telekom-security/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 01:27:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: telekom-security:dev
Branches Tags
telekom-security:master telekom-security:24.04 telekom-security:alpha telekom-security:22.04 telekom-security:dev telekom-security:20.06 telekom-security:19.03 telekom-security:18.11
telekom-security:24.04.1 telekom-security:24.04.0 telekom-security:24.04.0beta telekom-security:22.04.0 telekom-security:20.06.2 telekom-security:20.06.1 telekom-security:20.06.0 telekom-security:19.03.3 telekom-security:19.03.1 telekom-security:19.03 telekom-security:19.03.beta telekom-security:18.11.1 telekom-security:18.11 telekom-security:17.10 telekom-security:17.10.beta telekom-security:17.10.alpha telekom-security:16.10.1 telekom-security:16.10
..
compare: telekom-security:19.03
Branches Tags
telekom-security:master telekom-security:24.04 telekom-security:alpha telekom-security:22.04 telekom-security:dev telekom-security:20.06 telekom-security:19.03 telekom-security:18.11
telekom-security:24.04.1 telekom-security:24.04.0 telekom-security:24.04.0beta telekom-security:22.04.0 telekom-security:20.06.2 telekom-security:20.06.1 telekom-security:20.06.0 telekom-security:19.03.3 telekom-security:19.03.1 telekom-security:19.03 telekom-security:19.03.beta telekom-security:18.11.1 telekom-security:18.11 telekom-security:17.10 telekom-security:17.10.beta telekom-security:17.10.alpha telekom-security:16.10.1 telekom-security:16.10

7 Commits
dev ... 19.03

Author SHA1 Message Date
listbot
198305fc57 listbot integration 2020-05-12 10:41:32 +00:00
Marco Ochse
c50d147926 Update capture-filter.bpf 2020-04-22 17:58:36 +02:00
Marco Ochse
0405a20402 Update update.sh 2020-04-22 17:47:57 +02:00
Marco Ochse
775ea76b98 Update Dockerfile 2020-04-22 17:46:55 +02:00
Marco Ochse
b98d9d352e Load listbot data from OTC 2020-04-22 17:11:54 +02:00
Marco Ochse
c277f313dc Update Dockerfile 2020-04-02 17:21:00 +02:00
Marco Ochse
b12cf0e418 offload listbot data from netlify CDN 2020-04-02 17:15:35 +02:00
467 changed files with 8506 additions and 26747 deletions
Expand all files Collapse all files

121
.env
View File

@ -1,121 +0,0 @@
# T-Pot config file. Do not remove.
###############################################
# T-Pot Base Settings - Adjust to your needs. #
###############################################
# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
# Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
# Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
WEB_USER='change:me'
# T-Pot Blackhole
# ENABLED: T-Pot will download a db of known mass scanners and nullroute them
# Be aware, this will put T-Pot off the map for stealth reasons and
# you will get less traffic. Routes will active until reboot and will
# be re-added with every T-Pot start until disabled.
# DISABLED: This is the default and no stealth efforts are in place.
TPOT_BLACKHOLE=DISABLED
# T-Pot Persistence
# on: This is the default. T-Pot will keep the honeypot logfiles and rotate
# with logrotate for 30 days.
# off: This is recommended for Raspberry Pi or setups with weaker CPUs or
# if you just do not need any of the logfiles.
TPOT_PERSISTENCE=on
# T-Pot Type
# HIVE: This is the default and offers everything to connect T-Pot sensors.
# SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
# settings as well.
# 1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
# 2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
# your SENSOR host to ~/tpotce/data/hive.crt
# 3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
# Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
# 4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
# "echo -n 'username:password' | base64"
TPOT_TYPE=HIVE
# T-Pot Hive User (only relevant for SENSOR deployment)
# <empty>: This is empty by default.
# <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64"
# i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
TPOT_HIVE_USER=
# T-Pot Hive IP (only relevant for SENSOR deployment)
# <empty>: This is empty by default.
# <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
TPOT_HIVE_IP=
# T-Pot AttackMap Text Output
# ENABLED: This is the default and the docker container map_data will print events to the console.
# DISABLED: Printing events to the console is disabled.
TPOT_ATTACKMAP_TEXT=ENABLED
# T-Pot AttackMap Text Output Timezone
# UTC: (T-Pot default) This is usually the best option.
# Continent/City: In Linux you can check our timezone with `readlink` /etc/localtime or
# see the full list here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
# Examples: America/New_York, Asia/Taipei, Australia/Melbourne, Europe/Athens, Europe/Berlin
TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
###################################################################################
# Honeypots / Tools settings
###################################################################################
# Some services / tools offer adjustments using ENVs which can be adjusted here.
###################################################################################
# SentryPeer P2P mode
# Exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
# the bad actors in its logs. Therefore this option is opt-in based.
# 0: This is the default, P2P mode is disabled.
# 1: Enable P2P mode.
SENTRYPEER_PEER_TO_PEER=0
# Suricata ET Pro ruleset
# OPEN: This is the default and will the ET Open ruleset
# OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
OINKCODE=OPEN
###################################################################################
# NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
###################################################################################
# T-Pot Landing page provides Cockpit Link
COCKPIT=false
# docker.sock Path
TPOT_DOCKER_SOCK=/var/run/docker.sock
# docker compose .env
TPOT_DOCKER_ENV=./.env
# Docker-Compose file
TPOT_DOCKER_COMPOSE=./docker-compose.yml
# T-Pot Repo
# Depending on where you are located you may choose between DockerHub and GHCR
# dtagdevsec: This will use the DockerHub image registry
# ghcr.io/telekom-security: This will use the GitHub container registry
TPOT_REPO=ghcr.io/telekom-security
# T-Pot Version Tag
TPOT_VERSION=dev
# T-Pot Pull Policy
# always: (T-Pot default) Compose implementations SHOULD always pull the image from the registry.
# never: Compose implementations SHOULD NOT pull the image from a registry and SHOULD rely on the platform cached image.
# missing: Compose implementations SHOULD pull the image only if it's not available in the platform cache.
# build: Compose implementations SHOULD build the image. Compose implementations SHOULD rebuild the image if already present.
TPOT_PULL_POLICY=always
# T-Pot Data Path
TPOT_DATA_PATH=./data
# OSType (linux, mac, win)
# Most docker features are available on linux
TPOT_OSTYPE=linux

12
.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md → .github/ISSUE_TEMPLATE.md vendored
View File

@ -1,14 +1,6 @@
---
name: Bug report for T-Pot
about: Bug report for T-Pot
title: ''
labels: ''
assignees: ''
---
Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
# Issues
Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue:
- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).

20
.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md vendored
View File

@ -1,20 +0,0 @@
---
name: Feature request for T-Pot
about: Suggest an idea for T-Pot
title: ''
labels: ''
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

39
.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md vendored
View File

@ -1,39 +0,0 @@
---
name: General issue for T-Pot
about: General issue for T-Pot
title: ''
labels: ''
assignees: ''
---
🗨️ Please post your questions in [Discussions](https://github.com/telekom-security/tpotce/discussions) and keep the issues for **issues**. Thank you 😁.<br>
Before you post your issue make sure it has not been answered yet and provide `basic support information` if you come to the conclusion it is a new issue.
- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
- 🧐 Check our [WIKI](https://github.com/dtag-dev-sec/tpotce/wiki)
- 📚 Consult the documentation of 💻 [Debian](https://www.debian.org/doc/), 🐳 [Docker](https://docs.docker.com/), the 🦌 [ELK stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
- **⚠️ Provide [basic support information](#info) or similiar information with regard to your issue or we can not help you and will close the issue without further notice**
<br>
<br>
<br>
<a name="info"></a>
## ⚠️ Basic support information (commands are expected to run as `root`)
- What version of the OS are you currently using `lsb_release -a` and `uname -a`?
- What T-Pot version are you currently using?
- What edition (Standard, Nextgen, etc.) of T-Pot are you running?
- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
- Did you have any problems during the install? If yes, please attach `/install.log` `/install.err`.
- How long has your installation been running?
- Did you install upgrades, packages or use the update script?
- Did you modify any scripts or configs? If yes, please attach the changes.
- Please provide a screenshot of `glances` and `htop`.
- How much free disk space is available (`df -h`)?
- What is the current container status (`dps.sh`)?
- What is the status of the T-Pot service (`systemctl status tpot`)?
- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `netstat -tulpen`
- If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

4
.gitignore vendored
View File

@ -1,4 +0,0 @@
# Ignore data folder
data/
**/.DS_Store
.idea

221
CHANGELOG.md
View File

@ -1,45 +1,188 @@
# Release Notes / Changelog
T-Pot 22.04.0 is probably the most feature rich release ever provided with long awaited (wanted!) features readily available after installation.
# Changelog
## New Features
* **Distributed** Installation with **HIVE** and **HIVE_SENSOR**
* **ARM64** support for all provided Docker images
* **GeoIP Attack Map** visualizing Live Attacks on a dedicated webpage
* **Kibana Live Attack Map** visualizing Live Attacks from different **HIVE_SENSORS**
* **Blackhole** is a script trying to avoid mass scanner detection
* **Elasticvue** a web front end for browsing and interacting with an Elastic Search cluster
* **Ddospot** a honeypot for tracking and monitoring UDP-based Distributed Denial of Service (DDoS) attacks
* **Endlessh** is a SSH tarpit that very slowly sends an endless, random SSH banner
* **HellPot** is an endless honeypot based on Heffalump that sends unruly HTTP bots to hell
* **qHoneypots** 25 honeypots in a single container for monitoring network traffic, bots activities, and username \ password credentials
* **Redishoneypot** is a honeypot mimicking some of the Redis' functions
* **SentryPeer** a dedicated SIP honeypot
* **Index Lifecycle Management** for Elasticseach indices is now being used
## 20200116
- **Bump ELK to latest 6.8.6**
- **Update ISO image to fix upstream bug of missing kernel modules**
- **Include dashboards for CitrixHoneypot**
- Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
- This update requires the latest Kibana objects as well. Download the latest from https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/etc/objects/kibana_export.json.zip, unzip and import the objects within Kibana WebUI > Management > Saved Objects > Export / Import". All objects will be overwritten upon import, make sure to run an export first.
## Upgrades
* **Debian 11.x** is now being used for the T-Pot ISO images and required for post installs
* **Elastic Stack 8.x** is now provided as Docker images
## 20200115
- **Prepare integration of CitrixHoneypot**
- Prepare integration of [CitrixHoneypot](https://github.com/MalwareTech/CitrixHoneypot) by MalwareTech
- Integration into ELK is still open
- Please run `/opt/tpot/update.sh` for the necessary modifications, omit the reboot and run `/opt/tpot/bin/tped.sh` to (re-)select the NextGen installation type.
## Updates
* **Honeypots** and **tools** were updated to their latest masters and releases
* Updates will be provided continuously through Docker Images updates
## 20191224
- **Use pigz, optimize logrotate.conf**
- Use `pigz` for faster archiving, especially with regard to high volumes of logs - Thanks to @workandresearchgithub!
- Optimize `logrotate.conf` to improve archiving speed and get rid of multiple compression, also introduce `pigz`.
## Breaking Changes
* For security reasons all Py2.x honeypots with the need of PyPi packages have been removed: **HoneyPy**, **HoneySAP** and **RDPY**
* If you are upgrading from a previous version of T-Pot (20.06.x) you need to import the new Kibana objects or some of the functionality will be broken or will be unavailabe
* **Cyberchef** is now part of the Nginx Docker image, no longer as individual image
* **ElasticSearch Head** is superseded by **Elasticvue** and part the Nginx Docker image
* **Heimdall** is no longer supported and superseded with a new Bento based landing page
* **Elasticsearch Curator** is no longer supprted and superseded with **Index Lifecycle Policies** available through Kibana.
## 20191121
- **Bump ADBHoney to latest master**
- Use latest version of ADBHoney, which now fully support Python 3.x - Thanks to @huuck!
# Thanks & Credits
* @ghenry, for some fun late night debugging and of course SentryPeer!
* @giga-a, for adding much appreciated features (i.e. JSON logging,
X-Forwarded-For, etc.) and of course qHoneypots!
* @sp3t3rs, @trixam, for their backend and ews support!
* @tadashi-oya, for spotting some errors and propose fixes!
* @tmariuss, @shaderecker for their cloud contributions!
* @vorband, for much appreciated and helpful insights regarding the GeoIP Attack Map!
* @yunginnanet, on not giving up on squashing a bug and of course Hellpot!
## 20191113, 20191104, 20191103, 20191028
- **Switch to Debian 10 on OTC, Ansible Improvements**
- OTC now supporting Debian 10 - Thanks to @shaderecker!
... and many others from the T-Pot community by opening valued issues and discussions, suggesting ideas and thus helping to improve T-Pot!
## 20191028
- **Fix an issue with pip3, yq**
- `yq` needs rehashing.
## 20191026
- **Remove cockpit-pcp**
- `cockpit-pcp` floods swap for some reason - removing for now.
## 20191022
- **Bump Suricata to 5.0.0**
## 20191021
- **Bump Cowrie to 2.0.0**
## 20191016
- **Tweak installer, pip3, Heralding**
- Install `cockpit-pcp` right from the start for machine monitoring in cockpit.
- Move installer and update script to use pip3.
- Bump heralding to latest master (1.0.6) - Thanks @johnnykv!
## 20191015
- **Tweaking, Bump glutton, unlock ES script**
- Add `unlock.sh` to unlock ES indices in case of lockdown after disk quota has been reached.
- Prevent too much terminal logging from p0f and glutton since `daemon.log` was filled up.
- Bump glutton to latest master now supporting payload_hex. Thanks to @glaslos.
## 20191002
- **Merge**
- Support Debian Buster images for AWS #454
- Thank you @piffey
## 20190924
- **Bump EWSPoster**
- Supports Python 3.x
- Thank you @Trixam
## 20190919
- **Merge**
- Handle non-interactive shells #454
- Thank you @Oogy
## 20190907
- **Logo tweaking**
- Add QR logo
## 20190828
- **Upgrades and rebuilds**
- Bump Medpot, Nginx and Adbhoney to latest master
- Bump ELK stack to 6.8.2
- Rebuild Mailoney, Honeytrap, Elasticpot and Ciscoasa
- Add 1080p T-Pot wallpaper for download
## 20190824
- **Add some logo work**
- Thanks to @thehadilps's suggestion adjusted social preview
- Added 4k T-Pot wallpaper for download
## 20190823
- **Fix for broken Fuse package**
- Fuse package in upstream is broken
- Adjust installer as workaround, fixes #442
## 20190816
- **Upgrades and rebuilds**
- Adjust Dionaea to avoid nmap detection, fixes #435 (thanks @iukea1)
- Bump Tanner, Cyberchef, Spiderfoot and ES Head to latest master
## 20190815
- **Bump ELK stack to 6.7.2**
- Transition to 7.x must iterate slowly through previous versions to prevent changes breaking T-Pots
## 20190814
- **Logstash Translation Maps improvement**
- Download translation maps rather than running a git pull
- Translation maps will now be bzip2 compressed to reduce traffic to a minimum
- Fixes #432
## 20190802
- **Add support for Buster as base image**
- Install ISO is now based on Debian Buster
- Installation upon Debian Buster is now supported
## 20190701
- **Reworked Ansible T-Pot Deployment**
- Transitioned from bash script to all Ansible
- Reusable Ansible Playbook for OpenStack clouds
- Example Showcase with our Open Telekom Cloud
- Adaptable for other cloud providers
## 20190626
- **HPFEEDS Opt-In commandline option**
- Pass a hpfeeds config file as a commandline argument
- hpfeeds config is saved in `/data/ews/conf/hpfeeds.cfg`
- Update script restores hpfeeds config
## 20190604
- **Finalize Fatt support**
- Build visualizations, searches, dashboards
- Rebuild index patterns
- Some finishing touches
## 20190601
- **Start supporting Fatt, remove Glastopf**
- Build Dockerfile, Adjust logstash, installer, update and such.
- Glastopf is no longer supported within T-Pot
## 20190528+20190531
- **Increase total number of fields**
- Adjust total number of fileds for logstash templae from 1000 to 2000.
## 20190526
- **Fix build for Cowrie**
- Upstream changes required a new package `py-bcrypt`.
## 20190525
- **Fix build for RDPY**
- Building was prevented due to cache error which occurs lately on Alpine if `apk` is using `--no-ache' as options.
## 20190520
- **Adjust permissions for /data folder**
- Now it is possible to download files from `/data` using SCP, WINSCP or CyberDuck.
## 20190513
- **Added Ansible T-Pot Deployment on Open Telekom Cloud**
- Reusable Ansible Playbooks for all cloud providers
- Example Showcase with our Open Telekom Cloud
## 20190511
- **Add hptest script**
- Quickly test if the honeypots are working with `hptest.sh <[ip,host]>` based on nmap.
## 20190508
- **Add tsec / install user to tpot group**
- For users being able to easily download logs from the /data folder the installer now adds the `tpot` or the logged in user (`who am i`) via `usermod -a -G tpot <user>` to the tpot group. Also /data permissions will now be enforced to `770`, which is necessary for directory listings.
## 20190502
- **Fix KVPs**
- Some KVPs for Cowrie changed and the tagcloud was not showing any values in the Cowrie dashboard.
- New installations are not affected, however existing installations need to import the objects from /opt/tpot/etc/objects/kibana-objects.json.zip.
- **Makeiso**
- Move to Xorriso for building the ISO image.
- This allows to support most of the Debian based distros, i.e. Debian, MxLinux and Ubuntu.
## 20190428
- **Rebuild ISO**
- The install ISO needed a rebuilt after some changes in the Debian mirrors.
- **Disable Netselect**
- After some reports in the issues that some Debian mirrors were not fully synced and thus some packages were unavailable the netselect-apt feature was disabled.
## 20190406
- **Fix for SSH**
- In some situations the SSH Port was not written to a new line (thanks to @dpisano for reporting).
- **Fix race condition for apt-fast**
- Curl and wget need to be installed before apt-fast installation.
## 20190404
- **Fix #332**
- If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used.
- **Improve install speed with apt-fast**
- Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package.

43
CITATION.cff
View File

@ -1,43 +0,0 @@
# This CITATION.cff file was generated with cffinit.
# Visit https://bit.ly/cffinit to generate yours today!
cff-version: 1.2.0
title: T-Pot DEV
message: >-
If you use this software, please cite it using the
metadata from this file.
type: software
authors:
- name: Deutsche Telekom Security GmbH
address: Bonner Talweg 100
city: Bonn
country: DE
post-code: '53113'
website: 'https://github.com/telekom-security'
- given-names: Marco
family-names: Ochse
affiliation: Deutsche Telekom Security GmbH
identifiers:
- type: url
value: >-
https://github.com/telekom-security/tpotce/releases/tag/22.04.0
description: T-Pot Release 22.04.0
repository-code: 'https://github.com/telekom-security/tpotce'
abstract: >-
T-Pot is the all in one, optionally distributed, multiarch
(amd64, arm64) honeypot plattform, supporting 20+
honeypots and countless visualization options using the
Elastic Stack, animated live attack maps and lots of
security tools to further improve the deception
experience.
keywords:
- honeypot
- deception
- t-pot
- telekom security
- docker
- elk
license: GPL-3.0
commit: unreleased, under heavy development
version: 2x.yy.z
date-released: '202x-yy-zz'

205
PREVIEW.md
View File

@ -1,205 +0,0 @@
# T-Pot - Dev Preview
T-Pot will be turning 10 years next year and this milestone will be celebrated when the time comes, which brings us today to the best time to reflect on how technology advanced, what this means for the project and how we can ensure T-Pot will meet the current and future requirements of the community.
<br><br>
# TL;DR
1. [Download](#choose-your-distro) or use a running, supported distribution
2. Install the ISO with as minimal packages / services as possible (SSH required!)
3. Install curl: `$ sudo [apt, dnf, zypper] install curl` if not installed already
4. Run installer as non-root:
```
/bin/bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/dev/install.sh)"
```
* Follow instructions, read messages, check for possible port conflicts and reboot
5. [Start](#start-t-pot) T-Pot as non-root for the first time:
```
cd tpotce/preview/
docker compose up
```
# Table of Contents
- [Disclaimer](#disclaimer)
- [Last Time Departed](#last-time-departed)
- [Present Time](#present-time)
- [Destination Time](#destination-time)
- [Technical Preview](#technical-preview)
- [Architecture](#architecture)
- [Installation](#installation)
- [Choose your distro](#choose-your-distro)
- [Get and Install T-Pot](#get-and-install-t-pot)
- [T-Pot Config File](#t-pot-config-file)
- [macOS & Windows](#macos--windows)
- [Start T-Pot](#start-t-pot)
- [Stop T-Pot](#stop-t-pot)
- [Uninstall T-Pot](#uninstall-t-pot)
- [Feedback](#uninstall-t-pot)
<br><br>
# Disclaimer
- This is a Technical Preview, a very very early stage in the development T-Pot. You have been warned - there will be dragons steering flying time machines possibly causing paradoxes.
- The T-Pot [disclaimer](https://github.com/telekom-security/tpotce/blob/master/README.md#disclaimer) and [documentation](https://github.com/telekom-security/tpotce/blob/master/README.md) apply.
<br><br>
# Last Time Departed
Jumping back to 2014 T-Pot was born as the direct ancestor of our Raspberry Pi images we used to offer for download (which probably by now only insiders will remember 😅). Docker was just the new kid on the block with the shiny new container engine everyone desperately unknowingly waited for and thus taking the dev-world by storm. At that point we wanted to ensure that T-Pot was something tangible, tethered to a physical device (Hello NUC my old friend 👋) while using latest technologies ensuring an easy transition should we ever leave hardware based installations (or VMs for that matter). And Oh-My-Zsh as you all know that day came faster than anticipated! (Special thanks @vorband, @shaderecker and @tmariuss for all of their contributions!)
<br><br>
# Present Time
Flash Forward to today, T-Pot offers support for Debian, both as an ISO based installation or a post installation method (install your own Debian Server), support for OTC, AWS and other clouds through Ansible and Terraform Support. All of this in many different flavors and even a distributed installation. At the same time we are still relying on the same base concept we originally started with which does not seem fit for the foreseeable future.<br>
In the last couple of years being independent of a certain platform was the one feature that stood out by far. The reason for this, until today, is the simple fact that T-Pot, although relying heavily on Docker, still relies on a fully controlled environment. This has its advantages but can not meet a demand where cloud based installations need different settings than we can provide (we can only run limited platform tests), companies follow different guidelines for allowed distributions or hosters simply offer Debian images slightly adjusted to their environments causing issues with the setting T-Pot relies on. Roll the dice or ask the Magic-8-Ball.
<br><br>
# Destination Time
Back to the future of T-Pot. For a brief time we had the idea of T-Pot Light which should compensate for the missing platform support. A concept was whipped up to support all of T-Pot's dockered services on minimal installations of Debian, Fedora, OpenSuse and Ubuntu Server. And it worked! It worked so good that we have almost achieved feature parity for this Technical Preview and decided that this is the best candidate for the future of the development of T-Pot<br>
We are thrilled to share this now, so you can test, provide us with feedback, open issues and discussions and give us the chance to make the next T-Pot the best T-Pot we have ever released!
<br><br>
## Technical Preview
For the purpose of the Technical Preview T-Pot will still use the 22.04 images and for a great part rely on the 22.04 release. This will lay the groundwork though for the next T-Pot release by just relying on the latest Docker package repositories (yes, the distros mostly do not offer Docker's bleeding edge features), some tiny modifications on the host (installer and uninstaller provided!) and move all of T-Pot's core in its own Docker image with a simple, user adjustable, configuration.<br>
<br><br>
## Architecture
While the basic architecture still remains, the Technical Preview of T-Pot is mostly independent of the underlying OS with only some basic requirements:
1. Underlying OS is available as supported distribution:
* Only the bare minimum of services and packages are installed to avoid possible port conflicts with T-Pot's services
* Debian, Fedora, OpenSuse and Ubuntu Server are currently supported, others might follow if the requirements will be met
2. Latest Docker Engine from Docker's repositories is supported
* Only the latest Docker Engine packages offer all the features needed for T-Pot
* Docker Desktop does not offer host network capabilities and thus only a limited T-Pot experience (not available for the Technical Preview, but planned to even get started faster!)
3. Changes to the host
* Some changes to the host are necessary but will be kept as minimalistic as possible, just enough T-Pot will be able to run
* There are uninstallers available this time 😁
<br><br>
# System Requirements
The known T-Pot hardware (CPU, RAM, SSD) requirements and recommendations still apply.
<br><br>
# Installation
[Download](#choose-your-distro) one of the supported Linux distro images, `git clone` the T-Pot repository and run the installer specific to your system. Running T-Pot on top of a running and supported Linux system is possible, but a clean installation is recommended to avoid port conflicts with running services.
<br><br>
## Choose your distro
Choose a supported distro of your choice. It is recommended to use the minimum / netiso installers linked below and only install a minimalistic set of packages. SSH is mandatory or you will not be able to connect to the machine remotely.
| Distribution Name | x64 | arm64
|:-----------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|:--------------
| [AlmaLinux](https://almalinux.org) | [download](https://mirrors.almalinux.org/isos/x86_64/9.2.html) | [download](https://mirrors.almalinux.org/isos/aarch64/9.2.html)
| [Debian](https://www.debian.org/index.en.html) | [download](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.0.0-amd64-netinst.iso) | [download](https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso)
| [DietPi](https://dietpi.com/#home) | | [download](https://dietpi.com/downloads/images/DietPi_RPi-ARMv8-Bookworm.7z)
| [Fedora](https://fedoraproject.org) | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/38/Server/x86_64/iso/Fedora-Server-netinst-x86_64-38-1.6.iso) | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/38/Server/aarch64/iso/Fedora-Server-netinst-aarch64-38-1.6.iso)
| [OpenSuse](https://www.opensuse.org) | [download](https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-NET-x86_64-Current.iso) | [download](https://download.opensuse.org/ports/aarch64/tumbleweed/iso/openSUSE-Tumbleweed-NET-aarch64-Current.iso)
| [Rocky Linux](https://rockylinux.org) | [download](https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.2-x86_64-minimal.iso) | [download](https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.2-aarch64-minimal.iso)
| [Ubuntu](https://ubuntu.com) | [download](https://releases.ubuntu.com/22.04.2/ubuntu-22.04.2-live-server-amd64.iso) | [download](https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04.2-live-server-arm64.iso)
## Raspberry Pi 4 (8GB) Support
| Distribution Name | arm64 | Notes
|:-----------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|:--------------
| [DietPi](https://dietpi.com/#home) | [download](https://dietpi.com/downloads/images/DietPi_RPi-ARMv8-Bookworm.7z) | In DietPi config you need to choose OpenSSH instead of Dropbear or T-Pot will fail to install
| [Raspberry Pi OS](https://www.raspberrypi.com) | [download](https://downloads.raspberrypi.org/raspios_lite_arm64/images/raspios_lite_arm64-2023-05-03/2023-05-03-raspios-bullseye-arm64-lite.img.xz) | Recommended, everything incl. Wifi works as expected right away (when using Raspberry Pi Imager)
<br><br>
## Get and install T-Pot
1. Clone the GitHub repository: `$ git clone https://github.com/telekom-security/tpotce`
2. Change into the **tpotce/preview/installer** folder: `$ cd tpotce/preview/installer`
3. Locate your distribution, i.e. `fedora`: `$ cd fedora`
4. Run the installer as non-root: `$ ./install.sh`:
* ⚠️ ***Depending on your Linux distribution of choice the installer will:***
* Change the SSH port to `tcp/64295`
* Disable the DNS Stub Listener to avoid port conflicts with honeypots
* Set SELinux to Monitor Mode
* Set the firewall target for the public zone to ACCEPT
* Add Docker's repository and install Docker
* Install recommended packages
* Remove package known to cause issues
* Add the current user to the docker group (allow docker interaction without `sudo`)
* Add `dps` and `dpsw` aliases (`grc docker ps -a`, `watch -c "grc --colour=on docker ps -a`)
* Display open ports on the host (compare with T-Pot [required](https://github.com/telekom-security/tpotce#required-ports) ports)
5. Follow the installer instructions, you will have to enter your password at least once
6. Check the installer messages for errors and open ports that might cause port conflicts
7. Reboot: `$ sudo reboot`
<br><br>
## T-Pot Config File
T-Pot offers a configuration file providing environment variables not only for the docker services (i.e. honeypots and tools) but also for the docker compose environment. The configuration file is hidden in the `preview` folder and is called `.env`. There is however an example file (`env.example`) which holds the default configuration.<br> Before the first start set the `WEB_USER` and `WEB_PW`. Once T-Pot was initialized it is recommended to remove the password and set `WEB_PW=<changeme>`. Other settings are available also, these however should only be changed if you are comfortable with possible errors 🫠 as some of the features are not fully integrated and tested yet.
```
# T-Pot config file. Do not remove.
# Set Web username and password here, only required for first run
# Removing the password after first run is recommended
# You can always add or remove users as you see fit using htpasswd:
# htpasswd -b -c /<data_folder>/nginx/conf/nginxpasswd <username> <password>
WEB_USER=<changeme>
WEB_PW=<changeme>
# T-Pot Blackhole
# ENABLED: T-Pot will download a db of known mass scanners and nullroute them
# Be aware, this will put T-Pot off the map for stealth reasons and
# you will get less traffic. Routes will active until reboot and will
# be re-added with every T-Pot start until disabled.
# DISABLED: This is the default and no stealth efforts are in place.
TPOT_BLACKHOLE=DISABLED
```
## macOS & Windows
Sometimes it is just nice if you can spin up a T-Pot instance on macOS or Windows, i.e. for development, testing or just the fun of it. While Docker Desktop is rather limited not all honeypot types or T-Pot features are supported. Also remember, by default the macOS and Windows firewall are blocking access from remote, so testing is limited to the host. For production it is recommended to run T-Pot on Linux.<br>
To get things up and running just follow these steps:
1. Install Docker Desktop for [macOS](https://docs.docker.com/desktop/install/mac-install/) or [Windows](https://docs.docker.com/desktop/install/windows-install/)
2. Clone the GitHub repository: `$ git clone https://github.com/telekom-security/tpotce`
2. Change into the **tpotce/preview/compose** folder: `$ cd tpotce/preview/compose`
3. Copy **mac_win.yml** to the **tpotce/preview** folder by overwriting **docker-compose.yml**: `$ cp mac_win.yml ../docker-compose.yml`
4. Adjust the **.env** file by changing **TPOT_OSTYPE** to either **mac** or **win**:
```
# OSType (linux, mac, win)
# Most docker features are available on linux
TPOT_OSTYPE=mac
```
5. You have to ensure on your own there are no port conflicts keeping T-Pot from starting up.
You can follow the README on how to [Start T-Pot](#start-t-pot), however you may skip the **crontab**.
# Start T-Pot
1. Change into the **tpotce/preview/** folder: `$ cd tpotce/preview/`
2. Run: `$ docker compose up` (notice the missing dash, `docker-compose` no longer exists with the latest Docker installation)
* You can also run `$ docker compose -f /<path_to_tpot>/tpotce/preview/docker-compose.yml up` directly if you want to avoid to change into the `preview` folder or add an alias of your choice.
3. `docker compose` will now download all the necessary images to run the T-Pot Docker containers
4. On the first run T-Pot (`tpotinit`) will initialize and create the `data` folder in the path specified (by default it is located in `tpotce/preview/data/`):
* It takes about 2-3 minutes to bring all the containers up (should port conflicts arise `docker compose` will simply abort)
* Once all containers have started successfully for the first time you can access T-Pot as described [here](https://github.com/telekom-security/tpotce#remote-access-and-tools) or cancel with `CTRL-C` ...
5. ... and run T-Pot in the background: `$ docker compose up -d`
* Unless you run `docker compose down -v` T-Pot's Docker service will remain persistent and restart with a reboot
* You can however add a crontab entry with `crontab -e` which will also add some container and image management.
```
@reboot docker compose -f /<path_to_tpot_>/tpotce/preview/docker-compose.yml down -v; \
docker container prune -f; \
docker image prune -f; \
docker compose -f /<path_to_tpot_>/tpotce/preview/docker-compose.yml up -d
```
6. By default Docker will always check if the local and remote docker images match, if not, Docker will either revert to a fitting locally cached image or download the image from remote. This ensures T-Pot images will always be up-to-date
# Stop T-Pot
1. Change into the **tpotce/preview/** folder: `$ cd tpotce/preview/`
2. Run: `$ docker compose down -v` (notice the missing dash, `docker-compose` no longer exists with the latest docker installation)
3. Docker will now stop all running T-Pot containers and disable reboot persistence (unless you made a [crontab entry](#start-t-pot)
* You can also run `$ docker compose -f /<path_to_tpot>/tpotce/preview/docker-compose.yml down -v` directly if you want to avoid to change into the `preview` folder or add an alias of your choice.
# Uninstall T-Pot
1. Change into the **tpotce/preview/uninstaller/** folder: `$ cd tpotce/preview/uninstaller/`
2. Locate your distribution, i.e. `fedora`: `$ cd fedora`
3. Run the installer as non-root: `$ ./uninstall.sh`:
* The uninstaller will reverse the installation steps
4. Follow the uninstaller instructions, you will have to enter your password at least once
5. Check the uninstaller messages for errors
6. Reboot: `$ sudo reboot`
<br><br>
# Feedback
To ensure the next T-Pot release will be everything we and you - The T-Pot Community - have in mind please feel free to leave comments in the `Technical Preview` [discussion](https://github.com/telekom-security/tpotce/discussions/1325) pinned on our GitHub [Discussions](https://github.com/telekom-security/tpotce/discussions) section. Please bear in mind that this Technical Preview is made public in the earliest stage of the T-Pot development process at your convenience for ***your*** valuable input.
<br><br>
Thank you for testing 💖
Special thanks to all the [contributors](https://github.com/telekom-security/tpotce/graphs/contributors) and [developers](https://github.com/telekom-security/tpotce#credits) making this project possible!

1126
README.md
View File

File diff suppressed because it is too large Load Diff

20
SECURITY.md
View File

@ -1,20 +0,0 @@
# Security Policy
## Supported Versions
| Version | Supported |
|---------| ------------------ |
| 23.12.x | :white_check_mark: |
## Reporting a Vulnerability
We take security of T-Pot very seriously. If one of T-Pot's components is affected, it is most likely that a upstream component we rely on is involved, such as a honeypot, docker image, tool or package. Together we will find the best possible way to remedy the situation.
Before you submit a possible vulnerability, please ensure you have done the following:
1. You have checked the documentation, issues and discussions if the detected behavior is typical and does not revolve around other issues. I.e. Cowrie will be detected with outgoing conncection requests or T-Pot opening all possible TCP ports which Honeytrap enabled install flavors will do as a feature.
2. You have identified the vulnerable component and isolated your finding (honeypot, docker image, tool, package, etc.).
3. You have a detailed description including log files, possibly debug files, with all steps necessary for us to reproduce / trigger the behaviour or vulnerability. At best you already have a possible solution, hotfix, fix or patch to remedy the situation and want to submit a PR.
4. You have checked if the possible vulnerability is known upstream. If a fix / patch is already available, please provide the necessary info.
We will get back to you as fast as possible. In case you think this is an emergency for the whole T-Pot community feel free to speed things up by **responsibly** informing our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316).

77
_deprecated/bin/2fa.sh
View File

@ -1,77 +0,0 @@
#!/bin/bash
# Make sure script is started as non-root.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" = "root" ]
then
echo "Need to run as non-root ..."
echo ""
exit
fi
# set vars, check deps
myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
if ! [ -s "$myPAM_COCKPIT_FILE" ];
then
echo "### Cockpit PAM module config does not exist. Something went wrong."
echo ""
exit 1
fi
myPAM_COCKPIT_GA="
# google authenticator for two-factor
auth required pam_google_authenticator.so
"
myAUTHENTICATOR=$(which google-authenticator)
if [ "$myAUTHENTICATOR" == "" ];
then
echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
echo ""
sudo apt-get update
sudo apt-get install -y libpam-google-authenticator
exec "$1" "$2"
exit 1
fi
# write PAM changes
function fuWRITE_PAM_CHANGES {
myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
if ! [ "$myCHECK" == "0" ];
then
echo "### PAM config already enabled. Skipped."
echo ""
else
echo "### Updating PAM config for Cockpit (if asked provide root password)."
echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
sudo systemctl restart cockpit
fi
}
# create 2fa
function fuGEN_TOKEN {
echo "### Now generating token for Google Authenticator."
echo ""
google-authenticator -t -d -r 3 -R 30 -w 17
}
# main
echo "### This script will enable Two Factor Authentication for Cockpit."
echo ""
echo "### Please download one of the many authenticator apps from the appstore of your choice."
echo ""
while true;
do
read -p "### Ready to start (y/n)? " myANSWER
case $myANSWER in
[Yy]* ) echo "### OK. Starting ..."; break;;
[Nn]* ) echo "### Exiting."; exit;;
esac
done
fuWRITE_PAM_CHANGES
fuGEN_TOKEN
echo "Done. Re-run this script by every user who needs Cockpit access."
echo ""

109
_deprecated/bin/blackhole.sh
View File

@ -1,109 +0,0 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "### Need to run as root ..."
echo
exit
fi
# Disclaimer
if [ "$1" == "" ];
then
echo "### Warning!"
echo "### This script will download and add blackhole routes for known mass scanners in an attempt to decrease the chance of detection."
echo "### IPs are neither curated or verified, use at your own risk!"
echo "###"
echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
echo
echo "Usage: blackhole.sh add (add blackhole routes)"
echo " blackhole.sh del (delete blackhole routes)"
echo
exit
fi
# QnD paths, files
mkdir -p /etc/blackhole
cd /etc/blackhole
myFILE="mass_scanner.txt"
myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
myBASELINE="500"
# Alternatively, using less routes, but blocking complete /24 networks
#myFILE="mass_scanner_cidr.txt"
#myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
# Calculate age of downloaded list, read IPs
if [ -f "$myFILE" ];
then
myNOW=$(date +%s)
myOLD=$(date +%s -r "$myFILE")
myDAYS=$(( ($myNOW-$myOLD) / (60*60*24) ))
echo "### Downloaded $myFILE list is $myDAYS days old."
myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
fi
# Let's load ip list
if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
then
echo "### Downloading $myFILE list."
aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
fi
myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
# Let's extract mass scanner IPs
if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
then
echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
echo "### Aborting."
echo
exit
elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
then
echo "### Blackhole already enabled."
echo "### Aborting."
echo
exit
fi
# Let's add blackhole routes for all mass scanner IPs
if [ "$1" == "add" ];
then
echo
echo -n "Now adding $myCOUNT IPs to blackhole."
for i in $myBLACKHOLE_IPS;
do
ip route add blackhole "$i"
echo -n "."
done
echo
echo "Added $(ip r | grep "blackhole" -c) IPs to blackhole."
echo
echo "### Remember!"
echo "### As long as <blackhole.sh del> is not executed the routes will be re-added on T-Pot start through </opt/tpot/bin/updateip.sh>."
echo "### Check with <ip r> or <dps.sh> if blackhole is enabled."
echo
exit
fi
# Let's delete blackhole routes for all mass scanner IPs
if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
then
echo
echo -n "Now deleting $myCOUNT IPs from blackhole."
for i in $myBLACKHOLE_IPS;
do
ip route del blackhole "$i"
echo -n "."
done
echo
echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
echo
rm "$myFILE"
else
echo "### Blackhole already disabled."
echo
fi

89
_deprecated/bin/change_ews_config.sh
View File

@ -1,89 +0,0 @@
#!/bin/bash
echo """
##############################
# T-POT DTAG Data Submission #
# Contact: #
# cert@telekom.de #
##############################
"""
# Got root?
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
sudo ./$0
exit
fi
printf "[*] Enter your API UserID: "
read apiUser
printf "[*] Enter your API Token: "
read apiToken
printf "[*] If you have multiple T-Pots running, give them each a unique NUMBER, e.g. '2' for your second T-Pot installation. Enter unique number for THIS T-Pot: "
read indexNumber
if ! [[ "$indexNumber" =~ ^[0-9]+$ ]]
then
echo "Sorry integers only. You have to start over..."
exit 1
fi
apiURL="https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage"
printf "[*] Currently, your honeypot is configured to transmit data the default backend at 'https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage'. Do you want to change this API endpoint? Only do this if you run your own PEBA backend instance? (N/y): "
read replyAPI
if [[ $replyAPI =~ ^[Yy]$ ]]
then
printf "[*] Enter your API endpoint URL and make sure it contains the full path, e.g. 'https://myDomain.local:9922/ews-0.1/alert/postSimpleMessage': "
read apiURL
fi
echo ""
echo "[*] Recap! You defined: "
echo "############################"
echo "API User: " $apiUser
echo "API Token: " $apiToken
echo "API URL: " $apiURL
echo "Unique numeric ID for your T-Pot Installation: " $indexNumber
echo "Specific honeypot-IDs will look like : <honeypotType>-"$apiUser"-"$indexNumber
echo "############################"
echo ""
printf "[*] Is the above correct (y/N)? "
read reply
if [[ ! $reply =~ ^[Yy]$ ]]
then
echo "OK, then run this again..."
exit 1
fi
echo ""
echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist
if [[ -f "ews.cfg.dist" ]]; then
echo "[+] Successfully downloaded ews.cfg from github."
else
echo "[+] Could not download ews.cfg from github."
exit 1
fi
echo "[+] Patching ews.cfg API Credentials."
sed 's/community-01-user/'$apiUser'/' ews.cfg.dist > ews.cfg
sed -i 's/foth{a5maiCee8fineu7/'$apiToken'/' ews.cfg
echo "[+] Patching ews.cfg API Url."
apiURL=${apiURL////\\/};
sed -i 's/https:\/\/community.sicherheitstacho.eu\/ews-0.1\/alert\/postSimpleMessage/'$apiURL'/' ews.cfg
echo "[+] Patching ews.cfg honeypot IDs."
sed -i 's/community-01/'$apiUser'-'$indexNumber'/' ews.cfg
rm ews.cfg.dist
echo "[+] Changing tpot.yml to include new ews.cfg."
cp ews.cfg /data/ews/conf/ews.cfg
cp /opt/tpot/etc/tpot.yml /opt/tpot/etc/tpot.yml.bak
sed -i '/- \/data\/ews\/conf\/ews.ip:\/opt\/ewsposter\/ews.ip/a\ \ \ - \/data\/ews\/conf\/ews.cfg:\/opt\/ewsposter\/ews.cfg' /opt/tpot/etc/tpot.yml
echo "[+] Restarting T-Pot."
systemctl restart tpot
echo "[+] Done."

182
_deprecated/bin/deploy.sh
View File

@ -1,182 +0,0 @@
#!/bin/bash
# Do we have root?
function fuGOT_ROOT {
echo
echo -n "### Checking for root: "
if [ "$(whoami)" != "root" ];
then
echo "[ NOT OK ]"
echo "### Please run as root."
echo "### Example: sudo $0"
exit
else
echo "[ OK ]"
fi
}
function fuDEPLOY_SENSOR () {
echo
echo "###############################"
echo "# Deploying to T-Pot Hive ... #"
echo "###############################"
echo
sshpass -e ssh -4 -t -T -l "$MY_TPOT_USERNAME" -p 64295 "$MY_HIVE_IP" << EOF
echo "$SSHPASS" | sudo -S bash -c 'useradd -m -s /sbin/nologin -G tpotlogs "$MY_HIVE_USERNAME";
mkdir -p /home/"$MY_HIVE_USERNAME"/.ssh;
echo "$MY_SENSOR_PUBLICKEY" >> /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
chmod 600 /home/"$MY_HIVE_USERNAME"/.ssh/authorized_keys;
chmod 755 /home/"$MY_HIVE_USERNAME"/.ssh;
chown "$MY_HIVE_USERNAME":"$MY_HIVE_USERNAME" -R /home/"$MY_HIVE_USERNAME"/.ssh'
EOF
echo
echo "###########################"
echo "# Done. Please reboot ... #"
echo "###########################"
echo
exit 0
}
# Check Hive availability
function fuCHECK_HIVE () {
echo
echo "############################################"
echo "# Checking for T-Pot Hive availability ... #"
echo "############################################"
echo
sshpass -e ssh -4 -t -l "$MY_TPOT_USERNAME" -p 64295 -f -N -L64305:127.0.0.1:64305 "$MY_HIVE_IP" -o "StrictHostKeyChecking=no"
if [ $? -eq 0 ];
then
echo
echo "#########################"
echo "# T-Pot Hive available! #"
echo "#########################"
echo
myHIVE_OK=$(curl -s http://127.0.0.1:64305)
if [ "$myHIVE_OK" == "ok" ];
then
echo
echo "##############################"
echo "# T-Pot Hive tunnel test OK! #"
echo "##############################"
echo
kill -9 $(pidof ssh)
else
echo
echo "######################################################"
echo "# T-Pot Hive tunnel test FAILED! #"
echo "# Tunneled port tcp/64305 unreachable on T-Pot Hive. #"
echo "# Aborting. #"
echo "######################################################"
echo
kill -9 $(pidof ssh)
rm $MY_SENSOR_PUBLICKEYFILE
rm $MY_SENSOR_PRIVATEKEYFILE
rm $MY_LS_ENVCONFIGFILE
exit 1
fi;
else
echo
echo "#################################################################"
echo "# Something went wrong, most likely T-Pot Hive was unreachable! #"
echo "# Aborting. #"
echo "#################################################################"
echo
rm $MY_SENSOR_PUBLICKEYFILE
rm $MY_SENSOR_PRIVATEKEYFILE
rm $MY_LS_ENVCONFIGFILE
exit 1
fi;
}
function fuGET_DEPLOY_DATA () {
echo
echo "### Please provide data from your T-Pot Hive installation."
echo "### This usually is the one running the 'T-Pot Hive' type."
echo "### You will be needing the OS user (typically 'tsec'), the users' password and the IP / FQDN."
echo "### Do not worry, the password will not be persisted!"
echo
read -p "Username: " MY_TPOT_USERNAME
read -s -p "Password: " SSHPASS
echo
export SSHPASS
read -p "IP / FQDN: " MY_HIVE_IP
MY_HIVE_USERNAME="$(hostname)"
MY_TPOT_TYPE="SENSOR"
MY_LS_ENVCONFIGFILE="/data/elk/logstash/ls_environment"
MY_SENSOR_PUBLICKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME.pub"
MY_SENSOR_PRIVATEKEYFILE="/data/elk/logstash/$MY_HIVE_USERNAME"
if ! [ -s "$MY_SENSOR_PRIVATEKEYFILE" ] && ! [ -s "$MY_SENSOR_PUBLICKEYFILE" ];
then
echo
echo "##############################"
echo "# Generating ssh keyfile ... #"
echo "##############################"
echo
mkdir -p /data/elk/logstash
ssh-keygen -f "$MY_SENSOR_PRIVATEKEYFILE" -N "" -C "$MY_HIVE_USERNAME"
MY_SENSOR_PUBLICKEY="$(cat "$MY_SENSOR_PUBLICKEYFILE")"
else
echo
echo "#############################################"
echo "# There is already a ssh keyfile. Aborting. #"
echo "#############################################"
echo
exit 1
fi
echo
echo "###########################################################"
echo "# Writing config to /data/elk/logstash/ls_environment. #"
echo "# If you make changes to this file, you need to reboot or #"
echo "# run /opt/tpot/bin/updateip.sh. #"
echo "###########################################################"
echo
tee $MY_LS_ENVCONFIGFILE << EOF
MY_TPOT_TYPE=$MY_TPOT_TYPE
MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
MY_HIVE_USERNAME=$MY_HIVE_USERNAME
MY_HIVE_IP=$MY_HIVE_IP
EOF
}
# Deploy Pot to Hive
fuGOT_ROOT
echo
echo "#################################"
echo "# Ship T-Pot Logs to T-Pot Hive #"
echo "#################################"
echo
echo "If you already have a T-Pot Hive installation running and"
echo "this T-Pot installation is running the type \"Pot\" the"
echo "script will automagically setup this T-Pot to ship and"
echo "prepare the Hive to receive logs from this T-Pot."
echo
echo
echo "###################################"
echo "# Deploy T-Pot Logs to T-Pot Hive #"
echo "###################################"
echo
echo "[c] - Continue deplyoment"
echo "[q] - Abort and exit"
echo
while [ 1 != 2 ]
do
read -s -n 1 -p "Your choice: " mySELECT
echo $mySELECT
case "$mySELECT" in
[c,C])
fuGET_DEPLOY_DATA
fuCHECK_HIVE
fuDEPLOY_SENSOR
break
;;
[q,Q])
echo "Aborted."
exit 0
;;
esac
done

94
_deprecated/bin/deprecated/export_kibana-objects.sh
View File

@ -1,94 +0,0 @@
#!/bin/bash
# Export all Kibana objects through Kibana Saved Objects API
# Make sure ES is available
myES="http://127.0.0.1:64298/"
myKIBANA="http://127.0.0.1:64296/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
exit
else
echo "### Elasticsearch is available, now continuing."
echo
fi
# Set vars
myDATE=$(date +%Y%m%d%H%M)
myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myCONFIGS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=config&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myCOL1=""
myCOL0=""
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
}
trap fuCLEANUP EXIT
# Export index patterns
mkdir -p patterns
echo $myCOL1"### Now exporting"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes, references}' > patterns/$myINDEXID.json &
echo
# Export dashboards
mkdir -p dashboards
echo $myCOL1"### Now exporting"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
for i in $myDASHBOARDS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes, references}' > dashboards/$i.json &
done;
echo
# Export visualizations
mkdir -p visualizations
echo $myCOL1"### Now exporting"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
for i in $myVISUALIZATIONS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes, references}' > visualizations/$i.json &
done;
echo
# Export searches
mkdir -p searches
echo $myCOL1"### Now exporting"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
for i in $mySEARCHES;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes, references}' > searches/$i.json &
done;
echo
# Export configs
mkdir -p configs
echo $myCOL1"### Now exporting"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
for i in $myCONFIGS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/config/'$i'' | jq '. | {attributes, references}' > configs/$i.json &
done;
echo
# Wait for background exports to finish
wait
# Building tar archive
echo $myCOL1"### Now building archive"$myCOL0 "kibana-objects_"$myDATE".tgz"
tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches configs > /dev/null
# Stats
echo
echo $myCOL1"### Statistics"
echo $myCOL1"###### Exported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
echo

122
_deprecated/bin/deprecated/hptest.sh
View File

@ -1,122 +0,0 @@
#!/bin/bash
myHOST="$1"
myPACKAGES="dcmtk netcat nmap"
myMEDPOTPACKET="
MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
EVN|A01|198808181123
PID|||PATID1234^5^M11^^AN||JONES^WILLIAM^A^III||19610615|M||2106-3|677 DELAWARE AVENUE^^EVERETT^MA^02149|GL|(919)379-1212|(919)271-3434~(919)277-3114||S||PATID12345001^2^M10^^ACSN|123456789|9-87654^NC
NK1|1|JONES^BARBARA^K|SPO|||||20011105
NK1|1|JONES^MICHAEL^A|FTH
PV1|1|I|2000^2012^01||||004777^LEBAUER^SIDNEY^J.|||SUR||-||ADM|A0
AL1|1||^PENICILLIN||CODE16~CODE17~CODE18
AL1|2||^CAT DANDER||CODE257
DG1|001|I9|1550|MAL NEO LIVER, PRIMARY|19880501103005|F
PR1|2234|M11|111^CODE151|COMMON PROCEDURES|198809081123
ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^SMITH^ELLEN|199505011201
GT1|1122|1519|BILL^GATES^A
IN1|001|A357|1234|BCMD|||||132987
IN2|ID1551001|SSN12345678
ROL|45^RECORDER^ROLE MASTER LIST|AD|RO|KATE^ELLEN|199505011201"
function fuGOTROOT {
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
}
function fuCHECKDEPS {
myINST=""
for myDEPS in $myPACKAGES;
do
myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
if [ "$myOK" != "ok" ]
then
myINST=$(echo $myINST $myDEPS)
fi
done
if [ "$myINST" != "" ]
then
apt-get update -y
for myDEPS in $myINST;
do
apt-get install $myDEPS -y
done
fi
}
function fuCHECKFORARGS {
if [ "$myHOST" != "" ];
then
echo "All arguments met. Continuing."
else
echo "Usage: hp_test.sh <[host or ip]>"
exit
fi
}
function fuGETPORTS {
myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo "$i"; done)
echo "Found these ports enabled:"
echo "$myPORTS"
exit
}
function fuSCAN {
local myTIMEOUT="$1"
local mySCANPORT="$2"
local mySCANIP="$3"
local mySCANOPTS="$4"
timeout --foreground ${myTIMEOUT} nmap ${mySCANOPTS} -T4 -v -p ${mySCANPORT} ${mySCANIP} &
}
# Main
fuGOTROOT
fuCHECKDEPS
fuCHECKFORARGS
echo "Starting scans ..."
echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
curl -XGET "http://$myHOST:9200/logstash-*/_search" &
curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
findscu -P -k PatientName="*" $myHOST 11112 &
getscu -P -k PatientName="*" $myHOST 11112 &
telnet $myHOST 3299 &
fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"
fuSCAN "120" "22" "$myHOST" "--script=ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,ssh-publickey-acceptance,sshv1 -sC -sS -sV"
fuSCAN "30" "22" "$myHOST" "--script=ssh-brute"
fuSCAN "120" "23,2323,2324" "$myHOST" "--script=telnet-encryption,telnet-ntlm-info -sC -sS -sV --version-light"
fuSCAN "120" "25" "$myHOST" "--script=smtp* -sC -sS -sV"
fuSCAN "180" "42" "$myHOST" "-sC -sS -sV"
fuSCAN "120" "69" "$myHOST" "--script=tftp-enum -sU"
fuSCAN "120" "80,81,8080,8443" "$myHOST" "-sC -sS -sV"
fuSCAN "120" "110,995" "$myHOST" "--script=pop3-capabilities,pop3-ntlm-info -sC -sS -sV --version-light"
fuSCAN "30" "110,995" "$myHOST" "--script=pop3-brute -sS"
fuSCAN "120" "143,993" "$myHOST" "--script=imap-capabilities,imap-ntlm-info -sC -sS -sV --version-light"
fuSCAN "30" "143,993" "$myHOST" "--script=imap-brute -sS"
fuSCAN "240" "445" "$myHOST" "--script=smb-vuln* -sS -sU"
fuSCAN "120" "502" "$myHOST" "--script=modbus-discover -sS -sU"
fuSCAN "120" "623" "$myHOST" "--script=ipmi-cipher-zero,ipmi-version,supermicro-ipmi -sS -sU"
fuSCAN "30" "623" "$myHOST" "--script=ipmi-brute -sS -sU"
fuSCAN "120" "1433" "$myHOST" "--script=ms-sql* -sS"
fuSCAN "120" "1723" "$myHOST" "--script=pptp-version -sS"
fuSCAN "120" "1883" "$myHOST" "--script=mqtt-subscribe -sS"
fuSCAN "120" "2404" "$myHOST" "--script=iec-identify -sS"
fuSCAN "120" "3306" "$myHOST" "--script=mysql-vuln* -sC -sS -sV"
fuSCAN "120" "3389" "$myHOST" "--script=rdp* -sC -sS -sV"
fuSCAN "120" "5000" "$myHOST" "--script=*upnp* -sS -sU"
fuSCAN "120" "5060,5061" "$myHOST" "--script=sip-call-spoof,sip-enum-users,sip-methods -sS -sU"
fuSCAN "120" "5900" "$myHOST" "--script=vnc-info,vnc-title,realvnc-auth-bypass -sS"
fuSCAN "120" "27017" "$myHOST" "--script=mongo* -sS"
fuSCAN "120" "47808" "$myHOST" "--script=bacnet* -sS"
wait
reset
echo "Done."

126
_deprecated/bin/deprecated/import_kibana-objects.sh
View File

@ -1,126 +0,0 @@
#!/bin/bash
# Import Kibana objects
# Make sure ES is available
myES="http://127.0.0.1:64298/"
myKIBANA="http://127.0.0.1:64296/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
exit
else
echo "### Elasticsearch is available, now continuing."
echo
fi
# Set vars
myDUMP=$1
myCOL1=""
myCOL0=""
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
}
trap fuCLEANUP EXIT
# Check if parameter is given and file exists
if [ "$myDUMP" = "" ];
then
echo $myCOL1"### Please provide a backup file name."$myCOL0
echo $myCOL1"### import_kibana-objects.sh <kibana-objects.tgz>"$myCOL0
echo
exit
fi
if ! [ -a $myDUMP ];
then
echo $myCOL1"### File not found."$myCOL0
exit
fi
# Unpack tar
tar xvfz $myDUMP > /dev/null
# Restore index patterns
myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
curl -s -XPOST ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @patterns/$myINDEXID.json > /dev/null &
echo
# Restore dashboards
myDASHBOARDS=$(ls dashboards/*.json | cut -c 12- | rev | cut -c 6- | rev)
echo $myCOL1"### Now importing "$myCOL0$(echo $myDASHBOARDS | wc -w)$myCOL1 "dashboards." $myCOL0
for i in $myDASHBOARDS;
do
curl -s -XDELETE ''$myKIBANA'api/saved_objects/dashboard/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
done;
wait
for i in $myDASHBOARDS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XPOST ''$myKIBANA'api/saved_objects/dashboard/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @dashboards/$i.json > /dev/null &
done;
wait
echo
# Restore visualizations
myVISUALIZATIONS=$(ls visualizations/*.json | cut -c 16- | rev | cut -c 6- | rev)
echo $myCOL1"### Now importing "$myCOL0$(echo $myVISUALIZATIONS | wc -w)$myCOL1 "visualizations." $myCOL0
for i in $myVISUALIZATIONS;
do
curl -s -XDELETE ''$myKIBANA'api/saved_objects/visualization/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
done;
wait
for i in $myVISUALIZATIONS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XPOST ''$myKIBANA'api/saved_objects/visualization/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @visualizations/$i.json > /dev/null &
done;
wait
echo
# Restore searches
mySEARCHES=$(ls searches/*.json | cut -c 10- | rev | cut -c 6- | rev)
echo $myCOL1"### Now importing "$myCOL0$(echo $mySEARCHES | wc -w)$myCOL1 "searches." $myCOL0
for i in $mySEARCHES;
do
curl -s -XDELETE ''$myKIBANA'api/saved_objects/search/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
done;
wait
for i in $mySEARCHES;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XPOST ''$myKIBANA'api/saved_objects/search/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @searches/$i.json > /dev/null &
done;
echo
wait
# Restore configs
myCONFIGS=$(ls configs/*.json | cut -c 9- | rev | cut -c 6- | rev)
echo $myCOL1"### Now importing "$myCOL0$(echo $myCONFIGS | wc -w)$myCOL1 "configs." $myCOL0
for i in $myCONFIGS;
do
curl -s -XDELETE ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
done;
wait
for i in $myCONFIGS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XPOST ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @configs/$i.json > /dev/null &
done;
echo
wait
# Stats
echo
echo $myCOL1"### Statistics"
echo $myCOL1"###### Imported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
echo

134
_deprecated/bin/hpfeeds_optin.sh
View File

@ -1,134 +0,0 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
myTPOTYMLFILE="/opt/tpot/etc/tpot.yml"
function fuGENERIC () {
echo
echo "You chose generic, please provide all the details of the broker"
echo
myENABLE="true"
read -p "Host URL: " myHOST
read -p "Port: " myPORT
read -p "Channel: " myCHANNEL
echo "For generic providers set this to 'false'"
echo "If you received a CA certficate mount it into the ewsposter container by modifying $myTPOTYMLFILE"
read -p "TLS - 'false' or path to CA in container: " myCERT
read -p "Ident: " myIDENT
read -p "Secret: " mySECRET
read -p "Format ews (xml) or json: " myFORMAT
}
function fuOPTOUT () {
echo
while [ 1 != 2 ]
do
read -s -n 1 -p "You chose to opt out (y/n)? " mySELECT
echo $mySELECT
case "$mySELECT" in
[y,Y])
echo "Opt out."
break
;;
[n,N])
echo "Aborted."
exit
;;
esac
done
myENABLE="false"
myHOST="host"
myPORT="port"
myCHANNEL="channels"
myCERT="false"
myIDENT="user"
mySECRET="secret"
myFORMAT="json"
}
function fuWRITETOFILE () {
if [ -f '/data/ews/conf/hpfeeds.cfg' ]; then
echo "Creating backup of current config in /data/ews/conf/hpfeeds.cfg.old"
mv /data/ews/conf/hpfeeds.cfg /data/ews/conf/hpfeeds.cfg.old
fi
echo "Storing new config in /data/ews/conf/hpfeeds.cfg"
cat >> /data/ews/conf/hpfeeds.cfg <<EOF
myENABLE=$myENABLE
myHOST=$myHOST
myPORT=$myPORT
myCHANNEL=$myCHANNEL
myCERT=$myCERT
myIDENT=$myIDENT
mySECRET=$mySECRET
myFORMAT=$myFORMAT
EOF
}
function fuAPPLY () {
echo "Now stopping T-Pot ..."
systemctl stop tpot
echo "Applying your settings to tpot.yml ... "
sed --follow-symlinks -i "s/EWS_HPFEEDS_ENABLE.*/EWS_HPFEEDS_ENABLE=${myENABLE}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_HOST.*/EWS_HPFEEDS_HOST=${myHOST}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_PORT.*/EWS_HPFEEDS_PORT=${myPORT}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_CHANNELS.*/EWS_HPFEEDS_CHANNELS=${myCHANNEL}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s#EWS_HPFEEDS_TLSCERT.*#EWS_HPFEEDS_TLSCERT=${myCERT}#g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_IDENT.*/EWS_HPFEEDS_IDENT=${myIDENT}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_SECRET.*/EWS_HPFEEDS_SECRET=${mySECRET}/g" "$myTPOTYMLFILE"
sed --follow-symlinks -i "s/EWS_HPFEEDS_FORMAT.*/EWS_HPFEEDS_FORMAT=${myFORMAT}/g" "$myTPOTYMLFILE"
echo "Now starting T-Pot ..."
systemctl start tpot
echo "You can always change or review your settings in /data/ews/conf/hpfeeds.cfg and apply changes by"
echo "running \"./hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg\""
echo "Done."
}
# Check for cmdline argument and parse config file
filename=$(echo $@ | cut -d= -f2)
if [ $# == 1 ] && echo $@ | grep '\-\-conf=' > /dev/null && [ ! -z $filename ] && [ -f $filename ]
then
source $filename
else
# Proceed with interactive setup when no config file is found
echo "HPFEEDS Delivery Opt-In for T-Pot"
echo "---------------------------------"
echo "By running this script you agree to share your data with a 3rd party and agree to their corresponding sharing terms."
echo
echo
echo "Please choose your broker"
echo "---------------------------"
echo "[1] - Generic (enter details manually)"
echo "[0] - Opt out of HPFEEDS"
echo "[q] - Do not agree end exit"
echo
while [ 1 != 2 ]
do
read -s -n 1 -p "Your choice: " mySELECT
echo $mySELECT
case "$mySELECT" in
[1])
fuGENERIC
break
;;
[0])
fuOPTOUT
break
;;
[q,Q])
echo "Aborted."
exit
;;
esac
done
fi
fuWRITETOFILE
fuAPPLY

68
_deprecated/bin/hptest.sh
View File

@ -1,68 +0,0 @@
#!/bin/bash
myHOST="$1"
myPACKAGES="nmap"
myDOCKERCOMPOSEYML="/opt/tpot/etc/tpot.yml"
function fuGOTROOT {
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
}
function fuCHECKDEPS {
myINST=""
for myDEPS in $myPACKAGES;
do
myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
if [ "$myOK" != "ok" ]
then
myINST=$(echo $myINST $myDEPS)
fi
done
if [ "$myINST" != "" ]
then
apt-get update -y
for myDEPS in $myINST;
do
apt-get install $myDEPS -y
done
fi
}
function fuCHECKFORARGS {
if [ "$myHOST" != "" ];
then
echo "All arguments met. Continuing."
echo
else
echo "Usage: hptest.sh <[host or ip]>"
echo
exit
fi
}
function fuGETPORTS {
myDOCKERCOMPOSEUDPPORTS=$(cat $myDOCKERCOMPOSEYML | grep "udp" | tr -d '"\|#\-' | cut -d ":" -f2 | cut -d "/" -f1 | sort -gu)
myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' | grep -v "6429\|6430" | sort -gu)
myUDPPORTS=$(for i in $myDOCKERCOMPOSEUDPPORTS; do echo -n "U:$i,"; done)
myPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo -n "T:$i,"; done)
}
# Main
fuGETPORTS
fuGOTROOT
fuCHECKDEPS
fuCHECKFORARGS
echo
echo "Starting scan on all UDP / TCP ports defined in /opt/tpot/etc/tpot.yml ..."
nmap -sV -sC -v -p $myPORTS $1 &
nmap -sU -sV -sC -v -p $myUDPPORTS $1 &
echo
wait
echo "Done."
echo

27
_deprecated/bin/mytopips.sh
View File

@ -1,27 +0,0 @@
#!/bin/bash
# Make sure ES is available
myES="http://127.0.0.1:64298/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit 1
else
echo "### Elasticsearch is available, now continuing."
echo
fi
function fuMYTOPIPS {
curl -s -XGET $myES"_search" -H 'Content-Type: application/json' -d'
{
"aggs": {
"ips": {
"terms": { "field": "src_ip.keyword", "size": 100 }
}
},
"size" : 0
}'
}
echo "### Aggregating top 100 source IPs in ES"
fuMYTOPIPS | jq '.aggregations.ips.buckets[].key' | tr -d '"'

29
_deprecated/bin/tpdclean.sh
View File

@ -1,29 +0,0 @@
#!/bin/bash
# T-Pot Compose and Container Cleaner
# Set colors
myRED=""
myGREEN=""
myWHITE=""
# Only run with command switch
if [ "$1" != "-y" ]; then
echo $myRED"### WARNING"$myWHITE
echo ""
echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
echo ""
echo $myRED"### WARNING "$myWHITE
echo
exit
fi
# Remove old containers, images and volumes
docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
docker network rm $(docker network ls -q) >> /dev/null 2>&1
docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
docker rm -v $(docker ps -aq) >> /dev/null 2>&1
docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
exit 0

89
_deprecated/bin/updateip.sh
View File

@ -1,89 +0,0 @@
#!/bin/bash
# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
# If the external IP cannot be detected, the internal IP will be inherited.
source /etc/environment
myCHECKIFSENSOR=$(head -n 1 /opt/tpot/etc/tpot.yml | grep "Sensor" | wc -l)
myUUID=$(lsblk -o MOUNTPOINT,UUID | grep -e "^/ " | awk '{ print $2 }')
myLOCALIP=$(hostname -I | awk '{ print $1 }')
myEXTIP=$(/opt/tpot/bin/myip.sh)
if [ "$myEXTIP" = "" ];
then
myEXTIP=$myLOCALIP
myEXTIP_LAT="49.865835022498125"
myEXTIP_LONG="8.62606472775735"
else
myEXTIP_LOC=$(curl -s ipinfo.io/$myEXTIP/loc)
myEXTIP_LAT=$(echo "$myEXTIP_LOC" | cut -f1 -d",")
myEXTIP_LONG=$(echo "$myEXTIP_LOC" | cut -f2 -d",")
fi
# Load Blackhole routes if enabled
myBLACKHOLE_FILE1="/etc/blackhole/mass_scanner.txt"
myBLACKHOLE_FILE2="/etc/blackhole/mass_scanner_cidr.txt"
if [ -f "$myBLACKHOLE_FILE1" ] || [ -f "$myBLACKHOLE_FILE2" ];
then
/opt/tpot/bin/blackhole.sh add
fi
myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
if [ "$myBLACKHOLE_STATUS" -gt "500" ];
then
myBLACKHOLE_STATUS="| BLACKHOLE: [ ENABLED ]"
else
myBLACKHOLE_STATUS="| BLACKHOLE: [ DISABLED ]"
fi
mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
# Export
export myUUID
export myLOCALIP
export myEXTIP
export myEXTIP_LAT
export myEXTIP_LONG
export myBLACKHOLE_STATUS
export mySSHUSER
# Build issue
echo "" > /etc/issue
toilet -f ivrit -F metal --filter border:metal "T-Pot 22.04" | sed 's/\\/\\\\/g' >> /etc/issue
echo >> /etc/issue
echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue
echo "|" >> /etc/issue
echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue
echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue
if [ "$myCHECKIFSENSOR" == "0" ];
then
echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
fi
echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue
echo "$myBLACKHOLE_STATUS" >> /etc/issue
echo "|" >> /etc/issue
echo "\`----" >> /etc/issue
echo >> /etc/issue
tee /data/ews/conf/ews.ip << EOF
[MAIN]
ip = $myEXTIP
EOF
tee /opt/tpot/etc/compose/elk_environment << EOF
HONEY_UUID=$myUUID
MY_EXTIP=$myEXTIP
MY_EXTIP_LAT=$myEXTIP_LAT
MY_EXTIP_LONG=$myEXTIP_LONG
MY_INTIP=$myLOCALIP
MY_HOSTNAME=$HOSTNAME
EOF
if [ -s "/data/elk/logstash/ls_environment" ];
then
source /data/elk/logstash/ls_environment
tee -a /opt/tpot/etc/compose/elk_environment << EOF
MY_TPOT_TYPE=$MY_TPOT_TYPE
MY_SENSOR_PRIVATEKEYFILE=$MY_SENSOR_PRIVATEKEYFILE
MY_HIVE_USERNAME=$MY_HIVE_USERNAME
MY_HIVE_IP=$MY_HIVE_IP
EOF
fi
chown tpot:tpot /data/ews/conf/ews.ip
chmod 770 /data/ews/conf/ews.ip

10
_deprecated/cloud/.gitignore vendored
View File

@ -1,10 +0,0 @@
# Ansible
*.retry
# Terraform
**/.terraform
**/terraform.*
# OpenStack clouds
**/clouds.yaml
**/secure.yaml

30
_deprecated/cloud/ansible/openstack/deploy_tpot.yaml
View File

@ -1,30 +0,0 @@
- name: Check host prerequisites
hosts: localhost
become: yes
roles:
- check
- name: Deploy instances
hosts: localhost
vars_files: my_os_cloud.yaml
tasks:
- name: Create security group and network
ansible.builtin.include_role:
name: create_net
- name: Create one or more instances
ansible.builtin.include_role:
name: create_vm
loop: "{{ range(0, 1) }}"
loop_control:
extended: yes
- name: Install T-Pot
hosts: tpot
remote_user: linux
become: yes
gather_facts: no
roles:
- install
# - custom_ews
# - custom_hpfeeds
- reboot

2
_deprecated/cloud/ansible/openstack/my_os_cloud.yaml
View File

@ -1,2 +0,0 @@
# Enter the name of your cloud to use from clouds.yaml
cloud: open-telekom-cloud

2
_deprecated/cloud/ansible/openstack/requirements.yaml
View File

@ -1,2 +0,0 @@
collections:
- name: openstack.cloud

33
_deprecated/cloud/ansible/openstack/roles/create_net/tasks/main.yaml
View File

@ -1,33 +0,0 @@
- name: Create security group
openstack.cloud.security_group:
cloud: "{{ cloud }}"
name: sg-tpot-ansible
description: Security Group for T-Pot
- name: Add rules to security group
openstack.cloud.security_group_rule:
cloud: "{{ cloud }}"
security_group: sg-tpot-ansible
remote_ip_prefix: 0.0.0.0/0
- name: Create network
openstack.cloud.network:
cloud: "{{ cloud }}"
name: network-tpot-ansible
- name: Create subnet
openstack.cloud.subnet:
cloud: "{{ cloud }}"
network_name: network-tpot-ansible
name: subnet-tpot-ansible
cidr: 192.168.0.0/24
dns_nameservers:
- 100.125.4.25
- 100.125.129.199
- name: Create router
openstack.cloud.router:
cloud: "{{ cloud }}"
name: router-tpot-ansible
interfaces:
- subnet-tpot-ansible

24
_deprecated/cloud/ansible/openstack/roles/create_vm/tasks/main.yaml
View File

@ -1,24 +0,0 @@
- name: Generate T-Pot name
ansible.builtin.set_fact:
tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=6') }}"
- name: Create instance {{ ansible_loop.index }} of {{ ansible_loop.length }}
openstack.cloud.server:
cloud: "{{ cloud }}"
name: "{{ tpot_name }}"
availability_zone: "{{ availability_zone }}"
image: "{{ image }}"
boot_from_volume: yes
volume_size: "{{ volume_size }}"
key_name: "{{ key_name }}"
auto_ip: yes
flavor: "{{ flavor }}"
security_groups: sg-tpot-ansible
network: network-tpot-ansible
register: tpot
- name: Add instance to inventory
ansible.builtin.add_host:
hostname: "{{ tpot_name }}"
ansible_host: "{{ tpot.server.public_v4 }}"
groups: tpot

129
_deprecated/cloud/terraform/README.md
View File

@ -1,129 +0,0 @@
# T-Pot Terraform
This [Terraform](https://www.terraform.io/) configuration can be used to launch a virtual machine, bootstrap any dependencies and install T-Pot in a single step.
Configuration for Amazon Web Services (AWS) and Open Telekom Cloud (OTC) is currently included.
This can easily be extended to support other [Terraform providers](https://registry.terraform.io/browse/providers?category=public-cloud%2Ccloud-automation%2Cinfrastructure).
[Cloud-init](https://cloudinit.readthedocs.io/en/latest/) is used to bootstrap the instance and install T-Pot on startup.
# Table of Contents
- [What get's created](#what-created)
- [Amazon Web Services (AWS)](#what-created-aws)
- [Open Telekom Cloud (OTC)](#what-created-otc)
- [Prerequisites](#pre)
- [Amazon Web Services (AWS)](#pre-aws)
- [Open Telekom Cloud (OTC)](#pre-otc)
- [Terraform Variables](#variables)
- [Common configuration items](#variables-common)
- [Amazon Web Services (AWS)](#variables-aws)
- [Open Telekom Cloud (OTC)](#variables-otc)
- [Initialising](#initialising)
- [Applying the Configuration](#applying)
- [Connecting to the Instance](#connecting)
<a name="what-created"></a>
## What get's created
<a name="what-created-aws"></a>
### Amazon Web Services (AWS)
* EC2 instance:
* t3.large (2 vCPUs, 8 GB RAM)
* 128 GB disk
* Debian 10
* Public IP
* Security Group:
* TCP/UDP ports <= 64000 open to the Internet
* TCP ports 64294, 64295 and 64297 open to a chosen administrative IP
<a name="what-created-otc"></a>
### Open Telekom Cloud (OTC)
* ECS instance:
* s3.medium.8 (1 vCPU, 8 GB RAM)
* 128 GB disk
* Debian 10
* Public EIP
* Security Group
* All TCP/UDP ports are open to the Internet
* Virtual Private Cloud (VPC) and Subnet
<a name="pre"></a>
## Prerequisites
* [Terraform](https://www.terraform.io/) 0.13
<a name="pre-aws"></a>
### Amazon Web Services (AWS)
* AWS Account
* Existing VPC: VPC ID needs to be specified in `aws/variables.tf`
* Existing subnet: Subnet ID needs to be specified in `aws/variables.tf`
* Existing SSH key pair: Key name needs to be specified in `aws/variables.tf`
* AWS Authentication credentials should be [set using environment variables](https://www.terraform.io/docs/providers/aws/index.html#environment-variables)
<a name="pre-otc"></a>
### Open Telekom Cloud (OTC)
* OTC Account
* Existing SSH key pair: Key name needs to be specified in `otc/variables.tf`
* OTC Authentication credentials (Username, Password, Project Name, User Domain Name) can be set in the `otc/clouds.yaml` file
<a name="variables"></a>
## Terraform Variables
<a name="variables-common"></a>
### Common configuration items
These variables exist in `aws/variables.tf` and `otc/variables.tf` respectively.
Settings for cloud-init:
* `timezone` - Set the Server's timezone
* `linux_password`- Set a password for the Linux Operating System user (which is also used on the Admin UI)
Settings for T-Pot:
* `tpot_flavor` - Set the flavor of the T-Pot (Available flavors are listed in the variable's description)
* `web_user` - Set a username for the T-Pot Kibana Dasboard
* `web_password` - Set a password for the T-Pot Kibana Dashboard
<a name="variables-aws"></a>
### Amazon Web Services (AWS)
In `aws/variables.tf`, you can change the additional variables:
* `admin_ip` - source IP address(es) that you will use to administer the system. Connections to TCP ports 64294, 64295 and 64297 will be allowed from this IP only. Multiple IPs or CIDR blocks can be specified in the format: `["127.0.0.1/32", "192.168.0.0/24"]`
* `ec2_vpc_id` - Specify an existing VPC ID
* `ec2_subnet_id` - Specify an existing Subnet ID
* `ec2_region`
* `ec2_ssh_key_name` - Specify an existing SSH key pair
* `ec2_instance_type`
<a name="variables-otc"></a>
### Open Telekom Cloud (OTC)
In `otc/variables.tf`, you can change the additional variables:
* `ecs_flavor`
* `ecs_disk_size`
* `availability_zone`
* `key_pair` - Specify an existing SSH key pair
* `eip_size`
... and some more, but these are the most relevant.
<a name="initialising"></a>
## Initialising
The [`terraform init`](https://www.terraform.io/docs/commands/init.html) command is used to initialize a working directory containing Terraform configuration files.
```
$ cd aws
$ terraform init
```
OR
```
$ cd otc
$ terraform init
```
<a name="applying"></a>
## Applying the Configuration
The [`terraform apply`](https://www.terraform.io/docs/commands/apply.html) command is used to apply the changes required to reach the desired state of the configuration, or the pre-determined set of actions generated by a [`terraform plan`](https://www.terraform.io/docs/commands/plan.html) execution plan.
```
$ terraform apply
```
This will create your infrastructure and start a Cloud Server. On startup, the Server gets bootstrapped with cloud-init and will install T-Pot. Once this is done, the server will reboot.
If you want the remove the built infrastructure, you can run [`terraform destroy`](https://www.terraform.io/docs/commands/destroy.html) to delete it.
<a name="connecting"></a>
## Connecting to the Instance
When the installation is completed, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).

20
_deprecated/cloud/terraform/aws/.terraform.lock.hcl generated
View File

@ -1,20 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "3.26.0"
constraints = "3.26.0"
hashes = [
"h1:0i78FItlPeiomd+4ThZrtm56P5K33k7/6dnEe4ZePI0=",
"zh:26043eed36d070ca032cf04bc980c654a25821a8abc0c85e1e570e3935bbfcbb",
"zh:2fe68f3f78d23830a04d7fac3eda550eef1f627dfc130486f70a65dc5c254300",
"zh:3d66484c608c64678e639db25d63872783ce60363a1246e30317f21c9c23b84b",
"zh:46ffd755cfd4cf94fe66342797b5afdcef010a24e126c67fee141b357d393535",
"zh:5e96f24357e945c9067cf5e032ad1d003609629c956c2f9f642fefe714e74587",
"zh:60c27aca36bb63bf3e865c2193be80ca83b376581d00f9c220af4b013e163c4d",
"zh:896f0f22d19d41e71b22f9240b261714c3915b165ddefeb771e7734d69dc47ea",
"zh:90de9966cb2fd3e2f326df291595e55d2dd2d90e7d6dd085c2c8691dce82bdb4",
"zh:ad05a91a88ceb1d6de5a568f7cc0b0e5bc0a79f3da70bc28c1e7f3750e362d58",
"zh:e8c63f59c6465329e1f3357498face3dd7ef10a033df3c366a33aa9e94b46c01",
]
}

93
_deprecated/cloud/terraform/aws/variables.tf
View File

@ -1,93 +0,0 @@
variable "admin_ip" {
default = ["127.0.0.1/32"]
description = "admin IP addresses in CIDR format"
}
variable "ec2_vpc_id" {
description = "ID of AWS VPC"
default = "vpc-XXX"
}
variable "ec2_subnet_id" {
description = "ID of AWS VPC subnet"
default = "subnet-YYY"
}
variable "ec2_region" {
description = "AWS region to launch servers"
default = "eu-west-1"
}
variable "ec2_ssh_key_name" {
default = "default"
}
# https://aws.amazon.com/ec2/instance-types/
# t3.large = 2 vCPU, 8 GiB RAM
variable "ec2_instance_type" {
default = "t3.large"
}
# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
variable "ec2_ami" {
type = map(string)
default = {
"af-south-1" = "ami-0c372f041acae6d49"
"ap-east-1" = "ami-079b8d011d4655385"
"ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
"ap-northeast-2" = "ami-0269fe7d013b8e2dd"
"ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
"ap-south-1" = "ami-020d429f17c9f1d0a"
"ap-southeast-1" = "ami-09625a221230d9fe6"
"ap-southeast-2" = "ami-03cbc6cddb06af2c2"
"ca-central-1" = "ami-09125623b02302014"
"eu-central-1" = "ami-00c36c60f07e21791"
"eu-north-1" = "ami-052bea934e2d9dbfe"
"eu-south-1" = "ami-04e2bb16d37324719"
"eu-west-1" = "ami-0f87948fe2cf1b2a4"
"eu-west-2" = "ami-02ed1bc837487d535"
"eu-west-3" = "ami-080efd2add7e29430"
"me-south-1" = "ami-0dbde382c834c4a72"
"sa-east-1" = "ami-0a0792814cb068077"
"us-east-1" = "ami-05dd1b6e7ef6f8378"
"us-east-2" = "ami-04dd0542609808c50"
"us-west-1" = "ami-07af5f877b3db9f73"
"us-west-2" = "ami-0d0d8694ba492c02b"
}
}
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
variable "linux_password" {
#default = "LiNuXuSeRPaSs#"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}
variable "web_password" {
#default = "w3b$ecret"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
}
}

9
_deprecated/cloud/terraform/aws/versions.tf
View File

@ -1,9 +0,0 @@
terraform {
required_version = ">= 0.13"
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.26.0"
}
}
}

9
_deprecated/cloud/terraform/aws_multi_region/_provider.tf
View File

@ -1,9 +0,0 @@
provider "aws" {
alias = "eu-west-2"
region = "eu-west-2"
}
provider "aws" {
alias = "us-west-1"
region = "us-west-1"
}

27
_deprecated/cloud/terraform/aws_multi_region/main.tf
View File

@ -1,27 +0,0 @@
module "eu-west-2" {
source = "./modules/multi-region"
ec2_vpc_id = "vpc-xxxxxxxx"
ec2_subnet_id = "subnet-xxxxxxxx"
ec2_region = "eu-west-2"
tpot_name = "T-Pot Honeypot"
linux_password = var.linux_password
web_password = var.web_password
providers = {
aws = aws.eu-west-2
}
}
module "us-west-1" {
source = "./modules/multi-region"
ec2_vpc_id = "vpc-xxxxxxxx"
ec2_subnet_id = "subnet-xxxxxxxx"
ec2_region = "us-west-1"
tpot_name = "T-Pot Honeypot"
linux_password = var.linux_password
web_password = var.web_password
providers = {
aws = aws.us-west-1
}
}

69
_deprecated/cloud/terraform/aws_multi_region/modules/multi-region/main.tf
View File

@ -1,69 +0,0 @@
variable "ec2_vpc_id" {}
variable "ec2_subnet_id" {}
variable "ec2_region" {}
variable "linux_password" {}
variable "web_password" {}
variable "tpot_name" {}
resource "aws_security_group" "tpot" {
name = "T-Pot"
description = "T-Pot Honeypot"
vpc_id = var.ec2_vpc_id
ingress {
from_port = 0
to_port = 64000
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 0
to_port = 64000
protocol = "udp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 64294
to_port = 64294
protocol = "tcp"
cidr_blocks = var.admin_ip
}
ingress {
from_port = 64295
to_port = 64295
protocol = "tcp"
cidr_blocks = var.admin_ip
}
ingress {
from_port = 64297
to_port = 64297
protocol = "tcp"
cidr_blocks = var.admin_ip
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "T-Pot"
}
}
resource "aws_instance" "tpot" {
ami = var.ec2_ami[var.ec2_region]
instance_type = var.ec2_instance_type
key_name = var.ec2_ssh_key_name
subnet_id = var.ec2_subnet_id
tags = {
Name = var.tpot_name
}
root_block_device {
volume_type = "gp2"
volume_size = 128
delete_on_termination = true
}
user_data = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
vpc_security_group_ids = [aws_security_group.tpot.id]
associate_public_ip_address = true
}

12
_deprecated/cloud/terraform/aws_multi_region/modules/multi-region/outputs.tf
View File

@ -1,12 +0,0 @@
output "Admin_UI" {
value = "https://${aws_instance.tpot.public_dns}:64294/"
}
output "SSH_Access" {
value = "ssh -i {private_key_file} -p 64295 admin@${aws_instance.tpot.public_dns}"
}
output "Web_UI" {
value = "https://${aws_instance.tpot.public_dns}:64297/"
}

57
_deprecated/cloud/terraform/aws_multi_region/modules/multi-region/variables.tf
View File

@ -1,57 +0,0 @@
variable "admin_ip" {
default = ["127.0.0.1/32"]
description = "admin IP addresses in CIDR format"
}
variable "ec2_ssh_key_name" {
default = "default"
}
# https://aws.amazon.com/ec2/instance-types/
variable "ec2_instance_type" {
default = "t3.xlarge"
}
# Refer to https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye
variable "ec2_ami" {
type = map(string)
default = {
"af-south-1" = "ami-0c372f041acae6d49"
"ap-east-1" = "ami-079b8d011d4655385"
"ap-northeast-1" = "ami-08dbbf1c0485a4aa8"
"ap-northeast-2" = "ami-0269fe7d013b8e2dd"
"ap-northeast-3" = "ami-0848d1e5fb6e3e3da"
"ap-south-1" = "ami-020d429f17c9f1d0a"
"ap-southeast-1" = "ami-09625a221230d9fe6"
"ap-southeast-2" = "ami-03cbc6cddb06af2c2"
"ca-central-1" = "ami-09125623b02302014"
"eu-central-1" = "ami-00c36c60f07e21791"
"eu-north-1" = "ami-052bea934e2d9dbfe"
"eu-south-1" = "ami-04e2bb16d37324719"
"eu-west-1" = "ami-0f87948fe2cf1b2a4"
"eu-west-2" = "ami-02ed1bc837487d535"
"eu-west-3" = "ami-080efd2add7e29430"
"me-south-1" = "ami-0dbde382c834c4a72"
"sa-east-1" = "ami-0a0792814cb068077"
"us-east-1" = "ami-05dd1b6e7ef6f8378"
"us-east-2" = "ami-04dd0542609808c50"
"us-west-1" = "ami-07af5f877b3db9f73"
"us-west-2" = "ami-0d0d8694ba492c02b"
}
}
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}

9
_deprecated/cloud/terraform/aws_multi_region/modules/multi-region/versions.tf
View File

@ -1,9 +0,0 @@
terraform {
required_version = ">= 0.13"
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.72.0"
}
}
}

7
_deprecated/cloud/terraform/aws_multi_region/outputs.tf
View File

@ -1,7 +0,0 @@
output "eu-west-2_Web_UI" {
value = module.eu-west-2.Web_UI
}
output "us-west-1_Web_UI" {
value = module.us-west-1.Web_UI
}

19
_deprecated/cloud/terraform/aws_multi_region/variables.tf
View File

@ -1,19 +0,0 @@
variable "linux_password" {
#default = "LiNuXuSeRP4Ss!"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
variable "web_password" {
#default = "w3b$ecret20"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
}
}

26
_deprecated/cloud/terraform/cloud-init.yaml
View File

@ -1,26 +0,0 @@
#cloud-config
timezone: ${timezone}
packages:
- git
runcmd:
- curl -sS --retry 5 https://github.com
- git clone https://github.com/telekom-security/tpotce /root/tpot
- /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
- rm /root/tpot.conf
- /sbin/shutdown -r now
password: ${password}
chpasswd:
expire: false
write_files:
- content: |
# tpot configuration file
myCONF_TPOT_FLAVOR='${tpot_flavor}'
myCONF_WEB_USER='${web_user}'
myCONF_WEB_PW='${web_password}'
owner: root:root
path: /root/tpot.conf
permissions: '0600'

38
_deprecated/cloud/terraform/otc/.terraform.lock.hcl generated
View File

@ -1,38 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/random" {
version = "3.1.0"
constraints = "~> 3.1.0"
hashes = [
"h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
"zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
"zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
"zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
"zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
"zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
"zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
"zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
"zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
"zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
"zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
"zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
]
}
provider "registry.terraform.io/opentelekomcloud/opentelekomcloud" {
version = "1.23.6"
constraints = "~> 1.23.4"
hashes = [
"h1:B/1Md957jWaDgFqsJDzmJc75KwL0eC/PCVuZ8HV5xSc=",
"zh:1aa79010869d082157fb44fc83c3bff4e40938ec0ca916f704d974c7f7ca39e4",
"zh:3155b8366828ce50231f69962b55df1e2261ed63c44bb64e2c950dd68769df1b",
"zh:4a909617aa96a6d8aead14f56996ad94e0a1cae9d28e8df1ddae19c2095ed337",
"zh:4f71046719632b4b90f88d29d8ba88915ee6ad66cd9d7ebe84a7459013e5003a",
"zh:67e4d10b2db79ad78ae2ec8d9dfac53c4721028f97f4436a7aa45e80b1beefd3",
"zh:7f12541fc5a3513e5522ff2bd5fee17d1e67bfe64f9ef59d03863fc7389e12ce",
"zh:86fadabfc8307cf6084a412ffc9c797ec94932d08bc663a3fcebf98101e951f6",
"zh:98744b39c2bfe3e8e6f929f750a689971071b257f3f066f669f93c8e0b76d179",
"zh:c363d41debb060804e2c6bd9cb50b4e8daa37362299e3ea74e187265cd85f2ca",
]
}

68
_deprecated/cloud/terraform/otc/main.tf
View File

@ -1,68 +0,0 @@
data "opentelekomcloud_images_image_v2" "debian" {
name = "Standard_Debian_10_latest"
}
resource "opentelekomcloud_networking_secgroup_v2" "secgroup_1" {
name = var.secgroup_name
description = var.secgroup_desc
}
resource "opentelekomcloud_networking_secgroup_rule_v2" "secgroup_rule_1" {
direction = "ingress"
ethertype = "IPv4"
remote_ip_prefix = "0.0.0.0/0"
security_group_id = opentelekomcloud_networking_secgroup_v2.secgroup_1.id
}
resource "opentelekomcloud_vpc_v1" "vpc_1" {
name = var.vpc_name
cidr = var.vpc_cidr
}
resource "opentelekomcloud_vpc_subnet_v1" "subnet_1" {
name = var.subnet_name
cidr = var.subnet_cidr
vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
gateway_ip = var.subnet_gateway_ip
dns_list = ["100.125.4.25", "100.125.129.199"]
}
resource "random_id" "tpot" {
byte_length = 6
prefix = var.ecs_prefix
}
resource "opentelekomcloud_ecs_instance_v1" "ecs_1" {
name = random_id.tpot.b64_url
image_id = data.opentelekomcloud_images_image_v2.debian.id
flavor = var.ecs_flavor
vpc_id = opentelekomcloud_vpc_v1.vpc_1.id
nics {
network_id = opentelekomcloud_vpc_subnet_v1.subnet_1.id
}
system_disk_size = var.ecs_disk_size
system_disk_type = "SAS"
security_groups = [opentelekomcloud_networking_secgroup_v2.secgroup_1.id]
availability_zone = var.availability_zone
key_name = var.key_pair
user_data = templatefile("../cloud-init.yaml", { timezone = var.timezone, password = var.linux_password, tpot_flavor = var.tpot_flavor, web_user = var.web_user, web_password = var.web_password })
}
resource "opentelekomcloud_vpc_eip_v1" "eip_1" {
publicip {
type = "5_bgp"
}
bandwidth {
name = "bandwidth-${random_id.tpot.b64_url}"
size = var.eip_size
share_type = "PER"
}
}
resource "opentelekomcloud_compute_floatingip_associate_v2" "fip_1" {
floating_ip = opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address
instance_id = opentelekomcloud_ecs_instance_v1.ecs_1.id
}

11
_deprecated/cloud/terraform/otc/outputs.tf
View File

@ -1,11 +0,0 @@
output "Admin_UI" {
value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64294"
}
output "SSH_Access" {
value = "ssh -p 64295 linux@${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}"
}
output "Web_UI" {
value = "https://${opentelekomcloud_vpc_eip_v1.eip_1.publicip.0.ip_address}:64297"
}

3
_deprecated/cloud/terraform/otc/provider.tf
View File

@ -1,3 +0,0 @@
provider "opentelekomcloud" {
cloud = "open-telekom-cloud"
}

98
_deprecated/cloud/terraform/otc/variables.tf
View File

@ -1,98 +0,0 @@
## cloud-init configuration ##
variable "timezone" {
default = "UTC"
}
variable "linux_password" {
#default = "LiNuXuSeRPaSs#"
description = "Set a password for the default user"
validation {
condition = length(var.linux_password) > 0
error_message = "Please specify a password for the default user."
}
}
## Security Group ##
variable "secgroup_name" {
default = "sg-tpot"
}
variable "secgroup_desc" {
default = "Security Group for T-Pot"
}
## Virtual Private Cloud ##
variable "vpc_name" {
default = "vpc-tpot"
}
variable "vpc_cidr" {
default = "192.168.0.0/16"
}
## Subnet ##
variable "subnet_name" {
default = "subnet-tpot"
}
variable "subnet_cidr" {
default = "192.168.0.0/24"
}
variable "subnet_gateway_ip" {
default = "192.168.0.1"
}
## Elastic Cloud Server ##
variable "ecs_prefix" {
default = "tpot-"
}
variable "ecs_flavor" {
default = "s3.medium.8"
}
variable "ecs_disk_size" {
default = "128"
}
variable "availability_zone" {
default = "eu-de-03"
}
variable "key_pair" {
#default = ""
description = "Specify your SSH key pair"
validation {
condition = length(var.key_pair) > 0
error_message = "Please specify a Key Pair."
}
}
## Elastic IP ##
variable "eip_size" {
default = "100"
}
## These will go in the generated tpot.conf file ##
variable "tpot_flavor" {
default = "STANDARD"
description = "Specify your tpot flavor [STANDARD, HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]"
}
variable "web_user" {
default = "webuser"
description = "Set a username for the web user"
}
variable "web_password" {
#default = "w3b$ecret"
description = "Set a password for the web user"
validation {
condition = length(var.web_password) > 0
error_message = "Please specify a password for the web user."
}
}

13
_deprecated/cloud/terraform/otc/versions.tf
View File

@ -1,13 +0,0 @@
terraform {
required_version = ">= 0.13"
required_providers {
opentelekomcloud = {
source = "opentelekomcloud/opentelekomcloud"
version = "~> 1.23.4"
}
random = {
source = "hashicorp/random"
version = "~> 3.1.0"
}
}
}

260
_deprecated/etc/compose/collector.yml
View File

@ -1,260 +0,0 @@
# T-Pot (Collector)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
heralding_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
- "21:21"
- "22:22"
- "23:23"
- "25:25"
- "80:80"
- "110:110"
- "143:143"
- "443:443"
- "465:465"
- "993:993"
- "995:995"
- "1080:1080"
- "3306:3306"
- "3389:3389"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:2204"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:2204"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

141
_deprecated/etc/compose/hive.yml
View File

@ -1,141 +0,0 @@
# T-Pot (Hive)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
spiderfoot_local:
services:
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
# mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
# mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms2048m -Xmx2048m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
ports:
- "127.0.0.1:64305:64305"
# mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

548
_deprecated/etc/compose/hive_sensor.yml
View File

@ -1,548 +0,0 @@
# T-Pot (Hive_Sensor)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
adbhoney_local:
ciscoasa_local:
citrixhoneypot_local:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
cowrie_local:
ddospot_local:
dicompot_local:
dionaea_local:
elasticpot_local:
heralding_local:
ipphoney_local:
mailoney_local:
medpot_local:
redishoneypot_local:
tanner_local:
ewsposter_local:
sentrypeer_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Adbhoney service
adbhoney:
container_name: adbhoney
restart: always
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:2204"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log
- /data/adbhoney/downloads:/opt/adbhoney/dl
# Ciscoasa service
ciscoasa:
container_name: ciscoasa
restart: always
tmpfs:
- /tmp/ciscoasa:uid=2000,gid=2000
networks:
- ciscoasa_local
ports:
- "5000:5000/udp"
- "8443:8443"
image: "dtagdevsec/ciscoasa:2204"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa
# CitrixHoneypot service
citrixhoneypot:
container_name: citrixhoneypot
restart: always
networks:
- citrixhoneypot_local
ports:
- "443:443"
image: "dtagdevsec/citrixhoneypot:2204"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
- "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
container_name: cowrie
restart: always
tmpfs:
- /tmp/cowrie:uid=2000,gid=2000
- /tmp/cowrie/data:uid=2000,gid=2000
networks:
- cowrie_local
ports:
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:2204"
read_only: true
volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc
- /data/cowrie/log:/home/cowrie/cowrie/log
- /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
# Ddospot service
ddospot:
container_name: ddospot
restart: always
networks:
- ddospot_local
ports:
- "19:19/udp"
- "53:53/udp"
- "123:123/udp"
# - "161:161/udp"
- "1900:1900/udp"
image: "dtagdevsec/ddospot:2204"
read_only: true
volumes:
- /data/ddospot/log:/opt/ddospot/ddospot/logs
- /data/ddospot/bl:/opt/ddospot/ddospot/bl
- /data/ddospot/db:/opt/ddospot/ddospot/db
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:2204"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Dionaea service
dionaea:
container_name: dionaea
stdin_open: true
tty: true
restart: always
networks:
- dionaea_local
ports:
- "20:20"
- "21:21"
- "42:42"
- "69:69/udp"
- "81:81"
- "135:135"
# - "443:443"
- "445:445"
- "1433:1433"
- "1723:1723"
- "1883:1883"
- "3306:3306"
# - "5060:5060"
# - "5060:5060/udp"
# - "5061:5061"
- "27017:27017"
image: "dtagdevsec/dionaea:2204"
read_only: true
volumes:
- /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
- /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
- /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
- /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
- /data/dionaea:/opt/dionaea/var/dionaea
- /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
- /data/dionaea/log:/opt/dionaea/var/log
- /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
# ElasticPot service
elasticpot:
container_name: elasticpot
restart: always
networks:
- elasticpot_local
ports:
- "9200:9200"
image: "dtagdevsec/elasticpot:2204"
read_only: true
volumes:
- /data/elasticpot/log:/opt/elasticpot/log
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:2204"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:2204"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Ipphoney service
ipphoney:
container_name: ipphoney
restart: always
networks:
- ipphoney_local
ports:
- "631:631"
image: "dtagdevsec/ipphoney:2204"
read_only: true
volumes:
- /data/ipphoney/log:/opt/ipphoney/log
# Mailoney service
mailoney:
container_name: mailoney
restart: always
environment:
- HPFEEDS_SERVER=
- HPFEEDS_IDENT=user
- HPFEEDS_SECRET=pass
- HPFEEDS_PORT=20000
- HPFEEDS_CHANNELPREFIX=prefix
networks:
- mailoney_local
ports:
- "25:25"
image: "dtagdevsec/mailoney:2204"
read_only: true
volumes:
- /data/mailoney/log:/opt/mailoney/logs
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:2204"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
# Redishoneypot service
redishoneypot:
container_name: redishoneypot
restart: always
networks:
- redishoneypot_local
ports:
- "6379:6379"
image: "dtagdevsec/redishoneypot:2204"
read_only: true
volumes:
- /data/redishoneypot/log:/var/log/redishoneypot
# SentryPeer service
sentrypeer:
container_name: sentrypeer
restart: always
# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
# the bad actors in its logs. Therefore this option is opt-in based.
# environment:
# - SENTRYPEER_PEER_TO_PEER=0
networks:
- sentrypeer_local
ports:
# - "4222:4222/udp"
- "5060:5060/udp"
# - "127.0.0.1:8082:8082"
image: "dtagdevsec/sentrypeer:2204"
read_only: true
volumes:
- /data/sentrypeer/log:/var/log/sentrypeer
#### Snare / Tanner
## Tanner Redis Service
tanner_redis:
container_name: tanner_redis
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/redis:2204"
read_only: true
## PHP Sandbox service
tanner_phpox:
container_name: tanner_phpox
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/phpox:2204"
read_only: true
## Tanner API Service
tanner_api:
container_name: tanner_api
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:2204"
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
command: tannerapi
depends_on:
- tanner_redis
## Tanner Service
tanner:
container_name: tanner
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:2204"
command: tanner
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
- /data/tanner/files:/opt/tanner/files
depends_on:
- tanner_api
# - tanner_web
- tanner_phpox
## Snare Service
snare:
container_name: snare
restart: always
tty: true
networks:
- tanner_local
ports:
- "80:80"
image: "dtagdevsec/snare:2204"
depends_on:
- tanner
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip

431
_deprecated/etc/compose/industrial.yml
View File

@ -1,431 +0,0 @@
# T-Pot (Industrial)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
conpot_local_default:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
cowrie_local:
dicompot_local:
heralding_local:
medpot_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Conpot default service
conpot_default:
container_name: conpot_default
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_default.json
- CONPOT_LOG=/var/log/conpot/conpot_default.log
- CONPOT_TEMPLATE=default
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_default
ports:
- "69:69/udp"
- "80:80"
- "102:102"
- "161:161/udp"
- "502:502"
# - "623:623/udp"
- "21:21"
- "44818:44818"
- "47808:47808/udp"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
# - "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
container_name: cowrie
restart: always
tmpfs:
- /tmp/cowrie:uid=2000,gid=2000
- /tmp/cowrie/data:uid=2000,gid=2000
networks:
- cowrie_local
ports:
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:2204"
read_only: true
volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc
- /data/cowrie/log:/home/cowrie/cowrie/log
- /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:2204"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
# - "110:110"
# - "143:143"
# - "443:443"
# - "465:465"
# - "993:993"
# - "995:995"
# - "3306:3306"
# - "3389:3389"
# - "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:2204"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:2204"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:2204"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

250
_deprecated/etc/compose/log4j.yml
View File

@ -1,250 +0,0 @@
# T-Pot (Log4j)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
log4pot_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Log4pot service
log4pot:
container_name: log4pot
restart: always
tmpfs:
- /tmp:uid=2000,gid=2000
networks:
- log4pot_local
ports:
- "80:8080"
- "443:8080"
- "8080:8080"
- "9200:8080"
- "25565:8080"
image: "dtagdevsec/log4pot:2204"
read_only: true
volumes:
- /data/log4pot/log:/var/log/log4pot/log
- /data/log4pot/payloads:/var/log/log4pot/payloads
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:2204"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

244
_deprecated/etc/compose/medical.yml
View File

@ -1,244 +0,0 @@
# T-Pot (Medical)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
dicompot_local:
medpot_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:2204"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:2204"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

271
_deprecated/etc/compose/mini.yml
View File

@ -1,271 +0,0 @@
# T-Pot (Mini)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
honeypots_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# qHoneypots service
honeypots:
container_name: honeypots
stdin_open: true
tty: true
restart: always
tmpfs:
- /tmp:uid=2000,gid=2000
networks:
- honeypots_local
ports:
- "21:21"
- "22:22"
- "23:23"
- "25:25"
- "53:53/udp"
- "80:80"
- "110:110"
- "123:123"
- "143:143"
- "161:161"
- "389:389"
- "443:443"
- "445:445"
- "1080:1080"
- "1433:1433"
- "1521:1521"
- "3306:3306"
- "5060:5060"
- "5432:5432"
- "5900:5900"
- "6379:6379"
- "6667:6667"
- "8080:8080"
- "9200:9200"
- "11211:11211"
image: "dtagdevsec/honeypots:2204"
read_only: true
volumes:
- /data/honeypots/log:/var/log/honeypots
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:2204"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

575
_deprecated/etc/compose/nextgen.yml
View File

@ -1,575 +0,0 @@
# T-Pot (NextGen)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
adbhoney_local:
ciscoasa_local:
citrixhoneypot_local:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
ddospot_local:
dicompot_local:
dionaea_local:
elasticpot_local:
endlessh_local:
hellpot_local:
heralding_local:
ipphoney_local:
mailoney_local:
medpot_local:
redishoneypot_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Adbhoney service
adbhoney:
container_name: adbhoney
restart: always
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:2204"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log
- /data/adbhoney/downloads:/opt/adbhoney/dl
# Ciscoasa service
ciscoasa:
container_name: ciscoasa
restart: always
tmpfs:
- /tmp/ciscoasa:uid=2000,gid=2000
networks:
- ciscoasa_local
ports:
- "5000:5000/udp"
- "8443:8443"
image: "dtagdevsec/ciscoasa:2204"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa
# CitrixHoneypot service
citrixhoneypot:
container_name: citrixhoneypot
restart: always
networks:
- citrixhoneypot_local
ports:
- "443:443"
image: "dtagdevsec/citrixhoneypot:2204"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
- "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Ddospot service
ddospot:
container_name: ddospot
restart: always
networks:
- ddospot_local
ports:
- "19:19/udp"
- "53:53/udp"
- "123:123/udp"
# - "161:161/udp"
- "1900:1900/udp"
image: "dtagdevsec/ddospot:2204"
read_only: true
volumes:
- /data/ddospot/log:/opt/ddospot/ddospot/logs
- /data/ddospot/bl:/opt/ddospot/ddospot/bl
- /data/ddospot/db:/opt/ddospot/ddospot/db
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:2204"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Dionaea service
dionaea:
container_name: dionaea
stdin_open: true
tty: true
restart: always
networks:
- dionaea_local
ports:
- "20:20"
- "21:21"
- "42:42"
- "69:69/udp"
- "81:81"
- "135:135"
# - "443:443"
- "445:445"
- "1433:1433"
- "1723:1723"
- "1883:1883"
- "3306:3306"
# - "5060:5060"
# - "5060:5060/udp"
# - "5061:5061"
- "27017:27017"
image: "dtagdevsec/dionaea:2204"
read_only: true
volumes:
- /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
- /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
- /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
- /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
- /data/dionaea:/opt/dionaea/var/dionaea
- /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
- /data/dionaea/log:/opt/dionaea/var/log
- /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
# ElasticPot service
elasticpot:
container_name: elasticpot
restart: always
networks:
- elasticpot_local
ports:
- "9200:9200"
image: "dtagdevsec/elasticpot:2204"
read_only: true
volumes:
- /data/elasticpot/log:/opt/elasticpot/log
# Endlessh service
endlessh:
container_name: endlessh
restart: always
networks:
- endlessh_local
ports:
- "22:2222"
image: "dtagdevsec/endlessh:2204"
read_only: true
volumes:
- /data/endlessh/log:/var/log/endlessh
# Glutton service
glutton:
container_name: glutton
restart: always
tmpfs:
- /var/lib/glutton:uid=2000,gid=2000
- /run:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/glutton:2204"
read_only: true
volumes:
- /data/glutton/log:/var/log/glutton
# - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:2204"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Ipphoney service
ipphoney:
container_name: ipphoney
restart: always
networks:
- ipphoney_local
ports:
- "631:631"
image: "dtagdevsec/ipphoney:2204"
read_only: true
volumes:
- /data/ipphoney/log:/opt/ipphoney/log
# Mailoney service
mailoney:
container_name: mailoney
restart: always
environment:
- HPFEEDS_SERVER=
- HPFEEDS_IDENT=user
- HPFEEDS_SECRET=pass
- HPFEEDS_PORT=20000
- HPFEEDS_CHANNELPREFIX=prefix
networks:
- mailoney_local
ports:
- "25:25"
image: "dtagdevsec/mailoney:2204"
read_only: true
volumes:
- /data/mailoney/log:/opt/mailoney/logs
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:2204"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
# Redishoneypot service
redishoneypot:
container_name: redishoneypot
restart: always
networks:
- redishoneypot_local
ports:
- "6379:6379"
image: "dtagdevsec/redishoneypot:2204"
read_only: true
volumes:
- /data/redishoneypot/log:/var/log/redishoneypot
# Hellpot service
hellpot:
container_name: hellpot
restart: always
networks:
- hellpot_local
ports:
- "80:8080"
image: "dtagdevsec/hellpot:2204"
read_only: true
volumes:
- /data/hellpot/log:/var/log/hellpot
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

662
_deprecated/etc/compose/standard.yml
View File

@ -1,662 +0,0 @@
# T-Pot (Standard)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
adbhoney_local:
ciscoasa_local:
citrixhoneypot_local:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
cowrie_local:
ddospot_local:
dicompot_local:
dionaea_local:
elasticpot_local:
heralding_local:
ipphoney_local:
mailoney_local:
medpot_local:
redishoneypot_local:
tanner_local:
ewsposter_local:
sentrypeer_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Adbhoney service
adbhoney:
container_name: adbhoney
restart: always
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:2204"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log
- /data/adbhoney/downloads:/opt/adbhoney/dl
# Ciscoasa service
ciscoasa:
container_name: ciscoasa
restart: always
tmpfs:
- /tmp/ciscoasa:uid=2000,gid=2000
networks:
- ciscoasa_local
ports:
- "5000:5000/udp"
- "8443:8443"
image: "dtagdevsec/ciscoasa:2204"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa
# CitrixHoneypot service
citrixhoneypot:
container_name: citrixhoneypot
restart: always
networks:
- citrixhoneypot_local
ports:
- "443:443"
image: "dtagdevsec/citrixhoneypot:2204"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
- "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:2204"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
container_name: cowrie
restart: always
tmpfs:
- /tmp/cowrie:uid=2000,gid=2000
- /tmp/cowrie/data:uid=2000,gid=2000
networks:
- cowrie_local
ports:
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:2204"
read_only: true
volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc
- /data/cowrie/log:/home/cowrie/cowrie/log
- /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
# Ddospot service
ddospot:
container_name: ddospot
restart: always
networks:
- ddospot_local
ports:
- "19:19/udp"
- "53:53/udp"
- "123:123/udp"
# - "161:161/udp"
- "1900:1900/udp"
image: "dtagdevsec/ddospot:2204"
read_only: true
volumes:
- /data/ddospot/log:/opt/ddospot/ddospot/logs
- /data/ddospot/bl:/opt/ddospot/ddospot/bl
- /data/ddospot/db:/opt/ddospot/ddospot/db
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:2204"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Dionaea service
dionaea:
container_name: dionaea
stdin_open: true
tty: true
restart: always
networks:
- dionaea_local
ports:
- "20:20"
- "21:21"
- "42:42"
- "69:69/udp"
- "81:81"
- "135:135"
# - "443:443"
- "445:445"
- "1433:1433"
- "1723:1723"
- "1883:1883"
- "3306:3306"
# - "5060:5060"
# - "5060:5060/udp"
# - "5061:5061"
- "27017:27017"
image: "dtagdevsec/dionaea:2204"
read_only: true
volumes:
- /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
- /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
- /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
- /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
- /data/dionaea:/opt/dionaea/var/dionaea
- /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
- /data/dionaea/log:/opt/dionaea/var/log
- /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
# ElasticPot service
elasticpot:
container_name: elasticpot
restart: always
networks:
- elasticpot_local
ports:
- "9200:9200"
image: "dtagdevsec/elasticpot:2204"
read_only: true
volumes:
- /data/elasticpot/log:/opt/elasticpot/log
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:2204"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:2204"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Ipphoney service
ipphoney:
container_name: ipphoney
restart: always
networks:
- ipphoney_local
ports:
- "631:631"
image: "dtagdevsec/ipphoney:2204"
read_only: true
volumes:
- /data/ipphoney/log:/opt/ipphoney/log
# Mailoney service
mailoney:
container_name: mailoney
restart: always
environment:
- HPFEEDS_SERVER=
- HPFEEDS_IDENT=user
- HPFEEDS_SECRET=pass
- HPFEEDS_PORT=20000
- HPFEEDS_CHANNELPREFIX=prefix
networks:
- mailoney_local
ports:
- "25:25"
image: "dtagdevsec/mailoney:2204"
read_only: true
volumes:
- /data/mailoney/log:/opt/mailoney/logs
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:2204"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
# Redishoneypot service
redishoneypot:
container_name: redishoneypot
restart: always
networks:
- redishoneypot_local
ports:
- "6379:6379"
image: "dtagdevsec/redishoneypot:2204"
read_only: true
volumes:
- /data/redishoneypot/log:/var/log/redishoneypot
# SentryPeer service
sentrypeer:
container_name: sentrypeer
restart: always
# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
# the bad actors in its logs. Therefore this option is opt-in based.
# environment:
# - SENTRYPEER_PEER_TO_PEER=0
networks:
- sentrypeer_local
ports:
# - "4222:4222/udp"
- "5060:5060/udp"
# - "127.0.0.1:8082:8082"
image: "dtagdevsec/sentrypeer:2204"
read_only: true
volumes:
- /data/sentrypeer/log:/var/log/sentrypeer
#### Snare / Tanner
## Tanner Redis Service
tanner_redis:
container_name: tanner_redis
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/redis:2204"
read_only: true
## PHP Sandbox service
tanner_phpox:
container_name: tanner_phpox
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/phpox:2204"
read_only: true
## Tanner API Service
tanner_api:
container_name: tanner_api
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:2204"
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
command: tannerapi
depends_on:
- tanner_redis
## Tanner Service
tanner:
container_name: tanner
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:2204"
command: tanner
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
- /data/tanner/files:/opt/tanner/files
depends_on:
- tanner_api
# - tanner_web
- tanner_phpox
## Snare Service
snare:
container_name: snare
restart: always
tty: true
networks:
- tanner_local
ports:
- "80:80"
image: "dtagdevsec/snare:2204"
depends_on:
- tanner
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

287
_deprecated/etc/compose/tarpit.yml
View File

@ -1,287 +0,0 @@
# T-Pot (Tarpit)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
endlessh_local:
hellpot_local:
heralding_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Endlessh service
endlessh:
container_name: endlessh
restart: always
networks:
- endlessh_local
ports:
- "22:2222"
image: "dtagdevsec/endlessh:2204"
read_only: true
volumes:
- /data/endlessh/log:/var/log/endlessh
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:2204"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:2204"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Hellpot service
hellpot:
container_name: hellpot
restart: always
networks:
- hellpot_local
ports:
- "80:8080"
image: "dtagdevsec/hellpot:2204"
read_only: true
volumes:
- /data/hellpot/log:/var/log/hellpot
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2204"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2204"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2204"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2204"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2204"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:2204"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:2204"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:2204"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:2204"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2204"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
# ports:
# - "64297:64297"
# - "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2204"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2204"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

BIN
_deprecated/etc/objects/elkbase.tgz
View File

Binary file not shown.

BIN
_deprecated/etc/objects/kibana_export.ndjson.zip
View File

Binary file not shown.

3
_deprecated/host/etc/rc.local
View File

@ -1,3 +0,0 @@
#!/bin/bash
/opt/tpot/bin/updateip.sh
exit 0

3
_deprecated/install.sh
View File

@ -1,3 +0,0 @@
#!/bin/bash
cd iso/installer
./install.sh "$@"

77
_deprecated/installer/debian/install.sh
View File

@ -1,77 +0,0 @@
#!/bin/bash
# Needs to run as non-root
myWHOAMI=$(whoami)
if [ "$myWHOAMI" == "root" ]
then
echo "Need to run as user ..."
exit
fi
# Check if running on Debian
if ! grep -q 'ID=debian' /etc/os-release; then
echo "This script is designed to run on Debian. Aborting."
exit 1
fi
if [ -f /var/log/debian-install-lock ]; then
echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
exit 1
fi
# Create installer lock file
sudo touch /var/log/debian-install-lock
# Update SSH config
echo "Updating SSH config..."
sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config'
# Install recommended packages
echo "Installing recommended packages..."
sudo apt-get -y update
sudo apt-get -y install bash-completion git grc neovim net-tools
# Remove old Docker
echo "Removing old docker packages..."
sudo apt-get -y remove docker docker-engine docker.io containerd runc
# Add Docker to repositories, install latest docker
echo "Adding Docker to repositories and installing..."
sudo apt-get -y update
sudo apt-get -y install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get -y update
sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl enable docker
sudo systemctl stop docker
sudo systemctl start docker
# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
echo "Creating T-Pot group and user ..."
addgroup --gid 2000 tpot
adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot
# Add user to Docker, T-Pot group
echo "Adding $(whoami) to Docker group..."
sudo usermod -aG docker $(whoami)
echo "Adding $(whoami) to T-Pot group..."
sudo usermod -aG tpot $(whoami)
# Add aliases
echo "Adding aliases..."
echo "alias dps='grc docker ps -a'" >> ~/.bashrc
echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
# Show running services
sudo grc netstat -tulpen
echo "Please review for possible honeypot port conflicts."
echo "While SSH is taken care of, other services such as"
echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
echo "Done. Please reboot and re-connect via SSH on tcp/64295."

10
_deprecated/installer/debian/sudo-install.sh
View File

@ -1,10 +0,0 @@
#!/bin/bash
if ! command -v sudo &> /dev/null
then
echo "sudo is not installed. Installing now..."
su -c "apt-get -y update && apt-get -y install sudo"
su -c "/usr/sbin/usermod -aG sudo $(whoami)"
else
echo "sudo is already installed."
fi

59
_deprecated/installer/debian/uninstall.sh
View File

@ -1,59 +0,0 @@
#!/bin/bash
# Needs to run as non-root
myWHOAMI=$(whoami)
if [ "$myWHOAMI" == "root" ]
then
echo "Need to run as user ..."
exit
fi
# Check if running on Debian
if ! grep -q 'ID=debian' /etc/os-release; then
echo "This script is designed to run on Debian. Aborting."
exit 1
fi
# Check if installer lock file exists
if [ ! -f /var/log/debian-install-lock ]; then
echo "Error: The installer has not been run on this system. Aborting."
exit 1
fi
# Remove SSH config changes
echo "Removing SSH config changes..."
sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config
# Uninstall Docker
echo "Stopping and removing all containers ..."
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
echo "Uninstalling Docker..."
sudo systemctl stop docker
sudo systemctl disable docker
sudo apt-get -y remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo apt-get -y autoremove
sudo rm -rf /etc/apt/sources.list.d/docker.list
sudo rm -rf /etc/apt/keyrings/docker.gpg
# Remove user from Docker, T-Pot group
echo "Removing $(whoami) from T-Pot group..."
sudo deluser $(whoami) tpot
echo "Removing $(whoami) from Docker group..."
sudo deluser $(whoami) docker
# Remove T-Pot user and group
echo "Removing T-Pot user..."
sudo deluser tpot
echo "Removing T-Pot group..."
sudo delgroup tpot
# Remove aliases
echo "Removing aliases..."
sed -i '/alias dps=/d' ~/.bashrc
sed -i '/alias dpsw=/d' ~/.bashrc
# Remove installer lock file
sudo rm -f /var/log/debian-install-lock
echo "Done. Please reboot and re-connect via SSH on tcp/22"

85
_deprecated/installer/fedora/install.sh
View File

@ -1,85 +0,0 @@
#!/bin/bash
# Needs to run as non-root
myWHOAMI=$(whoami)
if [ "$myWHOAMI" == "root" ]
then
echo "Need to run as user ..."
exit
fi
# Check if running on Fedora
if ! grep -q 'ID=fedora' /etc/os-release; then
echo "This script is designed to run on Fedora. Aborting."
exit 1
fi
if [ -f /var/log/fedora-install-lock ]; then
echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
exit 1
fi
# Create installer lock file
sudo touch /var/log/fedora-install-lock
# Update SSH config
echo "Updating SSH config..."
sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config'
# Update DNS config
echo "Updating DNS config..."
sudo bash -c "sed -i 's/^.*DNSStubListener=.*/DNSStubListener=no/' /etc/systemd/resolved.conf"
sudo systemctl restart systemd-resolved.service
# Update SELinux config
echo "Updating SELinux config..."
sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config
# Update Firewall rules
echo "Updating Firewall rules..."
sudo firewall-cmd --permanent --add-port=64295/tcp
sudo firewall-cmd --permanent --zone=public --set-target=ACCEPT
#sudo firewall-cmd --reload
sudo firewall-cmd --list-all
# Load kernel modules
echo "Loading kernel modules..."
sudo modprobe -v iptable_filter
echo "iptable_filter" | sudo tee /etc/modules-load.d/iptables.conf
# Add Docker to repositories, install latest docker
echo "Adding Docker to repositories and installing..."
sudo dnf -y update
sudo dnf -y install dnf-plugins-core
sudo dnf -y config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
sudo dnf -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl enable docker
sudo systemctl start docker
# Install recommended packages
echo "Installing recommended packages..."
sudo dnf -y install bash-completion git grc net-tools
# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
echo "Creating T-Pot group and user..."
sudo groupadd -g 2000 tpot
sudo useradd -r -u 2000 -g 2000 -M -s /sbin/nologin tpot
# Add user to Docker, T-Pot group
echo "Adding $(whoami) to Docker group..."
sudo usermod -aG docker $(whoami)
echo "Adding $(whoami) to T-Pot group..."
sudo usermod -aG tpot $(whoami)
# Add aliases
echo "Adding aliases..."
echo "alias dps='grc docker ps -a'" >> ~/.bashrc
echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
# Show running services
sudo grc netstat -tulpen
echo "Please review for possible honeypot port conflicts."
echo "While SSH is taken care of, other services such as"
echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
echo "Done. Please reboot and re-connect via SSH on tcp/64295."

78
_deprecated/installer/fedora/uninstall.sh
View File

@ -1,78 +0,0 @@
#!/bin/bash
# Needs to run as non-root
myWHOAMI=$(whoami)
if [ "$myWHOAMI" == "root" ]
then
echo "Need to run as user ..."
exit
fi
# Check if running on Fedora
if ! grep -q 'ID=fedora' /etc/os-release; then
echo "This script is designed to run on Fedora. Aborting."
exit 1
fi
if [ ! -f /var/log/fedora-install-lock ]; then
echo "Error: The installer has not been run on this system. Aborting uninstallation."
exit 1
fi
# Remove SSH config changes
echo "Removing SSH config changes..."
sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config
# Remove DNS config changes
echo "Updating DNS config..."
sudo bash -c "sed -i 's/^.*DNSStubListener=.*/#DNSStubListener=yes/' /etc/systemd/resolved.conf"
sudo systemctl restart systemd-resolved.service
# Restore SELinux config
echo "Restoring SELinux config..."
sudo sed -i s/SELINUX=permissive/SELINUX=enforcing/g /etc/selinux/config
# Remove Firewall rules
echo "Removing Firewall rules..."
sudo firewall-cmd --permanent --remove-port=64295/tcp
sudo firewall-cmd --permanent --zone=public --set-target=default
#sudo firewall-cmd --reload
sudo firewall-cmd --list-all
# Unload kernel modules
echo "Unloading kernel modules..."
sudo modprobe -rv iptable_filter
sudo rm /etc/modules-load.d/iptables.conf
# Uninstall Docker
echo "Stopping and removing all containers ..."
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
echo "Uninstalling Docker..."
sudo systemctl stop docker
sudo systemctl disable docker
sudo dnf -y remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo dnf config-manager --disable docker-ce-stable
sudo rm /etc/yum.repos.d/docker-ce.repo
# Remove user from Docker, T-Pot group
echo "Removing $(whoami) from T-Pot group..."
sudo gpasswd -d $(whoami) tpot
echo "Removing $(whoami) from Docker group..."
sudo gpasswd -d $(whoami) docker
# Remove T-Pot user and group
echo "Removing T-Pot user..."
sudo userdel tpot
echo "Removing T-Pot group..."
sudo groupdel tpot
# Remove aliases
echo "Removing aliases..."
sed -i '/alias dps=/d' ~/.bashrc
sed -i '/alias dpsw=/d' ~/.bashrc
# Remove installer lock file
sudo rm /var/log/fedora-install-lock
echo "Done. Please reboot and re-connect via SSH on tcp/22"

70
_deprecated/installer/suse/install.sh
View File

@ -1,70 +0,0 @@
#!/bin/bash
# Needs to run as non-root
myWHOAMI=$(whoami)
if [ "$myWHOAMI" == "root" ]
then
echo "Need to run as user ..."
exit
fi
# Check if running on OpenSuse Tumbleweed
if ! grep -q 'ID="opensuse-tumbleweed"' /etc/os-release; then
echo "This script is designed to run on OpenSuse Tumbleweed. Aborting."
exit 1
fi
if [ -f /var/log/suse-install-lock ]; then
echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
exit 1
fi
# Create installer lock file
sudo touch /var/log/suse-install-lock
# Update SSH config
echo "Updating SSH config..."
sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config.d/port.conf'
# Update Firewall rules
echo "Updating Firewall rules..."
sudo firewall-cmd --permanent --add-port=64295/tcp
sudo firewall-cmd --permanent --zone=public --set-target=ACCEPT
#sudo firewall-cmd --reload
sudo firewall-cmd --list-all
# Install docker and recommended packages
echo "Installing recommended packages..."
sudo zypper -n update
sudo zypper -n remove cups net-tools postfix yast2-auth-client yast2-auth-server
sudo zypper -n install bash-completion docker docker-compose git grc busybox-net-tools
# Enable and start docker
echo "Enabling and starting docker..."
systemctl enable docker
systemctl start docker
# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
echo "Creating T-Pot group and user ..."
sudo groupadd -g 2000 tpot
sudo useradd -r -u 2000 -g 2000 -s /sbin/nologin tpot
# Add user to Docker, T-Pot group
echo "Adding $(whoami) to Docker group..."
sudo usermod -a -G docker $(whoami)
echo "Adding $(whoami) to T-Pot group..."
sudo usermod -a -G tpot $(whoami)
# Add aliases
echo "Adding aliases..."
echo "alias dps='grc docker ps -a'" >> ~/.bashrc
echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
# Show running services
sudo grc netstat -tulpen
echo "Please review for possible honeypot port conflicts."
echo "While SSH is taken care of, other services such as"
echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
echo "Done. Please reboot and re-connect via SSH on tcp/64295."

63
_deprecated/installer/suse/uninstall.sh
View File

@ -1,63 +0,0 @@
#!/bin/bash
# Needs to run as non-root
myWHOAMI=$(whoami)
if [ "$myWHOAMI" == "root" ]
then
echo "Need to run as user ..."
exit
fi
# Check if running on OpenSuse Tumbleweed
if ! grep -q 'ID="opensuse-tumbleweed"' /etc/os-release; then
echo "This script is designed to run on OpenSuse Tumbleweed. Aborting."
exit 1
fi
if [ ! -f /var/log/suse-install-lock ]; then
echo "Error: The installer has not been run on this system. Aborting uninstallation."
exit 1
fi
# Remove SSH config changes
echo "Removing SSH config changes..."
sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config.d/port.conf
# Remove Firewall rules
echo "Removing Firewall rules..."
sudo firewall-cmd --permanent --remove-port=64295/tcp
sudo firewall-cmd --permanent --zone=public --set-target=default
#sudo firewall-cmd --reload
sudo firewall-cmd --list-all
# Uninstall Docker
echo "Stopping and removing all containers ..."
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
echo "Uninstalling Docker..."
sudo systemctl stop docker
sudo systemctl disable docker
sudo zypper -n remove docker docker-compose
sudo zypper -n install cups postfix
# Remove user from Docker, T-Pot group
echo "Removing $(whoami) from T-Pot group..."
sudo gpasswd -d $(whoami) tpot
echo "Removing $(whoami) from Docker group..."
sudo gpasswd -d $(whoami) docker
# Remove T-Pot user and group
echo "Removing T-Pot user..."
sudo userdel tpot
echo "Removing T-Pot group..."
sudo groupdel tpot
# Remove aliases
echo "Removing aliases..."
sed -i '/alias dps=/d' ~/.bashrc
sed -i '/alias dpsw=/d' ~/.bashrc
# Remove installer lock file
sudo rm /var/log/suse-install-lock
echo "Done. Please reboot and re-connect via SSH on tcp/22"

85
_deprecated/installer/ubuntu/install.sh
View File

@ -1,85 +0,0 @@
#!/bin/bash
# Needs to run as non-root
myWHOAMI=$(whoami)
if [ "$myWHOAMI" == "root" ]
then
echo "Need to run as user ..."
exit
fi
# Check if running on Ubuntu
if ! grep -q 'ID=ubuntu' /etc/os-release; then
echo "This script is designed to run on Ubuntu. Aborting."
exit 1
fi
if [ -f /var/log/ubuntu-install-lock ]; then
echo "Error: The installer has already been run on this system. If you wish to run it again, please run the uninstall.sh first."
exit 1
fi
# Create installer lock file
sudo touch /var/log/ubuntu-install-lock
# Update SSH config
echo "Updating SSH config..."
sudo bash -c 'echo "Port 64295" >> /etc/ssh/sshd_config'
sudo systemctl disable ssh.socket
sudo rm /etc/systemd/system/ssh.service.d/00-socket.conf
sudo systemctl enable ssh.service
# Update DNS config
echo "Updating DNS config..."
sudo bash -c "sed -i 's/^.*DNSStubListener=.*/DNSStubListener=no/' /etc/systemd/resolved.conf"
sudo systemctl restart systemd-resolved.service
# Install recommended packages
echo "Installing recommended packages..."
sudo apt-get -y update
sudo apt-get -y install bash-completion git grc net-tools vim
# Remove old Docker
echo "Removing old docker packages..."
sudo apt-get -y remove docker docker-engine docker.io containerd runc
# Add Docker to repositories, install latest docker
echo "Adding Docker to repositories and installing..."
sudo apt-get -y update
sudo apt-get -y install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
"$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get -y update
sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl enable docker
sudo systemctl stop docker
sudo systemctl start docker
# Add T-Pot user and group to avoid any permission denied on the data folder while keeping permissions 770
echo "Creating T-Pot group and user ..."
addgroup --gid 2000 tpot
adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot
# Add user to Docker, T-Pot group
echo "Adding $(whoami) to Docker group..."
sudo usermod -aG docker $(whoami)
echo "Adding $(whoami) to T-Pot group..."
sudo usermod -aG tpot $(whoami)
# Add aliases
echo "Adding aliases..."
echo "alias dps='grc docker ps -a'" >> ~/.bashrc
echo "alias dpsw='watch -c \"grc --colour=on docker ps -a\"'" >> ~/.bashrc
# Show running services
sudo grc netstat -tulpen
echo "Please review for possible honeypot port conflicts."
echo "While SSH is taken care of, other services such as"
echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
echo "Done. Please reboot and re-connect via SSH on tcp/64295."

66
_deprecated/installer/ubuntu/uninstall.sh
View File

@ -1,66 +0,0 @@
#!/bin/bash
# Needs to run as non-root
myWHOAMI=$(whoami)
if [ "$myWHOAMI" == "root" ]
then
echo "Need to run as user ..."
exit
fi
# Check if running on Ubuntu
if ! grep -q 'ID=ubuntu' /etc/os-release; then
echo "This script is designed to run on Ubuntu. Aborting."
exit 1
fi
# Check if installer lock file exists
if [ ! -f /var/log/ubuntu-install-lock ]; then
echo "Error: The installer has not been run on this system. Aborting."
exit 1
fi
# Remove SSH config changes
echo "Removing SSH config changes..."
sudo sed -i '/Port 64295/d' /etc/ssh/sshd_config
sudo systemctl disable ssh.service
sudo systemctl enable ssh.socket
# Remove DNS config changes
echo "Updating DNS config..."
sudo bash -c "sed -i 's/^.*DNSStubListener=.*/#DNSStubListener=yes/' /etc/systemd/resolved.conf"
sudo systemctl restart systemd-resolved.service
# Uninstall Docker
echo "Stopping and removing all containers ..."
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
echo "Uninstalling Docker..."
sudo systemctl stop docker
sudo systemctl disable docker
sudo apt-get -y remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo apt-get -y autoremove
sudo rm -rf /etc/apt/sources.list.d/docker.list
sudo rm -rf /etc/apt/keyrings/docker.gpg
# Remove user from Docker, T-Pot group
echo "Removing $(whoami) from T-Pot group..."
sudo deluser $(whoami) tpot
echo "Removing $(whoami) from Docker group..."
sudo deluser $(whoami) docker
# Remove T-Pot user and group
echo "Removing T-Pot user..."
sudo deluser tpot
echo "Removing T-Pot group..."
sudo delgroup tpot
# Remove aliases
echo "Removing aliases..."
sed -i '/alias dps=/d' ~/.bashrc
sed -i '/alias dpsw=/d' ~/.bashrc
# Remove installer lock file
sudo rm -f /var/log/ubuntu-install-lock
echo "Done. Please reboot and re-connect via SSH on tcp/22"

107
_deprecated/iso/preseed/tpot_arm64.seed
View File

@ -1,107 +0,0 @@
##############################################
### T-Pot Preseed Configuration File by mo ###
##############################################
####################
### Locale Selection
####################
#d-i debian-installer/country string DE
d-i debian-installer/language string en
d-i debian-installer/locale string en_US.UTF-8
d-i localechooser/preferred-locale string en_US.UTF-8
######################
### Keyboard Selection
######################
d-i console-setup/ask_detect boolean true
#d-i keyboard-configuration/layoutcode string de
d-i console-setup/detected note
#############################
### Unmount Active Partitions
#############################
#d-i preseed/early_command string umount /media || :
#########################
### Network Configuration
#########################
d-i netcfg/choose_interface select auto
d-i netcfg/dhcp_timeout string 60
d-i netcfg/get_hostname string t-pot
d-i netcfg/get_domain string
######################
### User Configuration
######################
d-i passwd/root-login boolean false
d-i passwd/make-user boolean true
d-i passwd/user-fullname string tsec
d-i passwd/username string tsec
d-i passwd/user-password-crypted password $1$jAw1TW8v$a2WFamxQJfpPYZmn4qJT71
d-i user-setup/encrypt-home boolean false
########################################
### Country Mirror & Proxy Configuration
########################################
#d-i mirror/country string manual
#d-i mirror/http/hostname string deb.debian.org
#d-i mirror/http/directory string /debian
#d-i mirror/http/proxy string
###################
# Suite to install
###################
#d-i mirror/suite string unstable
#d-i mirror/suite string testing
#d-i mirror/udeb/suite string testing
######################
### Time Configuration
######################
#d-i time/zone string Europe/Berlin
d-i clock-setup/utc boolean true
d-i time/zone string UTC
d-i clock-setup/ntp boolean true
d-i clock-setup/ntp-server string debian.pool.ntp.org
##################
### Package Groups
##################
tasksel tasksel/first multiselect ssh-server
########################
### Package Installation
########################
d-i pkgsel/include string apache2-utils cracklib-runtime curl dialog figlet git grc libcrack2 libpq-dev lsb-release net-tools software-properties-common toilet
popularity-contest popularity-contest/participate boolean false
#################
### Update Policy
#################
d-i pkgsel/update-policy select unattended-upgrades
###############
### Boot Splash
###############
d-i debian-installer/quiet boolean false
d-i debian-installer/splash boolean false
#########################################
### Post install (Grub & T-Pot Installer)
#########################################
d-i preseed/late_command string \
cp /opt/installer -R /target/root; \
### DEV
in-target git clone --depth=1 https://github.com/telekom-security/tpotce /opt/tpot; \
in-target sed -i 's/allow-hotplug/auto/g' /etc/network/interfaces; \
#in-target apt-get -y remove exim4-base; \
#in-target apt-get -y autoremove; \
cp /target/opt/tpot/iso/installer/rc.local.install /target/etc/rc.local; \
cp /target/opt/tpot/iso/installer -R /target/root/;
##########
### Reboot
##########
d-i nobootloader/confirmation_common note
d-i finish-install/reboot_in_progress note
d-i cdrom-detect/eject boolean true

61
_deprecated/packages.txt
View File

@ -1,61 +0,0 @@
aria2
apache2-utils
apparmor
apt-transport-https
bash-completion
bat
build-essential
ca-certificates
cgroupfs-mount
cockpit conntrack
console-setup
console-setup-linux
cracklib-runtime
curl
debconf-utils
dialog
dnsutils
docker.io
docker-compose
ethtool
fail2ban
figlet
fuse
genisoimage
git
grc
haveged
html2text
htop
iptables
iw
jq
kbd
libcrack2
libltdl7
libpam-google-authenticator
libpq-dev
lsb-release
man
mosh
multitail
net-tools
neovim
npm
openssh-server
openssl
pass
pigz
prips
software-properties-common
sshpass
psmisc
pv
python3-pip
systemd-timesyncd
toilet
unattended-upgrades
unzip
wget
wireless-tools
wpasupplicant

23
_deprecated/bin/backup_es_folders.sh → bin/backup_es_folders.sh
View File

@ -1,21 +1,12 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ];
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
if [ "$1" == "" ] || [ "$1" != "all" ] && [ "$1" != "base" ];
then
echo "Usage: backup_es_folders [all, base]"
echo " all = backup all ES folder"
echo " base = backup only Kibana index".
echo
exit
fi
# Backup all ES relevant folders
# Make sure ES is available
myES="http://127.0.0.1:64298/"
@ -34,7 +25,7 @@ myCOUNT=1
myDATE=$(date +%Y%m%d%H%M)
myELKPATH="/data/elk/data"
myKIBANAINDEXNAME=$(curl -s -XGET ''$myES'_cat/indices/.kibana' | awk '{ print $4 }')
myKIBANAINDEXPATH=$myELKPATH/indices/$myKIBANAINDEXNAME
myKIBANAINDEXPATH=$myELKPATH/nodes/0/indices/$myKIBANAINDEXNAME
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
@ -51,11 +42,5 @@ sleep 2
# Backup DB in 2 flavors
echo "### Now backing up Elasticsearch folders ..."
if [ "$1" == "all" ];
then
tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
elif [ "$1" == "base" ];
then
tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH
fi
tar cvfz "elkall_"$myDATE".tgz" $myELKPATH
tar cvfz "elkbase_"$myDATE".tgz" $myKIBANAINDEXPATH

2
docker/tpotinit/dist/bin/deprecated/change_ews_config.sh → bin/change_ews_config.sh
View File

@ -60,7 +60,7 @@ fi
echo ""
echo "[+] Creating config file with API UserID '$apiUser' and API Token '$apiToken'."
echo "[+] Fetching config file from github. Outgoing https requests must be enabled!"
wget -q https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist
wget -q https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/docker/ews/dist/ews.cfg -O ews.cfg.dist
if [[ -f "ews.cfg.dist" ]]; then
echo "[+] Successfully downloaded ews.cfg from github."
else

96
_deprecated/bin/clean.sh → bin/clean.sh
View File

@ -114,23 +114,6 @@ fuCOWRIE () {
chown tpot:tpot /data/cowrie -R
}
# Let's create a function to clean up and prepare ddospot data
fuDDOSPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
mkdir -p /data/ddospot/bl /data/ddospot/db /data/ddospot/log
chmod 770 /data/ddospot -R
chown tpot:tpot /data/ddospot -R
}
# Let's create a function to clean up and prepare dicompot data
fuDICOMPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
mkdir -p /data/dicompot/log
mkdir -p /data/dicompot/images
chmod 770 /data/dicompot -R
chown tpot:tpot /data/dicompot -R
}
# Let's create a function to clean up and prepare dionaea data
fuDIONAEA () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
@ -157,14 +140,6 @@ fuELK () {
chown tpot:tpot /data/elk -R
}
# Let's create a function to clean up and prepare endlessh data
fuENDLESSH () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
mkdir -p /data/endlessh/log
chmod 770 /data/endlessh -R
chown tpot:tpot /data/endlessh -R
}
# Let's create a function to clean up and prepare fatt data
fuFATT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
@ -181,14 +156,6 @@ fuGLUTTON () {
chown tpot:tpot /data/glutton -R
}
# Let's create a function to clean up and prepare hellpot data
fuHELLPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
mkdir -p /data/hellpot/log
chmod 770 /data/hellpot -R
chown tpot:tpot /data/hellpot -R
}
# Let's create a function to clean up and prepare heralding data
fuHERALDING () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
@ -197,20 +164,12 @@ fuHERALDING () {
chown tpot:tpot /data/heralding -R
}
# Let's create a function to clean up and prepare honeypots data
fuHONEYPOTS () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
mkdir -p /data/honeypots/log
chmod 770 /data/honeypots -R
chown tpot:tpot /data/honeypots -R
}
# Let's create a function to clean up and prepare honeysap data
fuHONEYSAP () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi
mkdir -p /data/honeysap/log
chmod 770 /data/honeysap -R
chown tpot:tpot /data/honeysap -R
# Let's create a function to clean up and prepare honeypy data
fuHONEYPY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
mkdir -p /data/honeypy/log
chmod 770 /data/honeypy -R
chown tpot:tpot /data/honeypy -R
}
# Let's create a function to clean up and prepare honeytrap data
@ -221,22 +180,6 @@ fuHONEYTRAP () {
chown tpot:tpot /data/honeytrap/ -R
}
# Let's create a function to clean up and prepare ipphoney data
fuIPPHONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
mkdir -p /data/ipphoney/log
chmod 770 /data/ipphoney -R
chown tpot:tpot /data/ipphoney -R
}
# Let's create a function to clean up and prepare log4pot data
fuLOG4POT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
mkdir -p /data/log4pot/log
chmod 770 /data/log4pot -R
chown tpot:tpot /data/log4pot -R
}
# Let's create a function to clean up and prepare mailoney data
fuMAILONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
@ -269,22 +212,6 @@ fuRDPY () {
chown tpot:tpot /data/rdpy/ -R
}
# Let's create a function to clean up and prepare redishoneypot data
fuREDISHONEYPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
mkdir -p /data/redishoneypot/log
chmod 770 /data/redishoneypot -R
chown tpot:tpot /data/redishoneypot -R
}
# Let's create a function to clean up and prepare sentrypeer data
fuSENTRYPEER () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
mkdir -p /data/sentrypeer/log
chmod 770 /data/sentrypeer -R
chown tpot:tpot /data/sentrypeer -R
}
# Let's create a function to prepare spiderfoot db
fuSPIDERFOOT () {
mkdir -p /data/spiderfoot
@ -344,27 +271,18 @@ if [ "$myPERSISTENCE" = "on" ];
fuCITRIXHONEYPOT
fuCONPOT
fuCOWRIE
fuDDOSPOT
fuDICOMPOT
fuDIONAEA
fuELASTICPOT
fuELK
fuENDLESSH
fuFATT
fuGLUTTON
fuHERALDING
fuHELLPOT
fuHONEYSAP
fuHONEYPOTS
fuHONEYPY
fuHONEYTRAP
fuIPPHONEY
fuLOG4POT
fuMAILONEY
fuMEDPOT
fuNGINX
fuREDISHONEYPOT
fuRDPY
fuSENTRYPEER
fuSPIDERFOOT
fuSURICATA
fuP0F

45
_deprecated/bin/dps.sh → bin/dps.sh
View File

@ -8,14 +8,8 @@ if [ "$myWHOAMI" != "root" ]
exit
fi
myPARAM="$1"
if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
then
watch --color -n $myPARAM "$0"
exit
fi
# Show current status of T-Pot containers
myPARAM="$1"
myCONTAINERS="$(cat /opt/tpot/etc/tpot.yml | grep -v '#' | grep container_name | cut -d: -f2 | sort | tr -d " ")"
myRED=""
myGREEN=""
@ -23,39 +17,19 @@ myBLUE=""
myWHITE=""
myMAGENTA=""
# Blackhole Status
myBLACKHOLE_STATUS=$(ip r | grep "blackhole" -c)
if [ "$myBLACKHOLE_STATUS" -gt "500" ];
then
myBLACKHOLE_STATUS="${myGREEN}ENABLED"
else
myBLACKHOLE_STATUS="${myRED}DISABLED"
fi
function fuGETTPOT_STATUS {
# T-Pot Status
myTPOT_STATUS=$(systemctl status tpot | grep "Active" | awk '{ print $2 }')
if [ "$myTPOT_STATUS" == "active" ];
then
echo "${myGREEN}ACTIVE"
else
echo "${myRED}INACTIVE"
fi
}
function fuGETSTATUS {
grc --colour=on docker ps -f status=running -f status=exited --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep -v "NAME" | sort
}
function fuGETSYS {
printf "[ ========| System |======== ]\n"
printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "DATE: " "$(date)"
printf "${myBLUE}%+11s ${myWHITE}%-20s\n" "UPTIME: " "$(grc --colour=on uptime)"
printf "${myMAGENTA}%+11s %-20s\n" "T-POT: " "$(fuGETTPOT_STATUS)"
printf "${myMAGENTA}%+11s %-20s\n" "BLACKHOLE: " "$myBLACKHOLE_STATUS${myWHITE}"
printf "========| System |========\n"
printf "%+10s %-20s\n" "Date: " "$(date)"
printf "%+10s %-20s\n" "Uptime: " "$(uptime | cut -b 2-)"
echo
}
while true
do
myDPS=$(fuGETSTATUS)
myDPSNAMES=$(echo "$myDPS" | awk '{ print $1 }' | sort)
fuGETSYS
@ -71,3 +45,10 @@ echo
printf "%-28s %-28s\n" "$myRED$i" "DOWN$myWHITE"
fi
done
if [[ $myPARAM =~ ^([1-9]|[1-9][0-9]|[1-9][0-9][0-9])$ ]];
then
sleep "$myPARAM"
else
break
fi
done

0
_deprecated/bin/dump_es.sh → bin/dump_es.sh
View File

34
docker/tpotinit/dist/bin/export_kibana-objects.sh → bin/export_kibana-objects.sh
View File

@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit
else
echo "### Elasticsearch is available, now continuing."
@ -15,25 +15,24 @@ fi
# Set vars
myDATE=$(date +%Y%m%d%H%M)
myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
myINDEXCOUNT=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].attributes' | tr '\\' '\n' | grep "scripted" | wc -w)
myINDEXID=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=index-pattern' | jq '.saved_objects[].id' | tr -d '"')
myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myCONFIGS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=config&per_page=500' | jq '.saved_objects[].id' | tr -d '"')
myDASHBOARDS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=dashboard&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
myVISUALIZATIONS=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=visualization&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
mySEARCHES=$(curl -s -XGET ''$myKIBANA'api/saved_objects/_find?type=search&per_page=300' | jq '.saved_objects[].id' | tr -d '"')
myCOL1=""
myCOL0=""
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
rm -rf patterns/ dashboards/ visualizations/ searches/
}
trap fuCLEANUP EXIT
# Export index patterns
mkdir -p patterns
echo $myCOL1"### Now exporting"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes, references}' > patterns/$myINDEXID.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' | jq '. | {attributes}' > patterns/$myINDEXID.json &
echo
# Export dashboards
@ -42,7 +41,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"das
for i in $myDASHBOARDS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes, references}' > dashboards/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/dashboard/'$i'' | jq '. | {attributes}' > dashboards/$i.json &
done;
echo
@ -52,7 +51,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1
for i in $myVISUALIZATIONS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes, references}' > visualizations/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/visualization/'$i'' | jq '. | {attributes}' > visualizations/$i.json &
done;
echo
@ -62,17 +61,7 @@ echo $myCOL1"### Now exporting"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searc
for i in $mySEARCHES;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes, references}' > searches/$i.json &
done;
echo
# Export configs
mkdir -p configs
echo $myCOL1"### Now exporting"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
for i in $myCONFIGS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XGET ''$myKIBANA'api/saved_objects/config/'$i'' | jq '. | {attributes, references}' > configs/$i.json &
curl -s -XGET ''$myKIBANA'api/saved_objects/search/'$i'' | jq '. | {attributes}' > searches/$i.json &
done;
echo
@ -81,7 +70,7 @@ wait
# Building tar archive
echo $myCOL1"### Now building archive"$myCOL0 "kibana-objects_"$myDATE".tgz"
tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches configs > /dev/null
tar cvfz kibana-objects_$myDATE.tgz patterns dashboards visualizations searches > /dev/null
# Stats
echo
@ -90,5 +79,4 @@ echo $myCOL1"###### Exported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
echo $myCOL1"###### Exported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
echo $myCOL1"###### Exported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
echo

21
docker/tpotinit/dist/bin/deprecated/hpfeeds_optin.sh → bin/hpfeeds_optin.sh
View File

@ -10,6 +10,20 @@ fi
myTPOTYMLFILE="/opt/tpot/etc/tpot.yml"
function fuSISSDEN () {
echo
echo "You chose SISSDEN, you just need to provide ident and secret"
echo
myENABLE="true"
myHOST="hpfeeds.sissden.eu"
myPORT="10000"
myCHANNEL="t-pot.events"
myCERT="/opt/ewsposter/sissden.pem"
read -p "Ident: " myIDENT
read -p "Secret: " mySECRET
myFORMAT="json"
}
function fuGENERIC () {
echo
echo "You chose generic, please provide all the details of the broker"
@ -105,7 +119,8 @@ echo
echo
echo "Please choose your broker"
echo "---------------------------"
echo "[1] - Generic (enter details manually)"
echo "[1] - SISSDEN"
echo "[2] - Generic (enter details manually)"
echo "[0] - Opt out of HPFEEDS"
echo "[q] - Do not agree end exit"
echo
@ -115,6 +130,10 @@ while [ 1 != 2 ]
echo $mySELECT
case "$mySELECT" in
[1])
fuSISSDEN
break
;;
[2])
fuGENERIC
break
;;

6
docker/tpotinit/dist/bin/deprecated/hptest.sh → bin/hptest.sh
View File

@ -1,7 +1,7 @@
#!/bin/bash
myHOST="$1"
myPACKAGES="dcmtk netcat nmap"
myPACKAGES="netcat nmap"
myMEDPOTPACKET="
MSH|^~\&|ADT1|MCM|LABADT|MCM|198808181126|SECURITY|ADT^A01|MSG00001-|P|2.6
EVN|A01|198808181123
@ -83,11 +83,7 @@ fuCHECKFORARGS
echo "Starting scans ..."
echo "$myMEDPOTPACKET" | nc "$myHOST" 2575 &
curl -XGET "http://$myHOST:9200/logstash-*/_search" &
curl -XPOST -H "Content-Type: application/json" -d '{"name":"test","email":"test@test.com"}' "http://$myHOST:9200/test" &
echo "I20100" | timeout --foreground 3 nc "$myHOST" 10001 &
findscu -P -k PatientName="*" $myHOST 11112 &
getscu -P -k PatientName="*" $myHOST 11112 &
telnet $myHOST 3299 &
fuSCAN "180" "7,8,102,135,161,1025,1080,5000,9200" "$myHOST" "-sC -sS -sU -sV"
fuSCAN "180" "2048,4096,5432" "$myHOST" "-sC -sS -sU -sV --version-light"
fuSCAN "120" "20,21" "$myHOST" "--script=ftp* -sC -sS -sV"

23
docker/tpotinit/dist/bin/import_kibana-objects.sh → bin/import_kibana-objects.sh
View File

@ -6,7 +6,7 @@ myKIBANA="http://127.0.0.1:64296/"
myESSTATUS=$(curl -s -XGET ''$myES'_cluster/health' | jq '.' | grep -c green)
if ! [ "$myESSTATUS" = "1" ]
then
echo "### Elasticsearch is not available, try starting via 'systemctl start tpot'."
echo "### Elasticsearch is not available, try starting via 'systemctl start elk'."
exit
else
echo "### Elasticsearch is available, now continuing."
@ -20,7 +20,7 @@ myCOL0=""
# Let's ensure normal operation on exit or if interrupted ...
function fuCLEANUP {
rm -rf patterns/ dashboards/ visualizations/ searches/ configs/
rm -rf patterns/ dashboards/ visualizations/ searches/
}
trap fuCLEANUP EXIT
@ -43,7 +43,7 @@ tar xvfz $myDUMP > /dev/null
# Restore index patterns
myINDEXID=$(ls patterns/*.json | cut -c 10- | rev | cut -c 6- | rev)
myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep -E "scripted|url" | wc -w)
myINDEXCOUNT=$(cat patterns/$myINDEXID.json | tr '\\' '\n' | grep "scripted" | wc -w)
echo $myCOL1"### Now importing"$myCOL0 $myINDEXCOUNT $myCOL1"index pattern fields." $myCOL0
curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/logstash-*' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
curl -s -XDELETE ''$myKIBANA'api/saved_objects/index-pattern/'$myINDEXID'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null
@ -98,22 +98,6 @@ for i in $mySEARCHES;
echo
wait
# Restore configs
myCONFIGS=$(ls configs/*.json | cut -c 9- | rev | cut -c 6- | rev)
echo $myCOL1"### Now importing "$myCOL0$(echo $myCONFIGS | wc -w)$myCOL1 "configs." $myCOL0
for i in $myCONFIGS;
do
curl -s -XDELETE ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" > /dev/null &
done;
wait
for i in $myCONFIGS;
do
echo $myCOL1"###### "$i $myCOL0
curl -s -XPOST ''$myKIBANA'api/saved_objects/configs/'$i'' -H "Content-Type: application/json" -H "kbn-xsrf: true" -d @configs/$i.json > /dev/null &
done;
echo
wait
# Stats
echo
echo $myCOL1"### Statistics"
@ -121,6 +105,5 @@ echo $myCOL1"###### Imported"$myCOL0 $myINDEXCOUNT $myCOL1"index patterns." $myC
echo $myCOL1"###### Imported"$myCOL0 $(echo $myDASHBOARDS | wc -w) $myCOL1"dashboards." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myVISUALIZATIONS | wc -w) $myCOL1"visualizations." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $mySEARCHES | wc -w) $myCOL1"searches." $myCOL0
echo $myCOL1"###### Imported"$myCOL0 $(echo $myCONFIGS | wc -w) $myCOL1"configs." $myCOL0
echo

0
_deprecated/bin/myip.sh → bin/myip.sh
View File

0
_deprecated/bin/restore_es.sh → bin/restore_es.sh
View File

2
_deprecated/bin/rules.sh → bin/rules.sh
View File

@ -1,7 +1,7 @@
#!/bin/bash
### Vars, Ports for Standard services
myHOSTPORTS="7634 64294 64295 64297 64304"
myHOSTPORTS="7634 64294 64295"
myDOCKERCOMPOSEYML="$1"
myRULESFUNCTION="$2"

2
_deprecated/bin/tped.sh → bin/tped.sh
View File

@ -29,7 +29,7 @@ for i in $myYMLS;
do
myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) "
done
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
if [ "$myEDITION" == "" ];
then
echo "Have a nice day!"

0
_deprecated/bin/unlock_es.sh → bin/unlock_es.sh
View File

34
bin/updateip.sh Executable file
View File

@ -0,0 +1,34 @@
#!/bin/bash
# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
# If the external IP cannot be detected, the internal IP will be inherited.
source /etc/environment
myLOCALIP=$(hostname -I | awk '{ print $1 }')
myEXTIP=$(/opt/tpot/bin/myip.sh)
if [ "$myEXTIP" = "" ];
then
myEXTIP=$myLOCALIP
fi
mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
echo "" > /etc/issue
toilet -f ivrit -F metal --filter border:metal "T-Pot 19.03" | sed 's/\\/\\\\/g' >> /etc/issue
echo >> /etc/issue
echo ",---- [ \n ] [ \d ] [ \t ]" >> /etc/issue
echo "|" >> /etc/issue
echo "| IP: $myLOCALIP ($myEXTIP)" >> /etc/issue
echo "| SSH: ssh -l tsec -p 64295 $myLOCALIP" >> /etc/issue
echo "| WEB: https://$myLOCALIP:64297" >> /etc/issue
echo "| ADMIN: https://$myLOCALIP:64294" >> /etc/issue
echo "|" >> /etc/issue
echo "\`----" >> /etc/issue
echo >> /etc/issue
tee /data/ews/conf/ews.ip << EOF
[MAIN]
ip = $myEXTIP
EOF
tee /opt/tpot/etc/compose/elk_environment << EOF
MY_EXTIP=$myEXTIP
MY_INTIP=$myLOCALIP
MY_HOSTNAME=$HOSTNAME
EOF
chown tpot:tpot /data/ews/conf/ews.ip
chmod 770 /data/ews/conf/ews.ip

2
cloud/ansible/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
# Ansible
*.retry

98
_deprecated/cloud/ansible/README.md → cloud/ansible/README.md
View File

@ -2,16 +2,15 @@
Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).
It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.
Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/scenario_guides/cloud_guides.html). Check out [Ansible Galaxy](https://galaxy.ansible.com/search?keywords=&order_by=-relevance&page=1&deprecated=false&type=collection&tags=cloud) for more cloud collections.
Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html) (e.g. AWS, Azure, Digital Ocean, Google).
The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.
The Playbook first creates all resources (security group, network, subnet, router), deploys a new server and then installs and configures T-Pot.
This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
# Table of contents
- [Preparation of Ansible Master](#ansible-master)
- [Ansible Installation](#ansible)
- [OpenStack Collection Installation](#collection)
- [Agent Forwarding](#agent-forwarding)
- [Preparations in Open Telekom Cloud Console](#preparation)
- [Create new project](#project)
@ -19,9 +18,8 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of
- [Import Key Pair](#key-pair)
- [Clone Git Repository](#clone-git)
- [Settings and recommended values](#settings)
- [clouds.yaml](#clouds-yaml)
- [OpenStack authentication variables](#os-auth)
- [Ansible remote user](#remote-user)
- [Number of instances to deploy](#number)
- [Instance settings](#instance-settings)
- [User password](#user-password)
- [Configure `tpot.conf.dist`](#tpot-conf)
@ -38,8 +36,6 @@ Ansible works over the SSH Port, so you don't have to add any special rules to y
<a name="ansible"></a>
## Ansible Installation
:warning: Ansible 2.10 or newer is required!
Example for Ubuntu 18.04:
At first we update the system:
@ -52,17 +48,6 @@ Then we need to add the repository and install Ansible:
For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html).
If your OS does not offer a recent version of Ansible (>= 2.10) you should consider [installing Ansible with pip](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible-with-pip).
In short (if you already have Python3/pip3 installed):
```
pip3 install ansible
```
<a name="collection"></a>
## OpenStack Collection Installation
For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:
`ansible-galaxy collection install openstack.cloud`
<a name="agent-forwarding"></a>
## Agent Forwarding
If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled in order to let Ansible connect to newly created machines.
@ -111,66 +96,52 @@ Import your SSH public key.
<a name="clone-git"></a>
# Clone Git Repository
Clone the `tpotce` repository to your Ansible Master:
`git clone https://github.com/telekom-security/tpotce.git`
All Ansible related files are located in the [`cloud/ansible/openstack`](openstack) folder.
`git clone https://github.com/dtag-dev-sec/tpotce.git`
All Ansible related files are located in the [`cloud/ansible/openstack`](../../cloud/ansible/openstack) folder.
<a name="settings"></a>
# Settings and recommended values
You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:
You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook.
The settings are located in the following Ansible vars files:
<a name="clouds-yaml"></a>
## clouds.yaml
Located at [`openstack/clouds.yaml`](openstack/clouds.yaml).
<a name="os-auth"></a>
## OpenStack authentication variables
Located at [`openstack/roles/deploy/vars/os_auth.yaml`](openstack/roles/deploy/vars/os_auth.yaml).
Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name):
```
clouds:
open-telekom-cloud:
profile: otc
auth:
project_name: eu-de_your_project
username: your_api_user
password: your_password
user_domain_name: OTC-EU-DE-000000000010000XXXXX
```
You can also perform different authentication methods like sourcing OpenStack OS_* environment variables or providing an inline dictionary.
For more information have a look in the [openstack.cloud.server](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html) Ansible module documentation.
If you already have your own `clouds.yaml` file or have multiple clouds in there, you can specify which one to use in the `openstack/my_os_cloud.yaml` file:
```
# Enter the name of your cloud to use from clouds.yaml
cloud: open-telekom-cloud
auth_url: https://iam.eu-de.otc.t-systems.com/v3
username: your_api_user
password: your_password
project_name: eu-de_your_project
os_user_domain_name: OTC-EU-DE-000000000010000XXXXX
```
You can also perform different authentication methods like sourcing your `.ostackrc` file or using the OpenStack `clouds.yaml` file.
For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation.
<a name="remote-user"></a>
## Ansible remote user
You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`).
<a name="number"></a>
## Number of instances to deploy
You can adjust the number of VMs/T-Pots that you want to create in [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml):
```
loop: "{{ range(0, 1) }}"
```
One instance is set as the default, increase to your liking.
<a name="instance-settings"></a>
## Instance settings
Located at [`openstack/roles/create_vm/vars/main.yaml`](openstack/roles/create_vm/vars/main.yaml).
Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml).
Here you can customize your virtual machine specifications:
- Specify the region name
- Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
- Change the OS image (For T-Pot we need Debian)
- (Optional) Change the volume size
- Specify your key pair (:warning: Mandatory)
- (Optional) Change the instance type (flavor)
`s3.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.
A full list of Open Telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0177512565.html).
`s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.
A full list of Open telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html).
```
region_name: eu-de
availability_zone: eu-de-03
image: Standard_Debian_10_latest
volume_size: 128
key_name: your-KeyPair
flavor: s3.medium.8
flavor: s2.medium.8
```
<a name="user-password"></a>
@ -183,12 +154,20 @@ user_password: LiNuXuSeRPaSs#
<a name="tpot-conf"></a>
## Configure `tpot.conf.dist`
The file is located in [`iso/installer/tpot.conf.dist`](/iso/installer/tpot.conf.dist).
The file is located in [`iso/installer/tpot.conf.dist`](../../iso/installer/tpot.conf.dist).
Here you can choose:
- between the various T-Pot editions
- a username for the web interface
- a password for the web interface (**you should definitely change that**)
```
# tpot configuration file
# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN]
myCONF_TPOT_FLAVOR='STANDARD'
myCONF_WEB_USER='webuser'
myCONF_WEB_PW='w3b$ecret'
```
<a name="ews-cfg"></a>
## Optional: Custom `ews.cfg`
Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook.
@ -221,7 +200,7 @@ Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_
# - custom_hpfeeds
```
You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/files/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/files/hpfeeds.cfg).
You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg).
That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:
```
myENABLE=true
@ -237,7 +216,6 @@ myFORMAT=json
<a name="deploy"></a>
# Deploying a T-Pot :honey_pot::honeybee:
Now, after configuring everything, we can finally start deploying T-Pots!
Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:
`ansible-playbook deploy_tpot.yaml`
(Yes, it is as easy as that :smile:)
@ -245,13 +223,13 @@ Go to the [`openstack`](openstack) folder and run the Ansible Playbook with:
If you are running on a machine which asks for a sudo password, you can use:
`ansible-playbook --ask-become-pass deploy_tpot.yaml`
The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.
After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.
Once this is done, you can proceed with connecting/logging in to the T-Pot according to the [documentation](https://github.com/telekom-security/tpotce#ssh-and-web-access).
The Playbook will first install required packages on the Ansible Master and then deploy a new server instance.
After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots.
<a name="documentation"></a>
# Further documentation
- [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
- [openstack.cloud.server Create/Delete Compute Instances from OpenStack](https://docs.ansible.com/ansible/latest/collections/openstack/cloud/server_module.html)
- [Cloud modules — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html)
- [os_server Create/Delete Compute Instances from OpenStack — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/os_server_module.html)
- [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)
- [Open Telekom Cloud API Overview](https://docs.otc.t-systems.com/en-us/api/wp/en-us_topic_0052070394.html)

0
_deprecated/cloud/ansible/doc/otc_1_project.gif → cloud/ansible/doc/otc_1_project.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 204 KiB

After

Width:  |  Height:  |  Size: 204 KiB

0
_deprecated/cloud/ansible/doc/otc_2_user.gif → cloud/ansible/doc/otc_2_user.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 883 KiB

After

Width:  |  Height:  |  Size: 883 KiB

0
_deprecated/cloud/ansible/doc/otc_3_login.gif → cloud/ansible/doc/otc_3_login.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 148 KiB

After

Width:  |  Height:  |  Size: 148 KiB

0
_deprecated/cloud/ansible/doc/otc_4_import_key.gif → cloud/ansible/doc/otc_4_import_key.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 193 KiB

After

Width:  |  Height:  |  Size: 193 KiB

0
_deprecated/cloud/ansible/doc/putty_agent_forwarding.png → cloud/ansible/doc/putty_agent_forwarding.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 23 KiB

0
_deprecated/cloud/ansible/openstack/ansible.cfg → cloud/ansible/openstack/ansible.cfg
View File

21
cloud/ansible/openstack/deploy_tpot.yaml Normal file
View File

@ -0,0 +1,21 @@
- name: Check host prerequisites
hosts: localhost
become: yes
roles:
- check
- name: Deploy instance
hosts: localhost
roles:
- deploy
- name: Install T-Pot on new instance
hosts: TPOT
remote_user: linux
become: yes
gather_facts: no
roles:
- install
# - custom_ews
# - custom_hpfeeds
- reboot

16
_deprecated/cloud/ansible/openstack/roles/check/tasks/main.yaml → cloud/ansible/openstack/roles/check/tasks/main.yaml
View File

@ -1,19 +1,17 @@
- name: Install dependencies
ansible.builtin.package:
package:
name:
- gcc
- python3-dev
- python3-setuptools
- python3-pip
- pwgen
- python-setuptools
- python-pip
state: present
- name: Install openstacksdk
ansible.builtin.pip:
pip:
name: openstacksdk
executable: pip3
- name: Check if agent forwarding is enabled
ansible.builtin.fail:
fail:
msg: Please enable agent forwarding to allow Ansible to connect to the remote host!
ignore_errors: yes
failed_when: lookup('env','SSH_AUTH_SOCK') == ""
when: lookup('env','SSH_AUTH_SOCK') == ""

6
_deprecated/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml → cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml
View File

@ -1,13 +1,13 @@
- name: Copy ews configuration file
ansible.builtin.template:
src: ews.cfg
template:
src: ../templates/ews.cfg
dest: /data/ews/conf
owner: root
group: root
mode: 0644
- name: Patching tpot.yml with custom ews configuration file
ansible.builtin.lineinfile:
lineinfile:
path: /opt/tpot/etc/tpot.yml
insertafter: "/opt/ewsposter/ews.ip"
line: " - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg"

0
_deprecated/cloud/ansible/openstack/roles/custom_ews/templates/ews.cfg → cloud/ansible/openstack/roles/custom_ews/templates/ews.cfg
View File

0
_deprecated/cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg → cloud/ansible/openstack/roles/custom_hpfeeds/files/hpfeeds.cfg
View File

Some files were not shown because too many files have changed in this diff Show More