Bump Elastic Stack to 8.18.3

- Logstash: include syslog output plugin and config example

.env

@@ -0,0 +1,174 @@
+# T-Pot config file. Do not remove.
+
+###############################################
+# T-Pot Base Settings - Adjust to your needs. #
+###############################################
+
+# Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
+#  <empty>: This is the default
+#  <base64 encoded htpasswd usernames / passwords>:
+#   Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the WEB_USER if you want to manually deploy T-Pot, run 'install.sh' to automatically add a user during installation, or 'genuser.sh' if you just want to add a web user.
+#   Example: 'htpasswd -n -b "tsec" "tsec" | base64 -w0' will print dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
+#   Copy the string and replace WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
+#   Multiple users are possible:
+#   WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo= dHNlYzokYXByMSR6VUFHVWdmOCRROXI3a09CTjFjY3lCeU1DTloyanEvCgo=
+WEB_USER=
+
+# Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
+# The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
+#  <empty>: This is empty by default.
+#  <'htpasswd encoded usernames / passwords'>:
+#   Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the LS_WEB_USER if you want to manually deploy the sensor.
+#   Example: 'htpasswd -n -b "sensor" "sensor" | base64 -w0' will print c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
+#   Copy the string and replace / add LS_WEB_USER=c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
+#   Multiple users are possible:
+#   LS_WEB_USER=c2Vuc29yMTokYXByMSQ5aXhNRk5yMCR6d3F2dGFwQ2x0cFBhU1pqMm9ZemYxCgo= c2Vuc29yMjokYXByMSRtYTlOS1J2NCQvU3dsVVBMeW5RaVIyM3pyWVAzOUkwCgo=
+LS_WEB_USER=
+
+# T-Pot Blackhole
+#  ENABLED: T-Pot will download a db of known mass scanners and nullroute them.
+#           Be aware, this will put T-Pot off the map for stealth reasons and
+#           you will get less traffic. Routes will be active until next reboot
+#           and will be re-added with every T-Pot start until disabled.
+#  DISABLED: This is the default and no stealth efforts are in place.
+TPOT_BLACKHOLE=DISABLED
+
+# T-Pot Persistence
+#  on: This is the default. T-Pot will keep the honeypot logfiles and rotate
+#      with logrotate for 30 days.
+#  off: This is recommended for Raspberry Pi or setups with weaker CPUs or
+#       if you just do not need any of the logfiles.
+TPOT_PERSISTENCE=on
+
+# T-Pot Persistence Cycles
+#  <1-999>: Set the number of T-Pot restart cycles for logrotate.
+#           Be mindful of this setting as the logs will use up a lot of available disk space.
+#           In case the setting is invalid, T-Pot will default to 30 cycles.
+#  Remember to adjust the Elastic Search Lifecycle Policy (https://github.com/telekom-security/tpotce/?tab=readme-ov-file#log-persistence) 
+#  as this setting only accounts for the honeypot logs in the ~/tpotce/data folder.
+TPOT_PERSISTENCE_CYCLES=30
+
+# T-Pot Type
+#  HIVE: This is the default and offers everything to connect T-Pot sensors.
+#  SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
+#          settings as well.
+#          1. You will need to copy compose/sensor.yml to ./docker-compose.yml
+#          2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
+#             your SENSOR host to ~/tpotce/data/hive.crt
+#          3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
+#             Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
+#          4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
+#                        "echo -n 'username:password' | base64 -w0"
+#  MOBILE: This will set the correct type for T-Pot Mobile (https://github.com/telekom-security/tpotmobile)
+TPOT_TYPE=HIVE
+
+# T-Pot Hive User (only relevant for SENSOR deployment)
+#  <empty>: This is empty by default.
+#  <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64 -w0"
+#                           i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
+TPOT_HIVE_USER=
+
+# Logstash Sensor SSL verfication (only relevant on SENSOR hosts)
+# full: This is the default. Logstash, by default, verifies the complete certificate chain for ssl certificates.
+#       This also includes the FQDN and sANs. By default T-Pot will only generate a self-signed certificate which
+#       contains a sAN for the HIVE IP. In scenario where the HIVE needs to be accessed via Internet, maybe with
+#       a different NAT address, a new certificate needs to be generated before deployment that includes all the
+#       IPs and FQDNs as sANs for logstash successfully establishing a connection to the HIVE for transmitting
+#       logs. Details here: https://github.com/telekom-security/tpotce?tab=readme-ov-file#distributed-deployment
+# none: This setting will disable the ssl verification check of logstash and should only be used in a testing
+#       environment where IPs often change. It is not recommended for a production environment where trust between
+#       HIVE and SENSOR is only established through a self signed certificate. 
+LS_SSL_VERIFICATION=full
+
+# T-Pot Hive IP (only relevant for SENSOR deployment)
+#  <empty>: This is empty by default.
+#  <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
+TPOT_HIVE_IP=
+
+# T-Pot AttackMap Text Output
+#  ENABLED: This is the default and the docker container map_data will print events to the console.
+#  DISABLED: Printing events to the console is disabled.
+TPOT_ATTACKMAP_TEXT=ENABLED
+
+# T-Pot AttackMap Text Output Timezone
+#  UTC: (T-Pot default) This is usually the best option.
+#  Continent/City: In Linux you can check our timezone with `readlink` /etc/localtime or
+#                  see the full list here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+#  Examples: America/New_York, Asia/Taipei, Australia/Melbourne, Europe/Athens, Europe/Berlin
+TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
+
+###################################################################################
+# Honeypots / Tools settings
+###################################################################################
+# Some services / tools offer adjustments using ENVs which can be adjusted here.
+###################################################################################
+
+# Suricata ET Pro ruleset
+#  OPEN: This is the default and will the ET Open ruleset
+#  OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
+OINKCODE=OPEN
+
+# Beelzebub Honeypot supports LLMs such as ChatGPT and the Ollama backend.
+# Beelzebub is not part of the standard edition, please follow the README regarding setup.
+# It is recommended to use the Ollama backend to keep costs at bay.
+# Remember to rate limit API usage / set budget alerts when using ChatGPT API.
+# BEELZEBUB_LLM_MODEL: Set to "ollama" or "gpt4-o".
+# BEELZEBUB_LLM_HOST: When using "ollama" set it to the URL of your Ollama backend.
+# BEELZEBUB_OLLAMA_MODEL: Set to the model you are serving on your Ollama backend, i.e. "openchat".
+# BEELZEBUB_LLM_MODEL: "gpt4-o"
+# BEELZEBUB_OPENAISECRETKEY: "sk-proj-123456"
+BEELZEBUB_LLM_MODEL: "ollama"
+BEELZEBUB_LLM_HOST: "http://ollama.local:11434/api/chat"
+BEELZEBUB_OLLAMA_MODEL: "openchat"
+
+# Galah is a LLM-powered web honeypot supporting various LLM backends.
+# Galah is not part of the standard edition, please follow the README regarding setup.
+# It is recommended to use the Ollama backend to keep costs at bay.
+# Remember to rate limit API usage / set budget alerts when using ChatGPT API.
+# GALAH_LLM_PROVIDER: Set to "ollama" or "gpt4-o".
+# GALAH_LLM_SERVER_URL: When using "ollama" set it to the URL of your Ollama backend.
+# GALAH_LLM_MODEL: Set to the model you are serving on your Ollama backend, i.e. "llama3".
+# GALAH_LLM_TEMPERATURE: "1"
+# GALAH_LLM_API_KEY: "sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+# GALAH_LLM_CLOUD_LOCATION: ""
+# GALAH_LLM_CLOUD_PROJECT: ""
+GALAH_LLM_PROVIDER: "ollama"
+GALAH_LLM_SERVER_URL: "http://ollama.local:11434"
+GALAH_LLM_MODEL: "llama3.1"
+
+
+###################################################################################
+# NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
+###################################################################################
+
+# docker.sock Path
+TPOT_DOCKER_SOCK=/var/run/docker.sock
+
+# docker compose .env
+TPOT_DOCKER_ENV=./.env
+
+# Docker-Compose file
+TPOT_DOCKER_COMPOSE=./docker-compose.yml
+
+# T-Pot Docker Repo
+#  Depending on where you are located you may choose between DockerHub and GHCR
+#  dtagdevsec: This will use the DockerHub image registry
+#  ghcr.io/telekom-security: This will use the GitHub container registry
+TPOT_REPO=ghcr.io/telekom-security
+
+# T-Pot Version Tag
+TPOT_VERSION=24.04.1
+
+# T-Pot Pull Policy
+#  always: (T-Pot default) Compose implementations SHOULD always pull the image from the registry.
+#  never: Compose implementations SHOULD NOT pull the image from a registry and SHOULD rely on the platform cached image.
+#  missing: Compose implementations SHOULD pull the image only if it's not available in the platform cache.
+#  build: Compose implementations SHOULD build the image. Compose implementations SHOULD rebuild the image if already present.
+TPOT_PULL_POLICY=always
+
+# T-Pot Data Path
+TPOT_DATA_PATH=./data
+
+# OSType (linux, mac, win)
+#  Most docker features are available on linux
+TPOT_OSTYPE=linux

.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md

@@ -1,37 +1,43 @@
 ---
-name: Bug report for T-Pot
-about: Bug report for T-Pot
+name: Bug report for T-Pot 24.04.x
+about: Bug report for T-Pot 24.04.x
 title: ''
 labels: ''
 assignees: ''
 
 ---
 
-Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
+# Successfully raise an issue
+Before you post your issue make sure it has not been answered yet and provide **⚠️ BASIC SUPPORT INFORMATION** (as requested below) if you come to the conclusion it is a new issue.
 
 - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
-- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
-- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
-- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
+- 🧐 Check our [Wiki](https://github.com/dtag-dev-sec/tpotce/wiki) and the [discussions](https://github.com/telekom-security/tpotce/discussions)
+- 📚 Consult the documentation of 💻 your Linux OS, 🐳 [Docker](https://docs.docker.com/), the 🦌 [Elastic stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
+- ⚙️ The [Troubleshoot Section](https://github.com/telekom-security/tpotce?tab=readme-ov-file#troubleshooting) of the [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md) is a good starting point to collect a good set of information for the issue and / or to fix things on your own.
+- **⚠️ Provide [BASIC SUPPORT INFORMATION](#-basic-support-information-commands-are-expected-to-run-as-root) or similar detailed information with regard to your issue or we will close the issue or convert it into a discussion without further interaction from the maintainers**.<br>
 
-<br>
-<br>
-<br>
+# ⚠️ Basic support information (commands are expected to run as `root`)
 
-<a name="info"></a>
-## ⚠️ Basic support information (commands are expected to run as `root`)
+**We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.** 
 
-- What version of the OS are you currently using `lsb_release -a` and `uname -a`?
-- What T-Pot version are you currently using?
-- What edition (Standard, Nextgen, etc.) of T-Pot are you running?
+- What OS are you T-Pot running on?
+- What is the version of the OS `lsb_release -a` and `uname -a`?
+- What T-Pot version are you currently using (only **T-Pot 24.04.x** is currently supported)?
 - What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
-- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
+- Review the `~/install_tpot.log`, attach the log and highlight the errors.
 - How long has your installation been running?
+  - If it is a fresh install consult the documentation first.
+  - Most likely it is a port conflict or a remote dependency was unavailable.
+  - Retry a fresh installation and only open the issue if the error keeps coming up and is not resolved using the documentation as described [here](#how-to-raise-an-issue).  
 - Did you install upgrades, packages or use the update script?
 - Did you modify any scripts or configs? If yes, please attach the changes.
-- Please provide a screenshot of `glances` and `htop`.
+- Please provide a screenshot of `htop` and `docker stats`.
 - How much free disk space is available (`df -h`)?
-- What is the current container status (`dps.sh`)?
-- What is the status of the T-Pot service (`systemctl status tpot`)?
-- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
+- What is the current container status (`dps`)?
+- On Linux: What is the status of the T-Pot service (`systemctl status tpot`)?
+- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `grc netstat -tulpen`
+  - Stop T-Pot `systemctl stop tpot`
+  - Run `grc netstat -tulpen`
+  - Run T-Pot manually with `docker compose -f ~/tpotce/docker-compose.yml up` and check for errors
+  - Stop execution with `CTRL-C` and `docker compose -f ~/tpotce/docker-compose.yml down -v`
 - If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md

@@ -1,6 +1,6 @@
 ---
-name: Feature request for T-Pot
-about: Suggest an idea for T-Pot
+name: Feature request for T-Pot 24.04.x
+about: Suggest an idea for T-Pot 24.04.x
 title: ''
 labels: ''
 assignees: ''

.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md

@@ -1,39 +1,43 @@
 ---
-name: General issue for T-Pot
-about: General issue for T-Pot
+name: General issue for T-Pot 24.04.x
+about: General issue for T-Pot 24.04.x
 title: ''
 labels: ''
 assignees: ''
 
 ---
 
-🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
-
-Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
+# Successfully raise an issue
+Before you post your issue make sure it has not been answered yet and provide **⚠️ BASIC SUPPORT INFORMATION** (as requested below) if you come to the conclusion it is a new issue.
 
 - 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
-- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
-- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
-- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
+- 🧐 Check our [Wiki](https://github.com/dtag-dev-sec/tpotce/wiki) and the [discussions](https://github.com/telekom-security/tpotce/discussions)
+- 📚 Consult the documentation of 💻 your Linux OS, 🐳 [Docker](https://docs.docker.com/), the 🦌 [Elastic stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
+- ⚙️ The [Troubleshoot Section](https://github.com/telekom-security/tpotce?tab=readme-ov-file#troubleshooting) of the [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md) is a good starting point to collect a good set of information for the issue and / or to fix things on your own.
+- **⚠️ Provide [BASIC SUPPORT INFORMATION](#-basic-support-information-commands-are-expected-to-run-as-root) or similar detailed information with regard to your issue or we will close the issue or convert it into a discussion without further interaction from the maintainers**.<br>
 
-<br>
-<br>
-<br>
+# ⚠️ Basic support information (commands are expected to run as `root`)
 
-<a name="info"></a>
-## ⚠️ Basic support information (commands are expected to run as `root`)
+**We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.** 
 
-- What version of the OS are you currently using `lsb_release -a` and `uname -a`?
-- What T-Pot version are you currently using?
-- What edition (Standard, Nextgen, etc.) of T-Pot are you running?
+- What OS are you T-Pot running on?
+- What is the version of the OS `lsb_release -a` and `uname -a`?
+- What T-Pot version are you currently using (only **T-Pot 24.04.x** is currently supported)?
 - What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
-- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
+- Review the `~/install_tpot.log`, attach the log and highlight the errors.
 - How long has your installation been running?
+  - If it is a fresh install consult the documentation first.
+  - Most likely it is a port conflict or a remote dependency was unavailable.
+  - Retry a fresh installation and only open the issue if the error keeps coming up and is not resolved using the documentation as described [here](#how-to-raise-an-issue).  
 - Did you install upgrades, packages or use the update script?
 - Did you modify any scripts or configs? If yes, please attach the changes.
-- Please provide a screenshot of `glances` and `htop`.
+- Please provide a screenshot of `htop` and `docker stats`.
 - How much free disk space is available (`df -h`)?
-- What is the current container status (`dps.sh`)?
-- What is the status of the T-Pot service (`systemctl status tpot`)?
-- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
+- What is the current container status (`dps`)?
+- On Linux: What is the status of the T-Pot service (`systemctl status tpot`)?
+- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `grc netstat -tulpen`
+  - Stop T-Pot `systemctl stop tpot`
+  - Run `grc netstat -tulpen`
+  - Run T-Pot manually with `docker compose -f ~/tpotce/docker-compose.yml up` and check for errors
+  - Stop execution with `CTRL-C` and `docker compose -f ~/tpotce/docker-compose.yml down -v`
 - If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

.github/workflows/basic-support-info.yml

@@ -0,0 +1,49 @@
+name: "Check Basic Support Info"
+
+on:
+  issues:
+    types: [opened, edited]
+
+permissions:
+  issues: write
+  contents: read
+
+jobs:
+  check-issue:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repository
+      uses: actions/checkout@v4
+
+    - name: Install jq
+      run: sudo apt-get install jq -y
+
+    - name: Check issue for basic support info
+      id: check_issue
+      run: |
+        REQUIRED_INFO=("What OS are you T-Pot running on?" "What is the version of the OS" "What T-Pot version are you currently using" "What architecture are you running on" "Review the \`~/install_tpot.log\`" "How long has your installation been running?" "Did you install upgrades, packages or use the update script?" "Did you modify any scripts or configs?" "Please provide a screenshot of \`htop\` and \`docker stats\`." "How much free disk space is available" "What is the current container status" "What is the status of the T-Pot service" "What ports are being occupied?")
+
+        ISSUE_BODY=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.body')
+        MISSING_INFO=()
+        
+        for info in "${REQUIRED_INFO[@]}"; do
+          if [[ "$ISSUE_BODY" != *"$info"* ]]; then
+            MISSING_INFO+=("$info")
+          fi
+        done
+        
+        if [ ${#MISSING_INFO[@]} -ne 0 ]; then
+          echo "missing=true" >> $GITHUB_ENV
+        else
+          echo "missing=false" >> $GITHUB_ENV
+        fi
+
+    - name: Add "no basic support info" label if necessary
+      if: env.missing == 'true'
+      run: gh issue edit "$NUMBER" --add-label "$LABELS"
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GH_REPO: ${{ github.repository }}
+        NUMBER: ${{ github.event.issue.number }}
+        LABELS: no basic support info

.github/workflows/main.yml

@@ -0,0 +1,15 @@
+name: Link Checker
+
+on:
+  schedule:
+    - cron: '0 2 * * *' # daily at 2 AM UTC
+  workflow_dispatch:
+
+jobs:
+  linkChecker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: lycheeverse/lychee-action@v1.9.1
+        with:
+          args: --verbose README.md

.github/workflows/stale.yml

@@ -0,0 +1,24 @@
+name: "Tag stale issues and pull requests"
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # Runs every day at midnight
+  workflow_dispatch: # Allows the workflow to be triggered manually
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/stale@v7
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: "This issue has been marked as stale because it has had no activity for 7 days. If you are still experiencing this issue, please comment or it will be closed in 7 days."
+        stale-pr-message: "This pull request has been marked as stale because it has had no activity for 7 days. If you are still working on this, please comment or it will be closed in 7 days."
+        days-before-stale: 7
+        days-before-close: 7
+        stale-issue-label: "stale"
+        exempt-issue-labels: "keep-open"
+        stale-pr-label: "stale"
+        exempt-pr-labels: "keep-open"
+        operations-per-run: 30
+        debug-only: false

.gitignore

@@ -0,0 +1,6 @@
+# Ignore data folder
+data/
+_data/
+**/.DS_Store
+.idea
+install_tpot.log

CHANGELOG.md

@@ -1,45 +1,46 @@
 # Release Notes / Changelog
-T-Pot 22.04.0 is probably the most feature rich release ever provided with long awaited (wanted!) features readily available after installation. 
+T-Pot 24.04.1 brings significant updates and exciting new honeypot additions, especially the LLM-based honeypots **Beelzebub** and **Galah**!
 
 ## New Features
-* **Distributed** Installation with **HIVE** and **HIVE_SENSOR**
-* **ARM64** support for all provided Docker images
-* **GeoIP Attack Map** visualizing Live Attacks on a dedicated webpage
-* **Kibana Live Attack Map** visualizing Live Attacks from different **HIVE_SENSORS**
-* **Blackhole** is a script trying to avoid mass scanner detection 
-* **Elasticvue** a web front end for browsing and interacting with an Elastic Search cluster
-* **Ddospot** a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
-* **Endlessh** is a SSH tarpit that very slowly sends an endless, random SSH banner
-* **HellPot** is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
-* **qHoneypots** 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
-* **Redishoneypot** is a honeypot mimicking some of the Redis' functions
-* **SentryPeer** a dedicated SIP honeypot
-* **Index Lifecycle Management** for Elasticseach indices is now being used
-
-## Upgrades
-* **Debian 11.x** is now being used for the T-Pot ISO images and required for post installs
-* **Elastic Stack 8.x** is now provided as Docker images
+* **Beelzebub** (SSH) and **Galah** (HTTP) are the first LLM-based honeypots included in T-Pot (requires Ollama installation or a ChatGPT subscription).
+* **Go-Pot** a HTTP tarpit designed to maximize bot misery by slowly feeding them an infinite stream of fake secrets.
+* **Honeyaml** a configurable API server honeypot even supporting JWT-based HTTP bearer/token authentication.
+* **H0neytr4p** a HTTP/S honeypot capable of emulating vulnerabilities using configurable traps.
+* **Miniprint** a medium-interaction printer honeypot.
 
 ## Updates
-* **Honeypots** and **tools** were updated to their latest masters and releases
-* Updates will be provided continuously through Docker Images updates 
+* **Honeypots** were updated to their latest pushed code and / or releases.
+* **Editions** have been re-introduced. You can now additionally choose to install T-Pot as **Mini**, **LLM** and **Tarpit** edition.
+* **Attack Map** has been updated to 2.2.6 including support for all new honeypots.
+* **Elastic Stack** has been upgrade to 8.16.1.
+* **Cyberchef** has been updated to the latest release.
+* **Elasticvue** has been updated to 1.1.0.
+* **Suricata** has been updated to 7.0.7, now supporting JA4 hashes.
+* Most honeypots now use **PyInstaller** (for Python) and **Scratch** (for Go) to minimize Docker image sizes.
+* All new honeypots have been integrated with **Kibana**, featuring dedicated dashboards and visualizations.
+* **Github Container Registry** is now the default container registry for the T-Pot configuration file `.env`.
+* Compatibility tested with **Alma 9.5**, **Fedora 41**, **Rocky 9.5**, and **Ubuntu 24.04.1**, with updated supported ISO links.
+* Docker images now use **Alpine 3.20** or **Scratch** wherever possible.
+* Updates for `24.04.1` images will be provided continuously through Docker image updates.
+* **Ddospot** has been moved from the Hive / Sensor installation to the Tarpit installation.
 
 ## Breaking Changes  
-* For security reasons all Py2.x honeypots with the need of PyPi packages have been removed: **HoneyPy**, **HoneySAP** and **RDPY**
-* If you are upgrading from a previous version of T-Pot (20.06.x) you need to import the new Kibana objects or some of the functionality will be broken or will be unavailabe
-* **Cyberchef** is now part of the Nginx Docker image, no longer as individual image
-* **ElasticSearch Head** is superseded by **Elasticvue** and part the Nginx Docker image
-* **Heimdall** is no longer supported and superseded with a new Bento based landing page
-* **Elasticsearch Curator** is no longer supprted and superseded with **Index Lifecycle Policies** available through Kibana.
+### NGINX  
+- The container no longer runs in host mode, requiring changes to the `docker-compose.yml` and related services.  
+- To avoid confusion and downtime, the `24.04.1` tag for Docker images has been introduced.  
+- **Important**: Actively update T-Pot as described in the [README](https://github.com/telekom-security/tpotce/blob/master/README.md).  
+- **Deprecation Notice**: The `24.04` tagged images will no longer be maintained and will be removed by **2025-01-31**.  
 
-# Thanks & Credits
-* @ghenry, for some fun late night debugging and of course SentryPeer!
-* @giga-a, for adding much appreciated features (i.e. JSON logging, 
-X-Forwarded-For, etc.) and of course qHoneypots! 
-* @sp3t3rs, @trixam, for their backend and ews support!
-* @tadashi-oya, for spotting some errors and propose fixes!
-* @tmariuss, @shaderecker for their cloud contributions!
-* @vorband, for much appreciated and helpful insights regarding the GeoIP Attack Map!
-* @yunginnanet, on not giving up on squashing a bug and of course Hellpot!
+### Suricata  
+- Capture filters have been updated to exclude broadcast, multicast, NetBIOS, IGMP, and MDNS traffic.  
 
-... and many others from the T-Pot community by opening valued issues and discussions, suggesting ideas and thus helping to improve T-Pot!
+## Thanks & Credits
+A heartfelt thank you to the contributors who made this release possible:
+* @elivlo, @mancasa, koalafiedTroll, @trixam, for their backend and ews support!
+* @mariocandela for his work and updates on Beelzebub based on our discussions!
+* @ryanolee for approaching us and adding valuable features to go-pot based on our discussions! 
+* @neon-ninja for the work on #1661!
+* @sarkoziadam for the work on #1643!
+* @glaslos for the work on #1538!
+
+… and to the entire T-Pot community for opening issues, sharing ideas, and helping improve T-Pot!

CITATION.cff

@@ -0,0 +1,43 @@
+# This CITATION.cff file was generated with cffinit.
+# Visit https://bit.ly/cffinit to generate yours today!
+
+cff-version: 1.2.0
+title: T-Pot 24.04.1
+message: >-
+  If you use this software, please cite it using the
+  metadata from this file.
+type: software
+authors:
+  - name: Deutsche Telekom Security GmbH
+    address: Bonner Talweg 100
+    city: Bonn
+    country: DE
+    post-code: '53113'
+    website: 'https://github.com/telekom-security'
+  - given-names: Marco
+    family-names: Ochse
+    affiliation: Deutsche Telekom Security GmbH
+identifiers:
+  - type: url
+    value: >-
+      https://github.com/telekom-security/tpotce/releases/tag/24.04.1
+    description: T-Pot Release 24.04.1
+repository-code: 'https://github.com/telekom-security/tpotce'
+abstract: >-
+  T-Pot is the all in one, optionally distributed, multiarch
+  (amd64, arm64) honeypot plattform, supporting 20+
+  honeypots and countless visualization options using the
+  Elastic Stack, animated live attack maps and lots of
+  security tools to further improve the deception
+  experience.
+keywords:
+  - honeypot
+  - deception
+  - t-pot
+  - telekom security
+  - docker
+  - elk
+license: GPL-3.0
+commit: release
+version: 24.04.1
+date-released: '2024-12-11'

SECURITY.md

@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 24.04.1 | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+We prioritize the security of T-Pot highly. Often, vulnerabilities in T-Pot components stem from upstream dependencies, including honeypots, Docker images, tools, or packages. We are committed to working together to resolve any issues effectively.
+
+Please follow these steps before reporting a potential vulnerability:
+
+1. Verify that the behavior you've observed isn't already documented as a normal aspect or unrelated issue of T-Pot. For example, Cowrie may initiate outgoing connections, or T-Pot might open all possible TCP ports — a feature enabled by Honeytrap.
+2. Clearly identify which component is vulnerable (e.g., a specific honeypot, Docker image, tool, package) and isolate the issue.
+3. Provide a detailed description of the issue, including log and, if available, debug files. Include all steps necessary to reproduce the vulnerability. If you have a proposed solution, hotfix, or patch, please be prepared to submit a pull request (PR).
+4. Check whether the vulnerability is already known upstream. If there is an existing fix or patch, include that information in your report.
+
+This approach ensures a thorough and efficient resolution process.
+
+We aim to respond as quickly as possible. If you believe the issue poses an immediate threat to the entire T-Pot community, you can expedite the process by responsibly alerting our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316).

bin/2fa.sh

@@ -1,77 +0,0 @@
-#!/bin/bash
-
-# Make sure script is started as non-root.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" = "root" ]
-  then
-    echo "Need to run as non-root ..."
-    echo ""
-    exit
-fi
-
-# set vars, check deps
-myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
-if ! [ -s "$myPAM_COCKPIT_FILE" ];
-  then
-    echo "### Cockpit PAM module config does not exist. Something went wrong."
-    echo ""
-    exit 1
-fi
-myPAM_COCKPIT_GA="
-
-# google authenticator for two-factor
-auth required pam_google_authenticator.so
-"
-myAUTHENTICATOR=$(which google-authenticator)
-if [ "$myAUTHENTICATOR" == "" ];
-  then
-    echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
-    echo ""
-    sudo apt-get update
-    sudo apt-get install -y libpam-google-authenticator
-    exec "$1" "$2"    
-    exit 1
-fi
-
-
-# write PAM changes 
-function fuWRITE_PAM_CHANGES {
-  myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
-  if ! [ "$myCHECK" == "0" ];
-    then
-      echo "### PAM config already enabled. Skipped."
-      echo ""
-    else
-      echo "### Updating PAM config for Cockpit (if asked provide root password)."
-      echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
-      sudo systemctl restart cockpit
-  fi
-}
-
-# create 2fa
-function fuGEN_TOKEN {
-  echo "### Now generating token for Google Authenticator."
-  echo ""
-  google-authenticator -t -d -r 3 -R 30 -w 17
-}
-
-
-# main
-echo "### This script will enable Two Factor Authentication for Cockpit."
-echo ""
-echo "### Please download one of the many authenticator apps from the appstore of your choice."
-echo ""
-while true;
-  do
-    read -p "### Ready to start (y/n)? " myANSWER
-    case $myANSWER in
-      [Yy]* ) echo "### OK. Starting ..."; break;;
-      [Nn]* ) echo "### Exiting."; exit;;
-    esac
-done
-
-fuWRITE_PAM_CHANGES
-fuGEN_TOKEN
-
-echo "Done. Re-run this script by every user who needs Cockpit access."
-echo ""

bin/backup_es_folders.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-# Run as root only.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ];
-  then
-    echo "Need to run as root ..."
-    exit
-fi
-
-if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
-  then
-    echo "Usage: backup_es_folders [all, base]"
-    echo "       all  = backup all ES folder"
-    echo "       base = backup only Kibana index".
-    echo
-    exit
-fi
-
-# Backup all ES relevant folders
-# Make sure ES is available
-myES="http://127.0.0.1:64298/"
-myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
-if ! [ "$myESSTATUS" = "1" ]
-  then
-    echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
-    exit
-  else
-    echo "### Elasticsearch is available, now continuing."
-    echo
-fi
-
-# Set vars
-myCOUNT=1
-myDATE=$(date +%Y%m%d%H%M)
-myELKPATH="/data/elk/data"
-myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
-myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
-
-# Let's ensure normal operation on exit or if interrupted ...
-function fuCLEANUP {
-  ### Start ELK
-  systemctl start tpot
-  echo "### Now starting T-Pot ..."
-}
-trap fuCLEANUP EXIT
-
-# Stop T-Pot to lift db lock
-echo "### Now stopping T-Pot"
-systemctl stop tpot
-sleep 2
-
-# Backup DB in 2 flavors
-echo "### Now backing up Elasticsearch folders ..."
-if [ "$1" == "all" ];
-  then
-    tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
-elif [ "$1" == "base" ];
-  then
-    tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
-fi
-

bin/dps.sh

@@ -1,73 +0,0 @@
-#!/bin/bash
-
-# Run as root only.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
-  then
-    echo "Need to run as root ..."
-    exit
-fi
-
-myPARAM="$1"
-if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
-  then
-    watch --color -n $myPARAM "dps.sh"
-    exit
-fi
-
-# Show current status of T-Pot containers
-myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
-myRED=""
-myGREEN=""
-myBLUE=""
-myWHITE=""
-myMAGENTA=""
-
-# Blackhole Status
-myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
-if [ "$myBLACKHOLE_STATUS" -gt "500" ];
-  then
-    myBLACKHOLE_STATUS="${myGREEN}ENABLED"
-  else
-    myBLACKHOLE_STATUS="${myRED}DISABLED"
-fi
-
-function fuGETTPOT_STATUS {
-# T-Pot Status
-myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
-if [ "$myTPOT_STATUS" == "active" ];
-  then
-    echo "${myGREEN}ACTIVE"
-  else
-    echo "${myRED}INACTIVE"
-fi
-}
-
-function fuGETSTATUS {
-grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
-}
-
-function fuGETSYS {
-printf "[ ========| System |======== ]\n"
-printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
-printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
-printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
-printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
-echo
-}
-
-    myDPS=$(fuGETSTATUS)
-    myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
-    fuGETSYS
-    printf "%-21s %-28s %s\n" "NAME" "STATUS" "PORTS"
-    if [ "$myDPS" != "" ];
-      then
-        echo "$myDPS"
-    fi
-    for i in $myCONTAINERS; do
-      myAVAIL=$(echo "$myDPSNAMES" | grep -o "$i" | uniq | wc -l)      	    
-      if [ "$myAVAIL" = "0" ];
-	then
-	  printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
-      fi
-    done

bin/hptest.sh

@@ -1,68 +0,0 @@
-#!/bin/bash
-
-myHOST="$1"
-myPACKAGES="nmap"
-myDOCKERCOMPOSEYML="/opt/tpot/etc/tpot.yml"
-
-function fuGOTROOT {
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
-  then
-    echo "Need to run as root ..."
-    exit
-fi
-}
-
-function fuCHECKDEPS {
-myINST=""
-for myDEPS in $myPACKAGES;
-do
-  myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
-  if [ "$myOK" != "ok" ]
-    then
-      myINST=$(echo $myINST $myDEPS)
-  fi
-done
-if [ "$myINST" != "" ]
-  then
-    apt-get update -y
-    for myDEPS in $myINST;
-    do
-      apt-get install $myDEPS -y
-    done
-fi
-}
-
-function fuCHECKFORARGS {
-if [ "$myHOST" != "" ];
-  then
-    echo "All arguments met. Continuing."
-    echo
-  else
-    echo "Usage: hptest.sh <[host or ip]>"
-    echo
-    exit
-fi
-}
-
-function fuGETPORTS {
-myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu)
-myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
-myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done)
-myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done)
-}
-
-# Main
-fuGETPORTS
-fuGOTROOT
-fuCHECKDEPS
-fuCHECKFORARGS
-echo
-echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..."
-nmap -sV -sC -v -p $myPORTS $1 &
-nmap -sU -sV -sC -v -p $myUDPPORTS $1 &
-echo
-wait
-echo "Done."
-echo
-

bin/setup_builder.sh

@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# Got root?
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
-  then
-    echo "Need to run as root ..."
-    exit
-fi
-
-# Only run with command switch
-if [ "$1" != "-y" ]; then
-  echo "### Setting up docker for Multi Arch Builds."
-  echo "### Use on x64 only!"
-  echo "### Run with -y to install!"
-  echo
-  exit
-fi
-
-# Main
-mkdir -p /root/.docker/cli-plugins/
-cd /root/.docker/cli-plugins/
-wget https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-amd64 -O docker-buildx
-chmod +x docker-buildx
-
-docker buildx ls
-
-# We need to create a new builder as the default one cannot handle multi-arch builds
-# https://docs.docker.com/desktop/multi-arch/
-docker buildx create --name mybuilder
-
-# Set as default
-docker buildx use mybuilder
-
-# We need to install emulators, arm64 should be fine for now
-# https://github.com/tonistiigi/binfmt/
-docker run --privileged --rm tonistiigi/binfmt --install arm64
-
-# Check if everything is setup correctly
-docker buildx inspect --bootstrap
-echo
-echo "### Done."
-echo
-echo "Example: docker buildx build --platform linux/amd64,linux/arm64 -t username/demo:latest --push ."
-echo "Docs: https://docs.docker.com/desktop/multi-arch/"

bin/tpdclean.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-# T-Pot Compose and Container Cleaner
-# Set colors
-myRED=""
-myGREEN=""
-myWHITE=""
-
-# Only run with command switch
-if [ "$1" != "-y" ]; then
-  echo $myRED"### WARNING"$myWHITE
-  echo ""
-  echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
-  echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
-  echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
-  echo ""
-  echo $myRED"### WARNING "$myWHITE
-  echo
-  exit
-fi
-
-# Remove old containers, images and volumes
-docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
-docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
-docker network rm $(docker network ls -q) >> /dev/null 2>&1
-docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
-docker rm -v $(docker ps -aq) >> /dev/null 2>&1
-docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
-docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
-exit 0

bin/tped.sh

@@ -1,56 +0,0 @@
-#!/bin/bash
-
-# Run as root only.
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
-  then
-    echo "Need to run as root ..."
-    exit
-fi
-
-# set backtitle, get filename
-myBACKTITLE="T-Pot Edition Selection Tool"
-myYMLS=$(cd /opt/tpot/etc/compose/ && ls -1 *.yml)
-myLINK="/opt/tpot/etc/tpot.yml"
-
-# Let's load docker images in parallel
-function fuPULLIMAGES {
-local myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml"
-for name in $(cat $myTPOTCOMPOSE | grep -v '#' | grep image | cut -d'"' -f2 | uniq)
-  do
-    docker pull $name &
-  done
-wait
-echo
-}
-
-# setup menu
-for i in $myYMLS;
-  do
-    myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " 
-done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
-if [ "$myEDITION" == "" ];
-  then
-    echo "Have a nice day!"
-    exit
-fi
-dialog --backtitle "$myBACKTITLE" --title "[ Activate now? ]" --yesno "\n$myEDITION" 7 50
-myOK=$?
-if [ "$myOK" == "0" ];
-  then
-    echo "OK - Activating and downloading latest images."
-    systemctl stop tpot
-    if [ "$(docker ps -aq)" != "" ];
-      then
-        docker stop $(docker ps -aq)
-        docker rm $(docker ps -aq)
-    fi
-    rm -f $myLINK
-    ln -s /opt/tpot/etc/compose/$myEDITION $myLINK
-    fuPULLIMAGES
-    systemctl start tpot
-    echo "Done. Use \"dps.sh\" for monitoring"
-  else 
-    echo "Have a nice day!"
-fi

bin/updateip.sh

@@ -1,89 +0,0 @@
-#!/bin/bash
-# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
-# If the external IP cannot be detected, the internal IP will be inherited.
-source /etc/environment
-myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
-myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
-myLOCALIP=$(hostname -I | awk '{ print $1 }')
-myEXTIP=$(/opt/tpot/bin/myip.sh)
-if [ "$myEXTIP" = "" ];
-  then
-    myEXTIP=$myLOCALIP
-    myEXTIP_LAT="49.865835022498125"
-    myEXTIP_LONG="8.62606472775735"
-  else
-    myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
-    myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
-    myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
-fi
-
-# Load Blackhole routes if enabled 
-myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
-myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
-if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
-  then
-    /opt/tpot/bin/blackhole.sh add
-fi
-
-myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
-if [ "$myBLACKHOLE_STATUS" -gt "500" ];
-  then
-    myBLACKHOLE_STATUS="| BLACKHOLE: [ ENABLED ]"
-  else
-    myBLACKHOLE_STATUS="| BLACKHOLE: [ DISABLED ]"
-fi
-
-mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
-
-# Export
-export myUUID
-export myLOCALIP
-export myEXTIP
-export myEXTIP_LAT
-export myEXTIP_LONG
-export myBLACKHOLE_STATUS
-export mySSHUSER
-
-# Build issue
-echo "" > /etc/issue
-toilet -f ivrit -F metal --filter border:metal "T-Pot   22.04" | sed 's/\\/\\\\/g' >> /etc/issue
-echo >> /etc/issue
-echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue
-echo "|" >> /etc/issue
-echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue
-echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue 
-if [ "$myCHECKIFSENSOR" == "0" ];
-  then
-    echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
-fi
-echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue
-echo "$myBLACKHOLE_STATUS" >> /etc/issue
-echo "|" >> /etc/issue
-echo "\`----" >> /etc/issue
-echo >> /etc/issue
-tee /data/ews/conf/ews.ip << EOF
-[MAIN]
-ip = $myEXTIP
-EOF
-tee /opt/tpot/etc/compose/elk_environment << EOF
-HONEY_UUID=$myUUID
-MY_EXTIP=$myEXTIP
-MY_EXTIP_LAT=$myEXTIP_LAT
-MY_EXTIP_LONG=$myEXTIP_LONG
-MY_INTIP=$myLOCALIP
-MY_HOSTNAME=$HOSTNAME
-EOF
-
-if [ -s "/data/elk/logstash/ls_environment" ];
-  then
-    source /data/elk/logstash/ls_environment
-    tee -a /opt/tpot/etc/compose/elk_environment << EOF
-MY_TPOT_TYPE=$MY_TPOT_TYPE
-MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
-MY_HIVE_USERNAME=$MY_HIVE_USERNAME
-MY_HIVE_IP=$MY_HIVE_IP
-EOF
-fi
-
-chown tpot:tpot /data/ews/conf/ews.ip
-chmod 770 /data/ews/conf/ews.ip

cloud/.gitignore

@@ -1,10 +0,0 @@
-# Ansible
-*.retry
-
-# Terraform
-**/.terraform
-**/terraform.*
-
-# OpenStack clouds
-**/clouds.yaml
-**/secure.yaml

cloud/ansible/README.md

@@ -1,257 +0,0 @@
-# T-Pot Ansible
-
-Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).  
-It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.  
-Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
-
-The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
-
-This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
-
-# Table of contents
-- [Preparation of Ansible Master](#ansible-master)
-  - [Ansible Installation](#ansible)
-  - [OpenStack Collection Installation](#collection)
-  - [Agent Forwarding](#agent-forwarding)
-- [Preparations in Open Telekom Cloud Console](#preparation)
-  - [Create new project](#project)
-  - [Create API user](#api-user)
-  - [Import Key Pair](#key-pair)
-- [Clone Git Repository](#clone-git)
-- [Settings and recommended values](#settings)
-  - [clouds.yaml](#clouds-yaml)
-  - [Ansible remote user](#remote-user)
-  - [Number of instances to deploy](#number)
-  - [Instance settings](#instance-settings)
-  - [User password](#user-password)
-  - [Configure `tpot.conf.dist`](#tpot-conf)
-  - [Optional: Custom `ews.cfg`](#ews-cfg)
-  - [Optional: Custom HPFEEDS](#hpfeeds)
-- [Deploying a T-Pot](#deploy)
-- [Further documentation](#documentation)
-
-<a name="ansible-master"></a>
-# Preparation of Ansible Master
-You can either run the Ansible Playbook locally on your Linux or macOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did.  
-I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too.  
-Ansible works over the SSH Port, so you don't have to add any special rules to your Security Group.
-
-<a name="ansible"></a>
-## Ansible Installation
-:warning: Ansible 2.10 or newer is required!
-
-Example for Ubuntu 18.04:  
-
-At first we update the system:  
-`sudo apt update`  
-`sudo apt dist-upgrade`
-
-Then we need to add the repository and install Ansible:  
-`sudo apt-add-repository --yes --update ppa:ansible/ansible`  
-`sudo apt install ansible`
-
-For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
-
-If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).  
-In short (if you already have Python3/pip3 installed):
-```
-pip3 install ansible
-```
-
-<a name="collection"></a>
-## OpenStack Collection Installation
-For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:  
-`ansible-galaxy collection install openstack.cloud`
-
-<a name="agent-forwarding"></a>
-## Agent Forwarding
-If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.  
-- On Linux or macOS:  
-  - Create or edit `~/.ssh/config`
-    ```
-    Host ANSIBLE_MASTER_IP
-    ForwardAgent yes
-    ```
-- On Windows using Putty:  
-![Putty Agent Forwarding](doc/putty_agent_forwarding.png)
-
-<a name="preparation"></a>
-# Preparations in Open Telekom Cloud Console
-(You can skip this if you have already set up a project and an API account with key pair)  
-(Just make sure you know the naming for everything, as you need to configure the Ansible variables.)
-
-Before we can start deploying, we have to prepare the Open Telekom Cloud tenant.  
-For that, go to the [Web Console](https://auth.otc.t-systems.com/authui/login) and log in with an admin user.
-
-<a name="project"></a>
-## Create new project
-I strongly advise you to create a separate project for the T-Pots in your tenant.  
-In my case I named it `tpot`.
-
-![Create new project](doc/otc_1_project.gif)
-
-<a name="api-user"></a>
-## Create API user
-The next step is to create a new user account, which is restricted to the project.  
-This ensures that the API access is limited to that project.
-
-![Create API user](doc/otc_2_user.gif)
-
-<a name="key-pair"></a>
-## Import Key Pair
-:warning: Now log in with the newly created API user account and select your project.
-
-![Login as API user](doc/otc_3_login.gif)
-
-Import your SSH public key.
-
-![Import SSH Public Key](doc/otc_4_import_key.gif)
-
-
-<a name="clone-git"></a>
-# Clone Git Repository
-Clone the `tpotce` repository to your Ansible Master:  
-`git clone https://github.com/telekom-security/tpotce.git`  
-All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
-
-<a name="settings"></a>
-# Settings and recommended values
-You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
-
-<a name="clouds-yaml"></a>
-## clouds.yaml
-Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).  
-Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):  
-```
-clouds:
-  open-telekom-cloud:
-    profile: otc
-    auth:
-      project_name: eu-de_your_project
-      username: your_api_user
-      password: your_password
-      user_domain_name: OTC-EU-DE-000000000010000XXXXX
-```
-You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.  
-For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation.
-
-If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file:
-```
-# Enter the name of your cloud to use from clouds.yaml
-cloud: open-telekom-cloud
-```
-
-<a name="remote-user"></a>
-## Ansible remote user
-You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`).
-
-<a name="number"></a>
-## Number of instances to deploy
-You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml):
-```
-loop: "{{ range(0, 1) }}"
-```
-One instance is set as the default, increase to your liking.
-
-<a name="instance-settings"></a>
-## Instance settings
-Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml).  
-Here you can customize your virtual machine specifications:
-  - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
-  - Change the OS image (For T-Pot we need Debian)
-  - (Optional) Change the volume size
-  - Specify your key pair (:warning: Mandatory)
-  - (Optional) Change the instance type (flavor)  
-    `s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
-    A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
-
-```
-availability_zone: eu-de-03
-image: Standard_Debian_10_latest
-volume_size: 128
-key_name: your-KeyPair
-flavor: s3.medium.8
-```
-
-<a name="user-password"></a>
-## User password
-Located at [`openstack/roles/install/vars/main.yaml`](openstack/roles/install/vars/main.yaml).  
-Here you can set the password for your Debian user (**you should definitely change that**).
-```
-user_password: LiNuXuSeRPaSs#
-```
-
-<a name="tpot-conf"></a>
-## Configure `tpot.conf.dist`
-The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist).  
-Here you can choose:
-  - between the various T-Pot editions
-  - a username for the web interface
-  - a password for the web interface (**you should definitely change that**)
-
-<a name="ews-cfg"></a>
-## Optional: Custom `ews.cfg`
-Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
-```
-#    - custom_ews
-```
-
-You can use a custom config file for `ewsposter`.  
-e.g. when you have your own credentials for delivering data to our [Sicherheitstacho](https://sicherheitstacho.eu/start/main).  
-You can find the `ews.cfg` template file here: [`openstack/roles/custom_ews/templates/ews.cfg`](openstack/roles/custom_ews/templates/ews.cfg) and adapt it for your needs.
-
-For setting custom credentials, these settings would be relevant for you (the rest of the file can stay as is):  
-```
-[MAIN]
-...
-contact = your_email_address
-...
-
-[EWS]
-...
-username = your_username
-token = your_token
-...
-```
-
-<a name="hpfeeds"></a>
-## Optional: Custom HPFEEDS
-Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
-```
-#    - custom_hpfeeds
-```
-
-You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg).  
-That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:
-```
-myENABLE=true
-myHOST=hpfeeds.sissden.eu
-myPORT=10000
-myCHANNEL=t-pot.events
-myCERT=/opt/ewsposter/sissden.pem
-myIDENT=your_user
-mySECRET=your_secret
-myFORMAT=json
-```
-
-<a name="deploy"></a>
-# Deploying a T-Pot :honey_pot::honeybee:
-Now, after configuring everything, we can finally start deploying T-Pots!  
-
-Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:  
-`ansible-playbook deploy_tpot.yaml`  
-(Yes, it is as easy as that :smile:)
-
-If you are running on a machine which asks for a sudo password, you can use:  
-`ansible-playbook --ask-become-pass deploy_tpot.yaml`
-
-The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.  
-After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.
-
-Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
-
-<a name="documentation"></a>
-# Further documentation
-- [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
-- [openstack.cloud.server – Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html)
-- [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)

cloud/ansible/openstack/ansible.cfg

@@ -1,6 +0,0 @@
-[defaults]
-host_key_checking = false
-
-[ssh_connection]
-scp_if_ssh = true
-ssh_args = -o ServerAliveInterval=60

cloud/ansible/openstack/clouds.yaml

@@ -1,9 +0,0 @@
-clouds:
-  open-telekom-cloud:
-    profile: otc
-    region_name: eu-de
-    auth:
-      project_name: eu-de_your_project
-      username: your_api_user
-      password: your_password
-      user_domain_name: OTC-EU-DE-000000000010000XXXXX

cloud/ansible/openstack/deploy_tpot.yaml

@@ -1,30 +0,0 @@
-- name: Check host prerequisites
-  hosts: localhost
-  become: yes
-  roles:
-    - check
-
-- name: Deploy instances
-  hosts: localhost
-  vars_files: my_os_cloud.yaml
-  tasks:
-    - name: Create security group and network
-      ansible.builtin.include_role:
-        name: create_net
-    - name: Create one or more instances
-      ansible.builtin.include_role:
-        name: create_vm
-      loop: "{{ range(0, 1) }}"
-      loop_control:
-        extended: yes
-
-- name: Install T-Pot
-  hosts: tpot
-  remote_user: linux
-  become: yes
-  gather_facts: no
-  roles:
-    - install
-#    - custom_ews
-#    - custom_hpfeeds
-    - reboot

cloud/ansible/openstack/my_os_cloud.yaml

@@ -1,2 +0,0 @@
-# Enter the name of your cloud to use from clouds.yaml
-cloud: open-telekom-cloud

cloud/ansible/openstack/requirements.yaml

@@ -1,2 +0,0 @@
-collections:
-- name: openstack.cloud

cloud/ansible/openstack/roles/check/tasks/main.yaml

@@ -1,19 +0,0 @@
-- name: Install dependencies
-  ansible.builtin.package:
-    name:
-      - gcc
-      - python3-dev
-      - python3-setuptools
-      - python3-pip
-    state: present
-
-- name: Install openstacksdk
-  ansible.builtin.pip:
-    name: openstacksdk
-    executable: pip3
-
-- name: Check if agent forwarding is enabled
-  ansible.builtin.fail:
-    msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
-  ignore_errors: yes
-  failed_when: lookup('env','SSH_AUTH_SOCK') == ""

cloud/ansible/openstack/roles/create_net/tasks/main.yaml

@@ -1,33 +0,0 @@
-- name: Create security group
-  openstack.cloud.security_group:
-    cloud: "{{ cloud }}"
-    name: sg-tpot-ansible
-    description: Security Group for T-Pot
-
-- name: Add rules to security group
-  openstack.cloud.security_group_rule:
-    cloud: "{{ cloud }}"
-    security_group: sg-tpot-ansible
-    remote_ip_prefix: 0.0.0.0/0
-
-- name: Create network
-  openstack.cloud.network:
-    cloud: "{{ cloud }}"
-    name: network-tpot-ansible
-
-- name: Create subnet
-  openstack.cloud.subnet:
-    cloud: "{{ cloud }}"
-    network_name: network-tpot-ansible
-    name: subnet-tpot-ansible
-    cidr: 192.168.0.0/24
-    dns_nameservers:
-      - 100.125.4.25
-      - 100.125.129.199
-
-- name: Create router
-  openstack.cloud.router:
-    cloud: "{{ cloud }}"
-    name: router-tpot-ansible
-    interfaces:
-      - subnet-tpot-ansible

cloud/ansible/openstack/roles/create_vm/tasks/main.yaml

@@ -1,24 +0,0 @@
-- name: Generate T-Pot name
-  ansible.builtin.set_fact:
-    tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=6') }}"
-
-- name: Create instance {{ ansible_loop.index }} of {{ ansible_loop.length }}
-  openstack.cloud.server:
-    cloud: "{{ cloud }}"
-    name: "{{ tpot_name }}"
-    availability_zone: "{{ availability_zone }}"
-    image: "{{ image }}"
-    boot_from_volume: yes
-    volume_size: "{{ volume_size }}"
-    key_name: "{{ key_name }}"
-    auto_ip: yes
-    flavor: "{{ flavor }}"
-    security_groups: sg-tpot-ansible
-    network: network-tpot-ansible
-  register: tpot
-
-- name: Add instance to inventory
-  ansible.builtin.add_host:
-    hostname: "{{ tpot_name }}"
-    ansible_host: "{{ tpot.server.public_v4 }}"
-    groups: tpot

cloud/ansible/openstack/roles/create_vm/vars/main.yaml

@@ -1,5 +0,0 @@
-availability_zone: eu-de-03
-image: Standard_Debian_10_latest
-volume_size: 128
-key_name: your-KeyPair
-flavor: s3.medium.8

cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml

@@ -1,13 +0,0 @@
-- name: Copy ews configuration file
-  ansible.builtin.template:
-    src: ews.cfg
-    dest: /data/ews/conf
-    owner: root
-    group: root
-    mode: 0644
-
-- name: Patching tpot.yml with custom ews configuration file
-  ansible.builtin.lineinfile:
-    path: /opt/tpot/etc/tpot.yml
-    insertafter: "/opt/ewsposter/ews.ip"
-    line: "     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg"

cloud/ansible/openstack/roles/custom_ews/templates/ews.cfg

@@ -1,137 +0,0 @@
-[MAIN]
-homedir = /opt/ewsposter/
-spooldir = /opt/ewsposter/spool/
-logdir = /opt/ewsposter/log/
-del_malware_after_send = false
-send_malware = true
-sendlimit = 500
-contact = your_email_address
-proxy =
-ip =
-
-[EWS]
-ews = true
-username = your_username
-token = your_token
-rhost_first = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
-rhost_second = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
-ignorecert = false
-
-[HPFEED]
-hpfeed = %(EWS_HPFEEDS_ENABLE)s
-host = %(EWS_HPFEEDS_HOST)s
-port = %(EWS_HPFEEDS_PORT)s
-channels = %(EWS_HPFEEDS_CHANNELS)s
-ident = %(EWS_HPFEEDS_IDENT)s
-secret= %(EWS_HPFEEDS_SECRET)s
-# path/to/certificate for tls broker - or "false" for non-tls broker
-tlscert = %(EWS_HPFEEDS_TLSCERT)s
-# hpfeeds submission format: "ews" (xml) or "json"
-hpfformat = %(EWS_HPFEEDS_FORMAT)s
-
-[EWSJSON]
-json = false
-jsondir = /data/ews/json/
-
-[GLASTOPFV3]
-glastopfv3 = true
-nodeid = glastopfv3-{{ ansible_hostname }}
-sqlitedb = /data/glastopf/db/glastopf.db
-malwaredir = /data/glastopf/data/files/
-
-[GLASTOPFV2]
-glastopfv2 = false
-nodeid =
-mysqlhost =
-mysqldb =
-mysqluser =
-mysqlpw =
-malwaredir =
-
-[KIPPO]
-kippo = false
-nodeid =
-mysqlhost =
-mysqldb =
-mysqluser =
-mysqlpw =
-malwaredir =
-
-[COWRIE]
-cowrie = true
-nodeid = cowrie-{{ ansible_hostname }}
-logfile = /data/cowrie/log/cowrie.json
-
-[DIONAEA]
-dionaea = true
-nodeid = dionaea-{{ ansible_hostname }}
-malwaredir = /data/dionaea/binaries/
-sqlitedb = /data/dionaea/log/dionaea.sqlite
-
-[HONEYTRAP]
-honeytrap = true
-nodeid = honeytrap-{{ ansible_hostname }}
-newversion = true
-payloaddir = /data/honeytrap/attacks/
-attackerfile = /data/honeytrap/log/attacker.log
-
-[RDPDETECT]
-rdpdetect = false
-nodeid =
-iptableslog =
-targetip =
-
-[EMOBILITY]
-eMobility = false
-nodeid = emobility-{{ ansible_hostname }}
-logfile = /data/emobility/log/centralsystemEWS.log
-
-[CONPOT]
-conpot = true
-nodeid = conpot-{{ ansible_hostname }}
-logfile = /data/conpot/log/conpot*.json
-
-[ELASTICPOT]
-elasticpot = true
-nodeid = elasticpot-{{ ansible_hostname }}
-logfile = /data/elasticpot/log/elasticpot.log
-
-[SURICATA]
-suricata = true
-nodeid = suricata-{{ ansible_hostname }}
-logfile = /data/suricata/log/eve.json
-
-[MAILONEY]
-mailoney = true
-nodeid = mailoney-{{ ansible_hostname }}
-logfile = /data/mailoney/log/commands.log
-
-[RDPY]
-rdpy = true
-nodeid = rdpy-{{ ansible_hostname }}
-logfile = /data/rdpy/log/rdpy.log
-
-[VNCLOWPOT]
-vnclowpot = true
-nodeid = vnclowpot-{{ ansible_hostname }}
-logfile = /data/vnclowpot/log/vnclowpot.log
-
-[HERALDING]
-heralding = true
-nodeid = heralding-{{ ansible_hostname }}
-logfile = /data/heralding/log/auth.csv
-
-[CISCOASA]
-ciscoasa = true
-nodeid = ciscoasa-{{ ansible_hostname }}
-logfile = /data/ciscoasa/log/ciscoasa.log
-
-[TANNER]
-tanner = true
-nodeid = tanner-{{ ansible_hostname }}
-logfile = /data/tanner/log/tanner_report.json
-
-[GLUTTON]
-glutton = true
-nodeid = glutton-{{ ansible_hostname }}
-logfile = /data/glutton/log/glutton.log

cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg

@@ -1,8 +0,0 @@
-myENABLE=false
-myHOST=host
-myPORT=port
-myCHANNEL=channels
-myCERT=false
-myIDENT=user
-mySECRET=secret
-myFORMAT=json

cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml

@@ -1,12 +0,0 @@
-- name: Copy hpfeeds configuration file
-  ansible.builtin.copy:
-    src: hpfeeds.cfg
-    dest: /data/ews/conf
-    owner: tpot
-    group: tpot
-    mode: 0770
-  register: config
-
-- name: Applying hpfeeds settings
-  ansible.builtin.command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
-  when: config.changed == true

cloud/ansible/openstack/roles/install/tasks/main.yaml

@@ -1,48 +0,0 @@
-- name: Waiting for SSH connection
-  ansible.builtin.wait_for_connection:
-
-- name: Gathering facts
-  ansible.builtin.setup:
-
-- name: Cloning T-Pot install directory
-  ansible.builtin.git:
-    repo: "https://github.com/telekom-security/tpotce.git"
-    dest: /root/tpot
-
-- name: Prepare to set user password
-  ansible.builtin.set_fact:
-    user_name: "{{ ansible_user }}"
-    user_salt: "s0mew1ck3dTpoT"
-  no_log: true
-
-- name: Changing password for user {{ user_name }}
-  ansible.builtin.user:
-   name: "{{ ansible_user }}"
-   password: "{{ user_password | password_hash('sha512', user_salt) }}"
-   state: present
-   shell: /bin/bash
-
-- name: Copy T-Pot configuration file
-  ansible.builtin.copy:
-    src: ../../../../../../iso/installer/tpot.conf.dist
-    dest: /root/tpot.conf
-    owner: root
-    group: root
-    mode: 0644
-
-- name: Install T-Pot on instance -  be patient, this might take 15 to 30 minutes depending on the connection speed.
-  ansible.builtin.command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
-
-- name: Delete T-Pot configuration file
-  ansible.builtin.file:
-    path: /root/tpot.conf
-    state: absent
-
-- name: Change unattended-upgrades to take default action
-  ansible.builtin.blockinfile:
-    dest: /etc/apt/apt.conf.d/50unattended-upgrades
-    block: |
-      Dpkg::Options {
-        "--force-confdef";
-        "--force-confold";
-      }

cloud/ansible/openstack/roles/install/vars/main.yaml

@@ -1 +0,0 @@
-user_password: LiNuXuSeRPaSs#

cloud/ansible/openstack/roles/reboot/tasks/main.yaml

@@ -1,16 +0,0 @@
-- name: Finally rebooting T-Pot
-  ansible.builtin.command: shutdown -r now
-  async: 1
-  poll: 0
-
-- name: Next login options
-  ansible.builtin.debug:
-    msg:
-    - "*****    SSH Access:"
-    - "*****    ssh {{ ansible_user }}@{{ ansible_host }} -p 64295"
-    - ""
-    - "*****    Web UI:"
-    - "*****    https://{{ ansible_host }}:64297"
-    - ""
-    - "*****    Admin UI:"
-    - "*****    https://{{ ansible_host }}:64294"

cloud/terraform/README.md

@@ -1,129 +0,0 @@
-# T-Pot Terraform
-This [Terraform](https://www.terraform.io/) configuration can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.  
-Configuration for Amazon Web Services (AWS) and Open Telekom Cloud (OTC) is currently included.
-This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
-
-[Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup.
-
-# Table of Contents
-- [What get's created](#what-created)
-  - [Amazon Web Services (AWS)](#what-created-aws)
-  - [Open Telekom Cloud (OTC)](#what-created-otc)
-- [Prerequisites](#pre)
-  - [Amazon Web Services (AWS)](#pre-aws)
-  - [Open Telekom Cloud (OTC)](#pre-otc)
-- [Terraform Variables](#variables)
-  - [Common configuration items](#variables-common)
-  - [Amazon Web Services (AWS)](#variables-aws)
-  - [Open Telekom Cloud (OTC)](#variables-otc)
-- [Initialising](#initialising)
-- [Applying the Configuration](#applying)
-- [Connecting to the Instance](#connecting)
-
-<a name="what-created"></a>
-## What get's created
-
-<a name="what-created-aws"></a>
-### Amazon Web Services (AWS)
-* EC2 instance:
-  * t3.large (2 vCPUs, 8 GB RAM)
-  * 128 GB disk
-  * Debian 10
-  * Public IP
-* Security Group:
-  * TCP/UDP ports <= 64000 open to the Internet
-  * TCP ports 64294, 64295 and 64297 open to a chosen administrative IP
-
-<a name="what-created-otc"></a>
-### Open Telekom Cloud (OTC)
-* ECS instance:
-  * s3.medium.8 (1 vCPU, 8 GB RAM)
-  * 128 GB disk
-  * Debian 10
-  * Public EIP
-* Security Group
-  * All TCP/UDP ports are open to the Internet
-* Virtual Private Cloud (VPC) and Subnet
-
-<a name="pre"></a>
-## Prerequisites
-* [Terraform](https://www.terraform.io/) 0.13
-
-<a name="pre-aws"></a>
-### Amazon Web Services (AWS)
-* AWS Account
-  * Existing VPC: VPC ID needs to be specified in `aws/variables.tf`
-  * Existing subnet: Subnet ID needs to be specified in `aws/variables.tf`
-  * Existing SSH key pair: Key name needs to be specified in `aws/variables.tf`
-* AWS Authentication credentials should be [set using environment variables](https://www.terraform.io/docs/providers/aws/index.html#environment-variables)
-
-<a name="pre-otc"></a>
-### Open Telekom Cloud (OTC)
-* OTC Account
-  * Existing SSH key pair: Key name needs to be specified in `otc/variables.tf`
-* OTC Authentication credentials (Username, Password, Project Name, User Domain Name) can be set in the `otc/clouds.yaml` file
-
-<a name="variables"></a>
-## Terraform Variables
-
-<a name="variables-common"></a>
-### Common configuration items
-These variables exist in `aws/variables.tf` and `otc/variables.tf` respectively.  
-Settings for cloud-init:  
-* `timezone` - Set the Server's timezone
-* `linux_password`- Set a password for the Linux Operating System user (which is also used on the Admin UI)
-
-Settings for T-Pot:  
-* `tpot_flavor` - Set the flavor of the T-Pot (Available flavors are listed in the variable's description)
-* `web_user` - Set a username for the T-Pot Kibana Dasboard
-* `web_password` - Set a password for the T-Pot Kibana Dashboard
-
-<a name="variables-aws"></a>
-### Amazon Web Services (AWS)
-In `aws/variables.tf`, you can change the additional variables:
-* `admin_ip` - source IP address(es) that you will use to administer the system. Connections to TCP ports 64294, 64295 and 64297 will be allowed from this IP only. Multiple IPs or CIDR blocks can be specified in the format: `["127.0.0.1/32", "192.168.0.0/24"]`
-* `ec2_vpc_id` - Specify an existing VPC ID
-* `ec2_subnet_id` - Specify an existing Subnet ID
-* `ec2_region`
-* `ec2_ssh_key_name` - Specify an existing SSH key pair
-* `ec2_instance_type`
-
-<a name="variables-otc"></a>
-### Open Telekom Cloud (OTC)
-In `otc/variables.tf`, you can change the additional variables:
-* `ecs_flavor`
-* `ecs_disk_size`
-* `availability_zone`
-* `key_pair` - Specify an existing SSH key pair
-* `eip_size`
-
-... and some more, but these are the most relevant.
-
-<a name="initialising"></a>
-## Initialising
-The [`terraform init`](https://www.terraform.io/docs/commands/init.html) command is used to initialize a working directory containing Terraform configuration files.
-
-```
-$ cd aws
-$ terraform init
-```
-OR
-```
-$ cd otc
-$ terraform init
-```
-
-<a name="applying"></a>
-## Applying the Configuration
-The [`terraform apply`](https://www.terraform.io/docs/commands/apply.html) command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a [`terraform plan`](https://www.terraform.io/docs/commands/plan.html) execution plan.
-
-```
-$ terraform apply
-```
-This will create your infrastructure and start a Cloud Server. On startup, the Server gets bootstrapped with cloud-init and will install T-Pot. Once this is done, the server will reboot.
-
-If you want the remove the built infrastructure, you can run [`terraform destroy`](https://www.terraform.io/docs/commands/destroy.html) to delete it.
-
-<a name="connecting"></a>
-## Connecting to the Instance
-When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).

cloud/terraform/aws/.terraform.lock.hcl

@@ -1,20 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
-  version     = "3.26.0"
-  constraints = "3.26.0"
-  hashes = [
-    "h1:0i78FItlPeiomd+4ThZrtm56P5K33k7/6dnEe4ZePI0=",
-    "zh:26043eed36d070ca032cf04bc980c654a25821a8abc0c85e1e570e3935bbfcbb",
-    "zh:2fe68f3f78d23830a04d7fac3eda550eef1f627dfc130486f70a65dc5c254300",
-    "zh:3d66484c608c64678e639db25d63872783ce60363a1246e30317f21c9c23b84b",
-    "zh:46ffd755cfd4cf94fe66342797b5afdcef010a24e126c67fee141b357d393535",
-    "zh:5e96f24357e945c9067cf5e032ad1d003609629c956c2f9f642fefe714e74587",
-    "zh:60c27aca36bb63bf3e865c2193be80ca83b376581d00f9c220af4b013e163c4d",
-    "zh:896f0f22d19d41e71b22f9240b261714c3915b165ddefeb771e7734d69dc47ea",
-    "zh:90de9966cb2fd3e2f326df291595e55d2dd2d90e7d6dd085c2c8691dce82bdb4",
-    "zh:ad05a91a88ceb1d6de5a568f7cc0b0e5bc0a79f3da70bc28c1e7f3750e362d58",
-    "zh:e8c63f59c6465329e1f3357498face3dd7ef10a033df3c366a33aa9e94b46c01",
-  ]
-}

cloud/terraform/aws/main.tf

@@ -1,66 +0,0 @@
-provider "aws" {
-  region = var.ec2_region
-}
-
-resource "aws_security_group" "tpot" {
-  name        = "T-Pot"
-  description = "T-Pot Honeypot"
-  vpc_id      = var.ec2_vpc_id
-  ingress {
-    from_port   = 0
-    to_port     = 64000
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  ingress {
-    from_port   = 0
-    to_port     = 64000
-    protocol    = "udp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  ingress {
-    from_port   = 64294
-    to_port     = 64294
-    protocol    = "tcp"
-    cidr_blocks = var.admin_ip
-  }
-  ingress {
-    from_port   = 64295
-    to_port     = 64295
-    protocol    = "tcp"
-    cidr_blocks = var.admin_ip
-  }
-  ingress {
-    from_port   = 64297
-    to_port     = 64297
-    protocol    = "tcp"
-    cidr_blocks = var.admin_ip
-  }
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  tags = {
-    Name = "T-Pot"
-  }
-}
-
-resource "aws_instance" "tpot" {
-  ami           = var.ec2_ami[var.ec2_region]
-  instance_type = var.ec2_instance_type
-  key_name      = var.ec2_ssh_key_name
-  subnet_id     = var.ec2_subnet_id
-  tags = {
-    Name = "T-Pot Honeypot"
-  }
-  root_block_device {
-    volume_type           = "gp2"
-    volume_size           = 128
-    delete_on_termination = true
-  }
-  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
-  vpc_security_group_ids      = [aws_security_group.tpot.id]
-  associate_public_ip_address = true
-}

cloud/terraform/aws/outputs.tf

@@ -1,12 +0,0 @@
-output "Admin_UI" {
-  value = "https://${aws_instance.tpot.public_dns}:64294/"
-}
-
-output "SSH_Access" {
-  value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
-}
-
-output "Web_UI" {
-  value = "https://${aws_instance.tpot.public_dns}:64297/"
-}
-

cloud/terraform/aws/variables.tf

@@ -1,93 +0,0 @@
-variable "admin_ip" {
-  default     = ["127.0.0.1/32"]
-  description = "admin IP addresses in CIDR format"
-}
-
-variable "ec2_vpc_id" {
-  description = "ID of AWS VPC"
-  default     = "vpc-XXX"
-}
-
-variable "ec2_subnet_id" {
-  description = "ID of AWS VPC subnet"
-  default     = "subnet-YYY"
-}
-
-variable "ec2_region" {
-  description = "AWS region to launch servers"
-  default     = "eu-west-1"
-}
-
-variable "ec2_ssh_key_name" {
-  default = "default"
-}
-
-# https://aws.amazon.com/ec2/instance-types/
-# t3.large = 2 vCPU, 8 GiB RAM
-variable "ec2_instance_type" {
-  default = "t3.large"
-}
-
-# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
-variable "ec2_ami" {
-  type = map(string)
-  default = {
-    "af-south-1"     = "ami-0c372f041acae6d49"
-    "ap-east-1"      = "ami-079b8d011d4655385"
-    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
-    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
-    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
-    "ap-south-1"     = "ami-020d429f17c9f1d0a"
-    "ap-southeast-1" = "ami-09625a221230d9fe6"
-    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
-    "ca-central-1"   = "ami-09125623b02302014"
-    "eu-central-1"   = "ami-00c36c60f07e21791"
-    "eu-north-1"     = "ami-052bea934e2d9dbfe"
-    "eu-south-1"     = "ami-04e2bb16d37324719"
-    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
-    "eu-west-2"      = "ami-02ed1bc837487d535"
-    "eu-west-3"      = "ami-080efd2add7e29430"
-    "me-south-1"     = "ami-0dbde382c834c4a72"
-    "sa-east-1"      = "ami-0a0792814cb068077"
-    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
-    "us-east-2"      = "ami-04dd0542609808c50"
-    "us-west-1"      = "ami-07af5f877b3db9f73"
-    "us-west-2"      = "ami-0d0d8694ba492c02b"
-  }
-}
-
-## cloud-init configuration ##
-variable "timezone" {
-  default = "UTC"
-}
-
-variable "linux_password" {
-  #default = "LiNuXuSeRPaSs#"
-  description = "Set a password for the default user"
-
-  validation {
-    condition     = length(var.linux_password) > 0
-    error_message = "Please specify a password for the default user."
-  }
-}
-
-## These will go in the generated tpot.conf file ##
-variable "tpot_flavor" {
-  default     = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
-}
-
-variable "web_user" {
-  default     = "webuser"
-  description = "Set a username for the web user"
-}
-
-variable "web_password" {
-  #default = "w3b$ecret"
-  description = "Set a password for the web user"
-
-  validation {
-    condition     = length(var.web_password) > 0
-    error_message = "Please specify a password for the web user."
-  }
-}

cloud/terraform/aws/versions.tf

@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">= 0.13"
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "3.26.0"
-    }
-  }
-}

cloud/terraform/aws_multi_region/_provider.tf

@@ -1,9 +0,0 @@
-provider "aws" {
-  alias  = "eu-west-2"
-  region = "eu-west-2"
-}
-
-provider "aws" {
-  alias  = "us-west-1"
-  region = "us-west-1"
-}

cloud/terraform/aws_multi_region/main.tf

@@ -1,27 +0,0 @@
-module "eu-west-2" {
-  source = "./modules/multi-region"
-  ec2_vpc_id = "vpc-xxxxxxxx"
-  ec2_subnet_id = "subnet-xxxxxxxx"
-  ec2_region = "eu-west-2"
-  tpot_name = "T-Pot Honeypot"
-  
-  linux_password = var.linux_password
-  web_password = var.web_password
-  providers = {
-    aws = aws.eu-west-2
-  }
-}
-
-module "us-west-1" {
-  source = "./modules/multi-region"
-  ec2_vpc_id = "vpc-xxxxxxxx"
-  ec2_subnet_id = "subnet-xxxxxxxx"
-  ec2_region = "us-west-1"
-  tpot_name = "T-Pot Honeypot"
-
-  linux_password = var.linux_password
-  web_password = var.web_password
-  providers = {
-    aws = aws.us-west-1
-  }
-}

cloud/terraform/aws_multi_region/modules/multi-region/main.tf

@@ -1,69 +0,0 @@
-variable "ec2_vpc_id" {}
-variable "ec2_subnet_id" {}
-variable "ec2_region" {}
-variable "linux_password" {}
-variable "web_password" {}
-variable "tpot_name" {}
-
-resource "aws_security_group" "tpot" {
-  name        = "T-Pot"
-  description = "T-Pot Honeypot"
-  vpc_id      = var.ec2_vpc_id
-  ingress {
-    from_port   = 0
-    to_port     = 64000
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  ingress {
-    from_port   = 0
-    to_port     = 64000
-    protocol    = "udp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  ingress {
-    from_port   = 64294
-    to_port     = 64294
-    protocol    = "tcp"
-    cidr_blocks = var.admin_ip
-  }
-  ingress {
-    from_port   = 64295
-    to_port     = 64295
-    protocol    = "tcp"
-    cidr_blocks = var.admin_ip
-  }
-  ingress {
-    from_port   = 64297
-    to_port     = 64297
-    protocol    = "tcp"
-    cidr_blocks = var.admin_ip
-  }
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-  tags = {
-    Name = "T-Pot"
-  }
-}
-
-resource "aws_instance" "tpot" {
-  ami           = var.ec2_ami[var.ec2_region]
-  instance_type = var.ec2_instance_type
-  key_name      = var.ec2_ssh_key_name
-  subnet_id     = var.ec2_subnet_id
-  tags = {
-    Name = var.tpot_name
-  }
-  root_block_device {
-    volume_type           = "gp2"
-    volume_size           = 128
-    delete_on_termination = true
-  }
-  user_data                   = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
-  vpc_security_group_ids      = [aws_security_group.tpot.id]
-  associate_public_ip_address = true
-}

cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf

@@ -1,12 +0,0 @@
-output "Admin_UI" {
-  value = "https://${aws_instance.tpot.public_dns}:64294/"
-}
-
-output "SSH_Access" {
-  value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
-}
-
-output "Web_UI" {
-  value = "https://${aws_instance.tpot.public_dns}:64297/"
-}
-

cloud/terraform/aws_multi_region/modules/multi-region/variables.tf

@@ -1,57 +0,0 @@
-variable "admin_ip" {
-  default     = ["127.0.0.1/32"]
-  description = "admin IP addresses in CIDR format"
-}
-
-variable "ec2_ssh_key_name" {
-  default = "default"
-}
-
-# https://aws.amazon.com/ec2/instance-types/
-variable "ec2_instance_type" {
-  default = "t3.xlarge"
-}
-
-# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
-variable "ec2_ami" {
-  type = map(string)
-  default = {
-    "af-south-1"     = "ami-0c372f041acae6d49"
-    "ap-east-1"      = "ami-079b8d011d4655385"
-    "ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
-    "ap-northeast-2" = "ami-0269fe7d013b8e2dd"
-    "ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
-    "ap-south-1"     = "ami-020d429f17c9f1d0a"
-    "ap-southeast-1" = "ami-09625a221230d9fe6"
-    "ap-southeast-2" = "ami-03cbc6cddb06af2c2"
-    "ca-central-1"   = "ami-09125623b02302014"
-    "eu-central-1"   = "ami-00c36c60f07e21791"
-    "eu-north-1"     = "ami-052bea934e2d9dbfe"
-    "eu-south-1"     = "ami-04e2bb16d37324719"
-    "eu-west-1"      = "ami-0f87948fe2cf1b2a4"
-    "eu-west-2"      = "ami-02ed1bc837487d535"
-    "eu-west-3"      = "ami-080efd2add7e29430"
-    "me-south-1"     = "ami-0dbde382c834c4a72"
-    "sa-east-1"      = "ami-0a0792814cb068077"
-    "us-east-1"      = "ami-05dd1b6e7ef6f8378"
-    "us-east-2"      = "ami-04dd0542609808c50"
-    "us-west-1"      = "ami-07af5f877b3db9f73"
-    "us-west-2"      = "ami-0d0d8694ba492c02b"
-  }
-}
-
-## cloud-init configuration ##
-variable "timezone" {
-  default = "UTC"
-}
-
-## These will go in the generated tpot.conf file ##
-variable "tpot_flavor" {
-  default     = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
-}
-
-variable "web_user" {
-  default     = "webuser"
-  description = "Set a username for the web user"
-}

cloud/terraform/aws_multi_region/modules/multi-region/versions.tf

@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">= 0.13"
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "3.72.0"
-    }
-  }
-}

cloud/terraform/aws_multi_region/outputs.tf

@@ -1,7 +0,0 @@
-output "eu-west-2_Web_UI" {
-  value = module.eu-west-2.Web_UI
-}
-
-output "us-west-1_Web_UI" {
-  value = module.us-west-1.Web_UI
-}

cloud/terraform/aws_multi_region/variables.tf

@@ -1,19 +0,0 @@
-variable "linux_password" {
-  #default = "LiNuXuSeRP4Ss!"
-  description = "Set a password for the default user"
-
-  validation {
-    condition     = length(var.linux_password) > 0
-    error_message = "Please specify a password for the default user."
-  }
-}
-
-variable "web_password" {
-  #default = "w3b$ecret20"
-  description = "Set a password for the web user"
-
-  validation {
-    condition     = length(var.web_password) > 0
-    error_message = "Please specify a password for the web user."
-  }
-}

cloud/terraform/cloud-init.yaml

@@ -1,26 +0,0 @@
-#cloud-config
-timezone: ${timezone}
-
-packages:
-  - git
-
-runcmd:
-  - curl -sS --retry 5 https://github.com
-  - git clone https://github.com/telekom-security/tpotce /root/tpot
-  - /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
-  - rm /root/tpot.conf
-  - /sbin/shutdown -r now
-
-password: ${password}
-chpasswd:
-  expire: false
-
-write_files:
-  - content: |
-      # tpot configuration file
-      myCONF_TPOT_FLAVOR='${tpot_flavor}'
-      myCONF_WEB_USER='${web_user}'
-      myCONF_WEB_PW='${web_password}'
-    owner: root:root
-    path: /root/tpot.conf
-    permissions: '0600'

cloud/terraform/otc/.terraform.lock.hcl

@@ -1,38 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/random" {
-  version     = "3.1.0"
-  constraints = "~> 3.1.0"
-  hashes = [
-    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
-    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
-    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
-    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
-    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
-    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
-    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
-    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
-    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
-    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
-    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
-    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
-  ]
-}
-
-provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
-  version     = "1.23.6"
-  constraints = "~> 1.23.4"
-  hashes = [
-    "h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
-    "zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
-    "zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
-    "zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
-    "zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
-    "zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
-    "zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
-    "zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
-    "zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
-    "zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
-  ]
-}

cloud/terraform/otc/clouds.yaml

@@ -1,9 +0,0 @@
-clouds:
-  open-telekom-cloud:
-    region_name: eu-de
-    auth:
-      project_name: eu-de_your_project
-      username: your_api_user
-      password: your_password
-      user_domain_name: OTC-EU-DE-000000000010000XXXXX
-      auth_url: https://iam.eu-de.otc.t-systems.com/v3

cloud/terraform/otc/main.tf

@@ -1,68 +0,0 @@
-data "opentelekomcloud_images_image_v2" "debian" {
-  name = "Standard_Debian_10_latest"
-}
-
-resource "opentelekomcloud_networking_secgroup_v2" "secgroup_1" {
-  name        = var.secgroup_name
-  description = var.secgroup_desc
-}
-
-resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  remote_ip_prefix  = "0.0.0.0/0"
-  security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
-}
-
-resource "opentelekomcloud_vpc_v1" "vpc_1" {
-  name = var.vpc_name
-  cidr = var.vpc_cidr
-}
-
-resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
-  name   = var.subnet_name
-  cidr   = var.subnet_cidr
-  vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
-
-  gateway_ip = var.subnet_gateway_ip
-  dns_list   = ["100.125.4.25", "100.125.129.199"]
-}
-
-resource "random_id" "tpot" {
-  byte_length = 6
-  prefix      = var.ecs_prefix
-}
-
-resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
-  name     = random_id.tpot.b64_url
-  image_id = data.opentelekomcloud_images_image_v2.debian.id
-  flavor   = var.ecs_flavor
-  vpc_id   = opentelekomcloud_vpc_v1.vpc_1.id
-
-  nics {
-    network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
-  }
-
-  system_disk_size  = var.ecs_disk_size
-  system_disk_type  = "SAS"
-  security_groups   = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
-  availability_zone = var.availability_zone
-  key_name          = var.key_pair
-  user_data         = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
-}
-
-resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
-  publicip {
-    type = "5_bgp"
-  }
-  bandwidth {
-    name       = "bandwidth-${random_id.tpot.b64_url}"
-    size       = var.eip_size
-    share_type = "PER"
-  }
-}
-
-resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
-  floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
-  instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
-}

cloud/terraform/otc/outputs.tf

@@ -1,11 +0,0 @@
-output "Admin_UI" {
-  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
-}
-
-output "SSH_Access" {
-  value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
-}
-
-output "Web_UI" {
-  value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
-}

cloud/terraform/otc/provider.tf

@@ -1,3 +0,0 @@
-provider "opentelekomcloud" {
-  cloud = "open-telekom-cloud"
-}

cloud/terraform/otc/variables.tf

@@ -1,98 +0,0 @@
-## cloud-init configuration ##
-variable "timezone" {
-  default = "UTC"
-}
-
-variable "linux_password" {
-  #default = "LiNuXuSeRPaSs#"
-  description = "Set a password for the default user"
-
-  validation {
-    condition     = length(var.linux_password) > 0
-    error_message = "Please specify a password for the default user."
-  }
-}
-
-## Security Group ##
-variable "secgroup_name" {
-  default = "sg-tpot"
-}
-
-variable "secgroup_desc" {
-  default = "Security Group for T-Pot"
-}
-
-## Virtual Private Cloud ##
-variable "vpc_name" {
-  default = "vpc-tpot"
-}
-
-variable "vpc_cidr" {
-  default = "192.168.0.0/16"
-}
-
-## Subnet ##
-variable "subnet_name" {
-  default = "subnet-tpot"
-}
-
-variable "subnet_cidr" {
-  default = "192.168.0.0/24"
-}
-
-variable "subnet_gateway_ip" {
-  default = "192.168.0.1"
-}
-
-## Elastic Cloud Server ##
-variable "ecs_prefix" {
-  default = "tpot-"
-}
-
-variable "ecs_flavor" {
-  default = "s3.medium.8"
-}
-
-variable "ecs_disk_size" {
-  default = "128"
-}
-
-variable "availability_zone" {
-  default = "eu-de-03"
-}
-
-variable "key_pair" {
-  #default = ""
-  description = "Specify your SSH key pair"
-
-  validation {
-    condition     = length(var.key_pair) > 0
-    error_message = "Please specify a Key Pair."
-  }
-}
-
-## Elastic IP ##
-variable "eip_size" {
-  default = "100"
-}
-
-## These will go in the generated tpot.conf file ##
-variable "tpot_flavor" {
-  default     = "STANDARD"
-  description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
-}
-
-variable "web_user" {
-  default     = "webuser"
-  description = "Set a username for the web user"
-}
-
-variable "web_password" {
-  #default = "w3b$ecret"
-  description = "Set a password for the web user"
-
-  validation {
-    condition     = length(var.web_password) > 0
-    error_message = "Please specify a password for the web user."
-  }
-}

cloud/terraform/otc/versions.tf

@@ -1,13 +0,0 @@
-terraform {
-  required_version = ">= 0.13"
-  required_providers {
-    opentelekomcloud = {
-      source  = "opentelekomcloud/opentelekomcloud"
-      version = "~> 1.23.4"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3.1.0"
-    }
-  }
-}

compose/customizer.py

@@ -0,0 +1,181 @@
+from datetime import datetime
+import yaml
+
+version = \
+"""
+ ____  [T-Pot]         _            ____        _ _     _
+/ ___|  ___ _ ____   _(_) ___ ___  | __ ) _   _(_) | __| | ___ _ __
+\___ \ / _ \ '__\ \ / / |/ __/ _ \ |  _ \| | | | | |/ _` |/ _ \ '__|
+ ___) |  __/ |   \ V /| | (_|  __/ | |_) | |_| | | | (_| |  __/ |
+|____/ \___|_|    \_/ |_|\___\___| |____/ \__,_|_|_|\__,_|\___|_| v0.21
+    
+# This script is intended for users who want to build a customized docker-compose.yml for T-Pot.
+# T-Pot Service Builder will ask for all the docker services to be included in docker-compose.yml.
+# The configuration file will be checked for conflicting ports.
+# Port conflicts have to be resolved manually or re-running the script and excluding the conflicting services.
+# Review the resulting docker-compose-custom.yml and adjust to your needs by (un)commenting the corresponding lines in the config.
+"""
+
+header = \
+"""# T-Pot: CUSTOM EDITION
+# Generated on: {current_date}
+"""
+
+config_filename = "tpot_services.yml"
+service_filename = "docker-compose-custom.yml"
+
+
+def load_config(filename):
+    try:
+        with open(filename, 'r') as file:
+            config = yaml.safe_load(file)
+    except:
+        print_color(f"Error: {filename} not found. Exiting.", "red")
+        exit()
+    return config
+
+
+def prompt_service_include(service_name):
+    while True:
+        try:
+            response = input(f"Include {service_name}? (y/n): ").strip().lower()
+            if response in ['y', 'n']:
+                return response == 'y'
+            else:
+                print_color("Please enter 'y' for yes or 'n' for no.", "red")
+        except KeyboardInterrupt:
+            print()
+            print_color("Interrupted by user. Exiting.", "red")
+            print()
+            exit()
+
+
+def check_port_conflicts(selected_services):
+    all_ports = {}
+    conflict_ports = []
+
+    for service_name, config in selected_services.items():
+        ports = config.get('ports', [])
+        for port in ports:
+            # Split the port mapping and take only the host port part
+            parts = port.split(':')
+            host_port = parts[1] if len(parts) == 3 else (parts[0] if parts[1].isdigit() else parts[1])
+
+            # Check for port conflict and associate it with the service name
+            if host_port in all_ports:
+                conflict_ports.append((service_name, host_port))
+                if all_ports[host_port] not in [service for service, _ in conflict_ports]:
+                    conflict_ports.append((all_ports[host_port], host_port))
+            else:
+                all_ports[host_port] = service_name
+
+    if conflict_ports:
+        print_color("[WARNING] - Port conflict(s) detected:", "red")
+        for service, port in conflict_ports:
+            print_color(f"{service}: {port}", "red")
+        return True
+    return False
+
+
+
+def print_color(text, color):
+    colors = {
+        "red": "\033[91m",
+        "green": "\033[92m",
+        "blue": "\033[94m",  # Added blue
+        "magenta": "\033[95m",  # Added magenta
+        "end": "\033[0m",
+    }
+    print(f"{colors[color]}{text}{colors['end']}")
+
+def enforce_dependencies(selected_services, services):
+    # If snare or any tanner services are selected, ensure all are enabled
+    tanner_services = {'snare', 'tanner', 'tanner_redis', 'tanner_phpox', 'tanner_api'}
+    if tanner_services.intersection(selected_services):
+        print_color("[OK] - For Snare / Tanner to work all required services have been added to your configuration.", "green")
+        for service in tanner_services:
+            selected_services[service] = services[service]
+
+    # If kibana is enabled, also enable elasticsearch
+    if 'kibana' in selected_services:
+        selected_services['elasticsearch'] = services['elasticsearch']
+        print_color("[OK] - Kibana requires Elasticsearch which has been added to your configuration.", "green")
+
+    # If spiderfoot is enabled, also enable nginx
+    if 'spiderfoot' in selected_services:
+        selected_services['nginx'] = services['nginx']
+        print_color("[OK] - Spiderfoot requires Nginx which has been added to your configuration.","green")
+
+
+    # If any map services are detected, enable logstash, elasticsearch, nginx, and all map services
+    map_services = {'map_web', 'map_redis', 'map_data'}
+    if map_services.intersection(selected_services):
+        print_color("[OK] - For AttackMap to work all required services have been added to your configuration.", "green")
+        for service in map_services.union({'elasticsearch', 'nginx'}):
+            selected_services[service] = services[service]
+
+    # honeytrap and glutton cannot be active at the same time, always vote in favor of honeytrap
+    if 'honeytrap' in selected_services and 'glutton' in selected_services:
+        # Remove glutton and notify
+        del selected_services['glutton']
+        print_color("[OK] - Honeytrap and Glutton cannot be active at the same time. Glutton has been removed from your configuration.","green")
+
+
+def remove_unused_networks(selected_services, services, networks):
+    used_networks = set()
+    # Identify networks used by selected services
+    for service_name in selected_services:
+        service_config = services[service_name]
+        if 'networks' in service_config:
+            for network in service_config['networks']:
+                used_networks.add(network)
+
+    # Remove unused networks
+    for network in list(networks):
+        if network not in used_networks:
+            del networks[network]
+
+
+def main():
+    config = load_config(config_filename)
+
+    # Separate services and networks
+    services = config['services']
+    networks = config.get('networks', {})
+    selected_services = {'tpotinit': services['tpotinit'],
+                         'logstash': services['logstash']}  # Always include tpotinit and logstash
+
+    for service_name, service_config in services.items():
+        if service_name not in selected_services:  # Skip already included services
+            if prompt_service_include(service_name):
+                selected_services[service_name] = service_config
+
+    # Enforce dependencies
+    enforce_dependencies(selected_services, services)
+
+    # Remove unused networks based on selected services
+    remove_unused_networks(selected_services, services, networks)
+
+    output_config = {
+        'networks': networks,
+        'services': selected_services,
+    }
+
+    current_date = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+
+    with open(service_filename, 'w') as file:
+        file.write(header.format(current_date=current_date))
+        yaml.dump(output_config, file, default_flow_style=False, sort_keys=False, indent=2)
+
+    if check_port_conflicts(selected_services):
+        print_color(f"[WARNING] - Adjust the conflicting ports in the {service_filename} or re-run the script and select services that do not occupy the same port(s).",
+            "red")
+    else:
+        print_color(f"[OK] - Custom {service_filename} has been generated without port conflicts.", "green")
+    print_color(f"Copy {service_filename} to ~/tpotce and test with: docker compose -f {service_filename} up", "blue")
+    print_color(f"If everything works, exit with CTRL-C and replace docker-compose.yml with the new config.", "blue")
+
+
+if __name__ == "__main__":
+    print_color(version, "magenta")
+    main()

compose/llm.yml

@@ -0,0 +1,350 @@
+# T-Pot: LLM
+networks:
+  beelzebub_local:
+  galah_local:
+  nginx_local:
+  ewsposter_local:
+
+services:
+
+#########################################
+#### DEV
+#########################################
+#### T-Pot Init - Never delete this!
+#########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+      - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+      - /tmp/etc:uid=2000,gid=2000
+      - /tmp/:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+      - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+      - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+      - ${TPOT_DATA_PATH}:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+
+##################
+#### Honeypots
+##################
+
+# Beelzebub service
+  beelzebub:
+    container_name: beelzebub
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - beelzebub_local
+    ports:
+      - "22:22"
+    #  - "80:80"
+    #  - "2222:2222"
+    #  - "3306:3306"
+    #  - "8080:8080"
+    image: ${TPOT_REPO}/beelzebub:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    environment:
+      LLM_MODEL: ${BEELZEBUB_LLM_MODEL}
+      LLM_HOST: ${BEELZEBUB_LLM_HOST}
+      OLLAMA_MODEL: ${BEELZEBUB_OLLAMA_MODEL}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/beelzebub/key:/opt/beelzebub/configurations/key
+     - ${TPOT_DATA_PATH}/beelzebub/log:/opt/beelzebub/configurations/log
+
+# Galah service
+  galah:
+    container_name: galah
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - galah_local
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8443:8443"
+      - "8080:8080"
+    image: ${TPOT_REPO}/galah:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    environment:
+      LLM_PROVIDER: ${GALAH_LLM_PROVIDER}
+      LLM_SERVER_URL: ${GALAH_LLM_SERVER_URL}
+      LLM_MODEL: ${GALAH_LLM_MODEL}
+      # LLM_TEMPERATURE: ${GALAH_LLM_TEMPERATURE}
+      # LLM_API_KEY: ${GALAH_LLM_API_KEY}
+      # LLM_CLOUD_LOCATION: ${GALAH_LLM_CLOUD_LOCATION}
+      # LLM_CLOUD_PROJECT: ${GALAH_LLM_CLOUD_PROJECT}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/galah/cache:/opt/galah/config/cache
+     - ${TPOT_DATA_PATH}/galah/cert:/opt/galah/config/cert
+     - ${TPOT_DATA_PATH}/galah/log:/opt/galah/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/fatt:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    image: ${TPOT_REPO}/p0f:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - OINKCODE=${OINKCODE:-OPEN} # Default to OPEN if unset or NULL (value provided by T-Pot .env)
+    # Loading external Rules from URL
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/suricata:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools 
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: ${TPOT_REPO}/elasticsearch:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: ${TPOT_REPO}/kibana:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+     - "127.0.0.1:64305:64305"
+    mem_limit: 2g
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+     - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
+     - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    environment:
+      - TPOT_OSTYPE=${TPOT_OSTYPE}
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    networks:
+     - nginx_local
+    ports:
+     - "64297:64297"
+     - "64294:64294"
+    image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: ${TPOT_REPO}/spiderfoot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/spiderfoot:/home/spiderfoot/.spiderfoot

compose/mac_win.yml

@@ -0,0 +1,734 @@
+# T-Pot: MAC_WIN
+networks:
+  tpotinit_local:
+  adbhoney_local:
+  ciscoasa_local:
+  cowrie_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  h0neytr4p_local:
+  heralding_local:
+  honeyaml_local:
+  ipphoney_local:
+  mailoney_local:
+  medpot_local:
+  miniprint_local:
+  redishoneypot_local:
+  sentrypeer_local:
+  suricata_local:
+  tanner_local:
+  wordpot_local:
+  nginx_local:
+  ewsposter_local:
+
+services:
+
+########################################
+#### DEV
+########################################
+#### T-Pot Init - Never delete this!
+########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+     - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+     - /tmp/etc:uid=2000,gid=2000
+     - /tmp/:uid=2000,gid=2000
+    networks:
+     - tpotinit_local
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+     - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+     - ${TPOT_DATA_PATH}:/data
+     - /var/run/docker.sock:/var/run/docker.sock:ro
+
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney service
+  adbhoney:
+    container_name: adbhoney
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: ${TPOT_REPO}/adbhoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/adbhoney/log:/opt/adbhoney/log
+     - ${TPOT_DATA_PATH}/adbhoney/downloads:/opt/adbhoney/dl
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: ${TPOT_REPO}/ciscoasa:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ciscoasa/log:/var/log/ciscoasa
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+      - /tmp/cowrie:uid=2000,gid=2000
+      - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+      - cowrie_local
+    ports:
+      - "22:22"
+      - "23:23"
+    image: ${TPOT_REPO}/cowrie:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/cowrie/downloads:/home/cowrie/cowrie/dl
+      - ${TPOT_DATA_PATH}/cowrie/keys:/home/cowrie/cowrie/etc
+      - ${TPOT_DATA_PATH}/cowrie/log:/home/cowrie/cowrie/log
+      - ${TPOT_DATA_PATH}/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - dicompot_local
+    ports:
+     - "104:11112"
+     - "11112:11112"
+    image: ${TPOT_REPO}/dicompot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dicompot/log:/var/log/dicompot
+#     - ${TPOT_DATA_PATH}/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     # - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: ${TPOT_REPO}/dionaea:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - ${TPOT_DATA_PATH}/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - ${TPOT_DATA_PATH}/dionaea:/opt/dionaea/var/dionaea
+     - ${TPOT_DATA_PATH}/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - ${TPOT_DATA_PATH}/dionaea/log:/opt/dionaea/var/log
+     - ${TPOT_DATA_PATH}/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: ${TPOT_REPO}/elasticpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/elasticpot/log:/opt/elasticpot/log
+
+# H0neytr4p service
+  h0neytr4p:
+    container_name: h0neytr4p
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - h0neytr4p_local
+    ports:
+      - "443:443"
+    # - "80:80"
+    image: ${TPOT_REPO}/h0neytr4p:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/h0neytr4p/log/:/opt/h0neytr4p/log/
+      - ${TPOT_DATA_PATH}/h0neytr4p/payloads/:/data/h0neytr4p/payloads/
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: ${TPOT_REPO}/heralding:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
+
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: ${TPOT_REPO}/ipphoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ipphoney/log:/opt/ipphoney/log
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+     - "587:25"
+    image: ${TPOT_REPO}/mailoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: ${TPOT_REPO}/medpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/medpot/log/:/var/log/medpot
+
+# Miniprint service
+  miniprint:
+    container_name: miniprint
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - miniprint_local
+    ports:
+      - "9100:9100"
+    image: ${TPOT_REPO}/miniprint:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/miniprint/log/:/opt/miniprint/log/
+     - ${TPOT_DATA_PATH}/miniprint/uploads/:/opt/miniprint/uploads/
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: ${TPOT_REPO}/redishoneypot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=1
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/tcp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: ${TPOT_REPO}/sentrypeer:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/sentrypeer/log:/var/log/sentrypeer
+
+#### Snare / Tanner
+## Tanner Redis Service
+  tanner_redis:
+    container_name: tanner_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## PHP Sandbox service
+  tanner_phpox:
+    container_name: tanner_phpox
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/phpox:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Tanner API Service
+  tanner_api:
+    container_name: tanner_api
+    restart: always
+    depends_on:
+     - tanner_redis
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+    command: tannerapi
+
+## Tanner Service
+  tanner:
+    container_name: tanner
+    restart: always
+    depends_on:
+     - tanner_api
+     - tanner_phpox
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    command: tanner
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+     - ${TPOT_DATA_PATH}/tanner/files:/opt/tanner/files
+
+## Snare Service
+  snare:
+    container_name: snare
+    restart: always
+    depends_on:
+     - tanner
+    tty: true
+    networks:
+     - tanner_local
+    ports:
+     - "80:80"
+    image: ${TPOT_REPO}/snare:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+# Wordpot service
+  wordpot:
+    container_name: wordpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - wordpot_local
+    ports:
+     - "8080:80"
+    image: ${TPOT_REPO}/wordpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/wordpot/log:/opt/wordpot/logs/
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/fatt:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/p0f:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - suricata_local
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    environment:
+     - OINKCODE=${OINKCODE:-OPEN} # Default to OPEN if unset or NULL (value provided by T-Pot .env)
+    # Loading external Rules from URL
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    image: ${TPOT_REPO}/suricata:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    networks:
+     - nginx_local
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: ${TPOT_REPO}/elasticsearch:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: ${TPOT_REPO}/kibana:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+      - "127.0.0.1:64305:64305"
+    mem_limit: 2g
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+     - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
+     - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    environment:
+      - TPOT_OSTYPE=${TPOT_OSTYPE}
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    networks:
+     - nginx_local
+    ports:
+     - "64297:64297"
+    image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: ${TPOT_REPO}/spiderfoot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/spiderfoot:/home/spiderfoot/.spiderfoot

compose/mini.yml

@@ -1,31 +1,47 @@
-# T-Pot (NextGen)
-# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
-version: '2.3'
-
+# T-Pot: MINI
 networks:
   adbhoney_local:
   ciscoasa_local:
-  citrixhoneypot_local:
   conpot_local_IEC104:
   conpot_local_guardian_ast:
   conpot_local_ipmi:
   conpot_local_kamstrup_382:
-  ddospot_local:
   dicompot_local:
-  dionaea_local:
-  elasticpot_local:
-  endlessh_local:
-  hellpot_local:
-  heralding_local:
-  ipphoney_local:
-  mailoney_local:
+  honeypots_local:
   medpot_local:
-  redishoneypot_local:
+  nginx_local:
   ewsposter_local:
-  spiderfoot_local:
 
 services:
 
+#########################################
+#### DEV
+#########################################
+#### T-Pot Init - Never delete this!
+#########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+      - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+      - /tmp/etc:uid=2000,gid=2000
+      - /tmp/:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+      - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+      - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+      - ${TPOT_DATA_PATH}:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+
 ##################
 #### Honeypots
 ##################
@@ -34,20 +50,27 @@ services:
   adbhoney:
     container_name: adbhoney
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     networks:
      - adbhoney_local
     ports:
      - "5555:5555"
-    image: "dtagdevsec/adbhoney:2204"
+    image: ${TPOT_REPO}/adbhoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/adbhoney/log:/opt/adbhoney/log
-     - /data/adbhoney/downloads:/opt/adbhoney/dl
+     - ${TPOT_DATA_PATH}/adbhoney/log:/opt/adbhoney/log
+     - ${TPOT_DATA_PATH}/adbhoney/downloads:/opt/adbhoney/dl
 
 # Ciscoasa service
   ciscoasa:
     container_name: ciscoasa
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     tmpfs:
      - /tmp/ciscoasa:uid=2000,gid=2000
     networks:
@@ -55,28 +78,19 @@ services:
     ports:
      - "5000:5000/udp"
      - "8443:8443"
-    image: "dtagdevsec/ciscoasa:2204"
+    image: ${TPOT_REPO}/ciscoasa:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/ciscoasa/log:/var/log/ciscoasa
-
-# CitrixHoneypot service
-  citrixhoneypot:
-    container_name: citrixhoneypot
-    restart: always
-    networks:
-     - citrixhoneypot_local
-    ports:
-     - "443:443"
-    image: "dtagdevsec/citrixhoneypot:2204"
-    read_only: true
-    volumes:
-     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs       
+     - ${TPOT_DATA_PATH}/ciscoasa/log:/var/log/ciscoasa
 
 # Conpot IEC104 service
   conpot_IEC104:
     container_name: conpot_iec104
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     environment:
      - CONPOT_CONFIG=/etc/conpot/conpot.cfg
      - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
@@ -90,15 +104,19 @@ services:
     ports:
      - "161:161/udp"
      - "2404:2404"
-    image: "dtagdevsec/conpot:2204"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/conpot/log:/var/log/conpot
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
 
 # Conpot guardian_ast service
   conpot_guardian_ast:
     container_name: conpot_guardian_ast
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     environment:
      - CONPOT_CONFIG=/etc/conpot/conpot.cfg
      - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
@@ -111,15 +129,19 @@ services:
      - conpot_local_guardian_ast
     ports:
      - "10001:10001"
-    image: "dtagdevsec/conpot:2204"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/conpot/log:/var/log/conpot
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
 
 # Conpot ipmi
   conpot_ipmi:
     container_name: conpot_ipmi
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     environment:
      - CONPOT_CONFIG=/etc/conpot/conpot.cfg
      - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
@@ -132,15 +154,19 @@ services:
      - conpot_local_ipmi
     ports:
      - "623:623/udp"
-    image: "dtagdevsec/conpot:2204"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/conpot/log:/var/log/conpot
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
 
 # Conpot kamstrup_382
   conpot_kamstrup_382:
     container_name: conpot_kamstrup_382
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     environment:
      - CONPOT_CONFIG=/etc/conpot/conpot.cfg
      - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
@@ -154,29 +180,11 @@ services:
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "dtagdevsec/conpot:2204"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/conpot/log:/var/log/conpot
-
-# Ddospot service
-  ddospot:
-    container_name: ddospot
-    restart: always
-    networks:
-     - ddospot_local
-    ports:
-     - "19:19/udp"
-     - "53:53/udp"
-     - "123:123/udp"
-#     - "161:161/udp"
-     - "1900:1900/udp"
-    image: "dtagdevsec/ddospot:2204"
-    read_only: true
-    volumes:
-     - /data/ddospot/log:/opt/ddospot/ddospot/logs
-     - /data/ddospot/bl:/opt/ddospot/ddospot/bl
-     - /data/ddospot/db:/opt/ddospot/ddospot/db
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
 
 # Dicompot service
 # Get the Horos Client for testing: https://horosproject.org/
@@ -185,195 +193,108 @@ services:
   dicompot:
     container_name: dicompot
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     networks:
      - dicompot_local
     ports:
+     - "104:11112"
      - "11112:11112"
-    image: "dtagdevsec/dicompot:2204"
+    image: ${TPOT_REPO}/dicompot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/dicompot/log:/var/log/dicompot
-#     - /data/dicompot/images:/opt/dicompot/images
+     - ${TPOT_DATA_PATH}/dicompot/log:/var/log/dicompot
+#     - ${TPOT_DATA_PATH}/dicompot/images:/opt/dicompot/images
 
-# Dionaea service
-  dionaea:
-    container_name: dionaea
+# Honeypots service
+  honeypots:
+    container_name: honeypots
     stdin_open: true
     tty: true
     restart: always
-    networks:
-     - dionaea_local
-    ports:
-     - "20:20"
-     - "21:21"
-     - "42:42"
-     - "69:69/udp"
-     - "81:81"
-     - "135:135"
-     # - "443:443"
-     - "445:445"
-     - "1433:1433"
-     - "1723:1723"
-     - "1883:1883"
-     - "3306:3306"
-     # - "5060:5060"
-     # - "5060:5060/udp"
-     # - "5061:5061"
-     - "27017:27017"
-    image: "dtagdevsec/dionaea:2204"
-    read_only: true
-    volumes:
-     - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
-     - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
-     - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
-     - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
-     - /data/dionaea:/opt/dionaea/var/dionaea
-     - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
-     - /data/dionaea/log:/opt/dionaea/var/log
-     - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
-
-# ElasticPot service
-  elasticpot:
-    container_name: elasticpot
-    restart: always
-    networks:
-     - elasticpot_local
-    ports:
-     - "9200:9200"
-    image: "dtagdevsec/elasticpot:2204"
-    read_only: true
-    volumes:
-     - /data/elasticpot/log:/opt/elasticpot/log
-
-# Endlessh service
-  endlessh:
-    container_name: endlessh
-    restart: always
-    networks:
-     - endlessh_local
-    ports:
-     - "22:2222"
-    image: "dtagdevsec/endlessh:2204"
-    read_only: true
-    volumes:
-     - /data/endlessh/log:/var/log/endlessh
-
-# Glutton service
-  glutton:
-    container_name: glutton
-    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     tmpfs:
-     - /var/lib/glutton:uid=2000,gid=2000
-     - /run:uid=2000,gid=2000
+     - /tmp:uid=2000,gid=2000
+    networks:
+     - honeypots_local
+    ports:
+     - "21:21"
+     - "22:22"
+     - "23:23"
+     - "25:25"
+     - "53:53"
+     - "67:67/udp"
+     - "80:80"
+     - "110:110"
+     - "123:123"
+     - "143:143"
+     - "161:161"
+     - "389:389"
+     - "443:443"
+     - "445:445"
+     - "631:631"
+     - "1080:1080"
+     - "1433:1433"
+     - "1521:1521"
+     - "3306:3306"
+     - "3389:3389"
+     - "5060:5060/tcp"
+     - "5060:5060/udp"
+     - "5432:5432"
+     - "5900:5900"
+     - "6379:6379"
+     - "6667:6667"
+     - "8080:8080"
+     - "9100:9100"
+     - "9200:9200"
+     - "11211:11211"
+    image: ${TPOT_REPO}/honeypots:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeypots/log:/var/log/honeypots
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
     network_mode: "host"
     cap_add:
      - NET_ADMIN
-    image: "dtagdevsec/glutton:2204"
+    image: ${TPOT_REPO}/honeytrap:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/glutton/log:/var/log/glutton
-#     - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml
-
-# Heralding service
-  heralding:
-    container_name: heralding
-    restart: always
-    tmpfs:
-     - /tmp/heralding:uid=2000,gid=2000
-    networks:
-     - heralding_local
-    ports:
-    # - "21:21"
-    # - "22:22"
-    # - "23:23"
-    # - "25:25"
-    # - "80:80"
-     - "110:110"
-     - "143:143"
-    # - "443:443"
-     - "465:465"
-     - "993:993"
-     - "995:995"
-    # - "3306:3306"
-    # - "3389:3389"
-     - "1080:1080"
-     - "5432:5432"
-     - "5900:5900"
-    image: "dtagdevsec/heralding:2204"
-    read_only: true
-    volumes:
-     - /data/heralding/log:/var/log/heralding
-
-# Ipphoney service
-  ipphoney:
-    container_name: ipphoney
-    restart: always
-    networks:
-     - ipphoney_local
-    ports:
-     - "631:631"
-    image: "dtagdevsec/ipphoney:2204"
-    read_only: true
-    volumes:
-     - /data/ipphoney/log:/opt/ipphoney/log
-
-# Mailoney service
-  mailoney:
-    container_name: mailoney
-    restart: always
-    environment:
-     - HPFEEDS_SERVER=
-     - HPFEEDS_IDENT=user
-     - HPFEEDS_SECRET=pass
-     - HPFEEDS_PORT=20000
-     - HPFEEDS_CHANNELPREFIX=prefix
-    networks:
-     - mailoney_local
-    ports:
-     - "25:25"
-    image: "dtagdevsec/mailoney:2204"
-    read_only: true
-    volumes:
-     - /data/mailoney/log:/opt/mailoney/logs
+     - ${TPOT_DATA_PATH}/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - ${TPOT_DATA_PATH}/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - ${TPOT_DATA_PATH}/honeytrap/log:/opt/honeytrap/var/log
 
 # Medpot service
   medpot:
     container_name: medpot
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     networks:
      - medpot_local
     ports:
      - "2575:2575"
-    image: "dtagdevsec/medpot:2204"
+    image: ${TPOT_REPO}/medpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/medpot/log/:/var/log/medpot
+     - ${TPOT_DATA_PATH}/medpot/log/:/var/log/medpot
 
-# Redishoneypot service
-  redishoneypot:
-    container_name: redishoneypot
-    restart: always
-    networks:
-     - redishoneypot_local
-    ports:
-     - "6379:6379"
-    image: "dtagdevsec/redishoneypot:2204"
-    read_only: true
-    volumes:
-     - /data/redishoneypot/log:/var/log/redishoneypot
-
-# Hellpot service
-  hellpot:
-    container_name: hellpot
-    restart: always
-    networks:
-     - hellpot_local
-    ports:
-     - "80:8080"
-    image: "dtagdevsec/hellpot:2204"
-    read_only: true
-    volumes:
-     - /data/hellpot/log:/var/log/hellpot
 
 ##################
 #### NSM
@@ -383,42 +304,53 @@ services:
   fatt:
     container_name: fatt
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     network_mode: "host"
     cap_add:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/fatt:2204"
+    image: ${TPOT_REPO}/fatt:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     volumes:
-     - /data/fatt/log:/opt/fatt/log
+     - ${TPOT_DATA_PATH}/fatt/log:/opt/fatt/log
 
 # P0f service
   p0f:
     container_name: p0f
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     network_mode: "host"
-    image: "dtagdevsec/p0f:2204"
+    image: ${TPOT_REPO}/p0f:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/p0f/log:/var/log/p0f
+     - ${TPOT_DATA_PATH}/p0f/log:/var/log/p0f
 
 # Suricata service
   suricata:
     container_name: suricata
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     environment:
-    # For ET Pro ruleset replace "OPEN" with your OINKCODE
-     - OINKCODE=OPEN
-    # Loading externel Rules from URL 
+     - OINKCODE=${OINKCODE:-OPEN} # Default to OPEN if unset or NULL (value provided by T-Pot .env)
+    # Loading external Rules from URL
     # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
     network_mode: "host"
     cap_add:
      - NET_ADMIN
      - SYS_NICE
      - NET_RAW
-    image: "dtagdevsec/suricata:2204"
+    image: ${TPOT_REPO}/suricata:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     volumes:
-     - /data/suricata/log:/var/log/suricata
+     - ${TPOT_DATA_PATH}/suricata/log:/var/log/suricata
 
 
 ##################
@@ -430,6 +362,11 @@ services:
   elasticsearch:
     container_name: elasticsearch
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
     environment:
      - bootstrap.memory_lock=true
      - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
@@ -446,9 +383,10 @@ services:
     mem_limit: 4g
     ports:
      - "127.0.0.1:64298:9200"
-    image: "dtagdevsec/elasticsearch:2204"
+    image: ${TPOT_REPO}/elasticsearch:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     volumes:
-     - /data:/data
+     - ${TPOT_DATA_PATH}:/data
 
 ## Kibana service
   kibana:
@@ -457,49 +395,69 @@ services:
     depends_on:
       elasticsearch:
         condition: service_healthy
+    networks:
+     - nginx_local
     mem_limit: 1g
     ports:
      - "127.0.0.1:64296:5601"
-    image: "dtagdevsec/kibana:2204"
+    image: ${TPOT_REPO}/kibana:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
 
 ## Logstash service
   logstash:
     container_name: logstash
     restart: always
-    environment:
-     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
     depends_on:
       elasticsearch:
         condition: service_healthy
-    env_file:
-     - /opt/tpot/etc/compose/elk_environment
+    networks:
+     - nginx_local
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+     - "127.0.0.1:64305:64305"
     mem_limit: 2g
-    image: "dtagdevsec/logstash:2204"
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     volumes:
-     - /data:/data
+     - ${TPOT_DATA_PATH}:/data
 
 ## Map Redis Service
   map_redis:
     container_name: map_redis
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
     stop_signal: SIGKILL
     tty: true
-    image: "dtagdevsec/redis:2204"
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
 
 ## Map Web Service
   map_web:
     container_name: map_web
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
     environment:
      - MAP_COMMAND=AttackMapServer.py
-    env_file:
-     - /opt/tpot/etc/compose/elk_environment
     stop_signal: SIGKILL
     tty: true
     ports:
      - "127.0.0.1:64299:64299"
-    image: "dtagdevsec/map:2204"
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
 
 ## Map Data Service
   map_data:
@@ -508,19 +466,25 @@ services:
     depends_on:
       elasticsearch:
         condition: service_healthy
+    networks:
+     - nginx_local
     environment:
      - MAP_COMMAND=DataServer_v2.py
-    env_file:
-     - /opt/tpot/etc/compose/elk_environment
+     - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
+     - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
     stop_signal: SIGKILL
     tty: true
-    image: "dtagdevsec/map:2204"
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
 #### /ELK
 
 # Ewsposter service
   ewsposter:
     container_name: ewsposter
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     networks:
      - ewsposter_local
     environment:
@@ -532,17 +496,21 @@ services:
      - EWS_HPFEEDS_SECRET=secret
      - EWS_HPFEEDS_TLSCERT=false
      - EWS_HPFEEDS_FORMAT=json
-    env_file:
-     - /opt/tpot/etc/compose/elk_environment
-    image: "dtagdevsec/ewsposter:2204"
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     volumes:
-     - /data:/data
-     - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip
 
 # Nginx service
   nginx:
     container_name: nginx
     restart: always
+    environment:
+      - TPOT_OSTYPE=${TPOT_OSTYPE}
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     tmpfs:
      - /var/tmp/nginx/client_body
      - /var/tmp/nginx/proxy
@@ -551,25 +519,32 @@ services:
      - /var/tmp/nginx/scgi
      - /run
      - /var/lib/nginx/tmp:uid=100,gid=82
-    network_mode: "host"
+    networks:
+     - nginx_local
     ports:
      - "64297:64297"
-     - "127.0.0.1:64304:64304"
-    image: "dtagdevsec/nginx:2204"
+     - "64294:64294"
+    image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     read_only: true
     volumes:
-     - /data/nginx/cert/:/etc/nginx/cert/:ro
-     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
-     - /data/nginx/log/:/var/log/nginx/
+     - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
 
 # Spiderfoot service
   spiderfoot:
     container_name: spiderfoot
     restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
     networks:
-     - spiderfoot_local
+     - nginx_local
     ports:
      - "127.0.0.1:64303:8080"
-    image: "dtagdevsec/spiderfoot:2204"
+    image: ${TPOT_REPO}/spiderfoot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
     volumes:
-     - /data/spiderfoot:/home/spiderfoot/.spiderfoot
+     - ${TPOT_DATA_PATH}/spiderfoot:/home/spiderfoot/.spiderfoot

compose/mobile.yml

@@ -0,0 +1,664 @@
+# T-Pot: MOBILE
+# Note: This docker compose file has been adjusted to limit the number of tools, services and honeypots to run
+#       T-Pot on a Raspberry Pi 4 (8GB of RAM).
+#       The standard docker compose file should work mostly fine (depending on traffic) if you do not enable a
+#       desktop environment such as LXDE and meet the minimum requirements of 8GB RAM.
+networks:
+  ciscoasa_local:
+  conpot_local_IEC104:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  cowrie_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  h0neytr4p_local:
+  heralding_local:
+  honeyaml_local:
+  ipphoney_local:
+  log4pot_local:
+  mailoney_local:
+  medpot_local:
+  miniprint_local:
+  redishoneypot_local:
+  sentrypeer_local:
+  tanner_local:
+  wordpot_local:
+  ewsposter_local:
+
+services:
+
+#########################################
+#### DEV
+#########################################
+#### T-Pot Init - Never delete this!
+#########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+      - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+      - /tmp/etc:uid=2000,gid=2000
+      - /tmp/:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+      - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+      - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+      - ${TPOT_DATA_PATH}:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+##################
+#### Honeypots
+##################
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: ${TPOT_REPO}/ciscoasa:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ciscoasa/log:/var/log/ciscoasa
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+     - "161:161/udp"
+     - "2404:2404"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    tmpfs:
+      - /tmp/cowrie:uid=2000,gid=2000
+      - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+      - cowrie_local
+    ports:
+      - "22:22"
+      - "23:23"
+    image: ${TPOT_REPO}/cowrie:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/cowrie/downloads:/home/cowrie/cowrie/dl
+      - ${TPOT_DATA_PATH}/cowrie/keys:/home/cowrie/cowrie/etc
+      - ${TPOT_DATA_PATH}/cowrie/log:/home/cowrie/cowrie/log
+      - ${TPOT_DATA_PATH}/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - dicompot_local
+    ports:
+     - "104:11112"
+     - "11112:11112"
+    image: ${TPOT_REPO}/dicompot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dicompot/log:/var/log/dicompot
+#     - ${TPOT_DATA_PATH}/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: ${TPOT_REPO}/dionaea:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - ${TPOT_DATA_PATH}/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - ${TPOT_DATA_PATH}/dionaea:/opt/dionaea/var/dionaea
+     - ${TPOT_DATA_PATH}/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - ${TPOT_DATA_PATH}/dionaea/log:/opt/dionaea/var/log
+     - ${TPOT_DATA_PATH}/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: ${TPOT_REPO}/elasticpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/elasticpot/log:/opt/elasticpot/log
+
+# H0neytr4p service
+  h0neytr4p:
+    container_name: h0neytr4p
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - h0neytr4p_local
+    ports:
+      - "443:443"
+    # - "80:80"
+    image: ${TPOT_REPO}/h0neytr4p:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/h0neytr4p/log/:/opt/h0neytr4p/log/
+      - ${TPOT_DATA_PATH}/h0neytr4p/payloads/:/data/h0neytr4p/payloads/
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: ${TPOT_REPO}/heralding:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
+
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/honeytrap:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - ${TPOT_DATA_PATH}/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - ${TPOT_DATA_PATH}/honeytrap/log:/opt/honeytrap/var/log
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: ${TPOT_REPO}/ipphoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ipphoney/log:/opt/ipphoney/log
+
+# Log4pot service
+  log4pot:
+    container_name: log4pot
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    tmpfs:
+     - /tmp:uid=2000,gid=2000
+    networks:
+     - log4pot_local
+    ports:
+    # - "80:8080"
+    # - "443:8080"
+    # - "8080:8080"
+    # - "9200:8080"
+     - "25565:8080"
+    image: ${TPOT_REPO}/log4pot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/log4pot/log:/var/log/log4pot/log
+     - ${TPOT_DATA_PATH}/log4pot/payloads:/var/log/log4pot/payloads
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+     - "587:25"
+    image: ${TPOT_REPO}/mailoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: ${TPOT_REPO}/medpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/medpot/log/:/var/log/medpot
+
+# Miniprint service
+  miniprint:
+    container_name: miniprint
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - miniprint_local
+    ports:
+      - "9100:9100"
+    image: ${TPOT_REPO}/miniprint:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/miniprint/log/:/opt/miniprint/log/
+     - ${TPOT_DATA_PATH}/miniprint/uploads/:/opt/miniprint/uploads/
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: ${TPOT_REPO}/redishoneypot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=1
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/tcp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: ${TPOT_REPO}/sentrypeer:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/sentrypeer/log:/var/log/sentrypeer
+
+#### Snare / Tanner
+## Tanner Redis Service
+  tanner_redis:
+    container_name: tanner_redis
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## PHP Sandbox service
+  tanner_phpox:
+    container_name: tanner_phpox
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/phpox:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Tanner API Service
+  tanner_api:
+    container_name: tanner_api
+    restart: always
+    depends_on:
+     - tanner_redis
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+    command: tannerapi
+
+## Tanner Service
+  tanner:
+    container_name: tanner
+    restart: always
+    depends_on:
+     - tanner_api
+     - tanner_phpox
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    command: tanner
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+     - ${TPOT_DATA_PATH}/tanner/files:/opt/tanner/files
+
+## Snare Service
+  snare:
+    container_name: snare
+    restart: always
+    depends_on:
+     - tanner
+    tty: true
+    networks:
+     - tanner_local
+    ports:
+     - "80:80"
+    image: ${TPOT_REPO}/snare:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+# Wordpot service
+  wordpot:
+    container_name: wordpot
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - wordpot_local
+    ports:
+     - "8080:80"
+    image: ${TPOT_REPO}/wordpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/wordpot/log:/opt/wordpot/logs/
+
+
+##################
+#### Tools
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: ${TPOT_REPO}/elasticsearch:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+     - "127.0.0.1:64305:64305"
+    mem_limit: 2g
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    depends_on:
+      logstash:
+        condition: service_healthy
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip

compose/sensor.yml

@@ -0,0 +1,711 @@
+# T-Pot: SENSOR
+networks:
+  adbhoney_local:
+  ciscoasa_local:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  cowrie_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  h0neytr4p_local:
+  heralding_local:
+  honeyaml_local:
+  ipphoney_local:
+  mailoney_local:
+  medpot_local:
+  miniprint_local:
+  redishoneypot_local:
+  sentrypeer_local:
+  tanner_local:
+  wordpot_local:
+  ewsposter_local:
+
+services:
+
+#########################################
+#### DEV
+#########################################
+#### T-Pot Init - Never delete this!
+#########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+      - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+      - /tmp/etc:uid=2000,gid=2000
+      - /tmp/:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+      - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+      - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+      - ${TPOT_DATA_PATH}:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney service
+  adbhoney:
+    container_name: adbhoney
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: ${TPOT_REPO}/adbhoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/adbhoney/log:/opt/adbhoney/log
+     - ${TPOT_DATA_PATH}/adbhoney/downloads:/opt/adbhoney/dl
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: ${TPOT_REPO}/ciscoasa:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ciscoasa/log:/var/log/ciscoasa
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+     - "161:161/udp"
+     - "2404:2404"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+      - /tmp/cowrie:uid=2000,gid=2000
+      - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+      - cowrie_local
+    ports:
+      - "22:22"
+      - "23:23"
+    image: ${TPOT_REPO}/cowrie:${TPOT_VERSION} 
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/cowrie/downloads:/home/cowrie/cowrie/dl
+      - ${TPOT_DATA_PATH}/cowrie/keys:/home/cowrie/cowrie/etc
+      - ${TPOT_DATA_PATH}/cowrie/log:/home/cowrie/cowrie/log
+      - ${TPOT_DATA_PATH}/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - dicompot_local
+    ports:
+     - "104:11112"
+     - "11112:11112"
+    image: ${TPOT_REPO}/dicompot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dicompot/log:/var/log/dicompot
+#     - ${TPOT_DATA_PATH}/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: ${TPOT_REPO}/dionaea:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - ${TPOT_DATA_PATH}/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - ${TPOT_DATA_PATH}/dionaea:/opt/dionaea/var/dionaea
+     - ${TPOT_DATA_PATH}/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - ${TPOT_DATA_PATH}/dionaea/log:/opt/dionaea/var/log
+     - ${TPOT_DATA_PATH}/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: ${TPOT_REPO}/elasticpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/elasticpot/log:/opt/elasticpot/log
+
+# H0neytr4p service
+  h0neytr4p:
+    container_name: h0neytr4p
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - h0neytr4p_local
+    ports:
+      - "443:443"
+    # - "80:80"
+    image: ${TPOT_REPO}/h0neytr4p:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/h0neytr4p/log/:/opt/h0neytr4p/log/
+      - ${TPOT_DATA_PATH}/h0neytr4p/payloads/:/data/h0neytr4p/payloads/
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: ${TPOT_REPO}/heralding:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
+
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/honeytrap:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - ${TPOT_DATA_PATH}/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - ${TPOT_DATA_PATH}/honeytrap/log:/opt/honeytrap/var/log
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: ${TPOT_REPO}/ipphoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ipphoney/log:/opt/ipphoney/log
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+     - "587:25"
+    image: ${TPOT_REPO}/mailoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: ${TPOT_REPO}/medpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/medpot/log/:/var/log/medpot
+
+# Miniprint service
+  miniprint:
+    container_name: miniprint
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - miniprint_local
+    ports:
+      - "9100:9100"
+    image: ${TPOT_REPO}/miniprint:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/miniprint/log/:/opt/miniprint/log/
+     - ${TPOT_DATA_PATH}/miniprint/uploads/:/opt/miniprint/uploads/
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: ${TPOT_REPO}/redishoneypot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=1
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/tcp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: ${TPOT_REPO}/sentrypeer:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/sentrypeer/log:/var/log/sentrypeer
+
+#### Snare / Tanner
+## Tanner Redis Service
+  tanner_redis:
+    container_name: tanner_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## PHP Sandbox service
+  tanner_phpox:
+    container_name: tanner_phpox
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/phpox:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Tanner API Service
+  tanner_api:
+    container_name: tanner_api
+    restart: always
+    depends_on:
+     - tanner_redis
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+    command: tannerapi
+
+## Tanner Service
+  tanner:
+    container_name: tanner
+    restart: always
+    depends_on:
+     - tanner_api
+     - tanner_phpox
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    command: tanner
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+     - ${TPOT_DATA_PATH}/tanner/files:/opt/tanner/files
+
+## Snare Service
+  snare:
+    container_name: snare
+    restart: always
+    depends_on:
+     - tanner
+    tty: true
+    networks:
+     - tanner_local
+    ports:
+     - "80:80"
+    image: ${TPOT_REPO}/snare:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+# Wordpot service
+  wordpot:
+    container_name: wordpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - wordpot_local
+    ports:
+     - "8080:80"
+    image: ${TPOT_REPO}/wordpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/wordpot/log:/opt/wordpot/logs/
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/fatt:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    image: ${TPOT_REPO}/p0f:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - OINKCODE=${OINKCODE:-OPEN} # Default to OPEN if unset or NULL (value provided by T-Pot .env)
+    # Loading external Rules from URL
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/suricata:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools 
+##################
+
+#### ELK
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+     - "127.0.0.1:64305:64305"
+    mem_limit: 2g
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip

compose/standard.yml

@@ -0,0 +1,856 @@
+# T-Pot: STANDARD
+networks:
+  adbhoney_local:
+  ciscoasa_local:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  cowrie_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  h0neytr4p_local:
+  heralding_local:
+  honeyaml_local:
+  ipphoney_local:
+  mailoney_local:
+  medpot_local:
+  miniprint_local:
+  redishoneypot_local:
+  sentrypeer_local:
+  tanner_local:
+  wordpot_local:
+  nginx_local:
+  ewsposter_local:
+
+services:
+
+#########################################
+#### DEV
+#########################################
+#### T-Pot Init - Never delete this!
+#########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+      - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+      - /tmp/etc:uid=2000,gid=2000
+      - /tmp/:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+      - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+      - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+      - ${TPOT_DATA_PATH}:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney service
+  adbhoney:
+    container_name: adbhoney
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: ${TPOT_REPO}/adbhoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/adbhoney/log:/opt/adbhoney/log
+     - ${TPOT_DATA_PATH}/adbhoney/downloads:/opt/adbhoney/dl
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: ${TPOT_REPO}/ciscoasa:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ciscoasa/log:/var/log/ciscoasa
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+     - "161:161/udp"
+     - "2404:2404"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+      - /tmp/cowrie:uid=2000,gid=2000
+      - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+      - cowrie_local
+    ports:
+      - "22:22"
+      - "23:23"
+    image: ${TPOT_REPO}/cowrie:${TPOT_VERSION} 
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/cowrie/downloads:/home/cowrie/cowrie/dl
+      - ${TPOT_DATA_PATH}/cowrie/keys:/home/cowrie/cowrie/etc
+      - ${TPOT_DATA_PATH}/cowrie/log:/home/cowrie/cowrie/log
+      - ${TPOT_DATA_PATH}/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - dicompot_local
+    ports:
+     - "104:11112"
+     - "11112:11112"
+    image: ${TPOT_REPO}/dicompot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dicompot/log:/var/log/dicompot
+#     - ${TPOT_DATA_PATH}/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: ${TPOT_REPO}/dionaea:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - ${TPOT_DATA_PATH}/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - ${TPOT_DATA_PATH}/dionaea:/opt/dionaea/var/dionaea
+     - ${TPOT_DATA_PATH}/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - ${TPOT_DATA_PATH}/dionaea/log:/opt/dionaea/var/log
+     - ${TPOT_DATA_PATH}/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: ${TPOT_REPO}/elasticpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/elasticpot/log:/opt/elasticpot/log
+
+# H0neytr4p service
+  h0neytr4p:
+    container_name: h0neytr4p
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - h0neytr4p_local
+    ports:
+     - "443:443"
+    # - "80:80"
+    image: ${TPOT_REPO}/h0neytr4p:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/h0neytr4p/log/:/opt/h0neytr4p/log/
+      - ${TPOT_DATA_PATH}/h0neytr4p/payloads/:/data/h0neytr4p/payloads/
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: ${TPOT_REPO}/heralding:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
+
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/honeytrap:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - ${TPOT_DATA_PATH}/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - ${TPOT_DATA_PATH}/honeytrap/log:/opt/honeytrap/var/log
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: ${TPOT_REPO}/ipphoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ipphoney/log:/opt/ipphoney/log
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+     - "587:25"
+    image: ${TPOT_REPO}/mailoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: ${TPOT_REPO}/medpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/medpot/log/:/var/log/medpot
+
+# Miniprint service
+  miniprint:
+    container_name: miniprint
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - miniprint_local
+    ports:
+      - "9100:9100"
+    image: ${TPOT_REPO}/miniprint:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/miniprint/log/:/opt/miniprint/log/
+     - ${TPOT_DATA_PATH}/miniprint/uploads/:/opt/miniprint/uploads/
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: ${TPOT_REPO}/redishoneypot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=1
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/tcp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: ${TPOT_REPO}/sentrypeer:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/sentrypeer/log:/var/log/sentrypeer
+
+#### Snare / Tanner
+## Tanner Redis Service
+  tanner_redis:
+    container_name: tanner_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## PHP Sandbox service
+  tanner_phpox:
+    container_name: tanner_phpox
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/phpox:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Tanner API Service
+  tanner_api:
+    container_name: tanner_api
+    restart: always
+    depends_on:
+     - tanner_redis
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+    command: tannerapi
+
+## Tanner Service
+  tanner:
+    container_name: tanner
+    restart: always
+    depends_on:
+     - tanner_api
+     - tanner_phpox
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    command: tanner
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+     - ${TPOT_DATA_PATH}/tanner/files:/opt/tanner/files
+
+## Snare Service
+  snare:
+    container_name: snare
+    restart: always
+    depends_on:
+     - tanner
+    tty: true
+    networks:
+     - tanner_local
+    ports:
+     - "80:80"
+    image: ${TPOT_REPO}/snare:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+# Wordpot service
+  wordpot:
+    container_name: wordpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - wordpot_local
+    ports:
+     - "8080:80"
+    image: ${TPOT_REPO}/wordpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/wordpot/log:/opt/wordpot/logs/
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/fatt:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    image: ${TPOT_REPO}/p0f:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - OINKCODE=${OINKCODE:-OPEN} # Default to OPEN if unset or NULL (value provided by T-Pot .env)
+    # Loading external Rules from URL
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/suricata:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools 
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: ${TPOT_REPO}/elasticsearch:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: ${TPOT_REPO}/kibana:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+     - "127.0.0.1:64305:64305"
+    mem_limit: 2g
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+     - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
+     - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    environment:
+      - TPOT_OSTYPE=${TPOT_OSTYPE}
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    networks:
+     - nginx_local
+    ports:
+     - "64297:64297"
+     - "64294:64294"
+    image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: ${TPOT_REPO}/spiderfoot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/spiderfoot:/home/spiderfoot/.spiderfoot

compose/tarpit.yml

@@ -0,0 +1,406 @@
+# T-Pot: TARPIT
+networks:
+  ddospot_local:
+  endlessh_local:
+  go-pot_local:
+  hellpot_local:
+  heralding_local:
+  nginx_local:
+  ewsposter_local:
+
+services:
+
+#########################################
+#### DEV
+#########################################
+#### T-Pot Init - Never delete this!
+#########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+      - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+      - /tmp/etc:uid=2000,gid=2000
+      - /tmp/:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+      - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+      - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+      - ${TPOT_DATA_PATH}:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+
+##################
+#### Honeypots
+##################
+
+# Ddospot service
+  ddospot:
+    container_name: ddospot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ddospot_local
+    ports:
+     - "19:19/udp"
+     - "53:53/udp"
+     - "123:123/udp"
+#     - "161:161/udp"
+     - "1900:1900/udp"
+    image: ${TPOT_REPO}/ddospot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ddospot/log:/opt/ddospot/ddospot/logs
+     - ${TPOT_DATA_PATH}/ddospot/bl:/opt/ddospot/ddospot/bl
+     - ${TPOT_DATA_PATH}/ddospot/db:/opt/ddospot/ddospot/db
+
+# Endlessh service
+  endlessh:
+    container_name: endlessh
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - endlessh_local
+    ports:
+     - "22:2222"
+    image: ${TPOT_REPO}/endlessh:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/endlessh/log:/var/log/endlessh
+
+# Go-pot service
+  go-pot:
+    container_name: go-pot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - go-pot_local
+    ports:
+      - "8080:8080"
+    image: ${TPOT_REPO}/go-pot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/go-pot/log:/opt/go-pot/log/
+
+# Hellpot service
+  hellpot:
+    container_name: hellpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - hellpot_local
+    ports:
+     - "80:8080"
+    image: ${TPOT_REPO}/hellpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/hellpot/log:/var/log/hellpot
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+     - "21:21"
+    # - "22:22"
+     - "23:23"
+     - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+     - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+     - "3306:3306"
+     - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: ${TPOT_REPO}/heralding:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
+
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/fatt:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    image: ${TPOT_REPO}/p0f:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - OINKCODE=${OINKCODE:-OPEN} # Default to OPEN if unset or NULL (value provided by T-Pot .env)
+    # Loading external Rules from URL
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/suricata:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools 
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: ${TPOT_REPO}/elasticsearch:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: ${TPOT_REPO}/kibana:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+     - "127.0.0.1:64305:64305"
+    mem_limit: 2g
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+     - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
+     - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    environment:
+      - TPOT_OSTYPE=${TPOT_OSTYPE}
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    networks:
+     - nginx_local
+    ports:
+     - "64297:64297"
+     - "64294:64294"
+    image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: ${TPOT_REPO}/spiderfoot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/spiderfoot:/home/spiderfoot/.spiderfoot

deploy.sh

@@ -0,0 +1,153 @@
+#!/usr/bin/env bash
+
+myANSIBLE_PORT=64295
+myANSIBLE_TPOT_PLAYBOOK="installer/install/deploy.yml"
+myADJECTIVE=$(shuf -n1 installer/install/a.txt)
+myNOUN=$(shuf -n1 installer/install/n.txt)
+myENV_FILE="$HOME/tpotce/.env"
+
+myDEPLOY=$(cat << "EOF"
+
+ ____   [ T-Pot ]                  ____             _
+/ ___|  ___ _ __  ___  ___  _ __  |  _ \  ___ _ __ | | ___  _   _
+\___ \ / _ \  _ \/ __|/ _ \|  __| | | | |/ _ \  _ \| |/ _ \| | | |
+ ___) |  __/ | | \__ \ (_) | |    | |_| |  __/ |_) | | (_) | |_| |
+|____/ \___|_| |_|___/\___/|_|    |____/ \___| .__/|_|\___/ \__, |
+                                             |_|            |___/
+
+EOF
+)
+
+# Check if the script is running in a HIVE installation
+if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env";
+  then
+    echo "# This script is only supported on HIVE installations."
+    echo
+    exit 1
+fi
+
+# Check if running on a supported distribution
+mySUPPORTED_DISTRIBUTIONS=("AlmaLinux" "Debian GNU/Linux" "Fedora Linux" "openSUSE Tumbleweed" "Raspbian GNU/Linux" "Rocky Linux" "Ubuntu")
+myCURRENT_DISTRIBUTION=$(awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"')
+
+if [[ ! " ${mySUPPORTED_DISTRIBUTIONS[@]} " =~ " ${myCURRENT_DISTRIBUTION} " ]];
+  then
+    echo "# Only the following distributions are supported: AlmaLinux, Fedora, Debian, openSUSE Tumbleweed, Rocky Linux and Ubuntu."
+    echo
+    exit 1
+fi
+
+echo "${myDEPLOY}"
+echo
+echo "# This script will prepare a T-Pot SENSOR installation to transmit logs into this HIVE."
+echo
+
+# Ask if a T-Pot SENSOR was installed
+read -p "# Was a T-Pot SENSOR installed? (y/n): " mySENSOR_INSTALLED
+if [[ ${mySENSOR_INSTALLED} != "y" ]]; 
+    then
+      echo "# A T-Pot SENSOR must be installed to continue."
+      exit 1
+fi
+
+# Ask for the remote user
+read -p "# Enter the remote username T-Pot SENSOR was installed with: " mySSHUSER
+if [[ ${mySSHUSER} == "" ]]; 
+    then
+      echo "# You need to enter a user. Aborting."
+      exit 1
+fi
+
+# Validate IP/domain name loop
+while true; do
+  read -p "# Enter the IP/domain name of the SENSOR: " mySENSOR_IP
+  if [[ ${mySENSOR_IP} =~ ^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3})$ ]];
+    then
+      break
+    else
+      echo "# Invalid IP/domain. Please enter a valid IP or domain name."
+  fi
+done
+
+# Check if ssh key has been deployed
+read -p "# Has a SSH key been deployed to the SENSOR? (y/n): " mySSHKEY_DEPLOYED
+if [[ ${mySSHKEY_DEPLOYED} != "y" ]]; 
+    then
+      echo "# Generate a SSH key using 'ssh-keygen' and deploy it to the SENSOR (Example: ssh-copy-id -p 64295 ${mySSHUSER}@${mySENSOR_IP})."
+      exit 1
+fi
+
+# Validate IP/domain name of HIVE
+while true; do
+  read -p "# Enter the IP/domain name of this HIVE: " myTPOT_HIVE_IP
+  if [[ ${myTPOT_HIVE_IP} =~ ^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3})$ ]]; 
+    then
+      break
+    else
+      echo "# Invalid IP/domain. Please enter a valid IP or domain name."
+  fi
+done
+
+# Create a random SENSOR user name that is easily readable
+myLS_WEB_USER="sensor-${myADJECTIVE}-${myNOUN}"
+
+# Create a random password
+myLS_WEB_PW=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
+
+# Create myLS_WEB_USER_ENC
+myLS_WEB_USER_ENC=$(htpasswd -b -n "${myLS_WEB_USER}" "${myLS_WEB_PW}")
+myLS_WEB_USER_ENC_B64=$(echo -n "${myLS_WEB_USER_ENC}" | base64 -w0)
+
+# Create myTPOT_HIVE_USER, since this is for Logstash on the SENSOR, it needs to directly base64 encoded
+myTPOT_HIVE_USER=$(echo -n "${myLS_WEB_USER}:${myLS_WEB_PW}" | base64 -w0)
+
+# Print credentials
+echo "# The following SENSOR credentials have been created:"
+echo "# New SENSOR username: ${myLS_WEB_USER}"
+echo "# New SENSOR passowrd: ${myLS_WEB_PW}"
+echo "# New htpasswd encoded credentials: ${myLS_WEB_USER_ENC}"
+echo "# New htpasswd credentials base64 encoded: ${myLS_WEB_USER_ENC_B64}"
+echo "# New SENSOR credentials base64 encoded: ${myTPOT_HIVE_USER}"
+echo
+echo "# Ansible will ask for the ‘BECOME password‘ which is typically the password you ’sudo’ with on the SENSOR."
+echo "# The password will allow Ansible to run a reboot via sudo on the SENSOR."
+echo
+
+# Read LS_WEB_USER from file
+myENV_LS_WEB_USER=$(grep "^LS_WEB_USER=" "${myENV_FILE}" | sed 's/^LS_WEB_USER=//g' | tr -d "\"'")
+
+# Add the new SENSOR user
+if [ "${myENV_LS_WEB_USER}" == "" ];
+  then
+    myENV_LS_WEB_USER="${myLS_WEB_USER_ENC_B64}"
+  else
+    myENV_LS_WEB_USER="${myENV_LS_WEB_USER} ${myLS_WEB_USER_ENC_B64}"
+fi
+
+# Need to export for Ansible
+export myTPOT_HIVE_USER
+export myTPOT_HIVE_IP
+
+ANSIBLE_LOG_PATH=${HOME}/tpotce/data/deploy_sensor.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -i ${mySENSOR_IP}, -c ssh -u ${mySSHUSER} --ask-become-pass -e "ansible_port=${myANSIBLE_PORT}"
+
+if [ "$?" == 0 ];
+  then
+	# Update the T-Pot .env config and lswebpasswd (avoid the need to restart T-Pot) on the host
+	echo "# Updating SENSOR users on this HIVE and in the T-Pot .env config:"
+    sed -i "/^LS_WEB_USER=/c\LS_WEB_USER=$myENV_LS_WEB_USER" "${myENV_FILE}"
+	: > "${HOME}"/tpotce/data/nginx/conf/lswebpasswd
+	for i in $myENV_LS_WEB_USER;
+	  do
+	    if [[ -n $i ]]; 
+	      then
+	        # Need to control newlines as they kept coming up for some reason
+	        echo -n "$i" | base64 -d -w0
+	        echo
+	        echo -n "$i" | base64 -d -w0 | tr -d '\n' >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd
+	        echo >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd
+	      fi
+	done
+fi
+
+unset myTPOT_HIVE_USER
+unset myTPOT_HIVE_IP

docker-compose.yml

@@ -0,0 +1,856 @@
+# T-Pot: STANDARD
+networks:
+  adbhoney_local:
+  ciscoasa_local:
+  conpot_local_IEC104:
+  conpot_local_guardian_ast:
+  conpot_local_ipmi:
+  conpot_local_kamstrup_382:
+  cowrie_local:
+  dicompot_local:
+  dionaea_local:
+  elasticpot_local:
+  h0neytr4p_local:
+  heralding_local:
+  honeyaml_local:
+  ipphoney_local:
+  mailoney_local:
+  medpot_local:
+  miniprint_local:
+  redishoneypot_local:
+  sentrypeer_local:
+  tanner_local:
+  wordpot_local:
+  nginx_local:
+  ewsposter_local:
+
+services:
+
+#########################################
+#### DEV
+#########################################
+#### T-Pot Init - Never delete this!
+#########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+      - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+      - /tmp/etc:uid=2000,gid=2000
+      - /tmp/:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+      - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+      - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+      - ${TPOT_DATA_PATH}:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney service
+  adbhoney:
+    container_name: adbhoney
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - adbhoney_local
+    ports:
+     - "5555:5555"
+    image: ${TPOT_REPO}/adbhoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/adbhoney/log:/opt/adbhoney/log
+     - ${TPOT_DATA_PATH}/adbhoney/downloads:/opt/adbhoney/dl
+
+# Ciscoasa service
+  ciscoasa:
+    container_name: ciscoasa
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/ciscoasa:uid=2000,gid=2000
+    networks:
+     - ciscoasa_local
+    ports:
+     - "5000:5000/udp"
+     - "8443:8443"
+    image: ${TPOT_REPO}/ciscoasa:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ciscoasa/log:/var/log/ciscoasa
+
+# Conpot IEC104 service
+  conpot_IEC104:
+    container_name: conpot_iec104
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
+     - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
+     - CONPOT_TEMPLATE=IEC104
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_IEC104
+    ports:
+     - "161:161/udp"
+     - "2404:2404"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot guardian_ast service
+  conpot_guardian_ast:
+    container_name: conpot_guardian_ast
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
+     - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
+     - CONPOT_TEMPLATE=guardian_ast
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_guardian_ast
+    ports:
+     - "10001:10001"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot ipmi
+  conpot_ipmi:
+    container_name: conpot_ipmi
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
+     - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
+     - CONPOT_TEMPLATE=ipmi
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_ipmi
+    ports:
+     - "623:623/udp"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Conpot kamstrup_382
+  conpot_kamstrup_382:
+    container_name: conpot_kamstrup_382
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
+     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
+     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
+     - CONPOT_TEMPLATE=kamstrup_382
+     - CONPOT_TMP=/tmp/conpot
+    tmpfs:
+     - /tmp/conpot:uid=2000,gid=2000
+    networks:
+     - conpot_local_kamstrup_382
+    ports:
+     - "1025:1025"
+     - "50100:50100"
+    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
+
+# Cowrie service
+  cowrie:
+    container_name: cowrie
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+      - /tmp/cowrie:uid=2000,gid=2000
+      - /tmp/cowrie/data:uid=2000,gid=2000
+    networks:
+      - cowrie_local
+    ports:
+      - "22:22"
+      - "23:23"
+    image: ${TPOT_REPO}/cowrie:${TPOT_VERSION} 
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/cowrie/downloads:/home/cowrie/cowrie/dl
+      - ${TPOT_DATA_PATH}/cowrie/keys:/home/cowrie/cowrie/etc
+      - ${TPOT_DATA_PATH}/cowrie/log:/home/cowrie/cowrie/log
+      - ${TPOT_DATA_PATH}/cowrie/log/tty:/home/cowrie/cowrie/log/tty
+
+# Dicompot service
+# Get the Horos Client for testing: https://horosproject.org/
+# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
+# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
+  dicompot:
+    container_name: dicompot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - dicompot_local
+    ports:
+     - "104:11112"
+     - "11112:11112"
+    image: ${TPOT_REPO}/dicompot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dicompot/log:/var/log/dicompot
+#     - ${TPOT_DATA_PATH}/dicompot/images:/opt/dicompot/images
+
+# Dionaea service
+  dionaea:
+    container_name: dionaea
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - dionaea_local
+    ports:
+     - "20:20"
+     - "21:21"
+     - "42:42"
+     - "69:69/udp"
+     - "81:81"
+     - "135:135"
+     # - "443:443"
+     - "445:445"
+     - "1433:1433"
+     - "1723:1723"
+     - "1883:1883"
+     - "3306:3306"
+     # - "5060:5060"
+     # - "5060:5060/udp"
+     # - "5061:5061"
+     - "27017:27017"
+    image: ${TPOT_REPO}/dionaea:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
+     - ${TPOT_DATA_PATH}/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
+     - ${TPOT_DATA_PATH}/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
+     - ${TPOT_DATA_PATH}/dionaea:/opt/dionaea/var/dionaea
+     - ${TPOT_DATA_PATH}/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
+     - ${TPOT_DATA_PATH}/dionaea/log:/opt/dionaea/var/log
+     - ${TPOT_DATA_PATH}/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
+
+# ElasticPot service
+  elasticpot:
+    container_name: elasticpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - elasticpot_local
+    ports:
+     - "9200:9200"
+    image: ${TPOT_REPO}/elasticpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/elasticpot/log:/opt/elasticpot/log
+
+# H0neytr4p service
+  h0neytr4p:
+    container_name: h0neytr4p
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - h0neytr4p_local
+    ports:
+     - "443:443"
+    # - "80:80"
+    image: ${TPOT_REPO}/h0neytr4p:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+      - ${TPOT_DATA_PATH}/h0neytr4p/log/:/opt/h0neytr4p/log/
+      - ${TPOT_DATA_PATH}/h0neytr4p/payloads/:/data/h0neytr4p/payloads/
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: ${TPOT_REPO}/heralding:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
+
+# Honeyaml service
+  honeyaml:
+    container_name: honeyaml
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - honeyaml_local
+    ports:
+      - "3000:8080"
+    image: ${TPOT_REPO}/honeyaml:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeyaml/log:/opt/honeyaml/log/
+
+# Honeytrap service
+  honeytrap:
+    container_name: honeytrap
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/honeytrap:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/honeytrap:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/honeytrap/attacks:/opt/honeytrap/var/attacks
+     - ${TPOT_DATA_PATH}/honeytrap/downloads:/opt/honeytrap/var/downloads
+     - ${TPOT_DATA_PATH}/honeytrap/log:/opt/honeytrap/var/log
+
+# Ipphoney service
+  ipphoney:
+    container_name: ipphoney
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: ${TPOT_REPO}/ipphoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/ipphoney/log:/opt/ipphoney/log
+
+# Mailoney service
+  mailoney:
+    container_name: mailoney
+    stdin_open: true
+    tty: true
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - mailoney_local
+    ports:
+     - "25:25"
+     - "587:25"
+    image: ${TPOT_REPO}/mailoney:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/mailoney/log:/opt/mailoney/logs
+
+# Medpot service
+  medpot:
+    container_name: medpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - medpot_local
+    ports:
+     - "2575:2575"
+    image: ${TPOT_REPO}/medpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/medpot/log/:/var/log/medpot
+
+# Miniprint service
+  miniprint:
+    container_name: miniprint
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - miniprint_local
+    ports:
+      - "9100:9100"
+    image: ${TPOT_REPO}/miniprint:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/miniprint/log/:/opt/miniprint/log/
+     - ${TPOT_DATA_PATH}/miniprint/uploads/:/opt/miniprint/uploads/
+
+# Redishoneypot service
+  redishoneypot:
+    container_name: redishoneypot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - redishoneypot_local
+    ports:
+     - "6379:6379"
+    image: ${TPOT_REPO}/redishoneypot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/redishoneypot/log:/var/log/redishoneypot
+
+# SentryPeer service
+  sentrypeer:
+    container_name: sentrypeer
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+#    environment:
+#     - SENTRYPEER_PEER_TO_PEER=1
+    networks:
+     - sentrypeer_local
+    ports:
+#     - "4222:4222/udp"
+     - "5060:5060/tcp"
+     - "5060:5060/udp"
+#     - "127.0.0.1:8082:8082"
+    image: ${TPOT_REPO}/sentrypeer:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/sentrypeer/log:/var/log/sentrypeer
+
+#### Snare / Tanner
+## Tanner Redis Service
+  tanner_redis:
+    container_name: tanner_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## PHP Sandbox service
+  tanner_phpox:
+    container_name: tanner_phpox
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/phpox:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Tanner API Service
+  tanner_api:
+    container_name: tanner_api
+    restart: always
+    depends_on:
+     - tanner_redis
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+    command: tannerapi
+
+## Tanner Service
+  tanner:
+    container_name: tanner
+    restart: always
+    depends_on:
+     - tanner_api
+     - tanner_phpox
+    tmpfs:
+     - /tmp/tanner:uid=2000,gid=2000
+    tty: true
+    networks:
+     - tanner_local
+    image: ${TPOT_REPO}/tanner:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    command: tanner
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/tanner/log:/var/log/tanner
+     - ${TPOT_DATA_PATH}/tanner/files:/opt/tanner/files
+
+## Snare Service
+  snare:
+    container_name: snare
+    restart: always
+    depends_on:
+     - tanner
+    tty: true
+    networks:
+     - tanner_local
+    ports:
+     - "80:80"
+    image: ${TPOT_REPO}/snare:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+# Wordpot service
+  wordpot:
+    container_name: wordpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - wordpot_local
+    ports:
+     - "8080:80"
+    image: ${TPOT_REPO}/wordpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/wordpot/log:/opt/wordpot/logs/
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/fatt:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    image: ${TPOT_REPO}/p0f:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - OINKCODE=${OINKCODE:-OPEN} # Default to OPEN if unset or NULL (value provided by T-Pot .env)
+    # Loading external Rules from URL
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/suricata:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools 
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: ${TPOT_REPO}/elasticsearch:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: ${TPOT_REPO}/kibana:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+     - "127.0.0.1:64305:64305"
+    mem_limit: 2g
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+     - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
+     - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    environment:
+      - TPOT_OSTYPE=${TPOT_OSTYPE}
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    networks:
+     - nginx_local
+    ports:
+     - "64297:64297"
+     - "64294:64294"
+    image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - nginx_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: ${TPOT_REPO}/spiderfoot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/spiderfoot:/home/spiderfoot/.spiderfoot

docker/_builder/.env

@@ -0,0 +1,23 @@
+# T-Pot builder config file. Do not remove.
+
+##########################
+# T-Pot Builder Settings #
+##########################
+
+# docker compose .env
+TPOT_DOCKER_ENV=./.env
+
+# Docker-Compose file
+TPOT_DOCKER_COMPOSE=./docker-compose.yml
+
+# T-Pot Repos
+TPOT_DOCKER_REPO=dtagdevsec
+TPOT_GHCR_REPO=ghcr.io/telekom-security
+
+# T-Pot Version Tag
+TPOT_VERSION=24.04.1
+
+# T-Pot platforms (architectures)
+# Most docker features are available on linux
+TPOT_AMD64=linux/amd64
+TPOT_ARM64=linux/arm64

docker/_builder/builder.sh

@@ -0,0 +1,202 @@
+#!/usr/bin/env bash
+
+# Got root?
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+  then
+    echo "Need to run as root ..."
+    exit
+fi
+
+# ANSI color codes for green (OK) and red (FAIL)
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+# Default settings
+PUSH_IMAGES=false
+NO_CACHE=false
+PARALLELBUILDS=2
+UPLOAD_BANDWIDTH=40mbit # Set this to max 90% of available upload bandwidth
+INTERFACE=$(ip route | grep "^default" | awk '{ print $5 }')
+
+# Help message
+usage() {
+    echo "Usage: $0 [-p] [-n] [-h]"
+    echo "  -p  Push images after building"
+    echo "  -n  Build images with --no-cache"
+    echo "  -h  Show help message"
+    exit 1
+}
+
+# Parse command-line options
+while getopts ":pnh" opt; do
+    case ${opt} in
+        p )
+            PUSH_IMAGES=true
+            docker login
+            docker login ghcr.io
+            ;;
+        n )
+            NO_CACHE=true
+            ;;
+        h )
+            usage
+            ;;
+        \? )
+            echo "Invalid option: $OPTARG" 1>&2
+            usage
+            ;;
+    esac
+done
+
+# Function to apply upload bandwidth limit using tc
+apply_bandwidth_limit() {
+    echo -n "Applying upload bandwidth limit of $UPLOAD_BANDWIDTH on interface $INTERFACE..."
+    if tc qdisc add dev $INTERFACE root tbf rate $UPLOAD_BANDWIDTH burst 32kbit latency 400ms >/dev/null 2>&1; then
+        echo -e " [${GREEN}OK${NC}]"
+    else
+        echo -e " [${RED}FAIL${NC}]"
+        remove_bandwidth_limit
+
+        # Try to reapply the limit
+        echo -n "Reapplying upload bandwidth limit of $UPLOAD_BANDWIDTH on interface $INTERFACE..."
+        if tc qdisc add dev $INTERFACE root tbf rate $UPLOAD_BANDWIDTH burst 32kbit latency 400ms >/dev/null 2>&1; then
+            echo -e " [${GREEN}OK${NC}]"
+        else
+            echo -e " [${RED}FAIL${NC}]"
+            echo "Failed to apply bandwidth limit on $INTERFACE. Exiting."
+            echo
+            exit 1
+        fi
+    fi
+}
+
+# Function to check if the bandwidth limit is set
+is_bandwidth_limit_set() {
+    tc qdisc show dev $INTERFACE | grep -q 'tbf'
+}
+
+# Function to remove the bandwidth limit using tc if it is set
+remove_bandwidth_limit() {
+    if is_bandwidth_limit_set; then
+        echo -n "Removing upload bandwidth limit on interface $INTERFACE..."
+        if tc qdisc del dev $INTERFACE root; then
+            echo -e " [${GREEN}OK${NC}]"
+        else
+            echo -e " [${RED}FAIL${NC}]"
+        fi
+    fi
+}
+
+echo "###########################"
+echo "# T-Pot Image Builder"
+echo "###########################"
+echo
+
+# Check if 'mybuilder' exists, and ensure it's running with bootstrap
+echo -n "Checking if buildx builder 'mybuilder' exists and is running..."
+if ! docker buildx inspect mybuilder --bootstrap >/dev/null 2>&1; then
+    echo
+    echo -n "  Creating and starting buildx builder 'mybuilder'..."
+    if docker buildx create --name mybuilder --driver docker-container --use >/dev/null 2>&1 && \
+       docker buildx inspect mybuilder --bootstrap >/dev/null 2>&1; then
+        echo -e " [${GREEN}OK${NC}]"
+    else
+        echo -e " [${RED}FAIL${NC}]"
+        exit 1
+    fi
+else
+    echo -e " [${GREEN}OK${NC}]"
+fi
+
+# Ensure arm64 and amd64 platforms are active
+echo -n "Ensuring 'mybuilder' supports linux/arm64 and linux/amd64..."
+
+# Get active platforms from buildx
+active_platforms=$(docker buildx inspect mybuilder --bootstrap | grep -oP '(?<=Platforms: ).*')
+
+if [[ "$active_platforms" == *"linux/arm64"* && "$active_platforms" == *"linux/amd64"* ]]; then
+    echo -e " [${GREEN}OK${NC}]"
+else
+    echo
+    echo -n "  Enabling platforms linux/arm64 and linux/amd64..."
+    if docker buildx create --name mybuilder --driver docker-container --use --platform linux/amd64,linux/arm64 >/dev/null 2>&1 && \
+       docker buildx inspect mybuilder --bootstrap >/dev/null 2>&1; then
+        echo -e " [${GREEN}OK${NC}]"
+    else
+        echo -e " [${RED}FAIL${NC}]"
+        exit 1
+    fi
+fi
+
+# Ensure QEMU is set up for cross-platform builds
+echo -n "Ensuring QEMU is configured for cross-platform builds..."
+if docker run --rm --privileged tonistiigi/binfmt --install all > /dev/null 2>&1; then
+    echo -e " [${GREEN}OK${NC}]"
+else
+    echo -e " [${RED}FAIL${NC}]"
+fi
+
+# Apply bandwidth limit only if pushing images
+if $PUSH_IMAGES; then
+    echo
+    echo "########################################"
+    echo "# Setting Upload Bandwidth limit ..."
+    echo "########################################"
+    echo
+    apply_bandwidth_limit
+fi
+
+# Trap to ensure bandwidth limit is removed on script error, exit
+trap_cleanup() {
+    if is_bandwidth_limit_set; then
+        remove_bandwidth_limit
+    fi
+}
+trap trap_cleanup INT ERR EXIT
+
+echo
+echo "################################"
+echo "# Now building images ..."
+echo "################################"
+echo
+
+mkdir -p log
+
+# List of services to build
+services=$(docker compose config --services | sort)
+
+# Loop through each service to build
+echo $services | tr ' ' '\n' | xargs -I {} -P $PARALLELBUILDS bash -c '
+    echo "Building image: {}" && \
+    build_cmd="docker compose build {}" && \
+    if '$PUSH_IMAGES'; then \
+        build_cmd="$build_cmd --push"; \
+    fi && \
+    if '$NO_CACHE'; then \
+        build_cmd="$build_cmd --no-cache"; \
+    fi && \
+    eval "$build_cmd 2>&1 > log/{}.log" && \
+    echo -e "Image {}: ['$GREEN'OK'$NC']" || \
+    echo -e "Image {}: ['$RED'FAIL'$NC']"
+'
+
+# Remove bandwidth limit if it was applied
+if is_bandwidth_limit_set; then
+    echo
+    echo "########################################"
+    echo "# Removiong Upload Bandwidth limit ..."
+    echo "########################################"
+    echo
+    remove_bandwidth_limit
+fi
+
+echo
+echo "#######################################################"
+echo "# Done."
+if ! "$PUSH_IMAGES"; then
+  echo "# Remeber to push the images using push option."
+fi
+echo "#######################################################"
+echo

docker/_builder/docker-compose.yml

@@ -0,0 +1,421 @@
+# T-Pot Docker Compose Image Builder (use only for building docker images)
+# Settings in .env
+
+##################
+#### Anchors
+##################
+
+# Common build config
+x-common-build: &common-build
+  dockerfile: ./Dockerfile
+  platforms:
+    - ${TPOT_AMD64}
+    - ${TPOT_ARM64}
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Adbhoney
+  adbhoney:
+    image: ${TPOT_DOCKER_REPO}/adbhoney:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/adbhoney:${TPOT_VERSION}
+      context: ../adbhoney/
+      <<: *common-build
+
+# Beelzebub
+  beelzebub:
+    image: ${TPOT_DOCKER_REPO}/beelzebub:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/beelzebub:${TPOT_VERSION}
+      context: ../beelzebub/
+      <<: *common-build
+
+# Ciscoasa
+  ciscoasa:
+    image: ${TPOT_DOCKER_REPO}/ciscoasa:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/ciscoasa:${TPOT_VERSION}
+      context: ../ciscoasa/
+      <<: *common-build
+
+# Citrixhoneypot
+  citrixhoneypot:
+    image: ${TPOT_DOCKER_REPO}/citrixhoneypot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/citrixhoneypot:${TPOT_VERSION}
+      context: ../citrixhoneypot/
+      <<: *common-build
+
+# Conpot
+  conpot:
+    image: ${TPOT_DOCKER_REPO}/conpot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/conpot:${TPOT_VERSION}
+      context: ../conpot/
+      <<: *common-build
+
+# Cowrie
+  cowrie:
+    image: ${TPOT_DOCKER_REPO}/cowrie:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/cowrie:${TPOT_VERSION}
+      context: ../cowrie/
+      <<: *common-build
+
+# Ddospot
+  ddospot:
+    image: ${TPOT_DOCKER_REPO}/ddospot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/ddospot:${TPOT_VERSION}
+      context: ../ddospot/
+      <<: *common-build
+
+# Dicompot
+  dicompot:
+    image: ${TPOT_DOCKER_REPO}/dicompot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/dicompot:${TPOT_VERSION}
+      context: ../dicompot/
+      <<: *common-build
+
+# Dionaea
+  dionaea:
+    image: ${TPOT_DOCKER_REPO}/dionaea:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/dionaea:${TPOT_VERSION}
+      context: ../dionaea/
+      <<: *common-build
+
+# Elasticpot
+  elasticpot:
+    image: ${TPOT_DOCKER_REPO}/elasticpot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/elasticpot:${TPOT_VERSION}
+      context: ../elasticpot/
+      <<: *common-build
+
+# Endlessh
+  endlessh:
+    image: ${TPOT_DOCKER_REPO}/endlessh:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/endlessh:${TPOT_VERSION}
+      context: ../endlessh/
+      <<: *common-build
+
+# Galah
+  galah:
+    image: ${TPOT_DOCKER_REPO}/galah:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/galah:${TPOT_VERSION}
+      context: ../galah/
+      <<: *common-build
+
+# Glutton
+  glutton:
+    image: ${TPOT_DOCKER_REPO}/glutton:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/glutton:${TPOT_VERSION}
+      context: ../glutton/
+      <<: *common-build
+
+# Go-pot
+  go-pot:
+    image: ${TPOT_DOCKER_REPO}/go-pot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/go-pot:${TPOT_VERSION}
+      context: ../go-pot/
+      <<: *common-build
+
+# H0neytr4p
+  h0neytr4p:
+    image: ${TPOT_DOCKER_REPO}/h0neytr4p:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/h0neytr4p:${TPOT_VERSION}
+      context: ../h0neytr4p/
+      <<: *common-build
+
+# Hellpot
+  hellpot:
+    image: ${TPOT_DOCKER_REPO}/hellpot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/hellpot:${TPOT_VERSION}
+      context: ../hellpot/
+      <<: *common-build
+
+# Herlading
+  heralding:
+    image: ${TPOT_DOCKER_REPO}/heralding:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/heralding:${TPOT_VERSION}
+      context: ../heralding/
+      <<: *common-build
+
+# Honeyaml
+  honeyaml:
+    image: ${TPOT_DOCKER_REPO}/honeyaml:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/honeyaml:${TPOT_VERSION}
+      context: ../honeyaml/
+      <<: *common-build
+
+# Honeypots
+  honeypots:
+    image: ${TPOT_DOCKER_REPO}/honeypots:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/honeypots:${TPOT_VERSION}
+      context: ../honeypots/
+      <<: *common-build
+
+# Honeytrap
+  honeytrap:
+    image: ${TPOT_DOCKER_REPO}/honeytrap:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/honeytrap:${TPOT_VERSION}
+      context: ../honeytrap/
+      <<: *common-build
+
+# Ipphoney
+  ipphoney:
+    image: ${TPOT_DOCKER_REPO}/ipphoney:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/ipphoney:${TPOT_VERSION}
+      context: ../ipphoney/
+      <<: *common-build
+
+# Log4pot
+  log4pot:
+    image: ${TPOT_DOCKER_REPO}/log4pot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/log4pot:${TPOT_VERSION}
+      context: ../log4pot/
+      <<: *common-build
+
+# Mailoney
+  mailoney:
+    image: ${TPOT_DOCKER_REPO}/mailoney:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/mailoney:${TPOT_VERSION}
+      context: ../mailoney/
+      <<: *common-build
+
+# Medpot
+  medpot:
+    image: ${TPOT_DOCKER_REPO}/medpot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/medpot:${TPOT_VERSION}
+      context: ../medpot/
+      <<: *common-build
+
+# Miniprint
+  miniprint:
+    image: ${TPOT_DOCKER_REPO}/miniprint:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/miniprint:${TPOT_VERSION}
+      context: ../miniprint/
+      <<: *common-build
+
+# Redishoneypot
+  redishoneypot:
+    image: ${TPOT_DOCKER_REPO}/redishoneypot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/redishoneypot:${TPOT_VERSION}
+      context: ../redishoneypot/
+      <<: *common-build
+
+# Sentrypeer
+  sentrypeer:
+    image: ${TPOT_DOCKER_REPO}/sentrypeer:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/sentrypeer:${TPOT_VERSION}
+      context: ../sentrypeer/
+      <<: *common-build
+
+#### Snare / Tanner
+## Tanner Redis
+  redis:
+    image: ${TPOT_DOCKER_REPO}/redis:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/redis:${TPOT_VERSION}
+      context: ../tanner/redis/
+      <<: *common-build
+
+## PHP Sandbox
+  phpox:
+    image: ${TPOT_DOCKER_REPO}/phpox:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/phpox:${TPOT_VERSION}
+      context: ../tanner/phpox/
+      <<: *common-build
+
+## Tanner
+  tanner:
+    image: ${TPOT_DOCKER_REPO}/tanner:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/tanner:${TPOT_VERSION}
+      context: ../tanner/tanner/
+      <<: *common-build
+
+## Snare
+  snare:
+    image: ${TPOT_DOCKER_REPO}/snare:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/snare:${TPOT_VERSION}
+      context: ../tanner/snare/
+      <<: *common-build
+####
+
+# Wordpot
+  wordpot:
+    image: ${TPOT_DOCKER_REPO}/wordpot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/wordpot:${TPOT_VERSION}
+      context: ../wordpot/
+      <<: *common-build
+
+
+##################
+#### NSM
+##################
+
+# Fatt
+  fatt:
+    image: ${TPOT_DOCKER_REPO}/fatt:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/fatt:${TPOT_VERSION}
+      context: ../fatt/
+      <<: *common-build
+
+# P0f
+  p0f:
+    image: ${TPOT_DOCKER_REPO}/p0f:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/p0f:${TPOT_VERSION}
+      context: ../p0f/
+      <<: *common-build
+
+# Suricata
+  suricata:
+    image: ${TPOT_DOCKER_REPO}/suricata:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/suricata:${TPOT_VERSION}
+      context: ../suricata/
+      <<: *common-build
+
+
+##################
+#### Tools
+##################
+
+# T-Pot Init
+  tpotinit:
+    image: ${TPOT_DOCKER_REPO}/tpotinit:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/tpotinit:${TPOT_VERSION}
+      context: ../tpotinit/
+      <<: *common-build
+
+#### ELK
+## Elasticsearch
+  elasticsearch:
+    image: ${TPOT_DOCKER_REPO}/elasticsearch:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/elasticsearch:${TPOT_VERSION}
+      context: ../elk/elasticsearch/
+      <<: *common-build
+
+## Kibana
+  kibana:
+    image: ${TPOT_DOCKER_REPO}/kibana:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/kibana:${TPOT_VERSION}
+      context: ../elk/kibana/
+      <<: *common-build
+
+## Logstash
+  logstash:
+    image: ${TPOT_DOCKER_REPO}/logstash:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/logstash:${TPOT_VERSION}
+      context: ../elk/logstash/
+      <<: *common-build
+
+## Map Web
+  map:
+    image: ${TPOT_DOCKER_REPO}/map:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/map:${TPOT_VERSION}
+      context: ../elk/map/
+      <<: *common-build
+####
+
+# Ewsposter
+  ewsposter:
+    image: ${TPOT_DOCKER_REPO}/ewsposter:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/ewsposter:${TPOT_VERSION}
+      context: ../ewsposter/
+      <<: *common-build
+
+# Nginx
+  nginx:
+    image: ${TPOT_DOCKER_REPO}/nginx:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/nginx:${TPOT_VERSION}
+      context: ../nginx/
+      <<: *common-build
+
+# Spiderfoot
+  spiderfoot:
+    image: ${TPOT_DOCKER_REPO}/spiderfoot:${TPOT_VERSION}
+    build:
+      tags:
+        - ${TPOT_GHCR_REPO}/spiderfoot:${TPOT_VERSION}
+      context: ../spiderfoot/
+      <<: *common-build
+

docker/_builder/setup_builder.sh

@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+
+# ANSI color codes for green (OK) and red (FAIL)
+BLUE='\033[0;34m'
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+# Check if the user is in the docker group
+if ! groups $(whoami) | grep &>/dev/null '\bdocker\b'; then
+    echo -e "${RED}You need to be in the docker group to run this script without root privileges.${NC}"
+    echo "Please run the following command to add yourself to the docker group:"
+    echo "  sudo usermod -aG docker $(whoami)"
+    echo "Then log out and log back in or run the script with sudo."
+    exit 1
+fi
+
+# Command-line switch check
+if [ "$1" != "-y" ]; then
+    echo "### Setting up Docker for Multi-Arch Builds."
+    echo "### Requires Docker packages from https://get.docker.com/"
+    echo "### Run with -y if you meet the requirements!"
+    exit 0
+fi
+
+# Check if the mybuilder exists and is running
+echo -n "Checking if buildx builder 'mybuilder' exists and is running..."
+if ! docker buildx inspect mybuilder --bootstrap >/dev/null 2>&1; then
+    echo
+    echo -n "  Creating and starting buildx builder 'mybuilder'..."
+    if docker buildx create --name mybuilder --driver docker-container --use >/dev/null 2>&1 && \
+       docker buildx inspect mybuilder --bootstrap >/dev/null 2>&1; then
+        echo -e " [${GREEN}OK${NC}]"
+    else
+        echo -e " [${RED}FAIL${NC}]"
+        exit 1
+    fi
+else
+    echo -e " [${GREEN}OK${NC}]"
+fi
+
+# Ensure QEMU is set up for cross-platform builds
+echo -n "Ensuring QEMU is configured for cross-platform builds..."
+if docker run --rm --privileged tonistiigi/binfmt --install all >/dev/null 2>&1; then
+    echo -e " [${GREEN}OK${NC}]"
+else
+    echo -e " [${RED}FAIL${NC}]"
+    exit 1
+fi
+
+# Ensure arm64 and amd64 platforms are active
+echo -n "Ensuring 'mybuilder' supports linux/arm64 and linux/amd64..."
+active_platforms=$(docker buildx inspect mybuilder --bootstrap | grep -oP '(?<=Platforms: ).*')
+
+if [[ "$active_platforms" == *"linux/arm64"* && "$active_platforms" == *"linux/amd64"* ]]; then
+    echo -e " [${GREEN}OK${NC}]"
+else
+    echo
+    echo -n "  Enabling platforms linux/arm64 and linux/amd64..."
+    if docker buildx create --name mybuilder --driver docker-container --use --platform linux/amd64,linux/arm64 >/dev/null 2>&1 && \
+       docker buildx inspect mybuilder --bootstrap >/dev/null 2>&1; then
+        echo -e " [${GREEN}OK${NC}]"
+    else
+        echo -e " [${RED}FAIL${NC}]"
+        exit 1
+    fi
+fi
+
+echo
+echo -e "${BLUE}### Done.${NC}"
+echo
+echo -e "${BLUE}Examples:${NC}"
+echo -e "  ${BLUE}Manual multi-arch build:${NC}"
+echo "    docker buildx build --platform linux/amd64,linux/arm64 -t username/demo:latest --push ."
+echo
+echo -e "  ${BLUE}Documentation:${NC} https://docs.docker.com/desktop/multi-arch/"
+echo
+echo -e "  ${BLUE}Build release with Docker Compose:${NC}"
+echo "    docker compose build"
+echo
+echo -e "  ${BLUE}Build and push release with Docker Compose:${NC}"
+echo "    docker compose build --push"
+echo
+echo -e "  ${BLUE}Build a single image with Docker Compose:${NC}"
+echo "    docker compose build tpotinit"
+echo
+echo -e "  ${BLUE}Build and push a single image with Docker Compose:${NC}"
+echo "    docker compose build tpotinit --push"
+echo
+echo -e "${BLUE}Resolve buildx issues:${NC}"
+echo "    docker buildx create --use --name mybuilder"
+echo "    docker buildx inspect mybuilder --bootstrap"
+echo "    docker login -u <username>"
+echo "    docker login ghcr.io -u <username>"
+echo
+echo -e "${BLUE}Fix segmentation faults when building arm64 images:${NC}"
+echo "    docker buildx rm mybuilder && docker run --rm --privileged tonistiigi/binfmt --install all"
+echo

docker/adbhoney/Dockerfile

@@ -1,36 +1,35 @@
-FROM alpine:3.15
+FROM alpine:3.20 AS builder
 #
 # Include dist
 COPY dist/ /root/dist/
 #
 # Install packages
-RUN apk --no-cache -U add \
-            git \
-	    procps \
-            python3 && \
+RUN	apk --no-cache -U upgrade && \
+	apk --no-cache -U add \
+		build-base \
+		git \
+		procps \
+		py3-psutil \
+		py3-requests \
+		py3-pip \
+		python3 && \
+		pip3 install --break-system-packages pyinstaller && \
 #
 # Install adbhoney from git
-    git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
+    git clone https://github.com/t3chn0m4g3/ADBHoney /opt/adbhoney && \
     cd /opt/adbhoney && \
-#    git checkout ad7c17e78d01f6860d58ba826a4b6a4e4f83acbd && \
-    git checkout 2417a7a982f4fd527b3a048048df9a23178767ad && \
+	git checkout 42a73cd8a82ddd4d137de70ac37b1a8b2e3e0119 && \
     cp /root/dist/adbhoney.cfg /opt/adbhoney && \
     sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
     sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
+    pyinstaller adbhoney.spec
 #
-# Setup user, groups and configs
-    addgroup -g 2000 adbhoney && \
-    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
-    chown -R adbhoney:adbhoney /opt/adbhoney && \
-#
-# Clean up
-    apk del --purge git && \
-    rm -rf /root/* /opt/adbhoney/.git /var/cache/apk/*
+FROM alpine:3.20
+RUN apk --no-cache -U upgrade
+COPY --from=builder /opt/adbhoney/dist/adbhoney/ /opt/adbhoney/
 #
 # Set workdir and start adbhoney
 STOPSIGNAL SIGINT
-# Adbhoney sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
-HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
-USER adbhoney:adbhoney
+USER 2000:2000
 WORKDIR /opt/adbhoney/
-CMD /usr/bin/python3 run.py
+CMD ["./adbhoney"]

docker/adbhoney/dist/adbhoney.cfg

@@ -3,6 +3,8 @@ hostname = honeypot01
 
 address = 0.0.0.0
 port = 5555
+http_download = true
+http_timeout = 45
 
 download_dir = dl/
 log_dir = log/

docker/adbhoney/dist/cpu_check.py

@@ -0,0 +1,42 @@
+import psutil
+import sys
+import time
+
+if len(sys.argv) != 3:
+    print("Usage: cpu_check.py <PID> <CPU_USAGE_THRESHOLD>")
+    sys.exit(1)
+
+try:
+    pid = int(sys.argv[1])
+except ValueError:
+    print("Please provide a valid integer value for the PID.")
+    sys.exit(1)
+
+try:
+    cpu_threshold = float(sys.argv[2])
+except ValueError:
+    print("Please provide a valid number for the CPU usage threshold.")
+    sys.exit(1)
+
+try:
+    target_process = psutil.Process(pid)
+except psutil.NoSuchProcess:
+    print(f"No process with the PID {pid} was found.")
+    sys.exit(1)
+
+# Prepare to calculate the average CPU usage over 3 intervals of 1 second each
+cpu_usages = []
+for _ in range(3):
+    cpu_usages.append(target_process.cpu_percent(interval=1))
+
+# Calculate the average CPU usage
+average_cpu_usage = sum(cpu_usages) / len(cpu_usages)
+print(f"Average CPU Usage of PID {pid} over 3 seconds: {average_cpu_usage}%")
+
+# Check average CPU usage against the threshold
+if average_cpu_usage >= cpu_threshold:
+    print(f"Average CPU usage of PID {pid} is above or equal to the threshold of {cpu_threshold}%.")
+    sys.exit(1)
+else:
+    print(f"Average CPU usage of PID {pid} is below the threshold of {cpu_threshold}%. Exiting with code 0.")
+    sys.exit(0)

docker/adbhoney/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '2.3'
-
 networks:
   adbhoney_local:
 
@@ -16,8 +14,8 @@ services:
      - adbhoney_local
     ports:
      - "5555:5555"
-    image: "dtagdevsec/adbhoney:2204"
+    image: "dtagdevsec/adbhoney:24.04"
     read_only: true
     volumes:
-     - /data/adbhoney/log:/opt/adbhoney/log
-     - /data/adbhoney/downloads:/opt/adbhoney/dl
+     - $HOME/tpotce/data/adbhoney/log:/opt/adbhoney/log
+     - $HOME/tpotce/data/adbhoney/downloads:/opt/adbhoney/dl

docker/beelzebub/Dockerfile

@@ -0,0 +1,31 @@
+FROM golang:1.23-alpine AS builder
+#
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 \
+    GOOS=linux
+#
+# Install packages
+RUN apk -U add git
+#
+WORKDIR /root
+#
+# Build beelzebub
+RUN git clone https://github.com/t3chn0m4g3/beelzebub && \
+    cd beelzebub && \
+    git checkout 0b9aba53ec1671f669d22782758142a1d411b858
+WORKDIR /root/beelzebub
+RUN go mod download
+RUN go build -o main .
+RUN sed -i "s#logsPath: ./log#logsPath: ./configurations/log/beelzebub.json#g" /root/beelzebub/configurations/beelzebub.yaml
+RUN sed -i 's/passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"/passwordRegex: ".*"/g' /root/beelzebub/configurations/services/ssh-22.yaml
+#
+FROM scratch
+#
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /root/beelzebub/main /opt/beelzebub/
+COPY --from=builder /root/beelzebub/configurations /opt/beelzebub/configurations
+#
+# Start beelzebub
+WORKDIR /opt/beelzebub
+USER 2000:2000
+ENTRYPOINT ["./main"]

docker/beelzebub/docker-compose.yml

@@ -0,0 +1,29 @@
+networks:
+  beelzebub_local:
+
+services:
+
+# Beelzebub service
+  beelzebub:
+    build: .
+    container_name: beelzebub
+    restart: always
+#    cpu_count: 1
+#    cpus: 0.25
+    networks:
+     - beelzebub_local
+    ports:
+      - "22:22"
+      - "80:80"
+      - "2222:2222"
+      - "3306:3306"
+      - "8080:8080"
+    environment:
+      LLM_MODEL: "ollama"
+      LLM_HOST: "http://ollama.local:11434/api/chat"
+      OLLAMA_MODEL: "openchat"
+    image: "ghcr.io/telekom-security/beelzebub:24.04.1"
+    read_only: true
+    volumes:
+     - $HOME/tpotce/data/beelzebub/key:/opt/beelzebub/configurations/key
+     - $HOME/tpotce/data/beelzebub/log:/opt/beelzebub/configurations/log

docker/builder.sh

@@ -1,79 +0,0 @@
-#!/bin/bash
-
-# Setup Vars
-myPLATFORMS="linux/amd64,linux/arm64"
-myHUBORG="dtagdevsec"
-myTAG="2204"
-myIMAGESBASE="adbhoney ciscoasa citrixhoneypot conpot cowrie ddospot dicompot dionaea elasticpot endlessh ewsposter fatt glutton hellpot heralding honeypots honeytrap ipphoney log4pot mailoney medpot nginx p0f redishoneypot sentrypeer spiderfoot suricata wordpot"
-myIMAGESELK="elasticsearch kibana logstash map"
-myIMAGESTANNER="phpox redis snare tanner"
-myBUILDERLOG="builder.log"
-myBUILDERERR="builder.err"
-myBUILDCACHE="/buildcache"
-
-# Got root?
-myWHOAMI=$(whoami)
-if [ "$myWHOAMI" != "root" ]
-  then
-    echo "Need to run as root ..."
-    exit
-fi
-
-# Check for Buildx
-docker buildx > /dev/null 2>&1 
-if [ "$?" == "1" ];
-  then
-    echo "### Build environment not setup. Run bin/setup_builder.sh"
-fi
-
-# Only run with command switch
-if [ "$1" == "" ]; then
-  echo "### T-Pot Multi Arch Image Builder."
-  echo "## Usage: builder.sh [build, push]"
-  echo "## build - Just build images, do not push."
-  echo "## push - Build and push images."
-  echo "## Pushing requires an active docker login."
-  exit
-fi
-
-fuBUILDIMAGES () {
-local myPATH="$1"
-local myIMAGELIST="$2"
-local myPUSHOPTION="$3"
-
-for myREPONAME in $myIMAGELIST;
-  do
-    echo -n "Now building: $myREPONAME in $myPATH$myREPONAME/."
-    docker buildx build --cache-from "type=local,src=$myBUILDCACHE" --cache-to "type=local,dest=$myBUILDCACHE" --platform $myPLATFORMS -t $myHUBORG/$myREPONAME:$myTAG $myPUSHOPTION $myPATH$myREPONAME/. >> $myBUILDERLOG 2>&1
-    if [ "$?" != "0" ];
-      then
-	echo " [ ERROR ] - Check logs!"
-	echo "Error building $myREPONAME" >> "$myBUILDERERR"
-      else
-	echo " [ OK ]"
-    fi
-done
-}
-
-# Just build images
-if [ "$1" == "build" ];
-  then
-    mkdir -p $myBUILDCACHE
-    rm -f "$myBUILDERLOG" "$myBUILDERERR" 
-    echo "### Building images ..."
-    fuBUILDIMAGES "" "$myIMAGESBASE" ""
-    fuBUILDIMAGES "elk/" "$myIMAGESELK" ""
-    fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" ""
-fi
-
-# Build and push images
-if [ "$1" == "push" ];
-  then
-    mkdir -p $myBUILDCACHE
-    rm -f "$myBUILDERLOG" "$myBUILDERERR" 
-    echo "### Building and pushing images ..."
-    fuBUILDIMAGES "" "$myIMAGESBASE" "--push"
-    fuBUILDIMAGES "elk/" "$myIMAGESELK" "--push"
-    fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" "--push"
-fi
-

docker/ciscoasa/Dockerfile

@@ -1,48 +1,36 @@
-FROM alpine:3.15
+FROM alpine:3.20 AS builder
 #
-# Include dist
-COPY dist/ /root/dist/
-#
-# Setup env and apt
+# Install packages
 RUN apk --no-cache -U upgrade && \
-    apk --no-cache add build-base \
-            git \
-            libffi \
-            libffi-dev \
-            openssl \
-            openssl-dev \
-	    py3-cryptography \
-	    py3-pip \
-            python3 \
-            python3-dev && \
-#
-# Setup user
-    addgroup -g 2000 ciscoasa && \
-    adduser -S -s /bin/bash -u 2000 -D -g 2000 ciscoasa && \
+	apk --no-cache -U add \
+		build-base \
+		git \
+		libffi \
+		libffi-dev \
+		openssl \
+		openssl-dev \
+		py3-pip \
+		python3 \
+		python3-dev && \
 #
 # Get and install packages
-    mkdir -p /opt/ && \
+	mkdir -p /opt/ && \
     cd /opt/ && \
-    git clone https://github.com/cymmetria/ciscoasa_honeypot && \
+    git clone https://github.com/t3chn0m4g3/ciscoasa_honeypot && \
     cd ciscoasa_honeypot && \
-    git checkout d6e91f1aab7fe6fc01fabf2046e76b68dd6dc9e2 && \
+	git checkout 4bd2795cfa14320a87c00b7159fa3b7d6a8ba254 && \
     sed -i "s/git+git/git+https/g" requirements.txt && \
-    pip3 install --no-cache-dir -r requirements.txt && \
-    cp /root/dist/asa_server.py /opt/ciscoasa_honeypot && \
-    chown -R ciscoasa:ciscoasa /opt/ciscoasa_honeypot && \
+    pip3 install --break-system-packages pyinstaller && \
+    pip3 install --break-system-packages --no-cache-dir -r requirements.txt
+WORKDIR /opt/ciscoasa_honeypot
+RUN pyinstaller asa_server.py --add-data "./asa:./asa"
 #
-# Clean up
-    apk del --purge build-base \
-                    git \
-                    libffi-dev \
-                    openssl-dev \
-                    python3-dev && \
-    rm -rf /root/* && \
-    rm -rf /opt/ciscoasa_honeypot/.git && \
-    rm -rf /var/cache/apk/*
+FROM alpine:3.20
+RUN apk --no-cache -U upgrade
+COPY --from=builder /opt/ciscoasa_honeypot/dist/ /opt/
 #
 # Start ciscoasa
 STOPSIGNAL SIGINT
-WORKDIR /tmp/ciscoasa/
-USER ciscoasa:ciscoasa
-CMD cp -R /opt/ciscoasa_honeypot/* /tmp/ciscoasa && exec python3 asa_server.py --ike-port 5000 --enable_ssl --port 8443 --verbose >> /var/log/ciscoasa/ciscoasa.log 2>&1
+WORKDIR /opt/asa_server/
+USER 2000:2000
+CMD ./asa_server --ike-port 5000 --enable_ssl --port 8443 --verbose >> /var/log/ciscoasa/ciscoasa.log 2>&1

docker/ciscoasa/dist/asa_server.py

@@ -1,307 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-import os
-import time
-import socket
-import logging
-logging.basicConfig(format='%(message)s')
-import threading
-from io import BytesIO
-from xml.etree import ElementTree
-from http.server import HTTPServer
-from socketserver import ThreadingMixIn
-from http.server import SimpleHTTPRequestHandler
-import ike_server
-import datetime
-
-
-class NonBlockingHTTPServer(ThreadingMixIn, HTTPServer):
-    pass
-
-class hpflogger:
-    def __init__(self, hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid, verbose):
-        self.hpfserver=hpfserver
-        self.hpfport=hpfport
-        self.hpfident=hpfident
-        self.hpfsecret=hpfsecret
-        self.hpfchannel=hpfchannel
-        self.serverid=serverid
-        self.hpc=None
-        self.verbose=verbose
-        if (self.hpfserver and self.hpfport and self.hpfident and self.hpfport and self.hpfchannel and self.serverid):
-            import hpfeeds
-            try:
-                self.hpc = hpfeeds.new(self.hpfserver, self.hpfport, self.hpfident, self.hpfsecret)
-                logger.debug("Logging to hpfeeds using server: {0}, channel {1}.".format(self.hpfserver, self.hpfchannel))
-            except (hpfeeds.FeedException, socket.error, hpfeeds.Disconnect):
-                logger.critical("hpfeeds connection not successful")
-
-    def log(self, level, message):
-        if self.hpc:
-            if level in ['debug', 'info'] and not self.verbose:
-                return
-            self.hpc.publish(self.hpfchannel, "["+self.serverid+"] ["+level+"] ["+datetime.datetime.now().isoformat() +"] "  + str(message))
-
-
-def header_split(h):
-    return [list(map(str.strip, l.split(': ', 1))) for l in h.strip().splitlines()]
-
-
-class WebLogicHandler(SimpleHTTPRequestHandler):
-    logger = None
-    hpfl = None
-
-    protocol_version = "HTTP/1.1"
-
-    EXPLOIT_STRING = b"host-scan-reply"
-    RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
-<config-auth client="vpn" type="complete">
-<version who="sg">9.0(1)</version>
-<error id="98" param1="" param2="">VPN Server could not parse request.</error>
-</config-auth>"""
-
-    basepath = os.path.dirname(os.path.abspath(__file__))
-
-    alert_function = None
-
-    def setup(self):
-        SimpleHTTPRequestHandler.setup(self)
-        self.request.settimeout(3)
-
-    def send_header(self, keyword, value):
-        if keyword.lower() == 'server':
-            return
-        SimpleHTTPRequestHandler.send_header(self, keyword, value)
-
-    def send_head(self):
-        # send_head will return a file object that do_HEAD/GET will use
-        # do_GET/HEAD are already implemented by SimpleHTTPRequestHandler
-        filename = os.path.basename(self.path.rstrip('/').split('?', 1)[0])
-
-        if self.path == '/':
-            self.send_response(200)
-            for k, v in header_split("""
-                Content-Type: text/html
-                Cache-Control: no-cache
-                Pragma: no-cache
-                Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-                Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-                Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-                Set-Cookie: webvpn_portal=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-                Set-Cookie: webvpnSharePoint=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-                Set-Cookie: webvpnlogin=1; path=/; secure
-                Set-Cookie: sdesktop=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-            """):
-                self.send_header(k, v)
-            self.end_headers()
-            return BytesIO(b'<html><script>document.location.replace("/+CSCOE+/logon.html")</script></html>\n')
-        elif filename == 'asa':  # don't allow dir listing
-            return self.send_file('wrong_url.html', 403)
-        else:
-            return self.send_file(filename)
-
-    def redirect(self, loc):
-        self.send_response(302)
-        for k, v in header_split("""
-            Content-Type: text/html
-            Content-Length: 0
-            Cache-Control: no-cache
-            Pragma: no-cache
-            Location: %s
-            Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-        """ % (loc,)):
-            self.send_header(k, v)
-        self.end_headers()
-
-    def do_GET(self):
-        if self.path == '/+CSCOE+/logon.html':
-            self.redirect('/+CSCOE+/logon.html?fcadbadd=1')
-            return
-        elif self.path.startswith('/+CSCOE+/logon.html?') and 'reason=1' in self.path:
-            self.wfile.write(self.send_file('logon_failure').getvalue())
-            return
-        SimpleHTTPRequestHandler.do_GET(self)
-
-    def do_POST(self):
-        data_len = int(self.headers.get('Content-length', 0))
-        data = self.rfile.read(data_len) if data_len else b''
-        body = self.RESPONSE
-        if self.EXPLOIT_STRING in data:
-            xml = ElementTree.fromstring(data)
-            payloads = []
-            for x in xml.iter('host-scan-reply'):
-                payloads.append(x.text)
-
-            self.alert_function(self.client_address[0], self.client_address[1], payloads)
-
-        elif self.path == '/':
-            self.redirect('/+webvpn+/index.html')
-            return
-        elif self.path == '/+CSCOE+/logon.html':
-            self.redirect('/+CSCOE+/logon.html?fcadbadd=1')
-            return
-        elif self.path.split('?', 1)[0] == '/+webvpn+/index.html':
-            with open(os.path.join(self.basepath, 'asa', "logon_redir.html"), 'rb') as fh:
-                body = fh.read()
-
-        self.send_response(200)
-        self.send_header('Content-Length', int(len(body)))
-        self.send_header('Content-Type', 'text/html; charset=UTF-8')
-        self.end_headers()
-        self.wfile.write(body)
-        return
-
-    def send_file(self, filename, status_code=200, headers=[]):
-        try:
-            with open(os.path.join(self.basepath, 'asa', filename), 'rb') as fh:
-                body = fh.read()
-                self.send_response(status_code)
-                for k, v in headers:
-                    self.send_header(k, v)
-                if status_code == 200:
-                    for k, v in header_split("""
-                        Cache-Control: max-age=0
-                        Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-                        Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
-                        Set-Cookie: webvpnlogin=1; secure
-                        X-Transcend-Version: 1
-                    """):
-                        self.send_header(k, v)
-                self.send_header('Content-Length', int(len(body)))
-                self.send_header('Content-Type', 'text/html')
-                self.end_headers()
-                return BytesIO(body)
-        except IOError:
-            return self.send_file('wrong_url.html', 404)
-
-    def log_message(self, format, *args):
-        self.logger.debug("{'timestamp': '%s', 'src_ip': '%s', 'payload_printable': '%s'}" %
-                          (datetime.datetime.now().isoformat(),
-                           self.client_address[0],
-                           format % args))
-        self.hpfl.log('debug', "%s - - [%s] %s" %
-                          (self.client_address[0],
-                           self.log_date_time_string(),
-                           format % args))
-
-    def handle_one_request(self):
-        """Handle a single HTTP request.
-        Overriden to not send 501 errors
-        """
-        self.close_connection = True
-        try:
-            self.raw_requestline = self.rfile.readline(65537)
-            if len(self.raw_requestline) > 65536:
-                self.requestline = ''
-                self.request_version = ''
-                self.command = ''
-                self.close_connection = 1
-                return
-            if not self.raw_requestline:
-                self.close_connection = 1
-                return
-            if not self.parse_request():
-                # An error code has been sent, just exit
-                return
-            mname = 'do_' + self.command
-            if not hasattr(self, mname):
-                self.log_request()
-                self.close_connection = True
-                return
-            method = getattr(self, mname)
-            method()
-            self.wfile.flush()  # actually send the response if not already done.
-        except socket.timeout as e:
-            # a read or a write timed out.  Discard this connection
-            self.log_error("Request timed out: %r", e)
-            self.close_connection = 1
-            return
-
-
-if __name__ == '__main__':
-    import click
-
-    logging.basicConfig(level=logging.INFO)
-    logger = logging.getLogger()
-    logger.info('info')
-
-    @click.command()
-    @click.option('-h', '--host', default='0.0.0.0', help='Host to listen')
-    @click.option('-p', '--port', default=8443, help='Port to listen', type=click.INT)
-    @click.option('-i', '--ike-port', default=5000, help='Port to listen for IKE', type=click.INT)
-    @click.option('-s', '--enable_ssl', default=False, help='Enable SSL', is_flag=True)
-    @click.option('-c', '--cert', default=None, help='Certificate File Path (will generate self signed '
-                                                     'cert if not supplied)')
-    @click.option('-v', '--verbose', default=False, help='Verbose logging', is_flag=True)
-
-    # hpfeeds options
-    @click.option('--hpfserver', default=os.environ.get('HPFEEDS_SERVER'), help='HPFeeds Server')
-    @click.option('--hpfport', default=os.environ.get('HPFEEDS_PORT'), help='HPFeeds Port', type=click.INT)
-    @click.option('--hpfident', default=os.environ.get('HPFEEDS_IDENT'), help='HPFeeds Ident')
-    @click.option('--hpfsecret', default=os.environ.get('HPFEEDS_SECRET'), help='HPFeeds Secret')
-    @click.option('--hpfchannel', default=os.environ.get('HPFEEDS_CHANNEL'), help='HPFeeds Channel')
-    @click.option('--serverid', default=os.environ.get('SERVERID'), help='Verbose logging')
-
-
-    def start(host, port, ike_port, enable_ssl, cert, verbose, hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid):
-        """
-           A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101,
-           a DoS and remote code execution vulnerability
-        """
-
-        hpfl=hpflogger(hpfserver, hpfport, hpfident, hpfsecret, hpfchannel, serverid, verbose)
-
-        def alert(cls, host, port, payloads):
-            logger.critical({
-                 'timestamp': datetime.datetime.utcnow().isoformat(),
-                 'src_ip': host,
-                 'src_port': port,
-                 'payload_printable': payloads,
-            })
-            #log to hpfeeds
-            hpfl.log("critical", {
-                 'src': host,
-                 'spt': port,
-                 'data': payloads,
-             })
-
-        if verbose:
-            logger.setLevel(logging.DEBUG)
-
-        requestHandler = WebLogicHandler
-        requestHandler.alert_function = alert
-        requestHandler.logger = logger
-        requestHandler.hpfl = hpfl
-
-        def log_date_time_string():
-            """Return the current time formatted for logging."""
-            now = datetime.datetime.now().isoformat()
-            return now
-
-        def ike():
-            ike_server.start(host, ike_port, alert, logger, hpfl)
-        t = threading.Thread(target=ike)
-        t.daemon = True
-        t.start()
-
-        httpd = HTTPServer((host, port), requestHandler)
-        if enable_ssl:
-            import ssl
-            if not cert:
-                import gencert
-                cert = gencert.gencert()
-            httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cert, server_side=True)
-
-        logger.info('Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port))
-        hpfl.log('info', 'Starting server on port {:d}/tcp, use <Ctrl-C> to stop'.format(port))
-
-        try:
-            httpd.serve_forever()
-        except KeyboardInterrupt:
-            pass
-        logger.info('Stopping server.')
-        hpfl.log('info', 'Stopping server.')
-
-        httpd.server_close()
-
-    start()

docker/ciscoasa/docker-compose.yml

@@ -1,4 +1,5 @@
-version: '2.3'
+networks:
+  ciscoasa_local:
 
 services:
 
@@ -16,7 +17,7 @@ services:
     ports:
      - "5000:5000/udp"
      - "8443:8443"
-    image: "dtagdevsec/ciscoasa:2204"
+    image: "dtagdevsec/ciscoasa:24.04"
     read_only: true
     volumes:
-     - /data/ciscoasa/log:/var/log/ciscoasa
+     - $HOME/tpotce/data/ciscoasa/log:/var/log/ciscoasa

docker/citrixhoneypot/Dockerfile

@@ -1,21 +1,21 @@
-FROM alpine:3.15
+FROM alpine:3.20 AS builder
 #
 # Install packages
-RUN apk --no-cache -U add \
-            git \
-            libcap \
-	    openssl \
-            py3-pip \
-            python3 && \
-#
-    pip3 install --no-cache-dir python-json-logger && \
+RUN apk --no-cache -U upgrade && \
+    apk --no-cache -U add \
+        build-base \
+		git \
+		openssl \
+		py3-pip \
+		python3 && \
+    pip3 install --break-system-packages --no-cache-dir \
+        pyinstaller \
+        python-json-logger
 #
 # Install CitrixHoneypot from GitHub
-    git clone https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
+RUN git clone https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
     cd /opt/citrixhoneypot && \
-    git checkout f59ad7320dc5bbb8c23c8baa5f111b52c52fbef3 && \
-#
-# Setup user, groups and configs
+    git checkout dee32447033a0296d053e8f881bf190f9dd7ad44 && \
     mkdir -p /opt/citrixhoneypot/logs /opt/citrixhoneypot/ssl && \
     openssl req \
           -nodes \
@@ -25,20 +25,19 @@ RUN apk --no-cache -U add \
           -out "/opt/citrixhoneypot/ssl/cert.pem" \
           -days 365 \
           -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' && \
-    addgroup -g 2000 citrixhoneypot && \
-    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 citrixhoneypot && \
-    chown -R citrixhoneypot:citrixhoneypot /opt/citrixhoneypot && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
+    chown 2000:2000 -R ssl/
 #
-# Clean up
-    apk del --purge git \
-                    openssl && \
-    rm -rf /root/* && \
-    rm -rf /opt/citrixhoneypot/.git && \
-    rm -rf /var/cache/apk/*
+WORKDIR /opt/citrixhoneypot
+RUN pyinstaller CitrixHoneypot.py
+#
+FROM alpine:3.20
+RUN apk --no-cache -U upgrade
+COPY --from=builder /opt/citrixhoneypot/dist/CitrixHoneypot/ /opt/citrixhoneypot
+COPY --from=builder /opt/citrixhoneypot/ssl /opt/citrixhoneypot/ssl
+COPY --from=builder /opt/citrixhoneypot/responses/ /opt/citrixhoneypot/responses
 #
 # Set workdir and start citrixhoneypot
 STOPSIGNAL SIGINT
-USER citrixhoneypot:citrixhoneypot
+USER 2000:2000
 WORKDIR /opt/citrixhoneypot/
-CMD nohup /usr/bin/python3 CitrixHoneypot.py
+CMD nohup ./CitrixHoneypot

docker/citrixhoneypot/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '2.3'
-
 networks:
   citrixhoneypot_local:
 
@@ -16,7 +14,7 @@ services:
      - citrixhoneypot_local
     ports:
      - "443:443"
-    image: "dtagdevsec/citrixhoneypot:2204"
+    image: "dtagdevsec/citrixhoneypot:24.04"
     read_only: true
     volumes:
-     - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
+     - $HOME/tpotce/data/citrixhoneypot/log:/opt/citrixhoneypot/logs