telekom-security/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 01:27:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: telekom-security:22.04.0
Branches Tags
telekom-security:master telekom-security:24.04 telekom-security:alpha telekom-security:22.04 telekom-security:dev telekom-security:20.06 telekom-security:19.03 telekom-security:18.11
telekom-security:24.04.1 telekom-security:24.04.0 telekom-security:24.04.0beta telekom-security:22.04.0 telekom-security:20.06.2 telekom-security:20.06.1 telekom-security:20.06.0 telekom-security:19.03.3 telekom-security:19.03.1 telekom-security:19.03 telekom-security:19.03.beta telekom-security:18.11.1 telekom-security:18.11 telekom-security:17.10 telekom-security:17.10.beta telekom-security:17.10.alpha telekom-security:16.10.1 telekom-security:16.10
..
compare: telekom-security:19.03
Branches Tags
telekom-security:master telekom-security:24.04 telekom-security:alpha telekom-security:22.04 telekom-security:dev telekom-security:20.06 telekom-security:19.03 telekom-security:18.11
telekom-security:24.04.1 telekom-security:24.04.0 telekom-security:24.04.0beta telekom-security:22.04.0 telekom-security:20.06.2 telekom-security:20.06.1 telekom-security:20.06.0 telekom-security:19.03.3 telekom-security:19.03.1 telekom-security:19.03 telekom-security:19.03.beta telekom-security:18.11.1 telekom-security:18.11 telekom-security:17.10 telekom-security:17.10.beta telekom-security:17.10.alpha telekom-security:16.10.1 telekom-security:16.10

7 Commits
22.04.0 ... 19.03

Author SHA1 Message Date
listbot
198305fc57 listbot integration 2020-05-12 10:41:32 +00:00
Marco Ochse
c50d147926 Update capture-filter.bpf 2020-04-22 17:58:36 +02:00
Marco Ochse
0405a20402 Update update.sh 2020-04-22 17:47:57 +02:00
Marco Ochse
775ea76b98 Update Dockerfile 2020-04-22 17:46:55 +02:00
Marco Ochse
b98d9d352e Load listbot data from OTC 2020-04-22 17:11:54 +02:00
Marco Ochse
c277f313dc Update Dockerfile 2020-04-02 17:21:00 +02:00
Marco Ochse
b12cf0e418 offload listbot data from netlify CDN 2020-04-02 17:15:35 +02:00
362 changed files with 8321 additions and 11955 deletions
Expand all files Collapse all files

12
.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md → .github/ISSUE_TEMPLATE.md vendored
View File

@ -1,14 +1,6 @@
---
name: Bug report for T-Pot
about: Bug report for T-Pot
title: ''
labels: ''
assignees: ''
---
Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
# Issues
Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue:
- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).

20
.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md vendored
View File

@ -1,20 +0,0 @@
---
name: Feature request for T-Pot
about: Suggest an idea for T-Pot
title: ''
labels: ''
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

39
.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md vendored
View File

@ -1,39 +0,0 @@
---
name: General issue for T-Pot
about: General issue for T-Pot
title: ''
labels: ''
assignees: ''
---
🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
<br>
<br>
<br>
<a name="info"></a>
## ⚠️ Basic support information (commands are expected to run as `root`)
- What version of the OS are you currently using `lsb_release -a` and `uname -a`?
- What T-Pot version are you currently using?
- What edition (Standard, Nextgen, etc.) of T-Pot are you running?
- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
- How long has your installation been running?
- Did you install upgrades, packages or use the update script?
- Did you modify any scripts or configs? If yes, please attach the changes.
- Please provide a screenshot of `glances` and `htop`.
- How much free disk space is available (`df -h`)?
- What is the current container status (`dps.sh`)?
- What is the status of the T-Pot service (`systemctl status tpot`)?
- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
- If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

221
CHANGELOG.md
View File

@ -1,45 +1,188 @@
# Release Notes / Changelog
T-Pot 22.04.0 is probably the most feature rich release ever provided with long awaited (wanted!) features readily available after installation.
# Changelog
## New Features
* **Distributed** Installation with **HIVE** and **HIVE_SENSOR**
* **ARM64** support for all provided Docker images
* **GeoIP Attack Map** visualizing Live Attacks on a dedicated webpage
* **Kibana Live Attack Map** visualizing Live Attacks from different **HIVE_SENSORS**
* **Blackhole** is a script trying to avoid mass scanner detection
* **Elasticvue** a web front end for browsing and interacting with an Elastic Search cluster
* **Ddospot** a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
* **Endlessh** is a SSH tarpit that very slowly sends an endless, random SSH banner
* **HellPot** is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
* **qHoneypots** 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
* **Redishoneypot** is a honeypot mimicking some of the Redis' functions
* **SentryPeer** a dedicated SIP honeypot
* **Index Lifecycle Management** for Elasticseach indices is now being used
## 20200116
- **Bump ELK to latest 6.8.6**
- **Update ISO image to fix upstream bug of missing kernel modules**
- **Include dashboards for CitrixHoneypot**
- Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
- This update requires the latest Kibana objects as well. Download the latest from https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/etc/objects/kibana_export.json.zip, unzip and import the objects within Kibana WebUI > Management > Saved Objects > Export / Import". All objects will be overwritten upon import, make sure to run an export first.
## Upgrades
* **Debian 11.x** is now being used for the T-Pot ISO images and required for post installs
* **Elastic Stack 8.x** is now provided as Docker images
## 20200115
- **Prepare integration of CitrixHoneypot**
- Prepare integration of [CitrixHoneypot](https://github.com/MalwareTech/CitrixHoneypot) by MalwareTech
- Integration into ELK is still open
- Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
## Updates
* **Honeypots** and **tools** were updated to their latest masters and releases
* Updates will be provided continuously through Docker Images updates
## 20191224
- **Use pigz, optimize logrotate.conf**
- Use `pigz` for faster archiving, especially with regard to high volumes of logs - Thanks to @workandresearchgithub!
- Optimize `logrotate.conf` to improve archiving speed and get rid of multiple compression, also introduce `pigz`.
## Breaking Changes
* For security reasons all Py2.x honeypots with the need of PyPi packages have been removed: **HoneyPy**, **HoneySAP** and **RDPY**
* If you are upgrading from a previous version of T-Pot (20.06.x) you need to import the new Kibana objects or some of the functionality will be broken or will be unavailabe
* **Cyberchef** is now part of the Nginx Docker image, no longer as individual image
* **ElasticSearch Head** is superseded by **Elasticvue** and part the Nginx Docker image
* **Heimdall** is no longer supported and superseded with a new Bento based landing page
* **Elasticsearch Curator** is no longer supprted and superseded with **Index Lifecycle Policies** available through Kibana.
## 20191121
- **Bump ADBHoney to latest master**
- Use latest version of ADBHoney, which now fully support Python 3.x - Thanks to @huuck!
# Thanks & Credits
* @ghenry, for some fun late night debugging and of course SentryPeer!
* @giga-a, for adding much appreciated features (i.e. JSON logging,
X-Forwarded-For, etc.) and of course qHoneypots!
* @sp3t3rs, @trixam, for their backend and ews support!
* @tadashi-oya, for spotting some errors and propose fixes!
* @tmariuss, @shaderecker for their cloud contributions!
* @vorband, for much appreciated and helpful insights regarding the GeoIP Attack Map!
* @yunginnanet, on not giving up on squashing a bug and of course Hellpot!
## 20191113, 20191104, 20191103, 20191028
- **Switch to Debian 10 on OTC, Ansible Improvements**
- OTC now supporting Debian 10 - Thanks to @shaderecker!
... and many others from the T-Pot community by opening valued issues and discussions, suggesting ideas and thus helping to improve T-Pot!
## 20191028
- **Fix an issue with pip3, yq**
- `yq` needs rehashing.
## 20191026
- **Remove cockpit-pcp**
- `cockpit-pcp` floods swap for some reason - removing for now.
## 20191022
- **Bump Suricata to 5.0.0**
## 20191021
- **Bump Cowrie to 2.0.0**
## 20191016
- **Tweak installer, pip3, Heralding**
- Install `cockpit-pcp` right from the start for machine monitoring in cockpit.
- Move installer and update script to use pip3.
- Bump heralding to latest master (1.0.6) - Thanks @johnnykv!
## 20191015
- **Tweaking, Bump glutton, unlock ES script**
- Add `unlock.sh` to unlock ES indices in case of lockdown after disk quota has been reached.
- Prevent too much terminal logging from p0f and glutton since `daemon.log` was filled up.
- Bump glutton to latest master now supporting payload_hex. Thanks to @glaslos.
## 20191002
- **Merge**
- Support Debian Buster images for AWS #454
- Thank you @piffey
## 20190924
- **Bump EWSPoster**
- Supports Python 3.x
- Thank you @Trixam
## 20190919
- **Merge**
- Handle non-interactive shells #454
- Thank you @Oogy
## 20190907
- **Logo tweaking**
- Add QR logo
## 20190828
- **Upgrades and rebuilds**
- Bump Medpot, Nginx and Adbhoney to latest master
- Bump ELK stack to 6.8.2
- Rebuild Mailoney, Honeytrap, Elasticpot and Ciscoasa
- Add 1080p T-Pot wallpaper for download
## 20190824
- **Add some logo work**
- Thanks to @thehadilps's suggestion adjusted social preview
- Added 4k T-Pot wallpaper for download
## 20190823
- **Fix for broken Fuse package**
- Fuse package in upstream is broken
- Adjust installer as workaround, fixes #442
## 20190816
- **Upgrades and rebuilds**
- Adjust Dionaea to avoid nmap detection, fixes #435 (thanks @iukea1)
- Bump Tanner, Cyberchef, Spiderfoot and ES Head to latest master
## 20190815
- **Bump ELK stack to 6.7.2**
- Transition to 7.x must iterate slowly through previous versions to prevent changes breaking T-Pots
## 20190814
- **Logstash Translation Maps improvement**
- Download translation maps rather than running a git pull
- Translation maps will now be bzip2 compressed to reduce traffic to a minimum
- Fixes #432
## 20190802
- **Add support for Buster as base image**
- Install ISO is now based on Debian Buster
- Installation upon Debian Buster is now supported
## 20190701
- **Reworked Ansible T-Pot Deployment**
- Transitioned from bash script to all Ansible
- Reusable Ansible Playbook for OpenStack clouds
- Example Showcase with our Open Telekom Cloud
- Adaptable for other cloud providers
## 20190626
- **HPFEEDS Opt-In commandline option**
- Pass a hpfeeds config file as a commandline argument
- hpfeeds config is saved in `/data/ews/conf/hpfeeds.cfg`
- Update script restores hpfeeds config
## 20190604
- **Finalize Fatt support**
- Build visualizations, searches, dashboards
- Rebuild index patterns
- Some finishing touches
## 20190601
- **Start supporting Fatt, remove Glastopf**
- Build Dockerfile, Adjust logstash, installer, update and such.
- Glastopf is no longer supported within T-Pot
## 20190528+20190531
- **Increase total number of fields**
- Adjust total number of fileds for logstash templae from 1000 to 2000.
## 20190526
- **Fix build for Cowrie**
- Upstream changes required a new package `py-bcrypt`.
## 20190525
- **Fix build for RDPY**
- Building was prevented due to cache error which occurs lately on Alpine if `apk` is using `--no-ache' as options.
## 20190520
- **Adjust permissions for /data folder**
- Now it is possible to download files from `/data` using SCP, WINSCP or CyberDuck.
## 20190513
- **Added Ansible T-Pot Deployment on Open Telekom Cloud**
- Reusable Ansible Playbooks for all cloud providers
- Example Showcase with our Open Telekom Cloud
## 20190511
- **Add hptest script**
- Quickly test if the honeypots are working with `hptest.sh <[ip,host]>` based on nmap.
## 20190508
- **Add tsec / install user to tpot group**
- For users being able to easily download logs from the /data folder the installer now adds the `tpot` or the logged in user (`who am i`) via `usermod -a -G tpot <user>` to the tpot group. Also /data permissions will now be enforced to `770`, which is necessary for directory listings.
## 20190502
- **Fix KVPs**
- Some KVPs for Cowrie changed and the tagcloud was not showing any values in the Cowrie dashboard.
- New installations are not affected, however existing installations need to import the objects from /opt/tpot/etc/objects/kibana-objects.json.zip.
- **Makeiso**
- Move to Xorriso for building the ISO image.
- This allows to support most of the Debian based distros, i.e. Debian, MxLinux and Ubuntu.
## 20190428
- **Rebuild ISO**
- The install ISO needed a rebuilt after some changes in the Debian mirrors.
- **Disable Netselect**
- After some reports in the issues that some Debian mirrors were not fully synced and thus some packages were unavailable the netselect-apt feature was disabled.
## 20190406
- **Fix for SSH**
- In some situations the SSH Port was not written to a new line (thanks to @dpisano for reporting).
- **Fix race condition for apt-fast**
- Curl and wget need to be installed before apt-fast installation.
## 20190404
- **Fix #332**
- If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used.
- **Improve install speed with apt-fast**
- Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package.

1107
README.md
View File

File diff suppressed because it is too large Load Diff

77
bin/2fa.sh
View File

@ -1,77 +0,0 @@
#!/bin/bash
# Make sure script is started as non-root.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" = "root" ]
then
echo "Need to run as non-root ..."
echo ""
exit
fi
# set vars, check deps
myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
if ! [ -s "$myPAM_COCKPIT_FILE" ];
then
echo "### Cockpit PAM module config does not exist. Something went wrong."
echo ""
exit 1
fi
myPAM_COCKPIT_GA="
# google authenticator for two-factor
auth required pam_google_authenticator.so
"
myAUTHENTICATOR=$(which google-authenticator)
if [ "$myAUTHENTICATOR" == "" ];
then
echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
echo ""
sudo apt-get update
sudo apt-get install -y libpam-google-authenticator
exec "$1" "$2"
exit 1
fi
# write PAM changes
function fuWRITE_PAM_CHANGES {
myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
if ! [ "$myCHECK" == "0" ];
then
echo "### PAM config already enabled. Skipped."
echo ""
else
echo "### Updating PAM config for Cockpit (if asked provide root password)."
echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
sudo systemctl restart cockpit
fi
}
# create 2fa
function fuGEN_TOKEN {
echo "### Now generating token for Google Authenticator."
echo ""
google-authenticator -t -d -r 3 -R 30 -w 17
}
# main
echo "### This script will enable Two Factor Authentication for Cockpit."
echo ""
echo "### Please download one of the many authenticator apps from the appstore of your choice."
echo ""
while true;
do
read -p "### Ready to start (y/n)? " myANSWER
case $myANSWER in
[Yy]* ) echo "### OK. Starting ..."; break;;
[Nn]* ) echo "### Exiting."; exit;;
esac
done
fuWRITE_PAM_CHANGES
fuGEN_TOKEN
echo "Done. Re-run this script by every user who needs Cockpit access."
echo ""

23
bin/backup_es_folders.sh
View File

@ -1,21 +1,12 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ];
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
then
echo "Usage: backup_es_folders [all, base]"
echo " all = backup all ES folder"
echo " base = backup only Kibana index".
echo
exit
fi
# Backup all ES relevant folders
# Make sure ES is available
myES="http://127.0.0.1:64298/"
@ -34,7 +25,7 @@ myCOUNT=1
myDATE=$(date +%Y%m%d%H%M)
myELKPATH="/data/elk/data"
myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
@ -51,11 +42,5 @@ sleep 2
# Backup DB in 2 flavors
echo "### Now backing up Elasticsearch folders ..."
if [ "$1" == "all" ];
then
tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
elif [ "$1" == "base" ];
then
tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
fi
tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH

109
bin/blackhole.sh
View File

@ -1,109 +0,0 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "### Need to run as root ..."
echo
exit
fi
# Disclaimer
if [ "$1" == "" ];
then
echo "### Warning!"
echo "### This script will download and add blackhole routes for known mass scanners in an attempt to decrease the chance of detection."
echo "### IPs are neither curated or verified, use at your own risk!"
echo "###"
echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
echo
echo "Usage: blackhole.sh add (add blackhole routes)"
echo " blackhole.sh del (delete blackhole routes)"
echo
exit
fi
# QnD paths, files
mkdir -p /etc/blackhole
cd /etc/blackhole
myFILE="mass_scanner.txt"
myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
myBASELINE="500"
# Alternatively, using less routes, but blocking complete /24 networks
#myFILE="mass_scanner_cidr.txt"
#myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
# Calculate age of downloaded list, read IPs
if [ -f "$myFILE" ];
then
myNOW=$(date +%s)
myOLD=$(date +%s -r "$myFILE")
myDAYS=$(( ($myNOW-$myOLD) / (60*60*24) ))
echo "### Downloaded $myFILE list is $myDAYS days old."
myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
fi
# Let's load ip list
if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
then
echo "### Downloading $myFILE list."
aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
fi
myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
# Let's extract mass scanner IPs
if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
then
echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
echo "### Aborting."
echo
exit
elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
then
echo "### Blackhole already enabled."
echo "### Aborting."
echo
exit
fi
# Let's add blackhole routes for all mass scanner IPs
if [ "$1" == "add" ];
then
echo
echo -n "Now adding $myCOUNT IPs to blackhole."
for i in $myBLACKHOLE_IPS;
do
ip route add blackhole "$i"
echo -n "."
done
echo
echo "Added $(ip r | grep "blackhole" -c) IPs to blackhole."
echo
echo "### Remember!"
echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
echo
exit
fi
# Let's delete blackhole routes for all mass scanner IPs
if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
then
echo
echo -n "Now deleting $myCOUNT IPs from blackhole."
for i in $myBLACKHOLE_IPS;
do
ip route del blackhole "$i"
echo -n "."
done
echo
echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
echo
rm "$myFILE"
else
echo "### Blackhole already disabled."
echo
fi

2
bin/change_ews_config.sh
View File

@ -60,7 +60,7 @@ fi
echo ""
echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist
wget -q https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist
if [[ -f "ews.cfg.dist" ]]; then
echo "[+] Successfully downloaded ews.cfg from github."
else

96
bin/clean.sh
View File

@ -114,23 +114,6 @@ fuCOWRIE () {
chown tpot:tpot /data/cowrie -R
}
# Let's create a function to clean up and prepare ddospot data
fuDDOSPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
mkdir -p /data/ddospot/log
chmod 770 /data/ddospot -R
chown tpot:tpot /data/ddospot -R
}
# Let's create a function to clean up and prepare dicompot data
fuDICOMPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
mkdir -p /data/dicompot/log
mkdir -p /data/dicompot/images
chmod 770 /data/dicompot -R
chown tpot:tpot /data/dicompot -R
}
# Let's create a function to clean up and prepare dionaea data
fuDIONAEA () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
@ -157,14 +140,6 @@ fuELK () {
chown tpot:tpot /data/elk -R
}
# Let's create a function to clean up and prepare endlessh data
fuENDLESSH () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
mkdir -p /data/endlessh/log
chmod 770 /data/endlessh -R
chown tpot:tpot /data/endlessh -R
}
# Let's create a function to clean up and prepare fatt data
fuFATT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
@ -181,14 +156,6 @@ fuGLUTTON () {
chown tpot:tpot /data/glutton -R
}
# Let's create a function to clean up and prepare hellpot data
fuHELLPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
mkdir -p /data/hellpot/log
chmod 770 /data/hellpot -R
chown tpot:tpot /data/hellpot -R
}
# Let's create a function to clean up and prepare heralding data
fuHERALDING () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
@ -197,20 +164,12 @@ fuHERALDING () {
chown tpot:tpot /data/heralding -R
}
# Let's create a function to clean up and prepare honeypots data
fuHONEYPOTS () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
mkdir -p /data/honeypots/log
chmod 770 /data/honeypots -R
chown tpot:tpot /data/honeypots -R
}
# Let's create a function to clean up and prepare honeysap data
fuHONEYSAP () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi
mkdir -p /data/honeysap/log
chmod 770 /data/honeysap -R
chown tpot:tpot /data/honeysap -R
# Let's create a function to clean up and prepare honeypy data
fuHONEYPY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
mkdir -p /data/honeypy/log
chmod 770 /data/honeypy -R
chown tpot:tpot /data/honeypy -R
}
# Let's create a function to clean up and prepare honeytrap data
@ -221,22 +180,6 @@ fuHONEYTRAP () {
chown tpot:tpot /data/honeytrap/ -R
}
# Let's create a function to clean up and prepare ipphoney data
fuIPPHONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
mkdir -p /data/ipphoney/log
chmod 770 /data/ipphoney -R
chown tpot:tpot /data/ipphoney -R
}
# Let's create a function to clean up and prepare log4pot data
fuLOG4POT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
mkdir -p /data/log4pot/log
chmod 770 /data/log4pot -R
chown tpot:tpot /data/log4pot -R
}
# Let's create a function to clean up and prepare mailoney data
fuMAILONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@ -269,22 +212,6 @@ fuRDPY () {
chown tpot:tpot /data/rdpy/ -R
}
# Let's create a function to clean up and prepare redishoneypot data
fuREDISHONEYPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
mkdir -p /data/redishoneypot/log
chmod 770 /data/redishoneypot -R
chown tpot:tpot /data/redishoneypot -R
}
# Let's create a function to clean up and prepare sentrypeer data
fuSENTRYPEER () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
mkdir -p /data/sentrypeer/log
chmod 770 /data/sentrypeer -R
chown tpot:tpot /data/sentrypeer -R
}
# Let's create a function to prepare spiderfoot db
fuSPIDERFOOT () {
mkdir -p /data/spiderfoot
@ -344,27 +271,18 @@ if [ "$myPERSISTENCE" = "on" ];
fuCITRIXHONEYPOT
fuCONPOT
fuCOWRIE
fuDDOSPOT
fuDICOMPOT
fuDIONAEA
fuELASTICPOT
fuELK
fuENDLESSH
fuFATT
fuGLUTTON
fuHERALDING
fuHELLPOT
fuHONEYSAP
fuHONEYPOTS
fuHONEYPY
fuHONEYTRAP
fuIPPHONEY
fuLOG4POT
fuMAILONEY
fuMEDPOT
fuNGINX
fuREDISHONEYPOT
fuRDPY
fuSENTRYPEER
fuSPIDERFOOT
fuSURICATA
fuP0F

182
bin/deploy.sh
View File

@ -1,182 +0,0 @@
#!/bin/bash
# Do we have root?
function fuGOT_ROOT {
echo
echo -n "### Checking for root: "
if [ "$(whoami)" != "root" ];
then
echo "[ NOT OK ]"
echo "### Please run as root."
echo "### Example: sudo $0"
exit
else
echo "[ OK ]"
fi
}
function fuDEPLOY_SENSOR () {
echo
echo "###############################"
echo "# Deploying to T-Pot Hive ... #"
echo "###############################"
echo
sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
echo "$MY_SENSOR_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
EOF
echo
echo "###########################"
echo "# Done. Please reboot ... #"
echo "###########################"
echo
exit 0
}
# Check Hive availability
function fuCHECK_HIVE () {
echo
echo "############################################"
echo "# Checking for T-Pot Hive availability ... #"
echo "############################################"
echo
sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
if [ $? -eq 0 ];
then
echo
echo "#########################"
echo "# T-Pot Hive available! #"
echo "#########################"
echo
myHIVE_OK=$(curl -s http://127.0.0.1:64305)
if [ "$myHIVE_OK" == "ok" ];
then
echo
echo "##############################"
echo "# T-Pot Hive tunnel test OK! #"
echo "##############################"
echo
kill -9 $(pidof ssh)
else
echo
echo "######################################################"
echo "# T-Pot Hive tunnel test FAILED! #"
echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
echo "# Aborting. #"
echo "######################################################"
echo
kill -9 $(pidof ssh)
rm $MY_SENSOR_PUBLICKEYFILE
rm $MY_SENSOR_PRIVATEKEYFILE
rm $MY_LS_ENVCONFIGFILE
exit 1
fi;
else
echo
echo "#################################################################"
echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
echo "# Aborting. #"
echo "#################################################################"
echo
rm $MY_SENSOR_PUBLICKEYFILE
rm $MY_SENSOR_PRIVATEKEYFILE
rm $MY_LS_ENVCONFIGFILE
exit 1
fi;
}
function fuGET_DEPLOY_DATA () {
echo
echo "### Please provide data from your T-Pot Hive installation."
echo "### This usually is the one running the 'T-Pot Hive' type."
echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
echo "### Do not worry, the password will not be persisted!"
echo
read -p "Username: " MY_TPOT_USERNAME
read -s -p "Password: " SSHPASS
echo
export SSHPASS
read -p "IP / FQDN: " MY_HIVE_IP
MY_HIVE_USERNAME="$(hostname)"
MY_TPOT_TYPE="SENSOR"
MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
MY_SENSOR_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
MY_SENSOR_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
if ! [ -s "$MY_SENSOR_PRIVATEKEYFILE" ] && ! [ -s "$MY_SENSOR_PUBLICKEYFILE" ];
then
echo
echo "##############################"
echo "# Generating ssh keyfile ... #"
echo "##############################"
echo
mkdir -p /data/elk/logstash
ssh-keygen -f "$MY_SENSOR_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
MY_SENSOR_PUBLICKEY="$(cat "$MY_SENSOR_PUBLICKEYFILE")"
else
echo
echo "#############################################"
echo "# There is already a ssh keyfile. Aborting. #"
echo "#############################################"
echo
exit 1
fi
echo
echo "###########################################################"
echo "# Writing config to /data/elk/logstash/ls_environment. #"
echo "# If you make changes to this file, you need to reboot or #"
echo "# run /opt/tpot/bin/updateip.sh. #"
echo "###########################################################"
echo
tee $MY_LS_ENVCONFIGFILE << EOF
MY_TPOT_TYPE=$MY_TPOT_TYPE
MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
MY_HIVE_USERNAME=$MY_HIVE_USERNAME
MY_HIVE_IP=$MY_HIVE_IP
EOF
}
# Deploy Pot to Hive
fuGOT_ROOT
echo
echo "#################################"
echo "# Ship T-Pot Logs to T-Pot Hive #"
echo "#################################"
echo
echo "If you already have a T-Pot Hive installation running and"
echo "this T-Pot installation is running the type \"Pot\" the"
echo "script will automagically setup this T-Pot to ship and"
echo "prepare the Hive to receive logs from this T-Pot."
echo
echo
echo "###################################"
echo "# Deploy T-Pot Logs to T-Pot Hive #"
echo "###################################"
echo
echo "[c] - Continue deplyoment"
echo "[q] - Abort and exit"
echo
while [ 1 != 2 ]
do
read -s -n 1 -p "Your choice: " mySELECT
echo $mySELECT
case "$mySELECT" in
[c,C])
fuGET_DEPLOY_DATA
fuCHECK_HIVE
fuDEPLOY_SENSOR
break
;;
[q,Q])
echo "Aborted."
exit 0
;;
esac
done

122
bin/deprecated/hptest.sh
View File

@ -1,122 +0,0 @@
#!/bin/bash
myHOST="$1"
myPACKAGES="dcmtk netcat nmap"
myMEDPOTPACKET="
MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
EVN|A01|198808181123
PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
NK1|1|JONES^BARBARA^K|SPO|||||20011105
NK1|1|JONES^MICHAEL^A|FTH
PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
AL1|2||^CAT DANDER||CODE257
DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
GT1|1122|1519|BILL^GATES^A
IN1|001|A357|1234|BCMD|||||132987
IN2|ID1551001|SSN12345678
ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
function fuGOTROOT {
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
}
function fuCHECKDEPS {
myINST=""
for myDEPS in $myPACKAGES;
do
myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
if [ "$myOK" != "ok" ]
then
myINST=$(echo $myINST $myDEPS)
fi
done
if [ "$myINST" != "" ]
then
apt-get update -y
for myDEPS in $myINST;
do
apt-get install $myDEPS -y
done
fi
}
function fuCHECKFORARGS {
if [ "$myHOST" != "" ];
then
echo "All arguments met. Continuing."
else
echo "Usage: hp_test.sh <[host or ip]>"
exit
fi
}
function fuGETPORTS {
myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
echo "Found these ports enabled:"
echo "$myPORTS"
exit
}
function fuSCAN {
local myTIMEOUT="$1"
local mySCANPORT="$2"
local mySCANIP="$3"
local mySCANOPTS="$4"
timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
}
# Main
fuGOTROOT
fuCHECKDEPS
fuCHECKFORARGS
echo "Starting scans ..."
echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
curl -XGET "http://$myHOST:9200/logstash-*/_search" &
curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
findscu -P -k PatientName="*" $myHOST 11112 &
getscu -P -k PatientName="*" $myHOST 11112 &
telnet $myHOST 3299 &
fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
wait
reset
echo "Done."

45
bin/dps.sh
View File

@ -8,14 +8,8 @@ if [ "$myWHOAMI" != "root" ]
exit
fi
myPARAM="$1"
if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
then
watch --color -n $myPARAM "dps.sh"
exit
fi
# Show current status of T-Pot containers
myPARAM="$1"
myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
myRED=""
myGREEN=""
@ -23,39 +17,19 @@ myBLUE=""
myWHITE=""
myMAGENTA=""
# Blackhole Status
myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
if [ "$myBLACKHOLE_STATUS" -gt "500" ];
then
myBLACKHOLE_STATUS="${myGREEN}ENABLED"
else
myBLACKHOLE_STATUS="${myRED}DISABLED"
fi
function fuGETTPOT_STATUS {
# T-Pot Status
myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
if [ "$myTPOT_STATUS" == "active" ];
then
echo "${myGREEN}ACTIVE"
else
echo "${myRED}INACTIVE"
fi
}
function fuGETSTATUS {
grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
}
function fuGETSYS {
printf "[ ========| System |======== ]\n"
printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
printf "========| System |========\n"
printf "%+10s %-20s\n" "Date: " "$(date)"
printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)"
echo
}
while true
do
myDPS=$(fuGETSTATUS)
myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
fuGETSYS
@ -71,3 +45,10 @@ echo
printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
fi
done
if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
then
sleep "$myPARAM"
else
break
fi
done

34
bin/deprecated/export_kibana-objects.sh → bin/export_kibana-objects.sh
View File

@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit
else
echo "### Elasticsearch is available, now continuing."
@ -15,25 +15,24 @@ fi
# Set vars
myDATE=$(date +%Y%m%d%H%M)
myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myCONFIGS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=config&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
myCOL1=""
myCOL0=""
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
rm -rf patterns/ dashboards/ visualizations/ searches/
}
trap fuCLEANUP EXIT
# Export index patterns
mkdir -p patterns
echo $myCOL1"### Now exporting"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes, references}' > patterns/$myINDEXID.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes}' > patterns/$myINDEXID.json &
echo
# Export dashboards
@ -42,7 +41,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"das
for i in $myDASHBOARDS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes, references}' > dashboards/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes}' > dashboards/$i.json &
done;
echo
@ -52,7 +51,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1
for i in $myVISUALIZATIONS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes, references}' > visualizations/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes}' > visualizations/$i.json &
done;
echo
@ -62,17 +61,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searc
for i in $mySEARCHES;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes, references}' > searches/$i.json &
done;
echo
# Export configs
mkdir -p configs
echo $myCOL1"### Now exporting"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
for i in $myCONFIGS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/config/'$i'' | jq '. | {attributes, references}' > configs/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes}' > searches/$i.json &
done;
echo
@ -81,7 +70,7 @@ wait
# Building tar archive
echo $myCOL1"### Now building archive"$myCOL0 "kibana-objects_"$myDATE".tgz"
tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches configs > /dev/null
tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches > /dev/null
# Stats
echo
@ -90,5 +79,4 @@ echo $myCOL1"###### Exported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
echo $myCOL1"###### Exported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
echo

21
bin/hpfeeds_optin.sh
View File

@ -10,6 +10,20 @@ fi
myTPOTYMLFILE="/opt/tpot/etc/tpot.yml"
function fuSISSDEN () {
echo
echo "You chose SISSDEN, you just need to provide ident and secret"
echo
myENABLE="true"
myHOST="hpfeeds.sissden.eu"
myPORT="10000"
myCHANNEL="t-pot.events"
myCERT="/opt/ewsposter/sissden.pem"
read -p "Ident: " myIDENT
read -p "Secret: " mySECRET
myFORMAT="json"
}
function fuGENERIC () {
echo
echo "You chose generic, please provide all the details of the broker"
@ -105,7 +119,8 @@ echo
echo
echo "Please choose your broker"
echo "---------------------------"
echo "[1] - Generic (enter details manually)"
echo "[1] - SISSDEN"
echo "[2] - Generic (enter details manually)"
echo "[0] - Opt out of HPFEEDS"
echo "[q] - Do not agree end exit"
echo
@ -115,6 +130,10 @@ while [ 1 != 2 ]
echo $mySELECT
case "$mySELECT" in
[1])
fuSISSDEN
break
;;
[2])
fuGENERIC
break
;;

84
bin/hptest.sh
View File

@ -1,8 +1,23 @@
#!/bin/bash
myHOST="$1"
myPACKAGES="nmap"
myDOCKERCOMPOSEYML="/opt/tpot/etc/tpot.yml"
myPACKAGES="netcat nmap"
myMEDPOTPACKET="
MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
EVN|A01|198808181123
PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
NK1|1|JONES^BARBARA^K|SPO|||||20011105
NK1|1|JONES^MICHAEL^A|FTH
PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
AL1|2||^CAT DANDER||CODE257
DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
GT1|1122|1519|BILL^GATES^A
IN1|001|A357|1234|BCMD|||||132987
IN2|ID1551001|SSN12345678
ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
function fuGOTROOT {
myWHOAMI=$(whoami)
@ -37,32 +52,67 @@ function fuCHECKFORARGS {
if [ "$myHOST" != "" ];
then
echo "All arguments met. Continuing."
echo
else
echo "Usage: hptest.sh <[host or ip]>"
echo
echo "Usage: hp_test.sh <[host or ip]>"
exit
fi
}
function fuGETPORTS {
myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu)
myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done)
myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done)
myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
echo "Found these ports enabled:"
echo "$myPORTS"
exit
}
function fuSCAN {
local myTIMEOUT="$1"
local mySCANPORT="$2"
local mySCANIP="$3"
local mySCANOPTS="$4"
timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
}
# Main
fuGETPORTS
fuGOTROOT
fuCHECKDEPS
fuCHECKFORARGS
echo
echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..."
nmap -sV -sC -v -p $myPORTS $1 &
nmap -sU -sV -sC -v -p $myUDPPORTS $1 &
echo
wait
echo "Done."
echo
echo "Starting scans ..."
echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
curl -XGET "http://$myHOST:9200/logstash-*/_search" &
echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
wait
reset
echo "Done."

23
bin/deprecated/import_kibana-objects.sh → bin/import_kibana-objects.sh
View File

@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit
else
echo "### Elasticsearch is available, now continuing."
@ -20,7 +20,7 @@ myCOL0=""
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
rm -rf patterns/ dashboards/ visualizations/ searches/
}
trap fuCLEANUP EXIT
@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
# Restore index patterns
myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
@ -98,22 +98,6 @@ for i in $mySEARCHES;
echo
wait
# Restore configs
myCONFIGS=$(ls configs/*.json | cut -c 9- | rev | cut -c 6- | rev)
echo $myCOL1"### Now importing "$myCOL0$(echo $myCONFIGS | wc -w)$myCOL1 "configs." $myCOL0
for i in $myCONFIGS;
do
curl -s -XDELETE ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
done;
wait
for i in $myCONFIGS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XPOST ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @configs/$i.json > /dev/null &
done;
echo
wait
# Stats
echo
echo $myCOL1"### Statistics"
@ -121,6 +105,5 @@ echo $myCOL1"###### Imported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
echo $myCOL1"###### Imported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
echo

27
bin/mytopips.sh
View File

@ -1,27 +0,0 @@
#!/bin/bash
# Make sure ES is available
myES="http://127.0.0.1:64298/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit 1
else
echo "### Elasticsearch is available, now continuing."
echo
fi
function fuMYTOPIPS {
curl -s -XGET $myES"_search" -H 'Content-Type: application/json' -d'
{
"aggs": {
"ips": {
"terms": { "field": "src_ip.keyword", "size": 100 }
}
},
"size" : 0
}'
}
echo "### Aggregating top 100 source IPs in ES"
fuMYTOPIPS | jq '.aggregations.ips.buckets[].key' | tr -d '"'

45
bin/setup_builder.sh
View File

@ -1,45 +0,0 @@
#!/bin/bash
# Got root?
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
# Only run with command switch
if [ "$1" != "-y" ]; then
echo "### Setting up docker for Multi Arch Builds."
echo "### Use on x64 only!"
echo "### Run with -y to install!"
echo
exit
fi
# Main
mkdir -p /root/.docker/cli-plugins/
cd /root/.docker/cli-plugins/
wget https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-amd64 -O docker-buildx
chmod +x docker-buildx
docker buildx ls
# We need to create a new builder as the default one cannot handle multi-arch builds
# https://docs.docker.com/desktop/multi-arch/
docker buildx create --name mybuilder
# Set as default
docker buildx use mybuilder
# We need to install emulators, arm64 should be fine for now
# https://github.com/tonistiigi/binfmt/
docker run --privileged --rm tonistiigi/binfmt --install arm64
# Check if everything is setup correctly
docker buildx inspect --bootstrap
echo
echo "### Done."
echo
echo "Example: docker buildx build --platform linux/amd64,linux/arm64 -t username/demo:latest --push ."
echo "Docs: https://docs.docker.com/desktop/multi-arch/"

29
bin/tpdclean.sh
View File

@ -1,29 +0,0 @@
#!/bin/bash
# T-Pot Compose and Container Cleaner
# Set colors
myRED=""
myGREEN=""
myWHITE=""
# Only run with command switch
if [ "$1" != "-y" ]; then
echo $myRED"### WARNING"$myWHITE
echo ""
echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
echo ""
echo $myRED"### WARNING "$myWHITE
echo
exit
fi
# Remove old containers, images and volumes
docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
docker network rm $(docker network ls -q) >> /dev/null 2>&1
docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
docker rm -v $(docker ps -aq) >> /dev/null 2>&1
docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
exit 0

2
bin/tped.sh
View File

@ -29,7 +29,7 @@ for i in $myYMLS;
do
myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) "
done
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
if [ "$myEDITION" == "" ];
then
echo "Have a nice day!"

59
bin/updateip.sh
View File

@ -2,62 +2,22 @@
# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
# If the external IP cannot be detected, the internal IP will be inherited.
source /etc/environment
myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
myUUID=$(lsblk -o MOUNTPOINT,UUID | grep "/" | awk '{ print $2 }')
myLOCALIP=$(hostname -I | awk '{ print $1 }')
myEXTIP=$(/opt/tpot/bin/myip.sh)
if [ "$myEXTIP" = "" ];
then
myEXTIP=$myLOCALIP
myEXTIP_LAT="49.865835022498125"
myEXTIP_LONG="8.62606472775735"
else
myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
fi
# Load Blackhole routes if enabled
myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
then
/opt/tpot/bin/blackhole.sh add
fi
myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
if [ "$myBLACKHOLE_STATUS" -gt "500" ];
then
myBLACKHOLE_STATUS="| BLACKHOLE: [ ENABLED ]"
else
myBLACKHOLE_STATUS="| BLACKHOLE: [ DISABLED ]"
fi
mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
# Export
export myUUID
export myLOCALIP
export myEXTIP
export myEXTIP_LAT
export myEXTIP_LONG
export myBLACKHOLE_STATUS
export mySSHUSER
# Build issue
echo "" > /etc/issue
toilet -f ivrit -F metal --filter border:metal "T-Pot 22.04" | sed 's/\\/\\\\/g' >> /etc/issue
toilet -f ivrit -F metal --filter border:metal "T-Pot 19.03" | sed 's/\\/\\\\/g' >> /etc/issue
echo >> /etc/issue
echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue
echo "|" >> /etc/issue
echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue
echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue
if [ "$myCHECKIFSENSOR" == "0" ];
then
echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
fi
echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue
echo "$myBLACKHOLE_STATUS" >> /etc/issue
echo "|" >> /etc/issue
echo "\`----" >> /etc/issue
echo >> /etc/issue
@ -66,24 +26,9 @@ tee /data/ews/conf/ews.ip << EOF
ip = $myEXTIP
EOF
tee /opt/tpot/etc/compose/elk_environment << EOF
HONEY_UUID=$myUUID
MY_EXTIP=$myEXTIP
MY_EXTIP_LAT=$myEXTIP_LAT
MY_EXTIP_LONG=$myEXTIP_LONG
MY_INTIP=$myLOCALIP
MY_HOSTNAME=$HOSTNAME
EOF
if [ -s "/data/elk/logstash/ls_environment" ];
then
source /data/elk/logstash/ls_environment
tee -a /opt/tpot/etc/compose/elk_environment << EOF
MY_TPOT_TYPE=$MY_TPOT_TYPE
MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
MY_HIVE_USERNAME=$MY_HIVE_USERNAME
MY_HIVE_IP=$MY_HIVE_IP
EOF
fi
chown tpot:tpot /data/ews/conf/ews.ip
chmod 770 /data/ews/conf/ews.ip

10
cloud/.gitignore vendored
View File

@ -1,10 +0,0 @@
# Ansible
*.retry
# Terraform
**/.terraform
**/terraform.*
# OpenStack clouds
**/clouds.yaml
**/secure.yaml

2
cloud/ansible/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
# Ansible
*.retry

98
cloud/ansible/README.md
View File

@ -2,16 +2,15 @@
Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).
It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.
Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html) (e.g. AWS, Azure, Digital Ocean, Google).
The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
The Playbook first creates all resources (security group, network, subnet, router), deploys a new server and then installs and configures T-Pot.
This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
# Table of contents
- [Preparation of Ansible Master](#ansible-master)
- [Ansible Installation](#ansible)
- [OpenStack Collection Installation](#collection)
- [Agent Forwarding](#agent-forwarding)
- [Preparations in Open Telekom Cloud Console](#preparation)
- [Create new project](#project)
@ -19,9 +18,8 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of
- [Import Key Pair](#key-pair)
- [Clone Git Repository](#clone-git)
- [Settings and recommended values](#settings)
- [clouds.yaml](#clouds-yaml)
- [OpenStack authentication variables](#os-auth)
- [Ansible remote user](#remote-user)
- [Number of instances to deploy](#number)
- [Instance settings](#instance-settings)
- [User password](#user-password)
- [Configure `tpot.conf.dist`](#tpot-conf)
@ -38,8 +36,6 @@ Ansible works over the SSH Port, so you don't have to add any special rules to y
<a name="ansible"></a>
## Ansible Installation
:warning: Ansible 2.10 or newer is required!
Example for Ubuntu 18.04:
At first we update the system:
@ -52,17 +48,6 @@ Then we need to add the repository and install Ansible:
For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).
In short (if you already have Python3/pip3 installed):
```
pip3 install ansible
```
<a name="collection"></a>
## OpenStack Collection Installation
For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:
`ansible-galaxy collection install openstack.cloud`
<a name="agent-forwarding"></a>
## Agent Forwarding
If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.
@ -111,66 +96,52 @@ Import your SSH public key.
<a name="clone-git"></a>
# Clone Git Repository
Clone the `tpotce` repository to your Ansible Master:
`git clone https://github.com/telekom-security/tpotce.git`
All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
`git clone https://github.com/dtag-dev-sec/tpotce.git`
All Ansible related files are located in the [`cloud/ansible/openstack`](../../cloud/ansible/openstack) folder.
<a name="settings"></a>
# Settings and recommended values
You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook.
The settings are located in the following Ansible vars files:
<a name="clouds-yaml"></a>
## clouds.yaml
Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).
<a name="os-auth"></a>
## OpenStack authentication variables
Located at [`openstack/roles/deploy/vars/os_auth.yaml`](openstack/roles/deploy/vars/os_auth.yaml).
Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):
```
clouds:
open-telekom-cloud:
profile: otc
auth:
project_name: eu-de_your_project
username: your_api_user
password: your_password
user_domain_name: OTC-EU-DE-000000000010000XXXXX
```
You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.
For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation.
If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file:
```
# Enter the name of your cloud to use from clouds.yaml
cloud: open-telekom-cloud
auth_url: https://iam.eu-de.otc.t-systems.com/v3
username: your_api_user
password: your_password
project_name: eu-de_your_project
os_user_domain_name: OTC-EU-DE-000000000010000XXXXX
```
You can also perform different authentication methods like sourcing your `.ostackrc` file or using the OpenStack `clouds.yaml` file.
For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation.
<a name="remote-user"></a>
## Ansible remote user
You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`).
<a name="number"></a>
## Number of instances to deploy
You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml):
```
loop: "{{ range(0, 1) }}"
```
One instance is set as the default, increase to your liking.
<a name="instance-settings"></a>
## Instance settings
Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml).
Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml).
Here you can customize your virtual machine specifications:
- Specify the region name
- Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
- Change the OS image (For T-Pot we need Debian)
- (Optional) Change the volume size
- Specify your key pair (:warning: Mandatory)
- (Optional) Change the instance type (flavor)
`s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.
A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
`s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.
A full list of Open telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html).
```
region_name: eu-de
availability_zone: eu-de-03
image: Standard_Debian_10_latest
volume_size: 128
key_name: your-KeyPair
flavor: s3.medium.8
flavor: s2.medium.8
```
<a name="user-password"></a>
@ -183,12 +154,20 @@ user_password: LiNuXuSeRPaSs#
<a name="tpot-conf"></a>
## Configure `tpot.conf.dist`
The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist).
The file is located in [`iso/installer/tpot.conf.dist`](../../iso/installer/tpot.conf.dist).
Here you can choose:
- between the various T-Pot editions
- a username for the web interface
- a password for the web interface (**you should definitely change that**)
```
# tpot configuration file
# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
myCONF_TPOT_FLAVOR='STANDARD'
myCONF_WEB_USER='webuser'
myCONF_WEB_PW='w3b$ecret'
```
<a name="ews-cfg"></a>
## Optional: Custom `ews.cfg`
Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
@ -221,7 +200,7 @@ Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_
# - custom_hpfeeds
```
You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg).
You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg).
That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:
```
myENABLE=true
@ -237,7 +216,6 @@ myFORMAT=json
<a name="deploy"></a>
# Deploying a T-Pot :honey_pot::honeybee:
Now, after configuring everything, we can finally start deploying T-Pots!
Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:
`ansible-playbook deploy_tpot.yaml`
(Yes, it is as easy as that :smile:)
@ -245,13 +223,13 @@ Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:
If you are running on a machine which asks for a sudo password, you can use:
`ansible-playbook --ask-become-pass deploy_tpot.yaml`
The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.
After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.
Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
The Playbook will first install required packages on the Ansible Master and then deploy a new server instance.
After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots.
<a name="documentation"></a>
# Further documentation
- [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
- [openstack.cloud.server Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html)
- [Cloud modules — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html)
- [os_server Create/Delete Compute Instances from OpenStack — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/os_server_module.html)
- [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)
- [Open Telekom Cloud API Overview](https://docs.otc.t-systems.com/en-us/api/wp/en-us_topic_0052070394.html)

9
cloud/ansible/openstack/clouds.yaml
View File

@ -1,9 +0,0 @@
clouds:
open-telekom-cloud:
profile: otc
region_name: eu-de
auth:
project_name: eu-de_your_project
username: your_api_user
password: your_password
user_domain_name: OTC-EU-DE-000000000010000XXXXX

19
cloud/ansible/openstack/deploy_tpot.yaml
View File

@ -4,22 +4,13 @@
roles:
- check
- name: Deploy instances
- name: Deploy instance
hosts: localhost
vars_files: my_os_cloud.yaml
tasks:
- name: Create security group and network
ansible.builtin.include_role:
name: create_net
- name: Create one or more instances
ansible.builtin.include_role:
name: create_vm
loop: "{{ range(0, 1) }}"
loop_control:
extended: yes
roles:
- deploy
- name: Install T-Pot
hosts: tpot
- name: Install T-Pot on new instance
hosts: TPOT
remote_user: linux
become: yes
gather_facts: no

2
cloud/ansible/openstack/my_os_cloud.yaml
View File

@ -1,2 +0,0 @@
# Enter the name of your cloud to use from clouds.yaml
cloud: open-telekom-cloud

2
cloud/ansible/openstack/requirements.yaml
View File

@ -1,2 +0,0 @@
collections:
- name: openstack.cloud

16
cloud/ansible/openstack/roles/check/tasks/main.yaml
View File

@ -1,19 +1,17 @@
- name: Install dependencies
ansible.builtin.package:
package:
name:
- gcc
- python3-dev
- python3-setuptools
- python3-pip
- pwgen
- python-setuptools
- python-pip
state: present
- name: Install openstacksdk
ansible.builtin.pip:
pip:
name: openstacksdk
executable: pip3
- name: Check if agent forwarding is enabled
ansible.builtin.fail:
fail:
msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
ignore_errors: yes
failed_when: lookup('env','SSH_AUTH_SOCK') == ""
when: lookup('env','SSH_AUTH_SOCK') == ""

33
cloud/ansible/openstack/roles/create_net/tasks/main.yaml
View File

@ -1,33 +0,0 @@
- name: Create security group
openstack.cloud.security_group:
cloud: "{{ cloud }}"
name: sg-tpot-ansible
description: Security Group for T-Pot
- name: Add rules to security group
openstack.cloud.security_group_rule:
cloud: "{{ cloud }}"
security_group: sg-tpot-ansible
remote_ip_prefix: 0.0.0.0/0
- name: Create network
openstack.cloud.network:
cloud: "{{ cloud }}"
name: network-tpot-ansible
- name: Create subnet
openstack.cloud.subnet:
cloud: "{{ cloud }}"
network_name: network-tpot-ansible
name: subnet-tpot-ansible
cidr: 192.168.0.0/24
dns_nameservers:
- 100.125.4.25
- 100.125.129.199
- name: Create router
openstack.cloud.router:
cloud: "{{ cloud }}"
name: router-tpot-ansible
interfaces:
- subnet-tpot-ansible

24
cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
View File

@ -1,24 +0,0 @@
- name: Generate T-Pot name
ansible.builtin.set_fact:
tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=6') }}"
- name: Create instance {{ ansible_loop.index }} of {{ ansible_loop.length }}
openstack.cloud.server:
cloud: "{{ cloud }}"
name: "{{ tpot_name }}"
availability_zone: "{{ availability_zone }}"
image: "{{ image }}"
boot_from_volume: yes
volume_size: "{{ volume_size }}"
key_name: "{{ key_name }}"
auto_ip: yes
flavor: "{{ flavor }}"
security_groups: sg-tpot-ansible
network: network-tpot-ansible
register: tpot
- name: Add instance to inventory
ansible.builtin.add_host:
hostname: "{{ tpot_name }}"
ansible_host: "{{ tpot.server.public_v4 }}"
groups: tpot

6
cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
View File

@ -1,13 +1,13 @@
- name: Copy ews configuration file
ansible.builtin.template:
src: ews.cfg
template:
src: ../templates/ews.cfg
dest: /data/ews/conf
owner: root
group: root
mode: 0644
- name: Patching tpot.yml with custom ews configuration file
ansible.builtin.lineinfile:
lineinfile:
path: /opt/tpot/etc/tpot.yml
insertafter: "/opt/ewsposter/ews.ip"
line: " - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg"

6
cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml
View File

@ -1,6 +1,6 @@
- name: Copy hpfeeds configuration file
ansible.builtin.copy:
src: hpfeeds.cfg
copy:
src: ../files/hpfeeds.cfg
dest: /data/ews/conf
owner: tpot
group: tpot
@ -8,5 +8,5 @@
register: config
- name: Applying hpfeeds settings
ansible.builtin.command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
when: config.changed == true

94
cloud/ansible/openstack/roles/deploy/tasks/main.yaml Normal file
View File

@ -0,0 +1,94 @@
- name: Create T-Pot name
shell: echo t-pot-ansible-$(pwgen -ns 6 -1)
register: tpot_name
- name: Import OpenStack authentication variables
include_vars:
file: roles/deploy/vars/os_auth.yaml
no_log: true
- name: Create security group
os_security_group:
auth:
auth_url: "{{ auth_url }}"
username: "{{ username }}"
password: "{{ password }}"
project_name: "{{ project_name }}"
os_user_domain_name: "{{ os_user_domain_name }}"
name: sg-tpot-any
description: tpot any-any
- name: Add rules to security group
os_security_group_rule:
auth:
auth_url: "{{ auth_url }}"
username: "{{ username }}"
password: "{{ password }}"
project_name: "{{ project_name }}"
os_user_domain_name: "{{ os_user_domain_name }}"
security_group: sg-tpot-any
remote_ip_prefix: 0.0.0.0/0
- name: Create network
os_network:
auth:
auth_url: "{{ auth_url }}"
username: "{{ username }}"
password: "{{ password }}"
project_name: "{{ project_name }}"
os_user_domain_name: "{{ os_user_domain_name }}"
name: network-tpot
- name: Create subnet
os_subnet:
auth:
auth_url: "{{ auth_url }}"
username: "{{ username }}"
password: "{{ password }}"
project_name: "{{ project_name }}"
os_user_domain_name: "{{ os_user_domain_name }}"
network_name: network-tpot
name: subnet-tpot
cidr: 192.168.0.0/24
dns_nameservers:
- 1.1.1.1
- 8.8.8.8
- name: Create router
os_router:
auth:
auth_url: "{{ auth_url }}"
username: "{{ username }}"
password: "{{ password }}"
project_name: "{{ project_name }}"
os_user_domain_name: "{{ os_user_domain_name }}"
name: router-tpot
interfaces:
- subnet-tpot
- name: Launch an instance
os_server:
auth:
auth_url: "{{ auth_url }}"
username: "{{ username }}"
password: "{{ password }}"
project_name: "{{ project_name }}"
os_user_domain_name: "{{ os_user_domain_name }}"
name: "{{ tpot_name.stdout }}"
region_name: "{{ region_name }}"
availability_zone: "{{ availability_zone }}"
image: "{{ image }}"
boot_from_volume: yes
volume_size: "{{ volume_size }}"
key_name: "{{ key_name }}"
timeout: 200
flavor: "{{ flavor }}"
security_groups: sg-tpot-any
network: network-tpot
register: tpot
- name: Add instance to inventory
add_host:
hostname: "{{ tpot_name.stdout }}"
ansible_host: "{{ tpot.server.public_v4 }}"
groups: TPOT

3
cloud/ansible/openstack/roles/create_vm/vars/main.yaml → cloud/ansible/openstack/roles/deploy/vars/main.yaml
View File

@ -1,5 +1,6 @@
region_name: eu-de
availability_zone: eu-de-03
image: Standard_Debian_10_latest
volume_size: 128
key_name: your-KeyPair
flavor: s3.medium.8
flavor: s2.medium.8

5
cloud/ansible/openstack/roles/deploy/vars/os_auth.yaml Normal file
View File

@ -0,0 +1,5 @@
auth_url: https://iam.eu-de.otc.t-systems.com/v3
username: your_api_user
password: your_password
project_name: eu-de_your_project
os_user_domain_name: OTC-EU-DE-000000000010000XXXXX

22
cloud/ansible/openstack/roles/install/tasks/main.yaml
View File

@ -1,29 +1,29 @@
- name: Waiting for SSH connection
ansible.builtin.wait_for_connection:
wait_for_connection:
- name: Gathering facts
ansible.builtin.setup:
setup:
- name: Cloning T-Pot install directory
ansible.builtin.git:
repo: "https://github.com/telekom-security/tpotce.git"
git:
repo: "https://github.com/dtag-dev-sec/tpotce.git"
dest: /root/tpot
- name: Prepare to set user password
ansible.builtin.set_fact:
- name: Prepare to set user password
set_fact:
user_name: "{{ ansible_user }}"
user_salt: "s0mew1ck3dTpoT"
no_log: true
- name: Changing password for user {{ user_name }}
ansible.builtin.user:
user:
name: "{{ ansible_user }}"
password: "{{ user_password | password_hash('sha512', user_salt) }}"
state: present
shell: /bin/bash
- name: Copy T-Pot configuration file
ansible.builtin.copy:
template:
src: ../../../../../../iso/installer/tpot.conf.dist
dest: /root/tpot.conf
owner: root
@ -31,15 +31,15 @@
mode: 0644
- name: Install T-Pot on instance - be patient, this might take 15 to 30 minutes depending on the connection speed.
ansible.builtin.command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
- name: Delete T-Pot configuration file
ansible.builtin.file:
file:
path: /root/tpot.conf
state: absent
- name: Change unattended-upgrades to take default action
ansible.builtin.blockinfile:
blockinfile:
dest: /etc/apt/apt.conf.d/50unattended-upgrades
block: |
Dpkg::Options {

4
cloud/ansible/openstack/roles/reboot/tasks/main.yaml
View File

@ -1,10 +1,10 @@
- name: Finally rebooting T-Pot
ansible.builtin.command: shutdown -r now
command: shutdown -r now
async: 1
poll: 0
- name: Next login options
ansible.builtin.debug:
debug:
msg:
- "***** SSH Access:"
- "***** ssh {{ ansible_user }}@{{ ansible_host }} -p 64295"

2
cloud/terraform/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
**/.terraform
**/terraform.*

186
cloud/terraform/README.md
View File

@ -1,129 +1,131 @@
# T-Pot Terraform
This [Terraform](https://www.terraform.io/) configuration can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.
Configuration for Amazon Web Services (AWS) and Open Telekom Cloud (OTC) is currently included.
This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
[Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup.
This [Terraform](https://www.terraform.io/) configuration can be used to provision a T-Pot instance in AWS in addition to all of the necessary pre-requisites. Specifically, the following resources will be created:
# Table of Contents
- [What get's created](#what-created)
- [Amazon Web Services (AWS)](#what-created-aws)
- [Open Telekom Cloud (OTC)](#what-created-otc)
- [Prerequisites](#pre)
- [Amazon Web Services (AWS)](#pre-aws)
- [Open Telekom Cloud (OTC)](#pre-otc)
- [Terraform Variables](#variables)
- [Common configuration items](#variables-common)
- [Amazon Web Services (AWS)](#variables-aws)
- [Open Telekom Cloud (OTC)](#variables-otc)
- [Initialising](#initialising)
- [Applying the Configuration](#applying)
- [Connecting to the Instance](#connecting)
<a name="what-created"></a>
## What get's created
<a name="what-created-aws"></a>
### Amazon Web Services (AWS)
* EC2 instance:
* t3.large (2 vCPUs, 8 GB RAM)
* 128 GB disk
* Debian 10
* Public IP
* Security Group:
* t3.large (2 vCPU, 8 GiB RAM)
* 128GB disk
* [Debian Stretch](https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch) (The T-Pot installation script will then upgrade this to Debian Sid)
* AWS Security Group:
* TCP/UDP ports <= 64000 open to the Internet
* TCP ports 64294, 64295 and 64297 open to a chosen administrative IP
<a name="what-created-otc"></a>
### Open Telekom Cloud (OTC)
* ECS instance:
* s3.medium.8 (1 vCPU, 8 GB RAM)
* 128 GB disk
* Debian 10
* Public EIP
* Security Group
* All TCP/UDP ports are open to the Internet
* Virtual Private Cloud (VPC) and Subnet
[Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup. Additional provisioning using Ansible etc. is not required.
<a name="pre"></a>
## Prerequisites
* [Terraform](https://www.terraform.io/) 0.13
The following resources are NOT automatically created and need to be specified in the configuration below:
<a name="pre-aws"></a>
### Amazon Web Services (AWS)
* VPC
* Subnet
## Pre-Requisites
* [Terraform](https://www.terraform.io/) 0.12
* AWS Account
* Existing VPC: VPC ID needs to be specified in `aws/variables.tf`
* Existing subnet: Subnet ID needs to be specified in `aws/variables.tf`
* Existing SSH key pair: Key name needs to be specified in `aws/variables.tf`
* Existing VPC. VPC ID should be specified in configuration below
* Existing subnet. Subnet ID should be specified in configuration below
* AWS Authentication credentials should be [set using environment variables](https://www.terraform.io/docs/providers/aws/index.html#environment-variables)
<a name="pre-otc"></a>
### Open Telekom Cloud (OTC)
* OTC Account
* Existing SSH key pair: Key name needs to be specified in `otc/variables.tf`
* OTC Authentication credentials (Username, Password, Project Name, User Domain Name) can be set in the `otc/clouds.yaml` file
## Required Configuration Changes
<a name="variables"></a>
## Terraform Variables
### Terraform Variables
<a name="variables-common"></a>
### Common configuration items
These variables exist in `aws/variables.tf` and `otc/variables.tf` respectively.
Settings for cloud-init:
* `timezone` - Set the Server's timezone
* `linux_password`- Set a password for the Linux Operating System user (which is also used on the Admin UI)
In `aws/variables.tf`, change the following variables to correspond to your existing EC2 infrastructure:
Settings for T-Pot:
* `tpot_flavor` - Set the flavor of the T-Pot (Available flavors are listed in the variable's description)
* `web_user` - Set a username for the T-Pot Kibana Dasboard
* `web_password` - Set a password for the T-Pot Kibana Dashboard
<a name="variables-aws"></a>
### Amazon Web Services (AWS)
In `aws/variables.tf`, you can change the additional variables:
* `admin_ip` - source IP address(es) that you will use to administer the system. Connections to TCP ports 64294, 64295 and 64297 will be allowed from this IP only. Multiple IPs or CIDR blocks can be specified in the format: `["127.0.0.1/32", "192.168.0.0/24"]`
* `ec2_vpc_id` - Specify an existing VPC ID
* `ec2_subnet_id` - Specify an existing Subnet ID
* `ec2_vpc_id`
* `ec2_subnet_id`
* `ec2_region`
* `ec2_ssh_key_name` - Specify an existing SSH key pair
* `ec2_instance_type`
<a name="variables-otc"></a>
### Open Telekom Cloud (OTC)
In `otc/variables.tf`, you can change the additional variables:
* `ecs_flavor`
* `ecs_disk_size`
* `availability_zone`
* `key_pair` - Specify an existing SSH key pair
* `eip_size`
### Admin Credentials
... and some more, but these are the most relevant.
In `tpot.conf`, change the following variables:
```
myCONF_WEB_USER='webuser'
myCONF_WEB_PW='w3b$ecret'
```
This will be used to configure credentials for the T-Pot Kibana interface. Refer to [Options](https://github.com/dtag-dev-sec/tpotce#options) for more information.
<a name="initialising"></a>
## Initialising
The [`terraform init`](https://www.terraform.io/docs/commands/init.html) command is used to initialize a working directory containing Terraform configuration files.
```
$ cd aws
$ terraform init
```
OR
```
$ cd otc
$ terraform init
Initializing the backend...
Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (terraform-providers/aws) 2.16.0...
The following providers do not have any version constraints in configuration,
so the latest version was installed.
To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.
* provider.aws: version = "~> 2.16"
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
```
<a name="applying"></a>
## Applying the Configuration
The [`terraform apply`](https://www.terraform.io/docs/commands/apply.html) command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a [`terraform plan`](https://www.terraform.io/docs/commands/plan.html) execution plan.
```
$ terraform apply
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_instance.tpot will be created
...
# aws_security_group.tpot will be created
...
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
```
This will create your infrastructure and start a Cloud Server. On startup, the Server gets bootstrapped with cloud-init and will install T-Pot. Once this is done, the server will reboot.
If you want the remove the built infrastructure, you can run [`terraform destroy`](https://www.terraform.io/docs/commands/destroy.html) to delete it.
This will perform the following actions:
1. Create EC2 security group
2. Start a Debian EC2 instance
3. Update all packages and reboot if necessary
4. Install T-Pot and required dependencies
5. Reboot
<a name="connecting"></a>
## Connecting to the Instance
When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
### SSH
Prior to the final reboot, you will temporarily be able to SSH to port 22 as per standard. Following the reboot, port 22 is used for the honeypot. The *real* SSH server is listening on port **64295**
### Browser
https://www.example.com:64297/
Replace with the FQDN of your EC2 instance. Refer to the [T-POT documentation](https://github.com/dtag-dev-sec/tpotce#ssh-and-web-access) for further details.

20
cloud/terraform/aws/.terraform.lock.hcl generated
View File

@ -1,20 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "3.26.0"
constraints = "3.26.0"
hashes = [
"h1:0i78FItlPeiomd+4ThZrtm56P5K33k7/6dnEe4ZePI0=",
"zh:26043eed36d070ca032cf04bc980c654a25821a8abc0c85e1e570e3935bbfcbb",
"zh:2fe68f3f78d23830a04d7fac3eda550eef1f627dfc130486f70a65dc5c254300",
"zh:3d66484c608c64678e639db25d63872783ce60363a1246e30317f21c9c23b84b",
"zh:46ffd755cfd4cf94fe66342797b5afdcef010a24e126c67fee141b357d393535",
"zh:5e96f24357e945c9067cf5e032ad1d003609629c956c2f9f642fefe714e74587",
"zh:60c27aca36bb63bf3e865c2193be80ca83b376581d00f9c220af4b013e163c4d",
"zh:896f0f22d19d41e71b22f9240b261714c3915b165ddefeb771e7734d69dc47ea",
"zh:90de9966cb2fd3e2f326df291595e55d2dd2d90e7d6dd085c2c8691dce82bdb4",
"zh:ad05a91a88ceb1d6de5a568f7cc0b0e5bc0a79f3da70bc28c1e7f3750e362d58",
"zh:e8c63f59c6465329e1f3357498face3dd7ef10a033df3c366a33aa9e94b46c01",
]
}

4
cloud/terraform/aws/main.tf
View File

@ -60,7 +60,7 @@ resource "aws_instance" "tpot" {
volume_size = 128
delete_on_termination = true
}
user_data = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
vpc_security_group_ids = [aws_security_group.tpot.id]
user_data = "${file("../cloud-init.yaml")} content: ${base64encode(file("../tpot.conf"))}"
vpc_security_group_ids = [aws_security_group.tpot.id]
associate_public_ip_address = true
}

77
cloud/terraform/aws/variables.tf
View File

@ -28,66 +28,27 @@ variable "ec2_instance_type" {
default = "t3.large"
}
# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Buster
variable "ec2_ami" {
type = map(string)
default = {
"af-south-1" = "ami-0c372f041acae6d49"
"ap-east-1" = "ami-079b8d011d4655385"
"ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
"ap-northeast-2" = "ami-0269fe7d013b8e2dd"
"ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
"ap-south-1" = "ami-020d429f17c9f1d0a"
"ap-southeast-1" = "ami-09625a221230d9fe6"
"ap-southeast-2" = "ami-03cbc6cddb06af2c2"
"ca-central-1" = "ami-09125623b02302014"
"eu-central-1" = "ami-00c36c60f07e21791"
"eu-north-1" = "ami-052bea934e2d9dbfe"
"eu-south-1" = "ami-04e2bb16d37324719"
"eu-west-1" = "ami-0f87948fe2cf1b2a4"
"eu-west-2" = "ami-02ed1bc837487d535"
"eu-west-3" = "ami-080efd2add7e29430"
"me-south-1" = "ami-0dbde382c834c4a72"
"sa-east-1" = "ami-0a0792814cb068077"
"us-east-1" = "ami-05dd1b6e7ef6f8378"
"us-east-2" = "ami-04dd0542609808c50"
"us-west-1" = "ami-07af5f877b3db9f73"
"us-west-2" = "ami-0d0d8694ba492c02b"
}
}
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
variable "linux_password" {
#default = "LiNuXuSeRPaSs#"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}
variable "web_password" {
#default = "w3b$ecret"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
"ap-east-1" = "ami-b7d0abc6"
"ap-northeast-1" = "ami-01f4f0c9374675b99"
"ap-northeast-2" = "ami-0855cb0c55370c38c"
"ap-south-1" = "ami-00d7d1cbdcb087cf3"
"ap-southeast-1" = "ami-03779b1b2fbb3a9d4"
"ap-southeast-2" = "ami-0ce3a7c68c6b1678d"
"ca-central-1" = "ami-037099906a22f210f"
"eu-central-1" = "ami-0845c3902a6f2af32"
"eu-north-1" = "ami-e634bf98"
"eu-west-1" = "ami-06a53bf81914447b5"
"eu-west-2" = "ami-053d9f0770cd2e34c"
"eu-west-3" = "ami-060bf1f444f742af9"
"me-south-1" = "ami-04a9a536105c72d30"
"sa-east-1" = "ami-0a5fd18ed0b9c7f35"
"us-east-1" = "ami-01db78123b2b99496"
"us-east-2" = "ami-010ffea14ff17ebf5"
"us-west-1" = "ami-0ed1af421f2a3cf40"
"us-west-2" = "ami-030a304a76b181155"
}
}

8
cloud/terraform/aws/versions.tf
View File

@ -1,9 +1,3 @@
terraform {
required_version = ">= 0.13"
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.26.0"
}
}
required_version = ">= 0.12"
}

9
cloud/terraform/aws_multi_region/_provider.tf
View File

@ -1,9 +0,0 @@
provider "aws" {
alias = "eu-west-2"
region = "eu-west-2"
}
provider "aws" {
alias = "us-west-1"
region = "us-west-1"
}

27
cloud/terraform/aws_multi_region/main.tf
View File

@ -1,27 +0,0 @@
module "eu-west-2" {
source = "./modules/multi-region"
ec2_vpc_id = "vpc-xxxxxxxx"
ec2_subnet_id = "subnet-xxxxxxxx"
ec2_region = "eu-west-2"
tpot_name = "T-Pot Honeypot"
linux_password = var.linux_password
web_password = var.web_password
providers = {
aws = aws.eu-west-2
}
}
module "us-west-1" {
source = "./modules/multi-region"
ec2_vpc_id = "vpc-xxxxxxxx"
ec2_subnet_id = "subnet-xxxxxxxx"
ec2_region = "us-west-1"
tpot_name = "T-Pot Honeypot"
linux_password = var.linux_password
web_password = var.web_password
providers = {
aws = aws.us-west-1
}
}

69
cloud/terraform/aws_multi_region/modules/multi-region/main.tf
View File

@ -1,69 +0,0 @@
variable "ec2_vpc_id" {}
variable "ec2_subnet_id" {}
variable "ec2_region" {}
variable "linux_password" {}
variable "web_password" {}
variable "tpot_name" {}
resource "aws_security_group" "tpot" {
name = "T-Pot"
description = "T-Pot Honeypot"
vpc_id = var.ec2_vpc_id
ingress {
from_port = 0
to_port = 64000
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 0
to_port = 64000
protocol = "udp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 64294
to_port = 64294
protocol = "tcp"
cidr_blocks = var.admin_ip
}
ingress {
from_port = 64295
to_port = 64295
protocol = "tcp"
cidr_blocks = var.admin_ip
}
ingress {
from_port = 64297
to_port = 64297
protocol = "tcp"
cidr_blocks = var.admin_ip
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "T-Pot"
}
}
resource "aws_instance" "tpot" {
ami = var.ec2_ami[var.ec2_region]
instance_type = var.ec2_instance_type
key_name = var.ec2_ssh_key_name
subnet_id = var.ec2_subnet_id
tags = {
Name = var.tpot_name
}
root_block_device {
volume_type = "gp2"
volume_size = 128
delete_on_termination = true
}
user_data = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
vpc_security_group_ids = [aws_security_group.tpot.id]
associate_public_ip_address = true
}

12
cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf
View File

@ -1,12 +0,0 @@
output "Admin_UI" {
value = "https://${aws_instance.tpot.public_dns}:64294/"
}
output "SSH_Access" {
value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
}
output "Web_UI" {
value = "https://${aws_instance.tpot.public_dns}:64297/"
}

57
cloud/terraform/aws_multi_region/modules/multi-region/variables.tf
View File

@ -1,57 +0,0 @@
variable "admin_ip" {
default = ["127.0.0.1/32"]
description = "admin IP addresses in CIDR format"
}
variable "ec2_ssh_key_name" {
default = "default"
}
# https://aws.amazon.com/ec2/instance-types/
variable "ec2_instance_type" {
default = "t3.xlarge"
}
# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
variable "ec2_ami" {
type = map(string)
default = {
"af-south-1" = "ami-0c372f041acae6d49"
"ap-east-1" = "ami-079b8d011d4655385"
"ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
"ap-northeast-2" = "ami-0269fe7d013b8e2dd"
"ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
"ap-south-1" = "ami-020d429f17c9f1d0a"
"ap-southeast-1" = "ami-09625a221230d9fe6"
"ap-southeast-2" = "ami-03cbc6cddb06af2c2"
"ca-central-1" = "ami-09125623b02302014"
"eu-central-1" = "ami-00c36c60f07e21791"
"eu-north-1" = "ami-052bea934e2d9dbfe"
"eu-south-1" = "ami-04e2bb16d37324719"
"eu-west-1" = "ami-0f87948fe2cf1b2a4"
"eu-west-2" = "ami-02ed1bc837487d535"
"eu-west-3" = "ami-080efd2add7e29430"
"me-south-1" = "ami-0dbde382c834c4a72"
"sa-east-1" = "ami-0a0792814cb068077"
"us-east-1" = "ami-05dd1b6e7ef6f8378"
"us-east-2" = "ami-04dd0542609808c50"
"us-west-1" = "ami-07af5f877b3db9f73"
"us-west-2" = "ami-0d0d8694ba492c02b"
}
}
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}

9
cloud/terraform/aws_multi_region/modules/multi-region/versions.tf
View File

@ -1,9 +0,0 @@
terraform {
required_version = ">= 0.13"
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.72.0"
}
}
}

7
cloud/terraform/aws_multi_region/outputs.tf
View File

@ -1,7 +0,0 @@
output "eu-west-2_Web_UI" {
value = module.eu-west-2.Web_UI
}
output "us-west-1_Web_UI" {
value = module.us-west-1.Web_UI
}

19
cloud/terraform/aws_multi_region/variables.tf
View File

@ -1,19 +0,0 @@
variable "linux_password" {
#default = "LiNuXuSeRP4Ss!"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
variable "web_password" {
#default = "w3b$ecret20"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
}
}

25
cloud/terraform/cloud-init.yaml
View File

@ -1,26 +1,25 @@
#cloud-config
timezone: ${timezone}
timezone: UTC
package_update: true
package_upgrade: true
package_reboot_if_required: true
packages:
- git
runcmd:
- curl -sS --retry 5 https://github.com
- git clone https://github.com/telekom-security/tpotce /root/tpot
- git clone https://github.com/dtag-dev-sec/tpotce /root/tpot
- /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
- rm /root/tpot.conf
- /sbin/shutdown -r now
password: ${password}
chpasswd:
expire: false
- /sbin/shutdown -r +5
# The contents of tpot.conf will be base64 encoded and appended to this file
# via the terraform configuration in main.tf
#
# Make sure there are no trailing new lines after "permissions" below
write_files:
- content: |
# tpot configuration file
myCONF_TPOT_FLAVOR='${tpot_flavor}'
myCONF_WEB_USER='${web_user}'
myCONF_WEB_PW='${web_password}'
- encoding: b64
owner: root:root
path: /root/tpot.conf
permissions: '0600'

38
cloud/terraform/otc/.terraform.lock.hcl generated
View File

@ -1,38 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/random" {
version = "3.1.0"
constraints = "~> 3.1.0"
hashes = [
"h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
"zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
"zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
"zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
"zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
"zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
"zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
"zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
"zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
"zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
"zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
"zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
]
}
provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
version = "1.23.6"
constraints = "~> 1.23.4"
hashes = [
"h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
"zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
"zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
"zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
"zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
"zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
"zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
"zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
"zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
"zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
]
}

9
cloud/terraform/otc/clouds.yaml
View File

@ -1,9 +0,0 @@
clouds:
open-telekom-cloud:
region_name: eu-de
auth:
project_name: eu-de_your_project
username: your_api_user
password: your_password
user_domain_name: OTC-EU-DE-000000000010000XXXXX
auth_url: https://iam.eu-de.otc.t-systems.com/v3

68
cloud/terraform/otc/main.tf
View File

@ -1,68 +0,0 @@
data "opentelekomcloud_images_image_v2" "debian" {
name = "Standard_Debian_10_latest"
}
resource "opentelekomcloud_networking_secgroup_v2" "secgroup_1" {
name = var.secgroup_name
description = var.secgroup_desc
}
resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
direction = "ingress"
ethertype = "IPv4"
remote_ip_prefix = "0.0.0.0/0"
security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
}
resource "opentelekomcloud_vpc_v1" "vpc_1" {
name = var.vpc_name
cidr = var.vpc_cidr
}
resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
name = var.subnet_name
cidr = var.subnet_cidr
vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
gateway_ip = var.subnet_gateway_ip
dns_list = ["100.125.4.25", "100.125.129.199"]
}
resource "random_id" "tpot" {
byte_length = 6
prefix = var.ecs_prefix
}
resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
name = random_id.tpot.b64_url
image_id = data.opentelekomcloud_images_image_v2.debian.id
flavor = var.ecs_flavor
vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
nics {
network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
}
system_disk_size = var.ecs_disk_size
system_disk_type = "SAS"
security_groups = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
availability_zone = var.availability_zone
key_name = var.key_pair
user_data = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
}
resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
publicip {
type = "5_bgp"
}
bandwidth {
name = "bandwidth-${random_id.tpot.b64_url}"
size = var.eip_size
share_type = "PER"
}
}
resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
}

11
cloud/terraform/otc/outputs.tf
View File

@ -1,11 +0,0 @@
output "Admin_UI" {
value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
}
output "SSH_Access" {
value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
}
output "Web_UI" {
value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
}

3
cloud/terraform/otc/provider.tf
View File

@ -1,3 +0,0 @@
provider "opentelekomcloud" {
cloud = "open-telekom-cloud"
}

98
cloud/terraform/otc/variables.tf
View File

@ -1,98 +0,0 @@
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
variable "linux_password" {
#default = "LiNuXuSeRPaSs#"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
## Security Group ##
variable "secgroup_name" {
default = "sg-tpot"
}
variable "secgroup_desc" {
default = "Security Group for T-Pot"
}
## Virtual Private Cloud ##
variable "vpc_name" {
default = "vpc-tpot"
}
variable "vpc_cidr" {
default = "192.168.0.0/16"
}
## Subnet ##
variable "subnet_name" {
default = "subnet-tpot"
}
variable "subnet_cidr" {
default = "192.168.0.0/24"
}
variable "subnet_gateway_ip" {
default = "192.168.0.1"
}
## Elastic Cloud Server ##
variable "ecs_prefix" {
default = "tpot-"
}
variable "ecs_flavor" {
default = "s3.medium.8"
}
variable "ecs_disk_size" {
default = "128"
}
variable "availability_zone" {
default = "eu-de-03"
}
variable "key_pair" {
#default = ""
description = "Specify your SSH key pair"
validation {
condition = length(var.key_pair) > 0
error_message = "Please specify a Key Pair."
}
}
## Elastic IP ##
variable "eip_size" {
default = "100"
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}
variable "web_password" {
#default = "w3b$ecret"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
}
}

13
cloud/terraform/otc/versions.tf
View File

@ -1,13 +0,0 @@
terraform {
required_version = ">= 0.13"
required_providers {
opentelekomcloud = {
source = "opentelekomcloud/opentelekomcloud"
version = "~> 1.23.4"
}
random = {
source = "hashicorp/random"
version = "~> 3.1.0"
}
}
}

5
cloud/terraform/tpot.conf Normal file
View File

@ -0,0 +1,5 @@
# tpot configuration file
# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
myCONF_TPOT_FLAVOR='STANDARD'
myCONF_WEB_USER='webuser'
myCONF_WEB_PW='w3b$ecret'

BIN
doc/architecture.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 432 KiB

After

Width:  |  Height:  |  Size: 258 KiB

BIN
doc/attackmap.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 380 KiB

BIN
doc/cockpit1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 89 KiB

BIN
doc/cockpit2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
doc/cockpit3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
doc/cockpit_a.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 135 KiB

BIN
doc/cockpit_b.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 334 KiB

BIN
doc/cyberchef.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 117 KiB

After

Width:  |  Height:  |  Size: 58 KiB

BIN
doc/dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 594 KiB

BIN
doc/dockerui.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 87 KiB

BIN
doc/elasticvue.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 174 KiB

BIN
doc/headplugin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
doc/kibana.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 885 KiB

BIN
doc/kibana_a.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 464 KiB

BIN
doc/kibana_b.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 129 KiB

BIN
doc/kibana_c.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 213 KiB

BIN
doc/netdata.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 199 KiB

BIN
doc/spiderfoot.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 162 KiB

After

Width:  |  Height:  |  Size: 52 KiB

BIN
doc/tpotwebui.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 324 KiB

BIN
doc/webssh.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 148 KiB

27
docker/adbhoney/Dockerfile
View File

@ -1,19 +1,17 @@
FROM alpine:3.15
FROM alpine
#
# Include dist
COPY dist/ /root/dist/
ADD dist/ /root/dist/
#
# Install packages
RUN apk --no-cache -U add \
RUN apk -U add \
git \
procps \
python3 && \
libcap \
python3 \
python3-dev && \
#
# Install adbhoney from git
git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \
cd /opt/adbhoney && \
# git checkout ad7c17e78d01f6860d58ba826a4b6a4e4f83acbd && \
git checkout 2417a7a982f4fd527b3a048048df9a23178767ad && \
git clone --depth=1 https://github.com/huuck/ADBHoney /opt/adbhoney && \
cp /root/dist/adbhoney.cfg /opt/adbhoney && \
sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \
sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \
@ -22,15 +20,16 @@ RUN apk --no-cache -U add \
addgroup -g 2000 adbhoney && \
adduser -S -H -s /bin/ash -u 2000 -D -g 2000 adbhoney && \
chown -R adbhoney:adbhoney /opt/adbhoney && \
setcap cap_net_bind_service=+ep /usr/bin/python3.7 && \
#
# Clean up
apk del --purge git && \
rm -rf /root/* /opt/adbhoney/.git /var/cache/apk/*
apk del --purge git \
python3-dev && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
#
# Set workdir and start adbhoney
STOPSIGNAL SIGINT
# Adbhoney sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
USER adbhoney:adbhoney
WORKDIR /opt/adbhoney/
CMD /usr/bin/python3 run.py
CMD nohup /usr/bin/python3 run.py

4
docker/adbhoney/docker-compose.yml
View File

@ -10,13 +10,11 @@ services:
build: .
container_name: adbhoney
restart: always
# cpu_count: 1
# cpus: 0.25
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:2204"
image: "dtagdevsec/adbhoney:1903"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log

79
docker/builder.sh
View File

@ -1,79 +0,0 @@
#!/bin/bash
# Setup Vars
myPLATFORMS="linux/amd64,linux/arm64"
myHUBORG="dtagdevsec"
myTAG="2204"
myIMAGESBASE="adbhoney ciscoasa citrixhoneypot conpot cowrie ddospot dicompot dionaea elasticpot endlessh ewsposter fatt glutton hellpot heralding honeypots honeytrap ipphoney log4pot mailoney medpot nginx p0f redishoneypot sentrypeer spiderfoot suricata wordpot"
myIMAGESELK="elasticsearch kibana logstash map"
myIMAGESTANNER="phpox redis snare tanner"
myBUILDERLOG="builder.log"
myBUILDERERR="builder.err"
myBUILDCACHE="/buildcache"
# Got root?
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
# Check for Buildx
docker buildx > /dev/null 2>&1
if [ "$?" == "1" ];
then
echo "### Build environment not setup. Run bin/setup_builder.sh"
fi
# Only run with command switch
if [ "$1" == "" ]; then
echo "### T-Pot Multi Arch Image Builder."
echo "## Usage: builder.sh [build, push]"
echo "## build - Just build images, do not push."
echo "## push - Build and push images."
echo "## Pushing requires an active docker login."
exit
fi
fuBUILDIMAGES () {
local myPATH="$1"
local myIMAGELIST="$2"
local myPUSHOPTION="$3"
for myREPONAME in $myIMAGELIST;
do
echo -n "Now building: $myREPONAME in $myPATH$myREPONAME/."
docker buildx build --cache-from "type=local,src=$myBUILDCACHE" --cache-to "type=local,dest=$myBUILDCACHE" --platform $myPLATFORMS -t $myHUBORG/$myREPONAME:$myTAG $myPUSHOPTION $myPATH$myREPONAME/. >> $myBUILDERLOG 2>&1
if [ "$?" != "0" ];
then
echo " [ ERROR ] - Check logs!"
echo "Error building $myREPONAME" >> "$myBUILDERERR"
else
echo " [ OK ]"
fi
done
}
# Just build images
if [ "$1" == "build" ];
then
mkdir -p $myBUILDCACHE
rm -f "$myBUILDERLOG" "$myBUILDERERR"
echo "### Building images ..."
fuBUILDIMAGES "" "$myIMAGESBASE" ""
fuBUILDIMAGES "elk/" "$myIMAGESELK" ""
fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" ""
fi
# Build and push images
if [ "$1" == "push" ];
then
mkdir -p $myBUILDCACHE
rm -f "$myBUILDERLOG" "$myBUILDERERR"
echo "### Building and pushing images ..."
fuBUILDIMAGES "" "$myIMAGESBASE" "--push"
fuBUILDIMAGES "elk/" "$myIMAGESELK" "--push"
fuBUILDIMAGES "tanner/" "$myIMAGESTANNER" "--push"
fi

16
docker/ciscoasa/Dockerfile
View File

@ -1,18 +1,16 @@
FROM alpine:3.15
FROM alpine
#
# Include dist
COPY dist/ /root/dist/
ADD dist/ /root/dist/
#
# Setup env and apt
RUN apk --no-cache -U upgrade && \
apk --no-cache add build-base \
RUN apk -U upgrade && \
apk add build-base \
git \
libffi \
libffi-dev \
openssl \
openssl-dev \
py3-cryptography \
py3-pip \
python3 \
python3-dev && \
#
@ -23,10 +21,9 @@ RUN apk --no-cache -U upgrade && \
# Get and install packages
mkdir -p /opt/ && \
cd /opt/ && \
git clone https://github.com/cymmetria/ciscoasa_honeypot && \
git clone --depth=1 https://github.com/cymmetria/ciscoasa_honeypot && \
cd ciscoasa_honeypot && \
git checkout d6e91f1aab7fe6fc01fabf2046e76b68dd6dc9e2 && \
sed -i "s/git+git/git+https/g" requirements.txt && \
pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir -r requirements.txt && \
cp /root/dist/asa_server.py /opt/ciscoasa_honeypot && \
chown -R ciscoasa:ciscoasa /opt/ciscoasa_honeypot && \
@ -38,7 +35,6 @@ RUN apk --no-cache -U upgrade && \
openssl-dev \
python3-dev && \
rm -rf /root/* && \
rm -rf /opt/ciscoasa_honeypot/.git && \
rm -rf /var/cache/apk/*
#
# Start ciscoasa

15
docker/ciscoasa/README.md Normal file
View File

@ -0,0 +1,15 @@
[![](https://images.microbadger.com/badges/version/dtagdevsec/ciscoasa:1903.svg)](https://microbadger.com/images/dtagdevsec/ciscoasa:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/ciscoasa:1903.svg)](https://microbadger.com/images/dtagdevsec/ciscoasa:1903 "Get your own image badge on microbadger.com")
# ciscoasa
[Ciscoasa](https://github.com/cymmetria/ciscoasa_honeypot) is a low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability
This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
The `Dockerfile` contains the blueprint for the dockerized ciscoasa and will be used to setup the docker image.
The `docker-compose.yml` contains the necessary settings to test conpot using `docker-compose`. This will ensure to start the docker container with the appropriate permissions and port mappings.
# Ciscoasa Dashboard
![Ciscoasa Dashboard](doc/dashboard.png)

BIN
docker/ciscoasa/doc/dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 982 KiB

7
docker/ciscoasa/docker-compose.yml
View File

@ -9,14 +9,11 @@ services:
restart: always
tmpfs:
- /tmp/ciscoasa:uid=2000,gid=2000
# cpu_count: 1
# cpus: 0.25
networks:
- ciscoasa_local
network_mode: "host"
ports:
- "5000:5000/udp"
- "8443:8443"
image: "dtagdevsec/ciscoasa:2204"
image: "dtagdevsec/ciscoasa:1903"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa

20
docker/citrixhoneypot/Dockerfile
View File

@ -1,19 +1,19 @@
FROM alpine:3.15
FROM alpine
#
# Install packages
RUN apk --no-cache -U add \
RUN apk -U add \
git \
libcap \
openssl \
py3-pip \
python3 && \
python3 \
python3-dev && \
#
pip3 install --no-cache-dir python-json-logger && \
#
# Install CitrixHoneypot from GitHub
git clone https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
cd /opt/citrixhoneypot && \
git checkout f59ad7320dc5bbb8c23c8baa5f111b52c52fbef3 && \
# git clone --depth=1 https://github.com/malwaretech/citrixhoneypot /opt/citrixhoneypot && \
# git clone --depth=1 https://github.com/vorband/CitrixHoneypot /opt/citrixhoneypot && \
git clone --depth=1 https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \
#
# Setup user, groups and configs
mkdir -p /opt/citrixhoneypot/logs /opt/citrixhoneypot/ssl && \
@ -28,13 +28,13 @@ RUN apk --no-cache -U add \
addgroup -g 2000 citrixhoneypot && \
adduser -S -H -s /bin/ash -u 2000 -D -g 2000 citrixhoneypot && \
chown -R citrixhoneypot:citrixhoneypot /opt/citrixhoneypot && \
setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
#
# Clean up
apk del --purge git \
openssl && \
openssl \
python3-dev && \
rm -rf /root/* && \
rm -rf /opt/citrixhoneypot/.git && \
rm -rf /var/cache/apk/*
#
# Set workdir and start citrixhoneypot

4
docker/citrixhoneypot/docker-compose.yml
View File

@ -10,13 +10,11 @@ services:
build: .
container_name: citrixhoneypot
restart: always
# cpu_count: 1
# cpus: 0.25
networks:
- citrixhoneypot_local
ports:
- "443:443"
image: "dtagdevsec/citrixhoneypot:2204"
image: "dtagdevsec/citrixhoneypot:1903"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs

71
docker/conpot/Dockerfile
View File

@ -1,74 +1,54 @@
FROM alpine:3.15
FROM alpine:3.10
#
# Include dist
COPY dist/ /root/dist/
ADD dist/ /root/dist/
#
# Setup apt
RUN apk --no-cache -U add \
RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
apk -U add \
build-base \
cython \
file \
git \
libev \
libtool \
libcap \
libffi-dev \
libxslt \
libxslt-dev \
mariadb-dev \
pkgconfig \
procps \
python3 \
python3-dev \
py3-cffi \
py3-cryptography \
py3-freezegun \
py3-gevent \
py3-lxml \
py3-natsort \
py3-pip \
py3-ply \
py3-psutil \
py3-pycryptodomex \
py3-pytest \
py3-requests \
py3-pyserial \
py3-setuptools \
py3-slugify \
py3-snmp \
py3-sphinx \
py3-wheel \
py3-zope-event \
py3-zope-interface \
py-cffi \
py-cryptography \
tcpdump \
wget && \
#
# Setup ConPot
git clone https://github.com/mushorg/conpot /opt/conpot && \
git clone --depth=1 https://github.com/mushorg/conpot /opt/conpot && \
cd /opt/conpot/ && \
git checkout b3740505fd26d82473c0d7be405b372fa0f82575 && \
#git checkout 1c2382ea290b611fdc6a0a5f9572c7504bcb616e && \
# Patch to accept ENV for MIB path
sed -i "s/tmp_mib_dir = tempfile.mkdtemp()/tmp_mib_dir = tempfile.mkdtemp(dir=os.environ['CONPOT_TMP'])/" /opt/conpot/conpot/protocols/snmp/snmp_server.py && \
# Change template default ports if <1024
sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \
sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \
sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/default/ipmi/ipmi.xml && \
sed -i 's/port="5020"/port="502"/' /opt/conpot/conpot/templates/default/modbus/modbus.xml && \
sed -i 's/port="10201"/port="102"/' /opt/conpot/conpot/templates/default/s7comm/s7comm.xml && \
sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/default/snmp/snmp.xml && \
sed -i 's/port="6969"/port="69"/' /opt/conpot/conpot/templates/default/tftp/tftp.xml && \
sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/IEC104/snmp/snmp.xml && \
sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/ipmi/ipmi/ipmi.xml && \
cp /root/dist/requirements.txt . && \
pip3 install --no-cache-dir --upgrade pip && \
sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \
sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \
sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/default/ipmi/ipmi.xml && \
sed -i 's/port="5020"/port="502"/' /opt/conpot/conpot/templates/default/modbus/modbus.xml && \
sed -i 's/port="10201"/port="102"/' /opt/conpot/conpot/templates/default/s7comm/s7comm.xml && \
sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/default/snmp/snmp.xml && \
sed -i 's/port="6969"/port="69"/' /opt/conpot/conpot/templates/default/tftp/tftp.xml && \
sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/IEC104/snmp/snmp.xml && \
sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/ipmi/ipmi/ipmi.xml && \
pip3 install --no-cache-dir -U setuptools && \
pip3 install --no-cache-dir . && \
cd / && \
rm -rf /opt/conpot /tmp/* /var/tmp/* && \
setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
#
setcap cap_net_bind_service=+ep /usr/bin/python3.7 && \
#
# Get wireshark manuf db for scapy, setup configs, user, groups
mkdir -p /etc/conpot /var/log/conpot /usr/share/wireshark && \
wget https://github.com/wireshark/wireshark/raw/master/manuf -o /usr/share/wireshark/manuf && \
cp /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \
cp -R /root/dist/templates /usr/lib/python3.9/site-packages/conpot/ && \
cp -R /root/dist/templates /usr/lib/python3.7/site-packages/conpot/ && \
addgroup -g 2000 conpot && \
adduser -S -s /bin/ash -u 2000 -D -g 2000 conpot && \
#
@ -84,6 +64,7 @@ RUN apk --no-cache -U add \
mariadb-dev \
pkgconfig \
python3-dev \
py-cffi \
wget && \
rm -rf /root/* && \
rm -rf /tmp/* && \
@ -91,7 +72,5 @@ RUN apk --no-cache -U add \
#
# Start conpot
STOPSIGNAL SIGINT
# Conpot sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings
HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi
USER conpot:conpot
CMD exec /usr/bin/conpot --mibcache $CONPOT_TMP --temp_dir $CONPOT_TMP --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG
CMD exec /usr/bin/conpot --temp_dir $CONPOT_TMP --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

15
docker/conpot/README.md Normal file
View File

@ -0,0 +1,15 @@
[![](https://images.microbadger.com/badges/version/dtagdevsec/conpot:1903.svg)](https://microbadger.com/images/dtagdevsec/conpot:1903 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/conpot:1903.svg)](https://microbadger.com/images/dtagdevsec/conpot:1903 "Get your own image badge on microbadger.com")
# conpot
[ConPot](http://conpot.org/) is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable to emulate complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to server a custom human machine interface to increase the honeypots attack surface. The response times of the services can be artificially delayed to mimic the behavior of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with productive HMI's or extended with real hardware. Conpot is developed under the umbrella of the [Honeynet Project](https://www.honeynet.org/) and on the shoulders of a couple of very big giants.
This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
The `Dockerfile` contains the blueprint for the dockerized conpot and will be used to setup the docker image.
The `docker-compose.yml` contains the necessary settings to test conpot using `docker-compose`. This will ensure to start the docker container with the appropriate permissions and port mappings.
# ConPot Dashboard
![ConPot Dashboard](doc/dashboard.png)

1123
docker/conpot/dist/command_responder.py vendored Normal file
View File

File diff suppressed because it is too large Load Diff

2
docker/conpot/dist/conpot.cfg vendored
View File

@ -3,7 +3,7 @@ sensorid = conpot
[virtual_file_system]
data_fs_url = %(CONPOT_TMP)s
fs_url = tar:///usr/lib/python3.9/site-packages/conpot/data.tar
fs_url = tar:///usr/lib/python3.7/site-packages/conpot/data.tar
[session]
timeout = 30

20
docker/conpot/dist/requirements.txt vendored
View File

@ -1,20 +0,0 @@
pysnmp-mibs
pysmi
libtaxii>=1.1.0
crc16
scapy==2.4.3rc1
hpfeeds3
modbus-tk
stix-validator
stix
cybox
bacpypes==0.17.0
pyghmi==1.4.1
mixbox
modbus-tk
cpppo
fs==2.3.0
tftpy
# some freezegun versions broken
pycrypto
sphinx_rtd_theme

22
docker/conpot/dist/templates/IEC104/template.xml vendored
View File

@ -70,7 +70,7 @@
<value type="value">100000000</value>
</key>
<key name="ifPhysAddress">
<value type="value">"0x000e8c29c51a"</value>
<value type="value">"\x00\x0e\x8c\x29\xc5\x1a"</value>
</key>
<key name="ifAdminStatus">
<value type="value">1</value>
@ -91,19 +91,19 @@
<value type="value">1</value>
</key>
<key name="ifInOctets">
<value type="function">conpot.emulators.misc.sysinfo.BytesRecv</value>
<value type="value">1618895</value>
</key>
<key name="ifInUcastPkts">
<value type="function">conpot.emulators.misc.sysinfo.PacketsRecv</value>
<value type="value">7018</value>
</key>
<key name="ifInNUcastPkts">
<value type="value">291</value>
</key>
<key name="ifOutOctets">
<value type="function">conpot.emulators.misc.sysinfo.BytesSent</value>
<value type="value">455107</value>
</key>
<key name="ifOutUcastPkts">
<value type="function">conpot.emulators.misc.sysinfo.PacketsSent</value>
<value type="value">872264</value>
</key>
<key name="ifOutUNcastPkts">
<value type="value">143</value>
@ -168,7 +168,7 @@
<value type="value">0</value>
</key>
<key name="ipAdEntAddr">
<value type="function">conpot.emulators.misc.sysinfo.LocalIP</value>
<value type="value">"217.172.190.137"</value>
</key>
<key name="ipAdEntIfIndex">
<value type="value">1</value>
@ -290,7 +290,7 @@
<value type="value">45</value>
</key>
<key name="tcpCurrEstab">
<value type="function">conpot.emulators.misc.sysinfo.TcpCurrEstab</value>
<value type="value">0</value>
</key>
<key name="tcpInSegs">
<value type="value">30321</value>
@ -305,7 +305,7 @@
<value type="value">2</value>
</key>
<key name="tcpConnLocalAddress">
<value type="function">conpot.emulators.misc.sysinfo.LocalIP</value>
<value type="value">"217.172.190.137"</value>
</key>
<key name="tcpConnLocalPort">
<value type="value">2404</value>
@ -336,7 +336,7 @@
<value type="value">47</value>
</key>
<key name="udpLocalAddress">
<value type="value">"163.172.189.137"</value>
<value type="value">"217.172.190.137"</value>
</key>
<key name="udpLocalPort">
<value type="value">161</value>
@ -347,10 +347,6 @@
<!-- IEC104 Protocol parameter -->
<!-- Common (Object) Address, aka COA, Station Address -->
<key name="CommonAddress">
<value type="value">"0x1e28"</value>
</key>
<!-- Timeout of connection establishment -->
<key name="T_0">
<value type="value">30</value>

2
docker/conpot/dist/templates/kamstrup_382/template.xml vendored
View File

@ -11,7 +11,7 @@
<!-- Core value that can be retrieved from the databus by key -->
<key_value_mappings>
<key name="power_simulator">
<value type="function">conpot.emulators.kamstrup.usage_simulator.UsageSimulator</value>
<value type="function">conpot.protocols.kamstrup.usage_simulator.UsageSimulator</value>
</key>
<key name="register_1024">
<value type="value">0</value>

BIN
docker/conpot/doc/dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 919 KiB

36
docker/conpot/docker-compose.yml
View File

@ -23,27 +23,26 @@ services:
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
# cpu_count: 1
# cpus: 0.25
networks:
- conpot_local_default
ports:
# - "69:69/udp"
# - "69:69"
- "80:80"
- "102:102"
- "161:161/udp"
- "161:161"
- "502:502"
# - "623:623/udp"
# - "623:623"
- "2121:21"
- "44818:44818"
- "47808:47808/udp"
image: "dtagdevsec/conpot:2204"
- "47808:47808"
image: "dtagdevsec/conpot:1903"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot IEC104 service
conpot_IEC104:
build: .
container_name: conpot_IEC104
restart: always
environment:
@ -54,20 +53,19 @@ services:
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
# cpu_count: 1
# cpus: 0.25
networks:
- conpot_local_IEC104
ports:
# - "161:161/udp"
# - "161:161"
- "2404:2404"
image: "dtagdevsec/conpot:2204"
image: "dtagdevsec/conpot:1903"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
build: .
container_name: conpot_guardian_ast
restart: always
environment:
@ -78,19 +76,18 @@ services:
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
# cpu_count: 1
# cpus: 0.25
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:2204"
image: "dtagdevsec/conpot:1903"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
build: .
container_name: conpot_ipmi
restart: always
environment:
@ -101,19 +98,18 @@ services:
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
# cpu_count: 1
# cpus: 0.25
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:2204"
- "623:623"
image: "dtagdevsec/conpot:1903"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
build: .
container_name: conpot_kamstrup_382
restart: always
environment:
@ -124,14 +120,12 @@ services:
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
# cpu_count: 1
# cpus: 0.25
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:2204"
image: "dtagdevsec/conpot:1903"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot

Some files were not shown because too many files have changed in this diff Show More