work on permissions, folders and tpotinit

Add more functions to customizer.py (improve port and service checks, improve user output)
Adjust docker-compose files

.env

@@ -0,0 +1,121 @@
+# T-Pot config file. Do not remove.
+
+###############################################
+# T-Pot Base Settings - Adjust to your needs. #
+###############################################
+
+# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
+#  Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
+#  Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+#  Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+WEB_USER='change:me'
+
+# T-Pot Blackhole
+#  ENABLED: T-Pot will download a db of known mass scanners and nullroute them
+#           Be aware, this will put T-Pot off the map for stealth reasons and
+#           you will get less traffic. Routes will active until reboot and will
+#           be re-added with every T-Pot start until disabled.
+#  DISABLED: This is the default and no stealth efforts are in place.
+TPOT_BLACKHOLE=DISABLED
+
+# T-Pot Persistence
+# on: This is the default. T-Pot will keep the honeypot logfiles and rotate
+#     with logrotate for 30 days.
+# off: This is recommended for Raspberry Pi or setups with weaker CPUs or
+#      if you just do not need any of the logfiles.
+TPOT_PERSISTENCE=on
+
+# T-Pot Type
+# HIVE: This is the default and offers everything to connect T-Pot sensors.
+# SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
+#         settings as well.
+#         1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
+#         2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
+#            your SENSOR host to ~/tpotce/data/hive.crt
+#         3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
+#            Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
+#         4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
+#                       "echo -n 'username:password' | base64"
+TPOT_TYPE=HIVE
+
+# T-Pot Hive User (only relevant for SENSOR deployment)
+# <empty>: This is empty by default.
+# <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64"
+#                          i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
+TPOT_HIVE_USER=
+
+# T-Pot Hive IP (only relevant for SENSOR deployment)
+# <empty>: This is empty by default.
+# <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
+TPOT_HIVE_IP=
+
+# T-Pot AttackMap Text Output
+#  ENABLED: This is the default and the docker container map_data will print events to the console.
+#  DISABLED: Printing events to the console is disabled.
+TPOT_ATTACKMAP_TEXT=ENABLED
+
+# T-Pot AttackMap Text Output Timezone
+#  UTC: (T-Pot default) This is usually the best option.
+#  Continent/City: In Linux you can check our timezone with `readlink` /etc/localtime or
+#                  see the full list here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+#  Examples: America/New_York, Asia/Taipei, Australia/Melbourne, Europe/Athens, Europe/Berlin
+TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
+
+###################################################################################
+# Honeypots / Tools settings
+###################################################################################
+# Some services / tools offer adjustments using ENVs which can be adjusted here.
+###################################################################################
+
+# SentryPeer P2P mode
+# Exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+# the bad actors in its logs. Therefore this option is opt-in based.
+# 0: This is the default, P2P mode is disabled.
+# 1: Enable P2P mode.
+SENTRYPEER_PEER_TO_PEER=0
+
+# Suricata ET Pro ruleset
+# OPEN: This is the default and will the ET Open ruleset
+# OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
+OINKCODE=OPEN
+
+
+###################################################################################
+# NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
+###################################################################################
+
+# T-Pot Landing page provides Cockpit Link
+COCKPIT=false
+
+# docker.sock Path
+TPOT_DOCKER_SOCK=/var/run/docker.sock
+
+# docker compose .env
+TPOT_DOCKER_ENV=./.env
+
+# Docker-Compose file
+TPOT_DOCKER_COMPOSE=./docker-compose.yml
+
+# T-Pot Repo
+# Depending on where you are located you may choose between DockerHub and GHCR
+# dtagdevsec: This will use the DockerHub image registry
+# ghcr.io/telekom-security: This will use the GitHub container registry
+TPOT_REPO=ghcr.io/telekom-security
+
+# T-Pot Version Tag
+TPOT_VERSION=dev
+
+# T-Pot Pull Policy
+#  always: (T-Pot default) Compose implementations SHOULD always pull the image from the registry.
+#  never: Compose implementations SHOULD NOT pull the image from a registry and SHOULD rely on the platform cached image.
+#  missing: Compose implementations SHOULD pull the image only if it's not available in the platform cache.
+#  build: Compose implementations SHOULD build the image. Compose implementations SHOULD rebuild the image if already present.
+TPOT_PULL_POLICY=always
+
+# T-Pot Data Path
+TPOT_DATA_PATH=./data
+
+# OSType (linux, mac, win)
+#  Most docker features are available on linux
+TPOT_OSTYPE=linux

.gitignore

@@ -0,0 +1,4 @@
+# Ignore data folder
+data/
+**/.DS_Store
+.idea

CITATION.cff

@@ -0,0 +1,43 @@
+# This CITATION.cff file was generated with cffinit.
+# Visit https://bit.ly/cffinit to generate yours today!
+
+cff-version: 1.2.0
+title: T-Pot DEV
+message: >-
+  If you use this software, please cite it using the
+  metadata from this file.
+type: software
+authors:
+  - name: Deutsche Telekom Security GmbH
+    address: Bonner Talweg 100
+    city: Bonn
+    country: DE
+    post-code: '53113'
+    website: 'https://github.com/telekom-security'
+  - given-names: Marco
+    family-names: Ochse
+    affiliation: Deutsche Telekom Security GmbH
+identifiers:
+  - type: url
+    value: >-
+      https://github.com/telekom-security/tpotce/releases/tag/22.04.0
+    description: T-Pot Release 22.04.0
+repository-code: 'https://github.com/telekom-security/tpotce'
+abstract: >-
+  T-Pot is the all in one, optionally distributed, multiarch
+  (amd64, arm64) honeypot plattform, supporting 20+
+  honeypots and countless visualization options using the
+  Elastic Stack, animated live attack maps and lots of
+  security tools to further improve the deception
+  experience.
+keywords:
+  - honeypot
+  - deception
+  - t-pot
+  - telekom security
+  - docker
+  - elk
+license: GPL-3.0
+commit: unreleased, under heavy development
+version: 2x.yy.z
+date-released: '202x-yy-zz'

PREVIEW.md

@@ -0,0 +1,205 @@
+# T-Pot - Dev Preview
+
+T-Pot will be turning 10 years next year and this milestone will be celebrated when the time comes, which brings us today to the best time to reflect on how technology advanced, what this means for the project and how we can ensure T-Pot will meet the current and future requirements of the community.
+<br><br>
+
+# TL;DR
+1. [Download](#choose-your-distro) or use a running, supported distribution
+2. Install the ISO with as minimal packages / services as possible (SSH required!)
+3. Install curl: `$ sudo [apt, dnf, zypper] install curl` if not installed already
+4. Run installer as non-root:
+```
+/bin/bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/dev/install.sh)"
+```
+   * Follow instructions, read messages, check for possible port conflicts and reboot
+5. [Start](#start-t-pot) T-Pot as non-root for the first time:
+```
+cd tpotce/preview/
+docker compose up
+```
+
+
+# Table of Contents
+- [Disclaimer](#disclaimer)
+- [Last Time Departed](#last-time-departed)
+- [Present Time](#present-time)
+- [Destination Time](#destination-time)
+- [Technical Preview](#technical-preview)
+  - [Architecture](#architecture)
+- [Installation](#installation)
+  - [Choose your distro](#choose-your-distro)
+  - [Get and Install T-Pot](#get-and-install-t-pot)
+  - [T-Pot Config File](#t-pot-config-file)
+  - [macOS & Windows](#macos--windows)
+- [Start T-Pot](#start-t-pot)
+- [Stop T-Pot](#stop-t-pot)
+- [Uninstall T-Pot](#uninstall-t-pot)
+- [Feedback](#uninstall-t-pot)
+
+<br><br>
+
+# Disclaimer
+- This is a Technical Preview, a very very early stage in the development T-Pot. You have been warned - there will be dragons steering flying time machines possibly causing paradoxes.
+- The T-Pot [disclaimer](https://github.com/telekom-security/tpotce/blob/master/README.md#disclaimer) and [documentation](https://github.com/telekom-security/tpotce/blob/master/README.md) apply.
+<br><br>
+
+# Last Time Departed
+Jumping back to 2014 T-Pot was born as the direct ancestor of our Raspberry Pi images we used to offer for download (which probably by now only insiders will remember 😅). Docker was just the new kid on the block with the shiny new container engine everyone desperately unknowingly waited for and thus taking the dev-world by storm. At that point we wanted to ensure that T-Pot was something tangible, tethered to a physical device (Hello NUC my old friend 👋) while using latest technologies ensuring an easy transition should we ever leave hardware based installations (or VMs for that matter). And Oh-My-Zsh as you all know that day came faster than anticipated! (Special thanks @vorband, @shaderecker and @tmariuss for all of their contributions!)  
+<br><br>
+
+# Present Time
+Flash Forward to today, T-Pot offers support for Debian, both as an ISO based installation or a post installation method (install your own Debian Server), support for OTC, AWS and other clouds through Ansible and Terraform Support. All of this in many different flavors and even a distributed installation. At the same time we are still relying on the same base concept we originally started with which does not seem fit for the foreseeable future.<br>
+In the last couple of years being independent of a certain platform was the one feature that stood out by far. The reason for this, until today, is the simple fact that T-Pot, although relying heavily on Docker, still relies on a fully controlled environment. This has its advantages but can not meet a demand where cloud based installations need different settings than we can provide (we can only run limited platform tests), companies follow different guidelines for allowed distributions or hosters simply offer Debian images slightly adjusted to their environments causing issues with the setting T-Pot relies on. Roll the dice or ask the Magic-8-Ball.     
+<br><br>
+
+# Destination Time
+Back to the future of T-Pot. For a brief time we had the idea of T-Pot Light which should compensate for the missing platform support. A concept was whipped up to support all of T-Pot's dockered services on minimal installations of Debian, Fedora, OpenSuse and Ubuntu Server. And it worked! It worked so good that we have almost achieved feature parity for this Technical Preview and decided that this is the best candidate for the future of the development of T-Pot<br>
+We are thrilled to share this now, so you can test, provide us with feedback, open issues and discussions and give us the chance to make the next T-Pot the best T-Pot we have ever released!
+<br><br>
+
+## Technical Preview
+For the purpose of the Technical Preview T-Pot will still use the 22.04 images and for a great part rely on the 22.04 release. This will lay the groundwork though for the next T-Pot release by just relying on the latest Docker package repositories (yes, the distros mostly do not offer Docker's bleeding edge features), some tiny modifications on the host (installer and uninstaller provided!) and move all of T-Pot's core in its own Docker image with a simple, user adjustable, configuration.<br>
+<br><br>
+
+## Architecture
+While the basic architecture still remains, the Technical Preview of T-Pot is mostly independent of the underlying OS with only some basic requirements:
+1. Underlying OS is available as supported distribution:
+    * Only the bare minimum of services and packages are installed to avoid possible port conflicts with T-Pot's services
+    * Debian, Fedora, OpenSuse and Ubuntu Server are currently supported, others might follow if the requirements will be met
+2. Latest Docker Engine from Docker's repositories is supported
+    * Only the latest Docker Engine packages offer all the features needed for T-Pot
+    * Docker Desktop does not offer host network capabilities and thus only a limited T-Pot experience (not available for the Technical Preview, but planned to even get started faster!)
+3. Changes to the host
+    * Some changes to the host are necessary but will be kept as minimalistic as possible, just enough T-Pot will be able to run
+    * There are uninstallers available this time 😁
+<br><br>
+
+# System Requirements
+The known T-Pot hardware (CPU, RAM, SSD) requirements and recommendations still apply.
+<br><br>
+
+# Installation
+[Download](#choose-your-distro) one of the supported Linux distro images, `git clone` the T-Pot repository and run the installer specific to your system. Running T-Pot on top of a running and supported Linux system is possible, but a clean installation is recommended to avoid port conflicts with running services.
+<br><br>
+
+## Choose your distro
+Choose a supported distro of your choice. It is recommended to use the minimum / netiso installers linked below and only install a minimalistic set of packages. SSH is mandatory or you will not be able to connect to the machine remotely.
+
+| Distribution Name                              | x64                                                                                                                                   | arm64 
+|:-----------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|:--------------
+| [AlmaLinux](https://almalinux.org)             | [download](https://mirrors.almalinux.org/isos/x86_64/9.2.html)                                                                        | [download](https://mirrors.almalinux.org/isos/aarch64/9.2.html)
+| [Debian](https://www.debian.org/index.en.html) | [download](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.0.0-amd64-netinst.iso)                                 | [download](https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso)
+| [DietPi](https://dietpi.com/#home)             |                                                                                                                                       | [download](https://dietpi.com/downloads/images/DietPi_RPi-ARMv8-Bookworm.7z)
+| [Fedora](https://fedoraproject.org)            | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/38/Server/x86_64/iso/Fedora-Server-netinst-x86_64-38-1.6.iso) | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/38/Server/aarch64/iso/Fedora-Server-netinst-aarch64-38-1.6.iso)
+| [OpenSuse](https://www.opensuse.org)           | [download](https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-NET-x86_64-Current.iso)                                   | [download](https://download.opensuse.org/ports/aarch64/tumbleweed/iso/openSUSE-Tumbleweed-NET-aarch64-Current.iso)
+| [Rocky Linux](https://rockylinux.org)          | [download](https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.2-x86_64-minimal.iso)                                      | [download](https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.2-aarch64-minimal.iso)
+| [Ubuntu](https://ubuntu.com)                   | [download](https://releases.ubuntu.com/22.04.2/ubuntu-22.04.2-live-server-amd64.iso)                                                  | [download](https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04.2-live-server-arm64.iso)
+
+## Raspberry Pi 4 (8GB) Support
+| Distribution Name                              | arm64                                                                                                                                               | Notes                                                                                                                                 
+|:-----------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|:--------------
+| [DietPi](https://dietpi.com/#home)             | [download](https://dietpi.com/downloads/images/DietPi_RPi-ARMv8-Bookworm.7z)                                                                        | In DietPi config you need to choose OpenSSH instead of Dropbear or T-Pot will fail to install
+| [Raspberry Pi OS](https://www.raspberrypi.com) | [download](https://downloads.raspberrypi.org/raspios_lite_arm64/images/raspios_lite_arm64-2023-05-03/2023-05-03-raspios-bullseye-arm64-lite.img.xz) | Recommended, everything incl. Wifi works as expected right away (when using Raspberry Pi Imager)
+
+<br><br> 
+
+## Get and install T-Pot
+1. Clone the GitHub repository: `$ git clone https://github.com/telekom-security/tpotce`
+2. Change into the **tpotce/preview/installer** folder: `$ cd tpotce/preview/installer`
+3. Locate your distribution, i.e. `fedora`: `$ cd fedora`
+4. Run the installer as non-root: `$ ./install.sh`:
+   * ⚠️ ***Depending on your Linux distribution of choice the installer will:***
+     * Change the SSH port to `tcp/64295`
+     * Disable the DNS Stub Listener to avoid port conflicts with honeypots
+     * Set SELinux to Monitor Mode
+     * Set the firewall target for the public zone to ACCEPT
+     * Add Docker's repository and install Docker
+     * Install recommended packages
+     * Remove package known to cause issues
+     * Add the current user to the docker group (allow docker interaction without `sudo`)
+     * Add `dps` and `dpsw` aliases (`grc docker ps -a`, `watch -c "grc --colour=on docker ps -a`)
+     * Display open ports on the host (compare with T-Pot [required](https://github.com/telekom-security/tpotce#required-ports) ports)
+5. Follow the installer instructions, you will have to enter your password at least once
+6. Check the installer messages for errors and open ports that might cause port conflicts
+7. Reboot: `$ sudo reboot`
+<br><br>
+
+## T-Pot Config File
+T-Pot offers a configuration file providing environment variables not only for the docker services (i.e. honeypots and tools) but also for the docker compose environment. The configuration file is hidden in the `preview` folder and is called `.env`. There is however an example file (`env.example`) which holds the default configuration.<br> Before the first start set the `WEB_USER` and `WEB_PW`. Once T-Pot was initialized it is recommended to remove the password and set `WEB_PW=<changeme>`. Other settings are available also, these however should only be changed if you are comfortable with possible errors 🫠 as some of the features are not fully integrated and tested yet.
+```
+# T-Pot config file. Do not remove.
+
+# Set Web username and password here, only required for first run
+#  Removing the password after first run is recommended
+#  You can always add or remove users as you see fit using htpasswd:
+#  htpasswd -b -c /<data_folder>/nginx/conf/nginxpasswd <username> <password>
+WEB_USER=<changeme>
+WEB_PW=<changeme>
+
+# T-Pot Blackhole
+#  ENABLED: T-Pot will download a db of known mass scanners and nullroute them
+#           Be aware, this will put T-Pot off the map for stealth reasons and
+#           you will get less traffic. Routes will active until reboot and will
+#           be re-added with every T-Pot start until disabled.
+#  DISABLED: This is the default and no stealth efforts are in place.
+TPOT_BLACKHOLE=DISABLED
+```
+
+## macOS & Windows
+Sometimes it is just nice if you can spin up a T-Pot instance on macOS or Windows, i.e. for development, testing or just the fun of it. While Docker Desktop is rather limited not all honeypot types or T-Pot features are supported. Also remember, by default the macOS and Windows firewall are blocking access from remote, so testing is limited to the host. For production it is recommended to run T-Pot on Linux.<br>
+To get things up and running just follow these steps:
+1. Install Docker Desktop for [macOS](https://docs.docker.com/desktop/install/mac-install/) or [Windows](https://docs.docker.com/desktop/install/windows-install/)
+2. Clone the GitHub repository: `$ git clone https://github.com/telekom-security/tpotce`
+2. Change into the **tpotce/preview/compose** folder: `$ cd tpotce/preview/compose`
+3. Copy **mac_win.yml** to the **tpotce/preview** folder by overwriting **docker-compose.yml**: `$ cp mac_win.yml ../docker-compose.yml`
+4. Adjust the **.env** file by changing **TPOT_OSTYPE** to either **mac** or **win**:
+```
+# OSType (linux, mac, win)
+#  Most docker features are available on linux
+TPOT_OSTYPE=mac
+```
+5. You have to ensure on your own there are no port conflicts keeping T-Pot from starting up.
+You can follow the README on how to [Start T-Pot](#start-t-pot), however you may skip the **crontab**.
+
+
+# Start T-Pot
+1. Change into the **tpotce/preview/** folder: `$ cd tpotce/preview/`
+2. Run: `$ docker compose up` (notice the missing dash, `docker-compose` no longer exists with the latest Docker installation)
+   * You can also run `$ docker compose -f /<path_to_tpot>/tpotce/preview/docker-compose.yml up` directly if you want to avoid to change into the `preview` folder or add an alias of your choice.
+3. `docker compose` will now download all the necessary images to run the T-Pot Docker containers
+4. On the first run T-Pot (`tpotinit`) will initialize and create the `data` folder in the path specified (by default it is located in `tpotce/preview/data/`):
+   * It takes about 2-3 minutes to bring all the containers up (should port conflicts arise `docker compose` will simply abort)
+   * Once all containers have started successfully for the first time you can access T-Pot as described [here](https://github.com/telekom-security/tpotce#remote-access-and-tools) or cancel with `CTRL-C` ...
+5. ... and run T-Pot in the background: `$ docker compose up -d`
+   * Unless you run `docker compose down -v` T-Pot's Docker service will remain persistent and restart with a reboot
+   * You can however add a crontab entry with `crontab -e` which will also add some container and image management.
+```
+@reboot docker compose -f /<path_to_tpot_>/tpotce/preview/docker-compose.yml down -v; \
+docker container prune -f; \
+docker image prune -f; \
+docker compose -f /<path_to_tpot_>/tpotce/preview/docker-compose.yml up -d
+```
+6. By default Docker will always check if the local and remote docker images match, if not, Docker will either revert to a fitting locally cached image or download the image from remote. This ensures T-Pot images will always be up-to-date
+
+# Stop T-Pot
+1. Change into the **tpotce/preview/** folder: `$ cd tpotce/preview/`
+2. Run: `$ docker compose down -v` (notice the missing dash, `docker-compose` no longer exists with the latest docker installation)
+3. Docker will now stop all running T-Pot containers and disable reboot persistence (unless you made a [crontab entry](#start-t-pot)
+   * You can also run `$ docker compose -f /<path_to_tpot>/tpotce/preview/docker-compose.yml down -v` directly if you want to avoid to change into the `preview` folder or add an alias of your choice.
+ 
+# Uninstall T-Pot
+1. Change into the **tpotce/preview/uninstaller/** folder: `$ cd tpotce/preview/uninstaller/`
+2. Locate your distribution, i.e. `fedora`: `$ cd fedora`
+3. Run the installer as non-root: `$ ./uninstall.sh`:
+   * The uninstaller will reverse the installation steps
+4. Follow the uninstaller instructions, you will have to enter your password at least once
+5. Check the uninstaller messages for errors
+6. Reboot: `$ sudo reboot`
+<br><br>
+
+# Feedback
+To ensure the next T-Pot release will be everything we and you - The T-Pot Community - have in mind please feel free to leave comments in the `Technical Preview` [discussion](https://github.com/telekom-security/tpotce/discussions/1325) pinned on our GitHub [Discussions](https://github.com/telekom-security/tpotce/discussions) section. Please bear in mind that this Technical Preview is made public in the earliest stage of the T-Pot development process at your convenience for ***your*** valuable input.
+<br><br>
+Thank you for testing 💖
+
+Special thanks to all the [contributors](https://github.com/telekom-security/tpotce/graphs/contributors) and [developers](https://github.com/telekom-security/tpotce#credits) making this project possible!

README.md

@@ -1,4 +1,4 @@
-# T-Pot - The All In One Multi Honeypot Plattform
+# T-Pot - The All In One Multi Honeypot Platform
 
 ![T-Pot](doc/tpotsocial.png)
 
@@ -7,7 +7,7 @@ T-Pot is the all in one, optionally distributed, multiarch (amd64, arm64) honeyp
 
 # TL;DR
 1. Meet the [system requirements](#system-requirements). The T-Pot installation needs at least 8-16 GB RAM and 128 GB free disk space as well as a working (outgoing non-filtered) internet connection.
-2. Download the T-Pot ISO from [GitHub](https://github.com/telekom-security/tpotce/releases) acording to your architecture (amd64, arm64) or [create it yourself](#create-your-own-iso-image).
+2. Download the T-Pot ISO from [GitHub](https://github.com/telekom-security/tpotce/releases) according to your architecture (amd64, arm64) or [create it yourself](#create-your-own-iso-image).
 3. Install the system in a [VM](#running-in-a-vm) or on [physical hardware](#running-on-hardware) with [internet access](#system-placement).
 4. Enjoy your favorite beverage - [watch](https://sicherheitstacho.eu) and [analyze](#kibana-dashboard).
 <br><br>
@@ -25,29 +25,29 @@ T-Pot is the all in one, optionally distributed, multiarch (amd64, arm64) honeyp
   - [Required Ports](#required-ports)
 - [System Placement](#system-placement)
 - [Installation](#installation)
-  - [ISO Based](#isoinstall)
-    - [Download ISO Image](#downloadiso)
-    - [Build your own ISO Image](#makeiso)
+  - [ISO Based](#iso-based)
+    - [Download ISO Image](#download-iso-image)
+    - [Create your own ISO Image](#create-your-own-iso-image)
   - [Post Install](#post-install)
     - [Download Debian Netinstall Image](#download-debian-netinstall-image)
-    - [User](#post-install-user-method)
-    - [Auto](#postauto)
-  - [T-Pot Installer](#tpotinstaller)
-    - [Installation Types](#installtypes)
-    - [Standalone](#standalonetype)
-    - [Distributed](#distributedtype)
-  - [Cloud Deployments](#cloud)
-    - [Ansible](#ansible-deployment)
-    - [Terraform](#terraform-configuration)
+    - [Post Install User Method](#post-install-user-method)
+    - [Post Install Auto Method](#post-install-auto-method)
+  - [T-Pot Installer](#t-pot-installer)
+    - [Installation Types](#installation-types)
+    - [Standalone](#standalone)
+    - [Distributed](#distributed)
+  - [Cloud Deployments](#cloud-deployments)
+    - [Ansible Deployment](#ansible-deployment)
+    - [Terraform Configuration](#terraform-configuration)
 - [First Start](#first-start)
   - [Standalone Start](#standalone-first-start)
   - [Distributed Deployment](#distributed-deployment)
   - [Community Data Submission](#community-data-submission)
   - [Opt-In HPFEEDS Data Submission](#opt-in-hpfeeds-data-submission)
 - [Remote Access and Tools](#remote-access-and-tools)
-  - [SSH and Cockpit](#ssh)
+  - [SSH and Cockpit](#ssh-and-cockpit)
   - [T-Pot Landing Page](#t-pot-landing-page)
-  - [Kibana Dashboard](#kibana-dashboardibana)
+  - [Kibana Dashboard](#kibana-dashboard)
   - [Attack Map](#attack-map)
   - [Cyberchef](#cyberchef)
   - [Elasticvue](#elasticvue)
@@ -103,7 +103,7 @@ T-Pot offers docker images for the following honeypots ...
 * [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot),
 * [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot),
 * [conpot](http://conpot.org/),
-* [cowrie](http://www.micheloosterhof.com/cowrie/),
+* [cowrie](https://github.com/cowrie/cowrie),
 * [ddospot](https://github.com/aelth/ddospot),
 * [dicompot](https://github.com/nsmfoo/dicompot),
 * [dionaea](https://github.com/DinoTools/dionaea),
@@ -127,11 +127,11 @@ T-Pot offers docker images for the following honeypots ...
 * [Cockpit](https://cockpit-project.org/running) for a lightweight and secure WebManagement and WebTerminal.
 * [Cyberchef](https://gchq.github.io/CyberChef/) a web app for encryption, encoding, compression and data analysis.
 * [Elastic Stack](https://www.elastic.co/videos) to beautifully visualize all the events captured by T-Pot.
-* [Elasticvue](https://github.com/cars10/elasticvue/) a web front end for browsing and interacting with an Elastic Search cluster.
+* [Elasticvue](https://github.com/cars10/elasticvue/) a web front end for browsing and interacting with an Elasticsearch cluster.
 * [Fatt](https://github.com/0x4D31/fatt) a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.
-* [Geoip-Attack-Map](https://github.com/eddie4/geoip-attack-map) a beautifully animated attack map [optimized](https://github.com/t3chn0m4g3/geoip-attack-map) for T-Pot.
+* [T-Pot-Attack-Map](https://github.com/t3chn0m4g3/t-pot-attack-map) a beautifully animated attack map for T-Pot.
 * [P0f](https://lcamtuf.coredump.cx/p0f3/) is a tool for purely passive traffic fingerprinting.
-* [Spiderfoot](https://github.com/smicallef/spiderfoot) a open source intelligence automation tool.
+* [Spiderfoot](https://github.com/smicallef/spiderfoot) an open source intelligence automation tool.
 * [Suricata](http://suricata-ids.org/) a Network Security Monitoring engine.
 
 ... to give you the best out-of-the-box experience possible and an easy-to-use multi-honeypot appliance.
@@ -150,17 +150,17 @@ The individual Dockerfiles and configurations are located in the [docker folder]
 T-Pot offers a number of services which are basically divided into five groups:
 1. System services provided by the OS
     * SSH for secure remote access.
-    * Cockpit for web based remote acccess, management and web terminal.
+    * Cockpit for web based remote access, management and web terminal.
 2. Elastic Stack
     * Elasticsearch for storing events.
     * Logstash for ingesting, receiving and sending events to Elasticsearch.
-    * Kibana for displaying events on beautyfully rendered dashboards.
+    * Kibana for displaying events on beautifully rendered dashboards.
 3. Tools
-    * NGINX for providing secure remote access (reverse proxy) to Kibana, CyberChef, Elasticvue, GeoIP AttackMap and Spiderfoot.
+    * NGINX provides secure remote access (reverse proxy) to Kibana, CyberChef, Elasticvue, GeoIP AttackMap and Spiderfoot.
     * CyberChef a web app for encryption, encoding, compression and data analysis.
-    * Elasticvue a web front end for browsing and interacting with an Elastic Search cluster.
-    * Geoip Attack Map a beautifully animated attack map for T-Pot.
-    * Spiderfoot a open source intelligence automation tool.
+    * Elasticvue a web front end for browsing and interacting with an Elasticsearch cluster.
+    * T-Pot Attack Map a beautifully animated attack map for T-Pot.
+    * Spiderfoot an open source intelligence automation tool.
 4. Honeypots
     * A selection of the 22 available honeypots based on the selected edition and / or setup.
 5. Network Security Monitoring (NSM)
@@ -207,7 +207,7 @@ All T-Pot installations will require ...
 <br><br>
 
 ## Running in a VM
-T-Pot is reported to run with with the following hypervisors, however not each and every combination is tested.
+T-Pot is reported to run with the following hypervisors, however not each and every combination is tested.
 * [UTM (Intel & Apple Silicon)](https://mac.getutm.app/)
 * [VirtualBox](https://www.virtualbox.org/)
 * [VMWare vSphere / ESXi](https://kb.vmware.com/s/article/2107518)
@@ -237,7 +237,7 @@ Some users report working installations on other clouds and hosters, i.e. Azure
 <br><br>
 
 ## Required Ports
-Besides the ports generally needed by the OS, i.e. obtaining a DHCP lease, DNS, etc. T-Pot will require the following ports for incomding / outgoing connections. Review the [T-Pot Architecure](#technical-architecture) for a visual representation. Also some ports will show up as duplicates, which is fine since used in different editions.
+Besides the ports generally needed by the OS, i.e. obtaining a DHCP lease, DNS, etc. T-Pot will require the following ports for incoming / outgoing connections. Review the [T-Pot Architecture](#technical-architecture) for a visual representation. Also some ports will show up as duplicates, which is fine since used in different editions.
 | Port        | Protocol | Direction | Description                                                   |
 | :---        | :---     | :---      | :---                                                          |
 | 80, 443     | tcp      | outgoing  | T-Pot Management: Install, Updates, Logs (i.e. Debian, GitHub, DockerHub, PyPi, Sicherheitstacho, etc. |
@@ -269,20 +269,20 @@ Besides the ports generally needed by the OS, i.e. obtaining a DHCP lease, DNS,
 | 80          | tcp      | incoming  | Honeypot: Snare (Tanner)                                      |
 
 
-Ports and availability of SaaS services may vary based on your geographical location. Also during first install outgoing ICMP / TRACEROUTE is required additionally to find the closest and fastest mirror to you.
+Ports and availability of SaaS services may vary based on your geographical location. Also during the first install outgoing ICMP / TRACEROUTE is required additionally to find the closest and fastest mirror to you.
 
 For some honeypots to reach full functionality (i.e. Cowrie or Log4Pot) outgoing connections are necessary as well, in order for them to download the attackers malware. Please see the individual honeypot's documentation to learn more by following the [links](#technical-concept) to their repositories.
 
 <br><br>
 
 # System Placement
-It is recommended to get yourself familiar how T-Pot and the honeypots work before you start exposing towards the interet. For a quickstart run a T-Pot installation in a virtual machine.
+It is recommended to get yourself familiar with how T-Pot and the honeypots work before you start exposing towards the internet. For a quickstart run a T-Pot installation in a virtual machine.
 <br><br>
-Once you are familiar how things work you should choose a network you suspect intruders in or from (i.e. the internet). Otherwise T-Pot will most likely not capture any attacks (unless you want to proof a point)! For starters it is recommended to put T-Pot in an unfiltered zone, where all TCP and UDP traffic is forwarded to T-Pot's network interface. To avoid probing for T-Pot's management ports you can put T-Pot behind a firewall and forward all TCP / UDP traffic in the port range of 1-64000 to T-Pot while allowing access to ports > 64000 only from trusted IPs and / or only expose the [ports](#required-ports) relevant to your use-case. If you wish to catch malware traffic on unknown ports you should not limit the ports you forward since glutton and honeytrap dynamically bind any TCP port that is not covered by other honeypot daemons and thus give you a better representation what risks your setup is exposed to.
+Once you are familiar with how things work you should choose a network you suspect intruders in or from (i.e. the internet). Otherwise T-Pot will most likely not capture any attacks (unless you want to prove a point)! For starters it is recommended to put T-Pot in an unfiltered zone, where all TCP and UDP traffic is forwarded to T-Pot's network interface. To avoid probing for T-Pot's management ports you can put T-Pot behind a firewall and forward all TCP / UDP traffic in the port range of 1-64000 to T-Pot while allowing access to ports > 64000 only from trusted IPs and / or only expose the [ports](#required-ports) relevant to your use-case. If you wish to catch malware traffic on unknown ports you should not limit the ports you forward since glutton and honeytrap dynamically bind any TCP port that is not covered by other honeypot daemons and thus give you a better representation of the risks your setup is exposed to.
 <br><br>
 
 # Installation
-The T-Pot installation is offered in different variations. While the overall installation of T-Pot is straight forward it heavily depends on a working, non-proxied (unless you made modifications) up and running internet connection (also see [required outgoing ports](#required-ports)). If these conditions are not met the installation **will fail!** either during the execution of the Debian Installer, after the first reboot before the T-Pot Installer is starting up or while the T-Pot installer is trying to download all the necessary dependencies.
+The T-Pot installation is offered in different variations. While the overall installation of T-Pot is straightforward it heavily depends on a working, non-proxied (unless you made modifications) up and running internet connection (also see [required outgoing ports](#required-ports)). If these conditions are not met the installation **will fail!** either during the execution of the Debian Installer, after the first reboot before the T-Pot Installer is starting up or while the T-Pot installer is trying to download all the necessary dependencies.
 <br><br>
 
 ## ISO Based
@@ -337,7 +337,7 @@ cd tpotce/iso/installer/
 The installation will now start, you can now move on to the [T-Pot Installer](#t-pot-installer) section.
 <br><br>
 
-### **Post-Install Auto**
+### **Post-Install Auto Method**
 You can also let the installer run automatically if you provide your own `tpot.conf`. An example is available in `tpotce/iso/installer/tpot.conf.dist`. This should make things easier in case you want to automate the installation i.e. with **Ansible**.
 
 Just follow these steps while adjusting `tpot.conf` to your needs:
@@ -359,7 +359,7 @@ In the past T-Pot was only available as a [standalone](#standalone) solution wit
 <br><br>
 
 ### **Standalone**
-With T-Pot Standalone all services, tools, honeypots, etc. will be installed on to a single host. Make sure to meet the [system requirements](#system-requirements). You can choose from various pre-defined T-Pot editions (or flavors) depending on your personal use-case (you can always adjust `/opt/tpot/etc/tpot.yml` to your needs).
+With T-Pot Standalone all services, tools, honeypots, etc. will be installed on to a single host. Make sure to meet the [system requirements](#system-requirements). You can choose from various predefined T-Pot editions (or flavors) depending on your personal use-case (you can always adjust `/opt/tpot/etc/tpot.yml` to your needs).
 Once the installation is finished you can proceed to [First Start](#first-start).
 <br><br>
 
@@ -544,7 +544,7 @@ T-Pot is designed to be low maintenance. Basically there is nothing you have to
 <br><br>
 
 ## Updates
-While security update are installed automatically by the OS and docker images are pulled once per day (`/etc/crontab`) to check for updated images, T-Pot offers the option to be updated to the latest master and / or upgrade a previous version. Updating and upgrading always introduces the risk of loosing your data, so it is heavily encouraged you backup your machine before proceeding.
+While security updates are installed automatically by the OS and docker images are pulled once per day (`/etc/crontab`) to check for updated images, T-Pot offers the option to be updated to the latest master and / or upgrade a previous version. Updating and upgrading always introduces the risk of losing your data, so it is heavily encouraged to backup your machine before proceeding.
 <br><br>
 Should an update fail, opening an issue or a discussion will help to improve things in the future, but the solution will always be to perform a ***fresh install*** as we simply ***cannot*** provide any support for lost data!
 <br>
@@ -561,13 +561,8 @@ The update script will ...
 
 
 ### **Update from 20.06.x**
-If you are running T-Pot 20.06.x you simply follow these commands ***after you backed up any relevant data***:
-```
-sudo su -
-cd /opt/tpot/
-wget -O update.sh https://raw.githubusercontent.com/telekom-security/tpotce/master/update.sh
-./update.sh
-```
+Due to massive changes in Elasticsearch automated updates from 20.06.x are no longer available. If you have not upgraded already a fresh install with 22.04.x is required.
+
 
 ### **Updates for 22.04.x**
 If you are already running T-Pot 22.04.x you simply run the update script ***after you backed up any relevant data***:
@@ -698,7 +693,7 @@ Some T-Pot updates will require you to update the Kibana objects. Either to supp
 1. Go to Kibana
 2. Click on "Stack Management"
 3. Click on "Saved Objects"
-4. Click on "Export <no.> objetcs"
+4. Click on "Export <no.> objects"
 5. Click on "Export all"
 This will export a NDJSON file with all your objects. Always run a full export to make sure all references are included.
 
@@ -728,7 +723,7 @@ reboot
 <br><br>
 
 ## Adjust tpot.yml
-Maybe the avaialble T-Pot editions do not apply to your use-case or you need a different set of honeypots. You can adjust `/opt/tpot/etc/tpot.yml` to your own preference. If you need examples how this works, just follow the configuration of the existing editions (docker-compose files) in `/opt/tpot/etc/compose` and follow the [Docker Compose Specification](https://docs.docker.com/compose/compose-file/).
+Maybe the available T-Pot editions do not apply to your use-case or you need a different set of honeypots. You can adjust `/opt/tpot/etc/tpot.yml` to your own preference. If you need examples of how this works, just follow the configuration of the existing editions (docker-compose files) in `/opt/tpot/etc/compose` and follow the [Docker Compose Specification](https://docs.docker.com/compose/compose-file/).
 ```
 sudo su -
 systemctl stop tpot
@@ -744,13 +739,13 @@ You can enable two-factor-authentication for Cockpit by running `2fa.sh`.
 <br><br>
 
 # Troubleshooting
-Generally T-Pot is offered ***as is*** without any committment regarding support. Issues and discussions can opened, but be prepared to include basic necessary info, so the community is able to help.
+Generally T-Pot is offered ***as is*** without any commitment regarding support. Issues and discussions can be opened, but be prepared to include basic necessary info, so the community is able to help.
 <br><br>
 
 ## Logging
 * Check if your containers are running correctly: `dps.sh`
 
-* Check if your system ressources are not exhausted: `htop`, `glances`
+* Check if your system resources are not exhausted: `htop`, `glances`
 
 * Check if there is a port conflict:
 ```
@@ -808,13 +803,13 @@ If there are any banned IPs you can unban these with `fail2ban-client unban --al
 
 ## RAM and Storage
 The Elastic Stack is hungry for RAM, specifically `logstash` and `elasticsearch`. If the Elastic Stack is unavailable, does not receive any logs or simply keeps crashing it is most likely a RAM or Storage issue.
-While T-Pot keeps trying to restart the services / containers run `docker logs -f <container_name>` (either `logstash` or `elasticsearch`) and check if there any warnings or failures involving RAM.
+While T-Pot keeps trying to restart the services / containers run `docker logs -f <container_name>` (either `logstash` or `elasticsearch`) and check if there are any warnings or failures involving RAM.
 
 Storage failures can be identified easier via `htop` or `glances`. 
 <br><br>
 
 # Contact
-T-Pot is provided ***as is*** open source ***without*** any committment regarding support ([see the disclaimer](#disclaimer)).
+T-Pot is provided ***as is*** open source ***without*** any commitment regarding support ([see the disclaimer](#disclaimer)).
 
 If you are a company or institution and wish a personal contact aside from [issues](#issues) and [discussions](#discussions) please get in contact with our [sales team](https://www.t-systems.com/de/en/security).
 
@@ -824,7 +819,7 @@ If you are a security researcher and want to responsibly report an issue please
 ## Issues
 Please report issues (errors) on our [GitHub Issues](https://github.com/telekom-security/tpotce/issues), but [troubleshoot](#troubleshooting) first. Issues not providing information to address the error will be closed or converted into [discussions](#discussions).
 
-Feel free to use the search function, it is possible a similar issues has been adressed already, with the solution just a search away.
+Feel free to use the search function, it is possible a similar issue has been addressed already, with the solution just a search away.
 <br><br>
 
 ## Discussions
@@ -840,7 +835,7 @@ The software that T-Pot is built on uses the following licenses.
 <br>Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE)
 <br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [elasticvue](https://github.com/cars10/elasticvue/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE), [maltrail](https://github.com/stamparm/maltrail/blob/master/LICENSE)
 <br> Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE)
-<br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license)
+<br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/cowrie/cowrie/blob/master/LICENSE.rst), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license)
 <br> AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE)
 <br><br>
 
@@ -856,7 +851,7 @@ Without open source and the fruitful development community (we are proud to be a
 * [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot/graphs/contributors)
 * [cockpit](https://github.com/cockpit-project/cockpit/graphs/contributors)
 * [conpot](https://github.com/mushorg/conpot/graphs/contributors)
-* [cowrie](https://github.com/micheloosterhof/cowrie/graphs/contributors)
+* [cowrie](https://github.com/cowrie/cowrie/graphs/contributors)
 * [ddospot](https://github.com/aelth/ddospot/graphs/contributors)
 * [debian](http://www.debian.org/)
 * [dicompot](https://github.com/nsmfoo/dicompot/graphs/contributors)
@@ -906,3 +901,5 @@ And from @robcowart (creator of [ElastiFlow](https://github.com/robcowart/elasti
 ***"#TPot is one of the most well put together turnkey honeypot solutions. It is a must-have for anyone wanting to analyze and understand the behavior of malicious actors and the threat they pose to your organization."***
 <br><br>
 **Thank you!**
+
+![Alt](https://repobeats.axiom.co/api/embed/642a1032ac85996c81b12cf9f6393103058b8a04.svg "Repobeats analytics image")

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+|---------| ------------------ |
+| 23.12.x | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+We take security of T-Pot very seriously. If one of T-Pot's components is affected, it is most likely that a upstream component we rely on is involved, such as a honeypot, docker image, tool or package. Together we will find the best possible way to remedy the situation.
+
+Before you submit a possible vulnerability, please ensure you have done the following:
+1. You have checked the documentation, issues and discussions if the detected behavior is typical and does not revolve around other issues. I.e. Cowrie will be detected with outgoing conncection requests or T-Pot opening all possible TCP ports which Honeytrap enabled install flavors will do as a feature.
+2. You have identified the vulnerable component and isolated your finding (honeypot, docker image, tool, package, etc.).
+3. You have a detailed description including log files, possibly debug files, with all steps necessary for us to reproduce / trigger the behaviour or vulnerability. At best you already have a possible solution, hotfix, fix or patch to remedy the situation and want to submit a PR. 
+4. You have checked if the possible vulnerability is known upstream. If a fix / patch is already available, please provide the necessary info.
+
+We will get back to you as fast as possible. In case you think this is an emergency for the whole T-Pot community feel free to speed things up by **responsibly** informing our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316).

_deprecated/bin/clean.sh

@@ -117,7 +117,7 @@ fuCOWRIE () {
 # Let's create a function to clean up and prepare ddospot data
 fuDDOSPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
-  mkdir -p /data/ddospot/log
+  mkdir -p /data/ddospot/bl /data/ddospot/db /data/ddospot/log
   chmod 770 /data/ddospot -R
   chown tpot:tpot /data/ddospot -R
 }

_deprecated/bin/dps.sh

@@ -11,7 +11,7 @@ fi
 myPARAM="$1"
 if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
   then
-    watch --color -n $myPARAM "dps.sh"
+    watch --color -n $myPARAM "$0"
     exit
 fi
 

_deprecated/bin/rules.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 ### Vars, Ports for Standard services
-myHOSTPORTS="7634 64294 64295"
+myHOSTPORTS="7634 64294 64295 64297 64304"
 myDOCKERCOMPOSEYML="$1"
 myRULESFUNCTION="$2"
 

_deprecated/bin/updateip.sh

@@ -3,7 +3,7 @@
 # If the external IP cannot be detected, the internal IP will be inherited.
 source /etc/environment
 myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
-myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
+myUUID=$(lsblk -o MOUNTPOINT,UUID | grep -e "^/ " | awk '{ print $2 }')
 myLOCALIP=$(hostname -I | awk '{ print $1 }')
 myEXTIP=$(/opt/tpot/bin/myip.sh)
 if [ "$myEXTIP" = "" ];

_deprecated/etc/compose/collector.yml

@@ -0,0 +1,260 @@
+# T-Pot (Collector)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  heralding_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+     - "21:21"
+     - "22:22"
+     - "23:23"
+     - "25:25"
+     - "80:80"
+     - "110:110"
+     - "143:143"
+     - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+     - "1080:1080"
+     - "3306:3306"
+     - "3389:3389"
+     - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/hive.yml

@@ -0,0 +1,141 @@
+# T-Pot (Hive)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+#    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+#    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    ports:
+     - "127.0.0.1:64305:64305"
+#    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/hive_sensor.yml

@@ -374,10 +374,17 @@ services:
   sentrypeer:
     container_name: sentrypeer
     restart: always
+# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+# the bad actors in its logs. Therefore this option is opt-in based.
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=0
     networks:
      - sentrypeer_local
     ports:
+#     - "4222:4222/udp"
      - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
     image: "dtagdevsec/sentrypeer:2204"
     read_only: true
     volumes:

_deprecated/etc/compose/industrial.yml

@@ -0,0 +1,431 @@
+# T-Pot (Industrial)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  conpot_local_default:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  cowrie_local:
+  dicompot_local:
+  heralding_local:
+  medpot_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Conpot default service
+  conpot_default:
+    container_name: conpot_default
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_default.json
+     - CONPOT_LOG=/var/log/conpot/conpot_default.log
+     - CONPOT_TEMPLATE=default
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_default
+    ports:
+     - "69:69/udp"
+     - "80:80"
+     - "102:102"
+     - "161:161/udp"
+     - "502:502"
+#     - "623:623/udp"
+     - "21:21"
+     - "44818:44818"
+     - "47808:47808/udp"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+#     - "161:161/udp"
+     - "2404:2404"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    tmpfs:
+     - /tmp/cowrie:uid=2000,gid=2000
+     - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+     - cowrie_local
+    ports:
+     - "22:22"
+     - "23:23"
+    image: "dtagdevsec/cowrie:2204"
+    read_only: true
+    volumes:
+     - /data/cowrie/downloads:/home/cowrie/cowrie/dl
+     - /data/cowrie/keys:/home/cowrie/cowrie/etc
+     - /data/cowrie/log:/home/cowrie/cowrie/log
+     - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+    # - "110:110"
+    # - "143:143"
+    # - "443:443"
+    # - "465:465"
+    # - "993:993"
+    # - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+    # - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: "dtagdevsec/medpot:2204"
+    read_only: true
+    volumes:
+     - /data/medpot/log/:/var/log/medpot
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/log4j.yml

@@ -0,0 +1,250 @@
+# T-Pot (Log4j)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  log4pot_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Log4pot service
+  log4pot:
+    container_name: log4pot
+    restart: always
+    tmpfs:
+     - /tmp:uid=2000,gid=2000
+    networks:
+     - log4pot_local
+    ports:
+     - "80:8080"
+     - "443:8080"
+     - "8080:8080"
+     - "9200:8080"
+     - "25565:8080"
+    image: "dtagdevsec/log4pot:2204"
+    read_only: true
+    volumes:
+     - /data/log4pot/log:/var/log/log4pot/log
+     - /data/log4pot/payloads:/var/log/log4pot/payloads
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/medical.yml

@@ -0,0 +1,244 @@
+# T-Pot (Medical)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  dicompot_local:
+  medpot_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: "dtagdevsec/medpot:2204"
+    read_only: true
+    volumes:
+     - /data/medpot/log/:/var/log/medpot
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/mini.yml

@@ -0,0 +1,271 @@
+# T-Pot (Mini)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  honeypots_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# qHoneypots service
+  honeypots:
+    container_name: honeypots
+    stdin_open: true
+    tty: true
+    restart: always
+    tmpfs:
+     - /tmp:uid=2000,gid=2000
+    networks:
+     - honeypots_local
+    ports:
+     - "21:21"
+     - "22:22"
+     - "23:23"
+     - "25:25"
+     - "53:53/udp"
+     - "80:80"
+     - "110:110"
+     - "123:123"
+     - "143:143"
+     - "161:161"
+     - "389:389"
+     - "443:443"
+     - "445:445"
+     - "1080:1080"
+     - "1433:1433"
+     - "1521:1521"
+     - "3306:3306"
+     - "5060:5060"
+     - "5432:5432"
+     - "5900:5900"
+     - "6379:6379"
+     - "6667:6667"
+     - "8080:8080"
+     - "9200:9200"
+     - "11211:11211"
+    image: "dtagdevsec/honeypots:2204"
+    read_only: true
+    volumes:
+     - /data/honeypots/log:/var/log/honeypots
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/nextgen.yml

@@ -0,0 +1,575 @@
+# T-Pot (NextGen)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  adbhoney_local:
+  ciscoasa_local:
+  citrixhoneypot_local:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  ddospot_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  endlessh_local:
+  hellpot_local:
+  heralding_local:
+  ipphoney_local:
+  mailoney_local:
+  medpot_local:
+  redishoneypot_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney service
+  adbhoney:
+    container_name: adbhoney
+    restart: always
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: "dtagdevsec/adbhoney:2204"
+    read_only: true
+    volumes:
+     - /data/adbhoney/log:/opt/adbhoney/log
+     - /data/adbhoney/downloads:/opt/adbhoney/dl
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: "dtagdevsec/ciscoasa:2204"
+    read_only: true
+    volumes:
+     - /data/ciscoasa/log:/var/log/ciscoasa
+
+# CitrixHoneypot service
+  citrixhoneypot:
+    container_name: citrixhoneypot
+    restart: always
+    networks:
+     - citrixhoneypot_local
+    ports:
+     - "443:443"
+    image: "dtagdevsec/citrixhoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs       
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+     - "161:161/udp"
+     - "2404:2404"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Ddospot service
+  ddospot:
+    container_name: ddospot
+    restart: always
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: "dtagdevsec/ddospot:2204"
+    read_only: true
+    volumes:
+     - /data/ddospot/log:/opt/ddospot/ddospot/logs
+     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
+     - /data/ddospot/db:/opt/ddospot/ddospot/db
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/ 
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: "dtagdevsec/dionaea:2204"
+    read_only: true
+    volumes:
+     - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - /data/dionaea:/opt/dionaea/var/dionaea
+     - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - /data/dionaea/log:/opt/dionaea/var/log
+     - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: "dtagdevsec/elasticpot:2204"
+    read_only: true
+    volumes:
+     - /data/elasticpot/log:/opt/elasticpot/log
+
+# Endlessh service
+  endlessh:
+    container_name: endlessh
+    restart: always
+    networks:
+     - endlessh_local
+    ports:
+     - "22:2222"
+    image: "dtagdevsec/endlessh:2204"
+    read_only: true
+    volumes:
+     - /data/endlessh/log:/var/log/endlessh
+
+# Glutton service
+  glutton:
+    container_name: glutton
+    restart: always
+    tmpfs:
+     - /var/lib/glutton:uid=2000,gid=2000
+     - /run:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/glutton:2204"
+    read_only: true
+    volumes:
+     - /data/glutton/log:/var/log/glutton
+#     - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: "dtagdevsec/ipphoney:2204"
+    read_only: true
+    volumes:
+     - /data/ipphoney/log:/opt/ipphoney/log
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    restart: always
+    environment:
+     - HPFEEDS_SERVER=
+     - HPFEEDS_IDENT=user
+     - HPFEEDS_SECRET=pass
+     - HPFEEDS_PORT=20000
+     - HPFEEDS_CHANNELPREFIX=prefix
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+    image: "dtagdevsec/mailoney:2204"
+    read_only: true
+    volumes:
+     - /data/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: "dtagdevsec/medpot:2204"
+    read_only: true
+    volumes:
+     - /data/medpot/log/:/var/log/medpot
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: "dtagdevsec/redishoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/redishoneypot/log:/var/log/redishoneypot
+
+# Hellpot service
+  hellpot:
+    container_name: hellpot
+    restart: always
+    networks:
+     - hellpot_local
+    ports:
+     - "80:8080"
+    image: "dtagdevsec/hellpot:2204"
+    read_only: true
+    volumes:
+     - /data/hellpot/log:/var/log/hellpot
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/sensor.yml

@@ -374,10 +374,17 @@ services:
   sentrypeer:
     container_name: sentrypeer
     restart: always
+# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+# the bad actors in its logs. Therefore this option is opt-in based.
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=0
     networks:
      - sentrypeer_local
     ports:
+#     - "4222:4222/udp"
      - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
     image: "dtagdevsec/sentrypeer:2204"
     read_only: true
     volumes:

_deprecated/etc/compose/standard.yml

@@ -0,0 +1,662 @@
+# T-Pot (Standard)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  adbhoney_local:
+  ciscoasa_local:
+  citrixhoneypot_local:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  cowrie_local:
+  ddospot_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  heralding_local:
+  ipphoney_local:
+  mailoney_local:
+  medpot_local:
+  redishoneypot_local:
+  tanner_local:
+  ewsposter_local:
+  sentrypeer_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney service
+  adbhoney:
+    container_name: adbhoney
+    restart: always
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: "dtagdevsec/adbhoney:2204"
+    read_only: true
+    volumes:
+     - /data/adbhoney/log:/opt/adbhoney/log
+     - /data/adbhoney/downloads:/opt/adbhoney/dl
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: "dtagdevsec/ciscoasa:2204"
+    read_only: true
+    volumes:
+     - /data/ciscoasa/log:/var/log/ciscoasa
+
+# CitrixHoneypot service
+  citrixhoneypot:
+    container_name: citrixhoneypot
+    restart: always
+    networks:
+     - citrixhoneypot_local
+    ports:
+     - "443:443"
+    image: "dtagdevsec/citrixhoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+     - "161:161/udp"
+     - "2404:2404"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: "dtagdevsec/conpot:2204"
+    read_only: true
+    volumes:
+     - /data/conpot/log:/var/log/conpot
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    tmpfs:
+     - /tmp/cowrie:uid=2000,gid=2000
+     - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+     - cowrie_local
+    ports:
+     - "22:22"
+     - "23:23"
+    image: "dtagdevsec/cowrie:2204"
+    read_only: true
+    volumes:
+     - /data/cowrie/downloads:/home/cowrie/cowrie/dl
+     - /data/cowrie/keys:/home/cowrie/cowrie/etc
+     - /data/cowrie/log:/home/cowrie/cowrie/log
+     - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Ddospot service
+  ddospot:
+    container_name: ddospot
+    restart: always
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: "dtagdevsec/ddospot:2204"
+    read_only: true
+    volumes:
+     - /data/ddospot/log:/opt/ddospot/ddospot/logs
+     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
+     - /data/ddospot/db:/opt/ddospot/ddospot/db
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    networks:
+     - dicompot_local
+    ports:
+     - "11112:11112"
+    image: "dtagdevsec/dicompot:2204"
+    read_only: true
+    volumes:
+     - /data/dicompot/log:/var/log/dicompot
+#     - /data/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: "dtagdevsec/dionaea:2204"
+    read_only: true
+    volumes:
+     - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - /data/dionaea:/opt/dionaea/var/dionaea
+     - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - /data/dionaea/log:/opt/dionaea/var/log
+     - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: "dtagdevsec/elasticpot:2204"
+    read_only: true
+    volumes:
+     - /data/elasticpot/log:/opt/elasticpot/log
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: "dtagdevsec/ipphoney:2204"
+    read_only: true
+    volumes:
+     - /data/ipphoney/log:/opt/ipphoney/log
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    restart: always
+    environment:
+     - HPFEEDS_SERVER=
+     - HPFEEDS_IDENT=user
+     - HPFEEDS_SECRET=pass
+     - HPFEEDS_PORT=20000
+     - HPFEEDS_CHANNELPREFIX=prefix
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+    image: "dtagdevsec/mailoney:2204"
+    read_only: true
+    volumes:
+     - /data/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: "dtagdevsec/medpot:2204"
+    read_only: true
+    volumes:
+     - /data/medpot/log/:/var/log/medpot
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: "dtagdevsec/redishoneypot:2204"
+    read_only: true
+    volumes:
+     - /data/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
+# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
+# the bad actors in its logs. Therefore this option is opt-in based.
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=0
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: "dtagdevsec/sentrypeer:2204"
+    read_only: true
+    volumes:
+     - /data/sentrypeer/log:/var/log/sentrypeer
+
+#### Snare / Tanner
+## Tanner Redis Service
+  tanner_redis:
+    container_name: tanner_redis
+    restart: always
+    tty: true
+    networks:
+     - tanner_local
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## PHP Sandbox service
+  tanner_phpox:
+    container_name: tanner_phpox
+    restart: always
+    tty: true
+    networks:
+     - tanner_local
+    image: "dtagdevsec/phpox:2204"
+    read_only: true
+
+## Tanner API Service
+  tanner_api:
+    container_name: tanner_api
+    restart: always
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: "dtagdevsec/tanner:2204"
+    read_only: true
+    volumes:
+     - /data/tanner/log:/var/log/tanner
+    command: tannerapi
+    depends_on:
+     - tanner_redis
+
+## Tanner Service
+  tanner:
+    container_name: tanner
+    restart: always
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: "dtagdevsec/tanner:2204"
+    command: tanner
+    read_only: true
+    volumes:
+     - /data/tanner/log:/var/log/tanner
+     - /data/tanner/files:/opt/tanner/files
+    depends_on:
+     - tanner_api
+#     - tanner_web
+     - tanner_phpox
+
+## Snare Service
+  snare:
+    container_name: snare
+    restart: always
+    tty: true
+    networks:
+     - tanner_local
+    ports:
+     - "80:80"
+    image: "dtagdevsec/snare:2204"
+    depends_on:
+     - tanner
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/etc/compose/tarpit.yml

@@ -0,0 +1,287 @@
+# T-Pot (Tarpit)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+  endlessh_local:
+  hellpot_local:
+  heralding_local:
+  ewsposter_local:
+  spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Endlessh service
+  endlessh:
+    container_name: endlessh
+    restart: always
+    networks:
+     - endlessh_local
+    ports:
+     - "22:2222"
+    image: "dtagdevsec/endlessh:2204"
+    read_only: true
+    volumes:
+     - /data/endlessh/log:/var/log/endlessh
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: "dtagdevsec/heralding:2204"
+    read_only: true
+    volumes:
+     - /data/heralding/log:/var/log/heralding
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: "dtagdevsec/honeytrap:2204"
+    read_only: true
+    volumes:
+     - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - /data/honeytrap/log:/opt/honeytrap/var/log
+
+# Hellpot service
+  hellpot:
+    container_name: hellpot
+    restart: always
+    networks:
+     - hellpot_local
+    ports:
+     - "80:8080"
+    image: "dtagdevsec/hellpot:2204"
+    read_only: true
+    volumes:
+     - /data/hellpot/log:/var/log/hellpot
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/fatt:2204"
+    volumes:
+     - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    network_mode: "host"
+    image: "dtagdevsec/p0f:2204"
+    read_only: true
+    volumes:
+     - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    environment:
+    # For ET Pro ruleset replace "OPEN" with your OINKCODE
+     - OINKCODE=OPEN
+    # Loading externel Rules from URL 
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: "dtagdevsec/suricata:2204"
+    volumes:
+     - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: "dtagdevsec/elasticsearch:2204"
+    volumes:
+     - /data:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: "dtagdevsec/kibana:2204"
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    mem_limit: 2g
+    image: "dtagdevsec/logstash:2204"
+    volumes:
+     - /data:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/redis:2204"
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: "dtagdevsec/map:2204"
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    stop_signal: SIGKILL
+    tty: true
+    image: "dtagdevsec/map:2204"
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    env_file:
+     - /opt/tpot/etc/compose/elk_environment
+    image: "dtagdevsec/ewsposter:2204"
+    volumes:
+     - /data:/data
+     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+      #    ports:
+      #     - "64297:64297"
+      #     - "127.0.0.1:64304:64304"
+    image: "dtagdevsec/nginx:2204"
+    read_only: true
+    volumes:
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - /data/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: "dtagdevsec/spiderfoot:2204"
+    volumes:
+     - /data/spiderfoot:/home/spiderfoot/.spiderfoot

_deprecated/install.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+cd iso/installer
+./install.sh "$@"

_deprecated/installer/debian/install.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Debian
+if ! grep -q 'ID=debian' /etc/os-release; then
+  echo "This script is designed to run on Debian. Aborting."
+  exit 1
+fi
+
+if [ -f /var/log/debian-install-lock ]; then
+  echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
+  exit 1
+fi
+
+# Create installer lock file
+sudo touch /var/log/debian-install-lock
+
+# Update SSH config
+echo "Updating SSH config..."
+sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config'
+
+# Install recommended packages
+echo "Installing recommended packages..."
+sudo apt-get -y update
+sudo apt-get -y install bash-completion git grc neovim net-tools
+
+# Remove old Docker
+echo "Removing old docker packages..."
+sudo apt-get -y remove docker docker-engine docker.io containerd runc
+
+# Add Docker to repositories, install latest docker
+echo "Adding Docker to repositories and installing..."
+sudo apt-get -y update
+sudo apt-get -y install ca-certificates curl gnupg
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+echo \
+  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
+  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get -y update
+sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo systemctl enable docker
+sudo systemctl stop docker
+sudo systemctl start docker
+
+# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
+echo "Creating T-Pot group and user ..."
+addgroup --gid 2000 tpot
+adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot
+# Add user to Docker, T-Pot group
+echo "Adding $(whoami) to Docker group..."
+sudo usermod -aG docker $(whoami)
+echo "Adding $(whoami) to T-Pot group..."
+sudo usermod -aG tpot $(whoami)
+
+# Add aliases
+echo "Adding aliases..."
+echo "alias dps='grc docker ps -a'" >> ~/.bashrc
+echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
+
+# Show running services
+sudo grc netstat -tulpen
+echo "Please review for possible honeypot port conflicts."
+echo "While SSH is taken care of, other services such as"
+echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
+
+echo "Done. Please reboot and re-connect via SSH on tcp/64295."
+

_deprecated/installer/debian/sudo-install.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if ! command -v sudo &> /dev/null
+then
+    echo "sudo is not installed. Installing now..."
+    su -c "apt-get -y update && apt-get -y install sudo"
+    su -c "/usr/sbin/usermod -aG sudo $(whoami)"
+else
+    echo "sudo is already installed."
+fi

_deprecated/installer/debian/uninstall.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Debian
+if ! grep -q 'ID=debian' /etc/os-release; then
+  echo "This script is designed to run on Debian. Aborting."
+  exit 1
+fi
+
+# Check if installer lock file exists
+if [ ! -f /var/log/debian-install-lock ]; then
+  echo "Error: The installer has not been run on this system. Aborting."
+  exit 1
+fi
+
+# Remove SSH config changes
+echo "Removing SSH config changes..."
+sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config
+
+# Uninstall Docker
+echo "Stopping and removing all containers ..."
+docker stop $(docker ps -aq)
+docker rm $(docker ps -aq)
+echo "Uninstalling Docker..."
+sudo systemctl stop docker
+sudo systemctl disable docker
+sudo apt-get -y remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo apt-get -y autoremove
+sudo rm -rf /etc/apt/sources.list.d/docker.list
+sudo rm -rf /etc/apt/keyrings/docker.gpg
+
+# Remove user from Docker, T-Pot group
+echo "Removing $(whoami) from T-Pot group..."
+sudo deluser $(whoami) tpot
+echo "Removing $(whoami) from Docker group..."
+sudo deluser $(whoami) docker
+# Remove T-Pot user and group
+echo "Removing T-Pot user..."
+sudo deluser tpot
+echo "Removing T-Pot group..."
+sudo delgroup tpot
+
+# Remove aliases
+echo "Removing aliases..."
+sed -i '/alias dps=/d' ~/.bashrc
+sed -i '/alias dpsw=/d' ~/.bashrc
+
+# Remove installer lock file
+sudo rm -f /var/log/debian-install-lock
+
+echo "Done. Please reboot and re-connect via SSH on tcp/22"
+

_deprecated/installer/fedora/install.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Fedora
+if ! grep -q 'ID=fedora' /etc/os-release; then
+  echo "This script is designed to run on Fedora. Aborting."
+  exit 1
+fi
+
+if [ -f /var/log/fedora-install-lock ]; then
+  echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
+  exit 1
+fi
+
+# Create installer lock file
+sudo touch /var/log/fedora-install-lock
+
+# Update SSH config
+echo "Updating SSH config..."
+sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config'
+
+# Update DNS config
+echo "Updating DNS config..."
+sudo bash -c "sed -i 's/^.*DNSStubListener=.*/DNSStubListener=no/' /etc/systemd/resolved.conf"
+sudo systemctl restart systemd-resolved.service
+
+# Update SELinux config
+echo "Updating SELinux config..."
+sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config
+
+# Update Firewall rules
+echo "Updating Firewall rules..."
+sudo firewall-cmd --permanent --add-port=64295/tcp
+sudo firewall-cmd --permanent --zone=public --set-target=ACCEPT
+#sudo firewall-cmd --reload
+sudo firewall-cmd --list-all
+
+# Load kernel modules
+echo "Loading kernel modules..."
+sudo modprobe -v iptable_filter
+echo "iptable_filter" | sudo tee /etc/modules-load.d/iptables.conf
+
+# Add Docker to repositories, install latest docker
+echo "Adding Docker to repositories and installing..."
+sudo dnf -y update
+sudo dnf -y install dnf-plugins-core
+sudo dnf -y config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
+sudo dnf -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo systemctl enable docker
+sudo systemctl start docker
+
+# Install recommended packages
+echo "Installing recommended packages..."
+sudo dnf -y install bash-completion git grc net-tools
+
+# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
+echo "Creating T-Pot group and user..."
+sudo groupadd -g 2000 tpot
+sudo useradd -r -u 2000 -g 2000 -M -s /sbin/nologin tpot
+# Add user to Docker, T-Pot group
+echo "Adding $(whoami) to Docker group..."
+sudo usermod -aG docker $(whoami)
+echo "Adding $(whoami) to T-Pot group..."
+sudo usermod -aG tpot $(whoami)
+
+# Add aliases
+echo "Adding aliases..."
+echo "alias dps='grc docker ps -a'" >> ~/.bashrc
+echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
+
+# Show running services
+sudo grc netstat -tulpen
+echo "Please review for possible honeypot port conflicts."
+echo "While SSH is taken care of, other services such as"
+echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
+
+echo "Done. Please reboot and re-connect via SSH on tcp/64295."
+

_deprecated/installer/fedora/uninstall.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Fedora
+if ! grep -q 'ID=fedora' /etc/os-release; then
+  echo "This script is designed to run on Fedora. Aborting."
+  exit 1
+fi
+
+if [ ! -f /var/log/fedora-install-lock ]; then
+  echo "Error: The installer has not been run on this system. Aborting uninstallation."
+  exit 1
+fi
+
+# Remove SSH config changes
+echo "Removing SSH config changes..."
+sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config
+
+# Remove DNS config changes
+echo "Updating DNS config..."
+sudo bash -c "sed -i 's/^.*DNSStubListener=.*/#DNSStubListener=yes/' /etc/systemd/resolved.conf"
+sudo systemctl restart systemd-resolved.service
+
+# Restore SELinux config
+echo "Restoring SELinux config..."
+sudo sed -i s/SELINUX=permissive/SELINUX=enforcing/g /etc/selinux/config
+
+# Remove Firewall rules
+echo "Removing Firewall rules..."
+sudo firewall-cmd --permanent --remove-port=64295/tcp
+sudo firewall-cmd --permanent --zone=public --set-target=default
+#sudo firewall-cmd --reload
+sudo firewall-cmd --list-all
+
+# Unload kernel modules
+echo "Unloading kernel modules..."
+sudo modprobe -rv iptable_filter
+sudo rm /etc/modules-load.d/iptables.conf
+
+# Uninstall Docker
+echo "Stopping and removing all containers ..."
+docker stop $(docker ps -aq)
+docker rm $(docker ps -aq)
+echo "Uninstalling Docker..."
+sudo systemctl stop docker
+sudo systemctl disable docker
+sudo dnf -y remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo dnf config-manager --disable docker-ce-stable
+sudo rm /etc/yum.repos.d/docker-ce.repo
+
+# Remove user from Docker, T-Pot group
+echo "Removing $(whoami) from T-Pot group..."
+sudo gpasswd -d $(whoami) tpot
+echo "Removing $(whoami) from Docker group..."
+sudo gpasswd -d $(whoami) docker
+# Remove T-Pot user and group
+echo "Removing T-Pot user..."
+sudo userdel tpot
+echo "Removing T-Pot group..."
+sudo groupdel tpot
+
+# Remove aliases
+echo "Removing aliases..."
+sed -i '/alias dps=/d' ~/.bashrc
+sed -i '/alias dpsw=/d' ~/.bashrc
+
+# Remove installer lock file
+sudo rm /var/log/fedora-install-lock
+
+echo "Done. Please reboot and re-connect via SSH on tcp/22"
+

_deprecated/installer/suse/install.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on OpenSuse Tumbleweed
+if ! grep -q 'ID="opensuse-tumbleweed"' /etc/os-release; then
+  echo "This script is designed to run on OpenSuse Tumbleweed. Aborting."
+  exit 1
+fi
+
+if [ -f /var/log/suse-install-lock ]; then
+  echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
+  exit 1
+fi
+
+# Create installer lock file
+sudo touch /var/log/suse-install-lock
+
+# Update SSH config
+echo "Updating SSH config..."
+sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config.d/port.conf'
+
+# Update Firewall rules
+echo "Updating Firewall rules..."
+sudo firewall-cmd --permanent --add-port=64295/tcp
+sudo firewall-cmd --permanent --zone=public --set-target=ACCEPT
+#sudo firewall-cmd --reload
+sudo firewall-cmd --list-all
+
+# Install docker and recommended packages
+echo "Installing recommended packages..."
+sudo zypper -n update
+sudo zypper -n remove cups net-tools postfix yast2-auth-client yast2-auth-server
+sudo zypper -n install bash-completion docker docker-compose git grc busybox-net-tools
+
+# Enable and start docker
+echo "Enabling and starting docker..."
+systemctl enable docker
+systemctl start docker
+
+# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
+echo "Creating T-Pot group and user ..."
+sudo groupadd -g 2000 tpot
+sudo useradd -r -u 2000 -g 2000 -s /sbin/nologin tpot
+
+# Add user to Docker, T-Pot group
+echo "Adding $(whoami) to Docker group..."
+sudo usermod -a -G docker $(whoami)
+echo "Adding $(whoami) to T-Pot group..."
+sudo usermod -a -G tpot $(whoami)
+
+# Add aliases
+echo "Adding aliases..."
+echo "alias dps='grc docker ps -a'" >> ~/.bashrc
+echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
+
+# Show running services
+sudo grc netstat -tulpen
+echo "Please review for possible honeypot port conflicts."
+echo "While SSH is taken care of, other services such as"
+echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
+
+echo "Done. Please reboot and re-connect via SSH on tcp/64295."
+

_deprecated/installer/suse/uninstall.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on OpenSuse Tumbleweed
+if ! grep -q 'ID="opensuse-tumbleweed"' /etc/os-release; then
+  echo "This script is designed to run on OpenSuse Tumbleweed. Aborting."
+  exit 1
+fi
+
+if [ ! -f /var/log/suse-install-lock ]; then
+  echo "Error: The installer has not been run on this system. Aborting uninstallation."
+  exit 1
+fi
+
+# Remove SSH config changes
+echo "Removing SSH config changes..."
+sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config.d/port.conf
+
+# Remove Firewall rules
+echo "Removing Firewall rules..."
+sudo firewall-cmd --permanent --remove-port=64295/tcp
+sudo firewall-cmd --permanent --zone=public --set-target=default
+#sudo firewall-cmd --reload
+sudo firewall-cmd --list-all
+
+# Uninstall Docker
+echo "Stopping and removing all containers ..."
+docker stop $(docker ps -aq)
+docker rm $(docker ps -aq)
+echo "Uninstalling Docker..."
+sudo systemctl stop docker
+sudo systemctl disable docker
+sudo zypper -n remove docker docker-compose
+sudo zypper -n install cups postfix
+
+# Remove user from Docker, T-Pot group
+echo "Removing $(whoami) from T-Pot group..."
+sudo gpasswd -d $(whoami) tpot
+echo "Removing $(whoami) from Docker group..."
+sudo gpasswd -d $(whoami) docker
+# Remove T-Pot user and group
+echo "Removing T-Pot user..."
+sudo userdel tpot
+echo "Removing T-Pot group..."
+sudo groupdel tpot
+
+# Remove aliases
+echo "Removing aliases..."
+sed -i '/alias dps=/d' ~/.bashrc
+sed -i '/alias dpsw=/d' ~/.bashrc
+
+# Remove installer lock file
+sudo rm /var/log/suse-install-lock
+
+echo "Done. Please reboot and re-connect via SSH on tcp/22"
+

_deprecated/installer/ubuntu/install.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Ubuntu
+if ! grep -q 'ID=ubuntu' /etc/os-release; then
+  echo "This script is designed to run on Ubuntu. Aborting."
+  exit 1
+fi
+
+if [ -f /var/log/ubuntu-install-lock ]; then
+  echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
+  exit 1
+fi
+
+# Create installer lock file
+sudo touch /var/log/ubuntu-install-lock
+
+# Update SSH config
+echo "Updating SSH config..."
+sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config'
+sudo systemctl disable ssh.socket
+sudo rm /etc/systemd/system/ssh.service.d/00-socket.conf
+sudo systemctl enable ssh.service
+
+# Update DNS config
+echo "Updating DNS config..."
+sudo bash -c "sed -i 's/^.*DNSStubListener=.*/DNSStubListener=no/' /etc/systemd/resolved.conf"
+sudo systemctl restart systemd-resolved.service
+
+# Install recommended packages
+echo "Installing recommended packages..."
+sudo apt-get -y update
+sudo apt-get -y install bash-completion git grc net-tools vim
+
+# Remove old Docker
+echo "Removing old docker packages..."
+sudo apt-get -y remove docker docker-engine docker.io containerd runc
+
+# Add Docker to repositories, install latest docker
+echo "Adding Docker to repositories and installing..."
+sudo apt-get -y update
+sudo apt-get -y install ca-certificates curl gnupg
+sudo install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+sudo chmod a+r /etc/apt/keyrings/docker.gpg
+echo \
+  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
+  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
+  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+sudo apt-get -y update
+sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo systemctl enable docker
+sudo systemctl stop docker
+sudo systemctl start docker
+
+# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
+echo "Creating T-Pot group and user ..."
+addgroup --gid 2000 tpot
+adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot
+# Add user to Docker, T-Pot group
+echo "Adding $(whoami) to Docker group..."
+sudo usermod -aG docker $(whoami)
+echo "Adding $(whoami) to T-Pot group..."
+sudo usermod -aG tpot $(whoami)
+
+# Add aliases
+echo "Adding aliases..."
+echo "alias dps='grc docker ps -a'" >> ~/.bashrc
+echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
+
+# Show running services
+sudo grc netstat -tulpen
+echo "Please review for possible honeypot port conflicts."
+echo "While SSH is taken care of, other services such as"
+echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
+
+echo "Done. Please reboot and re-connect via SSH on tcp/64295."
+

_deprecated/installer/ubuntu/uninstall.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# Needs to run as non-root
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" == "root" ]
+  then
+    echo "Need to run as user ..."
+    exit
+fi
+
+# Check if running on Ubuntu
+if ! grep -q 'ID=ubuntu' /etc/os-release; then
+  echo "This script is designed to run on Ubuntu. Aborting."
+  exit 1
+fi
+
+# Check if installer lock file exists
+if [ ! -f /var/log/ubuntu-install-lock ]; then
+  echo "Error: The installer has not been run on this system. Aborting."
+  exit 1
+fi
+
+# Remove SSH config changes
+echo "Removing SSH config changes..."
+sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config
+sudo systemctl disable ssh.service
+sudo systemctl enable ssh.socket
+
+# Remove DNS config changes
+echo "Updating DNS config..."
+sudo bash -c "sed -i 's/^.*DNSStubListener=.*/#DNSStubListener=yes/' /etc/systemd/resolved.conf"
+sudo systemctl restart systemd-resolved.service
+
+# Uninstall Docker
+echo "Stopping and removing all containers ..."
+docker stop $(docker ps -aq)
+docker rm $(docker ps -aq)
+echo "Uninstalling Docker..."
+sudo systemctl stop docker
+sudo systemctl disable docker
+sudo apt-get -y remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+sudo apt-get -y autoremove
+sudo rm -rf /etc/apt/sources.list.d/docker.list
+sudo rm -rf /etc/apt/keyrings/docker.gpg
+
+# Remove user from Docker, T-Pot group
+echo "Removing $(whoami) from T-Pot group..."
+sudo deluser $(whoami) tpot
+echo "Removing $(whoami) from Docker group..."
+sudo deluser $(whoami) docker
+# Remove T-Pot user and group
+echo "Removing T-Pot user..."
+sudo deluser tpot
+echo "Removing T-Pot group..."
+sudo delgroup tpot
+
+# Remove aliases
+echo "Removing aliases..."
+sed -i '/alias dps=/d' ~/.bashrc
+sed -i '/alias dpsw=/d' ~/.bashrc
+
+# Remove installer lock file
+sudo rm -f /var/log/ubuntu-install-lock
+
+echo "Done. Please reboot and re-connect via SSH on tcp/22"
+

_deprecated/iso/installer/install.sh

@@ -26,6 +26,11 @@ if [ -f "../../packages.txt" ];
   then myINSTALLPACKAGESFILE="../../packages.txt"
 elif [ -f "/opt/tpot/packages.txt" ];
   then myINSTALLPACKAGESFILE="/opt/tpot/packages.txt"
+elif [ -f "/root/tpot/packages.txt" ];
+  then myINSTALLPACKAGESFILE="/root/tpot/packages.txt"
+else
+  echo "packages.txt NOT FOUND."
+  exit 1
 fi
 myINSTALLPACKAGES=$(cat $myINSTALLPACKAGESFILE)
 myINFO="\
@@ -129,7 +134,7 @@ kernel.panic_on_oops = 1
 vm.max_map_count = 262144
 "
 myFAIL2BANCONF="[DEFAULT]
-ignore-ip = 127.0.0.1/8
+ignoreip = 127.0.0.1/8
 bantime = 3600
 findtime = 600
 maxretry = 5
@@ -696,7 +701,7 @@ echo "UseRoaming no" | tee -a /etc/ssh/ssh_config
 # Installing elasticdump, yq
 fuBANNER "Installing pkgs"
 npm install elasticdump -g
-pip3 install glances yq
+pip3 install glances[docker] yq
 hash -r
 
 # Cloning T-Pot from GitHub