#!/bin/bash
# T-Pot Universal Installer
##################################
# Extract command line arguments #
##################################
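# Check for LSB command
# lsb_release is needed below to detect the Debian release; install it only
# when it is missing. (The old test looked at a never-assigned variable,
# $myLSBCHECK, so apt-get update/install ran on every invocation.)
myLSBCMD=$(command -v lsb_release)
if [ "$myLSBCMD" = "" ];
then
  apt-get -y update
  apt-get -y install lsb-release
fi
# Check for Debian release
myLSB=$(lsb_release -c | awk '{ print $2 }')
myLSB_STABLE_SUPPORTED="stretch"
myLSB_TESTING_SUPPORTED="sid"
myINFO="\
###########################################
### T-Pot Installer for Debian unstable ###
###########################################
Disclaimer:
This script will install T-Pot on this system, by running the script you know what you are doing:
1. SSH will be reconfigured to tcp/64295
2. Some packages will be installed, some will be upgraded
3. Please ensure other means of access to this system in case something goes wrong.
4. At best this script well be executed on the console instead through a SSH session.
##########################################
Usage:
$0 --help - Help.
Example:
$0 --type=user - Best option for most users."
# Only the two supported codenames continue; abort with a non-zero status so
# callers (and automation) can tell the difference from a normal exit.
if [ "$myLSB" != "$myLSB_STABLE_SUPPORTED" ] && [ "$myLSB" != "$myLSB_TESTING_SUPPORTED" ];
then
  echo "Aborting. Debian $myLSB is not supported."
  exit 1
fi
# No arguments at all: print the info text and stop.
if [ "$1" == "" ];
then
  echo "$myINFO"
  exit
fi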
# Parse the command line. Each argument must match one of the forms below;
# anything else prints the info text and stops the run.
for myARG in "$@"
do
  case "$myARG" in
    --conf=*)
      myTPOT_CONF_FILE="${myARG#*=}"
      shift
      ;;
    --type=user|--type=auto|--type=iso)
      myTPOT_DEPLOYMENT_TYPE="${myARG#*=}"
      shift
      ;;
    --help)
      echo "Usage: $0 <options>"
      echo
      echo "--conf=<Path to \"tpot.conf\">"
      echo " Use this if you want to automatically deploy a T-Pot instance (--type=auto implied)."
      echo " A configuration example is available in \"tpotce/iso/installer/tpot.conf.dist\"."
      echo
      echo "--type=<[user, auto, iso]>"
      echo " user, use this if you want to manually install a T-Pot on a Debian (testing) machine."
      echo " auto, implied if a configuration file is passed as an argument for automatic deployment."
      echo " iso, use this if you are a T-Pot developer and want to install a T-Pot from a pre-compiled iso."
      echo
      exit
      ;;
    *)
      echo "$myINFO"
      exit
      ;;
  esac
done
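###################################################
# Validate command line arguments and load config #
###################################################
# If a valid config file exists, set deployment type to "auto" and load the configuration
if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ] && [ "$myTPOT_CONF_FILE" == "" ];
then
  echo "Aborting. No configuration file given."
  exit 1
fi
if [ "$myTPOT_CONF_FILE" != "" ] && [ -s "$myTPOT_CONF_FILE" ];
then
  myTPOT_DEPLOYMENT_TYPE="auto"
  # Only the first line is inspected for the "# tpot" marker; the file is then
  # sourced, i.e. executed as shell code with root privileges. Pass only
  # configuration files you wrote or reviewed yourself.
  if head -n 1 -- "$myTPOT_CONF_FILE" | grep -q "# tpot";
  then
    source "$myTPOT_CONF_FILE"
  else
    echo "Aborting. Config file \"$myTPOT_CONF_FILE\" not a T-Pot configuration file."
    exit 1
  fi
elif [ "$myTPOT_CONF_FILE" != "" ];
then
  # A path was given but the file is missing or empty.
  echo "Aborting. Config file \"$myTPOT_CONF_FILE\" not found."
  exit 1
fi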
#######################
# Prepare environment #
#######################
# Got root?
# Prints a status line; ends the run unless the current user is root.
# Outputs: status text on stdout
function fuGOT_ROOT {
  local myWHO
  myWHO=$(whoami)
  echo
  echo -n "### Checking for root: "
  if [ "$myWHO" == "root" ];
  then
    echo "[ OK ]"
    return
  fi
  echo "[ NOT OK ]"
  echo "### Please run as root."
  echo "### Example: sudo $0"
  exit
}
# Let's check if all dependencies are met
# Switches the package sources to Debian unstable, upgrades the system
# (keeping existing config files) and installs every package T-Pot needs.
# Globals: exports DEBIAN_FRONTEND
function fuGET_DEPS {
  local myPACKAGES=(
    apache2-utils apparmor apt-transport-https aufs-tools bash-completion
    build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker
    console-setup console-setup-linux curl debconf-utils dialog dnsutils
    docker.io docker-compose dstat ethtool fail2ban figlet genisoimage git
    glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7
    lm-sensors man mosh multitail net-tools npm ntp openssh-server openssl
    pass prips software-properties-common syslinux psmisc pv python-pip
    toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant
  )
  export DEBIAN_FRONTEND=noninteractive
  apt-get -y update
  apt-get -y install libpq-dev software-properties-common
  # Replace the package sources entirely with unstable (plain http mirror;
  # apt's signature checks still cover package integrity).
  tee /etc/apt/sources.list <<EOF
deb http://deb.debian.org/debian unstable main contrib non-free
deb-src http://deb.debian.org/debian unstable main contrib non-free
EOF
  echo
  echo "### Getting update information."
  echo
  apt-get -y update
  echo
  echo "### Upgrading packages."
  echo
  # Download and upgrade packages, but silently keep existing configs
  echo "docker.io docker.io/restart boolean true" | debconf-set-selections -v
  echo "debconf debconf/frontend select noninteractive" | debconf-set-selections -v
  apt-get -y dist-upgrade -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes
  echo
  echo "### Installing T-Pot dependencies."
  echo
  apt-get -y install "${myPACKAGES[@]}"
  # Remove exim4
  apt-get -y purge exim4-base
  apt-get -y autoremove
}
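# Let's check for other services
# For "user" deployments, list the listening sockets and let the operator
# confirm that nothing collides with the honeypot ports before continuing.
# Globals: myTPOT_DEPLOYMENT_TYPE (read)
# Returns: 0; ends the run when the operator answers n/N (or stdin closes).
function fuCHECK_PORTS {
  local mySELECT
  if [ "$myTPOT_DEPLOYMENT_TYPE" != "user" ];
  then
    return 0
  fi
  echo
  echo "### Checking for active services."
  echo
  grc netstat -tulpen
  echo
  echo "### Please review your running services."
  echo "### We will take care of SSH (22), but other services i.e. FTP (21), TELNET (23), SMTP (25), HTTP (80), HTTPS (443), etc."
  echo "### might collide with T-Pot's honeypots and prevent T-Pot from starting successfully."
  echo
  while true
  do
    # EOF on stdin would otherwise spin forever; treat it as "no".
    read -r -s -n 1 -p "Continue [y/n]? " mySELECT || exit
    echo
    # Any other key repeats the prompt. The previous patterns [y,Y] / [n,N]
    # also matched a comma, so "," counted as an answer.
    case "$mySELECT" in
      [yY])
        break
        ;;
      [nN])
        exit
        ;;
    esac
  done
}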
# (a second shebang line this far into the file has no effect; bash reads it as a comment)
# Print $1 as a large banner (toilet, ivrit font) to mark installer phases.
# Arguments: $1 - text to display
function fuBANNER {
  local myTEXT="$1"
  # Animated metal variant is kept here but disabled:
  #toilet -f ivrit -F metal "$1" | pv -qL 3000
  toilet -f ivrit "$myTEXT"
}
# Prepare running the installer
# Show the banner (first three lines of the info text), then the pre-flight
# steps in order: root check, dependencies, review of listening ports.
printf '%s\n' "$myINFO" | head -n 3
fuGOT_ROOT
fuGET_DEPS
fuCHECK_PORTS
#############
# Installer #
#############
# Set TERM
TERM=linux
export TERM
#######################
# Global vars section #
#######################
myBACKTITLE='T-Pot-Installer'
myCONF_FILE='/root/installer/iso.conf'
# Expanded unquoted at the call sites so it becomes separate dialog
# arguments; the back title therefore must not contain whitespace.
myPROGRESSBOXCONF=" --backtitle ${myBACKTITLE} --progressbox 24 80"
mySITES='https://hub.docker.com https://github.com https://pypi.python.org https://debian.org'
myTPOTCOMPOSE='/opt/tpot/etc/tpot.yml'
#####################
# Functions section #
#####################
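# Pick a random line from a word list and print it lower-cased, apostrophes
# removed and without a trailing newline (used to build the host name).
# Arguments: $1 - path to a word list, one word per line
# Returns:   1 when the file is missing or has no complete lines (nothing printed)
# $RANDOM is not a cryptographic source; fine for a host name, not for secrets.
fuRANDOMWORD () {
  local myWORDFILE="$1"
  local myLINES myRANDOM myNUM
  [ -s "$myWORDFILE" ] || return 1
  myLINES=$(wc -l < "$myWORDFILE")
  # An empty count would make the modulo below divide by zero.
  (( myLINES > 0 )) || return 1
  myRANDOM=$(( RANDOM % myLINES ))
  myNUM=$(( myRANDOM * myRANDOM % myLINES + 1 ))
  sed -n "${myNUM}p" -- "$myWORDFILE" | tr -d \' | tr A-Z a-z | tr -d '\n'
}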
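# If this is a ISO installation we need to wait a few seconds to avoid interference with service messages
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ];
then
  sleep 5
  dialog --keep-window --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7
fi
# Let' s load the iso config file if there is one
# The quoting matters: with an unset/empty myCONF_FILE the old `[ -f $myCONF_FILE ]`
# became a one-argument test that is always true. The file is sourced, i.e.
# executed as root, so it must only be writable by root.
if [ -n "$myCONF_FILE" ] && [ -f "$myCONF_FILE" ];
then
  dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Found personalized iso.config ]" --msgbox "\nYour personalized settings will be applied!" 7 47
  source "$myCONF_FILE"
else
  # dialog logic considers 1=false, 0=true
  myCONF_PROXY_USE="1"
  myCONF_PFX_USE="1"
  myCONF_NTP_USE="1"
fi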
### <--- Begin proxy setup
# If a proxy is set in iso.conf it needs to be setup.
# However, none of the other installation types will automatically take care of a proxy.
# Please open a feature request if you think this is something worth considering.
# Proxy URL built from the iso.conf values myCONF_PROXY_IP / myCONF_PROXY_PORT;
# the three snippets below are only written when myCONF_PROXY_USE is "0".
myPROXY="http://$myCONF_PROXY_IP:$myCONF_PROXY_PORT"
myPROXY_ENV="export http_proxy=$myPROXY
export https_proxy=$myPROXY
export HTTP_PROXY=$myPROXY
export HTTPS_PROXY=$myPROXY
export no_proxy=localhost,127.0.0.1,.sock
"
myPROXY_APT="Acquire::http::Proxy \"$myPROXY\";
Acquire::https::Proxy \"$myPROXY\";
"
myPROXY_DOCKER="http_proxy=$myPROXY
https_proxy=$myPROXY
HTTP_PROXY=$myPROXY
HTTPS_PROXY=$myPROXY
no_proxy=localhost,127.0.0.1,.sock
"
if [ "$myCONF_PROXY_USE" == "0" ];
then
# Let's setup proxy for the environment
# Appended to the system-wide /etc/environment; the output is echoed into a dialog progress box.
echo "$myPROXY_ENV" 2>&1 | tee -a /etc/environment | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF
# Sourced so this installer shell uses the proxy as well.
source /etc/environment
# Let's setup the proxy for apt
# tee without -a: any existing /etc/apt/apt.conf is replaced.
echo "$myPROXY_APT" 2>&1 | tee /etc/apt/apt.conf | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF
# Let's add proxy settings to docker defaults
# NOTE(review): /etc/default/docker is only honoured if the docker service unit
# reads it; confirm the daemon actually receives these variables on this setup.
echo "$myPROXY_DOCKER" 2>&1 | tee -a /etc/default/docker | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF
# Let's restart docker for proxy changes to take effect
systemctl stop docker 2>&1 | dialog --keep-window --title "[ Stop docker service ]" $myPROGRESSBOXCONF
systemctl start docker 2>&1 | dialog --keep-window --title "[ Start docker service ]" $myPROGRESSBOXCONF
fi
### ---> End proxy setup
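# Let's test the internet connection
# Each site gets a HEAD request while a gauge shows progress. On a failed
# probe the operator may abort, or continue (which skips the remaining probes).
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
then
  mySITESCOUNT=$(echo $mySITES | wc -w)
  j=0
  for i in $mySITES;
  do
    curl --connect-timeout 30 -IsS "$i" 2>&1>/dev/null | dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \
      --gauge "\n Now checking: $i\n" 8 80 $(( 100 * j / mySITESCOUNT ))
    # $? after the pipeline is dialog's status, not curl's; without pipefail a
    # failed probe was never noticed. PIPESTATUS[0] holds curl's exit code.
    myCURL_RC=${PIPESTATUS[0]}
    if [ "$myCURL_RC" -ne 0 ];
    then
      dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nInternet connection test failed. This might indicate some problems with your connection. You can continue, but the installation might fail." 10 50
      if [ $? = 1 ];
      then
        dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50
        exit
      else
        break
      fi
    fi
    j=$((j + 1))
    echo 2>&1>/dev/null | dialog --keep-window --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \
      --gauge "\n Now checking: $i\n" 8 80 $(( 100 * j / mySITESCOUNT ))
  done
fi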
####################
# User interaction #
####################
# Let's ask the user for install flavor
# Interactive deployments only; for "auto" the flavor presumably comes from
# the sourced config file (not set here). dialog draws the menu on stderr and
# prints the chosen tag on stdout after the 3>&1 1>&2 2>&3 swap; --no-cancel
# leaves no way to abort at this prompt.
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
then
myCONF_TPOT_FLAVOR=$(dialog --keep-window --no-cancel --backtitle "$myBACKTITLE" --title "[ Choose Your T-Pot NG Edition ]" --menu \
"\nRequired: 6GB RAM, 128GB SSD\nRecommended: 8GB RAM, 256GB SSD" 15 70 7 \
"STANDARD" "Honeypots, ELK, NSM & Tools" \
"SENSOR" "Just Honeypots, EWS Poster & NSM" \
"INDUSTRIAL" "Conpot, RDPY, Vnclowpot, ELK, NSM & Tools" \
"COLLECTOR" "Heralding, ELK, NSM & Tools" \
"NEXTGEN" "NextGen (Glutton instead of Honeytrap)" \
"LEGACY" "Standard Edition from previous release" 3>&1 1>&2 2>&3 3>&-)
fi
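# Let's ask for a secure tsec password if installation type is iso
# The sentinels "pass1"/"pass2" never match each other, so a mismatch or a
# rejected password simply resets them and the loops ask again. The password
# only reaches chpasswd via stdin, never the command line.
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ];
then
  myCONF_TPOT_USER="tsec"
  myPASS1="pass1"
  myPASS2="pass2"
  mySECURE="0"
  while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ]
  do
    while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ]
    do
      myPASS1=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \
        --title "[ Enter password for console user (tsec) ]" \
        --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
    done
    myPASS2=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \
      --title "[ Repeat password for console user (tsec) ]" \
      --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
    if [ "$myPASS1" != "$myPASS2" ];
    then
      dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \
        --msgbox "\nPlease re-enter your password." 7 60
      myPASS1="pass1"
      myPASS2="pass2"
    fi
    # cracklib-check echoes "<password>: OK" for an acceptable password. Match
    # the anchored suffix rather than a bare "OK", so a rejected password that
    # merely contains "OK" is not counted as secure.
    mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c ": OK$")
    if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ];
    then
      dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50
      myOK=$?
      if [ "$myOK" == "1" ];
      then
        myPASS1="pass1"
        myPASS2="pass2"
      fi
    fi
  done
  printf "%s" "$myCONF_TPOT_USER:$myPASS1" | chpasswd
fi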
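# Let's ask for web user credentials if deployment type is iso or user
# In case of auto, credentials are created from config values
# (A SENSOR flavor is still asked here; only writing the credentials is skipped later.)
# The user name is reduced to [:alnum:]_.- before confirmation, so what reaches
# htpasswd later is shell- and file-safe.
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
then
  myOK="1"
  myCONF_WEB_USER="webuser"
  myCONF_WEB_PW="pass1"
  myCONF_WEB_PW2="pass2"
  mySECURE="0"
  while true
  do
    myCONF_WEB_USER=$(dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-)
    myCONF_WEB_USER=$(printf "%s" "$myCONF_WEB_USER" | tr -cd "[:alnum:]_.-")
    dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_WEB_USER" 7 50
    myOK=$?
    if [ "$myOK" = "0" ] && [ "$myCONF_WEB_USER" != "tsec" ] && [ "$myCONF_WEB_USER" != "" ];
    then
      break
    fi
  done
  # Same sentinel scheme as for the console password: mismatch or rejection
  # resets "pass1"/"pass2" and the loops ask again.
  while [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ] && [ "$mySECURE" == "0" ]
  do
    while [ "$myCONF_WEB_PW" == "pass1" ] || [ "$myCONF_WEB_PW" == "" ]
    do
      myCONF_WEB_PW=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \
        --title "[ Enter password for your web user ]" \
        --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
    done
    myCONF_WEB_PW2=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \
      --title "[ Repeat password for your web user ]" \
      --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
    if [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ];
    then
      dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \
        --msgbox "\nPlease re-enter your password." 7 60
      myCONF_WEB_PW="pass1"
      myCONF_WEB_PW2="pass2"
    fi
    # Anchor on ": OK$" so a rejected password containing "OK" is not counted as secure.
    mySECURE=$(printf "%s" "$myCONF_WEB_PW" | cracklib-check | grep -c ": OK$")
    if [ "$mySECURE" == "0" ] && [ "$myCONF_WEB_PW" == "$myCONF_WEB_PW2" ];
    then
      dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50
      myOK=$?
      if [ "$myOK" == "1" ];
      then
        myCONF_WEB_PW="pass1"
        myCONF_WEB_PW2="pass2"
      fi
    fi
  done
fi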
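# If flavor is SENSOR do not write credentials
if [ "$myCONF_TPOT_FLAVOR" != "SENSOR" ];
then
  mkdir -p /data/nginx/conf 2>&1
  # -i reads the password from stdin instead of -b's command-line argument,
  # which any local user could read from the process list while htpasswd runs.
  printf "%s" "$myCONF_WEB_PW" | htpasswd -i -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" 2>&1 | dialog --keep-window --title "[ Setting up user and password ]" $myPROGRESSBOXCONF;
fi
dialog --clear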
########################
# Installation section #
########################
# From here on everything written to stderr/stdout is also copied into
# /install.err and /install.log at the filesystem root.
exec 2> >(tee "/install.err")
exec > >(tee "/install.log")
fuBANNER "Installing ..."
# Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway)
# 10-year self-signed certificate with a fixed, non-identifying subject; an
# 8192-bit RSA key can take a while to generate on small machines.
# NOTE(review): the key's file mode is whatever openssl and the umask produce,
# and the permissions step later applies chmod 644 -R to /data/nginx/cert —
# verify nginx.key does not end up readable to group/others.
if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
then
fuBANNER "NGINX Certificate"
mkdir -p /data/nginx/cert
openssl req \
-nodes \
-x509 \
-sha512 \
-newkey rsa:8192 \
-keyout "/data/nginx/cert/nginx.key" \
-out "/data/nginx/cert/nginx.crt" \
-days 3650 \
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd'
fi
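# Let's setup the ntp server
if [ "$myCONF_NTP_USE" == "0" ];
then
  fuBANNER "Setup NTP"
  cp -- "$myCONF_NTP_CONF_FILE" /etc/ntp.conf
fi
# Let's setup 802.1x networking
# Snippets appended/written when 802.1x is enabled in iso.conf: an
# /etc/network/interfaces stanza plus wired and wireless wpa_supplicant
# configs that reference the copied PFX file and its password.
myNETWORK_INTERFACES="
wpa-driver wired
wpa-conf /etc/wpa_supplicant/wired8021x.conf
### Example wireless config for 802.1x
### This configuration was tested with the IntelNUC series
### If problems occur you can try and change wpa-driver to \"iwlwifi\"
### Do not forget to enter a ssid in /etc/wpa_supplicant/wireless8021x.conf
### The Intel NUC uses wlpXsY notation instead of wlanX
#
#auto wlp2s0
#iface wlp2s0 inet dhcp
# wpa-driver wext
# wpa-conf /etc/wpa_supplicant/wireless8021x.conf
"
myNETWORK_WIRED8021x="ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
eapol_version=1
ap_scan=1
network={
key_mgmt=IEEE8021X
eap=TLS
identity=\"host/$myCONF_PFX_HOST_ID\"
private_key=\"/etc/wpa_supplicant/8021x.pfx\"
private_key_passwd=\"$myCONF_PFX_PW\"
}
"
myNETWORK_WLAN8021x="ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
eapol_version=1
ap_scan=1
network={
ssid=\"<your_ssid_here_without_brackets>\"
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=TLS
identity=\"host/$myCONF_PFX_HOST_ID\"
private_key=\"/etc/wpa_supplicant/8021x.pfx\"
private_key_passwd=\"$myCONF_PFX_PW\"
}
"
# The previous test compared the literal string "myCONF_PFX_USE" (missing $)
# with "0", so this branch could never run.
if [ "$myCONF_PFX_USE" == "0" ];
then
  fuBANNER "Setup 802.1x"
  cp -- "$myCONF_PFX_FILE" /etc/wpa_supplicant/
  echo "$myNETWORK_INTERFACES" | tee -a /etc/network/interfaces
  echo "$myNETWORK_WIRED8021x" | tee /etc/wpa_supplicant/wired8021x.conf
  echo "$myNETWORK_WLAN8021x" | tee /etc/wpa_supplicant/wireless8021x.conf
  # Both files embed the PFX password and tee creates them with the default
  # umask; restrict them to root.
  chmod 600 /etc/wpa_supplicant/wired8021x.conf /etc/wpa_supplicant/wireless8021x.conf
fi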
# Let's provide a wireless example config ...
# Commented-out static-IP and WPA-PSK examples are appended to
# /etc/network/interfaces for the operator to adapt; nothing here is active.
# NOTE(review): the quotes around iwlwifi below are not escaped, so the
# written text reads `to iwlwifi`; use \"iwlwifi\" if the quotes are wanted.
myNETWORK_WLANEXAMPLE="
### Example static ip config
### Replace <eth0> with the name of your physical interface name
#
#auto eth0
#iface eth0 inet static
# address 192.168.1.1
# netmask 255.255.255.0
# network 192.168.1.0
# broadcast 192.168.1.255
# gateway 192.168.1.1
# dns-nameservers 192.168.1.1
### Example wireless config without 802.1x
### This configuration was tested with the IntelNUC series
### If problems occur you can try and change wpa-driver to "iwlwifi"
#
#auto wlan0
#iface wlan0 inet dhcp
# wpa-driver wext
# wpa-ssid <your_ssid_here_without_brackets>
# wpa-ap-scan 1
# wpa-proto RSN
# wpa-pairwise CCMP
# wpa-group CCMP
# wpa-key-mgmt WPA-PSK
# wpa-psk \"<your_password_here_without_brackets>\"
"
fuBANNER "Example config"
printf '%s\n' "$myNETWORK_WLANEXAMPLE" | tee -a /etc/network/interfaces
# Let's make sure SSH roaming is turned off (CVE-2016-0777, CVE-2016-0778)
# Client-side option: it goes into ssh_config, not sshd_config.
fuBANNER "SSH roaming off"
printf '%s\n' "UseRoaming no" | tee -a /etc/ssh/ssh_config
# Installing elasticdump, curator, yq (no ctop is installed by the lines below)
fuBANNER "Installing pkgs"
# NOTE: nothing here is pinned to a version or commit, so the result depends on
# whatever GitHub, PyPI and npm serve at install time.
npm install https://github.com/taskrabbit/elasticsearch-dump -g
# Upgrade pip itself, then clear bash's command cache so the new pip is used next.
pip install --upgrade pip
hash -r
pip install elasticsearch-curator yq
# Cloning T-Pot from GitHub
# Head of the "debian" branch; the rest of the installer reads from /opt/tpot.
fuBANNER "Cloning T-Pot"
git clone https://github.com/dtag-dev-sec/tpotce -b debian /opt/tpot
# Let's create the T-Pot user
# Fixed uid/gid 2000, no home, no password, no login: a service account only.
fuBANNER "Create user"
addgroup --gid 2000 tpot
adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot
# Let's set the hostname
# Two random words from the lists shipped in the cloned repo (presumably
# adjective + noun) are concatenated into the host name.
a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt)
n=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/n.txt)
myHOST=$a$n
fuBANNER "Set hostname"
# $myHOST is unquoted here; fine only as long as the word lists never yield
# whitespace — verify, or quote it.
hostnamectl set-hostname $myHOST
sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts
# Let's patch cockpit.socket, sshd_config
# Cockpit moves from 9090 to 64294; every existing Port line in sshd_config is
# dropped (GNU sed: /^port/I is case-insensitive, d deletes) and 64295 appended.
fuBANNER "Adjust ports"
sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket
sed -i '/^port/Id' /etc/ssh/sshd_config
echo "Port 64295" >> /etc/ssh/sshd_config
# Let's make sure only myCONF_TPOT_FLAVOR images will be downloaded and started
# The compose file is named after the flavor in lower case. Unknown or unset
# flavors leave myTPOTCOMPOSE without a link.
case "$myCONF_TPOT_FLAVOR" in
  STANDARD|SENSOR|INDUSTRIAL|COLLECTOR|NEXTGEN|LEGACY)
    fuBANNER "$myCONF_TPOT_FLAVOR"
    ln -s "/opt/tpot/etc/compose/${myCONF_TPOT_FLAVOR,,}.yml" "$myTPOTCOMPOSE"
    ;;
esac
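# Let's load docker images in parallel
# Pulls every image named in the selected compose file, one background pull
# per image, and waits for all of them.
# Globals: myTPOTCOMPOSE (read)
function fuPULLIMAGES {
  local myIMAGE
  # Lines containing '#' are treated as comments; image names are expected in
  # double quotes. sort -u (rather than uniq) also drops non-adjacent duplicates.
  while IFS= read -r myIMAGE
  do
    docker pull "$myIMAGE" &
  done < <(grep -v '#' -- "$myTPOTCOMPOSE" | grep image | cut -d'"' -f2 | sort -u)
  wait
}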
fuBANNER "Pull images"
fuPULLIMAGES
# Let's add the daily update check with a weekly clean interval
# apt periodic settings: refresh lists daily, never pre-download upgrades,
# autoclean every 7 days.
myUPDATECHECK='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "7";
'
fuBANNER "Modify checks"
printf '%s\n' "$myUPDATECHECK" | tee /etc/apt/apt.conf.d/10periodic
# Let's make sure to reboot the system after a kernel panic
# Also raises vm.max_map_count for ELK and disables IPv6 on all interfaces.
mySYSCTLCONF='
# Reboot after kernel panic, check via /proc/sys/kernel/panic[_on_oops]
# Set required map count for ELK
kernel.panic = 1
kernel.panic_on_oops = 1
vm.max_map_count = 262144
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
'
fuBANNER "Tweak sysctl"
printf '%s\n' "$mySYSCTLCONF" | tee -a /etc/sysctl.conf
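# Let's setup fail2ban config
# Jails for the nginx web UI (64297), cockpit via PAM (64294) and sshd (64295).
# The documented whitelist option is spelled "ignoreip"; the previous
# "ignore-ip" is not a known key, so 127.0.0.1/8 was not actually exempted.
myFAIL2BANCONF="[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
findtime = 600
maxretry = 5
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = 64297
logpath = /data/nginx/log/error.log
[pam-generic]
enabled = true
port = 64294
filter = pam-generic
logpath = /var/log/auth.log
[sshd]
enabled = true
port = 64295
filter = sshd
logpath = /var/log/auth.log
"
fuBANNER "Setup fail2ban"
echo "$myFAIL2BANCONF" | tee /etc/fail2ban/jail.d/tpot.conf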
# Fix systemd error https://github.com/systemd/systemd/issues/3374
# Default .link file: keep kernel/database/onboard/slot/path naming and do
# not let systemd rewrite MAC addresses.
mySYSTEMDFIX='[Link]
NamePolicy=kernel database onboard slot path
MACAddressPolicy=none
'
fuBANNER "Systemd fix"
printf '%s\n' "$mySYSTEMDFIX" | tee /etc/systemd/network/99-default.link
# Let's add some cronjobs
# Appended to the system crontab (user column "root"); $(...) is escaped so
# it is expanded by cron, not by this installer.
myCRONJOBS="
# Check if updated images are available and download them
27 1 * * * root docker-compose -f /opt/tpot/etc/tpot.yml pull
# Delete elasticsearch logstash indices older than 90 days
27 4 * * * root curator --config /opt/tpot/etc/curator/curator.yml /opt/tpot/etc/curator/actions.yml
# Uploaded binaries are not supposed to be downloaded
*/1 * * * * root mv --backup=numbered /data/dionaea/roots/ftp/* /data/dionaea/binaries/
# Daily reboot
27 3 * * * root systemctl stop tpot && docker stop \$(docker ps -aq) || docker rm \$(docker ps -aq) || reboot
# Check for updated packages every sunday, upgrade and reboot
27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot
"
# NOTE(review): in the 03:27 job, `a && b || c || reboot` reboots only when both
# the stop and the rm fall-through fail, although the label says "Daily reboot" —
# confirm which behaviour is intended.
fuBANNER "Add cronjobs"
echo "$myCRONJOBS" | tee -a /etc/crontab
# Let's create some files and folders
# Persistent data/log directories for every honeypot and service under /data,
# plus the console user's .ssh directory.
fuBANNER "Files & folders"
myDATADIRS=(
  /data/adbhoney/downloads /data/adbhoney/log
  /data/ciscoasa/log
  /data/conpot/log
  /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/
  /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp
  /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp
  /data/elasticpot/log
  /data/elk/data /data/elk/log
  /data/glastopf/log /data/glastopf/db
  /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
  /data/glutton/log
  /data/heralding/log
  /data/mailoney/log
  /data/medpot/log
  /data/nginx/log
  /data/emobility/log
  /data/ews/conf
  /data/rdpy/log
  /data/spiderfoot
  /data/suricata/log /home/tsec/.ssh/
  /data/tanner/log /data/tanner/files
  /data/p0f/log
)
mkdir -p "${myDATADIRS[@]}"
# Empty placeholders so the containers (and fail2ban) find these files on first start.
touch /data/spiderfoot/spiderfoot.db
touch /data/nginx/log/error.log
# Let's copy some files
fuBANNER "Copy configs"
# elkbase.tgz is unpacked relative to /, so its contents decide which paths are written.
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C /
cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/
systemctl enable tpot
# Let's take care of some files and permissions
fuBANNER "Permissions"
# Everything under /data: owner rwx, group rw, others nothing; owned by the tpot service account.
chmod 760 -R /data
chown tpot:tpot -R /data
# NOTE(review): 644 applied recursively also hits the directories themselves
# (no execute bit) and makes nginx.key and the htpasswd file readable to group
# and others inside /data. Consider 750 for the directories and 640 for the key,
# depending on the uid nginx runs as inside its container.
chmod 644 -R /data/nginx/conf
chmod 644 -R /data/nginx/cert
# Let's replace "quiet splash" options, set a console font for more screen canvas and update grub
fuBANNER "Options"
# consoleblank=0 keeps the console from blanking; the second line turns on
# memory/swap cgroup accounting (presumably for container resource limits).
# Both seds match only the exact default values, so a customised grub file is left as is.
sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet"#GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"#' /etc/default/grub
sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub
update-grub
fuBANNER "Setup console"
# Terminus 12x6 gives more rows/columns on the console; the font is unpacked
# into /etc/console-setup (presumably so the following initramfs rebuild picks it up).
cp /usr/share/consolefonts/Uni2-Terminus12x6.psf.gz /etc/console-setup/
gunzip /etc/console-setup/Uni2-Terminus12x6.psf.gz
sed -i 's#FONTFACE=".*#FONTFACE="Terminus"#' /etc/default/console-setup
sed -i 's#FONTSIZE=".*#FONTSIZE="12x6"#' /etc/default/console-setup
update-initramfs -u
# Reorder console-setup after tmpfiles, screen and keyboard setup (unit ordering only).
sed -i 's#After=.*#After=systemd-tmpfiles-setup.service console-screen.service kbd.service local-fs.target#' /etc/systemd/system/multi-user.target.wants/console-setup.service
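# Let's enable a color prompt and add /opt/tpot/bin to path
fuBANNER "Setup prompt"
# Single-quoted on purpose: the $(tput ...) calls must end up verbatim in the
# .bashrc files and run at every prompt, not here.
myROOTPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;1m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;1m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"'
myUSERPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;2m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"'
myROOTCOLORS="export LS_OPTIONS='--color=auto'
eval \"\`dircolors\`\"
alias ls='ls \$LS_OPTIONS'
alias ll='ls \$LS_OPTIONS -l'
alias l='ls \$LS_OPTIONS -lA'"
# The heredocs are unquoted so the prompt/colour snippets expand here, while
# \$PATH is escaped so each login extends its own PATH instead of having the
# installer's PATH frozen into the file.
tee -a /root/.bashrc <<EOF
$myROOTPROMPT
$myROOTCOLORS
PATH="\$PATH:/opt/tpot/bin"
EOF
# Glob instead of parsing ls; with no user directories the literal pattern is
# skipped by the -d test.
for myHOMEDIR in /home/*/
do
  [ -d "$myHOMEDIR" ] || continue
  tee -a "${myHOMEDIR}.bashrc" <<EOF
$myUSERPROMPT
PATH="\$PATH:/opt/tpot/bin"
EOF
done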
# Let's create ews.ip before reboot and prevent race condition for first start
fuBANNER "Update IP"
/opt/tpot/bin/updateip.sh
# Let's clean up apt
fuBANNER "Clean up"
apt-get autoclean -y
apt-get autoremove -y
# Final steps
# Chained with && so a failed rc.local copy stops the cleanup. Removing
# /root/installer also deletes iso.conf (which may hold the PFX password);
# the cockpit/issue/motd files are dropped to keep the console banner clean.
cp /opt/tpot/host/etc/rc.local /etc/rc.local && \
rm -rf /root/installer && \
rm -rf /etc/issue.d/cockpit.issue && \
rm -rf /etc/motd.d/cockpit && \
rm -rf /etc/issue.net && \
rm -rf /etc/motd && \
systemctl restart console-setup.service
# "auto" deployments leave the reboot to the caller; interactive ones reboot now.
if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ];
then
echo "Done. Please reboot."
else
fuBANNER "Rebooting ..."
sleep 2
reboot
fi