Merge pull request #1536 from t3chn0m4g3/master

Adjust T-Pot for Docker Desktop for Windows with WSL2
2025-07-01 12:32:12 +00:00 · 2024-05-06 19:42:56 +02:00 · 2024-05-06 19:42:56 +02:00 · 0b1281d40f
commit 0b1281d40f
parent 0451cd9acd 3f087b0182
5 changed files with 103 additions and 77 deletions
--- a/README.md
+++ b/README.md
@ -327,10 +327,10 @@ Choose a supported distro of your choice. It is recommended to use the minimum /
 Sometimes it is just nice if you can spin up a T-Pot instance on macOS or Windows, i.e. for development, testing or just the fun of it. As Docker Desktop is rather limited not all honeypot types or T-Pot features are supported. Also remember, by default the macOS and Windows firewall are blocking access from remote, so testing is limited to the host. For production it is recommended to run T-Pot on [Linux](#choose-your-distro).<br>
 To get things up and running just follow these steps:
 1. Install Docker Desktop for [macOS](https://docs.docker.com/desktop/install/mac-install/) or [Windows](https://docs.docker.com/desktop/install/windows-install/).
-2. Clone the GitHub repository: `git clone https://github.com/telekom-security/tpotce`
+2. Clone the GitHub repository: `git clone https://github.com/telekom-security/tpotce` (in Windows make sure the code is checked out with `LF` instead of `CRLF`!)
 3. Go to: `cd ~/tpotce`
 4. Copy `cp compose/mac_win.yml ./docker-compose.yml`
-5. Create a `WEB_USER` by running `~/tpotce/genuser.sh`
+5. Create a `WEB_USER` by running `~/tpotce/genuser.sh` (macOS) or `~/tpotce/genuserwin.ps1` (Windows)
 6. Adjust the `.env` file by changing `TPOT_OSTYPE=linux` to either `mac` or `win`:
   ```
   # OSType (linux, mac, win)
--- a/compose/mac_win.yml
+++ b/compose/mac_win.yml
@ -53,6 +53,7 @@ services:
     - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
     - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
     - ${TPOT_DATA_PATH}:/data
+     - /var/run/docker.sock:/var/run/docker.sock:ro


 ##################
@ -190,32 +191,6 @@ services:
    volumes:
     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot

-# Conpot kamstrup_382
-  conpot_kamstrup_382:
-    container_name: conpot_kamstrup_382
-    restart: always
-    depends_on:
-      tpotinit:
-        condition: service_healthy
-    environment:
-     - CONPOT_CONFIG=/etc/conpot/conpot.cfg
-     - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
-     - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
-     - CONPOT_TEMPLATE=kamstrup_382
-     - CONPOT_TMP=/tmp/conpot
-    tmpfs:
-     - /tmp/conpot:uid=2000,gid=2000
-    networks:
-     - conpot_local_kamstrup_382
-    ports:
-     - "1025:1025"
-     - "50100:50100"
-    image: ${TPOT_REPO}/conpot:${TPOT_VERSION}
-    pull_policy: ${TPOT_PULL_POLICY}
-    read_only: true
-    volumes:
-     - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot
-
 # Cowrie service
  cowrie:
    container_name: cowrie
@ -303,7 +278,7 @@ services:
     - "81:81"
     - "135:135"
     # - "443:443"
-     - "445:445"
+     # - "445:445"
     - "1433:1433"
     - "1723:1723"
     - "1883:1883"
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
@ -7,14 +7,17 @@ exec > >(tee /data/tpotinit.log) 2>&1
 cleanup() {
  echo "# SIGTERM received, cleaning up ..."
  echo
-  echo "## ... removing firewall rules."
-  /opt/tpot/bin/rules.sh ${COMPOSE} unset
-  echo
-  if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
+  if [ "${TPOT_OSTYPE}" = "linux" ];
    then
-      echo "## ... removing Blackhole routes."
-      /opt/tpot/bin/blackhole.sh del
+      echo "## ... removing firewall rules."
+      /opt/tpot/bin/rules.sh ${COMPOSE} unset
      echo
+      if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
+        then
+          echo "## ... removing Blackhole routes."
+          /opt/tpot/bin/blackhole.sh del
+          echo
+      fi
  fi
  kill -TERM "$PID"
  rm -f /tmp/success
@ -29,7 +32,7 @@ check_var() {
    local var_value=$(eval echo \$$var_name)

    # Check if variable is set and not empty
-    if [[ -z "$var_value" ]]; 
+    if [[ -z "$var_value" ]];
      then
        echo "# Error: $var_name is not set or empty. Please check T-Pot .env config."
        echo
@ -44,7 +47,7 @@ check_safety() {
    local var_value=$(eval echo \$$var_name)

    # General safety check for most variables
-    if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]]; 
+    if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]];
      then
        echo "# Error: Unsafe characters detected in $var_name. Please check T-Pot .env config."
        echo
@ -78,7 +81,7 @@ validate_format() {

    case "$var_name" in
        TPOT_BLACKHOLE|TPOT_PERSISTENCE|TPOT_ATTACKMAP_TEXT)
-            if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]]; 
+            if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]];
              then
                echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false. Please check T-Pot .env config."
 		        echo
@ -94,7 +97,7 @@ validate_ip_or_domain() {

    # Regular expression for validating IPv4 addresses
    local ipv4Regex='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
-    
+
    # Regular expression for validating domain names (including subdomains)
    local domainRegex='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'

@ -119,7 +122,7 @@ create_web_users() {
    : > /data/nginx/conf/lswebpasswd
    for i in ${WEB_USER};
      do
-	    if [[ -n $i ]]; 
+	    if [[ -n $i ]];
 	      then
 	        # Need to control newlines as they kept coming up for some reason
 	        echo -n "$i" | base64 -d -w0 | tr -d '\n' >> /data/nginx/conf/nginxpasswd
@ -127,9 +130,9 @@ create_web_users() {
 	    fi
    done

-    for i in ${LS_WEB_USER}; 
+    for i in ${LS_WEB_USER};
      do
-        if [[ -n $i ]]; 
+        if [[ -n $i ]];
          then
            # Need to control newlines as they kept coming up for some reason
            echo -n "$i" | base64 -d -w0 | tr -d '\n' >> /data/nginx/conf/lswebpasswd
@ -153,25 +156,42 @@ update_permissions

 # Check for compatible OSType
 echo
-echo "# Checking if OSType is compatible."
+echo "# Checking if OSType is set correctly."
 echo
-myOSTYPE=$(uname -a | grep -Eo "linuxkit")
-if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
+myOSTYPE=$(uname -a | grep -Eo "microsoft|linuxkit")
+if [ "${myOSTYPE}" == "microsoft" ] && [ "${TPOT_OSTYPE}" != "win" ];
  then
-    echo "# Docker Desktop for macOS or Windows detected."
-    echo "# 1. You need to adjust the OSType the T-Pot .env config."
-    echo "# 2. You need to use the macos or win docker compose file."
+    echo "# Docker Desktop for Windows detected, but TPOT_OSTYPE is not set to win."
+    echo "# 1. You need to adjust the OSType in the T-Pot .env config."
+    echo "# 2. You need to copy compose/mac_win.yml to ./docker-compose.yml."
    echo
    echo "# Aborting."
    echo
+    sleep 1
    exit 1
 fi

-if ! [ "${myOSTYPE}" == "linuxkit" ] && ! [ -S /var/run/docker.sock ];
+if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" != "mac" ];
  then
-    echo "# Cannot access /var/run/docker.sock, check docker-compose.yml for proper volume definition."
+    echo "# Docker Desktop for macOS detected, but TPOT_OSTYPE is not set to mac."
+    echo "# 1. You need to adjust the OSType in the T-Pot .env config."
+    echo "# 2. You need to copy compose/mac_win.yml to ./docker-compose.yml."
    echo
    echo "# Aborting."
+    echo
+    sleep 1
+    exit 1
+fi
+
+if [ "${myOSTYPE}" == "" ] && [ "${TPOT_OSTYPE}" != "linux" ];
+  then
+    echo "# Docker Engine detected, but TPOT_OSTYPE is not set to linux."
+    echo "# 1. You need to adjust the OSType in the T-Pot .env config."
+    echo "# 2. You need to copy compose/standard.yml to ./docker-compose.yml."
+    echo
+    echo "# Aborting."
+    echo
+    sleep 1
    exit 1
 fi

@ -255,12 +275,8 @@ if [ -f "/data/uuid" ];
 fi

 # Check if TPOT_BLACKHOLE is enabled
-if [ "${myOSTYPE}" == "linuxkit" ];
+if [ "${TPOT_OSTYPE}" == "linux" ];
  then
-    echo
-    echo "# Docker Desktop for macOS or Windows detected, Blackhole feature is not supported."
-    echo
-  else
    if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ ! -f "/etc/blackhole/mass_scanner.txt" ];
      then
        echo
@ -278,6 +294,10 @@ if [ "${myOSTYPE}" == "linuxkit" ];
        echo
        echo "# Blackhole is not active."
    fi
+  else
+    echo
+    echo "# T-Pot is configured for macOS / Windows. Blackhole is not supported."
+    echo
 fi

 # Get IP
@ -291,7 +311,7 @@ update_permissions

 # Update interface settings (p0f and Suricata) and setup iptables to support NFQ based honeypots (glutton, honeytrap)
 ### This is currently not supported on Docker for Desktop, only on Docker Engine for Linux
-if [ "${myOSTYPE}" != "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
+if [ "${TPOT_OSTYPE}" == "linux" ];
  then
    echo
    echo "# Get IF, disable offloading, enable promiscious mode for p0f and suricata ..."
@ -303,10 +323,14 @@ if [ "${myOSTYPE}" != "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
    echo "# Adding firewall rules ..."
    echo
    /opt/tpot/bin/rules.sh ${COMPOSE} set
+  else
+    echo
+    echo "# T-Pot is configured for macOS / Windows. Setting up firewall rules on the host is not supported."
+    echo
 fi

 # Display open ports
-if [ "${myOSTYPE}" != "linuxkit" ];
+if [ "${TPOT_OSTYPE}" == "linux" ];
  then
    echo
    echo "# This is a list of open ports on the host (netstat -tulpen)."
@ -317,9 +341,9 @@ if [ "${myOSTYPE}" != "linuxkit" ];
    echo
  else
    echo
-    echo "# Docker Desktop for macOS or Windows detected, cannot show open ports on the host."
-    echo 
-fi 
+    echo "# T-Pot is configured for macOS / Windows. Showing open ports from the host is not supported."
+    echo
+fi


 # Done
@ -331,25 +355,20 @@ touch /tmp/success

 # We want to see true source for UDP packets in container (https://github.com/moby/libnetwork/issues/1994)
 # Start autoheal if running on a supported os
-if [ "${myOSTYPE}" != "linuxkit" ];
+if [ "${TPOT_OSTYPE}" == "linux" ];
  then
    sleep 60
    echo "# Dropping UDP connection tables to improve visibility of true source IPs."
    /usr/sbin/conntrack -D -p udp
-    # Starting container health monitoring
-    echo
-    figlet "Starting ..."
-    figlet "Autoheal"
-    echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy."
-    echo
-    # exec /opt/tpot/autoheal.sh autoheal
-    /opt/tpot/autoheal.sh autoheal &
-    PID=$!
-    wait $PID
-    echo "# T-Pot Init and Autoheal were stopped. Exiting."
-  else
-    echo
-    echo "# Docker Desktop for macOS or Windows detected, Conntrack feature is not supported."
-    echo
-    sleep infinity 
 fi
+
+# Starting container health monitoring
+echo
+figlet "Starting ..."
+figlet "Autoheal"
+echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy."
+echo
+/opt/tpot/autoheal.sh autoheal &
+PID=$!
+wait $PID
+echo "# T-Pot Init and Autoheal were stopped. Exiting."
--- a/dps.ps1
+++ b/dps.ps1
@ -0,0 +1,20 @@
+# Format, colorize docker ps output
+# Define a fixed width for the STATUS column
+$statusWidth = 30
+
+# Capture the Docker output into a variable
+$dockerOutput = docker ps -f status=running -f status=exited --format "{{.Names}}`t{{.Status}}`t{{.Ports}}"
+
+# Print header with colors
+Write-Host ("NAME".PadRight(20) + "STATUS".PadRight($statusWidth) + "PORTS") -ForegroundColor Cyan -NoNewline
+Write-Host ""
+
+# Split the output into lines and loop over them
+$dockerOutput -split '\r?\n' | ForEach-Object {
+    if ($_ -ne "") {
+        $fields = $_ -split "`t"
+        Write-Host ($fields[0].PadRight(20)) -NoNewline -ForegroundColor Yellow
+        Write-Host ($fields[1].PadRight($statusWidth)) -NoNewline -ForegroundColor Green
+        Write-Host ($fields[2]) -ForegroundColor Blue
+    }
+}
--- a/genuserwin.ps1
+++ b/genuserwin.ps1
@ -0,0 +1,12 @@
+# Run genuser.sh within tpotinit, prepare path and file
+# Define the volume paths
+$homePath = $Env:USERPROFILE + "\tpotce"
+$nginxpasswdPath = $homePath + "\data\nginx\conf\nginxpasswd"
+
+# Ensure nginxpasswd file exists
+if (-Not (Test-Path $nginxpasswdPath)) {
+    New-Item -ItemType File -Force -Path $nginxpasswdPath
+}
+
+# Run the Docker container without specifying UID / GID
+docker run -v "${homePath}:/data" --entrypoint bash -it dtagdevsec/tpotinit:24.04 "/opt/tpot/bin/genuser.sh"