bump elk to 7.17.0 to support 8.0.1 in 22.x

tweaking, cleanup

README.md

@@ -11,18 +11,24 @@ and includes dockerized versions of the following honeypots
 * [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot),
 * [conpot](http://conpot.org/),
 * [cowrie](https://github.com/cowrie/cowrie),
+* [ddospot](https://github.com/aelth/ddospot),
 * [dicompot](https://github.com/nsmfoo/dicompot),
 * [dionaea](https://github.com/DinoTools/dionaea),
 * [elasticpot](https://gitlab.com/bontchev/elasticpot),
+* [endlessh](https://github.com/skeeto/endlessh),
 * [glutton](https://github.com/mushorg/glutton),
 * [heralding](https://github.com/johnnykv/heralding),
+* [hellpot](https://github.com/yunginnanet/HellPot),
+* [honeypots](https://github.com/qeeqbox/honeypots),
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
 * [ipphoney](https://gitlab.com/bontchev/ipphoney),
+* [log4pot](https://github.com/thomaspatzke/Log4Pot),
 * [mailoney](https://github.com/awhitehatter/mailoney),
 * [medpot](https://github.com/schmalle/medpot),
 * [rdpy](https://github.com/citronneur/rdpy),
+* [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot),
 * [snare](http://mushmush.org/),
 * [tanner](http://mushmush.org/)
 
@@ -92,17 +98,23 @@ In T-Pot we combine the dockerized honeypots ...
 * [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot),
 * [conpot](http://conpot.org/),
 * [cowrie](http://www.micheloosterhof.com/cowrie/),
+* [ddospot](https://github.com/aelth/ddospot),
 * [dicompot](https://github.com/nsmfoo/dicompot),
 * [dionaea](https://github.com/DinoTools/dionaea),
 * [elasticpot](https://gitlab.com/bontchev/elasticpot),
+* [endlessh](https://github.com/skeeto/endlessh),
 * [glutton](https://github.com/mushorg/glutton),
 * [heralding](https://github.com/johnnykv/heralding),
+* [hellpot](https://github.com/yunginnanet/HellPot),
+* [honeypots](https://github.com/qeeqbox/honeypots),
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
 * [ipphoney](https://gitlab.com/bontchev/ipphoney),
+* [log4pot](https://github.com/thomaspatzke/Log4Pot),
 * [mailoney](https://github.com/awhitehatter/mailoney),
 * [medpot](https://github.com/schmalle/medpot),
+* [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot),
 * [rdpy](https://github.com/citronneur/rdpy),
 * [snare](http://mushmush.org/),
 * [tanner](http://mushmush.org/)
@@ -489,10 +501,13 @@ We hope you understand that we cannot provide support on an individual basis. We
 # Licenses
 The software that T-Pot is built on uses the following licenses.
 <br>GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeysap](https://github.com/SecureAuthCorp/HoneySAP/blob/master/COPYING), [honeypy](https://github.com/foospidy/HoneyPy/blob/master/LICENSE), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/)
-<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
+<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [log4pot](https://github.com/thomaspatzke/Log4Pot/blob/master/LICENSE), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/blob/main/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
 <br>Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE), [elasticsearch-head](https://github.com/mobz/elasticsearch-head/blob/master/LICENCE)
-<br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE)
+<br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE)
+<br> Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE)
 <br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license)
+<br> AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE)
+
 
 <a name="credits"></a>
 # Credits
@@ -507,6 +522,7 @@ Without open source and the fruitful development community (we are proud to be a
 * [cockpit](https://github.com/cockpit-project/cockpit/graphs/contributors)
 * [conpot](https://github.com/mushorg/conpot/graphs/contributors)
 * [cowrie](https://github.com/micheloosterhof/cowrie/graphs/contributors)
+* [ddospot](https://github.com/aelth/ddospot/graphs/contributors)
 * [debian](http://www.debian.org/)
 * [dicompot](https://github.com/nsmfoo/dicompot/graphs/contributors)
 * [dionaea](https://github.com/DinoTools/dionaea/graphs/contributors)
@@ -514,20 +530,25 @@ Without open source and the fruitful development community (we are proud to be a
 * [elasticpot](https://gitlab.com/bontchev/elasticpot/-/project_members)
 * [elasticsearch](https://github.com/elastic/elasticsearch/graphs/contributors)
 * [elasticsearch-head](https://github.com/mobz/elasticsearch-head/graphs/contributors)
+* [endlessh](https://github.com/skeeto/endlessh/graphs/contributors)
 * [ewsposter](https://github.com/armedpot/ewsposter/graphs/contributors)
 * [fatt](https://github.com/0x4D31/fatt/graphs/contributors)
 * [glutton](https://github.com/mushorg/glutton/graphs/contributors)
+* [hellpot](https://github.com/yunginnanet/HellPot/graphs/contributors)
 * [heralding](https://github.com/johnnykv/heralding/graphs/contributors)
+* [honeypots](https://github.com/qeeqbox/honeypots/graphs/contributors)
 * [honeypy](https://github.com/foospidy/HoneyPy/graphs/contributors)
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP/graphs/contributors)
 * [honeytrap](https://github.com/armedpot/honeytrap/graphs/contributors)
 * [ipphoney](https://gitlab.com/bontchev/ipphoney/-/project_members)
 * [kibana](https://github.com/elastic/kibana/graphs/contributors)
 * [logstash](https://github.com/elastic/logstash/graphs/contributors)
+* [log4pot](https://github.com/thomaspatzke/Log4Pot/graphs/contributors)
 * [mailoney](https://github.com/awhitehatter/mailoney)
 * [medpot](https://github.com/schmalle/medpot/graphs/contributors)
 * [p0f](http://lcamtuf.coredump.cx/p0f3/)
 * [rdpy](https://github.com/citronneur/rdpy)
+* [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/graphs/contributors)
 * [spiderfoot](https://github.com/smicallef/spiderfoot)
 * [snare](https://github.com/mushorg/snare/graphs/contributors)
 * [tanner](https://github.com/mushorg/tanner/graphs/contributors)

bin/clean.sh

@@ -114,6 +114,14 @@ fuCOWRIE () {
   chown tpot:tpot /data/cowrie -R
 }
 
+# Let's create a function to clean up and prepare ddospot data
+fuDDOSPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
+  mkdir -p /data/ddospot/log
+  chmod 770 /data/ddospot -R
+  chown tpot:tpot /data/ddospot -R
+}
+
 # Let's create a function to clean up and prepare dicompot data
 fuDICOMPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
@@ -149,6 +157,14 @@ fuELK () {
   chown tpot:tpot /data/elk -R
 }
 
+# Let's create a function to clean up and prepare endlessh data
+fuENDLESSH () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
+  mkdir -p /data/endlessh/log
+  chmod 770 /data/endlessh -R
+  chown tpot:tpot /data/endlessh -R
+}
+
 # Let's create a function to clean up and prepare fatt data
 fuFATT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
@@ -165,6 +181,14 @@ fuGLUTTON () {
   chown tpot:tpot /data/glutton -R
 }
 
+# Let's create a function to clean up and prepare hellpot data
+fuHELLPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
+  mkdir -p /data/hellpot/log
+  chmod 770 /data/hellpot -R
+  chown tpot:tpot /data/hellpot -R
+}
+
 # Let's create a function to clean up and prepare heralding data
 fuHERALDING () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
@@ -173,6 +197,14 @@ fuHERALDING () {
   chown tpot:tpot /data/heralding -R
 }
 
+# Let's create a function to clean up and prepare honeypots data
+fuHONEYPOTS () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
+  mkdir -p /data/honeypots/log
+  chmod 770 /data/honeypots -R
+  chown tpot:tpot /data/honeypots -R
+}
+
 # Let's create a function to clean up and prepare honeypy data
 fuHONEYPY () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
@@ -205,6 +237,14 @@ fuIPPHONEY () {
   chown tpot:tpot /data/ipphoney -R
 }
 
+# Let's create a function to clean up and prepare log4pot data
+fuLOG4POT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
+  mkdir -p /data/log4pot/log
+  chmod 770 /data/log4pot -R
+  chown tpot:tpot /data/log4pot -R
+}
+
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@@ -237,6 +277,14 @@ fuRDPY () {
   chown tpot:tpot /data/rdpy/ -R
 }
 
+# Let's create a function to clean up and prepare redishoneypot data
+fuREDISHONEYPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
+  mkdir -p /data/redishoneypot/log
+  chmod 770 /data/redishoneypot -R
+  chown tpot:tpot /data/redishoneypot -R
+}
+
 # Let's create a function to prepare spiderfoot db
 fuSPIDERFOOT () {
   mkdir -p /data/spiderfoot
@@ -296,20 +344,26 @@ if [ "$myPERSISTENCE" = "on" ];
     fuCITRIXHONEYPOT
     fuCONPOT
     fuCOWRIE
+    fuDDOSPOT
     fuDICOMPOT
     fuDIONAEA
     fuELASTICPOT
     fuELK
+    fuENDLESSH
     fuFATT
     fuGLUTTON
     fuHERALDING
+    fuHELLPOT
     fuHONEYSAP
+    fuHONEYPOTS
     fuHONEYPY
     fuHONEYTRAP
     fuIPPHONEY
+    fuLOG4POT
     fuMAILONEY
     fuMEDPOT
     fuNGINX
+    fuREDISHONEYPOT
     fuRDPY
     fuSPIDERFOOT
     fuSURICATA

bin/deploy.sh

@@ -0,0 +1,182 @@
+#!/bin/bash
+
+# Do we have root?
+function fuGOT_ROOT {
+echo
+echo -n "### Checking for root: "
+if [ "$(whoami)" != "root" ];
+  then
+    echo "[ NOT OK ]"
+    echo "### Please run as root."
+    echo "### Example: sudo $0"
+    exit
+  else
+    echo "[ OK ]"
+fi
+}
+
+function fuDEPLOY_POT () {
+echo
+echo "###############################"
+echo "# Deploying to T-Pot Hive ... #"
+echo "###############################"
+echo
+sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
+echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
+mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
+echo "$MY_POT_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
+chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
+chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
+chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
+EOF
+
+echo
+echo "###########################"
+echo "# Done. Please reboot ... #"
+echo "###########################"
+echo
+
+exit 0
+}
+
+# Check Hive availability 
+function fuCHECK_HIVE () {
+echo
+echo "############################################"
+echo "# Checking for T-Pot Hive availability ... #"
+echo "############################################"
+echo
+sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
+if [ $? -eq 0 ];
+  then
+    echo
+    echo "#########################"
+    echo "# T-Pot Hive available! #"
+    echo "#########################"
+    echo
+    myHIVE_OK=$(curl -s http://127.0.0.1:64305)
+    if [ "$myHIVE_OK" == "ok" ];
+      then
+	echo
+        echo "##############################"
+        echo "# T-Pot Hive tunnel test OK! #"
+        echo "##############################"
+        echo
+        kill -9 $(pidof ssh)
+      else
+        echo
+	echo "######################################################"
+        echo "# T-Pot Hive tunnel test FAILED!                     #"
+	echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
+	echo "# Aborting.                                          #"
+        echo "######################################################"
+        echo
+        kill -9 $(pidof ssh)
+	rm $MY_POT_PUBLICKEYFILE
+	rm $MY_POT_PRIVATEKEYFILE
+	rm $MY_LS_ENVCONFIGFILE
+	exit 1
+    fi;
+  else
+    echo
+    echo "#################################################################"
+    echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
+    echo "# Aborting.                                                     #"
+    echo "#################################################################"
+    echo
+    rm $MY_POT_PUBLICKEYFILE
+    rm $MY_POT_PRIVATEKEYFILE
+    rm $MY_LS_ENVCONFIGFILE
+    exit 1
+fi;
+}
+
+function fuGET_DEPLOY_DATA () {
+echo
+echo "### Please provide data from your T-Pot Hive installation."
+echo "### This usually is the one running the 'T-Pot Hive' type."
+echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
+echo "### Do not worry, the password will not be persisted!"
+echo
+
+read -p "Username: " MY_TPOT_USERNAME
+read -s -p "Password: " SSHPASS
+echo
+export SSHPASS
+read -p "IP / FQDN: " MY_HIVE_IP
+MY_HIVE_USERNAME="$(hostname)"
+MY_TPOT_TYPE="POT"
+MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
+
+MY_POT_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
+MY_POT_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
+if ! [ -s "$MY_POT_PRIVATEKEYFILE" ] && ! [ -s "$MY_POT_PUBLICKEYFILE" ];
+  then
+    echo
+    echo "##############################"
+    echo "# Generating ssh keyfile ... #"
+    echo "##############################"
+    echo
+    mkdir -p /data/elk/logstash
+    ssh-keygen -f "$MY_POT_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
+    MY_POT_PUBLICKEY="$(cat "$MY_POT_PUBLICKEYFILE")"
+  else
+    echo
+    echo "#############################################"
+    echo "# There is already a ssh keyfile. Aborting. #"
+    echo "#############################################"
+    echo
+    exit 1
+fi
+echo
+echo "###########################################################"
+echo "# Writing config to /data/elk/logstash/ls_environment.    #"
+echo "# If you make changes to this file, you need to reboot or #"
+echo "# run /opt/tpot/bin/updateip.sh.                          #"
+echo "###########################################################"
+echo
+tee $MY_LS_ENVCONFIGFILE << EOF
+MY_TPOT_TYPE=$MY_TPOT_TYPE
+MY_POT_PRIVATEKEYFILE=$MY_POT_PRIVATEKEYFILE
+MY_HIVE_USERNAME=$MY_HIVE_USERNAME
+MY_HIVE_IP=$MY_HIVE_IP
+EOF
+}
+
+# Deploy Pot to Hive
+fuGOT_ROOT
+echo
+echo "#################################"
+echo "# Ship T-Pot Logs to T-Pot Hive #"
+echo "#################################"
+echo
+echo "If you already have a T-Pot Hive installation running and"
+echo "this T-Pot installation is running the type \"Pot\" the"
+echo "script will automagically setup this T-Pot to ship and"
+echo "prepare the Hive to receive logs from this T-Pot."
+echo
+echo
+echo "###################################"
+echo "# Deploy T-Pot Logs to T-Pot Hive #"
+echo "###################################"
+echo 
+echo "[c] - Continue deplyoment"
+echo "[q] - Abort and exit"
+echo
+while [ 1 != 2 ]
+  do
+    read -s -n 1 -p "Your choice: " mySELECT
+      echo $mySELECT
+      case "$mySELECT" in
+        [c,C])
+          fuGET_DEPLOY_DATA
+          fuCHECK_HIVE
+	  fuDEPLOY_POT
+          break
+          ;;
+        [q,Q])
+          echo "Aborted."
+          exit 0
+          ;;
+      esac
+done

bin/deprecated/export_kibana-objects.sh

@@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -15,7 +15,7 @@ fi
 
 # Set vars
 myDATE=$(date +%Y%m%d%H%M)
-myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
 myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
 myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')

bin/deprecated/import_kibana-objects.sh

@@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
 
 # Restore index patterns
 myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
-myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null

bin/tped.sh

@@ -29,7 +29,7 @@ for i in $myYMLS;
   do
     myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " 
 done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
+myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 17 50 10 $myITEMS 3>&1 1>&2 2>&3 3>&-)
 if [ "$myEDITION" == "" ];
   then
     echo "Have a nice day!"

bin/updateip.sh

@@ -32,5 +32,17 @@ MY_EXTIP=$myEXTIP
 MY_INTIP=$myLOCALIP
 MY_HOSTNAME=$HOSTNAME
 EOF
+
+if [ -s "/data/elk/logstash/ls_environment" ];
+  then
+    source /data/elk/logstash/ls_environment
+    tee -a /opt/tpot/etc/compose/elk_environment << EOF
+MY_TPOT_TYPE=$MY_TPOT_TYPE
+MY_POT_PRIVATEKEYFILE=$MY_POT_PRIVATEKEYFILE
+MY_HIVE_USERNAME=$MY_HIVE_USERNAME
+MY_HIVE_IP=$MY_HIVE_IP
+EOF
+fi
+
 chown tpot:tpot /data/ews/conf/ews.ip
 chmod 770 /data/ews/conf/ews.ip

cloud/.gitignore

@@ -6,5 +6,5 @@
 **/terraform.*
 
 # OpenStack clouds
-clouds.yaml
-secure.yaml
+**/clouds.yaml
+**/secure.yaml

cloud/ansible/openstack/roles/check/tasks/main.yaml

@@ -16,4 +16,4 @@
   ansible.builtin.fail:
     msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
   ignore_errors: yes
-  when: lookup('env','SSH_AUTH_SOCK') == ""
+  failed_when: lookup('env','SSH_AUTH_SOCK') == ""

cloud/ansible/openstack/roles/create_net/tasks/main.yaml

@@ -1,33 +1,33 @@
 - name: Create security group
   openstack.cloud.security_group:
     cloud: "{{ cloud }}"
-    name: sg-tpot-any
-    description: tpot any-any
+    name: sg-tpot-ansible
+    description: Security Group for T-Pot
 
 - name: Add rules to security group
   openstack.cloud.security_group_rule:
     cloud: "{{ cloud }}"
-    security_group: sg-tpot-any
+    security_group: sg-tpot-ansible
     remote_ip_prefix: 0.0.0.0/0
 
 - name: Create network
   openstack.cloud.network:
     cloud: "{{ cloud }}"
-    name: network-tpot
+    name: network-tpot-ansible
 
 - name: Create subnet
   openstack.cloud.subnet:
     cloud: "{{ cloud }}"
-    network_name: network-tpot
-    name: subnet-tpot
+    network_name: network-tpot-ansible
+    name: subnet-tpot-ansible
     cidr: 192.168.0.0/24
     dns_nameservers:
-      - 1.1.1.1
-      - 8.8.8.8
+      - 100.125.4.25
+      - 100.125.129.199
 
 - name: Create router
   openstack.cloud.router:
     cloud: "{{ cloud }}"
-    name: router-tpot
+    name: router-tpot-ansible
     interfaces:
-      - subnet-tpot
+      - subnet-tpot-ansible

cloud/ansible/openstack/roles/create_vm/tasks/main.yaml

@@ -11,10 +11,10 @@
     boot_from_volume: yes
     volume_size: "{{ volume_size }}"
     key_name: "{{ key_name }}"
-    timeout: 200
+    auto_ip: yes
     flavor: "{{ flavor }}"
-    security_groups: sg-tpot-any
-    network: network-tpot
+    security_groups: sg-tpot-ansible
+    network: network-tpot-ansible
   register: tpot
 
 - name: Add instance to inventory

cloud/ansible/openstack/roles/install/tasks/main.yaml

@@ -23,7 +23,7 @@
    shell: /bin/bash
 
 - name: Copy T-Pot configuration file
-  ansible.builtin.template:
+  ansible.builtin.copy:
     src: ../../../../../../iso/installer/tpot.conf.dist
     dest: /root/tpot.conf
     owner: root

cloud/terraform/README.md

@@ -37,12 +37,13 @@ This can easily be extended to support other [Terraform providers](https://regis
 <a name="what-created-otc"></a>
 ### Open Telekom Cloud (OTC)
 * ECS instance:
-  * s2.medium.8 (1 vCPU, 8 GB RAM)
+  * s3.medium.8 (1 vCPU, 8 GB RAM)
   * 128 GB disk
   * Debian 10
   * Public EIP
 * Security Group
-* Network, Subnet, Router (= Virtual Private Cloud [VPC])
+  * All TCP/UDP ports are open to the Internet
+* Virtual Private Cloud (VPC) and Subnet
 
 <a name="pre"></a>
 ## Prerequisites
@@ -90,11 +91,13 @@ In `aws/variables.tf`, you can change the additional variables:
 <a name="variables-otc"></a>
 ### Open Telekom Cloud (OTC)
 In `otc/variables.tf`, you can change the additional variables:
+* `ecs_flavor`
+* `ecs_disk_size`
 * `availability_zone`
-* `flavor`
 * `key_pair` - Specify an existing SSH key pair
-* `volume_size`  
-Furthermore you can configure the naming of the created infrastructure (per default everything gets prefixed with "tpot-", e.g. "tpot-router").
+* `eip_size`
+
+... and some more, but these are the most relevant.
 
 <a name="initialising"></a>
 ## Initialising

cloud/terraform/aws/main.tf

@@ -60,7 +60,7 @@ resource "aws_instance" "tpot" {
     volume_size           = 128
     delete_on_termination = true
   }
-  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
-  vpc_security_group_ids = [aws_security_group.tpot.id]
+  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
+  vpc_security_group_ids      = [aws_security_group.tpot.id]
   associate_public_ip_address = true
 }

cloud/terraform/aws/variables.tf

@@ -32,30 +32,31 @@ variable "ec2_instance_type" {
 variable "ec2_ami" {
   type = map(string)
   default = {
-    "af-south-1"     = "ami-04090a79eb0bcb6c1"
-    "ap-east-1"      = "ami-0327f60df432e2479"
-    "ap-northeast-1" = "ami-06bc324209030cbc8"
-    "ap-northeast-2" = "ami-02ee842962ae7df95"
-    "ap-south-1"     = "ami-0d548fffbb2d54e42"
-    "ap-southeast-1" = "ami-0dcf891cda6248f00"
-    "ap-southeast-2" = "ami-022578f782d4e5d30"
-    "ca-central-1"   = "ami-01444dd84a75e9a82"
-    "eu-central-1"   = "ami-097411fa8fbfdffda"
-    "eu-north-1"     = "ami-026984326b6456f6a"
-    "eu-south-1"     = "ami-07ad114e5df69197e"
-    "eu-west-1"      = "ami-0101794b418f8b2a6"
-    "eu-west-2"      = "ami-00eac9341e72e638a"
-    "eu-west-3"      = "ami-01469c569416f3bd3"
-    "me-south-1"     = "ami-0821f357b877b076d"
-    "sa-east-1"      = "ami-0c87b2c6219e3d5fd"
-    "us-east-1"      = "ami-047f0b13f023f6553"
-    "us-east-2"      = "ami-0988470f4e830799f"
-    "us-west-1"      = "ami-0be6bacfeb2913ac2"
-    "us-west-2"      = "ami-0112d55fbe29acc68"
+    "af-south-1"     = "ami-0272d4f5fb1b98a0d"
+    "ap-east-1"      = "ami-00d242e2f23abf6d2"
+    "ap-northeast-1" = "ami-001c6b4d627e8be53"
+    "ap-northeast-2" = "ami-0d841ed4bf80e764c"
+    "ap-northeast-3" = "ami-01b0a01d770321320"
+    "ap-south-1"     = "ami-04ba7e5bd7c6f6929"
+    "ap-southeast-1" = "ami-0dca3eabb09c32ae2"
+    "ap-southeast-2" = "ami-03ff8684dc585ddae"
+    "ca-central-1"   = "ami-08af22d7c0382fd83"
+    "eu-central-1"   = "ami-0f41e297b3c53fab8"
+    "eu-north-1"     = "ami-0bbc6a00971c77d6d"
+    "eu-south-1"     = "ami-03ff8684dc585ddae"
+    "eu-west-1"      = "ami-080684ad73d431a05"
+    "eu-west-2"      = "ami-04b259723891dfc53"
+    "eu-west-3"      = "ami-00662eead74f66895"
+    "me-south-1"     = "ami-021a6c6047091ab5b"
+    "sa-east-1"      = "ami-0aac091cce68a049c"
+    "us-east-1"      = "ami-05ad4ed7f9c48178b"
+    "us-east-2"      = "ami-07640f3f27c0ad3d3"
+    "us-west-1"      = "ami-0c053f1d5f22eb09f"
+    "us-west-2"      = "ami-090cd3aed687b1ee1"
   }
 }
 
-# cloud-init configuration
+## cloud-init configuration ##
 variable "timezone" {
   default = "UTC"
 }
@@ -63,20 +64,30 @@ variable "timezone" {
 variable "linux_password" {
   #default = "LiNuXuSeRPaSs#"
   description = "Set a password for the default user"
+
+  validation {
+    condition     = length(var.linux_password) > 0
+    error_message = "Please specify a password for the default user."
+  }
 }
 
-# These will go in the generated tpot.conf file
+## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
-  default = "STANDARD"
+  default     = "STANDARD"
   description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]"
 }
 
 variable "web_user" {
-  default = "webuser"
+  default     = "webuser"
   description = "Set a username for the web user"
 }
 
 variable "web_password" {
   #default = "w3b$ecret"
   description = "Set a password for the web user"
+
+  validation {
+    condition     = length(var.web_password) > 0
+    error_message = "Please specify a password for the web user."
+  }
 }

cloud/terraform/aws/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.13"
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
       version = "3.26.0"
     }
   }

cloud/terraform/cloud-init.yaml

@@ -5,6 +5,7 @@ packages:
   - git
 
 runcmd:
+  - curl -sS --retry 5 https://github.com
   - git clone https://github.com/telekom-security/tpotce /root/tpot
   - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
   - rm /root/tpot.conf

cloud/terraform/otc/.terraform.lock.hcl

@@ -2,38 +2,37 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/random" {
-  version     = "3.0.1"
-  constraints = "~> 3.0.1"
+  version     = "3.1.0"
+  constraints = "~> 3.1.0"
   hashes = [
-    "h1:SzM8nt2wzLMI28A3CWAtW25g3ZCm1O4xD0h3Ps/rU1U=",
-    "zh:0d4f683868324af056a9eb2b06306feef7c202c88dbbe6a4ad7517146a22fb50",
-    "zh:4824b3c7914b77d41dfe90f6f333c7ac9860afb83e2a344d91fbe46e5dfbec26",
-    "zh:4b82e43712f3cf0d0cbc95b2cbcd409ba8f0dc7848fdfb7c13633c27468ed04a",
-    "zh:78b3a2b860c3ebc973a794000015f5946eb59b82705d701d487475406b2612f1",
-    "zh:88bc65197bd74ff408d147b32f0045372ae3a3f2a2fdd7f734f315d988c0e4a2",
-    "zh:91bd3c9f625f177f3a5d641a64e54d4b4540cb071070ecda060a8261fb6eb2ef",
-    "zh:a6818842b28d800f784e0c93284ff602b0c4022f407e4750da03f50b853a9a2c",
-    "zh:c4a1a2b52abd05687e6cfded4a789dcd7b43e7a746e4d02dd1055370cf9a994d",
-    "zh:cf65041bf12fc3bde709c1d267dbe94142bc05adcabc4feb17da3b12249132ac",
-    "zh:e385e00e7425dda9d30b74ab4ffa4636f4b8eb23918c0b763f0ffab84ece0c5c",
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
   ]
 }
 
 provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
-  version     = "1.22.5"
-  constraints = "1.22.5"
+  version     = "1.23.6"
+  constraints = "~> 1.23.4"
   hashes = [
-    "h1:H20WxSx+j2JyrqHAgqsrV3rMWEOEZVEQuA7upz/1IgY=",
-    "zh:276ab06e7c011351fc5a803fea0321a9d12b1353bd43f5389f3bbf491e31fc41",
-    "zh:3191dc598ea4e4c99d08a2b1a5f65710dbcc1a892b1f9dde7b52515f32028319",
-    "zh:43db37c5fb6a886ce3bbc2aa730854476da7dd0340622ad874998041fa96f7a2",
-    "zh:45f3e2677a4c35bd88d435c906224092e0dde17055a203b474da2eeacffbf9b7",
-    "zh:504568581e561130fc0a9ceb6514e9664c67e3a89cd6c912f64c82f0a0305a30",
-    "zh:5646c76cbe710fd0acde409cdcfb352dd53a282c0207e46e33ac5714d0eaa0b9",
-    "zh:578b0f5d43f156f86ca6a63604da6e968f035d0b4bf6ccfc83db284fd31057f6",
-    "zh:784459b8350dc650f01e6866bcec0632e8b5a8733d81e6ed53bc8cc1254abb92",
-    "zh:970aa873a81994cddf84279b255d3f51a4138b23cb9162707cefb84042451bfc",
-    "zh:e892b8b6225a46067586b8e54a7102ac1b0fc296b4851dab3d4cc185de538d66",
-    "zh:f8c4699eebe99ac93d9cdccfcc809a5bd3d6c238be136d5a26c4e812ef30ec32",
+    "h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
+    "zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
+    "zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
+    "zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
+    "zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
+    "zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
+    "zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
+    "zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
+    "zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
+    "zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
   ]
 }

cloud/terraform/otc/main.tf

@@ -14,24 +14,18 @@ resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
   security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
 }
 
-resource "opentelekomcloud_networking_network_v2" "network_1" {
-  name = var.network_name
+resource "opentelekomcloud_vpc_v1" "vpc_1" {
+  name = var.vpc_name
+  cidr = var.vpc_cidr
 }
 
-resource "opentelekomcloud_networking_subnet_v2" "subnet_1" {
-  name            = var.subnet_name
-  network_id      = opentelekomcloud_networking_network_v2.network_1.id
-  cidr            = "192.168.0.0/24"
-  dns_nameservers = ["1.1.1.1", "8.8.8.8"]
-}
+resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
+  name   = var.subnet_name
+  cidr   = var.subnet_cidr
+  vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
 
-resource "opentelekomcloud_networking_router_v2" "router_1" {
-  name = var.router_name
-}
-
-resource "opentelekomcloud_networking_router_interface_v2" "router_interface_1" {
-  router_id = opentelekomcloud_networking_router_v2.router_1.id
-  subnet_id = opentelekomcloud_networking_subnet_v2.subnet_1.id
+  gateway_ip = var.subnet_gateway_ip
+  dns_list   = ["100.125.4.25", "100.125.129.199"]
 }
 
 resource "random_id" "tpot" {
@@ -39,33 +33,36 @@ resource "random_id" "tpot" {
   prefix      = var.ecs_prefix
 }
 
-resource "opentelekomcloud_compute_instance_v2" "ecs_1" {
+resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
+  name     = random_id.tpot.b64_url
+  image_id = data.opentelekomcloud_images_image_v2.debian.id
+  flavor   = var.ecs_flavor
+  vpc_id   = opentelekomcloud_vpc_v1.vpc_1.id
+
+  nics {
+    network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
+  }
+
+  system_disk_size  = var.ecs_disk_size
+  system_disk_type  = "SAS"
+  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
   availability_zone = var.availability_zone
-  name              = random_id.tpot.b64_std
-  flavor_name       = var.flavor
-  key_pair          = var.key_pair
-  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.name]
-  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
+  key_name          = var.key_pair
+  user_data         = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
+}
 
-  network {
-    name = opentelekomcloud_networking_network_v2.network_1.name
+resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
+  publicip {
+    type = "5_bgp"
   }
-
-  block_device {
-    uuid                  = data.opentelekomcloud_images_image_v2.debian.id
-    source_type           = "image"
-    volume_size           = var.volume_size
-    destination_type      = "volume"
-    delete_on_termination = "true"
+  bandwidth {
+    name       = "bandwidth-${random_id.tpot.b64_url}"
+    size       = var.eip_size
+    share_type = "PER"
   }
-
-  depends_on = [opentelekomcloud_networking_router_interface_v2.router_interface_1]
 }
 
-resource "opentelekomcloud_networking_floatingip_v2" "floatip_1" {
-}
-
-resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_2" {
-  floating_ip = opentelekomcloud_networking_floatingip_v2.floatip_1.address
-  instance_id = opentelekomcloud_compute_instance_v2.ecs_1.id
+resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
+  floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
+  instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
 }

cloud/terraform/otc/outputs.tf

@@ -1,11 +1,11 @@
 output "Admin_UI" {
-  value = "https://${opentelekomcloud_networking_floatingip_v2.floatip_1.address}:64294"
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
 }
 
 output "SSH_Access" {
-  value = "ssh -p 64295 linux@${opentelekomcloud_networking_floatingip_v2.floatip_1.address}"
+  value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
 }
 
 output "Web_UI" {
-  value = "https://${opentelekomcloud_networking_floatingip_v2.floatip_1.address}:64297"
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
 }

cloud/terraform/otc/provider.tf

@@ -1,3 +1,3 @@
 provider "opentelekomcloud" {
-    cloud = "open-telekom-cloud"
+  cloud = "open-telekom-cloud"
 }

cloud/terraform/otc/variables.tf

@@ -1,4 +1,4 @@
-# cloud-init configuration
+## cloud-init configuration ##
 variable "timezone" {
   default = "UTC"
 }
@@ -6,66 +6,93 @@ variable "timezone" {
 variable "linux_password" {
   #default = "LiNuXuSeRPaSs#"
   description = "Set a password for the default user"
+
+  validation {
+    condition     = length(var.linux_password) > 0
+    error_message = "Please specify a password for the default user."
+  }
 }
 
-# Cloud resources name configuration
+## Security Group ##
 variable "secgroup_name" {
-  default = "tpot-secgroup"
+  default = "sg-tpot"
 }
 
 variable "secgroup_desc" {
-  default = "T-Pot Security Group"
+  default = "Security Group for T-Pot"
 }
 
-variable "network_name" {
-  default = "tpot-network"
+## Virtual Private Cloud ##
+variable "vpc_name" {
+  default = "vpc-tpot"
 }
 
+variable "vpc_cidr" {
+  default = "192.168.0.0/16"
+}
+
+## Subnet ##
 variable "subnet_name" {
-  default = "tpot-subnet"
+  default = "subnet-tpot"
 }
 
-variable "router_name" {
-  default = "tpot-router"
+variable "subnet_cidr" {
+  default = "192.168.0.0/24"
 }
 
+variable "subnet_gateway_ip" {
+  default = "192.168.0.1"
+}
+
+## Elastic Cloud Server ##
 variable "ecs_prefix" {
   default = "tpot-"
 }
 
-# ECS configuration
-variable "availability_zone" {
-  default = "eu-de-03"
-  description = "Select an availability zone"
+variable "ecs_flavor" {
+  default = "s3.medium.8"
 }
 
-variable "flavor" {
-  default = "s3.medium.8"
-  description = "Select a compute flavor"
+variable "ecs_disk_size" {
+  default = "128"
+}
+
+variable "availability_zone" {
+  default = "eu-de-03"
 }
 
 variable "key_pair" {
   #default = ""
   description = "Specify your SSH key pair"
+
+  validation {
+    condition     = length(var.key_pair) > 0
+    error_message = "Please specify a Key Pair."
+  }
 }
 
-variable "volume_size" {
-  default = "128"
-  description = "Set the volume size"
+## Elastic IP ##
+variable "eip_size" {
+  default = "100"
 }
 
-# These will go in the generated tpot.conf file
+## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
-  default = "STANDARD"
+  default     = "STANDARD"
   description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]"
 }
 
 variable "web_user" {
-  default = "webuser"
+  default     = "webuser"
   description = "Set a username for the web user"
 }
 
 variable "web_password" {
   #default = "w3b$ecret"
   description = "Set a password for the web user"
+
+  validation {
+    condition     = length(var.web_password) > 0
+    error_message = "Please specify a password for the web user."
+  }
 }

cloud/terraform/otc/versions.tf

@@ -2,12 +2,12 @@ terraform {
   required_version = ">= 0.13"
   required_providers {
     opentelekomcloud = {
-      source = "opentelekomcloud/opentelekomcloud"
-      version = "1.22.5"
+      source  = "opentelekomcloud/opentelekomcloud"
+      version = "~> 1.23.4"
     }
     random = {
-      source = "hashicorp/random"
-      version = "~> 3.0.1"
+      source  = "hashicorp/random"
+      version = "~> 3.1.0"
     }
   }
 }

docker/adbhoney/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@@ -23,7 +23,7 @@ RUN apk -U add \
     addgroup -g 2000 adbhoney && \
     adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
     chown -R adbhoney:adbhoney /opt/adbhoney && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Clean up
     apk del --purge git \

docker/adbhoney/docker-compose.yml

@@ -14,7 +14,8 @@ services:
      - adbhoney_local
     ports:
      - "5555:5555"
-    image: "ghcr.io/telekom-security/adbhoney:2006"
+#    image: "dtagdevsec/adbhoney:2006"
+    image: "dtagdevsec/adbhoney:2006"
     read_only: true
     volumes:
      - /data/adbhoney/log:/opt/adbhoney/log

docker/ciscoasa/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/

docker/ciscoasa/docker-compose.yml

@@ -13,7 +13,7 @@ services:
     ports:
      - "5000:5000/udp"
      - "8443:8443"
-    image: "ghcr.io/telekom-security/ciscoasa:2006"
+    image: "dtagdevsec/ciscoasa:2006"
     read_only: true
     volumes:
      - /data/ciscoasa/log:/var/log/ciscoasa

docker/citrixhoneypot/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Install packages
 RUN apk -U add \
@@ -29,7 +29,7 @@ RUN apk -U add \
     addgroup -g 2000 citrixhoneypot && \
     adduser -S -H -s /bin/ash -u 2000 -D -g 2000 citrixhoneypot && \
     chown -R citrixhoneypot:citrixhoneypot /opt/citrixhoneypot && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #
 # Clean up
     apk del --purge git \

docker/citrixhoneypot/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - citrixhoneypot_local
     ports:
      - "443:443"
-    image: "ghcr.io/telekom-security/citrixhoneypot:2006"
+    image: "dtagdevsec/citrixhoneypot:2006"
     read_only: true
     volumes:
      - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs

docker/conpot/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:edge
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@@ -28,7 +28,6 @@ RUN apk -U add \
 # Setup ConPot
     git clone https://github.com/mushorg/conpot /opt/conpot && \
     cd /opt/conpot/ && \
-#    git checkout ff09e009d10d953aa7dcff2c06b7c890e6ffd4b7 && \
     git checkout 804fd65aa3b7ffa31c07fd4e863d4a5500414cf3 && \
     # Change template default ports if <1024
     sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \ 
@@ -45,13 +44,13 @@ RUN apk -U add \
     pip3 install --no-cache-dir pysnmp-mibs && \
     cd / && \
     rm -rf /opt/conpot /tmp/* /var/tmp/* && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
 #    
 # Get wireshark manuf db for scapy, setup configs, user, groups
     mkdir -p /etc/conpot /var/log/conpot /usr/share/wireshark && \
     wget https://github.com/wireshark/wireshark/raw/master/manuf -o /usr/share/wireshark/manuf && \
     cp /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \
-    cp -R /root/dist/templates /usr/lib/python3.8/site-packages/conpot/ && \
+    cp -R /root/dist/templates /usr/lib/python3.9/site-packages/conpot/ && \
     addgroup -g 2000 conpot && \
     adduser -S -s /bin/ash -u 2000 -D -g 2000 conpot && \
 #

docker/conpot/dist/conpot.cfg

@@ -3,7 +3,7 @@ sensorid = conpot
 
 [virtual_file_system]
 data_fs_url = %(CONPOT_TMP)s
-fs_url = tar:///usr/lib/python3.8/site-packages/conpot/data.tar
+fs_url = tar:///usr/lib/python3.9/site-packages/conpot/data.tar
 
 [session]
 timeout = 30

docker/conpot/docker-compose.yml

@@ -26,16 +26,16 @@ services:
     networks:
      - conpot_local_default
     ports:
-#    - "69:69"        
+#    - "69:69/udp"        
      - "80:80"
      - "102:102"
-     - "161:161"
+     - "161:161/udp"
      - "502:502"
-#     - "623:623"
+#     - "623:623/udp"
      - "2121:21"
      - "44818:44818"
-     - "47808:47808"
-    image: "ghcr.io/telekom-security/conpot:2006"
+     - "47808:47808/udp"
+    image: "dtagdevsec/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -56,9 +56,9 @@ services:
     networks:
      - conpot_local_IEC104
     ports:
-#     - "161:161"
+#     - "161:161/udp"
      - "2404:2404"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -80,7 +80,7 @@ services:
      - conpot_local_guardian_ast
     ports:
      - "10001:10001"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -101,8 +101,8 @@ services:
     networks:
      - conpot_local_ipmi
     ports:
-     - "623:623"
-    image: "ghcr.io/telekom-security/conpot:2006"
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
@@ -125,7 +125,7 @@ services:
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot

docker/cowrie/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@@ -17,12 +17,7 @@ RUN apk -U add \
              openssl-dev \
              py3-pip \
              python3 \
-             python3-dev \
-	     py3-bcrypt \
-	     py3-cryptography \
-             py3-mysqlclient \
-             py3-requests \
-             py3-setuptools && \
+             python3-dev && \
 #
 # Setup user
     addgroup -g 2000 cowrie && \
@@ -31,11 +26,13 @@ RUN apk -U add \
 # Install cowrie
     mkdir -p /home/cowrie && \
     cd /home/cowrie && \
-    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.2.0 && \
+    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.3.0 && \
     cd cowrie && \
+#    git checkout 6b1e82915478292f1e77ed776866771772b48f2e && \
 #    sed -i s/logfile.DailyLogFile/logfile.LogFile/g src/cowrie/python/logfile.py && \
     mkdir -p log && \
-    cp /root/dist/requirements.txt . && \
+    sed -i '/packaging.*/d' requirements.txt && \
+    pip3 install --upgrade pip && \
     pip3 install -r requirements.txt && \
 #
 # Setup configs

docker/cowrie/dist/cowrie.cfg

@@ -36,6 +36,11 @@ rsa_public_key = etc/ssh_host_rsa_key.pub
 rsa_private_key = etc/ssh_host_rsa_key
 dsa_public_key = etc/ssh_host_dsa_key.pub
 dsa_private_key = etc/ssh_host_dsa_key
+ecdsa_public_key = etc/ssh_host_ecdsa_key.pub
+ecdsa_private_key = etc/ssh_host_ecdsa_key
+ed25519_public_key = etc/ssh_host_ed25519_key.pub
+ed25519_private_key = etc/ssh_host_ed25519_key
+public_key_auth = ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
 #version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
 version = SSH-2.0-OpenSSH_7.9p1
 ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc

docker/cowrie/dist/requirements.txt

@@ -1,14 +0,0 @@
-appdirs==1.4.4
-attrs==20.3.0
-bcrypt==3.2.0
-configparser==5.0.1
-#cryptography==3.4.5
-#packaging==20.9
-pyasn1_modules==0.2.8
-pyopenssl==20.0.1
-pyparsing==2.4.7
-python-dateutil==2.8.1
-service_identity==18.1.0
-tftpy==0.8.0
-treq==21.1.0
-twisted==20.3.0

docker/cowrie/docker-compose.yml

@@ -18,7 +18,7 @@ services:
     ports:
      - "22:22"
      - "23:23"
-    image: "ghcr.io/telekom-security/cowrie:2006"
+    image: "dtagdevsec/cowrie:2006"
     read_only: true
     volumes:
      - /data/cowrie/downloads:/home/cowrie/cowrie/dl

docker/cyberchef/Dockerfile

@@ -1,30 +1,30 @@
-FROM alpine:3.10
-#
-# Get and install dependencies & packages
-RUN apk -U --no-cache add \
-            curl \
-            git \
-            npm \
-            nodejs && \
-    npm install npm@latest -g && \
-    npm install -g grunt-cli http-server && \
+FROM node:10.24.1-alpine3.11 as builder
 #
 # Install CyberChef 
-    cd /root && \
-    git clone https://github.com/gchq/cyberchef -b v9.27.0 && \
-    cd cyberchef && \
-    npm install && \
-    grunt prod && \
-    mkdir -p /opt/cyberchef && \
-    mv build/prod/* /opt/cyberchef && \
-    cd / && \
+RUN apk -U --no-cache add git
+RUN chown -R node:node /srv
+RUN npm install -g grunt-cli
+WORKDIR /srv
+USER node
+RUN git clone https://github.com/gchq/cyberchef -b v9.32.3 .
+ENV NODE_OPTIONS=--max_old_space_size=2048
+RUN npm install
+RUN grunt prod
+#
+# Move from builder
+FROM alpine:3.14
+#
+RUN apk -U --no-cache add \
+      curl \
+      npm && \
+      npm install -g http-server && \
 #
 # Clean up
-    apk del --purge git \
-                    npm && \
     rm -rf /root/* && \
     rm -rf /var/cache/apk/*
 #
+COPY --from=builder /srv/build/prod /opt/cyberchef
+#
 # Healthcheck
 HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:8000'
 #

docker/cyberchef/docker-compose.yml

@@ -14,5 +14,5 @@ services:
      - cyberchef_local
     ports:
      - "127.0.0.1:64299:8000"
-    image: "ghcr.io/telekom-security/cyberchef:2006"
+    image: "dtagdevsec/cyberchef:2006"
     read_only: true

docker/ddospot/Dockerfile

@@ -0,0 +1,52 @@
+FROM alpine:3.14
+#
+# Install packages
+RUN apk -U add \
+             build-base \
+             git \
+	     libcap \
+	     py3-pip \
+             python3 \
+             python3-dev && \
+#	     
+# Install ddospot from GitHub and setup
+    mkdir -p /opt && \
+    cd /opt/ && \
+    git clone https://github.com/aelth/ddospot && \
+    cd ddospot && \
+    git checkout 49f515237bd2d5744290ed21dcca9b53def243ba && \
+    # We only want JSON events, setting logger format to ('') ...
+    sed -i "/handler.setFormatter(logging.Formatter(/{n;N;d}" /opt/ddospot/ddospot/core/potloader.py && \
+    sed -i "s#handler.setFormatter(logging.Formatter(#handler.setFormatter(logging.Formatter(''))#g" /opt/ddospot/ddospot/core/potloader.py && \
+    # ... and remove msg from log message for individual honeypots
+    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/chargen/chargen.py && \
+    sed -i "s#self.logger.info('New DNS query - \%s' \% (raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/dns/dns.py && \
+    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/generic/generic.py && \
+    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/ntp/ntp.py && \
+    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/ssdp/ssdp.py && \
+    # We are using logrotate
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/chargen/chargenpot.conf && \
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/dns/dnspot.conf && \
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/generic/genericpot.conf && \
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ntp/ntpot.conf && \
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ssdp/ssdpot.conf && \
+    pip3 install -r ddospot/requirements.txt && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
+#
+# Setup user, groups and configs
+    addgroup -g 2000 ddospot && \
+    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 ddospot && \
+    chown ddospot:ddospot -R /opt/ddospot && \
+#
+# Clean up
+    apk del --purge build-base \
+                    git \
+		    python3-dev && \
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+#
+# Start ddospot
+STOPSIGNAL SIGINT
+USER ddospot:ddospot
+WORKDIR /opt/ddospot/ddospot/
+CMD ["/usr/bin/python3","ddospot.py", "-n"]

docker/ddospot/docker-compose.yml

@@ -0,0 +1,26 @@
+version: '2.3'
+
+networks:
+  ddospot_local:
+
+services:
+
+# Ddospot service
+  ddospot:
+    build: .
+    container_name: ddospot
+    restart: always
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: "dtagdevsec/ddospot:2006"
+    read_only: true
+    volumes:
+     - /data/ddospot/log:/opt/ddospot/ddospot/logs
+     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
+     - /data/ddospot/db:/opt/ddospot/ddospot/db

docker/dicompot/Dockerfile

@@ -1,7 +1,7 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Setup apk
-RUN apk -U add \
+RUN apk -U add --no-cache \
                    build-base \
                    git \
                    g++ && \

docker/dicompot/docker-compose.yml

@@ -17,7 +17,7 @@ services:
      - dicompot_local
     ports:
      - "11112:11112"
-    image: "ghcr.io/telekom-security/dicompot:2006"
+    image: "dtagdevsec/dicompot:2006"
     read_only: true
     volumes:
      - /data/dicompot/log:/var/log/dicompot

docker/dionaea/Dockerfile

@@ -1,15 +1,14 @@
-FROM debian:buster-slim
+FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND noninteractive
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Install dependencies and packages
-RUN apt-get update && \
-    apt-get install netselect-apt -y && \
-    netselect-apt && \
-    mv sources.list /etc/apt/ && \
-    apt-get update -y && \
+RUN apt-get update -y && \
+    apt-get install wget -y && \
+    wget http://archive.ubuntu.com/ubuntu/pool/universe/libe/libemu/libemu2_0.2.0+git20120122-1.2build1_amd64.deb http://archive.ubuntu.com/ubuntu/pool/universe/libe/libemu/libemu-dev_0.2.0+git20120122-1.2build1_amd64.deb && \
+    apt install ./libemu2_0.2.0+git20120122-1.2build1_amd64.deb ./libemu-dev_0.2.0+git20120122-1.2build1_amd64.deb -y && \
     apt-get dist-upgrade -y && \
     apt-get install -y --no-install-recommends \
 	build-essential \
@@ -20,7 +19,7 @@ RUN apt-get update && \
 	git \
         libcap2-bin \
 	libcurl4-openssl-dev \
-	libemu-dev \
+#	libemu-dev \
 	libev-dev \
 	libglib2.0-dev \
 	libloudmouth1-dev \
@@ -82,7 +81,8 @@ RUN apt-get update && \
       python3-dev \   
       python3-boto3 \
       python3-bson \
-      python3-yaml && \ 
+      python3-yaml \ 
+      wget && \ 
 #
     apt-get install -y \
       ca-certificates \
@@ -97,7 +97,8 @@ RUN apt-get update && \
       libnetfilter-queue1 \
       libnl-3-200 \
       libpcap0.8 \
-      libpython3.7 \
+#      libpython3.6 \
+      libpython3.8 \
       libudns0 && \
 #
     apt-get autoremove --purge -y && \

docker/dionaea/docker-compose.yml

@@ -31,7 +31,7 @@ services:
      - "5060:5060/udp"
      - "5061:5061"
      - "27017:27017"
-    image: "ghcr.io/telekom-security/dionaea:2006"
+    image: "dtagdevsec/dionaea:2006"
     read_only: true
     volumes:
      - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp

docker/docker-compose.yml

@@ -10,98 +10,98 @@ services:
 # Adbhoney service
   adbhoney:
     build: adbhoney/.
-    image: "ghcr.io/telekom-security/adbhoney:2006"
+    image: "dtagdevsec/adbhoney:2006"
 
 # Ciscoasa service
   ciscoasa:
     build: ciscoasa/.
-    image: "ghcr.io/telekom-security/ciscoasa:2006"
+    image: "dtagdevsec/ciscoasa:2006"
 
 # CitrixHoneypot service
   citrixhoneypot:
     build: citrixhoneypot/.
-    image: "ghcr.io/telekom-security/citrixhoneypot:2006"
+    image: "dtagdevsec/citrixhoneypot:2006"
 
 # Conpot IEC104 service
   conpot_IEC104:
     build: conpot/.
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2006"
 
 # Cowrie service
   cowrie:
     build: cowrie/.
-    image: "ghcr.io/telekom-security/cowrie:2006"
+    image: "dtagdevsec/cowrie:2006"
 
 # Dicompot service
   dicompot:
     build: dicompot/.
-    image: "ghcr.io/telekom-security/dicompot:2006"
+    image: "dtagdevsec/dicompot:2006"
 
 # Dionaea service
   dionaea:
     build: dionaea/.
-    image: "ghcr.io/telekom-security/dionaea:2006"
+    image: "dtagdevsec/dionaea:2006"
 
 # ElasticPot service
   elasticpot:
     build: elasticpot/.
-    image: "ghcr.io/telekom-security/elasticpot:2006"
+    image: "dtagdevsec/elasticpot:2006"
 
 # Glutton service
   glutton:
     build: glutton/.
-    image: "ghcr.io/telekom-security/glutton:2006"
+    image: "dtagdevsec/glutton:2006"
 
 # Heralding service
   heralding:
     build: heralding/.
-    image: "ghcr.io/telekom-security/heralding:2006"
+    image: "dtagdevsec/heralding:2006"
 
 # HoneyPy service
   honeypy:
     build: honeypy/.
-    image: "ghcr.io/telekom-security/honeypy:2006"
+    image: "dtagdevsec/honeypy:2006"
 
 # Honeytrap service
   honeytrap:
     build: honeytrap/.
-    image: "ghcr.io/telekom-security/honeytrap:2006"
+    image: "dtagdevsec/honeytrap:2006"
 
 # Mailoney service
   mailoney:
     build: mailoney/.
-    image: "ghcr.io/telekom-security/mailoney:2006"
+    image: "dtagdevsec/mailoney:2006"
 
 # Medpot service
   medpot:
     build: medpot/.
-    image: "ghcr.io/telekom-security/medpot:2006"
+    image: "dtagdevsec/medpot:2006"
 
 # Rdpy service
   rdpy:
     build: rdpy/.
-    image: "ghcr.io/telekom-security/rdpy:2006"
+    image: "dtagdevsec/rdpy:2006"
 
 #### Snare / Tanner
 ## Tanner Redis Service
   tanner_redis:
     build: tanner/redis/.
-    image: "ghcr.io/telekom-security/redis:2006"
+    image: "dtagdevsec/redis:2006"
 
 ## PHP Sandbox service
   tanner_phpox:
     build: tanner/phpox/.
-    image: "ghcr.io/telekom-security/phpox:2006"
+    image: "dtagdevsec/phpox:2006"
 
 ## Tanner API Service
   tanner_api:
     build: tanner/tanner/.
-    image: "ghcr.io/telekom-security/tanner:2006"
+    image: "dtagdevsec/tanner:2006"
 
 ## Snare Service
   snare:
     build: tanner/snare/.
-    image: "ghcr.io/telekom-security/snare:2006"
+    image: "dtagdevsec/snare:2006"
 
 
 ##################
@@ -111,17 +111,17 @@ services:
 # Fatt service
   fatt:
     build: fatt/.
-    image: "ghcr.io/telekom-security/fatt:2006"
+    image: "dtagdevsec/fatt:2006"
 
 # P0f service
   p0f:
     build: p0f/.
-    image: "ghcr.io/telekom-security/p0f:2006"
+    image: "dtagdevsec/p0f:2006"
 
 # Suricata service
   suricata:
     build: suricata/.
-    image: "ghcr.io/telekom-security/suricata:2006"
+    image: "dtagdevsec/suricata:2006"
 
 
 ##################
@@ -131,40 +131,40 @@ services:
 # Cyberchef service
   cyberchef:
     build: cyberchef/.
-    image: "ghcr.io/telekom-security/cyberchef:2006"
+    image: "dtagdevsec/cyberchef:2006"
 
 #### ELK
 ## Elasticsearch service
   elasticsearch:
     build: elk/elasticsearch/.
-    image: "ghcr.io/telekom-security/elasticsearch:2006"
+    image: "dtagdevsec/elasticsearch:2006"
 
 ## Kibana service
   kibana:
     build: elk/kibana/.
-    image: "ghcr.io/telekom-security/kibana:2006"
+    image: "dtagdevsec/kibana:2006"
 
 ## Logstash service
   logstash:
     build: elk/logstash/.
-    image: "ghcr.io/telekom-security/logstash:2006"
+    image: "dtagdevsec/logstash:2006"
 
 ## Elasticsearch-head service
   head:
     build: elk/head/.
-    image: "ghcr.io/telekom-security/head:2006"
+    image: "dtagdevsec/head:2006"
 
 # Ewsposter service
   ewsposter:
     build: ews/.
-    image: "ghcr.io/telekom-security/ewsposter:2006"
+    image: "dtagdevsec/ewsposter:2006"
 
 # Nginx service
   nginx:
     build: heimdall/.
-    image: "ghcr.io/telekom-security/nginx:2006"
+    image: "dtagdevsec/nginx:2006"
 
 # Spiderfoot service
   spiderfoot:
     build: spiderfoot/.
-    image: "ghcr.io/telekom-security/spiderfoot:2006"
+    image: "dtagdevsec/spiderfoot:2006"

docker/elasticpot/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/

docker/elasticpot/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - elasticpot_local
     ports:
      - "9200:9200"
-    image: "ghcr.io/telekom-security/elasticpot:2006"
+    image: "dtagdevsec/elasticpot:2006"
     read_only: true
     volumes:
      - /data/elasticpot/log:/opt/elasticpot/log

docker/elk/docker-compose.yml

@@ -10,7 +10,7 @@ services:
     restart: always
     environment:
      - bootstrap.memory_lock=true
-     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+#     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
      - ES_TMPDIR=/tmp
     cap_add:
      - IPC_LOCK
@@ -21,10 +21,10 @@ services:
       nofile:
         soft: 65536
         hard: 65536
-    mem_limit: 4g
+#    mem_limit: 4g
     ports:
      - "127.0.0.1:64298:9200"
-    image: "ghcr.io/telekom-security/elasticsearch:2006"
+    image: "dtagdevsec/elasticsearch:2006"
     volumes:
      - /data:/data
 
@@ -39,21 +39,21 @@ services:
         condition: service_healthy
     ports:
      - "127.0.0.1:64296:5601"
-    image: "ghcr.io/telekom-security/kibana:2006"
+    image: "dtagdevsec/kibana:2006"
 
 ## Logstash service
   logstash:
     build: logstash/.
     container_name: logstash
     restart: always
-    environment:
-     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
+#    environment:
+#     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
     depends_on:
       elasticsearch:
         condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "ghcr.io/telekom-security/logstash:2006"
+    image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data
 #     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
@@ -68,5 +68,5 @@ services:
         condition: service_healthy
     ports:
      - "127.0.0.1:64302:9100"
-    image: "ghcr.io/telekom-security/head:2006"
+    image: "dtagdevsec/head:2006"
     read_only: true

docker/elk/elasticsearch/Dockerfile

@@ -1,25 +1,28 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # VARS
-ENV ES_VER=7.11.1 \
-    JAVA_HOME=/usr/lib/jvm/java-11-openjdk
+ENV ES_VER=7.17.0 \
+    ES_JAVA_HOME=/usr/lib/jvm/java-16-openjdk
+
 # Include dist
 ADD dist/ /root/dist/
 #
-# Setup env and apt
-#RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 RUN apk -U --no-cache add \
              aria2 \
              bash \
              curl \
-             nss \
-             openjdk11-jre && \
+             nss && \
+    apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre && \
 #
 # Get and install packages
     cd /root/dist/ && \
     mkdir -p /usr/share/elasticsearch/ && \
     aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-$ES_VER-linux-x86_64.tar.gz && \
     tar xvfz elasticsearch-$ES_VER-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/elasticsearch/ && \
+    rm -rf /usr/share/elasticsearch/jdk && \
+    rm -rf /usr/share/elasticsearch/modules/x-pack-ml && \
+    # For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
+    sed -i 's/! -x/! -e/g' /usr/share/elasticsearch/bin/elasticsearch-env && \
 #
 # Add and move files
     cd /root/dist/ && \
@@ -30,7 +33,6 @@ RUN apk -U --no-cache add \
     addgroup -g 2000 elasticsearch && \
     adduser -S -H -s /bin/ash -u 2000 -D -g 2000 elasticsearch && \
     chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ && \
-    rm -rf /usr/share/elasticsearch/modules/x-pack-ml && \
 #
 # Clean up
     apk del --purge aria2 && \

docker/elk/elasticsearch/dist/elasticsearch.yml

@@ -2,7 +2,6 @@ cluster.name: tpotcluster
 node.name: "tpotcluster-node-01"
 xpack.ml.enabled: false
 xpack.security.enabled: false
-#xpack.ilm.enabled: false
 path:
     logs: /data/elk/log
     data: /data/elk/data
@@ -10,7 +9,5 @@ http.host: 0.0.0.0
 http.cors.enabled: true
 http.cors.allow-origin: "*"
 indices.query.bool.max_clause_count: 2000
-cluster.initial_master_nodes:
-- "tpotcluster-node-01"
-discovery.zen.ping.unicast.hosts:
-- localhost 
+cluster.routing.allocation.disk.watermark.enable_for_single_data_node: true
+discovery.type: single-node

docker/elk/elasticsearch/docker-compose.yml

@@ -24,6 +24,6 @@ services:
     mem_limit: 2g
     ports:
      - "127.0.0.1:64298:9200"
-    image: "ghcr.io/telekom-security/elasticsearch:2006"
+    image: "dtagdevsec/elasticsearch:2006"
     volumes:
      - /data:/data

docker/elk/head/Dockerfile

@@ -1,11 +1,12 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Setup env and apt
 RUN apk -U add \
             curl \
             git \
             nodejs \
-            nodejs-npm && \
+            #nodejs-npm && \
+            npm && \
 #
 # Get and install packages
     mkdir -p /usr/src/app/ && \

docker/elk/head/docker-compose.yml

@@ -12,5 +12,5 @@ services:
     #        condition: service_healthy
     ports:
      - "127.0.0.1:64302:9100"
-    image: "ghcr.io/telekom-security/head:2006"
+    image: "dtagdevsec/head:2006"
     read_only: true

docker/elk/kibana/Dockerfile

@@ -1,13 +1,11 @@
-FROM node:14.15.4-alpine
+FROM node:16.13.2-alpine3.14
 #
 # VARS
-ENV KB_VER=7.11.1
+ENV KB_VER=7.17.0
 # 
 # Include dist
 ADD dist/ /root/dist/
 #
-# Setup env and apt
-#RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 RUN apk -U --no-cache add \
             aria2 \
             curl \
@@ -25,36 +23,17 @@ RUN apk -U --no-cache add \
 #
 # Add and move files
     cd /root/dist/ && \
-#    cp kibana.svg /usr/share/kibana/src/ui/public/images/kibana.svg && \
-#    cp kibana.svg /usr/share/kibana/src/ui/public/icons/kibana.svg && \
-#    cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon.ico && \
-#    cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon-16x16.png && \
-#    cp elk.ico /usr/share/kibana/src/ui/public/assets/favicons/favicon-32x32.png && \
 #
 # Setup user, groups and configs
     sed -i 's/#server.basePath: ""/server.basePath: "\/kibana"/' /usr/share/kibana/config/kibana.yml && \
-    sed -i 's/#kibana.defaultAppId: "home"/kibana.defaultAppId: "dashboards"/' /usr/share/kibana/config/kibana.yml && \
     sed -i 's/#server.host: "localhost"/server.host: "0.0.0.0"/' /usr/share/kibana/config/kibana.yml && \
     sed -i 's/#elasticsearch.hosts: \["http:\/\/localhost:9200"\]/elasticsearch.hosts: \["http:\/\/elasticsearch:9200"\]/' /usr/share/kibana/config/kibana.yml && \
     sed -i 's/#server.rewriteBasePath: false/server.rewriteBasePath: false/' /usr/share/kibana/config/kibana.yml && \
-#    sed -i "s/#005571/#e20074/g" /usr/share/kibana/built_assets/css/plugins/kibana/index.css && \
-#    sed -i "s/#007ba4/#9e0051/g" /usr/share/kibana/built_assets/css/plugins/kibana/index.css && \
-#    sed -i "s/#00465d/#4f0028/g" /usr/share/kibana/built_assets/css/plugins/kibana/index.css && \
-    echo "xpack.infra.enabled: false" >> /usr/share/kibana/config/kibana.yml && \ 
-    echo "xpack.logstash.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.canvas.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.spaces.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.apm.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.security.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.uptime.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.securitySolution.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.ml.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
-    echo "xpack.fleet.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
+    echo "xpack.reporting.roles.enabled: false" >> /usr/share/kibana/config/kibana.yml && \
     echo "elasticsearch.requestTimeout: 60000" >> /usr/share/kibana/config/kibana.yml && \
     echo "elasticsearch.shardTimeout: 60000" >> /usr/share/kibana/config/kibana.yml && \
-# There is no switch to disable Enterprise Search, so we need to remove it
-# In order to remove all X-Pack features we need to use OSS versions
-    rm -rf /usr/share/kibana/x-pack/plugins/enterprise_search && \
+    echo "kibana.autocompleteTimeout: 60000" >> /usr/share/kibana/config/kibana.yml && \
+    echo "kibana.autocompleteTerminateAfter: 1000000" >> /usr/share/kibana/config/kibana.yml && \
     rm -rf /usr/share/kibana/optimize/bundles/* && \
     /usr/share/kibana/bin/kibana --optimize --allow-root && \
     addgroup -g 2000 kibana && \

docker/elk/kibana/docker-compose.yml

@@ -12,4 +12,4 @@ services:
 #        condition: service_healthy
     ports:
      - "127.0.0.1:64296:5601"
-    image: "ghcr.io/telekom-security/kibana:2006"
+    image: "dtagdevsec/kibana:2006"

docker/elk/logstash/Dockerfile

@@ -1,7 +1,7 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # VARS
-ENV LS_VER=7.11.1
+ENV LS_VER=7.17.0
 # Include dist
 ADD dist/ /root/dist/
 #
@@ -9,13 +9,15 @@ ADD dist/ /root/dist/
 #RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
 RUN apk -U --no-cache add \
              aria2 \
+	     autossh \
              bash \
              bzip2 \
 	     curl \
              libc6-compat \
              libzmq \
              nss \
-             openjdk11-jre && \
+             openssh && \
+    apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre && \
 #
 # Get and install packages
     mkdir -p /etc/listbot && \
@@ -28,8 +30,13 @@ RUN apk -U --no-cache add \
     aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-$LS_VER-linux-x86_64.tar.gz && \
     tar xvfz logstash-$LS_VER-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
     rm -rf /usr/share/logstash/jdk && \
-    /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
-    /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
+    # For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
+    sed -i 's/! -x/! -e/g' /usr/share/logstash/bin/logstash.lib.sh && \
+    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-filter-translate && \
+    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-input-http && \
+    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-output-gelf && \
+    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-output-http && \
+    /usr/share/logstash/bin/logstash-plugin install --preserve --no-verify logstash-output-syslog && \
 #
 # Add and move files
     cd /root/dist/ && \
@@ -37,6 +44,10 @@ RUN apk -U --no-cache add \
     chmod u+x /usr/bin/update.sh && \
     mkdir -p /etc/logstash/conf.d && \
     cp logstash.conf /etc/logstash/conf.d/ && \
+    cp http_input.conf /etc/logstash/conf.d/ && \
+    cp http_output.conf /etc/logstash/conf.d/ && \
+    cp pipelines.yml /usr/share/logstash/config/pipelines.yml && \
+    cp pipelines_pot.yml /usr/share/logstash/config/pipelines_pot.yml && \
     cp tpot_es_template.json /etc/logstash/ && \
 #
 # Setup user, groups and configs
@@ -57,4 +68,5 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
 # Start logstash
 #USER logstash:logstash
 #CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution --log.level debug
-CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
+#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/http_output.conf --config.reload.automatic --java-execution
+CMD update.sh && exec /usr/share/logstash/bin/logstash --config.reload.automatic --java-execution

docker/elk/logstash/Dockerfile.new

@@ -0,0 +1,68 @@
+FROM alpine:3.14
+#
+# VARS
+ENV LS_VER=7.15.1
+# Include dist
+ADD dist/ /root/dist/
+#
+# Setup env and apt
+#RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+RUN apk -U --no-cache add \
+             aria2 \
+             bash \
+             bzip2 \
+	     curl \
+             libc6-compat \
+             libzmq \
+             nss && \
+    apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/community openjdk16-jre && \
+#
+# Get and install packages
+    mkdir -p /etc/listbot && \
+    cd /etc/listbot && \
+    aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/cve.yaml.bz2 && \
+    aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/iprep.yaml.bz2 && \
+    bunzip2 *.bz2 && \
+    cd /root/dist/ && \
+    mkdir -p /usr/share/logstash/ && \
+    aria2c -s 16 -x 16 https://artifacts.elastic.co/downloads/logstash/logstash-$LS_VER-linux-x86_64.tar.gz && \
+    tar xvfz logstash-$LS_VER-linux-x86_64.tar.gz --strip-components=1 -C /usr/share/logstash/ && \
+    rm -rf /usr/share/logstash/jdk && \
+    # For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
+    sed -i 's/! -x/! -e/g' /usr/share/logstash/bin/logstash.lib.sh && \
+    /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
+    /usr/share/logstash/bin/logstash-plugin install logstash-input-http && \
+    /usr/share/logstash/bin/logstash-plugin install logstash-output-gelf && \
+    /usr/share/logstash/bin/logstash-plugin install logstash-output-http && \
+    /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
+#
+# Add and move files
+    cd /root/dist/ && \
+    cp update.sh /usr/bin/ && \
+    chmod u+x /usr/bin/update.sh && \
+    mkdir -p /etc/logstash/conf.d && \
+    cp logstash.conf /etc/logstash/conf.d/ && \
+    cp http.conf /etc/logstash/conf.d/ && \
+    cp pipelines.yml /usr/share/logstash/config/pipelines.yml && \
+    cp tpot_es_template.json /etc/logstash/ && \
+#
+# Setup user, groups and configs
+    addgroup -g 2000 logstash && \
+    adduser -S -H -s /bin/bash -u 2000 -D -g 2000 logstash && \
+    chown -R logstash:logstash /usr/share/logstash && \
+    chown -R logstash:logstash /etc/listbot && \
+    chmod 755 /usr/bin/update.sh && \
+#
+# Clean up
+    rm -rf /root/* && \
+    rm -rf /tmp/* && \
+    rm -rf /var/cache/apk/*
+#
+# Healthcheck
+HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
+#
+# Start logstash
+#USER logstash:logstash
+#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution --log.level debug
+#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
+CMD update.sh && exec /usr/share/logstash/bin/logstash --config.reload.automatic --java-execution

docker/elk/logstash/dist/http_input.conf

@@ -0,0 +1,19 @@
+# Input section
+input {
+  http {
+    id => "tpot"
+    host => "0.0.0.0"
+    port => "80"
+  }
+}
+
+# Output section
+output {
+  elasticsearch {
+    hosts => ["elasticsearch:9200"]
+    # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
+    index => "logstash-%{+YYYY.MM.dd}"
+    template => "/etc/logstash/tpot_es_template.json"
+  }
+
+}

docker/elk/logstash/dist/http_output.conf

@@ -0,0 +1,756 @@
+# Input section
+input {
+
+# Fatt                                 
+  file {                                   
+    path => ["/data/fatt/log/fatt.log"]
+    codec => json     
+    type => "Fatt"
+  }  
+
+# Suricata
+  file {
+    path => ["/data/suricata/log/eve.json"]
+    codec => json
+    type => "Suricata"
+  }
+
+# P0f
+  file {
+    path => ["/data/p0f/log/p0f.json"]
+    codec => json
+    type => "P0f"
+  }
+
+# Adbhoney
+  file {
+    path => ["/data/adbhoney/log/adbhoney.json"]
+    codec => json
+    type => "Adbhoney"
+  }
+
+# Ciscoasa
+  file {
+    path => ["/data/ciscoasa/log/ciscoasa.log"]
+    codec => plain
+    type => "Ciscoasa"
+  }
+
+# CitrixHoneypot
+  file {
+    path => ["/data/citrixhoneypot/logs/server.log"]
+    codec => json
+    type => "CitrixHoneypot"
+  }
+
+# Conpot
+  file {
+    path => ["/data/conpot/log/*.json"]
+    codec => json
+    type => "ConPot"
+  }
+
+# Cowrie
+  file {
+    path => ["/data/cowrie/log/cowrie.json"]
+    codec => json
+    type => "Cowrie"
+  }
+
+# Dionaea
+  file {
+    path => ["/data/dionaea/log/dionaea.json"]
+    codec => json
+    type => "Dionaea"
+  }
+
+# Dicompot
+  file {
+    path => ["/data/dicompot/log/dicompot.log"]
+    codec => json
+    type => "Dicompot"
+  }
+
+# Ddospot
+  file {
+    path => ["/data/ddospot/log/*.log"]
+    codec => json
+    type => "Ddospot"
+  }
+
+# ElasticPot
+  file {
+    path => ["/data/elasticpot/log/elasticpot.json"]
+    codec => json
+    type => "ElasticPot"
+  }
+
+# Endlessh
+  file {
+    path => ["/data/endlessh/log/endlessh.log"]
+    codec => plain
+    type => "Endlessh"
+  }
+
+# Glutton
+  file {
+    path => ["/data/glutton/log/glutton.log"]
+    codec => json
+    type => "Glutton"
+  }
+
+# Hellpot
+  file {
+    path => ["/data/hellpot/log/hellpot.log"]
+    codec => json
+    type => "Hellpot"
+  }
+
+# Heralding
+  file {
+    path => ["/data/heralding/log/auth.csv"]
+    type => "Heralding"
+  }
+
+# Honeypots
+  file {
+    path => ["/data/honeypots/log/*.log"]
+    codec => json
+    type => "Honeypots"
+  }
+
+# Honeypy
+  file {
+    path => ["/data/honeypy/log/json.log"]
+    codec => json
+    type => "Honeypy"
+  }
+
+# Honeysap
+  file {
+    path => ["/data/honeysap/log/honeysap-external.log"]
+    codec => json
+    type => "Honeysap"
+  }
+
+# Honeytrap
+  file {
+    path => ["/data/honeytrap/log/attackers.json"]
+    codec => json
+    type => "Honeytrap"
+  }
+
+# Ipphoney
+  file {
+    path => ["/data/ipphoney/log/ipphoney.json"]
+    codec => json
+    type => "Ipphoney"
+  }
+
+# Log4pot
+  file {
+    path => ["/data/log4pot/log/log4pot.log"]
+    codec => json
+    type => "Log4pot"
+  }
+
+# Mailoney
+  file {
+    path => ["/data/mailoney/log/commands.log"]
+    codec => json
+    type => "Mailoney"
+  }
+
+# Medpot
+  file {
+    path => ["/data/medpot/log/medpot.log"]
+    codec => json
+    type => "Medpot"
+  }
+
+# Rdpy
+  file {
+    path => ["/data/rdpy/log/rdpy.log"]
+    type => "Rdpy"
+  }
+
+# Redishoneypot
+  file {
+    path => ["/data/redishoneypot/log/redishoneypot.log"]
+    codec => json
+    type => "Redishoneypot"
+  }
+
+# Host NGINX
+  file {
+    path => ["/data/nginx/log/access.log"]
+    codec => json
+    type => "NGINX"
+  }
+
+# Tanner
+  file {
+    path => ["/data/tanner/log/tanner_report.json"]
+    codec => json
+    type => "Tanner"
+  }
+
+}
+
+# Filter Section
+filter {
+
+
+# Fatt
+  if [type] == "Fatt" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "sourceIp" => "src_ip"
+	"destinationIp" => "dest_ip"
+	"sourcePort" => "src_port"
+	"destinationPort" => "dest_port"
+        "gquic" => "fatt_gquic"
+        "http" => "fatt_http"
+        "rdp" => "fatt_rdp"
+        "ssh" => "fatt_ssh"
+        "tls" => "fatt_tls"
+      }
+    }
+  }
+
+# Suricata
+  if [type] == "Suricata" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    translate {
+      refresh_interval => 86400
+      field => "[alert][signature_id]"
+      destination => "[alert][cve_id]"
+      dictionary_path => "/etc/listbot/cve.yaml"
+#      fallback => "-"
+    }
+  }
+
+# P0f
+  if [type] == "P0f" {
+    date {
+      match => [ "timestamp", "yyyy'/'MM'/'dd HH:mm:ss" ]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      rename => {
+        "server_port" => "dest_port"
+        "server_ip" => "dest_ip"
+        "client_port" => "src_port"
+        "client_ip" => "src_ip"
+      }
+    }
+  }
+
+# Adbhoney
+  if [type] == "Adbhoney" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      remove_field => ["unixtime"]
+    }
+  }
+
+# Ciscoasa
+  if [type] == "Ciscoasa" {
+    kv {
+      remove_char_key => " '{}"
+      remove_char_value => "'{}"
+      value_split => ":"
+      field_split => ","
+    }
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      add_field => {
+        "dest_ip" => "${MY_EXTIP}"
+      }
+    }
+  }
+
+# CitrixHoneypot
+  if [type] == "CitrixHoneypot" {
+    grok { 
+      match => { 
+        "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}", 
+	               "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}", 
+		       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string:string}",
+		       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ] 
+      } 
+    }
+    date {
+      match => [ "asctime", "ISO8601" ]
+      remove_field => ["asctime"]
+      remove_field => ["message"]
+    }
+    mutate {
+      add_field => {
+        "dest_port" => "443"
+      }
+      rename => {
+        "levelname" => "level"
+      }
+    }
+  }
+  
+# Conpot
+  if [type] == "ConPot" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate { 
+      rename => { 
+        "dst_port" => "dest_port" 
+        "dst_ip" => "dest_ip" 
+      } 
+    } 
+  }
+
+# Cowrie
+  if [type] == "Cowrie" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "dst_port" => "dest_port"
+        "dst_ip" => "dest_ip"
+      }
+    }
+  }
+
+# Ddospot
+  if [type] == "Ddospot" {
+    date {
+      match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+      remove_field => ["time"]
+    }
+    if [path] == "/data/ddospot/log/chargenpot.log" {
+      mutate {
+        add_field => {
+	  "dest_port" => "19"
+          "dest_ip" => "${MY_EXTIP}"
+	}
+      }
+    }
+    if [path] == "/data/ddospot/log/dnspot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "53"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
+    if [path] == "/data/ddospot/log/ntpot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "123"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
+    if [path] == "/data/ddospot/log/ssdpot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "1900"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
+  }
+
+# Dionaea
+  if [type] == "Dionaea" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "dst_port" => "dest_port"
+        "dst_ip" => "dest_ip"
+      }
+      gsub => [
+        "src_ip", "::ffff:", "",
+        "dest_ip", "::ffff:", ""
+      ]
+    }
+    if [credentials] {
+      mutate {
+        add_field => {
+          "username" => "%{[credentials][username]}"
+          "password" => "%{[credentials][password]}"
+        }
+        remove_field => "[credentials]"
+      }
+    }
+  }
+
+# Dicompot
+  if [type] == "Dicompot" {
+    date {
+      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
+      remove_field => ["time"]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      rename => {
+        "ID" => "id"
+        "IP" => "src_ip"
+        "Port" => "src_port"
+        "AETitle" => "aetitle"
+        "Command" => "input"
+        "Files" => "files"
+        "Identifier" => "identifier"
+        "Matches" => "matches"
+        "Status" => "session"
+        "Version" => "version"
+      }
+    }
+  }
+
+# ElasticPot
+  if [type] == "ElasticPot" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "content_type" => "http.http_content_type"
+        "dst_port" => "dest_port"
+        "dst_ip" => "dest_ip"
+        "message" => "event_type"
+        "request" => "request_method"
+        "user_agent" => "http_user_agent"
+	"url" => "http.url"
+      }
+    }
+  }
+
+# Endlessh
+# Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
+# Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
+  if [type] == "Endlessh" {
+    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }    
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      add_field => {
+        "dest_port" => "22"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+    }
+  }
+
+# Glutton
+  if [type] == "Glutton" {
+    date {
+      match => [ "ts", "UNIX" ]
+      remove_field => ["ts"]
+    }
+  }
+
+# Hellpot
+  if [type] == "Hellpot" {
+    date {
+      match => [ "time", "ISO8601" ]
+      remove_field => ["time"]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      add_field => {
+        "dest_port" => "80"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+      rename => {
+        "BYTES" => "bytes"
+        "DURATION" => "duration"
+        "REMOTE_ADDR" => "src_ip"
+        "URL" => "url"
+        "USERAGENT" => "http_user_agent"
+        "message" => "reason"
+      }
+    }
+  }
+
+# Heralding
+  if [type] == "Heralding" {
+    csv {
+      columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"] separator => ","
+    }
+    date {
+      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+      remove_field => ["timestamp"]
+    }
+  }
+
+# Honeypy
+  if [type] == "Honeypy" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      remove_field => ["timestamp"]
+      remove_field => ["date"]
+      remove_field => ["time"]
+      remove_field => ["millisecond"]
+    }
+  }
+
+# Honeypots
+  if [type] == "Honeypots" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
+# Honeysap
+  if [type] == "Honeysap" {
+    date {
+      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      rename => {
+        "[data][error_msg]" => "event_type"
+        "service" => "sensor"
+        "source_port" => "src_port"
+        "source_ip" => "src_ip"
+        "target_port" => "dest_port"
+        "target_ip" => "dest_ip"
+      }
+      remove_field => "event"
+      remove_field => "return_code"
+    }
+    if [data] {
+      mutate {
+	remove_field => "[data]"
+      }
+    }    
+  }
+
+# Honeytrap
+  if [type] == "Honeytrap" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "[attack_connection][local_port]" => "dest_port"
+        "[attack_connection][local_ip]" => "dest_ip"
+        "[attack_connection][remote_port]" => "src_port"
+        "[attack_connection][remote_ip]" => "src_ip"
+      }
+    }
+  }
+
+# Ipphoney
+  if [type] == "Ipphoney" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+	"query" => "ipp_query"
+        "content_type" => "http.http_content_type"
+        "dst_port" => "dest_port"
+        "dst_ip" => "dest_ip"
+        "request" => "request_method"
+        "operation" => "data"
+        "user_agent" => "http_user_agent"
+        "url" => "http.url"
+      }
+    }
+  }
+
+# Log4pot
+  if [type] == "Log4pot" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "request" => "request_uri"
+        "server_port" => "dest_port"
+        "port" => "src_port"
+        "client" => "src_ip"
+      }
+    }
+  }
+
+# Mailoney
+  if [type] == "Mailoney" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      add_field => { "dest_port" => "25" }
+    }
+  }
+
+# Medpot
+  if [type] == "Medpot" {
+    mutate {
+      add_field => {
+        "dest_port" => "2575"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+    }
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
+# Rdpy
+  if [type] == "Rdpy" {
+    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp},domain:%{CISCO_REASON:domain},username:%{CISCO_REASON:username},password:%{CISCO_REASON:password},hostname:%{GREEDYDATA:hostname}", "\A%{TIMESTAMP_ISO8601:timestamp},Connection from %{IPV4:src_ip}:%{INT:src_port:integer}" ] } }
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      add_field => { "dest_port" => "3389" }
+    }
+  }
+
+# Redishoneypot
+  if [type] == "Redishoneypot" {
+    date {
+      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
+      remove_field => ["time"]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      split => { "addr" => ":" }
+      add_field => { 
+        "src_ip" => "%{[addr][0]}" 
+        "src_port" => "%{[addr][1]}"
+        "dest_port" => "6379"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+      remove_field => ["addr"]
+    }
+  }
+
+# NGINX
+  if [type] == "NGINX" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "request" => "request_data"
+      }
+    }
+  }
+
+# Tanner
+  if [type] == "Tanner" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "[peer][ip]" => "src_ip"
+        "[peer][port]" => "src_port"
+      }
+      add_field => { "dest_port" => "80" }
+    }
+  }
+
+# Drop if parse fails
+if "_grokparsefailure" in [tags] { drop {} }
+if "_jsonparsefailure" in [tags] { drop {} }
+
+# Add T-Pot hostname and external IP
+  mutate {
+    add_field => {
+      "t-pot_ip_ext" => "${MY_EXTIP}"
+      "t-pot_ip_int" => "${MY_INTIP}"
+      "t-pot_hostname" => "${MY_HOSTNAME}"
+    }
+  }
+
+# Add geo coordinates / ASN info / IP rep.
+  if [src_ip]  {
+    geoip {
+      cache_size => 10000
+      source => "src_ip"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
+    }
+    geoip {
+      cache_size => 10000
+      source => "src_ip"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
+    }
+    translate {
+      refresh_interval => 86400
+      field => "src_ip"
+      destination => "ip_rep"
+      dictionary_path => "/etc/listbot/iprep.yaml"
+    }
+  }
+  if [t-pot_ip_ext]  {
+    geoip {
+      cache_size => 10000
+      source => "t-pot_ip_ext"
+      target => "geoip_ext"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
+    }
+    geoip {
+      cache_size => 10000
+      source => "t-pot_ip_ext"
+      target => "geoip_ext"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
+    }
+  }
+
+# In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
+  if [dest_port] {
+    mutate {
+        convert => { "dest_port" => "integer" }
+    }
+  }
+  if [src_port] {
+    mutate {
+        convert => { "src_port" => "integer" }
+    }
+  }
+  if [status] {
+    mutate {
+        convert => { "status" => "integer" }
+    }
+  }
+  if [id] {
+    mutate {
+        convert => { "id" => "string" }
+    }
+  }
+  if [request] {
+    mutate {
+        convert => { "request" => "string" }
+    }
+  }
+
+}
+
+# Output section
+output {
+    http {
+      http_method => "post"
+      http_compression => true
+      id => "${MY_HOSTNAME}"
+      codec => "json"
+      format => "json_batch"
+      url => "http://127.0.0.1:64305"
+    }
+
+}

docker/elk/logstash/dist/logstash.conf

@@ -71,6 +71,13 @@ input {
     type => "Dicompot"
   }
 
+# Ddospot
+  file {
+    path => ["/data/ddospot/log/*.log"]
+    codec => json
+    type => "Ddospot"
+  }
+
 # ElasticPot
   file {
     path => ["/data/elasticpot/log/elasticpot.json"]
@@ -78,6 +85,13 @@ input {
     type => "ElasticPot"
   }
 
+# Endlessh
+  file {
+    path => ["/data/endlessh/log/endlessh.log"]
+    codec => plain
+    type => "Endlessh"
+  }
+
 # Glutton
   file {
     path => ["/data/glutton/log/glutton.log"]
@@ -85,12 +99,26 @@ input {
     type => "Glutton"
   }
 
+# Hellpot
+  file {
+    path => ["/data/hellpot/log/hellpot.log"]
+    codec => json
+    type => "Hellpot"
+  }
+
 # Heralding
   file {
     path => ["/data/heralding/log/auth.csv"]
     type => "Heralding"
   }
 
+# Honeypots
+  file {
+    path => ["/data/honeypots/log/*.log"]
+    codec => json
+    type => "Honeypots"
+  }
+
 # Honeypy
   file {
     path => ["/data/honeypy/log/json.log"]
@@ -119,6 +147,13 @@ input {
     type => "Ipphoney"
   }
 
+# Log4pot
+  file {
+    path => ["/data/log4pot/log/log4pot.log"]
+    codec => json
+    type => "Log4pot"
+  }
+
 # Mailoney
   file {
     path => ["/data/mailoney/log/commands.log"]
@@ -139,6 +174,13 @@ input {
     type => "Rdpy"
   }
 
+# Redishoneypot
+  file {
+    path => ["/data/redishoneypot/log/redishoneypot.log"]
+    codec => json
+    type => "Redishoneypot"
+  }
+
 # Host NGINX
   file {
     path => ["/data/nginx/log/access.log"]
@@ -286,6 +328,46 @@ filter {
     }
   }
 
+# Ddospot
+  if [type] == "Ddospot" {
+    date {
+      match => [ "time", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
+      remove_field => ["time"]
+    }
+    if [path] == "/data/ddospot/log/chargenpot.log" {
+      mutate {
+        add_field => {
+	  "dest_port" => "19"
+          "dest_ip" => "${MY_EXTIP}"
+	}
+      }
+    }
+    if [path] == "/data/ddospot/log/dnspot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "53"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
+    if [path] == "/data/ddospot/log/ntpot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "123"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
+    if [path] == "/data/ddospot/log/ssdpot.log" {
+      mutate {
+        add_field => {
+          "dest_port" => "1900"
+          "dest_ip" => "${MY_EXTIP}"
+        }
+      }
+    }
+  }
+
 # Dionaea
   if [type] == "Dionaea" {
     date {
@@ -353,6 +435,23 @@ filter {
     }
   }
 
+# Endlessh
+# Example: 2021-10-29T21:08:31.026Z CLOSE host=1.2.3.4 port=12345 fd=4 time=20.015 bytes=24
+# Example: 2021-10-29T21:08:11.011Z ACCEPT host=1.2.3.4 port=12346 fd=4 n=1/4096
+  if [type] == "Endlessh" {
+    grok { match => { "message" => [ "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}time=%{SECOND:duration}%{SPACE}bytes=%{NUMBER:bytes}", "\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:reason}%{SPACE}host=%{IPV4:src_ip}%{SPACE}port=%{INT:src_port}%{SPACE}fd=%{INT}%{SPACE}n=%{INT}/%{INT}" ] } }    
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      add_field => {
+        "dest_port" => "22"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+    }
+  }
+
 # Glutton
   if [type] == "Glutton" {
     date {
@@ -361,6 +460,29 @@ filter {
     }
   }
 
+# Hellpot
+  if [type] == "Hellpot" {
+    date {
+      match => [ "time", "ISO8601" ]
+      remove_field => ["time"]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      add_field => {
+        "dest_port" => "80"
+        "dest_ip" => "${MY_EXTIP}"
+      }
+      rename => {
+        "BYTES" => "bytes"
+        "DURATION" => "duration"
+        "REMOTE_ADDR" => "src_ip"
+        "URL" => "url"
+        "USERAGENT" => "http_user_agent"
+        "message" => "reason"
+      }
+    }
+  }
+
 # Heralding
   if [type] == "Heralding" {
     csv {
@@ -383,6 +505,13 @@ filter {
     }
   }
 
+# Honeypots
+  if [type] == "Honeypots" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Honeysap
   if [type] == "Honeysap" {
     date {
@@ -442,15 +571,28 @@ filter {
     }
   }
 
+# Log4pot
+  if [type] == "Log4pot" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    mutate {
+      rename => {
+        "request" => "request_uri"
+        "server_port" => "dest_port"
+        "port" => "src_port"
+        "client" => "src_ip"
+      }
+    }
+  }
+
 # Mailoney
   if [type] == "Mailoney" {
     date {
       match => [ "timestamp", "ISO8601" ]
     }
     mutate {
-      add_field => {
-        "dest_port" => "25"
-      }
+      add_field => { "dest_port" => "25" }
     }
   }
 
@@ -475,9 +617,26 @@ filter {
       remove_field => ["timestamp"]
     }
     mutate {
-      add_field => {
-        "dest_port" => "3389"
+      add_field => { "dest_port" => "3389" }
+    }
+  }
+
+# Redishoneypot
+  if [type] == "Redishoneypot" {
+    date {
+      match => [ "time", "yyyy-MM-dd HH:mm:ss" ]
+      remove_field => ["time"]
+      remove_field => ["timestamp"]
+    }
+    mutate {
+      split => { "addr" => ":" }
+      add_field => { 
+        "src_ip" => "%{[addr][0]}" 
+        "src_port" => "%{[addr][1]}"
+        "dest_port" => "6379"
+        "dest_ip" => "${MY_EXTIP}"
       }
+      remove_field => ["addr"]
     }
   }
 
@@ -486,6 +645,11 @@ filter {
     date {
       match => [ "timestamp", "ISO8601" ]
     }
+    mutate {
+      rename => {
+        "request" => "request_data"
+      }
+    }
   }
 
 # Tanner
@@ -498,26 +662,34 @@ filter {
         "[peer][ip]" => "src_ip"
         "[peer][port]" => "src_port"
       }
-      add_field => {
-        "dest_port" => "80"
-      }
+      add_field => { "dest_port" => "80" }
     }
   }
 
 # Drop if parse fails
 if "_grokparsefailure" in [tags] { drop {} }
+if "_jsonparsefailure" in [tags] { drop {} }
+
+# Add T-Pot hostname and external IP
+  mutate {
+    add_field => {
+      "t-pot_ip_ext" => "${MY_EXTIP}"
+      "t-pot_ip_int" => "${MY_INTIP}"
+      "t-pot_hostname" => "${MY_HOSTNAME}"
+    }
+  }
 
 # Add geo coordinates / ASN info / IP rep.
   if [src_ip]  {
     geoip {
       cache_size => 10000
       source => "src_ip"
-      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-City.mmdb"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
     }
     geoip {
       cache_size => 10000
       source => "src_ip"
-      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-ASN.mmdb"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
     }
     translate {
       refresh_interval => 86400
@@ -526,6 +698,20 @@ if "_grokparsefailure" in [tags] { drop {} }
       dictionary_path => "/etc/listbot/iprep.yaml"
     }
   }
+  if [t-pot_ip_ext]  {
+    geoip {
+      cache_size => 10000
+      source => "t-pot_ip_ext"
+      target => "geoip_ext"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-City.mmdb"
+    }
+    geoip {
+      cache_size => 10000
+      source => "t-pot_ip_ext"
+      target => "geoip_ext"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.11-java/vendor/GeoLite2-ASN.mmdb"
+    }
+  }
 
 # In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
   if [dest_port] {
@@ -548,15 +734,9 @@ if "_grokparsefailure" in [tags] { drop {} }
         convert => { "id" => "string" }
     }
   }
-
-# Add T-Pot hostname and external IP
-  if [type] == "Adbhoney" or [type] == "Ciscoasa" or [type] == "CitrixHoneypot" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dicompot" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "Fatt" or [type] == "Glutton" or [type] == "Honeysap" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Honeypy" or [type] == "Ipphoney" or [type] == "Mailoney" or [type] == "Medpot" or [type] == "P0f" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" {
+  if [request] {
     mutate {
-      add_field => {
-        "t-pot_ip_ext" => "${MY_EXTIP}"
-        "t-pot_ip_int" => "${MY_INTIP}"
-        "t-pot_hostname" => "${MY_HOSTNAME}"
-      }
+        convert => { "request" => "string" }
     }
   }
 
@@ -569,7 +749,7 @@ output {
     # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
     index => "logstash-%{+YYYY.MM.dd}"
     template => "/etc/logstash/tpot_es_template.json"
-#    document_type => "doc"
+    #document_type => "doc"
   }
 
   #if [type] == "Suricata" {

docker/elk/logstash/dist/pipelines.yml

@@ -0,0 +1,4 @@
+- pipeline.id: logstash
+  path.config: "/etc/logstash/conf.d/logstash.conf"
+- pipeline.id: http_input
+  path.config: "/etc/logstash/conf.d/http_input.conf"

docker/elk/logstash/dist/pipelines_pot.yml

@@ -0,0 +1,2 @@
+- pipeline.id: http_output
+  path.config: "/etc/logstash/conf.d/http_output.conf"

docker/elk/logstash/dist/tpot_es_template.json

@@ -43,6 +43,15 @@
           "latitude" : { "type" : "half_float" },
           "longitude" : { "type" : "half_float" }
         }
+      },
+      "geoip_ext"  : {
+        "dynamic": true,
+        "properties" : {
+          "ip": { "type": "ip" },
+          "location" : { "type" : "geo_point" },
+          "latitude" : { "type" : "half_float" },
+          "longitude" : { "type" : "half_float" }
+        }
       }
     }
   }

docker/elk/logstash/dist/update.sh

@@ -35,6 +35,22 @@ if [ "$myCHECK" == "0" ];
     echo "Cannot reach Listbot, starting Logstash without latest translation maps."
 fi
 
+# Distributed T-Pot installation needs a different pipeline config and autossh tunnel. 
+if [ "$MY_TPOT_TYPE" == "POT" ];
+  then
+    echo
+    echo "Distributed T-Pot setup, sending T-Pot logs to $MY_HIVE_IP."
+    echo
+    echo "T-Pot type: $MY_TPOT_TYPE"
+    echo "Keyfile used: $MY_POT_PRIVATEKEYFILE"
+    echo "Hive username: $MY_HIVE_USERNAME"
+    echo "Hive IP: $MY_HIVE_IP"
+    echo
+    cp /usr/share/logstash/config/pipelines_pot.yml /usr/share/logstash/config/pipelines.yml
+    autossh -f -M 0 -4 -l $MY_HIVE_USERNAME -i $MY_POT_PRIVATEKEYFILE -p 64295 -N -L64305:127.0.0.1:64305 $MY_HIVE_IP -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"
+    exit 0
+fi
+
 # We do want to enforce our es_template thus we always need to delete the default template, putting our default afterwards
 # This is now done via common_configs.rb => overwrite default logstash template
 echo "Removing logstash template."
@@ -44,7 +60,7 @@ echo "Checking if empty."
 curl -s -XGET http://elasticsearch:9200/_template/logstash
 echo
 echo "Putting default template."
-curl -s -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: application/json' -d'
+curl -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: application/json' -d'
 {
   "index_patterns" : "logstash-*",
   "version" : 60001,
@@ -90,6 +106,15 @@ curl -s -XPUT "http://elasticsearch:9200/_template/logstash" -H 'Content-Type: a
           "latitude" : { "type" : "half_float" },
           "longitude" : { "type" : "half_float" }
         }
+      },
+      "geoip_ext"  : {
+        "dynamic": true,
+        "properties" : {
+          "ip": { "type": "ip" },
+          "location" : { "type" : "geo_point" },
+          "latitude" : { "type" : "half_float" },
+          "longitude" : { "type" : "half_float" }
+        }
       }
     }
   }

docker/elk/logstash/docker-compose.yml

@@ -7,14 +7,17 @@ services:
     build: .
     container_name: logstash
     restart: always
-    environment:
-     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
+#    environment:
+#     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
 #    depends_on:
 #      elasticsearch:
 #        condition: service_healthy
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "ghcr.io/telekom-security/logstash:2006"
+    ports:
+     - "127.0.0.1:64305:80"
+    image: "dtagdevsec/logstash:2006"
     volumes:
      - /data:/data
 #     - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
+#     - /root/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf

docker/endlessh/Dockerfile

@@ -0,0 +1,42 @@
+FROM alpine:3.13 as builder
+#
+# Include dist
+ADD dist/ /root/dist/
+#
+# Install packages
+RUN apk -U add --no-cache \
+            build-base \
+	    git \
+            libcap && \
+#
+# Install endlessh from git
+    git clone https://github.com/skeeto/endlessh /opt/endlessh && \
+    cd /opt/endlessh && \
+    git checkout dfe44eb2c5b6fc3c48a39ed826fe0e4459cdf6ef && \
+    make && \
+    mv /opt/endlessh/endlessh /root/dist
+#
+FROM alpine:3.14
+#
+COPY --from=builder /root/dist/* /opt/endlessh/
+#
+# Install packages
+RUN apk -U add --no-cache \
+            libcap && \
+#
+# Setup user, groups and configs
+    mkdir -p /var/log/endlessh && \
+    addgroup -g 2000 endlessh && \
+    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 endlessh && \
+    chown -R endlessh:endlessh /opt/endlessh && \
+    #setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+#
+# Clean up
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+#
+# Set workdir and start endlessh
+STOPSIGNAL SIGINT
+USER endlessh:endlessh
+WORKDIR /opt/endlessh/
+CMD ./endlessh -f endlessh.conf >/var/log/endlessh/endlessh.log

docker/endlessh/dist/endlessh.conf

@@ -0,0 +1,27 @@
+# The port on which to listen for new SSH connections.
+Port 2222
+
+# The endless banner is sent one line at a time. This is the delay
+# in milliseconds between individual lines.
+Delay 10000
+
+# The length of each line is randomized. This controls the maximum
+# length of each line. Shorter lines may keep clients on for longer if
+# they give up after a certain number of bytes.
+MaxLineLength 32
+
+# Maximum number of connections to accept at a time. Connections beyond
+# this are not immediately rejected, but will wait in the queue.
+MaxClients 4096
+
+# Set the detail level for the log.
+#   0 = Quiet
+#   1 = Standard, useful log messages
+#   2 = Very noisy debugging information
+LogLevel 1
+
+# Set the family of the listening socket
+#   0 = Use IPv4 Mapped IPv6 (Both v4 and v6, default)
+#   4 = Use IPv4 only
+#   6 = Use IPv6 only
+BindFamily 4

docker/endlessh/docker-compose.yml

@@ -0,0 +1,20 @@
+version: '2.3'
+
+networks:
+  endlessh_local:
+
+services:
+
+# Endlessh service
+  endlessh:
+    build: .
+    container_name: endlessh
+    restart: always
+    networks:
+     - endlessh_local
+    ports:
+     - "22:2222"
+    image: "dtagdevsec/endlessh:2006"
+    read_only: true
+    volumes:
+     - /data/endlessh/log:/var/log/endlessh

docker/ews/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@@ -20,12 +20,13 @@ RUN apk -U --no-cache add \
             py3-requests \
 	    py3-pip \
             py3-setuptools && \
-    pip3 install --no-cache-dir configparser hpfeeds3 pyOpenSSL xmljson && \
+    pip3 install --no-cache-dir configparser hpfeeds3 influxdb influxdb-client pyOpenSSL xmljson && \
 #
 # Setup ewsposter
     git clone https://github.com/telekom-security/ewsposter /opt/ewsposter && \
     cd /opt/ewsposter && \
-    git checkout 46cd801fb444f1fb0a90418ab46e5977ec0a90b6 && \
+#    git checkout 11ab4c8a0a1b63d4bca8c52c07f2eab520d0b257 && \
+    git checkout 17c08f3ae500d838c1528c9700e4430d5f6ad214 && \
     mkdir -p /opt/ewsposter/spool /opt/ewsposter/log && \
 #
 # Setup user and groups

docker/ews/dist/ews.cfg

@@ -34,8 +34,18 @@ hpfformat = %(EWS_HPFEEDS_FORMAT)s
 json = false
 jsondir = /data/ews/json/
 
+[INFLUXDB]
+influxdb = false
+host = http://localhost
+port = 8086
+username = <your username for influx 1.8>
+password = <your password for influx 1.8>
+token = <your token for influx 2.0>
+bucket = <your bucket/database for 2.0/1.8>
+org = <your org for influx 2.0>
+
 [GLASTOPFV3]
-glastopfv3 = true
+glastopfv3 = false
 nodeid = glastopfv3-community-01
 sqlitedb = /data/glastopf/db/glastopf.db
 malwaredir = /data/glastopf/data/files/
@@ -69,12 +79,12 @@ nodeid = conpot-community-01
 logfile = /data/conpot/log/conpot*.json
 
 [ELASTICPOT]
-elasticpot = false
+elasticpot = true
 nodeid = elasticpot-community-01
 logfile = /data/elasticpot/log/elasticpot.json
 
 [SURICATA]
-suricata = true
+suricata = false
 nodeid = suricata-community-01
 logfile = /data/suricata/log/eve.json
 
@@ -89,7 +99,7 @@ nodeid = rdpy-community-01
 logfile = /data/rdpy/log/rdpy.log
 
 [VNCLOWPOT]
-vnclowpot = true
+vnclowpot = false
 nodeid = vnclowpot-community-01
 logfile = /data/vnclowpot/log/vnclowpot.log
 
@@ -124,6 +134,31 @@ nodeid = adbhoney-community-01
 logfile = /data/adbhoney/log/adbhoney.json
 
 [FATT]
-fatt = true
+fatt = false
 nodeid = fatt-community-01
 logfile = /data/fatt/log/fatt.log
+
+[IPPHONEY]
+ipphoney = true
+nodeid = ipphoney-community-01
+logfile = /data/ipphoney/log/ipphoney.json
+
+[DICOMPOT]
+dicompot = true
+nodeid = dicompot-community-01
+logfile = /data/dicompot/log/dicompot.log
+
+[MEDPOT]
+medpot = true
+nodeid = medpot-community-01
+logfile = /data/medpot/log/medpot.log
+
+[HONEYPY]
+honeypy = true
+nodeid = honeypy-community-01
+logfile = /data/honeypy/log/json.log
+
+[CITRIX]
+citrix = true
+nodeid = citrix-community-01
+logfile = /data/citrixhoneypot/logs/server.log

docker/ews/docker-compose.yml

@@ -23,7 +23,7 @@ services:
      - EWS_HPFEEDS_FORMAT=json
     env_file:
      - /opt/tpot/etc/compose/elk_environment
-    image: "ghcr.io/telekom-security/ewsposter:2006"
+    image: "dtagdevsec/ewsposter:2006"
     volumes:
      - /data:/data
 #     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip

docker/fatt/Dockerfile

@@ -1,7 +1,4 @@
-FROM alpine:3.13
-#
-# Include dist
-#ADD dist/ /root/dist/
+FROM alpine:3.14
 #
 # Get and install dependencies & packages
 RUN apk -U add \
@@ -10,8 +7,8 @@ RUN apk -U add \
               py3-lxml \
 	      py3-pip \
               python3 \
-              python3-dev && \
-    apk -U add tshark --repository http://dl-3.alpinelinux.org/alpine/edge/community/ && \
+              python3-dev \
+              tshark && \
 #
 # Setup user
     addgroup -g 2000 fatt && \
@@ -24,7 +21,8 @@ RUN apk -U add \
     cd fatt && \
     git checkout 314cd1ff7873b5a145a51ec4e85f6107828a2c79 && \
     mkdir -p log && \
-    pip3 install pyshark==0.4.2.2 && \
+    # pyshark >= 0.4.3 breaks fatt
+    pip3 install pyshark==0.4.2.11 && \
 #
 # Setup configs
     chown fatt:fatt -R /opt/fatt/* && \

docker/fatt/docker-compose.yml

@@ -12,6 +12,6 @@ services:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "ghcr.io/telekom-security/fatt:2006"
+    image: "dtagdevsec/fatt:2006"
     volumes:
      - /data/fatt/log:/opt/fatt/log

docker/glutton/docker-compose.yml

@@ -13,7 +13,7 @@ services:
     network_mode: "host"
     cap_add:
      - NET_ADMIN
-    image: "ghcr.io/telekom-security/glutton:2006"
+    image: "dtagdevsec/glutton:2006"
     read_only: true
     volumes:
      - /data/glutton/log:/var/log/glutton

docker/heimdall/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Include dist
 ADD dist/ /root/dist/
@@ -64,6 +64,7 @@ RUN apk -U --no-cache add \
     sed -i "s/APP_NAME=Heimdall/APP_NAME=T-Pot/g" /var/lib/nginx/html/.env && \
 ## Add Nginx / T-Pot specific configs
     rm -rf /etc/nginx/conf.d/* /usr/share/nginx/html/* && \
+    mkdir -p /etc/nginx/conf.d && \
     cp /root/dist/conf/nginx.conf /etc/nginx/ && \
     cp -R /root/dist/conf/ssl /etc/nginx/ && \
     cp /root/dist/conf/tpotweb.conf /etc/nginx/conf.d/ && \

docker/heimdall/docker-compose.yml

@@ -26,7 +26,7 @@ services:
     ports:
      - "64297:64297"
      - "127.0.0.1:64304:64304"
-    image: "ghcr.io/telekom-security/nginx:2006"
+    image: "dtagdevsec/nginx:2006"
     read_only: true
     volumes:
      - /data/nginx/cert/:/etc/nginx/cert/:ro

docker/hellpot/Dockerfile

@@ -0,0 +1,48 @@
+FROM alpine:3.14
+#
+# Include dist
+ADD dist/ /root/dist/
+#
+# Setup apk
+RUN apk -U --no-cache add \
+                   build-base \
+                   git \
+                   go \
+                   g++ && \
+#
+# Setup go, hellpot
+    cd /root && \
+    export GOPATH=/opt/go/ && \
+    mkdir -p /opt/hellpot && \
+    mkdir -p /opt/go && \ 
+    git clone https://github.com/yunginnanet/HellPot && \
+    cd HellPot && \
+    git checkout f87b1f17e21b36edae41b7f49d4a54ae420a9bf8 && \
+  # Hellpot ignores setting the logpath, need to this hardcoded :(
+    sed -i 's#logDir = snek.GetString("logger.directory")#logDir = "/var/log/hellpot/"#g' config/logger.go && \
+    sed -i 's#tnow := "HellPot"#tnow := "hellpot"#g' config/logger.go && \
+    go build cmd/HellPot/HellPot.go && \
+    mv /root/HellPot/HellPot /opt/hellpot/ && \
+#
+# Setup user, groups and configs
+    addgroup -g 2000 hellpot && \
+    adduser -S -s /bin/ash -u 2000 -D -g 2000 hellpot && \
+    mkdir -p /var/log/hellpot && \
+  # Hellpot wants to create .config folder always in user's home
+    mkdir -p /home/hellpot/.config/HellPot/logs && \
+    mv /root/dist/config.toml /home/hellpot/.config/HellPot/ && \
+    chown hellpot:hellpot -R /home/hellpot && \
+#
+# Clean up
+    apk del --purge build-base \
+                    git \
+                    go \
+                    g++ && \
+    rm -rf /var/cache/apk/* \
+           /opt/go \
+           /root/dist
+#
+# Start hellpot
+WORKDIR /opt/hellpot
+USER hellpot:hellpot
+CMD ["./HellPot"]

docker/hellpot/dist/config.toml

@@ -0,0 +1,23 @@
+[http]
+  bind_addr = "0.0.0.0"
+  bind_port = "8080"
+  paths = ["wp-login.php","wp-login","wp-json/omapp/v1/support"]
+
+  # Unix Socket Listener (will override default)
+  use_unix_socket = false
+  unix_socket = "/var/run/hellpot"
+
+[logger]
+  debug = true
+  log_directory = "/var/log/hellpot/"
+  nocolor = true
+  use_date_filename = false
+
+[performance]
+  # max_workers is only valid if restrict_concurrency is true
+  restrict_concurrency = false
+  max_workers = 256
+  
+[deception]
+  # Used as "Server: " header (if not proxied)
+  server_name = "nginx"

docker/hellpot/docker-compose.yml

@@ -0,0 +1,20 @@
+version: '2.3'
+
+networks:
+  hellpot_local:
+
+services:
+
+# hellpot service
+  hellpot:
+    build: .
+    container_name: hellpot
+    restart: always
+    networks:
+     - hellpot_local
+    ports:
+     - "80:8080"    
+    image: "dtagdevsec/hellpot:2006"
+    read_only: true
+    volumes:
+     - /data/hellpot/log:/var/log/hellpot

docker/heralding/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #  
 # Include dist
 ADD dist/ /root/dist/
@@ -10,21 +10,19 @@ RUN apk -U --no-cache add \
             		libcap \
             		libffi-dev \
             		openssl-dev \
-                        libzmq \
+                        py3-pyzmq \
             		postgresql-dev \
-			py3-cryptography \
 			py3-pip \
-			py3-pyzmq \
             		python3 \
-            		python3-dev \
-            		py-virtualenv && \
+            		python3-dev && \
 #
 # Setup heralding
     mkdir -p /opt && \
     cd /opt/ && \
     git clone https://github.com/johnnykv/heralding && \
     cd heralding && \
-    git checkout 3f38976a2ab4d884d755b6324f2c71923ddadbdb && \
+    git checkout c31f99c55c7318c09272d8d9998e560c3d4de9aa && \
+    pip3 install --upgrade pip && \
     pip3 install --no-cache-dir -r requirements.txt && \
     pip3 install --no-cache-dir . && \
 #
@@ -33,7 +31,7 @@ RUN apk -U --no-cache add \
     adduser -S -H -s /bin/ash -u 2000 -D -g 2000 heralding && \
     mkdir -p /var/log/heralding/ /etc/heralding && \
     mv /root/dist/heralding.yml /etc/heralding/ && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
     chown -R heralding:heralding /var/log/heralding && \
 #
 # Clean up
@@ -44,8 +42,7 @@ RUN apk -U --no-cache add \
             libffi-dev \
             libressl-dev \
             postgresql-dev \
-            python3-dev \
-            py-virtualenv && \
+            python3-dev && \
     rm -rf /root/* \
            /var/cache/apk/* \
            /opt/heralding

docker/heralding/docker-compose.yml

@@ -31,7 +31,7 @@ services:
      - "3389:3389"
      - "5432:5432"
      - "5900:5900"
-    image: "ghcr.io/telekom-security/heralding:2006"
+    image: "dtagdevsec/heralding:2006"
     read_only: true
     volumes:
      - /data/heralding/log:/var/log/heralding

docker/honeypots/Dockerfile

@@ -0,0 +1,65 @@
+FROM alpine:3.14
+#
+# Include dist
+ADD dist/ /root/dist/
+#
+# Install packages
+RUN apk -U add \
+             build-base \
+	     freetds \
+	     freetds-dev \
+	     gcc \
+             git \
+             hiredis \
+	     jpeg-dev \
+	     libcap \
+             libffi-dev \
+             libpq \
+	     musl-dev \
+             openssl \
+             openssl-dev \
+	     postgresql-dev \
+	     py3-pip \
+             python3 \
+             python3-dev \
+             zlib-dev && \
+#	     
+# Install honeypots from GitHub and setup
+    mkdir -p /opt \
+             /var/log/honeypots && \
+    cd /opt/ && \
+    #git clone https://github.com/qeeqbox/honeypots && \
+    git clone https://github.com/t3chn0m4g3/honeypots && \
+    cd honeypots && \
+    #git checkout 7c654a3ef2c564ae6f1247bf302d652037080163 && \
+    pip3 install --upgrade pip && \
+    pip3 install --ignore-installed hiredis packaging && \
+    pip3 install . && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
+#
+# Setup user, groups and configs
+    addgroup -g 2000 honeypots && \
+    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 honeypots && \
+    chown honeypots:honeypots -R /opt/honeypots && \
+    chown honeypots:honeypots -R /var/log/honeypots && \
+    mv /root/dist/config.json /opt/honeypots/ && \
+#
+# Clean up
+    apk del --purge build-base \
+                    freetds-dev \
+                    git \
+		    jpeg-dev \
+		    libffi-dev \
+		    openssl-dev \
+		    postgresql-dev \
+		    python3-dev \
+		    zlib-dev && \
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+#
+# Start honeypots 
+STOPSIGNAL SIGINT
+USER honeypots:honeypots
+WORKDIR /opt/honeypots/
+CMD python3 -m honeypots --setup all --config config.json
+#CMD python3 -m honeypots --setup telnet --config config.json

docker/honeypots/dist/config.json

@@ -0,0 +1,144 @@
+{
+    "logs":"file,terminal",
+    "logs_location":"/var/log/honeypots/",
+    "honeypots": {
+        "dns": {
+            "port": 53,
+            "ip": "0.0.0.0",
+            "username": "administrator",
+            "password": "123456"
+            },
+        "ftp": {
+            "port": 21,
+            "ip": "0.0.0.0",
+            "username": "ftp",
+            "password": "anonymous"
+            },
+        "httpproxy": {
+            "port": 8080,
+            "ip": "0.0.0.0",
+            "username": "admin",
+            "password": "admin"
+            },
+        "http": {
+            "port": 80,
+            "ip": "0.0.0.0",
+            "username": "admin",
+            "password": "admin"
+            },
+        "https": {
+            "port": 443,
+            "ip": "0.0.0.0",
+            "username": "admin",
+            "password": "admin"
+            },
+        "imap": {
+            "port": 143,
+            "ip": "0.0.0.0",
+            "username": "root",
+            "password": "123456"
+            },
+        "mysql": {
+            "port": 3306,
+            "ip": "0.0.0.0",
+            "username": "root",
+            "password": "123456"
+            },
+        "pop3": {
+            "port": 110,
+            "ip": "0.0.0.0",
+            "username": "root",
+            "password": "123456"
+            },
+        "postgres": {
+            "port": 5432,
+            "ip": "0.0.0.0",
+            "username": "postgres",
+            "password": "123456"
+            },
+        "redis": {
+            "port": 6379,
+            "ip": "0.0.0.0",
+            "username": "root",
+            "password": ""
+            },
+        "smb": {
+            "port": 445,
+            "ip": "0.0.0.0",
+            "username": "administrator",
+            "password": "123456"
+            },
+        "smtp": {
+            "port": 25,
+            "ip": "0.0.0.0",
+            "username": "root",
+            "password": "123456"
+            },
+        "socks5": {
+            "port": 1080,
+            "ip": "0.0.0.0",
+            "username": "admin",
+            "password": "admin"
+            },
+        "ssh": {
+            "port": 22,
+            "ip": "0.0.0.0",
+            "username": "root",
+            "password": "123456"
+            },
+        "telnet": {
+            "port": 23,
+            "ip": "0.0.0.0",
+            "username": "root",
+            "password": "123456"
+            },
+        "vnc": {
+            "port": 5900,
+            "ip": "0.0.0.0",
+            "username": "administrator",
+            "password": "123456"
+            },
+        "elastic": {
+            "port": 9200,
+            "ip": "0.0.0.0",
+            "username": "elastic",
+            "password": "123456"
+            },
+        "mssql": {
+            "port": 1433,
+            "ip": "0.0.0.0",
+            "username": "sa",
+            "password": ""
+            },
+        "ldap": {
+            "port": 389,
+            "ip": "0.0.0.0",
+            "username": "administrator",
+            "password": "123456"
+            },
+        "ntp": {
+            "port": 123,
+            "ip": "0.0.0.0",
+            "username": "administrator",
+            "password": "123456"
+            },
+        "memcache": {
+            "port": 11211,
+            "ip": "0.0.0.0",
+            "username": "admin",
+            "password": "123456"
+            },
+        "oracle": {
+            "port": 1521,
+            "ip": "0.0.0.0",
+            "username": "bi",
+            "password": "123456"
+            },
+        "snmp": {
+            "port": 161,
+            "ip": "0.0.0.0",
+            "username": "privUser",
+            "password": "123456"
+            }
+        }
+}

docker/honeypots/docker-compose.yml

@@ -0,0 +1,42 @@
+version: '2.3'
+
+networks:
+  honeypots_local:
+
+services:
+
+# Honeypots service
+  honeypots:
+    build: .
+    container_name: honeypots
+    stdin_open: true
+    tty: true
+    restart: always
+    tmpfs:
+     - /tmp:uid=2000,gid=2000
+    networks:
+     - honeypots_local
+    ports:
+     - "21:21"
+     - "22:22"
+     - "23:23"
+     - "25:25"
+     - "53:53/udp"
+     - "80:80"
+     - "110:110"
+     - "143:143"
+     - "389:389"
+     - "443:443"
+     - "445:445"
+     - "1080:1080"
+     - "1433:1433"
+     - "3306:3306"
+     - "5432:5432"
+     - "5900:5900"
+     - "6379:6379"
+     - "8080:8080"
+     - "9200:9200"
+    image: "dtagdevsec/honeypots:2006"
+    read_only: true
+    volumes:
+     - /data/honeypots/log:/var/log/honeypots

docker/honeypy/Dockerfile

@@ -49,7 +49,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     rm -rf /root/* && \
     rm -rf /var/cache/apk/*
 #
-# Set workdir and start mailoney
+# Set workdir and start honeypy
 USER honeypy:honeypy
 WORKDIR /opt/honeypy
 CMD ["/opt/honeypy/env/bin/python2", "/opt/honeypy/Honey.py", "-d"]

docker/honeypy/docker-compose.yml

@@ -20,7 +20,7 @@ services:
      - "2324:2324"
      - "4096:4096"
      - "9200:9200"
-    image: "ghcr.io/telekom-security/honeypy:2006"
+    image: "dtagdevsec/honeypy:2006"
     read_only: true
     volumes:
      - /data/honeypy/log:/opt/honeypy/log

docker/honeysap/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.10
+FROM alpine:3.11
 #
 # Include dist
 ADD dist/ /root/dist/
@@ -8,7 +8,6 @@ RUN apk -U --no-cache add \
             build-base \
             git \
 	    libstdc++ \
-	    py2-markupsafe \
             python2 \
             python2-dev \
             py2-pip \
@@ -22,6 +21,7 @@ RUN apk -U --no-cache add \
     mkdir conf && \
     cp /root/dist/* conf/ && \
     python setup.py install && \
+    pip install markupsafe && \
     pip install -r requirements-optional.txt && \
 #
 # Setup user, groups and configs

docker/honeysap/docker-compose.yml

@@ -14,6 +14,6 @@ services:
      - honeysap_local
     ports:
      - "3299:3299"
-    image: "ghcr.io/telekom-security/honeysap:2006"
+    image: "dtagdevsec/honeysap:2006"
     volumes:
      - /data/honeysap/log:/opt/honeysap/log

docker/honeytrap/Dockerfile

@@ -1,11 +1,12 @@
-FROM debian:buster-slim 
+FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND noninteractive
 #
 # Include dist
 ADD dist/ /root/dist/
 #
 # Setup apt
-RUN apt-get update -y && \
+RUN apt-get update && \
+    apt-get update -y && \
     apt-get dist-upgrade -y && \
 #
 # Install packages
@@ -26,10 +27,10 @@ RUN apt-get update -y && \
                        wget && \
 #
 # Install honeytrap from source
-    git clone https://github.com/armedpot/honeytrap /root/honeytrap && \
-#    git clone https://github.com/t3chn0m4g3/honeytrap /root/honeytrap && \
+#    git clone https://github.com/armedpot/honeytrap /root/honeytrap && \
+    git clone https://github.com/t3chn0m4g3/honeytrap /root/honeytrap && \
     cd /root/honeytrap/ && \
-    git checkout 9aa4f734f2ea2f0da790b02d79afe18204a23982 && \
+#    git checkout 9aa4f734f2ea2f0da790b02d79afe18204a23982 && \
     autoreconf -vfi && \
     ./configure \
       --with-stream-mon=nfq \

docker/honeytrap/docker-compose.yml

@@ -12,7 +12,7 @@ services:
     network_mode: "host"
     cap_add:
      - NET_ADMIN
-    image: "ghcr.io/telekom-security/honeytrap:2006"
+    image: "dtagdevsec/honeytrap:2006"
     read_only: true
     volumes:
      - /data/honeytrap/attacks:/opt/honeytrap/var/attacks

docker/ipphoney/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - ipphoney_local
     ports:
      - "631:631"
-    image: "ghcr.io/telekom-security/ipphoney:2006"
+    image: "dtagdevsec/ipphoney:2006"
     read_only: true
     volumes:
      - /data/ipphoney/log:/opt/ipphoney/log

docker/log4pot/Dockerfile

@@ -0,0 +1,58 @@
+FROM ubuntu:20.04
+ENV DEBIAN_FRONTEND noninteractive
+#
+# Install packages
+RUN apt-get update && \
+    apt-get update -y && \
+    apt-get dist-upgrade -y && \
+    apt-get install -y \
+             build-essential \
+	     cargo \
+	     cleo \
+             git \
+	     libcap2 \
+	     libcap2-bin \
+	     libcurl4 \
+	     libcurl4-nss-dev \
+	     libffi7 \
+	     libffi-dev \
+	     libssl-dev \
+	     python3-pip \
+             python3 \
+             python3-dev \
+             rust-all && \
+     pip3 install --upgrade pip && \
+     pip3 install poetry pycurl && \
+#	     
+# Install log4pot from GitHub and setup
+    mkdir -p /opt /var/log/log4pot && \
+    cd /opt/ && \
+    git clone https://github.com/thomaspatzke/Log4Pot && \
+    cd Log4Pot && \
+#    git checkout 4269bf4a91457328fb64c3e7941cb2f520e5e911 && \
+    git checkout 4e9bac32605e4d2dd4bbc6df56365988b4815c4a && \
+    sed -i 's#"type": logtype,#"reason": logtype,#g' log4pot.py && \
+    poetry install && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+#
+# Setup user, groups and configs
+    addgroup --gid 2000 log4pot && \
+    adduser --system --no-create-home --shell /bin/bash -uid 2000 --disabled-password --disabled-login -gid 2000 log4pot && \
+    chown log4pot:log4pot -R /opt/Log4Pot && \
+#
+# Clean up
+     apt-get purge -y build-essential \
+                    cargo \
+                    git \
+		    libffi-dev \
+		    libssl-dev \
+		    python3-dev \
+		    rust-all && \
+    apt-get autoremove -y --purge && \
+    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+#
+# Start log4pot
+STOPSIGNAL SIGINT
+USER log4pot:log4pot
+WORKDIR /opt/Log4Pot/
+CMD ["/usr/bin/python3","log4pot.py","--port","8080","--log","/var/log/log4pot/log/log4pot.log","--download-dir","/var/log/log4pot/payloads/","--download-class","--download-payloads"]

docker/log4pot/docker-compose.yml

@@ -0,0 +1,27 @@
+version: '2.3'
+
+networks:
+  log4pot_local:
+
+services:
+
+# Log4pot service
+  log4pot:
+    build: .
+    container_name: log4pot
+    restart: always
+    tmpfs:
+     - /tmp:uid=2000,gid=2000
+    networks:
+     - log4pot_local
+    ports:
+     - "80:8080"
+     - "443:8080"
+     - "8080:8080"
+     - "9200:8080"
+     - "25565:8080"
+    image: "dtagdevsec/log4pot:2006"
+    read_only: true
+    volumes:
+     - /data/log4pot/log:/var/log/log4pot/log
+     - /data/log4pot/payloads:/var/log/log4pot/payloads

docker/mailoney/docker-compose.yml

@@ -20,7 +20,7 @@ services:
      - mailoney_local
     ports:
      - "25:25"
-    image: "ghcr.io/telekom-security/mailoney:2006"
+    image: "dtagdevsec/mailoney:2006"
     read_only: true
     volumes:
      - /data/mailoney/log:/opt/mailoney/logs

docker/medpot/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13
+FROM alpine:3.14
 #
 # Setup apk
 RUN apk -U --no-cache add \
@@ -9,6 +9,7 @@ RUN apk -U --no-cache add \
 #
 # Setup go, build medpot
     export GOPATH=/opt/go/ && \
+    export GO111MODULE=off && \
     mkdir -p /opt/go/src && \
     cd /opt/go/src && \
     git clone https://github.com/schmalle/medpot && \

docker/medpot/docker-compose.yml

@@ -14,7 +14,7 @@ services:
      - medpot_local
     ports:
      - "2575:2575"
-    image: "ghcr.io/telekom-security/medpot:2006"
+    image: "dtagdevsec/medpot:2006"
     read_only: true
     volumes:
      - /data/medpot/log/:/var/log/medpot

docker/p0f/Dockerfile

@@ -1,4 +1,6 @@
-FROM alpine:3.13
+# In case of problems Alpine 3.13 needs to be used:
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
+FROM alpine:3.14
 #
 # Add source
 ADD . /opt/p0f

docker/p0f/docker-compose.yml

@@ -8,7 +8,7 @@ services:
     container_name: p0f
     restart: always
     network_mode: "host"
-    image: "ghcr.io/telekom-security/p0f:2006"
+    image: "dtagdevsec/p0f:2006"
     read_only: true
     volumes:
      - /data/p0f/log:/var/log/p0f

docker/rdpy/Dockerfile

@@ -28,7 +28,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
                 pyopenssl \
                 qt4reactor \
                 service_identity \
-                rsa \
+                rsa==4.5 \		
                 pyasn1 && \
 #
 # Install rdpy from git

docker/rdpy/docker-compose.yml

@@ -22,7 +22,7 @@ services:
      - rdpy_local
     ports:
      - "3389:3389"
-    image: "ghcr.io/telekom-security/rdpy:2006"
+    image: "dtagdevsec/rdpy:2006"
     read_only: true
     volumes:
      - /data/rdpy/log:/var/log/rdpy