Fix repack for AMD64 .iso (#1481)

Azure Deployment via ARM template

CHANGELOG.md

@@ -1,323 +1,45 @@
-# Changelog
+# Release Notes / Changelog
+T-Pot 22.04.0 is probably the most feature rich release ever provided with long awaited (wanted!) features readily available after installation. 
 
-## 20210222
-- **New Release 20.06.2**
-- **Countless Cloud Contributions**
-  - Thanks to @shaderecker
+## New Features
+* **Distributed** Installation with **HIVE** and **HIVE_SENSOR**
+* **ARM64** support for all provided Docker images
+* **GeoIP Attack Map** visualizing Live Attacks on a dedicated webpage
+* **Kibana Live Attack Map** visualizing Live Attacks from different **HIVE_SENSORS**
+* **Blackhole** is a script trying to avoid mass scanner detection 
+* **Elasticvue** a web front end for browsing and interacting with an Elastic Search cluster
+* **Ddospot** a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
+* **Endlessh** is a SSH tarpit that very slowly sends an endless, random SSH banner
+* **HellPot** is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
+* **qHoneypots** 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
+* **Redishoneypot** is a honeypot mimicking some of the Redis' functions
+* **SentryPeer** a dedicated SIP honeypot
+* **Index Lifecycle Management** for Elasticseach indices is now being used
 
-## 20210219
-- **Rebuild Snare, Tanner, Redis, Phpox**
-  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
-- **Bump Elastic Stack to 7.11.1**
-  - Updgrade Elastic Stack Images to 7.11.1 and update License Info to reflect new Elastic License.
-  - Prepare for new release.
+## Upgrades
+* **Debian 11.x** is now being used for the T-Pot ISO images and required for post installs
+* **Elastic Stack 8.x** is now provided as Docker images
 
-## 20210218
-- **Rebuild Conpot, EWSPoster, Cowrie, Glutton, Dionaea**
-  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
+## Updates
+* **Honeypots** and **tools** were updated to their latest masters and releases
+* Updates will be provided continuously through Docker Images updates 
 
-## 20210216
-- **Bump Heralding to 1.0.7**
-  - Rebuild and upgrade image to 1.0.7 and upgrade Alpine OS to 3.13.
-  - Enable SMTPS for Heralding.
-- **Rebuild IPPHoney, Fatt, EWSPoster, Spiderfoot**
-  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
-  - Upgrade Spiderfoot to 3.3
+## Breaking Changes
+* For security reasons all Py2.x honeypots with the need of PyPi packages have been removed: **HoneyPy**, **HoneySAP** and **RDPY**
+* If you are upgrading from a previous version of T-Pot (20.06.x) you need to import the new Kibana objects or some of the functionality will be broken or will be unavailabe
+* **Cyberchef** is now part of the Nginx Docker image, no longer as individual image
+* **ElasticSearch Head** is superseded by **Elasticvue** and part the Nginx Docker image
+* **Heimdall** is no longer supported and superseded with a new Bento based landing page
+* **Elasticsearch Curator** is no longer supprted and superseded with **Index Lifecycle Policies** available through Kibana.
 
-## 20210215
-- **Rebuild Dicompot, p0f, Medpot, Honeysap, Heimdall, Elasticpot, Citrixhoneypot, Ciscoasa**
-  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
+# Thanks & Credits
+* @ghenry, for some fun late night debugging and of course SentryPeer!
+* @giga-a, for adding much appreciated features (i.e. JSON logging, 
+X-Forwarded-For, etc.) and of course qHoneypots! 
+* @sp3t3rs, @trixam, for their backend and ews support!
+* @tadashi-oya, for spotting some errors and propose fixes!
+* @tmariuss, @shaderecker for their cloud contributions!
+* @vorband, for much appreciated and helpful insights regarding the GeoIP Attack Map!
+* @yunginnanet, on not giving up on squashing a bug and of course Hellpot!
 
-## 20210212
-- **Rebuild Cyberchef, Adbhoney, Elastic Stack**
-  - Rebuild images to their latest masters and upgrade Alpine OS to 3.13 where possible.
-  - Bump Elastic Stack to 7.11.0
-  - Bump Cyberchef to 9.27.0
-
-## 20210119
-- **Bump Dionaea to 0.11.0**
-  - Upgrade Dionaea to 0.11.0, rebuild image and upgrade Alpine OS to 3.13.
-
-## 20210106
-- **Update Internet IF retrieval**
-  - To be consistent with @adepasquale PR #746 fatt, glutton and p0f Dockerfiles were updated accordingly.
-  - Merge PR #746 from @adepasquale, thank you!
-
-## 20201228
-- **Fix broken SQlite DB**
-  - Fix a broken `app.sqlite` in Heimdall
-- **Avoid ghcr.io because of slow transfers**
-- **Remove netselect-apt**
-  - causes too many unpredictable errors #733 as the latest example
-
-## 20201210
-- **Bump Elastic Stack 7.10.1, EWSPoster to 1.12**
-
-## 20201202
-- **Update Elastic Stack to 7.10.0**
-
-## 20201130
-- **Suricata, use suricata-update for rule management**
-  - As a bonus we can now run "suricata-update" using docker-exec, triggering both a rule update and a Suricata rule reload.
-  - Thanks to @adepasquale!
-
-## 20201126
-- **Suricata, update suricata.yaml for 6.x**
-  - Merge in the latest updates from suricata-6.0.x while at the same time keeping the custom T-Pot configuration.
-  - Thanks to @adepasquale!
-- **Bump Cowrie to 2.2.0**
-
-## 20201028
-- **Bump Suricata to 5.0.4, Spiderfoot to 3.2.1, Dionaea to 0.9.2, IPPHoney, Heralding, Conpot to latest masters**
-
-## 20201027
-- **Bump Dicompot to latest master, Elastic Stack to 7.9.3**
-
-## 20201005
-- **Bump Elastic Stack to 7.9.2**
-  - @brianlechthaler, thanks for PR #706, which had issues regarding Elastic Stack and resulted in reverting to 7.9.1
-
-## 20200904
-- **Release T-Pot 20.06.1**
-  - Github offers a free Docker Container Registry for public packages. For our Open Source projects we want to make sure to have everything in one place and thus moving from Docker Hub to the GitHub Container Registry.
-- **Bump Elastic Stack**
-  - Update the Elastic Stack to 7.9.1.
-- **Rebuild Images**
-  - All docker images were rebuilt based on the latest (and stable running) versions of the tools and honeypots and have been pinned to specific Alpine / Debian versions and git commits so rebuilds will less likely fail.
-- **Cleaning up**
-  - Clean up old references and links.
-
-## 20200630
-- **Release T-Pot 20.06**
-  - After 4 months of public testing with the NextGen edition T-Pot 20.06 can finally be released.
-- **Debian Buster**
-  - With the release of Debian Buster T-Pot now has access to all packages required right out of the box.
-- **Add new honeypots**
-  - [Dicompot](https://github.com/nsmfoo/dicompot) by @nsmfoo is a low interaction honeypot for the Dicom protocol which is the international standard to process medical imaging information. Together with Medpot which supports the HL7 protocol T-Pot is now offering a Medical Installation type.
-  - [Honeysap](https://github.com/SecureAuthCorp/HoneySAP) by SecureAuthCorp is a low interaction honeypot for the SAP services, in case of T-Pot configured for the SAP router.
-  - [Elasticpot](https://gitlab.com/bontchev/elasticpot) by Vesselin Bontchev replaces ElasticpotPY as a low interaction honeypot for Elasticsearch with more features, plugins and scripted responses.
-- **Rebuild Images**
-  - All docker images were rebuilt based on the latest (and stable running) versions of the tools and honeypots. Mostly the images now run on Alpine 3.12 / Debian Buster. However some honeypots / tools still reuire Alpine 3.11 / 3.10 to run properly.
-- **Install Types**
-  - All docker-compose files (`/opt/tpot/etc/compose`) were remixed and most of the NextGen honeypots are now available in Standard.
-  - There is now a **Medical** Installation Type with Dicompot and Medpot which will be of most interest for medical institutions to get started with T-Pot.
-- **Update Tools**
-  - Connecting to T-Pot via `https://<ip>:64297` brings you to the T-Pot Landing Page now which is based on Heimdall and the latest NGINX enforcing TLS 1.3.
-  - The ELK stack was updated to 7.8.0 and stripped down to the necessary core functions (where possible) for T-Pot while keeping ELK RAM requirements to a minimum (8GB of RAM is recommended now). The number of index pattern fields was reduced to **697** which increases performance significantly. There are **22** Kibana Dashboards, **397** Kibana Visualizations and **24** Kibana Searches readily available to cover all your needs to get started and familiar with T-Pot.
-  - Cyberchef was updated to 9.21.0.
-  - Elasticsearch Head was updated to the latest version available on GitHub.
-  - Spiderfoot was updated to latest 3.1 dev.
-- **Landing Page**
-  - After logging into T-Pot via web you are now greeted with a beautifully designed landing page.
-- **Countless Tweaks and improvements**
-  - Under the hood lots of tiny tweaks, improvements and a few bugfixes will increase your overall experience with T-Pot.
-
-## 20200316
-- **Move from Sid to Stable**
-  - Debian Stable has now all the packages and versions we need for T-Pot. As a consequence we can now move to the `stable` branch.
-
-## 20200310
-- **Add 2FA to Cockpit**
-  - Just run `2fa.sh` to enable two factor authentication in Cockpit.
-- **Find fastest mirror with netselect-apt**
-  - Netselect-apt will find the fastest mirror close to you (outgoing ICMP required).
-
-## 20200309
-- **Bump Nextgen to 20.06**
-  - All NextGen images have been rebuilt to their latest master.
-  - ElasticStack bumped to 7.6.1 (Elasticsearch will need at least 2048MB of RAM now, T-Pot at least 8GB of RAM) and tweak to accomodate changes of 7.x.
-  - Fixed errors in Tanner / Snare which will now handle downloads of malware via SSL and store them correctly (thanks to @afeena).
-  - Fixed errors in Heralding which will now improve on RDP connections (thanks to @johnnykv, @realsdx).
-  - Fixed error in honeytrap which will now build in Debian/Buster (thanks to @tillmannw).
-  - Mailoney is now logging in JSON format (thanks to @monsherko).
-  - Base T-Pot landing page on Heimdall.
-  - Tweaking of tools and some minor bug fixing
-
-## 20200116
-- **Bump ELK to latest 6.8.6**
-- **Update ISO image to fix upstream bug of missing kernel modules**
-- **Include dashboards for CitrixHoneypot**
-  - Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
-  - This update requires the latest Kibana objects as well. Download the latest from https://raw.githubusercontent.com/telekom-security/tpotce/master/etc/objects/kibana_export.json.zip, unzip and import the objects within Kibana WebUI > Management > Saved Objects > Export / Import". All objects will be overwritten upon import, make sure to run an export first.
-
-## 20200115
-- **Prepare integration of CitrixHoneypot**
-  - Prepare integration of [CitrixHoneypot](https://github.com/MalwareTech/CitrixHoneypot) by MalwareTech
-  - Integration into ELK is still open
-  - Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
-
-## 20191224
-- **Use pigz, optimize logrotate.conf**
-  - Use `pigz` for faster archiving, especially with regard to high volumes of logs - Thanks to @workandresearchgithub!
-  - Optimize `logrotate.conf` to improve archiving speed and get rid of multiple compression, also introduce `pigz`.
-
-## 20191121
-- **Bump ADBHoney to latest master**
-  - Use latest version of ADBHoney, which now fully support Python 3.x - Thanks to @huuck!
-
-## 20191113, 20191104, 20191103, 20191028
-- **Switch to Debian 10 on OTC, Ansible Improvements**
-  - OTC now supporting Debian 10 - Thanks to @shaderecker!
-
-## 20191028
-- **Fix an issue with pip3, yq**
-  - `yq` needs rehashing.
-
-## 20191026
-- **Remove cockpit-pcp**
-  - `cockpit-pcp` floods swap for some reason - removing for now.
-
-## 20191022
-- **Bump Suricata to 5.0.0**
-
-## 20191021
-- **Bump Cowrie to 2.0.0**
-
-## 20191016
-- **Tweak installer, pip3, Heralding**
-  - Install `cockpit-pcp` right from the start for machine monitoring in cockpit.
-  - Move installer and update script to use pip3.
-  - Bump heralding to latest master (1.0.6) - Thanks @johnnykv!
-
-## 20191015
-- **Tweaking, Bump glutton, unlock ES script**
-  - Add `unlock.sh` to unlock ES indices in case of lockdown after disk quota has been reached.
-  - Prevent too much terminal logging from p0f and glutton since `daemon.log` was filled up.
-  - Bump glutton to latest master now supporting payload_hex. Thanks to @glaslos.
-
-## 20191002
-- **Merge**
-  - Support Debian Buster images for AWS #454
-  - Thank you @piffey
-
-## 20190924
-- **Bump EWSPoster**
-  - Supports Python 3.x
-  - Thank you @Trixam
-
-## 20190919
-- **Merge**
-  - Handle non-interactive shells #454
-  - Thank you @Oogy
-
-## 20190907
-- **Logo tweaking**
-  - Add QR logo
-
-## 20190828
-- **Upgrades and rebuilds**
-  - Bump Medpot, Nginx and Adbhoney to latest master
-  - Bump ELK stack to 6.8.2
-  - Rebuild Mailoney, Honeytrap, Elasticpot and Ciscoasa
-  - Add 1080p T-Pot wallpaper for download
-
-## 20190824
-- **Add some logo work**
-  - Thanks to @thehadilps's suggestion adjusted social preview
-  - Added 4k T-Pot wallpaper for download
-
-## 20190823
-- **Fix for broken Fuse package**
-  - Fuse package in upstream is broken
-  - Adjust installer as workaround, fixes #442
-
-## 20190816
-- **Upgrades and rebuilds**
-  - Adjust Dionaea to avoid nmap detection, fixes #435 (thanks @iukea1)
-  - Bump Tanner, Cyberchef, Spiderfoot and ES Head to latest master
-
-## 20190815
-- **Bump ELK stack to 6.7.2**
-  - Transition to 7.x must iterate slowly through previous versions to prevent changes breaking T-Pots
-
-## 20190814
-- **Logstash Translation Maps improvement**
-  - Download translation maps rather than running a git pull
-  - Translation maps will now be bzip2 compressed to reduce traffic to a minimum
-  - Fixes #432
-
-## 20190802
-- **Add support for Buster as base image**
-  - Install ISO is now based on Debian Buster
-  - Installation upon Debian Buster is now supported
-
-## 20190701
-- **Reworked Ansible T-Pot Deployment**
-  - Transitioned from bash script to all Ansible
-  - Reusable Ansible Playbook for OpenStack clouds
-  - Example Showcase with our Open Telekom Cloud
-  - Adaptable for other cloud providers
-
-## 20190626
-- **HPFEEDS Opt-In commandline option**
-  - Pass a hpfeeds config file as a commandline argument
-  - hpfeeds config is saved in `/data/ews/conf/hpfeeds.cfg`
-  - Update script restores hpfeeds config
-
-## 20190604
-- **Finalize Fatt support**
-  - Build visualizations, searches, dashboards
-  - Rebuild index patterns
-  - Some finishing touches
-
-## 20190601
-- **Start supporting Fatt, remove Glastopf**
-  - Build Dockerfile, Adjust logstash, installer, update and such.
-  - Glastopf is no longer supported within T-Pot
-
-## 20190528+20190531
-- **Increase total number of fields**
-  - Adjust total number of fileds for logstash templae from 1000 to 2000.
-
-## 20190526
-- **Fix build for Cowrie**
-  - Upstream changes required a new package `py-bcrypt`.
-
-## 20190525
-- **Fix build for RDPY**
-  - Building was prevented due to cache error which occurs lately on Alpine if `apk` is using `--no-ache' as options.
-
-## 20190520
-- **Adjust permissions for /data folder**
-  - Now it is possible to download files from `/data` using SCP, WINSCP or CyberDuck.
-
-## 20190513
-- **Added Ansible T-Pot Deployment on Open Telekom Cloud**
-  - Reusable Ansible Playbooks for all cloud providers
-  - Example Showcase with our Open Telekom Cloud
-
-## 20190511
-- **Add hptest script**
-  - Quickly test if the honeypots are working with `hptest.sh <[ip,host]>` based on nmap.
-
-## 20190508
-- **Add tsec / install user to tpot group**
-  - For users being able to easily download logs from the /data folder the installer now adds the `tpot` or the logged in user (`who am i`) via `usermod -a -G tpot <user>` to the tpot group. Also /data permissions will now be enforced to `770`, which is necessary for directory listings.
-
-## 20190502
-- **Fix KVPs**
-  - Some KVPs for Cowrie changed and the tagcloud was not showing any values in the Cowrie dashboard.
-  - New installations are not affected, however existing installations need to import the objects from /opt/tpot/etc/objects/kibana-objects.json.zip.
-- **Makeiso**
-  - Move to Xorriso for building the ISO image.
-  - This allows to support most of the Debian based distros, i.e. Debian, MxLinux and Ubuntu.
-
-## 20190428
-- **Rebuild ISO**
-  - The install ISO needed a rebuilt after some changes in the Debian mirrors.
-- **Disable Netselect**
-  - After some reports in the issues that some Debian mirrors were not fully synced and thus some packages were unavailable the netselect-apt feature was disabled.
-
-## 20190406
-- **Fix for SSH**
-  - In some situations the SSH Port was not written to a new line (thanks to @dpisano for reporting).
-- **Fix race condition for apt-fast**
-  - Curl and wget need to be installed before apt-fast installation.
-
-## 20190404
-- **Fix #332**
-  - If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used.
-- **Improve install speed with apt-fast**
-  - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package.
-
-`git log --date=format:"## %Y%m%d" --pretty=format:"%ad %n- **%s**%n  - %b"`
+... and many others from the T-Pot community by opening valued issues and discussions, suggesting ideas and thus helping to improve T-Pot!

CITATION.cff

@@ -0,0 +1,43 @@
+# This CITATION.cff file was generated with cffinit.
+# Visit https://bit.ly/cffinit to generate yours today!
+
+cff-version: 1.2.0
+title: T-Pot
+message: >-
+  If you use this software, please cite it using the
+  metadata from this file.
+type: software
+authors:
+  - name: Deutsche Telekom Security GmbH
+    address: Bonner Talweg 100
+    city: Bonn
+    country: DE
+    post-code: '53113'
+    website: 'https://github.com/telekom-security'
+  - given-names: Marco
+    family-names: Ochse
+    affiliation: Deutsche Telekom Security GmbH
+identifiers:
+  - type: url
+    value: >-
+      https://github.com/telekom-security/tpotce/releases/tag/22.04.0
+    description: T-Pot Release 22.04.0
+repository-code: 'https://github.com/telekom-security/tpotce'
+abstract: >-
+  T-Pot is the all in one, optionally distributed, multiarch
+  (amd64, arm64) honeypot plattform, supporting 20+
+  honeypots and countless visualization options using the
+  Elastic Stack, animated live attack maps and lots of
+  security tools to further improve the deception
+  experience.
+keywords:
+  - honeypot
+  - deception
+  - t-pot
+  - telekom security
+  - docker
+  - elk
+license: GPL-3.0
+commit: af09aa96b184f873ec83da4e7380762a0a5ce416
+version: 22.04.0
+date-released: '2022-04-12'

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+| Version   | Supported          |
+| -------   | ------------------ |
+| 22.04.x   | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+We take security of T-Pot very seriously. If one of T-Pot's components is affected, it is most likely that a upstream component we rely on is involved, such as a honeypot, docker image, tool or package. Together we will find the best possible way to remedy the situation.
+
+Before you submit a possible vulnerability, please ensure you have done the following:
+1. You have checked the documentation, issues and discussions if the detected behavior is typical and does not revolve around other issues. I.e. Cowrie will be detected with outgoing conncection requests or T-Pot opening all possible TCP ports which Honeytrap enabled install flavors will do as a feature.
+2. You have identified the vulnerable component and isolated your finding (honeypot, docker image, tool, package, etc.).
+3. You have a detailed description including log files, possibly debug files, with all steps necessary for us to reproduce / trigger the behaviour or vulnerability. At best you already have a possible solution, hotfix, fix or patch to remedy the situation and want to submit a PR. 
+4. You have checked if the possible vulnerability is known upstream. If a fix / patch is already available, please provide the necessary info.
+
+We will get back to you as fast as possible. In case you think this is an emergency for the whole T-Pot community feel free to speed things up by **responsibly** informing our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316).

bin/backup_es_folders.sh

@@ -1,12 +1,21 @@
 #!/bin/bash
 # Run as root only.
 myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
+if [ "$myWHOAMI" != "root" ];
   then
     echo "Need to run as root ..."
     exit
 fi
 
+if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
+  then
+    echo "Usage: backup_es_folders [all, base]"
+    echo "       all  = backup all ES folder"
+    echo "       base = backup only Kibana index".
+    echo
+    exit
+fi
+
 # Backup all ES relevant folders
 # Make sure ES is available
 myES="http://127.0.0.1:64298/"
@@ -25,7 +34,7 @@ myCOUNT=1
 myDATE=$(date +%Y%m%d%H%M)
 myELKPATH="/data/elk/data"
 myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
-myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME
+myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
 
 # Let's ensure normal operation on exit or if interrupted ...
 function fuCLEANUP {
@@ -42,5 +51,11 @@ sleep 2
 
 # Backup DB in 2 flavors
 echo "### Now backing up Elasticsearch folders ..."
-tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
-tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
+if [ "$1" == "all" ];
+  then
+    tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
+elif [ "$1" == "base" ];
+  then
+    tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
+fi
+

bin/blackhole.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+
+# Run as root only.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "### Need to run as root ..."
+    echo
+    exit
+fi
+
+# Disclaimer
+if [ "$1" == "" ];
+  then
+    echo "### Warning!"
+    echo "### This script will download and add blackhole routes for known mass scanners in an attempt to decrease the chance of detection."
+    echo "### IPs are neither curated or verified, use at your own risk!"
+    echo "###"
+    echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
+    echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
+    echo
+    echo "Usage: blackhole.sh add (add blackhole routes)" 
+    echo "       blackhole.sh del (delete blackhole routes)"
+    echo
+    exit
+fi
+
+# QnD paths, files
+mkdir -p /etc/blackhole
+cd /etc/blackhole
+myFILE="mass_scanner.txt"
+myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
+myBASELINE="500"
+# Alternatively, using less routes, but blocking complete /24 networks
+#myFILE="mass_scanner_cidr.txt"
+#myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
+
+# Calculate age of downloaded list, read IPs
+if [ -f "$myFILE" ];
+  then
+    myNOW=$(date +%s)
+    myOLD=$(date +%s -r "$myFILE")
+    myDAYS=$(( ($myNOW-$myOLD) / (60*60*24) ))
+    echo "### Downloaded $myFILE list is $myDAYS days old."
+    myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
+fi
+
+# Let's load ip list
+if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
+  then
+    echo "### Downloading $myFILE list."
+    aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
+    myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u) 
+fi
+
+myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
+# Let's extract mass scanner IPs
+if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
+  then
+    echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
+    echo "### Aborting."
+    echo
+    exit
+elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
+  then
+    echo "### Blackhole already enabled."
+    echo "### Aborting."
+    echo
+    exit
+fi
+
+# Let's add blackhole routes for all mass scanner IPs
+if [ "$1" == "add" ];
+  then
+    echo
+    echo -n "Now adding $myCOUNT IPs to blackhole."
+    for i in $myBLACKHOLE_IPS;
+      do
+        ip route add blackhole "$i"
+	echo -n "."
+    done
+    echo
+    echo "Added $(ip r | grep "blackhole" -c) IPs to blackhole."
+    echo
+    echo "### Remember!"
+    echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
+    echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
+    echo
+    exit
+fi
+
+# Let's delete blackhole routes for all mass scanner IPs
+if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
+  then
+    echo
+    echo -n "Now deleting $myCOUNT IPs from blackhole."
+      for i in $myBLACKHOLE_IPS;
+        do
+          ip route del blackhole "$i"
+	  echo -n "."
+      done
+      echo
+      echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
+      echo
+      rm "$myFILE"
+  else
+    echo "### Blackhole already disabled."
+    echo
+fi

bin/clean.sh

@@ -114,6 +114,14 @@ fuCOWRIE () {
   chown tpot:tpot /data/cowrie -R
 }
 
+# Let's create a function to clean up and prepare ddospot data
+fuDDOSPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
+  mkdir -p /data/ddospot/bl /data/ddospot/db /data/ddospot/log
+  chmod 770 /data/ddospot -R
+  chown tpot:tpot /data/ddospot -R
+}
+
 # Let's create a function to clean up and prepare dicompot data
 fuDICOMPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
@@ -149,6 +157,14 @@ fuELK () {
   chown tpot:tpot /data/elk -R
 }
 
+# Let's create a function to clean up and prepare endlessh data
+fuENDLESSH () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
+  mkdir -p /data/endlessh/log
+  chmod 770 /data/endlessh -R
+  chown tpot:tpot /data/endlessh -R
+}
+
 # Let's create a function to clean up and prepare fatt data
 fuFATT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
@@ -165,6 +181,14 @@ fuGLUTTON () {
   chown tpot:tpot /data/glutton -R
 }
 
+# Let's create a function to clean up and prepare hellpot data
+fuHELLPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
+  mkdir -p /data/hellpot/log
+  chmod 770 /data/hellpot -R
+  chown tpot:tpot /data/hellpot -R
+}
+
 # Let's create a function to clean up and prepare heralding data
 fuHERALDING () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
@@ -173,12 +197,12 @@ fuHERALDING () {
   chown tpot:tpot /data/heralding -R
 }
 
-# Let's create a function to clean up and prepare honeypy data
-fuHONEYPY () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
-  mkdir -p /data/honeypy/log
-  chmod 770 /data/honeypy -R
-  chown tpot:tpot /data/honeypy -R
+# Let's create a function to clean up and prepare honeypots data
+fuHONEYPOTS () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
+  mkdir -p /data/honeypots/log
+  chmod 770 /data/honeypots -R
+  chown tpot:tpot /data/honeypots -R
 }
 
 # Let's create a function to clean up and prepare honeysap data
@@ -205,6 +229,14 @@ fuIPPHONEY () {
   chown tpot:tpot /data/ipphoney -R
 }
 
+# Let's create a function to clean up and prepare log4pot data
+fuLOG4POT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
+  mkdir -p /data/log4pot/log
+  chmod 770 /data/log4pot -R
+  chown tpot:tpot /data/log4pot -R
+}
+
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@@ -237,6 +269,22 @@ fuRDPY () {
   chown tpot:tpot /data/rdpy/ -R
 }
 
+# Let's create a function to clean up and prepare redishoneypot data
+fuREDISHONEYPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
+  mkdir -p /data/redishoneypot/log
+  chmod 770 /data/redishoneypot -R
+  chown tpot:tpot /data/redishoneypot -R
+}
+
+# Let's create a function to clean up and prepare sentrypeer data
+fuSENTRYPEER () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
+  mkdir -p /data/sentrypeer/log
+  chmod 770 /data/sentrypeer -R
+  chown tpot:tpot /data/sentrypeer -R
+}
+
 # Let's create a function to prepare spiderfoot db
 fuSPIDERFOOT () {
   mkdir -p /data/spiderfoot
@@ -296,21 +344,27 @@ if [ "$myPERSISTENCE" = "on" ];
     fuCITRIXHONEYPOT
     fuCONPOT
     fuCOWRIE
+    fuDDOSPOT
     fuDICOMPOT
     fuDIONAEA
     fuELASTICPOT
     fuELK
+    fuENDLESSH
     fuFATT
     fuGLUTTON
     fuHERALDING
+    fuHELLPOT
     fuHONEYSAP
-    fuHONEYPY
+    fuHONEYPOTS
     fuHONEYTRAP
     fuIPPHONEY
+    fuLOG4POT
     fuMAILONEY
     fuMEDPOT
     fuNGINX
+    fuREDISHONEYPOT
     fuRDPY
+    fuSENTRYPEER
     fuSPIDERFOOT
     fuSURICATA
     fuP0F

bin/deploy.sh

@@ -0,0 +1,182 @@
+#!/bin/bash
+
+# Do we have root?
+function fuGOT_ROOT {
+echo
+echo -n "### Checking for root: "
+if [ "$(whoami)" != "root" ];
+  then
+    echo "[ NOT OK ]"
+    echo "### Please run as root."
+    echo "### Example: sudo $0"
+    exit
+  else
+    echo "[ OK ]"
+fi
+}
+
+function fuDEPLOY_SENSOR () {
+echo
+echo "###############################"
+echo "# Deploying to T-Pot Hive ... #"
+echo "###############################"
+echo
+sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
+echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
+mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
+echo "$MY_SENSOR_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
+chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
+chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
+chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
+EOF
+
+echo
+echo "###########################"
+echo "# Done. Please reboot ... #"
+echo "###########################"
+echo
+
+exit 0
+}
+
+# Check Hive availability 
+function fuCHECK_HIVE () {
+echo
+echo "############################################"
+echo "# Checking for T-Pot Hive availability ... #"
+echo "############################################"
+echo
+sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
+if [ $? -eq 0 ];
+  then
+    echo
+    echo "#########################"
+    echo "# T-Pot Hive available! #"
+    echo "#########################"
+    echo
+    myHIVE_OK=$(curl -s http://127.0.0.1:64305)
+    if [ "$myHIVE_OK" == "ok" ];
+      then
+	echo
+        echo "##############################"
+        echo "# T-Pot Hive tunnel test OK! #"
+        echo "##############################"
+        echo
+        kill -9 $(pidof ssh)
+      else
+        echo
+	echo "######################################################"
+        echo "# T-Pot Hive tunnel test FAILED!                     #"
+	echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
+	echo "# Aborting.                                          #"
+        echo "######################################################"
+        echo
+        kill -9 $(pidof ssh)
+	rm $MY_SENSOR_PUBLICKEYFILE
+	rm $MY_SENSOR_PRIVATEKEYFILE
+	rm $MY_LS_ENVCONFIGFILE
+	exit 1
+    fi;
+  else
+    echo
+    echo "#################################################################"
+    echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
+    echo "# Aborting.                                                     #"
+    echo "#################################################################"
+    echo
+    rm $MY_SENSOR_PUBLICKEYFILE
+    rm $MY_SENSOR_PRIVATEKEYFILE
+    rm $MY_LS_ENVCONFIGFILE
+    exit 1
+fi;
+}
+
+function fuGET_DEPLOY_DATA () {
+echo
+echo "### Please provide data from your T-Pot Hive installation."
+echo "### This usually is the one running the 'T-Pot Hive' type."
+echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
+echo "### Do not worry, the password will not be persisted!"
+echo
+
+read -p "Username: " MY_TPOT_USERNAME
+read -s -p "Password: " SSHPASS
+echo
+export SSHPASS
+read -p "IP / FQDN: " MY_HIVE_IP
+MY_HIVE_USERNAME="$(hostname)"
+MY_TPOT_TYPE="SENSOR"
+MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
+
+MY_SENSOR_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
+MY_SENSOR_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
+if ! [ -s "$MY_SENSOR_PRIVATEKEYFILE" ] && ! [ -s "$MY_SENSOR_PUBLICKEYFILE" ];
+  then
+    echo
+    echo "##############################"
+    echo "# Generating ssh keyfile ... #"
+    echo "##############################"
+    echo
+    mkdir -p /data/elk/logstash
+    ssh-keygen -f "$MY_SENSOR_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
+    MY_SENSOR_PUBLICKEY="$(cat "$MY_SENSOR_PUBLICKEYFILE")"
+  else
+    echo
+    echo "#############################################"
+    echo "# There is already a ssh keyfile. Aborting. #"
+    echo "#############################################"
+    echo
+    exit 1
+fi
+echo
+echo "###########################################################"
+echo "# Writing config to /data/elk/logstash/ls_environment.    #"
+echo "# If you make changes to this file, you need to reboot or #"
+echo "# run /opt/tpot/bin/updateip.sh.                          #"
+echo "###########################################################"
+echo
+tee $MY_LS_ENVCONFIGFILE << EOF
+MY_TPOT_TYPE=$MY_TPOT_TYPE
+MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
+MY_HIVE_USERNAME=$MY_HIVE_USERNAME
+MY_HIVE_IP=$MY_HIVE_IP
+EOF
+}
+
+# Deploy Pot to Hive
+fuGOT_ROOT
+echo
+echo "#################################"
+echo "# Ship T-Pot Logs to T-Pot Hive #"
+echo "#################################"
+echo
+echo "If you already have a T-Pot Hive installation running and"
+echo "this T-Pot installation is running the type \"Pot\" the"
+echo "script will automagically setup this T-Pot to ship and"
+echo "prepare the Hive to receive logs from this T-Pot."
+echo
+echo
+echo "###################################"
+echo "# Deploy T-Pot Logs to T-Pot Hive #"
+echo "###################################"
+echo 
+echo "[c] - Continue deplyoment"
+echo "[q] - Abort and exit"
+echo
+while [ 1 != 2 ]
+  do
+    read -s -n 1 -p "Your choice: " mySELECT
+      echo $mySELECT
+      case "$mySELECT" in
+        [c,C])
+          fuGET_DEPLOY_DATA
+          fuCHECK_HIVE
+	  fuDEPLOY_SENSOR
+          break
+          ;;
+        [q,Q])
+          echo "Aborted."
+          exit 0
+          ;;
+      esac
+done

bin/deprecated/export_kibana-objects.sh

@@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -15,7 +15,7 @@ fi
 
 # Set vars
 myDATE=$(date +%Y%m%d%H%M)
-myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
 myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
 myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')

bin/deprecated/hptest.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+
+myHOST="$1"
+myPACKAGES="dcmtk netcat nmap"
+myMEDPOTPACKET="
+MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
+EVN|A01|198808181123
+PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
+NK1|1|JONES^BARBARA^K|SPO|||||20011105
+NK1|1|JONES^MICHAEL^A|FTH
+PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
+AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
+AL1|2||^CAT DANDER||CODE257
+DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
+PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
+ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
+GT1|1122|1519|BILL^GATES^A
+IN1|001|A357|1234|BCMD|||||132987
+IN2|ID1551001|SSN12345678
+ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
+
+function fuGOTROOT {
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+}
+
+function fuCHECKDEPS {
+myINST=""
+for myDEPS in $myPACKAGES;
+do
+  myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
+  if [ "$myOK" != "ok" ]
+    then
+      myINST=$(echo $myINST $myDEPS)
+  fi
+done
+if [ "$myINST" != "" ]
+  then
+    apt-get update -y
+    for myDEPS in $myINST;
+    do
+      apt-get install $myDEPS -y
+    done
+fi
+}
+
+function fuCHECKFORARGS {
+if [ "$myHOST" != "" ];
+  then
+    echo "All arguments met. Continuing."
+  else
+    echo "Usage: hp_test.sh <[host or ip]>"
+    exit
+fi
+}
+
+function fuGETPORTS {
+myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
+myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
+echo "Found these ports enabled:"
+echo "$myPORTS"
+exit
+}
+
+function fuSCAN {
+local myTIMEOUT="$1"
+local mySCANPORT="$2"
+local mySCANIP="$3"
+local mySCANOPTS="$4"
+
+timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
+}
+
+# Main
+fuGOTROOT
+fuCHECKDEPS
+fuCHECKFORARGS
+
+echo "Starting scans ..."
+echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
+curl -XGET "http://$myHOST:9200/logstash-*/_search" &
+curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
+echo "
I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
+findscu -P -k PatientName="*" $myHOST 11112 &
+getscu -P -k PatientName="*" $myHOST 11112 &
+telnet $myHOST 3299 &
+fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
+fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
+fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
+fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
+fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
+fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
+fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
+fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
+fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
+fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
+fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
+fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
+fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
+fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
+fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
+fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
+fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
+fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
+fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
+fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
+fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
+fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
+fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
+fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
+fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
+fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
+fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
+fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
+fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
+wait
+reset
+echo "Done."

bin/deprecated/import_kibana-objects.sh

@@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
 myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
 if ! [ "$myESSTATUS" = "1" ]
   then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
+    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
     exit
   else
     echo "### Elasticsearch is available, now continuing."
@@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
 
 # Restore index patterns
 myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
-myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
+myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
 echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
 curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null

bin/dps.sh

@@ -8,8 +8,14 @@ if [ "$myWHOAMI" != "root" ]
     exit
 fi
 
-# Show current status of T-Pot containers
 myPARAM="$1"
+if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
+  then
+    watch --color -n $myPARAM "$0"
+    exit
+fi
+
+# Show current status of T-Pot containers
 myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
 myRED=""
 myGREEN=""
@@ -17,19 +23,39 @@ myBLUE=""
 myWHITE=""
 myMAGENTA=""
 
+# Blackhole Status
+myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
+if [ "$myBLACKHOLE_STATUS" -gt "500" ];
+  then
+    myBLACKHOLE_STATUS="${myGREEN}ENABLED"
+  else
+    myBLACKHOLE_STATUS="${myRED}DISABLED"
+fi
+
+function fuGETTPOT_STATUS {
+# T-Pot Status
+myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
+if [ "$myTPOT_STATUS" == "active" ];
+  then
+    echo "${myGREEN}ACTIVE"
+  else
+    echo "${myRED}INACTIVE"
+fi
+}
+
 function fuGETSTATUS {
 grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
 }
 
 function fuGETSYS {
-printf "========| System |========\n"
-printf "%+10s %-20s\n" "Date: " "$(date)"
-printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)"
+printf "[ ========| System |======== ]\n"
+printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
+printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
+printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
+printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
 echo
 }
 
-while true
-  do
     myDPS=$(fuGETSTATUS)
     myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
     fuGETSYS
@@ -45,10 +71,3 @@ while true
 	  printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
       fi
     done
-    if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
-      then 
-        sleep "$myPARAM"
-      else 
-        break
-    fi
-done

bin/hptest.sh

@@ -1,23 +1,8 @@
 #!/bin/bash
 
 myHOST="$1"
-myPACKAGES="dcmtk netcat nmap"
-myMEDPOTPACKET="
-MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
-EVN|A01|198808181123
-PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
-NK1|1|JONES^BARBARA^K|SPO|||||20011105
-NK1|1|JONES^MICHAEL^A|FTH
-PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
-AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
-AL1|2||^CAT DANDER||CODE257
-DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
-PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
-ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
-GT1|1122|1519|BILL^GATES^A
-IN1|001|A357|1234|BCMD|||||132987
-IN2|ID1551001|SSN12345678
-ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
+myPACKAGES="nmap"
+myDOCKERCOMPOSEYML="/opt/tpot/etc/tpot.yml"
 
 function fuGOTROOT {
 myWHOAMI=$(whoami)
@@ -52,71 +37,32 @@ function fuCHECKFORARGS {
 if [ "$myHOST" != "" ];
   then
     echo "All arguments met. Continuing."
+    echo
   else
-    echo "Usage: hp_test.sh <[host or ip]>"
+    echo "Usage: hptest.sh <[host or ip]>"
+    echo
     exit
 fi
 }
 
 function fuGETPORTS {
+myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu)
 myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
-myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
-echo "Found these ports enabled:"
-echo "$myPORTS"
-exit
-}
-
-function fuSCAN {
-local myTIMEOUT="$1"
-local mySCANPORT="$2"
-local mySCANIP="$3"
-local mySCANOPTS="$4"
-
-timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
+myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done)
+myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done)
 }
 
 # Main
+fuGETPORTS
 fuGOTROOT
 fuCHECKDEPS
 fuCHECKFORARGS
-
-echo "Starting scans ..."
-echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
-curl -XGET "http://$myHOST:9200/logstash-*/_search" &
-curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
-echo "
I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
-findscu -P -k PatientName="*" $myHOST 11112 &
-getscu -P -k PatientName="*" $myHOST 11112 &
-telnet $myHOST 3299 &
-fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
-fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
-fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
-fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
-fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
-fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
-fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
-fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
-fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
-fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
-fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
-fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
-fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
-fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
-fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
-fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
-fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
-fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
-fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
-fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
-fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
-fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
-fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
-fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
-fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
-fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
-fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
-fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
-fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
+echo
+echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..."
+nmap -sV -sC -v -p $myPORTS $1 &
+nmap -sU -sV -sC -v -p $myUDPPORTS $1 &
+echo
 wait
-reset
 echo "Done."
+echo
+

bin/rules.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 ### Vars, Ports for Standard services
-myHOSTPORTS="7634 64294 64295"
+myHOSTPORTS="7634 64294 64295 64297 64304"
 myDOCKERCOMPOSEYML="$1"
 myRULESFUNCTION="$2"
 

bin/setup_builder.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Got root?
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+
+# Only run with command switch
+if [ "$1" != "-y" ]; then
+  echo "### Setting up docker for Multi Arch Builds."
+  echo "### Use on x64 only!"
+  echo "### Run with -y to install!"
+  echo
+  exit
+fi
+
+# Main
+mkdir -p /root/.docker/cli-plugins/
+cd /root/.docker/cli-plugins/
+wget https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-amd64 -O docker-buildx
+chmod +x docker-buildx
+
+docker buildx ls
+
+# We need to create a new builder as the default one cannot handle multi-arch builds
+# https://docs.docker.com/desktop/multi-arch/
+docker buildx create --name mybuilder
+
+# Set as default
+docker buildx use mybuilder
+
+# We need to install emulators, arm64 should be fine for now
+# https://github.com/tonistiigi/binfmt/
+docker run --privileged --rm tonistiigi/binfmt --install arm64
+
+# Check if everything is setup correctly
+docker buildx inspect --bootstrap
+echo
+echo "### Done."
+echo
+echo "Example: docker buildx build --platform linux/amd64,linux/arm64 -t username/demo:latest --push ."
+echo "Docs: https://docs.docker.com/desktop/multi-arch/"

bin/tpdclean.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# T-Pot Compose and Container Cleaner
+# Set colors
+myRED=""
+myGREEN=""
+myWHITE=""
+
+# Only run with command switch
+if [ "$1" != "-y" ]; then
+  echo $myRED"### WARNING"$myWHITE
+  echo ""
+  echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
+  echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
+  echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
+  echo ""
+  echo $myRED"### WARNING "$myWHITE
+  echo
+  exit
+fi
+
+# Remove old containers, images and volumes
+docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
+docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
+docker network rm $(docker network ls -q) >> /dev/null 2>&1
+docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
+docker rm -v $(docker ps -aq) >> /dev/null 2>&1
+docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
+docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
+exit 0

bin/tped.sh

@@ -29,7 +29,7 @@ for i in $myYMLS;
   do
     myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " 
 done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
+myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
 if [ "$myEDITION" == "" ];
   then
     echo "Have a nice day!"

bin/updateip.sh

@@ -2,23 +2,62 @@
 # Let's add the first local ip to the /etc/issue and external ip to ews.ip file
 # If the external IP cannot be detected, the internal IP will be inherited.
 source /etc/environment
-myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
+myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
+myUUID=$(lsblk -o MOUNTPOINT,UUID | grep -e "^/ " | awk '{ print $2 }')
 myLOCALIP=$(hostname -I | awk '{ print $1 }')
 myEXTIP=$(/opt/tpot/bin/myip.sh)
 if [ "$myEXTIP" = "" ];
   then
     myEXTIP=$myLOCALIP
+    myEXTIP_LAT="49.865835022498125"
+    myEXTIP_LONG="8.62606472775735"
+  else
+    myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
+    myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
+    myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
 fi
+
+# Load Blackhole routes if enabled 
+myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
+myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
+if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
+  then
+    /opt/tpot/bin/blackhole.sh add
+fi
+
+myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
+if [ "$myBLACKHOLE_STATUS" -gt "500" ];
+  then
+    myBLACKHOLE_STATUS="| BLACKHOLE: [ ENABLED ]"
+  else
+    myBLACKHOLE_STATUS="| BLACKHOLE: [ DISABLED ]"
+fi
+
 mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
+
+# Export
+export myUUID
+export myLOCALIP
+export myEXTIP
+export myEXTIP_LAT
+export myEXTIP_LONG
+export myBLACKHOLE_STATUS
+export mySSHUSER
+
+# Build issue
 echo "" > /etc/issue
-toilet -f ivrit -F metal --filter border:metal "T-Pot   20.06" | sed 's/\\/\\\\/g' >> /etc/issue
+toilet -f ivrit -F metal --filter border:metal "T-Pot   22.04" | sed 's/\\/\\\\/g' >> /etc/issue
 echo >> /etc/issue
 echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue
 echo "|" >> /etc/issue
 echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue
 echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue 
-echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
+if [ "$myCHECKIFSENSOR" == "0" ];
+  then
+    echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
+fi
 echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue
+echo "$myBLACKHOLE_STATUS" >> /etc/issue
 echo "|" >> /etc/issue
 echo "\`----" >> /etc/issue
 echo >> /etc/issue
@@ -29,8 +68,22 @@ EOF
 tee /opt/tpot/etc/compose/elk_environment << EOF
 HONEY_UUID=$myUUID
 MY_EXTIP=$myEXTIP
+MY_EXTIP_LAT=$myEXTIP_LAT
+MY_EXTIP_LONG=$myEXTIP_LONG
 MY_INTIP=$myLOCALIP
 MY_HOSTNAME=$HOSTNAME
 EOF
+
+if [ -s "/data/elk/logstash/ls_environment" ];
+  then
+    source /data/elk/logstash/ls_environment
+    tee -a /opt/tpot/etc/compose/elk_environment << EOF
+MY_TPOT_TYPE=$MY_TPOT_TYPE
+MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
+MY_HIVE_USERNAME=$MY_HIVE_USERNAME
+MY_HIVE_IP=$MY_HIVE_IP
+EOF
+fi
+
 chown tpot:tpot /data/ews/conf/ews.ip
 chmod 770 /data/ews/conf/ews.ip

cloud/.gitignore

@@ -6,5 +6,5 @@
 **/terraform.*
 
 # OpenStack clouds
-clouds.yaml
-secure.yaml
+**/clouds.yaml
+**/secure.yaml

cloud/ansible/openstack/roles/check/tasks/main.yaml

@@ -16,4 +16,4 @@
   ansible.builtin.fail:
     msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
   ignore_errors: yes
-  when: lookup('env','SSH_AUTH_SOCK') == ""
+  failed_when: lookup('env','SSH_AUTH_SOCK') == ""

cloud/ansible/openstack/roles/create_net/tasks/main.yaml

@@ -1,33 +1,33 @@
 - name: Create security group
   openstack.cloud.security_group:
     cloud: "{{ cloud }}"
-    name: sg-tpot-any
-    description: tpot any-any
+    name: sg-tpot-ansible
+    description: Security Group for T-Pot
 
 - name: Add rules to security group
   openstack.cloud.security_group_rule:
     cloud: "{{ cloud }}"
-    security_group: sg-tpot-any
+    security_group: sg-tpot-ansible
     remote_ip_prefix: 0.0.0.0/0
 
 - name: Create network
   openstack.cloud.network:
     cloud: "{{ cloud }}"
-    name: network-tpot
+    name: network-tpot-ansible
 
 - name: Create subnet
   openstack.cloud.subnet:
     cloud: "{{ cloud }}"
-    network_name: network-tpot
-    name: subnet-tpot
+    network_name: network-tpot-ansible
+    name: subnet-tpot-ansible
     cidr: 192.168.0.0/24
     dns_nameservers:
-      - 1.1.1.1
-      - 8.8.8.8
+      - 100.125.4.25
+      - 100.125.129.199
 
 - name: Create router
   openstack.cloud.router:
     cloud: "{{ cloud }}"
-    name: router-tpot
+    name: router-tpot-ansible
     interfaces:
-      - subnet-tpot
+      - subnet-tpot-ansible

cloud/ansible/openstack/roles/create_vm/tasks/main.yaml

@@ -11,10 +11,10 @@
     boot_from_volume: yes
     volume_size: "{{ volume_size }}"
     key_name: "{{ key_name }}"
-    timeout: 200
+    auto_ip: yes
     flavor: "{{ flavor }}"
-    security_groups: sg-tpot-any
-    network: network-tpot
+    security_groups: sg-tpot-ansible
+    network: network-tpot-ansible
   register: tpot
 
 - name: Add instance to inventory

cloud/ansible/openstack/roles/install/tasks/main.yaml

@@ -23,7 +23,7 @@
    shell: /bin/bash
 
 - name: Copy T-Pot configuration file
-  ansible.builtin.template:
+  ansible.builtin.copy:
     src: ../../../../../../iso/installer/tpot.conf.dist
     dest: /root/tpot.conf
     owner: root

cloud/azure/README.md

@@ -0,0 +1,71 @@
+
+# Azure T-Pot
+
+The following deployment template will deploy a Standard T-Pot server on a Azure VM on a Network\Subnet of your choosing. [Click here to learn more on T-Pot](https://github.com/telekom-security/tpotce)
+
+[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ftelekom-security%2Ftpotce%2Fmaster%2Fcloud%2Fazure%2Fazuredeploy.json)
+[![Deploy To Azure US Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ftelekom-security%2Ftpotce%2Fmaster%2Fcloud%2Fazure%2Fazuredeploy.json)
+[![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.svg?sanitize=true)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2Ftelekom-security%2Ftpotce%2Fmaster%2Fcloud%2Fazure%2Fazuredeploy.json)
+
+## Install Instructions
+
+ 1. Update the VM Name to reflect your naming convention and taxonomy.  
+ 2. Place you Azure Virtual Network Resource Id *(Recommendation of
+    placement depending on goal, you may want to place    in Hub Virtual
+    Network to detect activity from on-premise or other    virtual
+    network spokes. You can also place in DMZ or isolated in a    unique
+    virtual network exposed to direct internet.)*
+  3. My Connection IP of a public ip address you are coming from to use dashboards and manage.
+  4. Cloud Init B64 Encoded write your cloud init yaml contents and base 64 encode them into this string parameter.
+
+Cloud-Init Yaml Example before B64 Encoding:
+
+    packages:
+      - git
+    
+    runcmd:
+      - curl -sS --retry 5 https://github.com
+      - git clone https://github.com/telekom-security/tpotce /root/tpot
+      - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
+      - rm /root/tpot.conf
+      - /sbin/shutdown -r now
+    
+    password: w3b$ecrets2!
+    chpasswd:
+      expire: false
+    
+    write_files:
+      - content: |
+          # tpot configuration file
+          myCONF_TPOT_FLAVOR='STANDARD'
+          myCONF_WEB_USER='webuser'
+          myCONF_WEB_PW='w3b$ecrets2!'
+        owner: root:root
+        path: /root/tpot.conf
+        permissions: '0600'
+
+Be sure to copy and update values like: 
+
+ - password: 
+ - myCONF_TPOT_FLAVOR= (Different flavors as follows: [STANDARD,
+   HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]
+   **Recommend deploying STANDARD** if you are exploring first time)
+ - myCONF_WEB_USER=
+ - myCONF_WEB_PW=
+
+Once you update the cloud init yaml file locally then base 64 encode and paste this string to in the securestring parameter.
+
+B64 Example: 
+
+    I2Nsb3VkLWNvbmZpZwp0aW1lem9uZTogVVMvRWFzdGVybgoKcGFja2FnZXM6CiAgLSBnaXQKCnJ1bmNtZDoKICAtIGN1cmwgLXNTIC0tcmV0cnkgNSBodHRwczovL2dpdGh1Yi5jb20KICAtIGdpdCBjbG9uZSBodHRwczovL2dpdGh1Yi5jb20vdGVsZWtvbS1zZWN1cml0eS90cG90Y2UgL3Jvb3QvdHBvdAogIC0gL3Jvb3QvdHBvdC9pc28vaW5zdGFsbGVyL2luc3RhbGwuc2ggLS10eXBlPWF1dG8gLS1jb25mPS9yb290L3Rwb3QuY29uZgogIC0gcm0gL3Jvb3QvdHBvdC5jb25mCiAgLSAvc2Jpbi9zaHV0ZG93biAtciBub3cKCnBhc3N3b3JkOiB3M2IkZWNyZXRzMiEKY2hwYXNzd2Q6CiAgZXhwaXJlOiBmYWxzZQoKd3JpdGVfZmlsZXM6CiAgLSBjb250ZW50OiB8CiAgICAgICMgdHBvdCBjb25maWd1cmF0aW9uIGZpbGUKICAgICAgbXlDT05GX1RQT1RfRkxBVk9SPSdTVEFOREFSRCcKICAgICAgbXlDT05GX1dFQl9VU0VSPSd3ZWJ1c2VyJwogICAgICBteUNPTkZfV0VCX1BXPSd3M2IkZWNyZXRzMiEnCiAgICBvd25lcjogcm9vdDpyb290CiAgICBwYXRoOiAvcm9vdC90cG90LmNvbmYKICAgIHBlcm1pc3Npb25zOiAnMDYwMCc=
+
+Click review and create, deployment of VM should take less than 5 minutes, however Cloud-Init will take some time, **typically 15 minutes** before T-Pot services are up and running.
+
+## Post Install Instructions
+Install **may take around 15 minutes** for services to come up. Check to make sure from your public IP you can connect to https://azurepuplicip:64297 you will be prompted for your username and password supplied in the B64 Cloud Init String you supplied for *myCONF_WEB_PW=* 
+
+Review the [available honeypots architecture section](https://raw.githubusercontent.com/telekom-security/tpotce/master/doc/architecture.png) and [available ports](https://github.com/telekom-security/tpotce#required-ports) and poke a hole in the Network Security Group to expose the T-Pot to your on-premise network CIDR, or other Azure virtual network CIDRs, finally you can also expose a port to the public Internet for Threat Intelligence gathering.
+
+## Network Security Group
+Please study the rules carefully. You may need to make some additional rules or modifications based on your needs and considerations. As an example if this is for internal private ip range detections you may want to remove rules and place a higher priority DENY rule preventing all the T-Pot ports and services being exposed internally, and then place a few ALLOW rules to your on-premise private ip address CIDR, other Hub Private IPs, and some Spoke Private IPs.
+![enter image description here](https://raw.githubusercontent.com/telekom-security/tpotce/master/cloud/azure/images/nsg.png)

cloud/azure/azuredeploy.json

@@ -0,0 +1,308 @@
+{
+    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "VMName": {
+            "type": "string",
+            "metadata": {
+                "description": "VM Name and convention your company uses, be sure to entice naming EX. vm-fileshares-prod-eastus-003"
+            },
+            "defaultValue": "vm-fileshares-prod-eastus-003"
+        },
+        "virtualNetworkId": {
+            "type": "string",
+            "metadata": {
+                "description": "Virtual Network Resource ID to Deploy Azure VM into"
+            },
+            "defaultValue": "/subscriptions/{SUBID}/resourceGroups/{RG NAME}/providers/Microsoft.Network/virtualNetworks/{VNET NAME}"
+        },
+        "subnetName": {
+            "type": "string",
+            "metadata": {
+                "description": "Virtual Network Subnet Name to Deploy Azure VM into"
+            }
+        },
+        "MyConnectionIP": {
+            "type": "string",
+            "minLength": 7,
+            "maxLength": 15,
+            "metadata": {
+                "description": "The Public IP I will be connecting from to administer and configure"
+            },
+            "defaultValue": "XXX.XXX.XXX.XXX"
+        },
+        "adminUsername": {
+            "type": "string",
+            "minLength": 1,
+            "defaultValue": "webuser",
+            "metadata": {
+                "description": "Admin user name for Linux VM"
+            }
+        },
+        "authenticationType": {
+            "type": "string",
+            "defaultValue": "password",
+            "allowedValues": [
+                "sshPublicKey",
+                "password"
+            ],
+            "metadata": {
+                "description": "Type of authentication to use on the Virtual Machine. SSH key is recommended."
+            }
+        },
+        "adminPasswordOrKey": {
+            "type": "securestring",
+            "metadata": {
+                "description": "SSH Key or password for the Virtual Machine. SSH key is recommended."
+            }
+        },
+        "CloudInitB64Encoded": {
+            "type": "securestring",
+            "metadata": {
+                "description": "Cloud Init Configuration as a Base 64 encoded string, decode to examine a few variables to change and encode and submit"
+            },
+            "defaultValue": "I2Nsb3VkLWNvbmZpZwp0aW1lem9uZTogVVMvRWFzdGVybgoKcGFja2FnZXM6CiAgLSBnaXQKCnJ1bmNtZDoKICAtIGN1cmwgLXNTIC0tcmV0cnkgNSBodHRwczovL2dpdGh1Yi5jb20KICAtIGdpdCBjbG9uZSBodHRwczovL2dpdGh1Yi5jb20vdGVsZWtvbS1zZWN1cml0eS90cG90Y2UgL3Jvb3QvdHBvdAogIC0gL3Jvb3QvdHBvdC9pc28vaW5zdGFsbGVyL2luc3RhbGwuc2ggLS10eXBlPWF1dG8gLS1jb25mPS9yb290L3Rwb3QuY29uZgogIC0gcm0gL3Jvb3QvdHBvdC5jb25mCiAgLSAvc2Jpbi9zaHV0ZG93biAtciBub3cKCnBhc3N3b3JkOiB3M2IkZWNyZXRzMiEKY2hwYXNzd2Q6CiAgZXhwaXJlOiBmYWxzZQoKd3JpdGVfZmlsZXM6CiAgLSBjb250ZW50OiB8CiAgICAgICMgdHBvdCBjb25maWd1cmF0aW9uIGZpbGUKICAgICAgbXlDT05GX1RQT1RfRkxBVk9SPSdTVEFOREFSRCcKICAgICAgbXlDT05GX1dFQl9VU0VSPSd3ZWJ1c2VyJwogICAgICBteUNPTkZfV0VCX1BXPSd3M2IkZWNyZXRzMiEnCiAgICBvd25lcjogcm9vdDpyb290CiAgICBwYXRoOiAvcm9vdC90cG90LmNvbmYKICAgIHBlcm1pc3Npb25zOiAnMDYwMCc="
+        }
+    },
+    "variables": {
+        "vnetId": "[parameters('virtualNetworkId')]",
+        "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]",
+        "linuxConfiguration": {
+            "disablePasswordAuthentication": true,
+                "ssh": {
+                    "publicKeys": [
+                        {
+                            "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]",
+                            "keyData": "[parameters('adminPasswordOrKey')]"
+                        }
+        ]
+      }
+    }
+    },
+    "resources": [
+        {
+            "name": "[concat(uniqueString(resourceGroup().id, deployment().name),'-nic')]",
+            "type": "Microsoft.Network/networkInterfaces",
+            "apiVersion": "2021-08-01",
+            "location": "[resourceGroup().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkSecurityGroups/', concat(uniqueString(resourceGroup().id, deployment().name),'-nsg'))]",
+                "[resourceId('Microsoft.Network/publicIpAddresses', concat(uniqueString(resourceGroup().id, deployment().name),'-pip'))]"
+            ],
+            "properties": {
+                "ipConfigurations": [
+                    {
+                        "name": "ipconfig1",
+                        "properties": {
+                            "subnet": {
+                                "id": "[variables('subnetRef')]"
+                            },
+                            "privateIPAllocationMethod": "Dynamic",
+                            "publicIpAddress": {
+                                "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', concat(uniqueString(resourceGroup().id, deployment().name),'-pip'))]",
+                                "properties": {
+                                    "deleteOption": "Detach"
+                                }
+                            }
+                        }
+                    }
+                ],
+                "enableAcceleratedNetworking": true,
+                "networkSecurityGroup": {
+                    "id": "[resourceId('Microsoft.Network/networkSecurityGroups/', concat(uniqueString(resourceGroup().id, deployment().name),'-nsg'))]"
+                }
+            }
+        },
+        {
+            "name": "[concat(uniqueString(resourceGroup().id, deployment().name),'-nsg')]",
+            "type": "Microsoft.Network/networkSecurityGroups",
+            "apiVersion": "2019-02-01",
+            "location": "[resourceGroup().location]",
+            "properties": {
+            "securityRules": [
+            {
+                "name": "AllowAzureCloud22Inbound",
+                "properties": {
+                    "protocol": "*",
+                    "sourcePortRange": "*",
+                    "destinationPortRange": "22",
+                    "sourceAddressPrefix": "AzureCloud",
+                    "destinationAddressPrefix": "*",
+                    "access": "Allow",
+                    "priority": 1011,
+                    "direction": "Inbound",
+                    "sourcePortRanges": [],
+                    "destinationPortRanges": [],
+                    "sourceAddressPrefixes": [],
+                    "destinationAddressPrefixes": []
+                }
+            },
+            {
+                "name": "AllowCustom64294Inbound",
+                "properties": {
+                    "protocol": "*",
+                    "sourcePortRange": "*",
+                    "destinationPortRange": "64294",
+                    "sourceAddressPrefix": "[parameters('MyConnectionIP')]",
+                    "destinationAddressPrefix": "*",
+                    "access": "Allow",
+                    "priority": 1021,
+                    "direction": "Inbound",
+                    "sourcePortRanges": [],
+                    "destinationPortRanges": [],
+                    "sourceAddressPrefixes": [],
+                    "destinationAddressPrefixes": []
+                }
+            },
+            {
+                "name": "AllowSSHCustom64295Inbound",
+                "properties": {
+                    "protocol": "*",
+                    "sourcePortRange": "*",
+                    "destinationPortRange": "64295",
+                    "sourceAddressPrefix": "[parameters('MyConnectionIP')]",
+                    "destinationAddressPrefix": "*",
+                    "access": "Allow",
+                    "priority": 1031,
+                    "direction": "Inbound",
+                    "sourcePortRanges": [],
+                    "destinationPortRanges": [],
+                    "sourceAddressPrefixes": [],
+                    "destinationAddressPrefixes": []
+                }
+            },
+            {
+                "name": "AllowAzureCloud64295Inbound",
+                "properties": {
+                    "protocol": "*",
+                    "sourcePortRange": "*",
+                    "destinationPortRange": "64295",
+                    "sourceAddressPrefix": "AzureCloud",
+                    "destinationAddressPrefix": "*",
+                    "access": "Allow",
+                    "priority": 1041,
+                    "direction": "Inbound",
+                    "sourcePortRanges": [],
+                    "destinationPortRanges": [],
+                    "sourceAddressPrefixes": [],
+                    "destinationAddressPrefixes": []
+                }
+            },
+            {
+                "name": "AllowCustom64297Inbound",
+                "properties": {
+                    "protocol": "*",
+                    "sourcePortRange": "*",
+                    "destinationPortRange": "64297",
+                    "sourceAddressPrefix": "[parameters('MyConnectionIP')]",
+                    "destinationAddressPrefix": "*",
+                    "access": "Allow",
+                    "priority": 1051,
+                    "direction": "Inbound",
+                    "sourcePortRanges": [],
+                    "destinationPortRanges": [],
+                    "sourceAddressPrefixes": [],
+                    "destinationAddressPrefixes": []
+                }
+            },
+            {
+                "name": "AllowAllHomeOfficeCustomAnyInbound",
+                "properties": {
+                    "protocol": "*",
+                    "sourcePortRange": "*",
+                    "destinationPortRange": "*",
+                    "sourceAddressPrefix": "[parameters('MyConnectionIP')]",
+                    "destinationAddressPrefix": "*",
+                    "access": "Allow",
+                    "priority": 1061,
+                    "direction": "Inbound",
+                    "sourcePortRanges": [],
+                    "destinationPortRanges": [],
+                    "sourceAddressPrefixes": [],
+                    "destinationAddressPrefixes": []
+                }
+            }
+        ]
+            }
+        },
+        {
+            "name": "[concat(uniqueString(resourceGroup().id, deployment().name),'-pip')]",
+            "type": "Microsoft.Network/publicIpAddresses",
+            "apiVersion": "2020-08-01",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "publicIpAllocationMethod": "Static"
+            },
+            "sku": {
+                "name": "Standard"
+            },
+            "zones": [
+                "1"
+            ]
+        },
+        {
+            "name": "[parameters('VMName')]",
+            "type": "Microsoft.Compute/virtualMachines",
+            "apiVersion": "2022-03-01",
+            "location": "[resourceGroup().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Network/networkInterfaces', concat(uniqueString(resourceGroup().id, deployment().name),'-nic'))]"
+            ],
+            "properties": {
+                "hardwareProfile": {
+                    "vmSize": "Standard_D4s_v3"
+                },
+                "storageProfile": {
+                    "osDisk": {
+                        "createOption": "fromImage",
+                        "managedDisk": {
+                            "storageAccountType": "StandardSSD_LRS"
+                        },
+                        "deleteOption": "Delete"
+                    },
+                    "imageReference": {
+                        "publisher": "debian",
+                        "offer": "debian-11",
+                        "sku": "11-gen2",
+                        "version": "latest"
+                    },
+                    "dataDisks": [
+                        {
+                            "name": "[concat(parameters('VMName'),'-datadisk')]",
+                            "diskSizeGB": 256,
+                            "lun": 0,
+                            "createOption": "Empty",
+                            "caching": "ReadWrite"
+                        }
+                    ]
+                },
+                "networkProfile": {
+                    "networkInterfaces": [
+                        {
+                            "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(uniqueString(resourceGroup().id, deployment().name),'-nic'))]",
+                            "properties": {
+                                "deleteOption": "Delete"
+                            }
+                        }
+                    ]
+                },
+                "osProfile": {
+                    "computerName": "[parameters('VMName')]",
+                    "adminUsername": "[parameters('adminUsername')]",
+                    "adminPassword": "[parameters('adminPasswordOrKey')]",
+                    "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]",
+                    "customData": "[parameters('CloudInitB64Encoded')]"
+                },
+                "diagnosticsProfile": {
+                    "bootDiagnostics": {
+                        "enabled": true
+                    }
+                }
+            },
+            "zones": [
+                "1"
+            ]
+        }
+    ],
+    "outputs": {}
+}

cloud/terraform/README.md

@@ -37,12 +37,13 @@ This can easily be extended to support other [Terraform providers](https://regis
 <a name="what-created-otc"></a>
 ### Open Telekom Cloud (OTC)
 * ECS instance:
-  * s2.medium.8 (1 vCPU, 8 GB RAM)
+  * s3.medium.8 (1 vCPU, 8 GB RAM)
   * 128 GB disk
   * Debian 10
   * Public EIP
 * Security Group
-* Network, Subnet, Router (= Virtual Private Cloud [VPC])
+  * All TCP/UDP ports are open to the Internet
+* Virtual Private Cloud (VPC) and Subnet
 
 <a name="pre"></a>
 ## Prerequisites
@@ -90,11 +91,13 @@ In `aws/variables.tf`, you can change the additional variables:
 <a name="variables-otc"></a>
 ### Open Telekom Cloud (OTC)
 In `otc/variables.tf`, you can change the additional variables:
+* `ecs_flavor`
+* `ecs_disk_size`
 * `availability_zone`
-* `flavor`
 * `key_pair` - Specify an existing SSH key pair
-* `volume_size`  
-Furthermore you can configure the naming of the created infrastructure (per default everything gets prefixed with "tpot-", e.g. "tpot-router").
+* `eip_size`
+
+... and some more, but these are the most relevant.
 
 <a name="initialising"></a>
 ## Initialising

cloud/terraform/aws/main.tf

@@ -60,7 +60,7 @@ resource "aws_instance" "tpot" {
     volume_size           = 128
     delete_on_termination = true
   }
-  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
-  vpc_security_group_ids = [aws_security_group.tpot.id]
+  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
+  vpc_security_group_ids      = [aws_security_group.tpot.id]
   associate_public_ip_address = true
 }

cloud/terraform/aws/variables.tf

@@ -28,34 +28,35 @@ variable "ec2_instance_type" {
   default = "t3.large"
 }
 
-# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Buster
+# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
 variable "ec2_ami" {
   type = map(string)
   default = {
-    "af-south-1"     = "ami-04090a79eb0bcb6c1"
-    "ap-east-1"      = "ami-0327f60df432e2479"
-    "ap-northeast-1" = "ami-06bc324209030cbc8"
-    "ap-northeast-2" = "ami-02ee842962ae7df95"
-    "ap-south-1"     = "ami-0d548fffbb2d54e42"
-    "ap-southeast-1" = "ami-0dcf891cda6248f00"
-    "ap-southeast-2" = "ami-022578f782d4e5d30"
-    "ca-central-1"   = "ami-01444dd84a75e9a82"
-    "eu-central-1"   = "ami-097411fa8fbfdffda"
-    "eu-north-1"     = "ami-026984326b6456f6a"
-    "eu-south-1"     = "ami-07ad114e5df69197e"
-    "eu-west-1"      = "ami-0101794b418f8b2a6"
-    "eu-west-2"      = "ami-00eac9341e72e638a"
-    "eu-west-3"      = "ami-01469c569416f3bd3"
-    "me-south-1"     = "ami-0821f357b877b076d"
-    "sa-east-1"      = "ami-0c87b2c6219e3d5fd"
-    "us-east-1"      = "ami-047f0b13f023f6553"
-    "us-east-2"      = "ami-0988470f4e830799f"
-    "us-west-1"      = "ami-0be6bacfeb2913ac2"
-    "us-west-2"      = "ami-0112d55fbe29acc68"
+    "af-south-1"     = "ami-0c372f041acae6d49"
+    "ap-east-1"      = "ami-079b8d011d4655385"
+    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
+    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
+    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
+    "ap-south-1"     = "ami-020d429f17c9f1d0a"
+    "ap-southeast-1" = "ami-09625a221230d9fe6"
+    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
+    "ca-central-1"   = "ami-09125623b02302014"
+    "eu-central-1"   = "ami-00c36c60f07e21791"
+    "eu-north-1"     = "ami-052bea934e2d9dbfe"
+    "eu-south-1"     = "ami-04e2bb16d37324719"
+    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
+    "eu-west-2"      = "ami-02ed1bc837487d535"
+    "eu-west-3"      = "ami-080efd2add7e29430"
+    "me-south-1"     = "ami-0dbde382c834c4a72"
+    "sa-east-1"      = "ami-0a0792814cb068077"
+    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
+    "us-east-2"      = "ami-04dd0542609808c50"
+    "us-west-1"      = "ami-07af5f877b3db9f73"
+    "us-west-2"      = "ami-0d0d8694ba492c02b"
   }
 }
 
-# cloud-init configuration
+## cloud-init configuration ##
 variable "timezone" {
   default = "UTC"
 }
@@ -63,20 +64,30 @@ variable "timezone" {
 variable "linux_password" {
   #default = "LiNuXuSeRPaSs#"
   description = "Set a password for the default user"
+
+  validation {
+    condition     = length(var.linux_password) > 0
+    error_message = "Please specify a password for the default user."
+  }
 }
 
-# These will go in the generated tpot.conf file
+## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
-  default = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]"
+  default     = "STANDARD"
+  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
 }
 
 variable "web_user" {
-  default = "webuser"
+  default     = "webuser"
   description = "Set a username for the web user"
 }
 
 variable "web_password" {
   #default = "w3b$ecret"
   description = "Set a password for the web user"
+
+  validation {
+    condition     = length(var.web_password) > 0
+    error_message = "Please specify a password for the web user."
+  }
 }

cloud/terraform/aws/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 0.13"
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
       version = "3.26.0"
     }
   }

cloud/terraform/aws_multi_region/_provider.tf

@@ -0,0 +1,9 @@
+provider "aws" {
+  alias  = "eu-west-2"
+  region = "eu-west-2"
+}
+
+provider "aws" {
+  alias  = "us-west-1"
+  region = "us-west-1"
+}

cloud/terraform/aws_multi_region/main.tf

@@ -0,0 +1,27 @@
+module "eu-west-2" {
+  source = "./modules/multi-region"
+  ec2_vpc_id = "vpc-xxxxxxxx"
+  ec2_subnet_id = "subnet-xxxxxxxx"
+  ec2_region = "eu-west-2"
+  tpot_name = "T-Pot Honeypot"
+  
+  linux_password = var.linux_password
+  web_password = var.web_password
+  providers = {
+    aws = aws.eu-west-2
+  }
+}
+
+module "us-west-1" {
+  source = "./modules/multi-region"
+  ec2_vpc_id = "vpc-xxxxxxxx"
+  ec2_subnet_id = "subnet-xxxxxxxx"
+  ec2_region = "us-west-1"
+  tpot_name = "T-Pot Honeypot"
+
+  linux_password = var.linux_password
+  web_password = var.web_password
+  providers = {
+    aws = aws.us-west-1
+  }
+}

cloud/terraform/aws_multi_region/modules/multi-region/main.tf

@@ -0,0 +1,69 @@
+variable "ec2_vpc_id" {}
+variable "ec2_subnet_id" {}
+variable "ec2_region" {}
+variable "linux_password" {}
+variable "web_password" {}
+variable "tpot_name" {}
+
+resource "aws_security_group" "tpot" {
+  name        = "T-Pot"
+  description = "T-Pot Honeypot"
+  vpc_id      = var.ec2_vpc_id
+  ingress {
+    from_port   = 0
+    to_port     = 64000
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 0
+    to_port     = 64000
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 64294
+    to_port     = 64294
+    protocol    = "tcp"
+    cidr_blocks = var.admin_ip
+  }
+  ingress {
+    from_port   = 64295
+    to_port     = 64295
+    protocol    = "tcp"
+    cidr_blocks = var.admin_ip
+  }
+  ingress {
+    from_port   = 64297
+    to_port     = 64297
+    protocol    = "tcp"
+    cidr_blocks = var.admin_ip
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "T-Pot"
+  }
+}
+
+resource "aws_instance" "tpot" {
+  ami           = var.ec2_ami[var.ec2_region]
+  instance_type = var.ec2_instance_type
+  key_name      = var.ec2_ssh_key_name
+  subnet_id     = var.ec2_subnet_id
+  tags = {
+    Name = var.tpot_name
+  }
+  root_block_device {
+    volume_type           = "gp2"
+    volume_size           = 128
+    delete_on_termination = true
+  }
+  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
+  vpc_security_group_ids      = [aws_security_group.tpot.id]
+  associate_public_ip_address = true
+}

cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf

@@ -0,0 +1,12 @@
+output "Admin_UI" {
+  value = "https://${aws_instance.tpot.public_dns}:64294/"
+}
+
+output "SSH_Access" {
+  value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
+}
+
+output "Web_UI" {
+  value = "https://${aws_instance.tpot.public_dns}:64297/"
+}
+

cloud/terraform/aws_multi_region/modules/multi-region/variables.tf

@@ -0,0 +1,57 @@
+variable "admin_ip" {
+  default     = ["127.0.0.1/32"]
+  description = "admin IP addresses in CIDR format"
+}
+
+variable "ec2_ssh_key_name" {
+  default = "default"
+}
+
+# https://aws.amazon.com/ec2/instance-types/
+variable "ec2_instance_type" {
+  default = "t3.xlarge"
+}
+
+# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
+variable "ec2_ami" {
+  type = map(string)
+  default = {
+    "af-south-1"     = "ami-0c372f041acae6d49"
+    "ap-east-1"      = "ami-079b8d011d4655385"
+    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
+    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
+    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
+    "ap-south-1"     = "ami-020d429f17c9f1d0a"
+    "ap-southeast-1" = "ami-09625a221230d9fe6"
+    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
+    "ca-central-1"   = "ami-09125623b02302014"
+    "eu-central-1"   = "ami-00c36c60f07e21791"
+    "eu-north-1"     = "ami-052bea934e2d9dbfe"
+    "eu-south-1"     = "ami-04e2bb16d37324719"
+    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
+    "eu-west-2"      = "ami-02ed1bc837487d535"
+    "eu-west-3"      = "ami-080efd2add7e29430"
+    "me-south-1"     = "ami-0dbde382c834c4a72"
+    "sa-east-1"      = "ami-0a0792814cb068077"
+    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
+    "us-east-2"      = "ami-04dd0542609808c50"
+    "us-west-1"      = "ami-07af5f877b3db9f73"
+    "us-west-2"      = "ami-0d0d8694ba492c02b"
+  }
+}
+
+## cloud-init configuration ##
+variable "timezone" {
+  default = "UTC"
+}
+
+## These will go in the generated tpot.conf file ##
+variable "tpot_flavor" {
+  default     = "STANDARD"
+  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
+}
+
+variable "web_user" {
+  default     = "webuser"
+  description = "Set a username for the web user"
+}

cloud/terraform/aws_multi_region/modules/multi-region/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "3.72.0"
+    }
+  }
+}

cloud/terraform/aws_multi_region/outputs.tf

@@ -0,0 +1,7 @@
+output "eu-west-2_Web_UI" {
+  value = module.eu-west-2.Web_UI
+}
+
+output "us-west-1_Web_UI" {
+  value = module.us-west-1.Web_UI
+}

cloud/terraform/aws_multi_region/variables.tf

@@ -0,0 +1,19 @@
+variable "linux_password" {
+  #default = "LiNuXuSeRP4Ss!"
+  description = "Set a password for the default user"
+
+  validation {
+    condition     = length(var.linux_password) > 0
+    error_message = "Please specify a password for the default user."
+  }
+}
+
+variable "web_password" {
+  #default = "w3b$ecret20"
+  description = "Set a password for the web user"
+
+  validation {
+    condition     = length(var.web_password) > 0
+    error_message = "Please specify a password for the web user."
+  }
+}

cloud/terraform/cloud-init.yaml

@@ -5,6 +5,7 @@ packages:
   - git
 
 runcmd:
+  - curl -sS --retry 5 https://github.com
   - git clone https://github.com/telekom-security/tpotce /root/tpot
   - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
   - rm /root/tpot.conf

cloud/terraform/otc/.terraform.lock.hcl

@@ -2,38 +2,37 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/random" {
-  version     = "3.0.1"
-  constraints = "~> 3.0.1"
+  version     = "3.1.0"
+  constraints = "~> 3.1.0"
   hashes = [
-    "h1:SzM8nt2wzLMI28A3CWAtW25g3ZCm1O4xD0h3Ps/rU1U=",
-    "zh:0d4f683868324af056a9eb2b06306feef7c202c88dbbe6a4ad7517146a22fb50",
-    "zh:4824b3c7914b77d41dfe90f6f333c7ac9860afb83e2a344d91fbe46e5dfbec26",
-    "zh:4b82e43712f3cf0d0cbc95b2cbcd409ba8f0dc7848fdfb7c13633c27468ed04a",
-    "zh:78b3a2b860c3ebc973a794000015f5946eb59b82705d701d487475406b2612f1",
-    "zh:88bc65197bd74ff408d147b32f0045372ae3a3f2a2fdd7f734f315d988c0e4a2",
-    "zh:91bd3c9f625f177f3a5d641a64e54d4b4540cb071070ecda060a8261fb6eb2ef",
-    "zh:a6818842b28d800f784e0c93284ff602b0c4022f407e4750da03f50b853a9a2c",
-    "zh:c4a1a2b52abd05687e6cfded4a789dcd7b43e7a746e4d02dd1055370cf9a994d",
-    "zh:cf65041bf12fc3bde709c1d267dbe94142bc05adcabc4feb17da3b12249132ac",
-    "zh:e385e00e7425dda9d30b74ab4ffa4636f4b8eb23918c0b763f0ffab84ece0c5c",
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
   ]
 }
 
 provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
-  version     = "1.22.5"
-  constraints = "1.22.5"
+  version     = "1.23.6"
+  constraints = "~> 1.23.4"
   hashes = [
-    "h1:H20WxSx+j2JyrqHAgqsrV3rMWEOEZVEQuA7upz/1IgY=",
-    "zh:276ab06e7c011351fc5a803fea0321a9d12b1353bd43f5389f3bbf491e31fc41",
-    "zh:3191dc598ea4e4c99d08a2b1a5f65710dbcc1a892b1f9dde7b52515f32028319",
-    "zh:43db37c5fb6a886ce3bbc2aa730854476da7dd0340622ad874998041fa96f7a2",
-    "zh:45f3e2677a4c35bd88d435c906224092e0dde17055a203b474da2eeacffbf9b7",
-    "zh:504568581e561130fc0a9ceb6514e9664c67e3a89cd6c912f64c82f0a0305a30",
-    "zh:5646c76cbe710fd0acde409cdcfb352dd53a282c0207e46e33ac5714d0eaa0b9",
-    "zh:578b0f5d43f156f86ca6a63604da6e968f035d0b4bf6ccfc83db284fd31057f6",
-    "zh:784459b8350dc650f01e6866bcec0632e8b5a8733d81e6ed53bc8cc1254abb92",
-    "zh:970aa873a81994cddf84279b255d3f51a4138b23cb9162707cefb84042451bfc",
-    "zh:e892b8b6225a46067586b8e54a7102ac1b0fc296b4851dab3d4cc185de538d66",
-    "zh:f8c4699eebe99ac93d9cdccfcc809a5bd3d6c238be136d5a26c4e812ef30ec32",
+    "h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
+    "zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
+    "zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
+    "zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
+    "zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
+    "zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
+    "zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
+    "zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
+    "zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
+    "zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
   ]
 }

cloud/terraform/otc/main.tf

@@ -14,24 +14,18 @@ resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
   security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
 }
 
-resource "opentelekomcloud_networking_network_v2" "network_1" {
-  name = var.network_name
+resource "opentelekomcloud_vpc_v1" "vpc_1" {
+  name = var.vpc_name
+  cidr = var.vpc_cidr
 }
 
-resource "opentelekomcloud_networking_subnet_v2" "subnet_1" {
-  name            = var.subnet_name
-  network_id      = opentelekomcloud_networking_network_v2.network_1.id
-  cidr            = "192.168.0.0/24"
-  dns_nameservers = ["1.1.1.1", "8.8.8.8"]
-}
+resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
+  name   = var.subnet_name
+  cidr   = var.subnet_cidr
+  vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
 
-resource "opentelekomcloud_networking_router_v2" "router_1" {
-  name = var.router_name
-}
-
-resource "opentelekomcloud_networking_router_interface_v2" "router_interface_1" {
-  router_id = opentelekomcloud_networking_router_v2.router_1.id
-  subnet_id = opentelekomcloud_networking_subnet_v2.subnet_1.id
+  gateway_ip = var.subnet_gateway_ip
+  dns_list   = ["100.125.4.25", "100.125.129.199"]
 }
 
 resource "random_id" "tpot" {
@@ -39,33 +33,36 @@ resource "random_id" "tpot" {
   prefix      = var.ecs_prefix
 }
 
-resource "opentelekomcloud_compute_instance_v2" "ecs_1" {
+resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
+  name     = random_id.tpot.b64_url
+  image_id = data.opentelekomcloud_images_image_v2.debian.id
+  flavor   = var.ecs_flavor
+  vpc_id   = opentelekomcloud_vpc_v1.vpc_1.id
+
+  nics {
+    network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
+  }
+
+  system_disk_size  = var.ecs_disk_size
+  system_disk_type  = "SAS"
+  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
   availability_zone = var.availability_zone
-  name              = random_id.tpot.b64_std
-  flavor_name       = var.flavor
-  key_pair          = var.key_pair
-  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.name]
-  user_data         = templatefile("../cloud-init.yaml", {timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password})
+  key_name          = var.key_pair
+  user_data         = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
+}
 
-  network {
-    name = opentelekomcloud_networking_network_v2.network_1.name
+resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
+  publicip {
+    type = "5_bgp"
   }
-
-  block_device {
-    uuid                  = data.opentelekomcloud_images_image_v2.debian.id
-    source_type           = "image"
-    volume_size           = var.volume_size
-    destination_type      = "volume"
-    delete_on_termination = "true"
+  bandwidth {
+    name       = "bandwidth-${random_id.tpot.b64_url}"
+    size       = var.eip_size
+    share_type = "PER"
   }
-
-  depends_on = [opentelekomcloud_networking_router_interface_v2.router_interface_1]
 }
 
-resource "opentelekomcloud_networking_floatingip_v2" "floatip_1" {
-}
-
-resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_2" {
-  floating_ip = opentelekomcloud_networking_floatingip_v2.floatip_1.address
-  instance_id = opentelekomcloud_compute_instance_v2.ecs_1.id
+resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
+  floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
+  instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
 }

cloud/terraform/otc/outputs.tf

@@ -1,11 +1,11 @@
 output "Admin_UI" {
-  value = "https://${opentelekomcloud_networking_floatingip_v2.floatip_1.address}:64294"
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
 }
 
 output "SSH_Access" {
-  value = "ssh -p 64295 linux@${opentelekomcloud_networking_floatingip_v2.floatip_1.address}"
+  value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
 }
 
 output "Web_UI" {
-  value = "https://${opentelekomcloud_networking_floatingip_v2.floatip_1.address}:64297"
+  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
 }

cloud/terraform/otc/provider.tf

@@ -1,3 +1,3 @@
 provider "opentelekomcloud" {
-    cloud = "open-telekom-cloud"
+  cloud = "open-telekom-cloud"
 }

cloud/terraform/otc/variables.tf

@@ -1,4 +1,4 @@
-# cloud-init configuration
+## cloud-init configuration ##
 variable "timezone" {
   default = "UTC"
 }
@@ -6,66 +6,93 @@ variable "timezone" {
 variable "linux_password" {
   #default = "LiNuXuSeRPaSs#"
   description = "Set a password for the default user"
+
+  validation {
+    condition     = length(var.linux_password) > 0
+    error_message = "Please specify a password for the default user."
+  }
 }
 
-# Cloud resources name configuration
+## Security Group ##
 variable "secgroup_name" {
-  default = "tpot-secgroup"
+  default = "sg-tpot"
 }
 
 variable "secgroup_desc" {
-  default = "T-Pot Security Group"
+  default = "Security Group for T-Pot"
 }
 
-variable "network_name" {
-  default = "tpot-network"
+## Virtual Private Cloud ##
+variable "vpc_name" {
+  default = "vpc-tpot"
 }
 
+variable "vpc_cidr" {
+  default = "192.168.0.0/16"
+}
+
+## Subnet ##
 variable "subnet_name" {
-  default = "tpot-subnet"
+  default = "subnet-tpot"
 }
 
-variable "router_name" {
-  default = "tpot-router"
+variable "subnet_cidr" {
+  default = "192.168.0.0/24"
 }
 
+variable "subnet_gateway_ip" {
+  default = "192.168.0.1"
+}
+
+## Elastic Cloud Server ##
 variable "ecs_prefix" {
   default = "tpot-"
 }
 
-# ECS configuration
-variable "availability_zone" {
-  default = "eu-de-03"
-  description = "Select an availability zone"
+variable "ecs_flavor" {
+  default = "s3.medium.8"
 }
 
-variable "flavor" {
-  default = "s3.medium.8"
-  description = "Select a compute flavor"
+variable "ecs_disk_size" {
+  default = "128"
+}
+
+variable "availability_zone" {
+  default = "eu-de-03"
 }
 
 variable "key_pair" {
   #default = ""
   description = "Specify your SSH key pair"
+
+  validation {
+    condition     = length(var.key_pair) > 0
+    error_message = "Please specify a Key Pair."
+  }
 }
 
-variable "volume_size" {
-  default = "128"
-  description = "Set the volume size"
+## Elastic IP ##
+variable "eip_size" {
+  default = "100"
 }
 
-# These will go in the generated tpot.conf file
+## These will go in the generated tpot.conf file ##
 variable "tpot_flavor" {
-  default = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, MEDICAL]"
+  default     = "STANDARD"
+  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
 }
 
 variable "web_user" {
-  default = "webuser"
+  default     = "webuser"
   description = "Set a username for the web user"
 }
 
 variable "web_password" {
   #default = "w3b$ecret"
   description = "Set a password for the web user"
+
+  validation {
+    condition     = length(var.web_password) > 0
+    error_message = "Please specify a password for the web user."
+  }
 }

cloud/terraform/otc/versions.tf

@@ -2,12 +2,12 @@ terraform {
   required_version = ">= 0.13"
   required_providers {
     opentelekomcloud = {
-      source = "opentelekomcloud/opentelekomcloud"
-      version = "1.22.5"
+      source  = "opentelekomcloud/opentelekomcloud"
+      version = "~> 1.23.4"
     }
     random = {
-      source = "hashicorp/random"
-      version = "~> 3.0.1"
+      source  = "hashicorp/random"
+      version = "~> 3.1.0"
     }
   }
 }

docker/adbhoney/Dockerfile

@@ -1,20 +1,20 @@
-FROM alpine:3.13
+FROM alpine:3.17
 #
 # Include dist
-ADD dist/ /root/dist/
+COPY dist/ /root/dist/
 #
 # Install packages
-RUN apk -U add \
+RUN apk --no-cache -U add \
             git \
-            libcap \
-	    py3-pip \
-            python3 \
-            python3-dev && \
+	    procps \
+	    py3-requests \
+            python3 && \
 #
 # Install adbhoney from git
     git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
     cd /opt/adbhoney && \
-    git checkout ad7c17e78d01f6860d58ba826a4b6a4e4f83acbd && \
+#    git checkout 2417a7a982f4fd527b3a048048df9a23178767ad && \
+    git checkout 42afd98611724ca3d694a48b694c957e8d953db4 && \
     cp /root/dist/adbhoney.cfg /opt/adbhoney && \
     sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
     sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
@@ -23,16 +23,15 @@ RUN apk -U add \
     addgroup -g 2000 adbhoney && \
     adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
     chown -R adbhoney:adbhoney /opt/adbhoney && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
 #
 # Clean up
-    apk del --purge git \
-                    python3-dev && \
-    rm -rf /root/* && \
-    rm -rf /var/cache/apk/*
+    apk del --purge git && \
+    rm -rf /root/* /opt/adbhoney/.git /var/cache/apk/*
 #
 # Set workdir and start adbhoney
 STOPSIGNAL SIGINT
+# Adbhoney sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
+HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
 USER adbhoney:adbhoney
 WORKDIR /opt/adbhoney/
-CMD nohup /usr/bin/python3 run.py
+CMD /usr/bin/python3 run.py

docker/adbhoney/dist/adbhoney.cfg

@@ -3,6 +3,8 @@ hostname = honeypot01
 
 address = 0.0.0.0
 port = 5555
+http_download = true
+http_timeout = 45
 
 download_dir = dl/
 log_dir = log/

docker/adbhoney/docker-compose.yml

@@ -10,11 +10,13 @@ services:
     build: .
     container_name: adbhoney
     restart: always
+    #    cpu_count: 1
+    #    cpus: 0.25
     networks:
      - adbhoney_local
     ports:
      - "5555:5555"
-    image: "ghcr.io/telekom-security/adbhoney:2006"
+    image: "dtagdevsec/adbhoney:2204"
     read_only: true
     volumes:
      - /data/adbhoney/log:/opt/adbhoney/log

docker/builder.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Setup Vars
+myPLATFORMS="linux/amd64,linux/arm64"
+myHUBORG="dtagdevsec"
+myTAG="2204"
+myIMAGESBASE="adbhoney ciscoasa citrixhoneypot conpot cowrie ddospot dicompot dionaea elasticpot endlessh ewsposter fatt glutton hellpot heralding honeypots honeytrap ipphoney log4pot mailoney medpot nginx p0f redishoneypot sentrypeer spiderfoot suricata wordpot"
+myIMAGESELK="elasticsearch kibana logstash map"
+myIMAGESTANNER="phpox redis snare tanner"
+myBUILDERLOG="builder.log"
+myBUILDERERR="builder.err"
+myBUILDCACHE="/buildcache"
+
+# Got root?
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+
+# Check for Buildx
+docker buildx > /dev/null 2>&1 
+if [ "$?" == "1" ];
+  then
+    echo "### Build environment not setup. Run bin/setup_builder.sh"
+fi
+
+# Only run with command switch
+if [ "$1" == "" ]; then
+  echo "### T-Pot Multi Arch Image Builder."
+  echo "## Usage: builder.sh [build, push]"
+  echo "## build - Just build images, do not push."
+  echo "## push - Build and push images."
+  echo "## Pushing requires an active docker login."
+  exit
+fi
+
+fuBUILDIMAGES () {
+local myPATH="$1"
+local myIMAGELIST="$2"
+local myPUSHOPTION="$3"
+
+for myREPONAME in $myIMAGELIST;
+  do
+    echo -n "Now building: $myREPONAME in $myPATH$myREPONAME/."
+    docker buildx build --cache-from "type=local,src=$myBUILDCACHE" --cache-to "type=local,dest=$myBUILDCACHE" --platform $myPLATFORMS -t $myHUBORG/$myREPONAME:$myTAG $myPUSHOPTION $myPATH$myREPONAME/. >> $myBUILDERLOG 2>&1
+    if [ "$?" != "0" ];
+      then
+	echo " [ ERROR ] - Check logs!"
+	echo "Error building $myREPONAME" >> "$myBUILDERERR"
+      else
+	echo " [ OK ]"
+    fi
+done
+}
+
+# Just build images
+if [ "$1" == "build" ];
+  then
+    mkdir -p $myBUILDCACHE
+    rm -f "$myBUILDERLOG" "$myBUILDERERR" 
+    echo "### Building images ..."
+    fuBUILDIMAGES "" "$myIMAGESBASE" ""
+    fuBUILDIMAGES "elk/" "$myIMAGESELK" ""
+    fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" ""
+fi
+
+# Build and push images
+if [ "$1" == "push" ];
+  then
+    mkdir -p $myBUILDCACHE
+    rm -f "$myBUILDERLOG" "$myBUILDERERR" 
+    echo "### Building and pushing images ..."
+    fuBUILDIMAGES "" "$myIMAGESBASE" "--push"
+    fuBUILDIMAGES "elk/" "$myIMAGESELK" "--push"
+    fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" "--push"
+fi
+

docker/ciscoasa/Dockerfile

@@ -1,11 +1,11 @@
-FROM alpine:3.13
+FROM alpine:3.17
 #
 # Include dist
-ADD dist/ /root/dist/
+COPY dist/ /root/dist/
 #
 # Setup env and apt
-RUN apk -U upgrade && \
-    apk add build-base \
+RUN apk --no-cache -U upgrade && \
+    apk --no-cache add build-base \
             git \
             libffi \
             libffi-dev \
@@ -26,6 +26,7 @@ RUN apk -U upgrade && \
     git clone https://github.com/cymmetria/ciscoasa_honeypot && \
     cd ciscoasa_honeypot && \
     git checkout d6e91f1aab7fe6fc01fabf2046e76b68dd6dc9e2 && \
+    sed -i "s/git+git/git+https/g" requirements.txt && \
     pip3 install --no-cache-dir -r requirements.txt && \
     cp /root/dist/asa_server.py /opt/ciscoasa_honeypot && \
     chown -R ciscoasa:ciscoasa /opt/ciscoasa_honeypot && \
@@ -37,6 +38,7 @@ RUN apk -U upgrade && \
                     openssl-dev \
                     python3-dev && \
     rm -rf /root/* && \
+    rm -rf /opt/ciscoasa_honeypot/.git && \
     rm -rf /var/cache/apk/*
 #
 # Start ciscoasa

docker/ciscoasa/docker-compose.yml

@@ -1,5 +1,8 @@
 version: '2.3'
 
+networks:
+  ciscoasa_local:
+
 services:
 
 # Ciscoasa service
@@ -9,11 +12,14 @@ services:
     restart: always
     tmpfs:
      - /tmp/ciscoasa:uid=2000,gid=2000
-    network_mode: "host"
+#    cpu_count: 1
+#    cpus: 0.25
+    networks:
+     - ciscoasa_local
     ports:
      - "5000:5000/udp"
      - "8443:8443"
-    image: "ghcr.io/telekom-security/ciscoasa:2006"
+    image: "dtagdevsec/ciscoasa:2204"
     read_only: true
     volumes:
      - /data/ciscoasa/log:/var/log/ciscoasa

docker/citrixhoneypot/Dockerfile

@@ -1,13 +1,12 @@
-FROM alpine:3.13
+FROM alpine:3.17
 #
 # Install packages
-RUN apk -U add \
+RUN apk --no-cache -U add \
             git \
             libcap \
 	    openssl \
             py3-pip \
-            python3 \
-            python3-dev && \
+            python3 && \
 #
     pip3 install --no-cache-dir python-json-logger && \
 #
@@ -29,13 +28,13 @@ RUN apk -U add \
     addgroup -g 2000 citrixhoneypot && \
     adduser -S -H -s /bin/ash -u 2000 -D -g 2000 citrixhoneypot && \
     chown -R citrixhoneypot:citrixhoneypot /opt/citrixhoneypot && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
 #
 # Clean up
     apk del --purge git \
-                    openssl \
-                    python3-dev && \
+                    openssl && \
     rm -rf /root/* && \
+    rm -rf /opt/citrixhoneypot/.git && \
     rm -rf /var/cache/apk/*
 #
 # Set workdir and start citrixhoneypot

docker/citrixhoneypot/docker-compose.yml

@@ -10,11 +10,13 @@ services:
     build: .
     container_name: citrixhoneypot
     restart: always
+#    cpu_count: 1
+#    cpus: 0.25
     networks:
      - citrixhoneypot_local
     ports:
      - "443:443"
-    image: "ghcr.io/telekom-security/citrixhoneypot:2006"
+    image: "dtagdevsec/citrixhoneypot:2204"
     read_only: true
     volumes:
      - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs

docker/conpot/Dockerfile

@@ -1,11 +1,12 @@
-FROM alpine:edge
+FROM alpine:3.17
 #
 # Include dist
-ADD dist/ /root/dist/
+COPY dist/ /root/dist/
 #
 # Setup apt
-RUN apk -U add \
+RUN apk --no-cache -U add \
              build-base \
+	     cython \
              file \
              git \
              libev \
@@ -16,49 +17,64 @@ RUN apk -U add \
              libxslt-dev \
              mariadb-dev \
              pkgconfig \
+	     procps \
              python3 \
              python3-dev \
-             py3-cffi \
-             py3-cryptography \
+	     py3-cffi \
+	     py3-cryptography \
+	     py3-freezegun \
 	     py3-gevent \
+	     py3-lxml \
+	     py3-natsort \
 	     py3-pip \
-             tcpdump \
+	     py3-ply \
+	     py3-psutil \
+	     py3-pycryptodomex \
+	     py3-pytest \
+	     py3-requests \
+             py3-pyserial \
+	     py3-setuptools \
+	     py3-slugify \
+	     py3-snmp \
+	     py3-sphinx \
+	     py3-wheel \
+	     py3-zope-event \
+	     py3-zope-interface \
              wget && \
 #
 # Setup ConPot
     git clone https://github.com/mushorg/conpot /opt/conpot && \
     cd /opt/conpot/ && \
-#    git checkout ff09e009d10d953aa7dcff2c06b7c890e6ffd4b7 && \
-    git checkout 804fd65aa3b7ffa31c07fd4e863d4a5500414cf3 && \
+    git checkout b3740505fd26d82473c0d7be405b372fa0f82575 && \
+    #git checkout 1c2382ea290b611fdc6a0a5f9572c7504bcb616e && \
     # Change template default ports if <1024
-    sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \ 
-    sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \ 
-    sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/default/ipmi/ipmi.xml && \ 
-    sed -i 's/port="5020"/port="502"/' /opt/conpot/conpot/templates/default/modbus/modbus.xml && \ 
-    sed -i 's/port="10201"/port="102"/' /opt/conpot/conpot/templates/default/s7comm/s7comm.xml && \ 
-    sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/default/snmp/snmp.xml && \ 
-    sed -i 's/port="6969"/port="69"/' /opt/conpot/conpot/templates/default/tftp/tftp.xml && \ 
-    sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/IEC104/snmp/snmp.xml && \ 
-    sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/ipmi/ipmi/ipmi.xml && \ 
-    pip3 install --no-cache-dir -U setuptools && \
+    sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \
+    sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \
+    sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/default/ipmi/ipmi.xml && \
+    sed -i 's/port="5020"/port="502"/' /opt/conpot/conpot/templates/default/modbus/modbus.xml && \
+    sed -i 's/port="10201"/port="102"/' /opt/conpot/conpot/templates/default/s7comm/s7comm.xml && \
+    sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/default/snmp/snmp.xml && \
+    sed -i 's/port="6969"/port="69"/' /opt/conpot/conpot/templates/default/tftp/tftp.xml && \
+    sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/IEC104/snmp/snmp.xml && \
+    sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/ipmi/ipmi/ipmi.xml && \
+    cp /root/dist/requirements.txt . && \
+    pip3 install --no-cache-dir --upgrade pip && \
     pip3 install --no-cache-dir . && \
-    pip3 install --no-cache-dir pysnmp-mibs && \
     cd / && \
     rm -rf /opt/conpot /tmp/* /var/tmp/* && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
-#    
+    setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
+#
 # Get wireshark manuf db for scapy, setup configs, user, groups
     mkdir -p /etc/conpot /var/log/conpot /usr/share/wireshark && \
     wget https://github.com/wireshark/wireshark/raw/master/manuf -o /usr/share/wireshark/manuf && \
     cp /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \
-    cp -R /root/dist/templates /usr/lib/python3.8/site-packages/conpot/ && \
+    cp -R /root/dist/templates /usr/lib/python3.10/site-packages/conpot/ && \
     addgroup -g 2000 conpot && \
     adduser -S -s /bin/ash -u 2000 -D -g 2000 conpot && \
 #
 # Clean up
     apk del --purge \
             build-base \
-            cython-dev \
             file \
             git \
             libev \
@@ -67,7 +83,6 @@ RUN apk -U add \
             mariadb-dev \
             pkgconfig \
             python3-dev \
-            py-cffi \
             wget && \
     rm -rf /root/* && \
     rm -rf /tmp/* && \
@@ -75,5 +90,7 @@ RUN apk -U add \
 #
 # Start conpot
 STOPSIGNAL SIGINT
+# Conpot sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
+HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
 USER conpot:conpot
 CMD exec /usr/bin/conpot --mibcache $CONPOT_TMP --temp_dir $CONPOT_TMP --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

docker/conpot/dist/conpot.cfg

@@ -3,7 +3,7 @@ sensorid = conpot
 
 [virtual_file_system]
 data_fs_url = %(CONPOT_TMP)s
-fs_url = tar:///usr/lib/python3.8/site-packages/conpot/data.tar
+fs_url = tar:///usr/lib/python3.10/site-packages/conpot/data.tar
 
 [session]
 timeout = 30

docker/conpot/dist/requirements.txt

@@ -0,0 +1,20 @@
+pysnmp-mibs
+pysmi
+libtaxii>=1.1.0
+crc16
+scapy==2.4.3rc1
+hpfeeds3
+modbus-tk
+stix-validator
+stix
+cybox
+bacpypes==0.17.0
+pyghmi==1.4.1
+mixbox
+modbus-tk
+cpppo
+fs==2.3.0
+tftpy
+# some freezegun versions broken
+pycrypto
+sphinx_rtd_theme

docker/conpot/dist/templates/IEC104/template.xml

@@ -91,19 +91,19 @@
                 <value type="value">1</value>
             </key>
             <key name="ifInOctets">
-                <value type="value">1618895</value>
+                <value type="function">conpot.emulators.misc.sysinfo.BytesRecv</value>		    
             </key>
             <key name="ifInUcastPkts">
-                <value type="value">7018</value>
+                <value type="function">conpot.emulators.misc.sysinfo.PacketsRecv</value> 
             </key>
             <key name="ifInNUcastPkts">
                 <value type="value">291</value>
             </key>
             <key name="ifOutOctets">
-                <value type="value">455107</value>
+                <value type="function">conpot.emulators.misc.sysinfo.BytesSent</value>
             </key>
             <key name="ifOutUcastPkts">
-                <value type="value">872264</value>
+                <value type="function">conpot.emulators.misc.sysinfo.PacketsSent</value> 
             </key>
             <key name="ifOutUNcastPkts">
                 <value type="value">143</value>
@@ -168,7 +168,7 @@
                 <value type="value">0</value>
             </key>
             <key name="ipAdEntAddr">
-                <value type="value">"217.172.190.137"</value>
+                <value type="function">conpot.emulators.misc.sysinfo.LocalIP</value>
             </key>
             <key name="ipAdEntIfIndex">
                 <value type="value">1</value>
@@ -290,7 +290,7 @@
                 <value type="value">45</value>
             </key>
             <key name="tcpCurrEstab">
-                <value type="value">0</value>
+                <value type="function">conpot.emulators.misc.sysinfo.TcpCurrEstab</value>
             </key>
             <key name="tcpInSegs">
                 <value type="value">30321</value>
@@ -305,7 +305,7 @@
                 <value type="value">2</value>
             </key>
             <key name="tcpConnLocalAddress">
-                <value type="value">"217.172.190.137"</value>
+                <value type="function">conpot.emulators.misc.sysinfo.LocalIP</value>
             </key>
             <key name="tcpConnLocalPort">
                 <value type="value">2404</value>
@@ -336,7 +336,7 @@
                 <value type="value">47</value>
             </key>
             <key name="udpLocalAddress">
-                <value type="value">"217.172.190.137"</value>
+                <value type="value">"163.172.189.137"</value>
             </key>
             <key name="udpLocalPort">
                 <value type="value">161</value>

docker/conpot/dist/templates/kamstrup_382/template.xml

@@ -11,7 +11,7 @@
         <!-- Core value that can be retrieved from the databus by key -->
         <key_value_mappings>
             <key name="power_simulator">
-                <value type="function">conpot.protocols.kamstrup.usage_simulator.UsageSimulator</value>
+                <value type="function">conpot.emulators.kamstrup.usage_simulator.UsageSimulator</value>
             </key>
             <key name="register_1024">
                 <value type="value">0</value>

docker/conpot/docker-compose.yml

@@ -23,26 +23,27 @@ services:
      - CONPOT_TMP=/tmp/conpot
     tmpfs:
      - /tmp/conpot:uid=2000,gid=2000
+#    cpu_count: 1
+#    cpus: 0.25    
     networks:
      - conpot_local_default
     ports:
-#    - "69:69"        
+#    - "69:69/udp"        
      - "80:80"
      - "102:102"
-     - "161:161"
+     - "161:161/udp"
      - "502:502"
-#     - "623:623"
+#     - "623:623/udp"
      - "2121:21"
      - "44818:44818"
-     - "47808:47808"
-    image: "ghcr.io/telekom-security/conpot:2006"
+     - "47808:47808/udp"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
 
 # Conpot IEC104 service
   conpot_IEC104:
-    build: .
     container_name: conpot_IEC104
     restart: always
     environment:
@@ -53,19 +54,20 @@ services:
      - CONPOT_TMP=/tmp/conpot
     tmpfs:
      - /tmp/conpot:uid=2000,gid=2000
+#    cpu_count: 1
+#    cpus: 0.25
     networks:
      - conpot_local_IEC104
     ports:
-#     - "161:161"
+#     - "161:161/udp"
      - "2404:2404"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
 
 # Conpot guardian_ast service
   conpot_guardian_ast:
-    build: .
     container_name: conpot_guardian_ast
     restart: always
     environment:
@@ -76,18 +78,19 @@ services:
      - CONPOT_TMP=/tmp/conpot
     tmpfs:
      - /tmp/conpot:uid=2000,gid=2000
+#    cpu_count: 1
+#    cpus: 0.25
     networks:
      - conpot_local_guardian_ast
     ports:
      - "10001:10001"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
 
 # Conpot ipmi
   conpot_ipmi:
-    build: .
     container_name: conpot_ipmi
     restart: always
     environment:
@@ -98,18 +101,19 @@ services:
      - CONPOT_TMP=/tmp/conpot
     tmpfs:
      - /tmp/conpot:uid=2000,gid=2000
+#    cpu_count: 1
+#    cpus: 0.25
     networks:
      - conpot_local_ipmi
     ports:
-     - "623:623"
-    image: "ghcr.io/telekom-security/conpot:2006"
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot
 
 # Conpot kamstrup_382
   conpot_kamstrup_382:
-    build: .
     container_name: conpot_kamstrup_382
     restart: always
     environment:
@@ -120,12 +124,14 @@ services:
      - CONPOT_TMP=/tmp/conpot
     tmpfs:
      - /tmp/conpot:uid=2000,gid=2000
+#    cpu_count: 1
+#    cpus: 0.25
     networks:
      - conpot_local_kamstrup_382
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "ghcr.io/telekom-security/conpot:2006"
+    image: "dtagdevsec/conpot:2204"
     read_only: true
     volumes:
      - /data/conpot/log:/var/log/conpot

docker/cowrie/Dockerfile

@@ -1,10 +1,10 @@
-FROM alpine:3.13
+FROM alpine:3.17
 #
 # Include dist
-ADD dist/ /root/dist/
+COPY dist/ /root/dist/
 #
 # Get and install dependencies & packages
-RUN apk -U add \
+RUN apk --no-cache -U add \
              bash \
              build-base \
              git \
@@ -15,14 +15,23 @@ RUN apk -U add \
              mpfr-dev \
              openssl \
              openssl-dev \
-             py3-pip \
-             python3 \
-             python3-dev \
+	     py3-appdirs \
+	     py3-asn1-modules \
+	     py3-attrs \
 	     py3-bcrypt \
 	     py3-cryptography \
-             py3-mysqlclient \
-             py3-requests \
-             py3-setuptools && \
+	     py3-dateutil \
+	     py3-greenlet \
+	     py3-mysqlclient \
+	     py3-openssl \
+	     py3-packaging \
+	     py3-parsing \
+             py3-pip \
+	     py3-service_identity \
+	     py3-treq \
+	     py3-twisted \
+             python3 \
+             python3-dev && \
 #
 # Setup user
     addgroup -g 2000 cowrie && \
@@ -31,11 +40,13 @@ RUN apk -U add \
 # Install cowrie
     mkdir -p /home/cowrie && \
     cd /home/cowrie && \
-    git clone --depth=1 https://github.com/micheloosterhof/cowrie -b v2.2.0 && \
+    git clone --depth=1 https://github.com/cowrie/cowrie -b v2.5.0 && \
+    #git clone --depth=1 https://github.com/cowrie/cowrie && \
     cd cowrie && \
-#    sed -i s/logfile.DailyLogFile/logfile.LogFile/g src/cowrie/python/logfile.py && \
+    #git checkout 8b1e1cf4db0d3b0e70b470cf40385bbbd3ed1733 && \
     mkdir -p log && \
     cp /root/dist/requirements.txt . && \
+    pip3 install --upgrade pip && \
     pip3 install -r requirements.txt && \
 #
 # Setup configs
@@ -64,6 +75,8 @@ RUN apk -U add \
     rm -rf /root/* /tmp/* && \
     rm -rf /var/cache/apk/* && \
     rm -rf /home/cowrie/cowrie/cowrie.pid && \
+    rm -rf /home/cowrie/cowrie/.git && \
+#    ln -s /usr/bin/python3 /usr/bin/python && \
     unset PYTHON_DIR
 #
 # Start cowrie

docker/cowrie/dist/cowrie.cfg

@@ -13,10 +13,8 @@ interactive_timeout = 180
 authentication_timeout = 120
 backend = shell
 timezone = UTC
-report_public_ip = true
 auth_class = AuthRandom
 auth_class_parameters = 2, 5, 10
-reported_ssh_port = 22
 data_path = /tmp/cowrie/data
 
 [shell]
@@ -36,6 +34,11 @@ rsa_public_key = etc/ssh_host_rsa_key.pub
 rsa_private_key = etc/ssh_host_rsa_key
 dsa_public_key = etc/ssh_host_dsa_key.pub
 dsa_private_key = etc/ssh_host_dsa_key
+ecdsa_public_key = etc/ssh_host_ecdsa_key.pub
+ecdsa_private_key = etc/ssh_host_ecdsa_key
+ed25519_public_key = etc/ssh_host_ed25519_key.pub
+ed25519_private_key = etc/ssh_host_ed25519_key
+public_key_auth = ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
 #version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
 version = SSH-2.0-OpenSSH_7.9p1
 ciphers = aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc

docker/cowrie/dist/requirements.txt

@@ -1,14 +1,2 @@
-appdirs==1.4.4
-attrs==20.3.0
-bcrypt==3.2.0
-configparser==5.0.1
-#cryptography==3.4.5
-#packaging==20.9
-pyasn1_modules==0.2.8
-pyopenssl==20.0.1
-pyparsing==2.4.7
-python-dateutil==2.8.1
-service_identity==18.1.0
-tftpy==0.8.0
-treq==21.1.0
-twisted==20.3.0
+configparser==5.2.0
+tftpy==0.8.2

docker/cowrie/docker-compose.yml

@@ -13,12 +13,14 @@ services:
     tmpfs:
      - /tmp/cowrie:uid=2000,gid=2000
      - /tmp/cowrie/data:uid=2000,gid=2000
+#    cpu_count: 1
+#    cpus: 0.25
     networks:
      - cowrie_local
     ports:
      - "22:22"
      - "23:23"
-    image: "ghcr.io/telekom-security/cowrie:2006"
+    image: "dtagdevsec/cowrie:2204"
     read_only: true
     volumes:
      - /data/cowrie/downloads:/home/cowrie/cowrie/dl

docker/cyberchef/Dockerfile

@@ -1,34 +0,0 @@
-FROM alpine:3.10
-#
-# Get and install dependencies & packages
-RUN apk -U --no-cache add \
-            curl \
-            git \
-            npm \
-            nodejs && \
-    npm install npm@latest -g && \
-    npm install -g grunt-cli http-server && \
-#
-# Install CyberChef 
-    cd /root && \
-    git clone https://github.com/gchq/cyberchef -b v9.27.0 && \
-    cd cyberchef && \
-    npm install && \
-    grunt prod && \
-    mkdir -p /opt/cyberchef && \
-    mv build/prod/* /opt/cyberchef && \
-    cd / && \
-#
-# Clean up
-    apk del --purge git \
-                    npm && \
-    rm -rf /root/* && \
-    rm -rf /var/cache/apk/*
-#
-# Healthcheck
-HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:8000'
-#
-# Set user, workdir and start cyberchef
-USER nobody:nobody
-WORKDIR /opt/cyberchef
-CMD ["http-server", "-p", "8000"]

docker/ddospot/Dockerfile

@@ -0,0 +1,63 @@
+FROM alpine:3.17
+#
+# Include dist
+COPY dist/ /root/dist/
+#
+# Install packages
+RUN apk --no-cache -U add \
+             build-base \
+             git \
+	     libcap \
+	     py3-colorama \
+	     py3-greenlet \
+	     py3-pip \
+	     py3-schedule \
+	     py3-sqlalchemy \
+	     py3-twisted \
+	     py3-wheel \
+             python3 \
+             python3-dev && \
+#	     
+# Install ddospot from GitHub and setup
+    mkdir -p /opt && \
+    cd /opt/ && \
+    git clone https://github.com/aelth/ddospot && \
+    cd ddospot && \
+    git checkout 49f515237bd2d5744290ed21dcca9b53def243ba && \
+    # We only want JSON events, setting logger format to ('') ...
+    sed -i "/handler.setFormatter(logging.Formatter(/{n;N;d}" /opt/ddospot/ddospot/core/potloader.py && \
+    sed -i "s#handler.setFormatter(logging.Formatter(#handler.setFormatter(logging.Formatter(''))#g" /opt/ddospot/ddospot/core/potloader.py && \
+    # ... and remove msg from log message for individual honeypots
+    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/chargen/chargen.py && \
+    sed -i "s#self.logger.info('New DNS query - \%s' \% (raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/dns/dns.py && \
+    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/generic/generic.py && \
+    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/ntp/ntp.py && \
+    sed -i "s#self.logger.info('\%s - \%s' \% (msg, raw_json))#self.logger.info(raw_json)#g" /opt/ddospot/ddospot/pots/ssdp/ssdp.py && \
+    # We are using logrotate
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/chargen/chargenpot.conf && \
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/dns/dnspot.conf && \
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/generic/genericpot.conf && \
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ntp/ntpot.conf && \
+    sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ssdp/ssdpot.conf && \
+    cp /root/dist/requirements.txt . && \
+    pip3 install -r ddospot/requirements.txt && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
+#
+# Setup user, groups and configs
+    addgroup -g 2000 ddospot && \
+    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 ddospot && \
+    chown ddospot:ddospot -R /opt/ddospot && \
+#
+# Clean up
+    apk del --purge build-base \
+                    git \
+		    python3-dev && \
+    rm -rf /root/* && \
+    rm -rf /opt/ddospot/.git && \
+    rm -rf /var/cache/apk/*
+#
+# Start ddospot
+STOPSIGNAL SIGINT
+USER ddospot:ddospot
+WORKDIR /opt/ddospot/ddospot/
+CMD ["/usr/bin/python3","ddospot.py", "-n"]

docker/ddospot/dist/requirements.txt

@@ -0,0 +1,4 @@
+git+https://github.com/hpfeeds/hpfeeds
+tabulate
+python-geoip
+python-geoip-geolite2

docker/ddospot/docker-compose.yml

@@ -0,0 +1,28 @@
+version: '2.3'
+
+networks:
+  ddospot_local:
+
+services:
+
+# Ddospot service
+  ddospot:
+    build: .
+    container_name: ddospot
+    restart: always
+#    cpu_count: 1
+#    cpus: 0.25
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: "dtagdevsec/ddospot:2204"
+    read_only: true
+    volumes:
+     - /data/ddospot/log:/opt/ddospot/ddospot/logs
+     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
+     - /data/ddospot/db:/opt/ddospot/ddospot/db

docker/deprecated/cyberchef/Dockerfile

@@ -0,0 +1,34 @@
+FROM node:10.24.1-alpine3.11 as builder
+#
+# Install CyberChef 
+RUN apk -U --no-cache add git
+RUN chown -R node:node /srv
+RUN npm install -g grunt-cli
+WORKDIR /srv
+USER node
+RUN git clone https://github.com/gchq/cyberchef -b v9.32.3 .
+ENV NODE_OPTIONS=--max_old_space_size=2048
+RUN npm install
+RUN grunt prod
+#
+# Move from builder
+FROM alpine:3.15
+#
+RUN apk -U --no-cache add \
+      curl \
+      npm && \
+      npm install -g http-server && \
+#
+# Clean up
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+#
+COPY --from=builder /srv/build/prod /opt/cyberchef
+#
+# Healthcheck
+HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:8000'
+#
+# Set user, workdir and start cyberchef
+USER nobody:nobody
+WORKDIR /opt/cyberchef
+CMD ["http-server", "-p", "8000"]

docker/deprecated/cyberchef/docker-compose.yml

@@ -14,5 +14,5 @@ services:
      - cyberchef_local
     ports:
      - "127.0.0.1:64299:8000"
-    image: "ghcr.io/telekom-security/cyberchef:2006"
+    image: "dtagdevsec/cyberchef:2204"
     read_only: true

docker/deprecated/head/Dockerfile

@@ -1,11 +1,12 @@
-FROM alpine:3.13
+FROM alpine:3.15
 #
 # Setup env and apt
 RUN apk -U add \
             curl \
             git \
             nodejs \
-            nodejs-npm && \
+            #nodejs-npm && \
+            npm && \
 #
 # Get and install packages
     mkdir -p /usr/src/app/ && \

docker/deprecated/head/docker-compose.yml

@@ -12,5 +12,5 @@ services:
     #        condition: service_healthy
     ports:
      - "127.0.0.1:64302:9100"
-    image: "ghcr.io/telekom-security/head:2006"
+    image: "dtagdevsec/head:2204"
     read_only: true

docker/deprecated/honeypy/Dockerfile

@@ -49,7 +49,7 @@ RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
     rm -rf /root/* && \
     rm -rf /var/cache/apk/*
 #
-# Set workdir and start mailoney
+# Set workdir and start honeypy
 USER honeypy:honeypy
 WORKDIR /opt/honeypy
 CMD ["/opt/honeypy/env/bin/python2", "/opt/honeypy/Honey.py", "-d"]

docker/deprecated/honeypy/docker-compose.yml

@@ -20,7 +20,7 @@ services:
      - "2324:2324"
      - "4096:4096"
      - "9200:9200"
-    image: "ghcr.io/telekom-security/honeypy:2006"
+    image: "dtagdevsec/honeypy:2204"
     read_only: true
     volumes:
      - /data/honeypy/log:/opt/honeypy/log

docker/deprecated/honeysap/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.10
+FROM alpine:3.11
 #
 # Include dist
 ADD dist/ /root/dist/
@@ -8,7 +8,6 @@ RUN apk -U --no-cache add \
             build-base \
             git \
 	    libstdc++ \
-	    py2-markupsafe \
             python2 \
             python2-dev \
             py2-pip \
@@ -22,6 +21,7 @@ RUN apk -U --no-cache add \
     mkdir conf && \
     cp /root/dist/* conf/ && \
     python setup.py install && \
+    pip install markupsafe && \
     pip install -r requirements-optional.txt && \
 #
 # Setup user, groups and configs