telekom-security/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 01:27:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: telekom-security:22.04.0
Branches Tags
telekom-security:master telekom-security:24.04 telekom-security:alpha telekom-security:22.04 telekom-security:dev telekom-security:20.06 telekom-security:19.03 telekom-security:18.11
telekom-security:24.04.1 telekom-security:24.04.0 telekom-security:24.04.0beta telekom-security:22.04.0 telekom-security:20.06.2 telekom-security:20.06.1 telekom-security:20.06.0 telekom-security:19.03.3 telekom-security:19.03.1 telekom-security:19.03 telekom-security:19.03.beta telekom-security:18.11.1 telekom-security:18.11 telekom-security:17.10 telekom-security:17.10.beta telekom-security:17.10.alpha telekom-security:16.10.1 telekom-security:16.10
..
compare: telekom-security:18.11
Branches Tags
telekom-security:master telekom-security:24.04 telekom-security:alpha telekom-security:22.04 telekom-security:dev telekom-security:20.06 telekom-security:19.03 telekom-security:18.11
telekom-security:24.04.1 telekom-security:24.04.0 telekom-security:24.04.0beta telekom-security:22.04.0 telekom-security:20.06.2 telekom-security:20.06.1 telekom-security:20.06.0 telekom-security:19.03.3 telekom-security:19.03.1 telekom-security:19.03 telekom-security:19.03.beta telekom-security:18.11.1 telekom-security:18.11 telekom-security:17.10 telekom-security:17.10.beta telekom-security:17.10.alpha telekom-security:16.10.1 telekom-security:16.10

1 Commits
22.04.0 ... 18.11

Author SHA1 Message Date
Marco Ochse
be42aaa958 Update Dockerfile 2019-04-18 10:24:42 +02:00
372 changed files with 13433 additions and 15014 deletions
Expand all files Collapse all files

31
.github/ISSUE_TEMPLATE.md vendored Normal file
View File

@ -0,0 +1,31 @@
# Contribution
Thank you for your decision to contribute to T-Pot.
## Issues
Please feel free to post your problems, ideas and issues [here](https://github.com/dtag-dev-sec/tpotce/issues). We will try to answer ASAP, but to speed things up we encourage you to ...
- [ ] Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
- [ ] Check the FAQs in our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
- [ ] Provide [basic support information](#info) with regard to your issue
Thank you :smiley:
-
<a name="info"></a>
### Basic support information
- What T-Pot version are you currently using?
- Are you running on a Intel NUC or a VM?
- How long has your installation been running?
- Did you install any upgrades or packages?
- Did you modify any scripts?
- Have you turned persistence on/off?
- How much RAM is available (login via ssh and run `htop`)?
- How much stress are the CPUs under (login via ssh and run `htop`)?
- How much swap space is being used (login via ssh and run `htop`)?
- How much free disk space is available (login via ssh and run `sudo df -h`)?
- What is the current container status (login via ssh and run `sudo dps.sh`)?

37
.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md vendored
View File

@ -1,37 +0,0 @@
---
name: Bug report for T-Pot
about: Bug report for T-Pot
title: ''
labels: ''
assignees: ''
---
Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
<br>
<br>
<br>
<a name="info"></a>
## ⚠️ Basic support information (commands are expected to run as `root`)
- What version of the OS are you currently using `lsb_release -a` and `uname -a`?
- What T-Pot version are you currently using?
- What edition (Standard, Nextgen, etc.) of T-Pot are you running?
- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
- How long has your installation been running?
- Did you install upgrades, packages or use the update script?
- Did you modify any scripts or configs? If yes, please attach the changes.
- Please provide a screenshot of `glances` and `htop`.
- How much free disk space is available (`df -h`)?
- What is the current container status (`dps.sh`)?
- What is the status of the T-Pot service (`systemctl status tpot`)?
- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
- If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

20
.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md vendored
View File

@ -1,20 +0,0 @@
---
name: Feature request for T-Pot
about: Suggest an idea for T-Pot
title: ''
labels: ''
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

39
.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md vendored
View File

@ -1,39 +0,0 @@
---
name: General issue for T-Pot
about: General issue for T-Pot
title: ''
labels: ''
assignees: ''
---
🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
<br>
<br>
<br>
<a name="info"></a>
## ⚠️ Basic support information (commands are expected to run as `root`)
- What version of the OS are you currently using `lsb_release -a` and `uname -a`?
- What T-Pot version are you currently using?
- What edition (Standard, Nextgen, etc.) of T-Pot are you running?
- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
- How long has your installation been running?
- Did you install upgrades, packages or use the update script?
- Did you modify any scripts or configs? If yes, please attach the changes.
- Please provide a screenshot of `glances` and `htop`.
- How much free disk space is available (`df -h`)?
- What is the current container status (`dps.sh`)?
- What is the status of the T-Pot service (`systemctl status tpot`)?
- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
- If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

45
CHANGELOG.md
View File

@ -1,45 +0,0 @@
# Release Notes / Changelog
T-Pot 22.04.0 is probably the most feature rich release ever provided with long awaited (wanted!) features readily available after installation.
## New Features
* **Distributed** Installation with **HIVE** and **HIVE_SENSOR**
* **ARM64** support for all provided Docker images
* **GeoIP Attack Map** visualizing Live Attacks on a dedicated webpage
* **Kibana Live Attack Map** visualizing Live Attacks from different **HIVE_SENSORS**
* **Blackhole** is a script trying to avoid mass scanner detection
* **Elasticvue** a web front end for browsing and interacting with an Elastic Search cluster
* **Ddospot** a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
* **Endlessh** is a SSH tarpit that very slowly sends an endless, random SSH banner
* **HellPot** is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
* **qHoneypots** 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
* **Redishoneypot** is a honeypot mimicking some of the Redis' functions
* **SentryPeer** a dedicated SIP honeypot
* **Index Lifecycle Management** for Elasticseach indices is now being used
## Upgrades
* **Debian 11.x** is now being used for the T-Pot ISO images and required for post installs
* **Elastic Stack 8.x** is now provided as Docker images
## Updates
* **Honeypots** and **tools** were updated to their latest masters and releases
* Updates will be provided continuously through Docker Images updates
## Breaking Changes
* For security reasons all Py2.x honeypots with the need of PyPi packages have been removed: **HoneyPy**, **HoneySAP** and **RDPY**
* If you are upgrading from a previous version of T-Pot (20.06.x) you need to import the new Kibana objects or some of the functionality will be broken or will be unavailabe
* **Cyberchef** is now part of the Nginx Docker image, no longer as individual image
* **ElasticSearch Head** is superseded by **Elasticvue** and part the Nginx Docker image
* **Heimdall** is no longer supported and superseded with a new Bento based landing page
* **Elasticsearch Curator** is no longer supprted and superseded with **Index Lifecycle Policies** available through Kibana.
# Thanks & Credits
* @ghenry, for some fun late night debugging and of course SentryPeer!
* @giga-a, for adding much appreciated features (i.e. JSON logging,
X-Forwarded-For, etc.) and of course qHoneypots!
* @sp3t3rs, @trixam, for their backend and ews support!
* @tadashi-oya, for spotting some errors and propose fixes!
* @tmariuss, @shaderecker for their cloud contributions!
* @vorband, for much appreciated and helpful insights regarding the GeoIP Attack Map!
* @yunginnanet, on not giving up on squashing a bug and of course Hellpot!
... and many others from the T-Pot community by opening valued issues and discussions, suggesting ideas and thus helping to improve T-Pot!

31
CONTRIBUTING.MD Normal file
View File

@ -0,0 +1,31 @@
# Contribution
Thank you for your decision to contribute to T-Pot.
## Issues
Please feel free to post your problems, ideas and issues [here](https://github.com/dtag-dev-sec/tpotce/issues). We will try to answer ASAP, but to speed things up we encourage you to ...
- [ ] Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
- [ ] Check the FAQs in our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
- [ ] Provide [basic support information](#info) with regard to your issue
Thank you :smiley:
-
<a name="info"></a>
### Basic support information
- What T-Pot version are you currently using?
- Are you running on a Intel NUC or a VM?
- How long has your installation been running?
- Did you install any upgrades or packages?
- Did you modify any scripts?
- Have you turned persistence on/off?
- How much RAM is available (login via ssh and run `htop`)?
- How much stress are the CPUs under (login via ssh and run `htop`)?
- How much swap space is being used (login via ssh and run `htop`)?
- How much free disk space is available (login via ssh and run `sudo df -h`)?
- What is the current container status (login via ssh and run `sudo dps.sh`)?

1125
README.md
View File

File diff suppressed because it is too large Load Diff

77
bin/2fa.sh
View File

@ -1,77 +0,0 @@
#!/bin/bash
# Make sure script is started as non-root.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" = "root" ]
then
echo "Need to run as non-root ..."
echo ""
exit
fi
# set vars, check deps
myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
if ! [ -s "$myPAM_COCKPIT_FILE" ];
then
echo "### Cockpit PAM module config does not exist. Something went wrong."
echo ""
exit 1
fi
myPAM_COCKPIT_GA="
# google authenticator for two-factor
auth required pam_google_authenticator.so
"
myAUTHENTICATOR=$(which google-authenticator)
if [ "$myAUTHENTICATOR" == "" ];
then
echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
echo ""
sudo apt-get update
sudo apt-get install -y libpam-google-authenticator
exec "$1" "$2"
exit 1
fi
# write PAM changes
function fuWRITE_PAM_CHANGES {
myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
if ! [ "$myCHECK" == "0" ];
then
echo "### PAM config already enabled. Skipped."
echo ""
else
echo "### Updating PAM config for Cockpit (if asked provide root password)."
echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
sudo systemctl restart cockpit
fi
}
# create 2fa
function fuGEN_TOKEN {
echo "### Now generating token for Google Authenticator."
echo ""
google-authenticator -t -d -r 3 -R 30 -w 17
}
# main
echo "### This script will enable Two Factor Authentication for Cockpit."
echo ""
echo "### Please download one of the many authenticator apps from the appstore of your choice."
echo ""
while true;
do
read -p "### Ready to start (y/n)? " myANSWER
case $myANSWER in
[Yy]* ) echo "### OK. Starting ..."; break;;
[Nn]* ) echo "### Exiting."; exit;;
esac
done
fuWRITE_PAM_CHANGES
fuGEN_TOKEN
echo "Done. Re-run this script by every user who needs Cockpit access."
echo ""

27
bin/backup_es_folders.sh
View File

@ -1,21 +1,4 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ];
then
echo "Need to run as root ..."
exit
fi
if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
then
echo "Usage: backup_es_folders [all, base]"
echo " all = backup all ES folder"
echo " base = backup only Kibana index".
echo
exit
fi
# Backup all ES relevant folders
# Make sure ES is available
myES="http://127.0.0.1:64298/"
@ -33,8 +16,8 @@ fi
myCOUNT=1
myDATE=$(date +%Y%m%d%H%M)
myELKPATH="/data/elk/data"
myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/' | grep -w ".kibana_1" | awk '{ print $4 }')
myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
@ -51,11 +34,5 @@ sleep 2
# Backup DB in 2 flavors
echo "### Now backing up Elasticsearch folders ..."
if [ "$1" == "all" ];
then
tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
elif [ "$1" == "base" ];
then
tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
fi

109
bin/blackhole.sh
View File

@ -1,109 +0,0 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "### Need to run as root ..."
echo
exit
fi
# Disclaimer
if [ "$1" == "" ];
then
echo "### Warning!"
echo "### This script will download and add blackhole routes for known mass scanners in an attempt to decrease the chance of detection."
echo "### IPs are neither curated or verified, use at your own risk!"
echo "###"
echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
echo
echo "Usage: blackhole.sh add (add blackhole routes)"
echo " blackhole.sh del (delete blackhole routes)"
echo
exit
fi
# QnD paths, files
mkdir -p /etc/blackhole
cd /etc/blackhole
myFILE="mass_scanner.txt"
myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
myBASELINE="500"
# Alternatively, using less routes, but blocking complete /24 networks
#myFILE="mass_scanner_cidr.txt"
#myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
# Calculate age of downloaded list, read IPs
if [ -f "$myFILE" ];
then
myNOW=$(date +%s)
myOLD=$(date +%s -r "$myFILE")
myDAYS=$(( ($myNOW-$myOLD) / (60*60*24) ))
echo "### Downloaded $myFILE list is $myDAYS days old."
myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
fi
# Let's load ip list
if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
then
echo "### Downloading $myFILE list."
aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
fi
myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
# Let's extract mass scanner IPs
if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
then
echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
echo "### Aborting."
echo
exit
elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
then
echo "### Blackhole already enabled."
echo "### Aborting."
echo
exit
fi
# Let's add blackhole routes for all mass scanner IPs
if [ "$1" == "add" ];
then
echo
echo -n "Now adding $myCOUNT IPs to blackhole."
for i in $myBLACKHOLE_IPS;
do
ip route add blackhole "$i"
echo -n "."
done
echo
echo "Added $(ip r | grep "blackhole" -c) IPs to blackhole."
echo
echo "### Remember!"
echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
echo
exit
fi
# Let's delete blackhole routes for all mass scanner IPs
if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
then
echo
echo -n "Now deleting $myCOUNT IPs from blackhole."
for i in $myBLACKHOLE_IPS;
do
ip route del blackhole "$i"
echo -n "."
done
echo
echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
echo
rm "$myFILE"
else
echo "### Blackhole already disabled."
echo
fi

89
bin/change_ews_config.sh
View File

@ -1,89 +0,0 @@
#!/bin/bash
echo """
##############################
# T-POT DTAG Data Submission #
# Contact: #
# cert@telekom.de #
##############################
"""
# Got root?
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
sudo ./$0
exit
fi
printf "[*] Enter your API UserID: "
read apiUser
printf "[*] Enter your API Token: "
read apiToken
printf "[*] If you have multiple T-Pots running, give them each a unique NUMBER, e.g. '2' for your second T-Pot installation. Enter unique number for THIS T-Pot: "
read indexNumber
if ! [[ "$indexNumber" =~ ^[0-9]+$ ]]
then
echo "Sorry integers only. You have to start over..."
exit 1
fi
apiURL="https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage"
printf "[*] Currently, your honeypot is configured to transmit data the default backend at 'https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage'. Do you want to change this API endpoint? Only do this if you run your own PEBA backend instance? (N/y): "
read replyAPI
if [[ $replyAPI =~ ^[Yy]$ ]]
then
printf "[*] Enter your API endpoint URL and make sure it contains the full path, e.g. 'https://myDomain.local:9922/ews-0.1/alert/postSimpleMessage': "
read apiURL
fi
echo ""
echo "[*] Recap! You defined: "
echo "############################"
echo "API User: " $apiUser
echo "API Token: " $apiToken
echo "API URL: " $apiURL
echo "Unique numeric ID for your T-Pot Installation: " $indexNumber
echo "Specific honeypot-IDs will look like : <honeypotType>-"$apiUser"-"$indexNumber
echo "############################"
echo ""
printf "[*] Is the above correct (y/N)? "
read reply
if [[ ! $reply =~ ^[Yy]$ ]]
then
echo "OK, then run this again..."
exit 1
fi
echo ""
echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist
if [[ -f "ews.cfg.dist" ]]; then
echo "[+] Successfully downloaded ews.cfg from github."
else
echo "[+] Could not download ews.cfg from github."
exit 1
fi
echo "[+] Patching ews.cfg API Credentials."
sed 's/community-01-user/'$apiUser'/' ews.cfg.dist > ews.cfg
sed -i 's/foth{a5maiCee8fineu7/'$apiToken'/' ews.cfg
echo "[+] Patching ews.cfg API Url."
apiURL=${apiURL////\\/};
sed -i 's/https:\/\/community.sicherheitstacho.eu\/ews-0.1\/alert\/postSimpleMessage/'$apiURL'/' ews.cfg
echo "[+] Patching ews.cfg honeypot IDs."
sed -i 's/community-01/'$apiUser'-'$indexNumber'/' ews.cfg
rm ews.cfg.dist
echo "[+] Changing tpot.yml to include new ews.cfg."
cp ews.cfg /data/ews/conf/ews.cfg
cp /opt/tpot/etc/tpot.yml /opt/tpot/etc/tpot.yml.bak
sed -i '/- \/data\/ews\/conf\/ews.ip:\/opt\/ewsposter\/ews.ip/a\ \ \ - \/data\/ews\/conf\/ews.cfg:\/opt\/ewsposter\/ews.cfg' /opt/tpot/etc/tpot.yml
echo "[+] Restarting T-Pot."
systemctl restart tpot
echo "[+] Done."

174
bin/clean.sh
View File

@ -1,13 +1,11 @@
#!/bin/bash
# T-Pot Container Data Cleaner & Log Rotator
# Set colors
myRED=""
myGREEN=""
myWHITE=""
# Set pigz
myPIGZ=$(which pigz)
# Set persistence
myPERSISTENCE=$1
@ -40,7 +38,7 @@ fuLOGROTATE () {
local myTANNERFTGZ="/data/tanner/files.tgz"
# Ensure correct permissions and ownerships for logrotate to run without issues
chmod 770 /data/ -R
chmod 760 /data/ -R
chown tpot:tpot /data -R
chmod 644 /data/nginx/conf -R
chmod 644 /data/nginx/cert -R
@ -49,17 +47,17 @@ chmod 644 /data/nginx/cert -R
logrotate -f -s $mySTATUS $myCONF
# Compressing some folders first and rotate them later
if [ "$(fuEMPTY $myADBHONEYDL)" != "0" ]; then tar -I $myPIGZ -cvf $myADBHONEYTGZ $myADBHONEYDL; fi
if [ "$(fuEMPTY $myCOWRIETTYLOGS)" != "0" ]; then tar -I $myPIGZ -cvf $myCOWRIETTYTGZ $myCOWRIETTYLOGS; fi
if [ "$(fuEMPTY $myCOWRIEDL)" != "0" ]; then tar -I $myPIGZ -cvf $myCOWRIEDLTGZ $myCOWRIEDL; fi
if [ "$(fuEMPTY $myDIONAEABI)" != "0" ]; then tar -I $myPIGZ -cvf $myDIONAEABITGZ $myDIONAEABI; fi
if [ "$(fuEMPTY $myDIONAEABIN)" != "0" ]; then tar -I $myPIGZ -cvf $myDIONAEABINTGZ $myDIONAEABIN; fi
if [ "$(fuEMPTY $myHONEYTRAPATTACKS)" != "0" ]; then tar -I $myPIGZ -cvf $myHONEYTRAPATTACKSTGZ $myHONEYTRAPATTACKS; fi
if [ "$(fuEMPTY $myHONEYTRAPDL)" != "0" ]; then tar -I $myPIGZ -cvf $myHONEYTRAPDLTGZ $myHONEYTRAPDL; fi
if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar -I $myPIGZ -cvf $myTANNERFTGZ $myTANNERF; fi
if [ "$(fuEMPTY $myADBHONEYDL)" != "0" ]; then tar cvfz $myADBHONEYTGZ $myADBHONEYDL; fi
if [ "$(fuEMPTY $myCOWRIETTYLOGS)" != "0" ]; then tar cvfz $myCOWRIETTYTGZ $myCOWRIETTYLOGS; fi
if [ "$(fuEMPTY $myCOWRIEDL)" != "0" ]; then tar cvfz $myCOWRIEDLTGZ $myCOWRIEDL; fi
if [ "$(fuEMPTY $myDIONAEABI)" != "0" ]; then tar cvfz $myDIONAEABITGZ $myDIONAEABI; fi
if [ "$(fuEMPTY $myDIONAEABIN)" != "0" ]; then tar cvfz $myDIONAEABINTGZ $myDIONAEABIN; fi
if [ "$(fuEMPTY $myHONEYTRAPATTACKS)" != "0" ]; then tar cvfz $myHONEYTRAPATTACKSTGZ $myHONEYTRAPATTACKS; fi
if [ "$(fuEMPTY $myHONEYTRAPDL)" != "0" ]; then tar cvfz $myHONEYTRAPDLTGZ $myHONEYTRAPDL; fi
if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar cvfz $myTANNERFTGZ $myTANNERF; fi
# Ensure correct permissions and ownership for previously created archives
chmod 770 $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
chmod 760 $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
chown tpot:tpot $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
# Need to remove subfolders since too many files cause rm to exit with errors
@ -67,7 +65,7 @@ rm -rf $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $my
# Recreate subfolders with correct permissions and ownership
mkdir -p $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
chmod 770 $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
chmod 760 $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
chown tpot:tpot $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
# Run logrotate again to account for previously created archives - DO NOT FORCE HERE!
@ -78,7 +76,7 @@ logrotate -s $mySTATUS $myCONF
fuADBHONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi
mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/
chmod 770 /data/adbhoney/ -R
chmod 760 /data/adbhoney/ -R
chown tpot:tpot /data/adbhoney/ -R
}
@ -86,23 +84,15 @@ fuADBHONEY () {
fuCISCOASA () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi
mkdir -p /data/ciscoasa/log
chmod 770 /data/ciscoasa -R
chmod 760 /data/ciscoasa -R
chown tpot:tpot /data/ciscoasa -R
}
# Let's create a function to clean up and prepare citrixhoneypot data
fuCITRIXHONEYPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi
mkdir -p /data/citrixhoneypot/logs/
chmod 770 /data/citrixhoneypot/ -R
chown tpot:tpot /data/citrixhoneypot/ -R
}
# Let's create a function to clean up and prepare conpot data
fuCONPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
mkdir -p /data/conpot/log
chmod 770 /data/conpot -R
chmod 760 /data/conpot -R
chown tpot:tpot /data/conpot -R
}
@ -110,32 +100,15 @@ fuCONPOT () {
fuCOWRIE () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi
mkdir -p /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/
chmod 770 /data/cowrie -R
chmod 760 /data/cowrie -R
chown tpot:tpot /data/cowrie -R
}
# Let's create a function to clean up and prepare ddospot data
fuDDOSPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
mkdir -p /data/ddospot/log
chmod 770 /data/ddospot -R
chown tpot:tpot /data/ddospot -R
}
# Let's create a function to clean up and prepare dicompot data
fuDICOMPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
mkdir -p /data/dicompot/log
mkdir -p /data/dicompot/images
chmod 770 /data/dicompot -R
chown tpot:tpot /data/dicompot -R
}
# Let's create a function to clean up and prepare dionaea data
fuDIONAEA () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp
chmod 770 /data/dionaea -R
chmod 760 /data/dionaea -R
chown tpot:tpot /data/dionaea -R
}
@ -143,7 +116,7 @@ fuDIONAEA () {
fuELASTICPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi
mkdir -p /data/elasticpot/log
chmod 770 /data/elasticpot -R
chmod 760 /data/elasticpot -R
chown tpot:tpot /data/elasticpot -R
}
@ -153,95 +126,47 @@ fuELK () {
# ELK daemon log files will be removed
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi
mkdir -p /data/elk
chmod 770 /data/elk -R
chmod 760 /data/elk -R
chown tpot:tpot /data/elk -R
}
# Let's create a function to clean up and prepare endlessh data
fuENDLESSH () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
mkdir -p /data/endlessh/log
chmod 770 /data/endlessh -R
chown tpot:tpot /data/endlessh -R
}
# Let's create a function to clean up and prepare fatt data
fuFATT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
mkdir -p /data/fatt/log
chmod 770 -R /data/fatt
chown tpot:tpot -R /data/fatt
# Let's create a function to clean up and prepare glastopf data
fuGLASTOPF () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glastopf/*; fi
mkdir -p /data/glastopf/db /data/glastopf/log
chmod 760 /data/glastopf -R
chown tpot:tpot /data/glastopf -R
}
# Let's create a function to clean up and prepare glastopf data
fuGLUTTON () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
mkdir -p /data/glutton/log
chmod 770 /data/glutton -R
chmod 760 /data/glutton -R
chown tpot:tpot /data/glutton -R
}
# Let's create a function to clean up and prepare hellpot data
fuHELLPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
mkdir -p /data/hellpot/log
chmod 770 /data/hellpot -R
chown tpot:tpot /data/hellpot -R
}
# Let's create a function to clean up and prepare heralding data
fuHERALDING () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
mkdir -p /data/heralding/log
chmod 770 /data/heralding -R
chmod 760 /data/heralding -R
chown tpot:tpot /data/heralding -R
}
# Let's create a function to clean up and prepare honeypots data
fuHONEYPOTS () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
mkdir -p /data/honeypots/log
chmod 770 /data/honeypots -R
chown tpot:tpot /data/honeypots -R
}
# Let's create a function to clean up and prepare honeysap data
fuHONEYSAP () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi
mkdir -p /data/honeysap/log
chmod 770 /data/honeysap -R
chown tpot:tpot /data/honeysap -R
}
# Let's create a function to clean up and prepare honeytrap data
fuHONEYTRAP () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
chmod 770 /data/honeytrap/ -R
chmod 760 /data/honeytrap/ -R
chown tpot:tpot /data/honeytrap/ -R
}
# Let's create a function to clean up and prepare ipphoney data
fuIPPHONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
mkdir -p /data/ipphoney/log
chmod 770 /data/ipphoney -R
chown tpot:tpot /data/ipphoney -R
}
# Let's create a function to clean up and prepare log4pot data
fuLOG4POT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
mkdir -p /data/log4pot/log
chmod 770 /data/log4pot -R
chown tpot:tpot /data/log4pot -R
}
# Let's create a function to clean up and prepare mailoney data
fuMAILONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
mkdir -p /data/mailoney/log/
chmod 770 /data/mailoney/ -R
chmod 760 /data/mailoney/ -R
chown tpot:tpot /data/mailoney/ -R
}
@ -249,7 +174,7 @@ fuMAILONEY () {
fuMEDPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi
mkdir -p /data/medpot/log/
chmod 770 /data/medpot/ -R
chmod 760 /data/medpot/ -R
chown tpot:tpot /data/medpot/ -R
}
@ -265,31 +190,15 @@ fuNGINX () {
fuRDPY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi
mkdir -p /data/rdpy/log/
chmod 770 /data/rdpy/ -R
chmod 760 /data/rdpy/ -R
chown tpot:tpot /data/rdpy/ -R
}
# Let's create a function to clean up and prepare redishoneypot data
fuREDISHONEYPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
mkdir -p /data/redishoneypot/log
chmod 770 /data/redishoneypot -R
chown tpot:tpot /data/redishoneypot -R
}
# Let's create a function to clean up and prepare sentrypeer data
fuSENTRYPEER () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
mkdir -p /data/sentrypeer/log
chmod 770 /data/sentrypeer -R
chown tpot:tpot /data/sentrypeer -R
}
# Let's create a function to prepare spiderfoot db
fuSPIDERFOOT () {
mkdir -p /data/spiderfoot
touch /data/spiderfoot/spiderfoot.db
chmod 770 -R /data/spiderfoot
chmod 760 -R /data/spiderfoot
chown tpot:tpot -R /data/spiderfoot
}
@ -297,7 +206,7 @@ fuSPIDERFOOT () {
fuSURICATA () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi
mkdir -p /data/suricata/log
chmod 770 -R /data/suricata
chmod 760 -R /data/suricata
chown tpot:tpot -R /data/suricata
}
@ -305,7 +214,7 @@ fuSURICATA () {
fuP0F () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi
mkdir -p /data/p0f/log
chmod 770 -R /data/p0f
chmod 760 -R /data/p0f
chown tpot:tpot -R /data/p0f
}
@ -313,7 +222,7 @@ fuP0F () {
fuTANNER () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi
mkdir -p /data/tanner/log /data/tanner/files
chmod 770 -R /data/tanner
chmod 760 -R /data/tanner
chown tpot:tpot -R /data/tanner
}
@ -341,30 +250,19 @@ if [ "$myPERSISTENCE" = "on" ];
echo "Cleaning up and preparing data folders."
fuADBHONEY
fuCISCOASA
fuCITRIXHONEYPOT
fuCONPOT
fuCOWRIE
fuDDOSPOT
fuDICOMPOT
fuDIONAEA
fuELASTICPOT
fuELK
fuENDLESSH
fuFATT
fuGLASTOPF
fuGLUTTON
fuHERALDING
fuHELLPOT
fuHONEYSAP
fuHONEYPOTS
fuHONEYTRAP
fuIPPHONEY
fuLOG4POT
fuMAILONEY
fuMEDPOT
fuNGINX
fuREDISHONEYPOT
fuRDPY
fuSENTRYPEER
fuSPIDERFOOT
fuSURICATA
fuP0F

182
bin/deploy.sh
View File

@ -1,182 +0,0 @@
#!/bin/bash
# Do we have root?
function fuGOT_ROOT {
echo
echo -n "### Checking for root: "
if [ "$(whoami)" != "root" ];
then
echo "[ NOT OK ]"
echo "### Please run as root."
echo "### Example: sudo $0"
exit
else
echo "[ OK ]"
fi
}
function fuDEPLOY_SENSOR () {
echo
echo "###############################"
echo "# Deploying to T-Pot Hive ... #"
echo "###############################"
echo
sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
echo "$MY_SENSOR_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
EOF
echo
echo "###########################"
echo "# Done. Please reboot ... #"
echo "###########################"
echo
exit 0
}
# Check Hive availability
function fuCHECK_HIVE () {
echo
echo "############################################"
echo "# Checking for T-Pot Hive availability ... #"
echo "############################################"
echo
sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
if [ $? -eq 0 ];
then
echo
echo "#########################"
echo "# T-Pot Hive available! #"
echo "#########################"
echo
myHIVE_OK=$(curl -s http://127.0.0.1:64305)
if [ "$myHIVE_OK" == "ok" ];
then
echo
echo "##############################"
echo "# T-Pot Hive tunnel test OK! #"
echo "##############################"
echo
kill -9 $(pidof ssh)
else
echo
echo "######################################################"
echo "# T-Pot Hive tunnel test FAILED! #"
echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
echo "# Aborting. #"
echo "######################################################"
echo
kill -9 $(pidof ssh)
rm $MY_SENSOR_PUBLICKEYFILE
rm $MY_SENSOR_PRIVATEKEYFILE
rm $MY_LS_ENVCONFIGFILE
exit 1
fi;
else
echo
echo "#################################################################"
echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
echo "# Aborting. #"
echo "#################################################################"
echo
rm $MY_SENSOR_PUBLICKEYFILE
rm $MY_SENSOR_PRIVATEKEYFILE
rm $MY_LS_ENVCONFIGFILE
exit 1
fi;
}
function fuGET_DEPLOY_DATA () {
echo
echo "### Please provide data from your T-Pot Hive installation."
echo "### This usually is the one running the 'T-Pot Hive' type."
echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
echo "### Do not worry, the password will not be persisted!"
echo
read -p "Username: " MY_TPOT_USERNAME
read -s -p "Password: " SSHPASS
echo
export SSHPASS
read -p "IP / FQDN: " MY_HIVE_IP
MY_HIVE_USERNAME="$(hostname)"
MY_TPOT_TYPE="SENSOR"
MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
MY_SENSOR_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
MY_SENSOR_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
if ! [ -s "$MY_SENSOR_PRIVATEKEYFILE" ] && ! [ -s "$MY_SENSOR_PUBLICKEYFILE" ];
then
echo
echo "##############################"
echo "# Generating ssh keyfile ... #"
echo "##############################"
echo
mkdir -p /data/elk/logstash
ssh-keygen -f "$MY_SENSOR_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
MY_SENSOR_PUBLICKEY="$(cat "$MY_SENSOR_PUBLICKEYFILE")"
else
echo
echo "#############################################"
echo "# There is already a ssh keyfile. Aborting. #"
echo "#############################################"
echo
exit 1
fi
echo
echo "###########################################################"
echo "# Writing config to /data/elk/logstash/ls_environment. #"
echo "# If you make changes to this file, you need to reboot or #"
echo "# run /opt/tpot/bin/updateip.sh. #"
echo "###########################################################"
echo
tee $MY_LS_ENVCONFIGFILE << EOF
MY_TPOT_TYPE=$MY_TPOT_TYPE
MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
MY_HIVE_USERNAME=$MY_HIVE_USERNAME
MY_HIVE_IP=$MY_HIVE_IP
EOF
}
# Deploy Pot to Hive
fuGOT_ROOT
echo
echo "#################################"
echo "# Ship T-Pot Logs to T-Pot Hive #"
echo "#################################"
echo
echo "If you already have a T-Pot Hive installation running and"
echo "this T-Pot installation is running the type \"Pot\" the"
echo "script will automagically setup this T-Pot to ship and"
echo "prepare the Hive to receive logs from this T-Pot."
echo
echo
echo "###################################"
echo "# Deploy T-Pot Logs to T-Pot Hive #"
echo "###################################"
echo
echo "[c] - Continue deplyoment"
echo "[q] - Abort and exit"
echo
while [ 1 != 2 ]
do
read -s -n 1 -p "Your choice: " mySELECT
echo $mySELECT
case "$mySELECT" in
[c,C])
fuGET_DEPLOY_DATA
fuCHECK_HIVE
fuDEPLOY_SENSOR
break
;;
[q,Q])
echo "Aborted."
exit 0
;;
esac
done

122
bin/deprecated/hptest.sh
View File

@ -1,122 +0,0 @@
#!/bin/bash
myHOST="$1"
myPACKAGES="dcmtk netcat nmap"
myMEDPOTPACKET="
MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
EVN|A01|198808181123
PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
NK1|1|JONES^BARBARA^K|SPO|||||20011105
NK1|1|JONES^MICHAEL^A|FTH
PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
AL1|2||^CAT DANDER||CODE257
DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
GT1|1122|1519|BILL^GATES^A
IN1|001|A357|1234|BCMD|||||132987
IN2|ID1551001|SSN12345678
ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
function fuGOTROOT {
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
}
function fuCHECKDEPS {
myINST=""
for myDEPS in $myPACKAGES;
do
myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
if [ "$myOK" != "ok" ]
then
myINST=$(echo $myINST $myDEPS)
fi
done
if [ "$myINST" != "" ]
then
apt-get update -y
for myDEPS in $myINST;
do
apt-get install $myDEPS -y
done
fi
}
function fuCHECKFORARGS {
if [ "$myHOST" != "" ];
then
echo "All arguments met. Continuing."
else
echo "Usage: hp_test.sh <[host or ip]>"
exit
fi
}
function fuGETPORTS {
myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
echo "Found these ports enabled:"
echo "$myPORTS"
exit
}
function fuSCAN {
local myTIMEOUT="$1"
local mySCANPORT="$2"
local mySCANIP="$3"
local mySCANOPTS="$4"
timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
}
# Main
fuGOTROOT
fuCHECKDEPS
fuCHECKFORARGS
echo "Starting scans ..."
echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
curl -XGET "http://$myHOST:9200/logstash-*/_search" &
curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
findscu -P -k PatientName="*" $myHOST 11112 &
getscu -P -k PatientName="*" $myHOST 11112 &
telnet $myHOST 3299 &
fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
wait
reset
echo "Done."

59
bin/dps.sh
View File

@ -1,21 +1,6 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
myPARAM="$1"
if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
then
watch --color -n $myPARAM "dps.sh"
exit
fi
#/bin/bash
# Show current status of T-Pot containers
myPARAM="$1"
myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
myRED=""
myGREEN=""
@ -23,39 +8,20 @@ myBLUE=""
myWHITE=""
myMAGENTA=""
# Blackhole Status
myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
if [ "$myBLACKHOLE_STATUS" -gt "500" ];
then
myBLACKHOLE_STATUS="${myGREEN}ENABLED"
else
myBLACKHOLE_STATUS="${myRED}DISABLED"
fi
function fuGETTPOT_STATUS {
# T-Pot Status
myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
if [ "$myTPOT_STATUS" == "active" ];
then
echo "${myGREEN}ACTIVE"
else
echo "${myRED}INACTIVE"
fi
}
function fuGETSTATUS {
grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
grc docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
}
function fuGETSYS {
printf "[ ========| System |======== ]\n"
printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
printf "========| System |========\n"
printf "%+10s %-20s\n" "Date: " "$(date)"
printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)"
printf "%+10s %-20s\n" "CPU temp: " "$(sensors | grep 'Physical' | awk '{ print $4" " }' | tr -d [:cntrl:])"
echo
}
while true
do
myDPS=$(fuGETSTATUS)
myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
fuGETSYS
@ -71,3 +37,10 @@ echo
printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
fi
done
if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
then
sleep "$myPARAM"
else
break
fi
done

10
bin/dump_es.sh
View File

@ -2,10 +2,10 @@
# Dump all ES data
# Make sure ES is available
myES="http://127.0.0.1:64298/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit
else
echo "### Elasticsearch is available, now continuing."
@ -20,12 +20,12 @@ trap fuCLEANUP EXIT
# Set vars
myDATE=$(date +%Y%m%d%H%M)
myINDICES=$(curl -s -XGET ''$myES'_cat/indices/logstash-*' | awk '{ print $3 }' | sort | grep -v 1970)
myINDICES+=" .kibana"
myINDICES=$(curl -s -XGET ''$myES'_cat/indices/' | awk '{ print $3 }' | sort | grep -v 1970)
myES="http://127.0.0.1:64298/"
myCOL1=""
myCOL0=""
# Dumping Kibana and Logstash data
# Dumping all ES data
echo $myCOL1"### The following indices will be dumped: "$myCOL0
echo $myINDICES
echo

34
bin/deprecated/export_kibana-objects.sh → bin/export_kibana-objects.sh
View File

@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit
else
echo "### Elasticsearch is available, now continuing."
@ -15,25 +15,24 @@ fi
# Set vars
myDATE=$(date +%Y%m%d%H%M)
myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myCONFIGS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=config&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
myCOL1=""
myCOL0=""
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
rm -rf patterns/ dashboards/ visualizations/ searches/
}
trap fuCLEANUP EXIT
# Export index patterns
mkdir -p patterns
echo $myCOL1"### Now exporting"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes, references}' > patterns/$myINDEXID.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes}' > patterns/$myINDEXID.json &
echo
# Export dashboards
@ -42,7 +41,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"das
for i in $myDASHBOARDS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes, references}' > dashboards/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes}' > dashboards/$i.json &
done;
echo
@ -52,7 +51,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1
for i in $myVISUALIZATIONS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes, references}' > visualizations/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes}' > visualizations/$i.json &
done;
echo
@ -62,17 +61,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searc
for i in $mySEARCHES;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes, references}' > searches/$i.json &
done;
echo
# Export configs
mkdir -p configs
echo $myCOL1"### Now exporting"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
for i in $myCONFIGS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/config/'$i'' | jq '. | {attributes, references}' > configs/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes}' > searches/$i.json &
done;
echo
@ -81,7 +70,7 @@ wait
# Building tar archive
echo $myCOL1"### Now building archive"$myCOL0 "kibana-objects_"$myDATE".tgz"
tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches configs > /dev/null
tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches > /dev/null
# Stats
echo
@ -90,5 +79,4 @@ echo $myCOL1"###### Exported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
echo $myCOL1"###### Exported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
echo

134
bin/hpfeeds_optin.sh
View File

@ -1,134 +0,0 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
myTPOTYMLFILE="/opt/tpot/etc/tpot.yml"
function fuGENERIC () {
echo
echo "You chose generic, please provide all the details of the broker"
echo
myENABLE="true"
read -p "Host URL: " myHOST
read -p "Port: " myPORT
read -p "Channel: " myCHANNEL
echo "For generic providers set this to 'false'"
echo "If you received a CA certficate mount it into the ewsposter container by modifying $myTPOTYMLFILE"
read -p "TLS - 'false' or path to CA in container: " myCERT
read -p "Ident: " myIDENT
read -p "Secret: " mySECRET
read -p "Format ews (xml) or json: " myFORMAT
}
function fuOPTOUT () {
echo
while [ 1 != 2 ]
do
read -s -n 1 -p "You chose to opt out (y/n)? " mySELECT
echo $mySELECT
case "$mySELECT" in
[y,Y])
echo "Opt out."
break
;;
[n,N])
echo "Aborted."
exit
;;
esac
done
myENABLE="false"
myHOST="host"
myPORT="port"
myCHANNEL="channels"
myCERT="false"
myIDENT="user"
mySECRET="secret"
myFORMAT="json"
}
function fuWRITETOFILE () {
if [ -f '/data/ews/conf/hpfeeds.cfg' ]; then
echo "Creating backup of current config in /data/ews/conf/hpfeeds.cfg.old"
mv /data/ews/conf/hpfeeds.cfg /data/ews/conf/hpfeeds.cfg.old
fi
echo "Storing new config in /data/ews/conf/hpfeeds.cfg"
cat >> /data/ews/conf/hpfeeds.cfg <<EOF
myENABLE=$myENABLE
myHOST=$myHOST
myPORT=$myPORT
myCHANNEL=$myCHANNEL
myCERT=$myCERT
myIDENT=$myIDENT
mySECRET=$mySECRET
myFORMAT=$myFORMAT
EOF
}
function fuAPPLY () {
echo "Now stopping T-Pot ..."
systemctl stop tpot
echo "Applying your settings to tpot.yml ... "
sed --follow-symlinks -i "s/EWS_HPFEEDS_ENABLE.*/EWS_HPFEEDS_ENABLE=${myENABLE}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_HOST.*/EWS_HPFEEDS_HOST=${myHOST}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_PORT.*/EWS_HPFEEDS_PORT=${myPORT}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_CHANNELS.*/EWS_HPFEEDS_CHANNELS=${myCHANNEL}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s#EWS_HPFEEDS_TLSCERT.*#EWS_HPFEEDS_TLSCERT=${myCERT}#g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_IDENT.*/EWS_HPFEEDS_IDENT=${myIDENT}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_SECRET.*/EWS_HPFEEDS_SECRET=${mySECRET}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_FORMAT.*/EWS_HPFEEDS_FORMAT=${myFORMAT}/g" "$myTPOTYMLFILE"
echo "Now starting T-Pot ..."
systemctl start tpot
echo "You can always change or review your settings in /data/ews/conf/hpfeeds.cfg and apply changes by"
echo "running \"./hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg\""
echo "Done."
}
# Check for cmdline argument and parse config file
filename=$(echo $@ | cut -d= -f2)
if [ $# == 1 ] && echo $@ | grep '\-\-conf=' > /dev/null && [ ! -z $filename ] && [ -f $filename ]
then
source $filename
else
# Proceed with interactive setup when no config file is found
echo "HPFEEDS Delivery Opt-In for T-Pot"
echo "---------------------------------"
echo "By running this script you agree to share your data with a 3rd party and agree to their corresponding sharing terms."
echo
echo
echo "Please choose your broker"
echo "---------------------------"
echo "[1] - Generic (enter details manually)"
echo "[0] - Opt out of HPFEEDS"
echo "[q] - Do not agree end exit"
echo
while [ 1 != 2 ]
do
read -s -n 1 -p "Your choice: " mySELECT
echo $mySELECT
case "$mySELECT" in
[1])
fuGENERIC
break
;;
[0])
fuOPTOUT
break
;;
[q,Q])
echo "Aborted."
exit
;;
esac
done
fi
fuWRITETOFILE
fuAPPLY

68
bin/hptest.sh
View File

@ -1,68 +0,0 @@
#!/bin/bash
myHOST="$1"
myPACKAGES="nmap"
myDOCKERCOMPOSEYML="/opt/tpot/etc/tpot.yml"
function fuGOTROOT {
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
}
function fuCHECKDEPS {
myINST=""
for myDEPS in $myPACKAGES;
do
myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
if [ "$myOK" != "ok" ]
then
myINST=$(echo $myINST $myDEPS)
fi
done
if [ "$myINST" != "" ]
then
apt-get update -y
for myDEPS in $myINST;
do
apt-get install $myDEPS -y
done
fi
}
function fuCHECKFORARGS {
if [ "$myHOST" != "" ];
then
echo "All arguments met. Continuing."
echo
else
echo "Usage: hptest.sh <[host or ip]>"
echo
exit
fi
}
function fuGETPORTS {
myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu)
myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done)
myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done)
}
# Main
fuGETPORTS
fuGOTROOT
fuCHECKDEPS
fuCHECKFORARGS
echo
echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..."
nmap -sV -sC -v -p $myPORTS $1 &
nmap -sU -sV -sC -v -p $myUDPPORTS $1 &
echo
wait
echo "Done."
echo

23
bin/deprecated/import_kibana-objects.sh → bin/import_kibana-objects.sh
View File

@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit
else
echo "### Elasticsearch is available, now continuing."
@ -20,7 +20,7 @@ myCOL0=""
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
rm -rf patterns/ dashboards/ visualizations/ searches/
}
trap fuCLEANUP EXIT
@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
# Restore index patterns
myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
@ -98,22 +98,6 @@ for i in $mySEARCHES;
echo
wait
# Restore configs
myCONFIGS=$(ls configs/*.json | cut -c 9- | rev | cut -c 6- | rev)
echo $myCOL1"### Now importing "$myCOL0$(echo $myCONFIGS | wc -w)$myCOL1 "configs." $myCOL0
for i in $myCONFIGS;
do
curl -s -XDELETE ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
done;
wait
for i in $myCONFIGS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XPOST ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @configs/$i.json > /dev/null &
done;
echo
wait
# Stats
echo
echo $myCOL1"### Statistics"
@ -121,6 +105,5 @@ echo $myCOL1"###### Imported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
echo $myCOL1"###### Imported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
echo

27
bin/mytopips.sh
View File

@ -1,27 +0,0 @@
#!/bin/bash
# Make sure ES is available
myES="http://127.0.0.1:64298/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit 1
else
echo "### Elasticsearch is available, now continuing."
echo
fi
function fuMYTOPIPS {
curl -s -XGET $myES"_search" -H 'Content-Type: application/json' -d'
{
"aggs": {
"ips": {
"terms": { "field": "src_ip.keyword", "size": 100 }
}
},
"size" : 0
}'
}
echo "### Aggregating top 100 source IPs in ES"
fuMYTOPIPS | jq '.aggregations.ips.buckets[].key' | tr -d '"'

39
bin/restore_es.sh
View File

@ -2,10 +2,10 @@
# Restore folder based ES backup
# Make sure ES is available
myES="http://127.0.0.1:64298/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit
else
echo "### Elasticsearch is available, now continuing."
@ -41,46 +41,13 @@ echo $myCOL1"### Now unpacking tar archive: "$myDUMP $myCOL0
tar xvf $myDUMP
# Build indices list
myINDICES="$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev)"
myINDICES=$(ls tmp/logstash*.gz | cut -c 5- | rev | cut -c 4- | rev)
myINDICES+=" .kibana"
echo $myCOL1"### The following indices will be restored: "$myCOL0
echo $myINDICES
echo
# Force single seat template for everything
echo -n $myCOL1"### Forcing single seat template: "$myCOL0
curl -s XPUT ''$myES'_template/.*' -H 'Content-Type: application/json' -d'
{ "index_patterns": ".*",
"order": 1,
"settings":
{
"number_of_shards": 1,
"number_of_replicas": 0
}
}'
echo
# Set logstash template
echo -n $myCOL1"### Setting up logstash template: "$myCOL0
curl -s XPUT ''$myES'_template/logstash' -H 'Content-Type: application/json' -d'
{
"index_patterns": "logstash-*",
"settings" : {
"index" : {
"number_of_shards": 1,
"number_of_replicas": 0,
"mapping" : {
"total_fields" : {
"limit" : "2000"
}
}
}
}
}'
echo
# Restore indices
curl -s -X DELETE ''$myES'.kibana*' > /dev/null
for i in $myINDICES;
do
# Delete index if it already exists

40
bin/rules.sh
View File

@ -23,10 +23,10 @@ function fuNFQCHECK {
myNFQCHECK=$(grep -e '^\s*honeytrap:\|^\s*glutton:' $myDOCKERCOMPOSEYML | tr -d ': ' | uniq)
if [ "$myNFQCHECK" == "" ];
then
echo "No NFQ related honeypot detected, no iptables-legacy rules needed. Exiting."
echo "No NFQ related honeypot detected, no iptables rules needed. Exiting."
exit
else
echo "Detected $myNFQCHECK as NFQ based honeypot, iptables-legacy rules needed. Continuing."
echo "Detected $myNFQCHECK as NFQ based honeypot, iptables rules needed. Continuing."
fi
}
@ -41,54 +41,54 @@ echo "$myRULESPORTS"
}
function fuSETRULES {
### Setting up iptables-legacy rules for honeytrap
### Setting up iptables rules for honeytrap
if [ "$myNFQCHECK" == "honeytrap" ];
then
/usr/sbin/iptables-legacy -w -A INPUT -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables-legacy -w -A INPUT -d 127.0.0.1 -j ACCEPT
/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
for myPORT in $myRULESPORTS; do
/usr/sbin/iptables-legacy -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
/sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
done
/usr/sbin/iptables-legacy -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
fi
### Setting up iptables-legacy rules for glutton
### Setting up iptables rules for glutton
if [ "$myNFQCHECK" == "glutton" ];
then
/usr/sbin/iptables-legacy -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables-legacy -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT
/sbin/iptables -w -t raw -A PREROUTING -s 127.0.0.1 -j ACCEPT
/sbin/iptables -w -t raw -A PREROUTING -d 127.0.0.1 -j ACCEPT
for myPORT in $myRULESPORTS; do
/usr/sbin/iptables-legacy -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
/sbin/iptables -w -t raw -A PREROUTING -p tcp --dport $myPORT -j ACCEPT
done
# No need for NFQ forwarding, such rules are set up by glutton
fi
}
function fuUNSETRULES {
### Removing iptables-legacy rules for honeytrap
### Removing iptables rules for honeytrap
if [ "$myNFQCHECK" == "honeytrap" ];
then
/usr/sbin/iptables-legacy -w -D INPUT -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables-legacy -w -D INPUT -d 127.0.0.1 -j ACCEPT
/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
for myPORT in $myRULESPORTS; do
/usr/sbin/iptables-legacy -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
/sbin/iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
done
/usr/sbin/iptables-legacy -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
fi
### Removing iptables-legacy rules for glutton
### Removing iptables rules for glutton
if [ "$myNFQCHECK" == "glutton" ];
then
/usr/sbin/iptables-legacy -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables-legacy -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT
/sbin/iptables -w -t raw -D PREROUTING -s 127.0.0.1 -j ACCEPT
/sbin/iptables -w -t raw -D PREROUTING -d 127.0.0.1 -j ACCEPT
for myPORT in $myRULESPORTS; do
/usr/sbin/iptables-legacy -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
/sbin/iptables -w -t raw -D PREROUTING -p tcp --dport $myPORT -j ACCEPT
done
# No need for removing NFQ forwarding, such rules are removed by glutton
fi

45
bin/setup_builder.sh
View File

@ -1,45 +0,0 @@
#!/bin/bash
# Got root?
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
# Only run with command switch
if [ "$1" != "-y" ]; then
echo "### Setting up docker for Multi Arch Builds."
echo "### Use on x64 only!"
echo "### Run with -y to install!"
echo
exit
fi
# Main
mkdir -p /root/.docker/cli-plugins/
cd /root/.docker/cli-plugins/
wget https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-amd64 -O docker-buildx
chmod +x docker-buildx
docker buildx ls
# We need to create a new builder as the default one cannot handle multi-arch builds
# https://docs.docker.com/desktop/multi-arch/
docker buildx create --name mybuilder
# Set as default
docker buildx use mybuilder
# We need to install emulators, arm64 should be fine for now
# https://github.com/tonistiigi/binfmt/
docker run --privileged --rm tonistiigi/binfmt --install arm64
# Check if everything is setup correctly
docker buildx inspect --bootstrap
echo
echo "### Done."
echo
echo "Example: docker buildx build --platform linux/amd64,linux/arm64 -t username/demo:latest --push ."
echo "Docs: https://docs.docker.com/desktop/multi-arch/"

29
bin/tpdclean.sh
View File

@ -1,29 +0,0 @@
#!/bin/bash
# T-Pot Compose and Container Cleaner
# Set colors
myRED=""
myGREEN=""
myWHITE=""
# Only run with command switch
if [ "$1" != "-y" ]; then
echo $myRED"### WARNING"$myWHITE
echo ""
echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
echo ""
echo $myRED"### WARNING "$myWHITE
echo
exit
fi
# Remove old containers, images and volumes
docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
docker network rm $(docker network ls -q) >> /dev/null 2>&1
docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
docker rm -v $(docker ps -aq) >> /dev/null 2>&1
docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
exit 0

10
bin/tped.sh
View File

@ -1,13 +1,5 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
# set backtitle, get filename
myBACKTITLE="T-Pot Edition Selection Tool"
myYMLS=$(cd /opt/tpot/etc/compose/ && ls -1 *.yml)
@ -29,7 +21,7 @@ for i in $myYMLS;
do
myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) "
done
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 13 50 6 $myITEMS 3>&1 1>&2 2>&3 3>&-)
if [ "$myEDITION" == "" ];
then
echo "Have a nice day!"

19
bin/unlock_es.sh
View File

@ -1,19 +0,0 @@
#/bin/bash
# Unlock all ES indices for read / write mode
# Useful in cases where ES locked all indices after disk quota has been reached
# Make sure ES is available
myES="http://127.0.0.1:64298/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c "green\|yellow")
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
exit
else
echo "### Elasticsearch is available, now continuing."
echo
fi
echo "### Trying to unlock all ES indices for read / write operation: "
curl -XPUT -H "Content-Type: application/json" ''$myES'_all/_settings' -d '{"index.blocks.read_only_allow_delete": null}'
echo

73
bin/updateip.sh
View File

@ -2,88 +2,25 @@
# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
# If the external IP cannot be detected, the internal IP will be inherited.
source /etc/environment
myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
myLOCALIP=$(hostname -I | awk '{ print $1 }')
myEXTIP=$(/opt/tpot/bin/myip.sh)
if [ "$myEXTIP" = "" ];
then
myEXTIP=$myLOCALIP
myEXTIP_LAT="49.865835022498125"
myEXTIP_LONG="8.62606472775735"
else
myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
fi
# Load Blackhole routes if enabled
myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
then
/opt/tpot/bin/blackhole.sh add
fi
myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
if [ "$myBLACKHOLE_STATUS" -gt "500" ];
then
myBLACKHOLE_STATUS="| BLACKHOLE: [ ENABLED ]"
else
myBLACKHOLE_STATUS="| BLACKHOLE: [ DISABLED ]"
fi
mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
# Export
export myUUID
export myLOCALIP
export myEXTIP
export myEXTIP_LAT
export myEXTIP_LONG
export myBLACKHOLE_STATUS
export mySSHUSER
# Build issue
echo "" > /etc/issue
toilet -f ivrit -F metal --filter border:metal "T-Pot 22.04" | sed 's/\\/\\\\/g' >> /etc/issue
echo >> /etc/issue
echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue
echo "|" >> /etc/issue
echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue
echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue
if [ "$myCHECKIFSENSOR" == "0" ];
then
echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
fi
echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue
echo "$myBLACKHOLE_STATUS" >> /etc/issue
echo "|" >> /etc/issue
echo "\`----" >> /etc/issue
echo >> /etc/issue
sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
sed -i "s#ADMIN:.*#ADMIN: https://$myLOCALIP:64294#" /etc/issue
tee /data/ews/conf/ews.ip << EOF
[MAIN]
ip = $myEXTIP
EOF
tee /opt/tpot/etc/compose/elk_environment << EOF
HONEY_UUID=$myUUID
MY_EXTIP=$myEXTIP
MY_EXTIP_LAT=$myEXTIP_LAT
MY_EXTIP_LONG=$myEXTIP_LONG
MY_INTIP=$myLOCALIP
MY_HOSTNAME=$HOSTNAME
EOF
if [ -s "/data/elk/logstash/ls_environment" ];
then
source /data/elk/logstash/ls_environment
tee -a /opt/tpot/etc/compose/elk_environment << EOF
MY_TPOT_TYPE=$MY_TPOT_TYPE
MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
MY_HIVE_USERNAME=$MY_HIVE_USERNAME
MY_HIVE_IP=$MY_HIVE_IP
EOF
fi
chown tpot:tpot /data/ews/conf/ews.ip
chmod 770 /data/ews/conf/ews.ip
chmod 760 /data/ews/conf/ews.ip

10
cloud/.gitignore vendored
View File

@ -1,10 +0,0 @@
# Ansible
*.retry
# Terraform
**/.terraform
**/terraform.*
# OpenStack clouds
**/clouds.yaml
**/secure.yaml

257
cloud/ansible/README.md
View File

@ -1,257 +0,0 @@
# T-Pot Ansible
Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).
It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.
Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
# Table of contents
- [Preparation of Ansible Master](#ansible-master)
- [Ansible Installation](#ansible)
- [OpenStack Collection Installation](#collection)
- [Agent Forwarding](#agent-forwarding)
- [Preparations in Open Telekom Cloud Console](#preparation)
- [Create new project](#project)
- [Create API user](#api-user)
- [Import Key Pair](#key-pair)
- [Clone Git Repository](#clone-git)
- [Settings and recommended values](#settings)
- [clouds.yaml](#clouds-yaml)
- [Ansible remote user](#remote-user)
- [Number of instances to deploy](#number)
- [Instance settings](#instance-settings)
- [User password](#user-password)
- [Configure `tpot.conf.dist`](#tpot-conf)
- [Optional: Custom `ews.cfg`](#ews-cfg)
- [Optional: Custom HPFEEDS](#hpfeeds)
- [Deploying a T-Pot](#deploy)
- [Further documentation](#documentation)
<a name="ansible-master"></a>
# Preparation of Ansible Master
You can either run the Ansible Playbook locally on your Linux or macOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did.
I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too.
Ansible works over the SSH Port, so you don't have to add any special rules to your Security Group.
<a name="ansible"></a>
## Ansible Installation
:warning: Ansible 2.10 or newer is required!
Example for Ubuntu 18.04:
At first we update the system:
`sudo apt update`
`sudo apt dist-upgrade`
Then we need to add the repository and install Ansible:
`sudo apt-add-repository --yes --update ppa:ansible/ansible`
`sudo apt install ansible`
For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).
In short (if you already have Python3/pip3 installed):
```
pip3 install ansible
```
<a name="collection"></a>
## OpenStack Collection Installation
For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:
`ansible-galaxy collection install openstack.cloud`
<a name="agent-forwarding"></a>
## Agent Forwarding
If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.
- On Linux or macOS:
- Create or edit `~/.ssh/config`
```
Host ANSIBLE_MASTER_IP
ForwardAgent yes
```
- On Windows using Putty:
![Putty Agent Forwarding](doc/putty_agent_forwarding.png)
<a name="preparation"></a>
# Preparations in Open Telekom Cloud Console
(You can skip this if you have already set up a project and an API account with key pair)
(Just make sure you know the naming for everything, as you need to configure the Ansible variables.)
Before we can start deploying, we have to prepare the Open Telekom Cloud tenant.
For that, go to the [Web Console](https://auth.otc.t-systems.com/authui/login) and log in with an admin user.
<a name="project"></a>
## Create new project
I strongly advise you to create a separate project for the T-Pots in your tenant.
In my case I named it `tpot`.
![Create new project](doc/otc_1_project.gif)
<a name="api-user"></a>
## Create API user
The next step is to create a new user account, which is restricted to the project.
This ensures that the API access is limited to that project.
![Create API user](doc/otc_2_user.gif)
<a name="key-pair"></a>
## Import Key Pair
:warning: Now log in with the newly created API user account and select your project.
![Login as API user](doc/otc_3_login.gif)
Import your SSH public key.
![Import SSH Public Key](doc/otc_4_import_key.gif)
<a name="clone-git"></a>
# Clone Git Repository
Clone the `tpotce` repository to your Ansible Master:
`git clone https://github.com/telekom-security/tpotce.git`
All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
<a name="settings"></a>
# Settings and recommended values
You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
<a name="clouds-yaml"></a>
## clouds.yaml
Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).
Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):
```
clouds:
open-telekom-cloud:
profile: otc
auth:
project_name: eu-de_your_project
username: your_api_user
password: your_password
user_domain_name: OTC-EU-DE-000000000010000XXXXX
```
You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.
For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation.
If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file:
```
# Enter the name of your cloud to use from clouds.yaml
cloud: open-telekom-cloud
```
<a name="remote-user"></a>
## Ansible remote user
You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`).
<a name="number"></a>
## Number of instances to deploy
You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml):
```
loop: "{{ range(0, 1) }}"
```
One instance is set as the default, increase to your liking.
<a name="instance-settings"></a>
## Instance settings
Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml).
Here you can customize your virtual machine specifications:
- Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
- Change the OS image (For T-Pot we need Debian)
- (Optional) Change the volume size
- Specify your key pair (:warning: Mandatory)
- (Optional) Change the instance type (flavor)
`s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.
A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
```
availability_zone: eu-de-03
image: Standard_Debian_10_latest
volume_size: 128
key_name: your-KeyPair
flavor: s3.medium.8
```
<a name="user-password"></a>
## User password
Located at [`openstack/roles/install/vars/main.yaml`](openstack/roles/install/vars/main.yaml).
Here you can set the password for your Debian user (**you should definitely change that**).
```
user_password: LiNuXuSeRPaSs#
```
<a name="tpot-conf"></a>
## Configure `tpot.conf.dist`
The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist).
Here you can choose:
- between the various T-Pot editions
- a username for the web interface
- a password for the web interface (**you should definitely change that**)
<a name="ews-cfg"></a>
## Optional: Custom `ews.cfg`
Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
```
# - custom_ews
```
You can use a custom config file for `ewsposter`.
e.g. when you have your own credentials for delivering data to our [Sicherheitstacho](https://sicherheitstacho.eu/start/main).
You can find the `ews.cfg` template file here: [`openstack/roles/custom_ews/templates/ews.cfg`](openstack/roles/custom_ews/templates/ews.cfg) and adapt it for your needs.
For setting custom credentials, these settings would be relevant for you (the rest of the file can stay as is):
```
[MAIN]
...
contact = your_email_address
...
[EWS]
...
username = your_username
token = your_token
...
```
<a name="hpfeeds"></a>
## Optional: Custom HPFEEDS
Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
```
# - custom_hpfeeds
```
You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg).
That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:
```
myENABLE=true
myHOST=hpfeeds.sissden.eu
myPORT=10000
myCHANNEL=t-pot.events
myCERT=/opt/ewsposter/sissden.pem
myIDENT=your_user
mySECRET=your_secret
myFORMAT=json
```
<a name="deploy"></a>
# Deploying a T-Pot :honey_pot::honeybee:
Now, after configuring everything, we can finally start deploying T-Pots!
Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:
`ansible-playbook deploy_tpot.yaml`
(Yes, it is as easy as that :smile:)
If you are running on a machine which asks for a sudo password, you can use:
`ansible-playbook --ask-become-pass deploy_tpot.yaml`
The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.
After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.
Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
<a name="documentation"></a>
# Further documentation
- [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
- [openstack.cloud.server Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html)
- [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)

BIN
cloud/ansible/doc/otc_1_project.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 204 KiB

BIN
cloud/ansible/doc/otc_2_user.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 883 KiB

BIN
cloud/ansible/doc/otc_3_login.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 148 KiB

BIN
cloud/ansible/doc/otc_4_import_key.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 193 KiB

BIN
cloud/ansible/doc/putty_agent_forwarding.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

6
cloud/ansible/openstack/ansible.cfg
View File

@ -1,6 +0,0 @@
[defaults]
host_key_checking = false
[ssh_connection]
scp_if_ssh = true
ssh_args = -o ServerAliveInterval=60

9
cloud/ansible/openstack/clouds.yaml
View File

@ -1,9 +0,0 @@
clouds:
open-telekom-cloud:
profile: otc
region_name: eu-de
auth:
project_name: eu-de_your_project
username: your_api_user
password: your_password
user_domain_name: OTC-EU-DE-000000000010000XXXXX

30
cloud/ansible/openstack/deploy_tpot.yaml
View File

@ -1,30 +0,0 @@
- name: Check host prerequisites
hosts: localhost
become: yes
roles:
- check
- name: Deploy instances
hosts: localhost
vars_files: my_os_cloud.yaml
tasks:
- name: Create security group and network
ansible.builtin.include_role:
name: create_net
- name: Create one or more instances
ansible.builtin.include_role:
name: create_vm
loop: "{{ range(0, 1) }}"
loop_control:
extended: yes
- name: Install T-Pot
hosts: tpot
remote_user: linux
become: yes
gather_facts: no
roles:
- install
# - custom_ews
# - custom_hpfeeds
- reboot

2
cloud/ansible/openstack/my_os_cloud.yaml
View File

@ -1,2 +0,0 @@
# Enter the name of your cloud to use from clouds.yaml
cloud: open-telekom-cloud

2
cloud/ansible/openstack/requirements.yaml
View File

@ -1,2 +0,0 @@
collections:
- name: openstack.cloud

19
cloud/ansible/openstack/roles/check/tasks/main.yaml
View File

@ -1,19 +0,0 @@
- name: Install dependencies
ansible.builtin.package:
name:
- gcc
- python3-dev
- python3-setuptools
- python3-pip
state: present
- name: Install openstacksdk
ansible.builtin.pip:
name: openstacksdk
executable: pip3
- name: Check if agent forwarding is enabled
ansible.builtin.fail:
msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
ignore_errors: yes
failed_when: lookup('env','SSH_AUTH_SOCK') == ""

33
cloud/ansible/openstack/roles/create_net/tasks/main.yaml
View File

@ -1,33 +0,0 @@
- name: Create security group
openstack.cloud.security_group:
cloud: "{{ cloud }}"
name: sg-tpot-ansible
description: Security Group for T-Pot
- name: Add rules to security group
openstack.cloud.security_group_rule:
cloud: "{{ cloud }}"
security_group: sg-tpot-ansible
remote_ip_prefix: 0.0.0.0/0
- name: Create network
openstack.cloud.network:
cloud: "{{ cloud }}"
name: network-tpot-ansible
- name: Create subnet
openstack.cloud.subnet:
cloud: "{{ cloud }}"
network_name: network-tpot-ansible
name: subnet-tpot-ansible
cidr: 192.168.0.0/24
dns_nameservers:
- 100.125.4.25
- 100.125.129.199
- name: Create router
openstack.cloud.router:
cloud: "{{ cloud }}"
name: router-tpot-ansible
interfaces:
- subnet-tpot-ansible

24
cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
View File

@ -1,24 +0,0 @@
- name: Generate T-Pot name
ansible.builtin.set_fact:
tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=6') }}"
- name: Create instance {{ ansible_loop.index }} of {{ ansible_loop.length }}
openstack.cloud.server:
cloud: "{{ cloud }}"
name: "{{ tpot_name }}"
availability_zone: "{{ availability_zone }}"
image: "{{ image }}"
boot_from_volume: yes
volume_size: "{{ volume_size }}"
key_name: "{{ key_name }}"
auto_ip: yes
flavor: "{{ flavor }}"
security_groups: sg-tpot-ansible
network: network-tpot-ansible
register: tpot
- name: Add instance to inventory
ansible.builtin.add_host:
hostname: "{{ tpot_name }}"
ansible_host: "{{ tpot.server.public_v4 }}"
groups: tpot

5
cloud/ansible/openstack/roles/create_vm/vars/main.yaml
View File

@ -1,5 +0,0 @@
availability_zone: eu-de-03
image: Standard_Debian_10_latest
volume_size: 128
key_name: your-KeyPair
flavor: s3.medium.8

13
cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
View File

@ -1,13 +0,0 @@
- name: Copy ews configuration file
ansible.builtin.template:
src: ews.cfg
dest: /data/ews/conf
owner: root
group: root
mode: 0644
- name: Patching tpot.yml with custom ews configuration file
ansible.builtin.lineinfile:
path: /opt/tpot/etc/tpot.yml
insertafter: "/opt/ewsposter/ews.ip"
line: " - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg"

8
cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg
View File

@ -1,8 +0,0 @@
myENABLE=false
myHOST=host
myPORT=port
myCHANNEL=channels
myCERT=false
myIDENT=user
mySECRET=secret
myFORMAT=json

12
cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
View File

@ -1,12 +0,0 @@
- name: Copy hpfeeds configuration file
ansible.builtin.copy:
src: hpfeeds.cfg
dest: /data/ews/conf
owner: tpot
group: tpot
mode: 0770
register: config
- name: Applying hpfeeds settings
ansible.builtin.command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
when: config.changed == true

48
cloud/ansible/openstack/roles/install/tasks/main.yaml
View File

@ -1,48 +0,0 @@
- name: Waiting for SSH connection
ansible.builtin.wait_for_connection:
- name: Gathering facts
ansible.builtin.setup:
- name: Cloning T-Pot install directory
ansible.builtin.git:
repo: "https://github.com/telekom-security/tpotce.git"
dest: /root/tpot
- name: Prepare to set user password
ansible.builtin.set_fact:
user_name: "{{ ansible_user }}"
user_salt: "s0mew1ck3dTpoT"
no_log: true
- name: Changing password for user {{ user_name }}
ansible.builtin.user:
name: "{{ ansible_user }}"
password: "{{ user_password | password_hash('sha512', user_salt) }}"
state: present
shell: /bin/bash
- name: Copy T-Pot configuration file
ansible.builtin.copy:
src: ../../../../../../iso/installer/tpot.conf.dist
dest: /root/tpot.conf
owner: root
group: root
mode: 0644
- name: Install T-Pot on instance - be patient, this might take 15 to 30 minutes depending on the connection speed.
ansible.builtin.command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
- name: Delete T-Pot configuration file
ansible.builtin.file:
path: /root/tpot.conf
state: absent
- name: Change unattended-upgrades to take default action
ansible.builtin.blockinfile:
dest: /etc/apt/apt.conf.d/50unattended-upgrades
block: |
Dpkg::Options {
"--force-confdef";
"--force-confold";
}

1
cloud/ansible/openstack/roles/install/vars/main.yaml
View File

@ -1 +0,0 @@
user_password: LiNuXuSeRPaSs#

16
cloud/ansible/openstack/roles/reboot/tasks/main.yaml
View File

@ -1,16 +0,0 @@
- name: Finally rebooting T-Pot
ansible.builtin.command: shutdown -r now
async: 1
poll: 0
- name: Next login options
ansible.builtin.debug:
msg:
- "***** SSH Access:"
- "***** ssh {{ ansible_user }}@{{ ansible_host }} -p 64295"
- ""
- "***** Web UI:"
- "***** https://{{ ansible_host }}:64297"
- ""
- "***** Admin UI:"
- "***** https://{{ ansible_host }}:64294"

129
cloud/terraform/README.md
View File

@ -1,129 +0,0 @@
# T-Pot Terraform
This [Terraform](https://www.terraform.io/) configuration can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.
Configuration for Amazon Web Services (AWS) and Open Telekom Cloud (OTC) is currently included.
This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
[Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup.
# Table of Contents
- [What get's created](#what-created)
- [Amazon Web Services (AWS)](#what-created-aws)
- [Open Telekom Cloud (OTC)](#what-created-otc)
- [Prerequisites](#pre)
- [Amazon Web Services (AWS)](#pre-aws)
- [Open Telekom Cloud (OTC)](#pre-otc)
- [Terraform Variables](#variables)
- [Common configuration items](#variables-common)
- [Amazon Web Services (AWS)](#variables-aws)
- [Open Telekom Cloud (OTC)](#variables-otc)
- [Initialising](#initialising)
- [Applying the Configuration](#applying)
- [Connecting to the Instance](#connecting)
<a name="what-created"></a>
## What get's created
<a name="what-created-aws"></a>
### Amazon Web Services (AWS)
* EC2 instance:
* t3.large (2 vCPUs, 8 GB RAM)
* 128 GB disk
* Debian 10
* Public IP
* Security Group:
* TCP/UDP ports <= 64000 open to the Internet
* TCP ports 64294, 64295 and 64297 open to a chosen administrative IP
<a name="what-created-otc"></a>
### Open Telekom Cloud (OTC)
* ECS instance:
* s3.medium.8 (1 vCPU, 8 GB RAM)
* 128 GB disk
* Debian 10
* Public EIP
* Security Group
* All TCP/UDP ports are open to the Internet
* Virtual Private Cloud (VPC) and Subnet
<a name="pre"></a>
## Prerequisites
* [Terraform](https://www.terraform.io/) 0.13
<a name="pre-aws"></a>
### Amazon Web Services (AWS)
* AWS Account
* Existing VPC: VPC ID needs to be specified in `aws/variables.tf`
* Existing subnet: Subnet ID needs to be specified in `aws/variables.tf`
* Existing SSH key pair: Key name needs to be specified in `aws/variables.tf`
* AWS Authentication credentials should be [set using environment variables](https://www.terraform.io/docs/providers/aws/index.html#environment-variables)
<a name="pre-otc"></a>
### Open Telekom Cloud (OTC)
* OTC Account
* Existing SSH key pair: Key name needs to be specified in `otc/variables.tf`
* OTC Authentication credentials (Username, Password, Project Name, User Domain Name) can be set in the `otc/clouds.yaml` file
<a name="variables"></a>
## Terraform Variables
<a name="variables-common"></a>
### Common configuration items
These variables exist in `aws/variables.tf` and `otc/variables.tf` respectively.
Settings for cloud-init:
* `timezone` - Set the Server's timezone
* `linux_password`- Set a password for the Linux Operating System user (which is also used on the Admin UI)
Settings for T-Pot:
* `tpot_flavor` - Set the flavor of the T-Pot (Available flavors are listed in the variable's description)
* `web_user` - Set a username for the T-Pot Kibana Dasboard
* `web_password` - Set a password for the T-Pot Kibana Dashboard
<a name="variables-aws"></a>
### Amazon Web Services (AWS)
In `aws/variables.tf`, you can change the additional variables:
* `admin_ip` - source IP address(es) that you will use to administer the system. Connections to TCP ports 64294, 64295 and 64297 will be allowed from this IP only. Multiple IPs or CIDR blocks can be specified in the format: `["127.0.0.1/32", "192.168.0.0/24"]`
* `ec2_vpc_id` - Specify an existing VPC ID
* `ec2_subnet_id` - Specify an existing Subnet ID
* `ec2_region`
* `ec2_ssh_key_name` - Specify an existing SSH key pair
* `ec2_instance_type`
<a name="variables-otc"></a>
### Open Telekom Cloud (OTC)
In `otc/variables.tf`, you can change the additional variables:
* `ecs_flavor`
* `ecs_disk_size`
* `availability_zone`
* `key_pair` - Specify an existing SSH key pair
* `eip_size`
... and some more, but these are the most relevant.
<a name="initialising"></a>
## Initialising
The [`terraform init`](https://www.terraform.io/docs/commands/init.html) command is used to initialize a working directory containing Terraform configuration files.
```
$ cd aws
$ terraform init
```
OR
```
$ cd otc
$ terraform init
```
<a name="applying"></a>
## Applying the Configuration
The [`terraform apply`](https://www.terraform.io/docs/commands/apply.html) command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a [`terraform plan`](https://www.terraform.io/docs/commands/plan.html) execution plan.
```
$ terraform apply
```
This will create your infrastructure and start a Cloud Server. On startup, the Server gets bootstrapped with cloud-init and will install T-Pot. Once this is done, the server will reboot.
If you want the remove the built infrastructure, you can run [`terraform destroy`](https://www.terraform.io/docs/commands/destroy.html) to delete it.
<a name="connecting"></a>
## Connecting to the Instance
When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).

20
cloud/terraform/aws/.terraform.lock.hcl generated
View File

@ -1,20 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "3.26.0"
constraints = "3.26.0"
hashes = [
"h1:0i78FItlPeiomd+4ThZrtm56P5K33k7/6dnEe4ZePI0=",
"zh:26043eed36d070ca032cf04bc980c654a25821a8abc0c85e1e570e3935bbfcbb",
"zh:2fe68f3f78d23830a04d7fac3eda550eef1f627dfc130486f70a65dc5c254300",
"zh:3d66484c608c64678e639db25d63872783ce60363a1246e30317f21c9c23b84b",
"zh:46ffd755cfd4cf94fe66342797b5afdcef010a24e126c67fee141b357d393535",
"zh:5e96f24357e945c9067cf5e032ad1d003609629c956c2f9f642fefe714e74587",
"zh:60c27aca36bb63bf3e865c2193be80ca83b376581d00f9c220af4b013e163c4d",
"zh:896f0f22d19d41e71b22f9240b261714c3915b165ddefeb771e7734d69dc47ea",
"zh:90de9966cb2fd3e2f326df291595e55d2dd2d90e7d6dd085c2c8691dce82bdb4",
"zh:ad05a91a88ceb1d6de5a568f7cc0b0e5bc0a79f3da70bc28c1e7f3750e362d58",
"zh:e8c63f59c6465329e1f3357498face3dd7ef10a033df3c366a33aa9e94b46c01",
]
}

66
cloud/terraform/aws/main.tf
View File

@ -1,66 +0,0 @@
provider "aws" {
region = var.ec2_region
}
resource "aws_security_group" "tpot" {
name = "T-Pot"
description = "T-Pot Honeypot"
vpc_id = var.ec2_vpc_id
ingress {
from_port = 0
to_port = 64000
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 0
to_port = 64000
protocol = "udp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 64294
to_port = 64294
protocol = "tcp"
cidr_blocks = var.admin_ip
}
ingress {
from_port = 64295
to_port = 64295
protocol = "tcp"
cidr_blocks = var.admin_ip
}
ingress {
from_port = 64297
to_port = 64297
protocol = "tcp"
cidr_blocks = var.admin_ip
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "T-Pot"
}
}
resource "aws_instance" "tpot" {
ami = var.ec2_ami[var.ec2_region]
instance_type = var.ec2_instance_type
key_name = var.ec2_ssh_key_name
subnet_id = var.ec2_subnet_id
tags = {
Name = "T-Pot Honeypot"
}
root_block_device {
volume_type = "gp2"
volume_size = 128
delete_on_termination = true
}
user_data = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
vpc_security_group_ids = [aws_security_group.tpot.id]
associate_public_ip_address = true
}

12
cloud/terraform/aws/outputs.tf
View File

@ -1,12 +0,0 @@
output "Admin_UI" {
value = "https://${aws_instance.tpot.public_dns}:64294/"
}
output "SSH_Access" {
value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
}
output "Web_UI" {
value = "https://${aws_instance.tpot.public_dns}:64297/"
}

93
cloud/terraform/aws/variables.tf
View File

@ -1,93 +0,0 @@
variable "admin_ip" {
default = ["127.0.0.1/32"]
description = "admin IP addresses in CIDR format"
}
variable "ec2_vpc_id" {
description = "ID of AWS VPC"
default = "vpc-XXX"
}
variable "ec2_subnet_id" {
description = "ID of AWS VPC subnet"
default = "subnet-YYY"
}
variable "ec2_region" {
description = "AWS region to launch servers"
default = "eu-west-1"
}
variable "ec2_ssh_key_name" {
default = "default"
}
# https://aws.amazon.com/ec2/instance-types/
# t3.large = 2 vCPU, 8 GiB RAM
variable "ec2_instance_type" {
default = "t3.large"
}
# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
variable "ec2_ami" {
type = map(string)
default = {
"af-south-1" = "ami-0c372f041acae6d49"
"ap-east-1" = "ami-079b8d011d4655385"
"ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
"ap-northeast-2" = "ami-0269fe7d013b8e2dd"
"ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
"ap-south-1" = "ami-020d429f17c9f1d0a"
"ap-southeast-1" = "ami-09625a221230d9fe6"
"ap-southeast-2" = "ami-03cbc6cddb06af2c2"
"ca-central-1" = "ami-09125623b02302014"
"eu-central-1" = "ami-00c36c60f07e21791"
"eu-north-1" = "ami-052bea934e2d9dbfe"
"eu-south-1" = "ami-04e2bb16d37324719"
"eu-west-1" = "ami-0f87948fe2cf1b2a4"
"eu-west-2" = "ami-02ed1bc837487d535"
"eu-west-3" = "ami-080efd2add7e29430"
"me-south-1" = "ami-0dbde382c834c4a72"
"sa-east-1" = "ami-0a0792814cb068077"
"us-east-1" = "ami-05dd1b6e7ef6f8378"
"us-east-2" = "ami-04dd0542609808c50"
"us-west-1" = "ami-07af5f877b3db9f73"
"us-west-2" = "ami-0d0d8694ba492c02b"
}
}
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
variable "linux_password" {
#default = "LiNuXuSeRPaSs#"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}
variable "web_password" {
#default = "w3b$ecret"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
}
}

9
cloud/terraform/aws/versions.tf
View File

@ -1,9 +0,0 @@
terraform {
required_version = ">= 0.13"
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.26.0"
}
}
}

9
cloud/terraform/aws_multi_region/_provider.tf
View File

@ -1,9 +0,0 @@
provider "aws" {
alias = "eu-west-2"
region = "eu-west-2"
}
provider "aws" {
alias = "us-west-1"
region = "us-west-1"
}

27
cloud/terraform/aws_multi_region/main.tf
View File

@ -1,27 +0,0 @@
module "eu-west-2" {
source = "./modules/multi-region"
ec2_vpc_id = "vpc-xxxxxxxx"
ec2_subnet_id = "subnet-xxxxxxxx"
ec2_region = "eu-west-2"
tpot_name = "T-Pot Honeypot"
linux_password = var.linux_password
web_password = var.web_password
providers = {
aws = aws.eu-west-2
}
}
module "us-west-1" {
source = "./modules/multi-region"
ec2_vpc_id = "vpc-xxxxxxxx"
ec2_subnet_id = "subnet-xxxxxxxx"
ec2_region = "us-west-1"
tpot_name = "T-Pot Honeypot"
linux_password = var.linux_password
web_password = var.web_password
providers = {
aws = aws.us-west-1
}
}

69
cloud/terraform/aws_multi_region/modules/multi-region/main.tf
View File

@ -1,69 +0,0 @@
variable "ec2_vpc_id" {}
variable "ec2_subnet_id" {}
variable "ec2_region" {}
variable "linux_password" {}
variable "web_password" {}
variable "tpot_name" {}
resource "aws_security_group" "tpot" {
name = "T-Pot"
description = "T-Pot Honeypot"
vpc_id = var.ec2_vpc_id
ingress {
from_port = 0
to_port = 64000
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 0
to_port = 64000
protocol = "udp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 64294
to_port = 64294
protocol = "tcp"
cidr_blocks = var.admin_ip
}
ingress {
from_port = 64295
to_port = 64295
protocol = "tcp"
cidr_blocks = var.admin_ip
}
ingress {
from_port = 64297
to_port = 64297
protocol = "tcp"
cidr_blocks = var.admin_ip
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "T-Pot"
}
}
resource "aws_instance" "tpot" {
ami = var.ec2_ami[var.ec2_region]
instance_type = var.ec2_instance_type
key_name = var.ec2_ssh_key_name
subnet_id = var.ec2_subnet_id
tags = {
Name = var.tpot_name
}
root_block_device {
volume_type = "gp2"
volume_size = 128
delete_on_termination = true
}
user_data = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
vpc_security_group_ids = [aws_security_group.tpot.id]
associate_public_ip_address = true
}

12
cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf
View File

@ -1,12 +0,0 @@
output "Admin_UI" {
value = "https://${aws_instance.tpot.public_dns}:64294/"
}
output "SSH_Access" {
value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
}
output "Web_UI" {
value = "https://${aws_instance.tpot.public_dns}:64297/"
}

57
cloud/terraform/aws_multi_region/modules/multi-region/variables.tf
View File

@ -1,57 +0,0 @@
variable "admin_ip" {
default = ["127.0.0.1/32"]
description = "admin IP addresses in CIDR format"
}
variable "ec2_ssh_key_name" {
default = "default"
}
# https://aws.amazon.com/ec2/instance-types/
variable "ec2_instance_type" {
default = "t3.xlarge"
}
# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
variable "ec2_ami" {
type = map(string)
default = {
"af-south-1" = "ami-0c372f041acae6d49"
"ap-east-1" = "ami-079b8d011d4655385"
"ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
"ap-northeast-2" = "ami-0269fe7d013b8e2dd"
"ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
"ap-south-1" = "ami-020d429f17c9f1d0a"
"ap-southeast-1" = "ami-09625a221230d9fe6"
"ap-southeast-2" = "ami-03cbc6cddb06af2c2"
"ca-central-1" = "ami-09125623b02302014"
"eu-central-1" = "ami-00c36c60f07e21791"
"eu-north-1" = "ami-052bea934e2d9dbfe"
"eu-south-1" = "ami-04e2bb16d37324719"
"eu-west-1" = "ami-0f87948fe2cf1b2a4"
"eu-west-2" = "ami-02ed1bc837487d535"
"eu-west-3" = "ami-080efd2add7e29430"
"me-south-1" = "ami-0dbde382c834c4a72"
"sa-east-1" = "ami-0a0792814cb068077"
"us-east-1" = "ami-05dd1b6e7ef6f8378"
"us-east-2" = "ami-04dd0542609808c50"
"us-west-1" = "ami-07af5f877b3db9f73"
"us-west-2" = "ami-0d0d8694ba492c02b"
}
}
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}

9
cloud/terraform/aws_multi_region/modules/multi-region/versions.tf
View File

@ -1,9 +0,0 @@
terraform {
required_version = ">= 0.13"
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.72.0"
}
}
}

7
cloud/terraform/aws_multi_region/outputs.tf
View File

@ -1,7 +0,0 @@
output "eu-west-2_Web_UI" {
value = module.eu-west-2.Web_UI
}
output "us-west-1_Web_UI" {
value = module.us-west-1.Web_UI
}

19
cloud/terraform/aws_multi_region/variables.tf
View File

@ -1,19 +0,0 @@
variable "linux_password" {
#default = "LiNuXuSeRP4Ss!"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
variable "web_password" {
#default = "w3b$ecret20"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
}
}

26
cloud/terraform/cloud-init.yaml
View File

@ -1,26 +0,0 @@
#cloud-config
timezone: ${timezone}
packages:
- git
runcmd:
- curl -sS --retry 5 https://github.com
- git clone https://github.com/telekom-security/tpotce /root/tpot
- /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
- rm /root/tpot.conf
- /sbin/shutdown -r now
password: ${password}
chpasswd:
expire: false
write_files:
- content: |
# tpot configuration file
myCONF_TPOT_FLAVOR='${tpot_flavor}'
myCONF_WEB_USER='${web_user}'
myCONF_WEB_PW='${web_password}'
owner: root:root
path: /root/tpot.conf
permissions: '0600'

38
cloud/terraform/otc/.terraform.lock.hcl generated
View File

@ -1,38 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/random" {
version = "3.1.0"
constraints = "~> 3.1.0"
hashes = [
"h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
"zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
"zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
"zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
"zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
"zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
"zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
"zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
"zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
"zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
"zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
"zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
]
}
provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
version = "1.23.6"
constraints = "~> 1.23.4"
hashes = [
"h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
"zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
"zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
"zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
"zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
"zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
"zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
"zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
"zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
"zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
]
}

9
cloud/terraform/otc/clouds.yaml
View File

@ -1,9 +0,0 @@
clouds:
open-telekom-cloud:
region_name: eu-de
auth:
project_name: eu-de_your_project
username: your_api_user
password: your_password
user_domain_name: OTC-EU-DE-000000000010000XXXXX
auth_url: https://iam.eu-de.otc.t-systems.com/v3

68
cloud/terraform/otc/main.tf
View File

@ -1,68 +0,0 @@
data "opentelekomcloud_images_image_v2" "debian" {
name = "Standard_Debian_10_latest"
}
resource "opentelekomcloud_networking_secgroup_v2" "secgroup_1" {
name = var.secgroup_name
description = var.secgroup_desc
}
resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
direction = "ingress"
ethertype = "IPv4"
remote_ip_prefix = "0.0.0.0/0"
security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
}
resource "opentelekomcloud_vpc_v1" "vpc_1" {
name = var.vpc_name
cidr = var.vpc_cidr
}
resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
name = var.subnet_name
cidr = var.subnet_cidr
vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
gateway_ip = var.subnet_gateway_ip
dns_list = ["100.125.4.25", "100.125.129.199"]
}
resource "random_id" "tpot" {
byte_length = 6
prefix = var.ecs_prefix
}
resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
name = random_id.tpot.b64_url
image_id = data.opentelekomcloud_images_image_v2.debian.id
flavor = var.ecs_flavor
vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
nics {
network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
}
system_disk_size = var.ecs_disk_size
system_disk_type = "SAS"
security_groups = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
availability_zone = var.availability_zone
key_name = var.key_pair
user_data = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
}
resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
publicip {
type = "5_bgp"
}
bandwidth {
name = "bandwidth-${random_id.tpot.b64_url}"
size = var.eip_size
share_type = "PER"
}
}
resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
}

11
cloud/terraform/otc/outputs.tf
View File

@ -1,11 +0,0 @@
output "Admin_UI" {
value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
}
output "SSH_Access" {
value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
}
output "Web_UI" {
value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
}

3
cloud/terraform/otc/provider.tf
View File

@ -1,3 +0,0 @@
provider "opentelekomcloud" {
cloud = "open-telekom-cloud"
}

98
cloud/terraform/otc/variables.tf
View File

@ -1,98 +0,0 @@
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
variable "linux_password" {
#default = "LiNuXuSeRPaSs#"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
## Security Group ##
variable "secgroup_name" {
default = "sg-tpot"
}
variable "secgroup_desc" {
default = "Security Group for T-Pot"
}
## Virtual Private Cloud ##
variable "vpc_name" {
default = "vpc-tpot"
}
variable "vpc_cidr" {
default = "192.168.0.0/16"
}
## Subnet ##
variable "subnet_name" {
default = "subnet-tpot"
}
variable "subnet_cidr" {
default = "192.168.0.0/24"
}
variable "subnet_gateway_ip" {
default = "192.168.0.1"
}
## Elastic Cloud Server ##
variable "ecs_prefix" {
default = "tpot-"
}
variable "ecs_flavor" {
default = "s3.medium.8"
}
variable "ecs_disk_size" {
default = "128"
}
variable "availability_zone" {
default = "eu-de-03"
}
variable "key_pair" {
#default = ""
description = "Specify your SSH key pair"
validation {
condition = length(var.key_pair) > 0
error_message = "Please specify a Key Pair."
}
}
## Elastic IP ##
variable "eip_size" {
default = "100"
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}
variable "web_password" {
#default = "w3b$ecret"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
}
}

13
cloud/terraform/otc/versions.tf
View File

@ -1,13 +0,0 @@
terraform {
required_version = ">= 0.13"
required_providers {
opentelekomcloud = {
source = "opentelekomcloud/opentelekomcloud"
version = "~> 1.23.4"
}
random = {
source = "hashicorp/random"
version = "~> 3.1.0"
}
}
}

BIN
doc/architecture.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 432 KiB

After

Width:  |  Height:  |  Size: 336 KiB

BIN
doc/attackmap.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 380 KiB

BIN
doc/cockpit1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 89 KiB

BIN
doc/cockpit2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
doc/cockpit3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
doc/cockpit_a.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 135 KiB

BIN
doc/cockpit_b.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 334 KiB

BIN
doc/cyberchef.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 117 KiB

After

Width:  |  Height:  |  Size: 58 KiB

BIN
doc/dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 594 KiB

BIN
doc/dockerui.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 87 KiB

BIN
doc/elasticvue.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 174 KiB

BIN
doc/headplugin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
doc/kibana.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 885 KiB

BIN
doc/kibana_a.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 464 KiB

BIN
doc/kibana_b.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 129 KiB

BIN
doc/kibana_c.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 213 KiB

BIN
doc/netdata.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 199 KiB

BIN
doc/spiderfoot.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 162 KiB

After

Width:  |  Height:  |  Size: 52 KiB

BIN
doc/t-pot_qr.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 92 KiB

BIN
doc/t-pot_wallpaper_19201080.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 252 KiB

BIN
doc/t-pot_wallpaper_4k.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 606 KiB

BIN
doc/tpotsocial.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 148 KiB

BIN
doc/tpotwebui.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 324 KiB

BIN
doc/webssh.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 148 KiB

43
docker/adbhoney/Dockerfile
View File

@ -1,36 +1,31 @@
FROM alpine:3.15
#
# Include dist
COPY dist/ /root/dist/
#
FROM alpine
# Install packages
RUN apk --no-cache -U add \
RUN apk -U --no-cache add \
git \
procps \
python3 && \
#
libcap \
python \
python-dev && \
# Install adbhoney from git
git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
cd /opt/adbhoney && \
# git checkout ad7c17e78d01f6860d58ba826a4b6a4e4f83acbd && \
git checkout 2417a7a982f4fd527b3a048048df9a23178767ad && \
cp /root/dist/adbhoney.cfg /opt/adbhoney && \
sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
#
git clone --depth=1 https://github.com/huuck/ADBHoney /opt/adbhoney && \
sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/main.py && \
sed -i 's/dst_port/dest_port/' /opt/adbhoney/main.py && \
# Setup user, groups and configs
addgroup -g 2000 adbhoney && \
adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
chown -R adbhoney:adbhoney /opt/adbhoney && \
#
setcap cap_net_bind_service=+ep /usr/bin/python2.7 && \
# Clean up
apk del --purge git && \
rm -rf /root/* /opt/adbhoney/.git /var/cache/apk/*
#
apk del --purge git \
python-dev && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Set workdir and start adbhoney
STOPSIGNAL SIGINT
# Adbhoney sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
USER adbhoney:adbhoney
WORKDIR /opt/adbhoney/
CMD /usr/bin/python3 run.py
CMD nohup /usr/bin/python main.py -l log/adbhoney.log -j log/adbhoney.json -d dl/

19
docker/adbhoney/dist/adbhoney.cfg vendored
View File

@ -1,19 +0,0 @@
[honeypot]
hostname = honeypot01
address = 0.0.0.0
port = 5555
download_dir = dl/
log_dir = log/
device_id = device::http://ro.product.name =starltexx;ro.product.model=SM-G960F;ro.product.device=starlte;features=cmd,stat_v2,shell_v2
[output_log]
enabled = true
log_file = adbhoney.log
log_level = info
[output_json]
enabled = true
log_file = adbhoney.json

4
docker/adbhoney/docker-compose.yml
View File

@ -10,13 +10,11 @@ services:
build: .
container_name: adbhoney
restart: always
# cpu_count: 1
# cpus: 0.25
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:2204"
image: "dtagdevsec/adbhoney:1811"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log

79
docker/builder.sh
View File

@ -1,79 +0,0 @@
#!/bin/bash
# Setup Vars
myPLATFORMS="linux/amd64,linux/arm64"
myHUBORG="dtagdevsec"
myTAG="2204"
myIMAGESBASE="adbhoney ciscoasa citrixhoneypot conpot cowrie ddospot dicompot dionaea elasticpot endlessh ewsposter fatt glutton hellpot heralding honeypots honeytrap ipphoney log4pot mailoney medpot nginx p0f redishoneypot sentrypeer spiderfoot suricata wordpot"
myIMAGESELK="elasticsearch kibana logstash map"
myIMAGESTANNER="phpox redis snare tanner"
myBUILDERLOG="builder.log"
myBUILDERERR="builder.err"
myBUILDCACHE="/buildcache"
# Got root?
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
# Check for Buildx
docker buildx > /dev/null 2>&1
if [ "$?" == "1" ];
then
echo "### Build environment not setup. Run bin/setup_builder.sh"
fi
# Only run with command switch
if [ "$1" == "" ]; then
echo "### T-Pot Multi Arch Image Builder."
echo "## Usage: builder.sh [build, push]"
echo "## build - Just build images, do not push."
echo "## push - Build and push images."
echo "## Pushing requires an active docker login."
exit
fi
fuBUILDIMAGES () {
local myPATH="$1"
local myIMAGELIST="$2"
local myPUSHOPTION="$3"
for myREPONAME in $myIMAGELIST;
do
echo -n "Now building: $myREPONAME in $myPATH$myREPONAME/."
docker buildx build --cache-from "type=local,src=$myBUILDCACHE" --cache-to "type=local,dest=$myBUILDCACHE" --platform $myPLATFORMS -t $myHUBORG/$myREPONAME:$myTAG $myPUSHOPTION $myPATH$myREPONAME/. >> $myBUILDERLOG 2>&1
if [ "$?" != "0" ];
then
echo " [ ERROR ] - Check logs!"
echo "Error building $myREPONAME" >> "$myBUILDERERR"
else
echo " [ OK ]"
fi
done
}
# Just build images
if [ "$1" == "build" ];
then
mkdir -p $myBUILDCACHE
rm -f "$myBUILDERLOG" "$myBUILDERERR"
echo "### Building images ..."
fuBUILDIMAGES "" "$myIMAGESBASE" ""
fuBUILDIMAGES "elk/" "$myIMAGESELK" ""
fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" ""
fi
# Build and push images
if [ "$1" == "push" ];
then
mkdir -p $myBUILDCACHE
rm -f "$myBUILDERLOG" "$myBUILDERERR"
echo "### Building and pushing images ..."
fuBUILDIMAGES "" "$myIMAGESBASE" "--push"
fuBUILDIMAGES "elk/" "$myIMAGESELK" "--push"
fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" "--push"
fi

Some files were not shown because too many files have changed in this diff Show More