpot-ansible
--- a/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
@ -0,0 +1,24 @@
 - name: Generate T-Pot name
  ansible.builtin.set_fact:
    tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=6') }}"
 - name: Create instance {{ ansible_loop.index }} of {{ ansible_loop.length }}
  openstack.cloud.server:
    cloud: "{{ cloud }}"
    name: "{{ tpot_name }}"
    availability_zone: "{{ availability_zone }}"
    image: "{{ image }}"
    boot_from_volume: yes
    volume_size: "{{ volume_size }}"
    key_name: "{{ key_name }}"
    auto_ip: yes
    flavor: "{{ flavor }}"
    security_groups: sg-tpot-ansible
    network: network-tpot-ansible
  register: tpot
 - name: Add instance to inventory
  ansible.builtin.add_host:
    hostname: "{{ tpot_name }}"
    ansible_host: "{{ tpot.server.public_v4 }}"
    groups: tpot
--- a/cloud/ansible/openstack/roles/create_vm/vars/main.yaml
+++ b/cloud/ansible/openstack/roles/create_vm/vars/main.yaml
@ -2,4 +2,4 @@ availability_zone: eu-de-03
 image: Standard_Debian_10_latest
 volume_size: 128
 key_name: your-KeyPair
-flavor: s2.medium.8
+flavor: s3.medium.8
--- a/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
@ -1,5 +1,5 @@
 - name: Copy ews configuration file
-  template:
+  ansible.builtin.template:
    src: ews.cfg
    dest: /data/ews/conf
    owner: root
@ -7,7 +7,7 @@
    mode: 0644
 - name: Patching tpot.yml with custom ews configuration file
-  lineinfile:
+  ansible.builtin.lineinfile:
    path: /opt/tpot/etc/tpot.yml
    insertafter: "/opt/ewsposter/ews.ip"
    line: "     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg"
--- a/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
@ -1,5 +1,5 @@
 - name: Copy hpfeeds configuration file
-  copy:
+  ansible.builtin.copy:
    src: hpfeeds.cfg
    dest: /data/ews/conf
    owner: tpot
@ -8,5 +8,5 @@
  register: config
 - name: Applying hpfeeds settings
-  command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
+  ansible.builtin.command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
  when: config.changed == true
--- a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml
@ -1,58 +0,0 @@
 - name: Create T-Pot name
  shell: echo t-pot-ansible-$(pwgen -ns 6 -1)
  register: tpot_name
 - name: Create security group
  os_security_group:
    cloud: open-telekom-cloud
    name: sg-tpot-any
    description: tpot any-any
 - name: Add rules to security group
  os_security_group_rule:
    cloud: open-telekom-cloud
    security_group: sg-tpot-any
    remote_ip_prefix: 0.0.0.0/0
 - name: Create network
  os_network:
    cloud: open-telekom-cloud
    name: network-tpot
 - name: Create subnet
  os_subnet:
    cloud: open-telekom-cloud
    network_name: network-tpot
    name: subnet-tpot
    cidr: 192.168.0.0/24
    dns_nameservers:
      - 1.1.1.1
      - 8.8.8.8
 - name: Create router
  os_router:
    cloud: open-telekom-cloud
    name: router-tpot
    interfaces:
      - subnet-tpot
 - name: Launch an instance
  os_server:
    cloud: open-telekom-cloud
    name: "{{ tpot_name.stdout }}"
    availability_zone: "{{ availability_zone }}"
    image: "{{ image }}"
    boot_from_volume: yes
    volume_size: "{{ volume_size }}"
    key_name: "{{ key_name }}"
    timeout: 200
    flavor: "{{ flavor }}"
    security_groups: sg-tpot-any
    network: network-tpot
  register: tpot
 - name: Add instance to inventory
  add_host:
    hostname: "{{ tpot_name.stdout }}"
    ansible_host: "{{ tpot.server.public_v4 }}"
    groups: TPOT
--- a/cloud/ansible/openstack/roles/install/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml
@ -1,29 +1,29 @@
 - name: Waiting for SSH connection
-  wait_for_connection:
+  ansible.builtin.wait_for_connection:
 - name: Gathering facts
-  setup:
+  ansible.builtin.setup:
 - name: Cloning T-Pot install directory
-  git:
+  ansible.builtin.git:
-    repo: "https://github.com/dtag-dev-sec/tpotce.git"
+    repo: "https://github.com/telekom-security/tpotce.git"
    dest: /root/tpot
 - name: Prepare to set user password
-  set_fact:
+  ansible.builtin.set_fact:
    user_name: "{{ ansible_user }}"
    user_salt: "s0mew1ck3dTpoT"
  no_log: true
 - name: Changing password for user {{ user_name }}
-  user:
+  ansible.builtin.user:
   name: "{{ ansible_user }}"
   password: "{{ user_password | password_hash('sha512', user_salt) }}"
   state: present
   shell: /bin/bash
 - name: Copy T-Pot configuration file
-  template:
+  ansible.builtin.copy:
    src: ../../../../../../iso/installer/tpot.conf.dist
    dest: /root/tpot.conf
    owner: root
@ -31,15 +31,15 @@
    mode: 0644
 - name: Install T-Pot on instance -  be patient, this might take 15 to 30 minutes depending on the connection speed.
-  command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
+  ansible.builtin.command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
 - name: Delete T-Pot configuration file
-  file:
+  ansible.builtin.file:
    path: /root/tpot.conf
    state: absent
 - name: Change unattended-upgrades to take default action
-  blockinfile:
+  ansible.builtin.blockinfile:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    block: |
      Dpkg::Options {
--- a/cloud/ansible/openstack/roles/reboot/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/reboot/tasks/main.yaml
@ -1,10 +1,10 @@
 - name: Finally rebooting T-Pot
-  command: shutdown -r now
+  ansible.builtin.command: shutdown -r now
  async: 1
  poll: 0
 - name: Next login options
-  debug:
+  ansible.builtin.debug:
    msg:
    - "*****    SSH Access:"
    - "*****    ssh {{ ansible_user }}@{{ ansible_host }} -p 64295"
--- a/cloud/terraform/.gitignore
+++ b/cloud/terraform/.gitignore
@ -1,2 +0,0 @@
 **/.terraform
 **/terraform.*
--- a/cloud/terraform/README.md
+++ b/cloud/terraform/README.md
@ -1,7 +1,7 @@
 # T-Pot Terraform
 This [Terraform](https://www.terraform.io/) configuration can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.  
 Configuration for Amazon Web Services (AWS) and Open Telekom Cloud (OTC) is currently included.
-This can easily be extended to support other [Terraform providers](https://www.terraform.io/docs/providers/index.html).
+This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
 [Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup.
@ -9,7 +9,7 @@ This can easily be extended to support other [Terraform providers](https://www.t
 - [What get's created](#what-created)
  - [Amazon Web Services (AWS)](#what-created-aws)
  - [Open Telekom Cloud (OTC)](#what-created-otc)
- [Pre-Requisites](#pre)
+- [Prerequisites](#pre)
  - [Amazon Web Services (AWS)](#pre-aws)
  - [Open Telekom Cloud (OTC)](#pre-otc)
 - [Terraform Variables](#variables)
@ -37,16 +37,17 @@ This can easily be extended to support other [Terraform providers](https://www.t
 <a name="what-created-otc"></a>
 ### Open Telekom Cloud (OTC)
 * ECS instance:
-  * s2.medium.8 (1 vCPU, 8 GB RAM)
+  * s3.medium.8 (1 vCPU, 8 GB RAM)
  * 128 GB disk
  * Debian 10
  * Public EIP
 * Security Group
-* Network, Subnet, Router (= Virtual Private Cloud [VPC])
+  * All TCP/UDP ports are open to the Internet
 * Virtual Private Cloud (VPC) and Subnet
 <a name="pre"></a>
-## Pre-Requisites
+## Prerequisites
-* [Terraform](https://www.terraform.io/) 0.12
+* [Terraform](https://www.terraform.io/) 0.13
 <a name="pre-aws"></a>
 ### Amazon Web Services (AWS)
@ -90,12 +91,13 @@ In `aws/variables.tf`, you can change the additional variables:
 <a name="variables-otc"></a>
 ### Open Telekom Cloud (OTC)
 In `otc/variables.tf`, you can change the additional variables:
-* `availabiliy_zone`
+* `ecs_flavor`
-* `flavor`
+* `ecs_disk_size`
 * `availability_zone`
 * `key_pair` - Specify an existing SSH key pair
-* `image_id`
+* `eip_size`
-* `volume_size`  
+
-Furthermore you can configure the naming of the created infrastructure (per default everything gets prefixed with "tpot-", e.g. "tpot-router").
+... and some more, but these are the most relevant.
 <a name="initialising"></a>
 ## Initialising
@ -124,4 +126,4 @@ If you want the remove the built infrastructure, you can run [`terraform destroy
 <a name="connecting"></a>
 ## Connecting to the Instance
-When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/dtag-dev-sec/tpotce#ssh-and-web-access).
+When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
--- a/cloud/terraform/aws/.terraform.lock.hcl
+++ b/cloud/terraform/aws/.terraform.lock.hcl
@ -0,0 +1,20 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.26.0"
  constraints = "3.26.0"
  hashes = [
    "h1:0i78FItlPeiomd+4ThZrtm56P5K33k7/6dnEe4ZePI0=",
    "zh:26043eed36d070ca032cf04bc980c654a25821a8abc0c85e1e570e3935bbfcbb",
    "zh:2fe68f3f78d23830a04d7fac3eda550eef1f627dfc130486f70a65dc5c254300",
    "zh:3d66484c608c64678e639db25d63872783ce60363a1246e30317f21c9c23b84b",
    "zh:46ffd755cfd4cf94fe66342797b5afdcef010a24e126c67fee141b357d393535",
    "zh:5e96f24357e945c9067cf5e032ad1d003609629c956c2f9f642fefe714e74587",
    "zh:60c27aca36bb63bf3e865c2193be80ca83b376581d00f9c220af4b013e163c4d",
    "zh:896f0f22d19d41e71b22f9240b261714c3915b165ddefeb771e7734d69dc47ea",
    "zh:90de9966cb2fd3e2f326df291595e55d2dd2d90e7d6dd085c2c8691dce82bdb4",
    "zh:ad05a91a88ceb1d6de5a568f7cc0b0e5bc0a79f3da70bc28c1e7f3750e362d58",
    "zh:e8c63f59c6465329e1f3357498face3dd7ef10a033df3c366a33aa9e94b46c01",
  ]
 }
--- a/cloud/terraform/aws/main.tf
+++ b/cloud/terraform/aws/main.tf
@ -60,7 +60,7 @@ resource "aws_instance" "tpot" {
    volume_size           = 128
    delete_on_termination = true
  }
-  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
+  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
-  vpc_security_group_ids = [aws_security_group.tpot.id]
+  vpc_security_group_ids      = [aws_security_group.tpot.id]
  associate_public_ip_address = true
 }
--- a/cloud/terraform/aws/variables.tf
+++ b/cloud/terraform/aws/variables.tf
@ -28,32 +28,35 @@ variable "ec2_instance_type" {
  default = "t3.large"
 }
-# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Buster
+# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
 variable "ec2_ami" {
  type = map(string)
  default = {
-    "ap-east-1"      = "ami-f9c58188"
+    "af-south-1"     = "ami-0c372f041acae6d49"
-    "ap-northeast-1" = "ami-0fae5501ae428f9d7"
+    "ap-east-1"      = "ami-079b8d011d4655385"
-    "ap-northeast-2" = "ami-0522874b039290246"
+    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
-    "ap-south-1"     = "ami-03b4e18f70aca8973"
+    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
-    "ap-southeast-1" = "ami-0852293c17f5240b3"
+    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
-    "ap-southeast-2" = "ami-03ea2db714f1f6acf"
+    "ap-south-1"     = "ami-020d429f17c9f1d0a"
-    "ca-central-1"   = "ami-094511e5020cdea18"
+    "ap-southeast-1" = "ami-09625a221230d9fe6"
-    "eu-central-1"   = "ami-0394acab8c5063f6f"
+    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
-    "eu-north-1"     = "ami-0c82d9a7f5674320a"
+    "ca-central-1"   = "ami-09125623b02302014"
-    "eu-west-1"      = "ami-006d280940ad4a96c"
+    "eu-central-1"   = "ami-00c36c60f07e21791"
-    "eu-west-2"      = "ami-08fe9ea08db6f1258"
+    "eu-north-1"     = "ami-052bea934e2d9dbfe"
-    "eu-west-3"      = "ami-04563f5eab11f2b87"
+    "eu-south-1"     = "ami-04e2bb16d37324719"
-    "me-south-1"     = "ami-0492a01b319d1f052"
+    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
-    "sa-east-1"      = "ami-05e16feea94258a69"
+    "eu-west-2"      = "ami-02ed1bc837487d535"
-    "us-east-1"      = "ami-04d70e069399af2e9"
+    "eu-west-3"      = "ami-080efd2add7e29430"
-    "us-east-2"      = "ami-04100f1cdba76b497"
+    "me-south-1"     = "ami-0dbde382c834c4a72"
-    "us-west-1"      = "ami-014c78f266c5b7163"
+    "sa-east-1"      = "ami-0a0792814cb068077"
-    "us-west-2"      = "ami-023b7a69b9328e1f9"
+    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
    "us-east-2"      = "ami-04dd0542609808c50"
    "us-west-1"      = "ami-07af5f877b3db9f73"
    "us-west-2"      = "ami-0d0d8694ba492c02b"
  }
 }
-# cloud-init configuration
+## cloud-init configuration ##
 variable "timezone" {
  default = "UTC"
 }
@ -61,20 +64,30 @@ variable "timezone" {
 variable "linux_password" {
  #default = "LiNuXuSeRPaSs#"
  description = "Set a password for the default user"
  validation {
    condition     = length(var.linux_password) > 0
    error_message = "Please specify a password for the default user."
  }
 }
-# These will go in the generated tpot.conf file
+## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
-  default = "STANDARD"
+  default     = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]"
+  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
 }
 variable "web_user" {
-  default = "webuser"
+  default     = "webuser"
  description = "Set a username for the web user"
 }
 variable "web_password" {
  #default = "w3b$ecret"
  description = "Set a password for the web user"
  validation {
    condition     = length(var.web_password) > 0
    error_message = "Please specify a password for the web user."
  }
 }
--- a/cloud/terraform/aws/versions.tf
+++ b/cloud/terraform/aws/versions.tf
@ -1,3 +1,9 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.26.0"
    }
  }
 }
--- a/cloud/terraform/aws_multi_region/_provider.tf
+++ b/cloud/terraform/aws_multi_region/_provider.tf
@ -0,0 +1,9 @@
 provider "aws" {
  alias  = "eu-west-2"
  region = "eu-west-2"
 }
 provider "aws" {
  alias  = "us-west-1"
  region = "us-west-1"
 }
--- a/cloud/terraform/aws_multi_region/main.tf
+++ b/cloud/terraform/aws_multi_region/main.tf
@ -0,0 +1,27 @@
 module "eu-west-2" {
  source = "./modules/multi-region"
  ec2_vpc_id = "vpc-xxxxxxxx"
  ec2_subnet_id = "subnet-xxxxxxxx"
  ec2_region = "eu-west-2"
  tpot_name = "T-Pot Honeypot"
  linux_password = var.linux_password
  web_password = var.web_password
  providers = {
    aws = aws.eu-west-2
  }
 }
 module "us-west-1" {
  source = "./modules/multi-region"
  ec2_vpc_id = "vpc-xxxxxxxx"
  ec2_subnet_id = "subnet-xxxxxxxx"
  ec2_region = "us-west-1"
  tpot_name = "T-Pot Honeypot"
  linux_password = var.linux_password
  web_password = var.web_password
  providers = {
    aws = aws.us-west-1
  }
 }
--- a/cloud/terraform/aws_multi_region/modules/multi-region/main.tf
+++ b/cloud/terraform/aws_multi_region/modules/multi-region/main.tf
@ -0,0 +1,69 @@
 variable "ec2_vpc_id" {}
 variable "ec2_subnet_id" {}
 variable "ec2_region" {}
 variable "linux_password" {}
 variable "web_password" {}
 variable "tpot_name" {}
 resource "aws_security_group" "tpot" {
  name        = "T-Pot"
  description = "T-Pot Honeypot"
  vpc_id      = var.ec2_vpc_id
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 0
    to_port     = 64000
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 64294
    to_port     = 64294
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  ingress {
    from_port   = 64295
    to_port     = 64295
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  ingress {
    from_port   = 64297
    to_port     = 64297
    protocol    = "tcp"
    cidr_blocks = var.admin_ip
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "T-Pot"
  }
 }
 resource "aws_instance" "tpot" {
  ami           = var.ec2_ami[var.ec2_region]
  instance_type = var.ec2_instance_type
  key_name      = var.ec2_ssh_key_name
  subnet_id     = var.ec2_subnet_id
  tags = {
    Name = var.tpot_name
  }
  root_block_device {
    volume_type           = "gp2"
    volume_size           = 128
    delete_on_termination = true
  }
  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
  vpc_security_group_ids      = [aws_security_group.tpot.id]
  associate_public_ip_address = true
 }
--- a/cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf
+++ b/cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf
@ -0,0 +1,12 @@
 output "Admin_UI" {
  value = "https://${aws_instance.tpot.public_dns}:64294/"
 }
 output "SSH_Access" {
  value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
 }
 output "Web_UI" {
  value = "https://${aws_instance.tpot.public_dns}:64297/"
 }
--- a/cloud/terraform/aws_multi_region/modules/multi-region/variables.tf
+++ b/cloud/terraform/aws_multi_region/modules/multi-region/variables.tf
@ -0,0 +1,57 @@
 variable "admin_ip" {
  default     = ["127.0.0.1/32"]
  description = "admin IP addresses in CIDR format"
 }
 variable "ec2_ssh_key_name" {
  default = "default"
 }
 # https://aws.amazon.com/ec2/instance-types/
 variable "ec2_instance_type" {
  default = "t3.xlarge"
 }
 # Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
 variable "ec2_ami" {
  type = map(string)
  default = {
    "af-south-1"     = "ami-0c372f041acae6d49"
    "ap-east-1"      = "ami-079b8d011d4655385"
    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
    "ap-south-1"     = "ami-020d429f17c9f1d0a"
    "ap-southeast-1" = "ami-09625a221230d9fe6"
    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
    "ca-central-1"   = "ami-09125623b02302014"
    "eu-central-1"   = "ami-00c36c60f07e21791"
    "eu-north-1"     = "ami-052bea934e2d9dbfe"
    "eu-south-1"     = "ami-04e2bb16d37324719"
    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
    "eu-west-2"      = "ami-02ed1bc837487d535"
    "eu-west-3"      = "ami-080efd2add7e29430"
    "me-south-1"     = "ami-0dbde382c834c4a72"
    "sa-east-1"      = "ami-0a0792814cb068077"
    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
    "us-east-2"      = "ami-04dd0542609808c50"
    "us-west-1"      = "ami-07af5f877b3db9f73"
    "us-west-2"      = "ami-0d0d8694ba492c02b"
  }
 }
 ## cloud-init configuration ##
 variable "timezone" {
  default = "UTC"
 }
 ## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
  default     = "STANDARD"
  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
 }
 variable "web_user" {
  default     = "webuser"
  description = "Set a username for the web user"
 }
--- a/cloud/terraform/aws_multi_region/modules/multi-region/versions.tf
+++ b/cloud/terraform/aws_multi_region/modules/multi-region/versions.tf
@ -0,0 +1,9 @@
 terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.72.0"
    }
  }
 }
--- a/cloud/terraform/aws_multi_region/outputs.tf
+++ b/cloud/terraform/aws_multi_region/outputs.tf
@ -0,0 +1,7 @@
 output "eu-west-2_Web_UI" {
  value = module.eu-west-2.Web_UI
 }
 output "us-west-1_Web_UI" {
  value = module.us-west-1.Web_UI
 }
--- a/cloud/terraform/aws_multi_region/variables.tf
+++ b/cloud/terraform/aws_multi_region/variables.tf
@ -0,0 +1,19 @@
 variable "linux_password" {
  #default = "LiNuXuSeRP4Ss!"
  description = "Set a password for the default user"
  validation {
    condition     = length(var.linux_password) > 0
    error_message = "Please specify a password for the default user."
  }
 }
 variable "web_password" {
  #default = "w3b$ecret20"
  description = "Set a password for the web user"
  validation {
    condition     = length(var.web_password) > 0
    error_message = "Please specify a password for the web user."
  }
 }
--- a/cloud/terraform/cloud-init.yaml
+++ b/cloud/terraform/cloud-init.yaml
@ -5,7 +5,8 @@ packages:
  - git
 runcmd:
-  - git clone https://github.com/dtag-dev-sec/tpotce /root/tpot
+  - curl -sS --retry 5 https://github.com
  - git clone https://github.com/telekom-security/tpotce /root/tpot
  - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
  - rm /root/tpot.conf
  - /sbin/shutdown -r now
--- a/cloud/terraform/otc/.terraform.lock.hcl
+++ b/cloud/terraform/otc/.terraform.lock.hcl
@ -0,0 +1,38 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/random" {
  version     = "3.1.0"
  constraints = "~> 3.1.0"
  hashes = [
    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
  ]
 }
 provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
  version     = "1.23.6"
  constraints = "~> 1.23.4"
  hashes = [
    "h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
    "zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
    "zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
    "zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
    "zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
    "zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
    "zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
    "zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
    "zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
    "zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
  ]
 }
--- a/cloud/terraform/otc/clouds.yaml
+++ b/cloud/terraform/otc/clouds.yaml
@ -1,5 +1,6 @@
 clouds:
  open-telekom-cloud:
    region_name: eu-de
    auth:
      project_name: eu-de_your_project
      username: your_api_user
--- a/cloud/terraform/otc/main.tf
+++ b/cloud/terraform/otc/main.tf
@ -1,3 +1,7 @@
 data "opentelekomcloud_images_image_v2" "debian" {
  name = "Standard_Debian_10_latest"
 }
 resource "opentelekomcloud_networking_secgroup_v2" "secgroup_1" {
  name        = var.secgroup_name
  description = var.secgroup_desc
@ -10,24 +14,18 @@ resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
  security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
 }
-resource "opentelekomcloud_networking_network_v2" "network_1" {
+resource "opentelekomcloud_vpc_v1" "vpc_1" {
-  name = var.network_name
+  name = var.vpc_name
  cidr = var.vpc_cidr
 }
-resource "opentelekomcloud_networking_subnet_v2" "subnet_1" {
+resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
-  name            = var.subnet_name
+  name   = var.subnet_name
-  network_id      = opentelekomcloud_networking_network_v2.network_1.id
+  cidr   = var.subnet_cidr
-  cidr            = "192.168.0.0/24"
+  vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
  dns_nameservers = ["1.1.1.1", "8.8.8.8"]
 }
-resource "opentelekomcloud_networking_router_v2" "router_1" {
+  gateway_ip = var.subnet_gateway_ip
-  name = var.router_name
+  dns_list   = ["100.125.4.25", "100.125.129.199"]
 }
 resource "opentelekomcloud_networking_router_interface_v2" "router_interface_1" {
  router_id = opentelekomcloud_networking_router_v2.router_1.id
  subnet_id = opentelekomcloud_networking_subnet_v2.subnet_1.id
 }
 resource "random_id" "tpot" {
@ -35,33 +33,36 @@ resource "random_id" "tpot" {
  prefix      = var.ecs_prefix
 }
-resource "opentelekomcloud_compute_instance_v2" "ecs_1" {
+resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
-  availability_zone = var.availabiliy_zone
+  name     = random_id.tpot.b64_url
-  name              = random_id.tpot.b64
+  image_id = data.opentelekomcloud_images_image_v2.debian.id
-  flavor_name       = var.flavor
+  flavor   = var.ecs_flavor
-  key_pair          = var.key_pair
+  vpc_id   = opentelekomcloud_vpc_v1.vpc_1.id
  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.name]
  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
-  network {
+  nics {
-    name = opentelekomcloud_networking_network_v2.network_1.name
+    network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
  }
-  block_device {
+  system_disk_size  = var.ecs_disk_size
-    uuid                  = var.image_id
+  system_disk_type  = "SAS"
-    source_type           = "image"
+  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
-    volume_size           = var.volume_size
+  availability_zone = var.availability_zone
-    destination_type      = "volume"
+  key_name          = var.key_pair
-    delete_on_termination = "true"
+  user_data         = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
 }
 resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
  publicip {
    type = "5_bgp"
  }
  bandwidth {
    name       = "bandwidth-${random_id.tpot.b64_url}"
    size       = var.eip_size
    share_type = "PER"
  }
  depends_on = [opentelekomcloud_networking_router_interface_v2.router_interface_1]
 }
-resource "opentelekomcloud_networking_floatingip_v2" "floatip_1" {
+resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
-}
+  floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
-
+  instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
 resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_2" {
  floating_ip = opentelekomcloud_networking_floatingip_v2.floatip_1.address
  instance_id = opentelekomcloud_compute_instance_v2.ecs_1.id
 }
--- a/cloud/terraform/otc/outputs.tf
+++ b/cloud/terraform/otc/outputs.tf
@ -1,11 +1,11 @@
 output "Admin_UI" {
-  value = "https://${opentelekomcloud_networking_floatingip_v2.floatip_1.address}:64294"
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
 }
 output "SSH_Access" {
-  value = "ssh -p 64295 linux@${opentelekomcloud_networking_floatingip_v2.floatip_1.address}"
+  value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
 }
 output "Web_UI" {
-  value = "https://${opentelekomcloud_networking_floatingip_v2.floatip_1.address}:64297"
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
 }
--- a/cloud/terraform/otc/provider.tf
+++ b/cloud/terraform/otc/provider.tf
@ -1,3 +1,3 @@
 provider "opentelekomcloud" {
-    cloud = "open-telekom-cloud"
+  cloud = "open-telekom-cloud"
 }
--- a/cloud/terraform/otc/variables.tf
+++ b/cloud/terraform/otc/variables.tf
@ -1,4 +1,4 @@
-# cloud-init configuration
+## cloud-init configuration ##
 variable "timezone" {
  default = "UTC"
 }
@ -6,71 +6,93 @@ variable "timezone" {
 variable "linux_password" {
  #default = "LiNuXuSeRPaSs#"
  description = "Set a password for the default user"
  validation {
    condition     = length(var.linux_password) > 0
    error_message = "Please specify a password for the default user."
  }
 }
-# Cloud resources name configuration
+## Security Group ##
 variable "secgroup_name" {
-  default = "tpot-secgroup"
+  default = "sg-tpot"
 }
 variable "secgroup_desc" {
-  default = "T-Pot Security Group"
+  default = "Security Group for T-Pot"
 }
-variable "network_name" {
+## Virtual Private Cloud ##
-  default = "tpot-network"
+variable "vpc_name" {
  default = "vpc-tpot"
 }
 variable "vpc_cidr" {
  default = "192.168.0.0/16"
 }
 ## Subnet ##
 variable "subnet_name" {
-  default = "tpot-subnet"
+  default = "subnet-tpot"
 }
-variable "router_name" {
+variable "subnet_cidr" {
-  default = "tpot-router"
+  default = "192.168.0.0/24"
 }
 variable "subnet_gateway_ip" {
  default = "192.168.0.1"
 }
 ## Elastic Cloud Server ##
 variable "ecs_prefix" {
  default = "tpot-"
 }
-# ECS configuration
+variable "ecs_flavor" {
-variable "availabiliy_zone" {
+  default = "s3.medium.8"
  default = "eu-de-03"
  description = "Select an availability zone"
 }
-variable "flavor" {
+variable "ecs_disk_size" {
-  default = "s2.medium.8"
+  default = "128"
-  description = "Select a compute flavor"
+}
 variable "availability_zone" {
  default = "eu-de-03"
 }
 variable "key_pair" {
  #default = ""
  description = "Specify your SSH key pair"
  validation {
    condition     = length(var.key_pair) > 0
    error_message = "Please specify a Key Pair."
  }
 }
-variable "image_id" {
+## Elastic IP ##
-  default = "d97dd29c-9318-4e4c-8d3a-7307d1513b77"
+variable "eip_size" {
-  description = "Select a Debian 10 base image id"
+  default = "100"
 }
-variable "volume_size" {
+## These will go in the generated tpot.conf file ##
  default = "128"
  description = "Set the volume size"
 }
 # These will go in the generated tpot.conf file
 variable "tpot_flavor" {
-  default = "STANDARD"
+  default     = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]"
+  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
 }
 variable "web_user" {
-  default = "webuser"
+  default     = "webuser"
  description = "Set a username for the web user"
 }
 variable "web_password" {
  #default = "w3b$ecret"
  description = "Set a password for the web user"
  validation {
    condition     = length(var.web_password) > 0
    error_message = "Please specify a password for the web user."
  }
 }
--- a/cloud/terraform/otc/versions.tf
+++ b/cloud/terraform/otc/versions.tf
@ -1,3 +1,13 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
  required_providers {
    opentelekomcloud = {
      source  = "opentelekomcloud/opentelekomcloud"
      version = "~> 1.23.4"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.1.0"
    }
  }
 }
--- a/doc/architecture.png
+++ b/doc/architecture.png
--- a/doc/attackmap.png
+++ b/doc/attackmap.png
--- a/doc/cockpit1.png
+++ b/doc/cockpit1.png
--- a/doc/cockpit2.png
+++ b/doc/cockpit2.png
--- a/doc/cockpit3.png
+++ b/doc/cockpit3.png
--- a/doc/cockpit_a.png
+++ b/doc/cockpit_a.png
--- a/doc/cockpit_b.png
+++ b/doc/cockpit_b.png
--- a/doc/cyberchef.png
+++ b/doc/cyberchef.png
--- a/doc/dashboard.png
+++ b/doc/dashboard.png
--- a/doc/dockerui.png
+++ b/doc/dockerui.png
--- a/doc/elasticvue.png
+++ b/doc/elasticvue.png
--- a/doc/headplugin.png
+++ b/doc/headplugin.png
--- a/doc/heimdall.png
+++ b/doc/heimdall.png
--- a/doc/kibana.png
+++ b/doc/kibana.png
--- a/doc/kibana_a.png
+++ b/doc/kibana_a.png
--- a/doc/kibana_b.png
+++ b/doc/kibana_b.png
--- a/doc/kibana_c.png
+++ b/doc/kibana_c.png
--- a/doc/netdata.png
+++ b/doc/netdata.png
--- a/doc/spiderfoot.png
+++ b/doc/spiderfoot.png
--- a/doc/tpotwebui.png
+++ b/doc/tpotwebui.png
--- a/doc/webssh.png
+++ b/doc/webssh.png
--- a/docker/adbhoney/Dockerfile
+++ b/docker/adbhoney/Dockerfile
@ -1,19 +1,19 @@
-FROM alpine:latest 
+FROM alpine:3.15
 #
 # Include dist
-ADD dist/ /root/dist/
+COPY dist/ /root/dist/
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk --no-cache -U add \
    apk -U add \
            git \
-            libcap \
+	    procps \
-	    py3-pip \
+            python3 && \
            python3 \
            python3-dev && \
 #
 # Install adbhoney from git
-    git clone --depth=1 https://github.com/huuck/ADBHoney /opt/adbhoney && \
+    git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
    cd /opt/adbhoney && \
 #    git checkout ad7c17e78d01f6860d58ba826a4b6a4e4f83acbd && \
    git checkout 2417a7a982f4fd527b3a048048df9a23178767ad && \
    cp /root/dist/adbhoney.cfg /opt/adbhoney && \
    sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
    sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
@ -22,16 +22,15 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    addgroup -g 2000 adbhoney && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
    chown -R adbhoney:adbhoney /opt/adbhoney && \
    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
 #
 # Clean up
-    apk del --purge git \
+    apk del --purge git && \
-                    python3-dev && \
+    rm -rf /root/* /opt/adbhoney/.git /var/cache/apk/*
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
 # Set workdir and start adbhoney
 STOPSIGNAL SIGINT
 # Adbhoney sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
 HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
 USER adbhoney:adbhoney
 WORKDIR /opt/adbhoney/
-CMD nohup /usr/bin/python3 run.py
+CMD /usr/bin/python3 run.py
--- a/docker/adbhoney/docker-compose.yml
+++ b/docker/adbhoney/docker-compose.yml
@ -10,11 +10,13 @@ services:
    build: .
    container_name: adbhoney
    restart: always
    #    cpu_count: 1
    #    cpus: 0.25
    networks:
     - adbhoney_local
    ports:
     - "5555:5555"
-    image: "dtagdevsec/adbhoney:2006"
+    image: "dtagdevsec/adbhoney:2204"
    read_only: true
    volumes:
     - /data/adbhoney/log:/opt/adbhoney/log
--- a/docker/builder.sh
+++ b/docker/builder.sh
@ -0,0 +1,79 @@
 #!/bin/bash
 # Setup Vars
 myPLATFORMS="linux/amd64,linux/arm64"
 myHUBORG="dtagdevsec"
 myTAG="2204"
 myIMAGESBASE="adbhoney ciscoasa citrixhoneypot conpot cowrie ddospot dicompot dionaea elasticpot endlessh ewsposter fatt glutton hellpot heralding honeypots honeytrap ipphoney log4pot mailoney medpot nginx p0f redishoneypot sentrypeer spiderfoot suricata wordpot"
 myIMAGESELK="elasticsearch kibana logstash map"
 myIMAGESTANNER="phpox redis snare tanner"
 myBUILDERLOG="builder.log"
 myBUILDERERR="builder.err"
 myBUILDCACHE="/buildcache"
 # Got root?
 myWHOAMI=$(whoami)
 if [ "$myWHOAMI" != "root" ]
  then
    echo "Need to run as root ..."
    exit
 fi
 # Check for Buildx
 docker buildx > /dev/null 2>&1 
 if [ "$?" == "1" ];
  then
    echo "### Build environment not setup. Run bin/setup_builder.sh"
 fi
 # Only run with command switch
 if [ "$1" == "" ]; then
  echo "### T-Pot Multi Arch Image Builder."
  echo "## Usage: builder.sh [build, push]"
  echo "## build - Just build images, do not push."
  echo "## push - Build and push images."
  echo "## Pushing requires an active docker login."
  exit
 fi
 fuBUILDIMAGES () {
 local myPATH="$1"
 local myIMAGELIST="$2"
 local myPUSHOPTION="$3"
 for myREPONAME in $myIMAGELIST;
  do
    echo -n "Now building: $myREPONAME in $myPATH$myREPONAME/."
    docker buildx build --cache-from "type=local,src=$myBUILDCACHE" --cache-to "type=local,dest=$myBUILDCACHE" --platform $myPLATFORMS -t $myHUBORG/$myREPONAME:$myTAG $myPUSHOPTION $myPATH$myREPONAME/. >> $myBUILDERLOG 2>&1
    if [ "$?" != "0" ];
      then
 	echo " [ ERROR ] - Check logs!"
 	echo "Error building $myREPONAME" >> "$myBUILDERERR"
      else
 	echo " [ OK ]"
    fi
 done
 }
 # Just build images
 if [ "$1" == "build" ];
  then
    mkdir -p $myBUILDCACHE
    rm -f "$myBUILDERLOG" "$myBUILDERERR" 
    echo "### Building images ..."
    fuBUILDIMAGES "" "$myIMAGESBASE" ""
    fuBUILDIMAGES "elk/" "$myIMAGESELK" ""
    fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" ""
 fi
 # Build and push images
 if [ "$1" == "push" ];
  then
    mkdir -p $myBUILDCACHE
    rm -f "$myBUILDERLOG" "$myBUILDERERR" 
    echo "### Building and pushing images ..."
    fuBUILDIMAGES "" "$myIMAGESBASE" "--push"
    fuBUILDIMAGES "elk/" "$myIMAGESELK" "--push"
    fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" "--push"
 fi
--- a/docker/ciscoasa/Dockerfile
+++ b/docker/ciscoasa/Dockerfile
@ -1,17 +1,17 @@
-FROM alpine:latest
+FROM alpine:3.15
 #
 # Include dist
-ADD dist/ /root/dist/
+COPY dist/ /root/dist/
 #
 # Setup env and apt
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk --no-cache -U upgrade && \
-    apk -U upgrade && \
+    apk --no-cache add build-base \
    apk add build-base \
            git \
            libffi \
            libffi-dev \
            openssl \
            openssl-dev \
 	    py3-cryptography \
 	    py3-pip \
            python3 \
            python3-dev && \
@ -23,8 +23,10 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Get and install packages
    mkdir -p /opt/ && \
    cd /opt/ && \
-    git clone --depth=1 https://github.com/cymmetria/ciscoasa_honeypot && \
+    git clone https://github.com/cymmetria/ciscoasa_honeypot && \
    cd ciscoasa_honeypot && \
    git checkout d6e91f1aab7fe6fc01fabf2046e76b68dd6dc9e2 && \
    sed -i "s/git+git/git+https/g" requirements.txt && \
    pip3 install --no-cache-dir -r requirements.txt && \
    cp /root/dist/asa_server.py /opt/ciscoasa_honeypot && \
    chown -R ciscoasa:ciscoasa /opt/ciscoasa_honeypot && \
@ -36,6 +38,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
                    openssl-dev \
                    python3-dev && \
    rm -rf /root/* && \
    rm -rf /opt/ciscoasa_honeypot/.git && \
    rm -rf /var/cache/apk/*
 #
 # Start ciscoasa
--- a/docker/ciscoasa/docker-compose.yml
+++ b/docker/ciscoasa/docker-compose.yml
@ -9,11 +9,14 @@ services:
    restart: always
    tmpfs:
     - /tmp/ciscoasa:uid=2000,gid=2000
-    network_mode: "host"
+#    cpu_count: 1
 #    cpus: 0.25
    networks:
     - ciscoasa_local
    ports:
     - "5000:5000/udp"
     - "8443:8443"
-    image: "dtagdevsec/ciscoasa:2006"
+    image: "dtagdevsec/ciscoasa:2204"
    read_only: true
    volumes:
     - /data/ciscoasa/log:/var/log/ciscoasa
--- a/docker/citrixhoneypot/Dockerfile
+++ b/docker/citrixhoneypot/Dockerfile
@ -1,21 +1,19 @@
-FROM alpine:latest
+FROM alpine:3.15
 #
 # Install packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk --no-cache -U add \
    apk -U add \
            git \
            libcap \
 	    openssl \
-	    py3-pip \
+            py3-pip \
-            python3 \
+            python3 && \
            python3-dev && \
 #
    pip3 install --no-cache-dir python-json-logger && \
 #
 # Install CitrixHoneypot from GitHub
-#    git clone --depth=1 https://github.com/malwaretech/citrixhoneypot /opt/citrixhoneypot && \
+    git clone https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
-#    git clone --depth=1 https://github.com/vorband/CitrixHoneypot /opt/citrixhoneypot && \
+    cd /opt/citrixhoneypot && \
-    git clone --depth=1 https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
+    git checkout f59ad7320dc5bbb8c23c8baa5f111b52c52fbef3 && \
 #
 # Setup user, groups and configs
    mkdir -p /opt/citrixhoneypot/logs /opt/citrixhoneypot/ssl && \
@ -30,13 +28,13 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    addgroup -g 2000 citrixhoneypot && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 citrixhoneypot && \
    chown -R citrixhoneypot:citrixhoneypot /opt/citrixhoneypot && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Clean up
    apk del --purge git \
-                    openssl \
+                    openssl && \
                    python3-dev && \
    rm -rf /root/* && \
    rm -rf /opt/citrixhoneypot/.git && \
    rm -rf /var/cache/apk/*
 #
 # Set workdir and start citrixhoneypot
--- a/docker/citrixhoneypot/docker-compose.yml
+++ b/docker/citrixhoneypot/docker-compose.yml
@ -10,11 +10,13 @@ services:
    build: .
    container_name: citrixhoneypot
    restart: always
 #    cpu_count: 1
 #    cpus: 0.25
    networks:
     - citrixhoneypot_local
    ports:
     - "443:443"
-    image: "dtagdevsec/citrixhoneypot:2006"
+    image: "dtagdevsec/citrixhoneypot:2204"
    read_only: true
    volumes:
     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
--- a/docker/conpot/Dockerfile
+++ b/docker/conpot/Dockerfile
@ -1,12 +1,12 @@
-FROM alpine:latest
+FROM alpine:3.15
 #
 # Include dist
-ADD dist/ /root/dist/
+COPY dist/ /root/dist/
 #
 # Setup apt
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk --no-cache -U add \
    apk -U add \
             build-base \
 	     cython \
             file \
             git \
             libev \
@ -17,19 +17,36 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
             libxslt-dev \
             mariadb-dev \
             pkgconfig \
-	     py3-pip \
+	     procps \
             python3 \
             python3-dev \
-             py-cffi \
+	     py3-cffi \
-             py-cryptography \
+	     py3-cryptography \
-             tcpdump \
+	     py3-freezegun \
 	     py3-gevent \
 	     py3-lxml \
 	     py3-natsort \
 	     py3-pip \
 	     py3-ply \
 	     py3-psutil \
 	     py3-pycryptodomex \
 	     py3-pytest \
 	     py3-requests \
             py3-pyserial \
 	     py3-setuptools \
 	     py3-slugify \
 	     py3-snmp \
 	     py3-sphinx \
 	     py3-wheel \
 	     py3-zope-event \
 	     py3-zope-interface \
             wget && \
 #
 # Setup ConPot
-    git clone --depth=1 https://github.com/mushorg/conpot /opt/conpot && \
+    git clone https://github.com/mushorg/conpot /opt/conpot && \
    cd /opt/conpot/ && \
-    # Patch to accept ENV for MIB path
+    git checkout b3740505fd26d82473c0d7be405b372fa0f82575 && \
-    sed -i "s/tmp_mib_dir = tempfile.mkdtemp()/tmp_mib_dir = tempfile.mkdtemp(dir=os.environ['CONPOT_TMP'])/" /opt/conpot/conpot/protocols/snmp/snmp_server.py && \
+    #git checkout 1c2382ea290b611fdc6a0a5f9572c7504bcb616e && \
    # Change template default ports if <1024
    sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \
    sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \
@ -40,17 +57,18 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    sed -i 's/port="6969"/port="69"/' /opt/conpot/conpot/templates/default/tftp/tftp.xml && \
    sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/IEC104/snmp/snmp.xml && \
    sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/ipmi/ipmi/ipmi.xml && \
-    pip3 install --no-cache-dir -U setuptools && \
+    cp /root/dist/requirements.txt . && \
    pip3 install --no-cache-dir --upgrade pip && \
    pip3 install --no-cache-dir . && \
    cd / && \
    rm -rf /opt/conpot /tmp/* /var/tmp/* && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Get wireshark manuf db for scapy, setup configs, user, groups
    mkdir -p /etc/conpot /var/log/conpot /usr/share/wireshark && \
    wget https://github.com/wireshark/wireshark/raw/master/manuf -o /usr/share/wireshark/manuf && \
    cp /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \
-    cp -R /root/dist/templates /usr/lib/python3.8/site-packages/conpot/ && \
+    cp -R /root/dist/templates /usr/lib/python3.9/site-packages/conpot/ && \
    addgroup -g 2000 conpot && \
    adduser -S -s /bin/ash -u 2000 -D -g 2000 conpot && \
 #
@ -66,7 +84,6 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
            mariadb-dev \
            pkgconfig \
            python3-dev \
            py-cffi \
            wget && \
    rm -rf /root/* && \
    rm -rf /tmp/* && \
@ -74,5 +91,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 #
 # Start conpot
 STOPSIGNAL SIGINT
 # Conpot sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
 HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
 USER conpot:conpot
-CMD exec /usr/bin/conpot --temp_dir $CONPOT_TMP --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG
+CMD exec /usr/bin/conpot --mibcache $CONPOT_TMP --temp_dir $CONPOT_TMP --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG
--- a/docker/conpot/dist/command_responder.py
+++ b/docker/conpot/dist/command_responder.py
--- a/docker/conpot/dist/conpot.cfg
+++ b/docker/conpot/dist/conpot.cfg
@ -3,7 +3,7 @@ sensorid = conpot
 [virtual_file_system]
 data_fs_url = %(CONPOT_TMP)s
-fs_url = tar:///usr/lib/python3.8/site-packages/conpot/data.tar
+fs_url = tar:///usr/lib/python3.9/site-packages/conpot/data.tar
 [session]
 timeout = 30
--- a/docker/conpot/dist/requirements.txt
+++ b/docker/conpot/dist/requirements.txt
@ -0,0 +1,20 @@
 pysnmp-mibs
 pysmi
 libtaxii>=1.1.0
 crc16
 scapy==2.4.3rc1
 hpfeeds3
 modbus-tk
 stix-validator
 stix
 cybox
 bacpypes==0.17.0
 pyghmi==1.4.1
 mixbox
 modbus-tk
 cpppo
 fs==2.3.0
 tftpy
 # some freezegun versions broken
 pycrypto
 sphinx_rtd_theme
--- a/docker/conpot/dist/templates/IEC104/template.xml
+++ b/docker/conpot/dist/templates/IEC104/template.xml
@ -70,7 +70,7 @@
                <value type="value">100000000</value>
            </key>
            <key name="ifPhysAddress">
-                <value type="value">"\x00\x0e\x8c\x29\xc5\x1a"</value>
+                <value type="value">"0x000e8c29c51a"</value>
            </key>
            <key name="ifAdminStatus">
                <value type="value">1</value>
@ -91,19 +91,19 @@
                <value type="value">1</value>
            </key>
            <key name="ifInOctets">
-                <value type="value">1618895</value>
+                <value type="function">conpot.emulators.misc.sysinfo.BytesRecv</value>		    
            </key>
            <key name="ifInUcastPkts">
-                <value type="value">7018</value>
+                <value type="function">conpot.emulators.misc.sysinfo.PacketsRecv</value> 
            </key>
            <key name="ifInNUcastPkts">
                <value type="value">291</value>
            </key>
            <key name="ifOutOctets">
-                <value type="value">455107</value>
+                <value type="function">conpot.emulators.misc.sysinfo.BytesSent</value>
            </key>
            <key name="ifOutUcastPkts">
-                <value type="value">872264</value>
+                <value type="function">conpot.emulators.misc.sysinfo.PacketsSent</value> 
            </key>
            <key name="ifOutUNcastPkts">
                <value type="value">143</value>
@ -168,7 +168,7 @@
                <value type="value">0</value>
            </key>
            <key name="ipAdEntAddr">
-                <value type="value">"217.172.190.137"</value>
+                <value type="function">conpot.emulators.misc.sysinfo.LocalIP</value>
            </key>
            <key name="ipAdEntIfIndex">
                <value type="value">1</value>
@ -290,7 +290,7 @@
                <value type="value">45</value>
            </key>
            <key name="tcpCurrEstab">
-                <value type="value">0</value>
+                <value type="function">conpot.emulators.misc.sysinfo.TcpCurrEstab</value>
            </key>
            <key name="tcpInSegs">
                <value type="value">30321</value>
@ -305,7 +305,7 @@
                <value type="value">2</value>
            </key>
            <key name="tcpConnLocalAddress">
-                <value type="value">"217.172.190.137"</value>
+                <value type="function">conpot.emulators.misc.sysinfo.LocalIP</value>
            </key>
            <key name="tcpConnLocalPort">
                <value type="value">2404</value>
@ -336,7 +336,7 @@
                <value type="value">47</value>
            </key>
            <key name="udpLocalAddress">
-                <value type="value">"217.172.190.137"</value>
+                <value type="value">"163.172.189.137"</value>
            </key>
            <key name="udpLocalPort">
                <value type="value">161</value>
@ -347,6 +347,10 @@
            <!-- IEC104 Protocol parameter -->
            <!-- Common (Object) Address, aka COA, Station Address -->
            <key name="CommonAddress">
                <value type="value">"0x1e28"</value>
            </key>
            <!-- Timeout of connection establishment -->
            <key name="T_0">
                <value type="value">30</value>
--- a/docker/conpot/dist/templates/kamstrup_382/template.xml
+++ b/docker/conpot/dist/templates/kamstrup_382/template.xml
@ -11,7 +11,7 @@
        <!-- Core value that can be retrieved from the databus by key -->
        <key_value_mappings>
            <key name="power_simulator">
-                <value type="function">conpot.protocols.kamstrup.usage_simulator.UsageSimulator</value>
+                <value type="function">conpot.emulators.kamstrup.usage_simulator.UsageSimulator</value>
            </key>
            <key name="register_1024">
                <value type="value">0</value>
--- a/docker/conpot/docker-compose.yml
+++ b/docker/conpot/docker-compose.yml
@ -23,26 +23,27 @@ services:
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
 #    cpu_count: 1
 #    cpus: 0.25    
    networks:
     - conpot_local_default
    ports:
-#    - "69:69"        
+#    - "69:69/udp"        
     - "80:80"
     - "102:102"
-     - "161:161"
+     - "161:161/udp"
     - "502:502"
-#     - "623:623"
+#     - "623:623/udp"
     - "2121:21"
     - "44818:44818"
-     - "47808:47808"
+     - "47808:47808/udp"
-    image: "dtagdevsec/conpot:2006"
+    image: "dtagdevsec/conpot:2204"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
 # Conpot IEC104 service
  conpot_IEC104:
    build: .
    container_name: conpot_IEC104
    restart: always
    environment:
@ -53,19 +54,20 @@ services:
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
 #    cpu_count: 1
 #    cpus: 0.25
    networks:
     - conpot_local_IEC104
    ports:
-#     - "161:161"
+#     - "161:161/udp"
     - "2404:2404"
-    image: "dtagdevsec/conpot:2006"
+    image: "dtagdevsec/conpot:2204"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
 # Conpot guardian_ast service
  conpot_guardian_ast:
    build: .
    container_name: conpot_guardian_ast
    restart: always
    environment:
@ -76,18 +78,19 @@ services:
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
 #    cpu_count: 1
 #    cpus: 0.25
    networks:
     - conpot_local_guardian_ast
    ports:
     - "10001:10001"
-    image: "dtagdevsec/conpot:2006"
+    image: "dtagdevsec/conpot:2204"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
 # Conpot ipmi
  conpot_ipmi:
    build: .
    container_name: conpot_ipmi
    restart: always
    environment:
@ -98,18 +101,19 @@ services:
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
 #    cpu_count: 1
 #    cpus: 0.25
    networks:
     - conpot_local_ipmi
    ports:
-     - "623:623"
+     - "623:623/udp"
-    image: "dtagdevsec/conpot:2006"
+    image: "dtagdevsec/conpot:2204"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
 # Conpot kamstrup_382
  conpot_kamstrup_382:
    build: .
    container_name: conpot_kamstrup_382
    restart: always
    environment:
@ -120,12 +124,14 @@ services:
     - CONPOT_TMP=/tmp/conpot
    tmpfs:
     - /tmp/conpot:uid=2000,gid=2000
 #    cpu_count: 1
 #    cpus: 0.25
    networks:
     - conpot_local_kamstrup_382
    ports:
     - "1025:1025"
     - "50100:50100"
-    image: "dtagdevsec/conpot:2006"
+    image: "dtagdevsec/conpot:2204"
    read_only: true
    volumes:
     - /data/conpot/log:/var/log/conpot
--- a/docker/cowrie/Dockerfile
+++ b/docker/cowrie/Dockerfile
@ -1,28 +1,37 @@
-FROM alpine:latest
+FROM alpine:3.15
 #
 # Include dist
-ADD dist/ /root/dist/
+COPY dist/ /root/dist/
 #
 # Get and install dependencies & packages
-RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk --no-cache -U add \
-    apk -U add \
+             bash \
-                       bash \
+             build-base \
-                       build-base \
+             git \
-                       git \
+             gmp-dev \
-                       gmp-dev \
+             libcap \
-                       libcap \
+             libffi-dev \
-                       libffi-dev \
+             mpc1-dev \
-                       mpc1-dev \
+             mpfr-dev \
-                       mpfr-dev \
+             openssl \
-                       openssl \
+             openssl-dev \
-                       openssl-dev \
+	     py3-appdirs \
-		       py3-pip \
+	     py3-asn1-modules \
-                       python3 \
+	     py3-attrs \
-                       python3-dev \
+	     py3-bcrypt \
-                       py3-bcrypt \
+	     py3-cryptography \
-		       py3-mysqlclient \
+	     py3-dateutil \
-                       py3-requests \
+	     py3-greenlet \
-                       py3-setuptools && \
+	     py3-mysqlclient \
 	     py3-openssl \
 	     py3-packaging \
 	     py3-parsing \
             py3-pip \
 	     py3-service_identity \
 	     py3-treq \
 	     py3-twisted \
             python3 \
             python3-dev && \
 #
 # Setup user
    addgroup -g 2000 cowrie && \
@ -31,10 +40,12 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 # Install cowrie
    mkdir -p /home/cowrie && \
    cd /home/cowrie && \
-    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.1.0 && \
+    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.3.0 && \
    cd cowrie && \
 #    git checkout 6b1e82915478292f1e77ed776866771772b48f2e && \
    mkdir -p log && \
    cp /root/dist/requirements.txt . && \
    pip3 install --upgrade pip && \
    pip3 install -r requirements.txt && \
 #
 # Setup configs
@ -63,6 +74,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    rm -rf /root/* /tmp/* && \
    rm -rf /var/cache/apk/* && \
    rm -rf /home/cowrie/cowrie/cowrie.pid && \
    rm -rf /home/cowrie/cowrie/.git && \
    unset PYTHON_DIR
 #
 # Start cowrie
--- a/docker/cowrie/dist/cowrie.cfg
+++ b/docker/cowrie/dist/cowrie.cfg
@ -36,6 +36,11 @@ rsa_public_key = etc/ssh_host_rsa_key.pub
 rsa_private_key = etc/ssh_host_rsa_key
 dsa_public_key = etc/ssh_host_dsa_key.pub
 dsa_private_key = etc/ssh_host_dsa_key
 ecdsa_public_key = etc/ssh_host_ecdsa_key.pub
 ecdsa_private_key = etc/ssh_host_ecdsa_key
 ed25519_public_key = etc/ssh_host_ed25519_key.pub
 ed25519_private_key = etc/ssh_host_ed25519_key
 public_key_auth = ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
 #version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
 version = SSH-2.0-OpenSSH_7.9p1
 ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc
--- a/docker/cowrie/dist/requirements.txt
+++ b/docker/cowrie/dist/requirements.txt
@ -1,13 +1,2 @@
-attrs==19.3.0
+configparser==5.2.0
-bcrypt==3.1.7
+tftpy==0.8.2
 configparser==4.0.2
 cryptography==2.9.2
 packaging==20.3
 pyasn1_modules==0.2.8
 pyopenssl==19.1.0
 pyparsing==2.4.7
 python-dateutil==2.8.1
 service_identity==18.1.0
 tftpy==0.8.0
 treq==20.4.1
 twisted==20.3.0
--- a/docker/cowrie/docker-compose.yml
+++ b/docker/cowrie/docker-compose.yml
@ -13,12 +13,14 @@ services:
    tmpfs:
     - /tmp/cowrie:uid=2000,gid=2000
     - /tmp/cowrie/data:uid=2000,gid=2000
 #    cpu_count: 1
 #    cpus: 0.25
    networks:
     - cowrie_local
    ports:
     - "22:22"
     - "23:23"
-    image: "dtagdevsec/cowrie:2006"
+    image: "dtagdevsec/cowrie:2204"
    read_only: true
    volumes:
     - /data/cowrie/downloads:/home/cowrie/cowrie/dl
--- a/docker/cyberchef/Dockerfile
+++ b/docker/cyberchef/Dockerfile
@ -1,37 +0,0 @@
 FROM alpine:3.10
 #
 # Get and install dependencies & packages
 RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
    apk -U --no-cache add \
            curl \
            git \
            npm \
            nodejs && \
    npm install -g grunt-cli && \
    npm install -g http-server && \
    npm install npm@latest -g && \
 #
 # Install CyberChef 
    cd /root && \
    git clone https://github.com/gchq/cyberchef --depth=1 && \
    chown -R nobody:nobody cyberchef && \
    cd cyberchef && \
    npm install && \
    grunt prod && \
    mkdir -p /opt/cyberchef && \
    mv build/prod/* /opt/cyberchef && \
    cd / && \
 #
 # Clean up
    apk del --purge git \
                    npm && \
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
 # Healthcheck
 HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:8000'
 #
 # Set user, workdir and start spiderfoot
 USER nobody:nobody
 WORKDIR /opt/cyberchef
 CMD ["http-server", "-p", "8000"]
--- a/docker/ddospot/Dockerfile
+++ b/docker/ddospot/Dockerfile
@ -0,0 +1,63 @@
 FROM alpine:3.15
 #
 # Include dist
 COPY dist/ /root/dist/
 #
 # Install packages
 RUN apk --no-cache -U add \
             build-base \
             git \
 	     libcap \
 	     py3-colorama \
 	     py3-greenlet \
 	     py3-pip \
 	     py3-schedule \
 	     py3-sqlalchemy \
 	     py3-twisted \
 	     py3-wheel \
             python3 \
             python3-dev && \
 #	     
 # Install ddospot from GitHub and setup
    mkdir -p /opt && \
    cd /opt/ && \
    git clone https://github.com/aelth/ddospot && \
    cd ddospot && \
    git checkout 49f515237bd2d5744290ed21dcca9b53def243ba && \
    # We only want JSON events, setting logger format to ('') ...
    sed -i "/handler.setFormatter(logging.Formatter(/{n;N;d}" /opt/ddospot/ddospot/core/potloader.py && \
    sed -i "s#handler.setFormatter(logging.Formatter(#handler.setFormatter(logging.Formatter(''))#g" /opt/ddospot/ddospot/core/potloader.py && \
    # ... and remove msg from log message for individual honeypots
    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/chargen/chargen.py && \
    sed -i "s#self.logger.info('New DNS query - \%s' \% (raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/dns/dns.py && \
    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/generic/generic.py && \
    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/ntp/ntp.py && \
    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/ssdp/ssdp.py && \
    # We are using logrotate
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/chargen/chargenpot.conf && \
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/dns/dnspot.conf && \
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/generic/genericpot.conf && \
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ntp/ntpot.conf && \
    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ssdp/ssdpot.conf && \
    cp /root/dist/requirements.txt . && \
    pip3 install -r ddospot/requirements.txt && \
    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Setup user, groups and configs
    addgroup -g 2000 ddospot && \
    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 ddospot && \
    chown ddospot:ddospot -R /opt/ddospot && \
 #
 # Clean up
    apk del --purge build-base \
                    git \
 		    python3-dev && \
    rm -rf /root/* && \
    rm -rf /opt/ddospot/.git && \
    rm -rf /var/cache/apk/*
 #
 # Start ddospot
 STOPSIGNAL SIGINT
 USER ddospot:ddospot
 WORKDIR /opt/ddospot/ddospot/
 CMD ["/usr/bin/python3","ddospot.py", "-n"]
--- a/docker/ddospot/dist/requirements.txt
+++ b/docker/ddospot/dist/requirements.txt
@ -0,0 +1,4 @@
 git+https://github.com/hpfeeds/hpfeeds
 tabulate
 python-geoip
 python-geoip-geolite2
--- a/docker/ddospot/docker-compose.yml
+++ b/docker/ddospot/docker-compose.yml
@ -0,0 +1,28 @@
 version: '2.3'
 networks:
  ddospot_local:
 services:
 # Ddospot service
  ddospot:
    build: .
    container_name: ddospot
    restart: always
 #    cpu_count: 1
 #    cpus: 0.25
    networks:
     - ddospot_local
    ports:
     - "19:19/udp"
     - "53:53/udp"
     - "123:123/udp"
 #     - "161:161/udp"
     - "1900:1900/udp"
    image: "dtagdevsec/ddospot:2204"
    read_only: true
    volumes:
     - /data/ddospot/log:/opt/ddospot/ddospot/logs
     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
     - /data/ddospot/db:/opt/ddospot/ddospot/db
--- a/docker/deprecated/cyberchef/Dockerfile
+++ b/docker/deprecated/cyberchef/Dockerfile
@ -0,0 +1,34 @@
 FROM node:10.24.1-alpine3.11 as builder
 #
 # Install CyberChef 
 RUN apk -U --no-cache add git
 RUN chown -R node:node /srv
 RUN npm install -g grunt-cli
 WORKDIR /srv
 USER node
 RUN git clone https://github.com/gchq/cyberchef -b v9.32.3 .
 ENV NODE_OPTIONS=--max_old_space_size=2048
 RUN npm install
 RUN grunt prod
 #
 # Move from builder
 FROM alpine:3.15
 #
 RUN apk -U --no-cache add \
      curl \
      npm && \
      npm install -g http-server && \
 #
 # Clean up
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*
 #
 COPY --from=builder /srv/build/prod /opt/cyberchef
 #
 # Healthcheck
 HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:8000'
 #
 # Set user, workdir and start cyberchef
 USER nobody:nobody
 WORKDIR /opt/cyberchef
 CMD ["http-server", "-p", "8000"]
--- a/docker/deprecated/cyberchef/docker-compose.yml
+++ b/docker/deprecated/cyberchef/docker-compose.yml
@ -14,5 +14,5 @@ services:
     - cyberchef_local
    ports:
     - "127.0.0.1:64299:8000"
-    image: "dtagdevsec/cyberchef:2006"
+    image: "dtagdevsec/cyberchef:2204"
    read_only: true
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,2 @@`
							`# Enter the name of your cloud to use from clouds.yaml`
							`cloud: open-telekom-cloud`