From 99539562f23da3c9949265fffa1b6e214c770ae6 Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Sun, 5 May 2024 18:57:59 +0200 Subject: [PATCH 1/4] Prepare fix for Docker Desktop in Windows --- compose/mac_win.yml | 29 +---------- docker/tpotinit/dist/entrypoint.sh | 77 +++++++++++++++++++----------- dps.ps1 | 20 ++++++++ genuserwin.ps1 | 12 +++++ 4 files changed, 82 insertions(+), 56 deletions(-) create mode 100644 dps.ps1 create mode 100644 genuserwin.ps1 diff --git a/compose/mac_win.yml b/compose/mac_win.yml index de60b56d..f613618c 100644 --- a/compose/mac_win.yml +++ b/compose/mac_win.yml @@ -53,6 +53,7 @@ services: - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole - ${TPOT_DATA_PATH}:/data + - /var/run/docker.sock:/var/run/docker.sock:ro ################## @@ -190,32 +191,6 @@ services: volumes: - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot -# Conpot kamstrup_382 - conpot_kamstrup_382: - container_name: conpot_kamstrup_382 - restart: always - depends_on: - tpotinit: - condition: service_healthy - environment: - - CONPOT_CONFIG=/etc/conpot/conpot.cfg - - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json - - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log - - CONPOT_TEMPLATE=kamstrup_382 - - CONPOT_TMP=/tmp/conpot - tmpfs: - - /tmp/conpot:uid=2000,gid=2000 - networks: - - conpot_local_kamstrup_382 - ports: - - "1025:1025" - - "50100:50100" - image: ${TPOT_REPO}/conpot:${TPOT_VERSION} - pull_policy: ${TPOT_PULL_POLICY} - read_only: true - volumes: - - ${TPOT_DATA_PATH}/conpot/log:/var/log/conpot - # Cowrie service cowrie: container_name: cowrie @@ -303,7 +278,7 @@ services: - "81:81" - "135:135" # - "443:443" - - "445:445" + # - "445:445" - "1433:1433" - "1723:1723" - "1883:1883" diff --git a/docker/tpotinit/dist/entrypoint.sh b/docker/tpotinit/dist/entrypoint.sh index 87fdc21f..80bd25b9 100755 --- a/docker/tpotinit/dist/entrypoint.sh +++ b/docker/tpotinit/dist/entrypoint.sh 
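Review bot: The new `/var/run/docker.sock` volume on the tpotinit service hands that container control of the Docker daemon on the host, and the `:ro` flag does not limit what can be sent over the socket in practice — it only makes the socket file itself read-only inside the mount. Nothing on this page states what tpotinit needs the socket for (presumably the autoheal process started in entrypoint.sh, which restarts unhealthy containers), so a comment above the line would record both the purpose and the trust it implies, e.g. `# Docker API access for autoheal container restarts; this grants tpotinit full control of the daemon, the read-only mount does not restrict API calls`. The other two hunks in this file (removal of conpot_kamstrup_382, commenting out port 445) are deletions and need no review.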
@@ -7,14 +7,17 @@ exec > >(tee /data/tpotinit.log) 2>&1
 cleanup() {
 echo "# SIGTERM received, cleaning up ..."
 echo
- echo "## ... removing firewall rules."
- /opt/tpot/bin/rules.sh ${COMPOSE} unset
- echo
- if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
+ if [ "${TPOT_OSTYPE}" = "linux" ];
 then
- echo "## ... removing Blackhole routes."
- /opt/tpot/bin/blackhole.sh del
+ echo "## ... removing firewall rules."
+ /opt/tpot/bin/rules.sh ${COMPOSE} unset
 echo
+ if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
+ then
+ echo "## ... removing Blackhole routes."
+ /opt/tpot/bin/blackhole.sh del
+ echo
+ fi
 fi
 kill -TERM "$PID"
 rm -f /tmp/success
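Review bot: The new outer guard `if [ "${TPOT_OSTYPE}" = "linux" ];` uses `=` while the nested `TPOT_BLACKHOLE` test a few lines below and the other conditions in this script use `==`; pick one form so the cleanup path reads like the rest of the file (PATCH 4/4 on this page normalizes two other sites to `==` but leaves this one). `${COMPOSE}` is still passed unquoted to rules.sh, which is only safe if it never contains whitespace — presumably a single compose file path, but worth confirming. The closing brace of cleanup() lies outside the hunk.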
@@ -153,25 +156,42 @@ update_permissions
 # Check for compatible OSType
 echo
-echo "# Checking if OSType is compatible."
+echo "# Checking if OSType is set correctly."
 echo
-myOSTYPE=$(uname -a | grep -Eo "linuxkit")
-if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
+myOSTYPE=$(uname -a | grep -Eo "microsoft|linuxkit")
+if [ "${myOSTYPE}" == "microsoft" ] && [ "${TPOT_OSTYPE}" != "win" ];
 then
- echo "# Docker Desktop for macOS or Windows detected."
- echo "# 1. You need to adjust the OSType the T-Pot .env config."
- echo "# 2. You need to use the macos or win docker compose file."
+ echo "# Docker Desktop for Windows detected, but TPOT_OSTYPE is not set to win."
+ echo "# 1. You need to adjust the OSType in the T-Pot .env config."
+ echo "# 2. You need to copy compose/mac_win.yml to ./docker-compose.yml."
 echo
 echo "# Aborting."
 echo
+ sleep 1
 exit 1
 fi
-if ! [ "${myOSTYPE}" == "linuxkit" ] && ! [ -S /var/run/docker.sock ];
+if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" != "mac" ];
 then
- echo "# Cannot access /var/run/docker.sock, check docker-compose.yml for proper volume definition."
+ echo "# Docker Desktop for macOS detected, but TPOT_OSTYPE is not set to mac."
+ echo "# 1. You need to adjust the OSType in the T-Pot .env config."
+ echo "# 2. You need to copy compose/mac_win.yml to ./docker-compose.yml."
 echo
 echo "# Aborting."
+ echo
+ sleep 1
+ exit 1
+fi
+
+if [ "${myOSTYPE}" == "" ] && [ "${TPOT_OSTYPE}" != "linux" ];
+ then
+ echo "# Docker Engine detected, but TPOT_OSTYPE is not set to linux."
+ echo "# 1. You need to adjust the OSType in the T-Pot .env config."
+ echo "# 2. You need to copy compose/standard.yml to ./docker-compose.yml."
+ echo
+ echo "# Aborting."
+ echo
+ sleep 1
 exit 1
 fi
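Review bot: The `! [ -S /var/run/docker.sock ]` check is dropped without a replacement, so a compose file that does not mount the socket is no longer reported at this point and will presumably only surface later when autoheal tries to use it; keeping a socket test after the three OSType checks preserves the early diagnostic, e.g. `if ! [ -S /var/run/docker.sock ]; then echo "# Cannot access /var/run/docker.sock, check docker-compose.yml for proper volume definition."; exit 1; fi`. The three abort blocks differ only in their first line and the compose file they name, so a small helper taking the detected platform and the compose path would remove the triplication. Detection via `grep -Eo "microsoft|linuxkit"` on `uname -a` appears to rely on the kernel strings of the two Docker Desktop backends; a one-line comment stating that assumption would help whoever has to extend it.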
@@ -255,12 +275,8 @@ if [ -f "/data/uuid" ];
 fi
 # Check if TPOT_BLACKHOLE is enabled
-if [ "${myOSTYPE}" == "linuxkit" ];
+if [ "${TPOT_OSTYPE}" == "linux" ];
 then
- echo
- echo "# Docker Desktop for macOS or Windows detected, Blackhole feature is not supported."
- echo
- else
 if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ ! -f "/etc/blackhole/mass_scanner.txt" ];
 then
 echo
@@ -278,6 +294,10 @@ if [ "${myOSTYPE}" == "linuxkit" ];
 echo
 echo "# Blackhole is not active."
 fi
+ else
+ echo
+ echo "# T-Pot is configured for macOS / Windows. Blackhole is not supported."
+ echo
 fi
 # Get IP
@@ -291,7 +311,7 @@ update_permissions
 # Update interface settings (p0f and Suricata) and setup iptables to support NFQ based honeypots (glutton, honeytrap)
 ### This is currently not supported on Docker for Desktop, only on Docker Engine for Linux
-if [ "${myOSTYPE}" != "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
+if [ "${TPOT_OSTYPE}" == "linux" ];
 then
 echo
 echo "# Get IF, disable offloading, enable promiscious mode for p0f and suricata ..."
@@ -303,10 +323,14 @@ if [ "${myOSTYPE}" != "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
 echo "# Adding firewall rules ..."
 echo
 /opt/tpot/bin/rules.sh ${COMPOSE} set
+ else
+ echo
+ echo "# T-Pot is configured for macOS / Windows. Setting up firewall rules on the host is not supported."
+ echo
 fi
 # Display open ports
-if [ "${myOSTYPE}" != "linuxkit" ];
+if [ "${TPOT_OSTYPE}" = "linux" ];
 then
 echo
 echo "# This is a list of open ports on the host (netstat -tulpen)."
@@ -317,7 +341,7 @@ if [ "${myOSTYPE}" != "linuxkit" ];
 echo
 else
 echo
- echo "# Docker Desktop for macOS or Windows detected, cannot show open ports on the host."
+ echo "# T-Pot is configured for macOS / Windows. Showing open ports from the host is not supported."
 echo
 fi
@@ -331,25 +355,20 @@ touch /tmp/success
 # We want to see true source for UDP packets in container (https://github.com/moby/libnetwork/issues/1994)
 # Start autoheal if running on a supported os
-if [ "${myOSTYPE}" != "linuxkit" ];
+if [ "${TPOT_OSTYPE}" = "linux" ];
 then
 sleep 60
 echo "# Dropping UDP connection tables to improve visibility of true source IPs."
 /usr/sbin/conntrack -D -p udp
+ else
 # Starting container health monitoring
 echo
 figlet "Starting ..."
 figlet "Autoheal"
 echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy."
 echo
- # exec /opt/tpot/autoheal.sh autoheal
 /opt/tpot/autoheal.sh autoheal &
 PID=$!
 wait $PID
 echo "# T-Pot Init and Autoheal were stopped. Exiting."
- else
- echo
- echo "# Docker Desktop for macOS or Windows detected, Conntrack feature is not supported."
- echo
- sleep infinity
 fi
diff --git a/dps.ps1 b/dps.ps1
new file mode 100644
index 00000000..12dcc2f8
--- /dev/null
+++ b/dps.ps1
@@ -0,0 +1,20 @@
+# Format, colorize docker ps output
+# Define a fixed width for the STATUS column
+$statusWidth = 30
+
+# Capture the Docker output into a variable
+$dockerOutput = docker ps -f status=running -f status=exited --format "{{.Names}}`t{{.Status}}`t{{.Ports}}"
+
+# Print header with colors
+Write-Host ("NAME".PadRight(20) + "STATUS".PadRight($statusWidth) + "PORTS") -ForegroundColor Cyan -NoNewline
+Write-Host ""
+
+# Split the output into lines and loop over them
+$dockerOutput -split '\r?\n' | ForEach-Object {
+ if ($_ -ne "") {
+ $fields = $_ -split "`t"
+ Write-Host ($fields[0].PadRight(20)) -NoNewline -ForegroundColor Yellow
+ Write-Host ($fields[1].PadRight($statusWidth)) -NoNewline -ForegroundColor Green
+ Write-Host ($fields[2]) -ForegroundColor Blue
+ }
+}
diff --git a/genuserwin.ps1 b/genuserwin.ps1
new file mode 100644
index 00000000..3cc46889
--- /dev/null
+++ b/genuserwin.ps1
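Review bot: With this restructuring the Linux branch runs only the conntrack flush and then falls through the `fi`, because the autoheal start and the `wait` on its PID now sit in the `+ else` branch; on Docker Engine the script therefore no longer starts container health monitoring, and if nothing follows the `fi` tpotinit exits right after the flush — the opposite of the previous behaviour. PATCH 2/4 on this page moves the autoheal block after the `fi`, so this only affects the intermediate commit, but the fix at this point is the same: drop `+ else` and place the autoheal lines after `fi`. The comment `# Start autoheal if running on a supported os` above the `if` also no longer matches what the branch does.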
@@ -0,0 +1,12 @@
+# Run genuser.sh within tpotinit, prepare path and file
+# Define the volume paths
+$homePath = $Env:USERPROFILE + "\tpotce"
+$nginxpasswdPath = $homePath + "\data\nginx\conf\nginxpasswd"
+
+# Ensure nginxpasswd file exists
+if (-Not (Test-Path $nginxpasswdPath)) {
+ New-Item -ItemType File -Force -Path $nginxpasswdPath
+}
+
+# Run the Docker container without specifying UID / GID
+docker run -v "${homePath}:/data" --entrypoint bash -it dtagdevsec/tpotinit:24.04 "/opt/tpot/bin/genuser.sh"
From 3b94af2d5eccda96ae33551270cd0413bc7477f0 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Mon, 6 May 2024 19:22:33 +0200
Subject: [PATCH 2/4] Optimize for linux
---
docker/tpotinit/dist/entrypoint.sh | 44 +++++++++++++++---------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/docker/tpotinit/dist/entrypoint.sh b/docker/tpotinit/dist/entrypoint.sh
index 80bd25b9..67da5055 100755
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
@@ -32,7 +32,7 @@ check_var() {
 local var_value=$(eval echo \$$var_name)
 # Check if variable is set and not empty
- if [[ -z "$var_value" ]];
+ if [[ -z "$var_value" ]];
 then
 echo "# Error: $var_name is not set or empty. Please check T-Pot .env config."
 echo
@@ -47,7 +47,7 @@ check_safety() {
 local var_value=$(eval echo \$$var_name)
 # General safety check for most variables
- if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]];
+ if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]];
 then
 echo "# Error: Unsafe characters detected in $var_name. Please check T-Pot .env config."
 echo
@@ -81,7 +81,7 @@ validate_format() {
 case "$var_name" in
 TPOT_BLACKHOLE|TPOT_PERSISTENCE|TPOT_ATTACKMAP_TEXT)
- if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]];
+ if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]];
 then
 echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false. Please check T-Pot .env config."
 echo
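Review bot: `docker run … dtagdevsec/tpotinit:24.04` hard-codes the image repository and tag, while the compose file on this page resolves its images from `${TPOT_REPO}/…:${TPOT_VERSION}` in `.env`; the two will drift on the next release, and a user with a custom `TPOT_REPO` gets a different image here than the one compose starts. Reading the two values from `.env`, or at least a top-of-file comment such as `# Keep the image tag in sync with TPOT_VERSION in .env`, would prevent that. The checkout path `$Env:USERPROFILE\tpotce` is likewise fixed rather than derived from the script's own location; the README step `cd ~/tpotce` makes it match today, but any other clone location breaks silently. `New-Item` also prints the created file object to the console; appending `| Out-Null` keeps the output to the genuser.sh prompt.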
@@ -97,7 +97,7 @@ validate_ip_or_domain() {
 # Regular expression for validating IPv4 addresses
 local ipv4Regex='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
-
+
 # Regular expression for validating domain names (including subdomains)
 local domainRegex='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
@@ -122,7 +122,7 @@ create_web_users() {
 : > /data/nginx/conf/lswebpasswd
 for i in ${WEB_USER};
 do
- if [[ -n $i ]];
+ if [[ -n $i ]];
 then
 # Need to control newlines as they kept coming up for some reason
 echo -n "$i" | base64 -d -w0 | tr -d '\n' >> /data/nginx/conf/nginxpasswd
@@ -130,9 +130,9 @@ create_web_users() {
 fi
 done
- for i in ${LS_WEB_USER};
+ for i in ${LS_WEB_USER};
 do
- if [[ -n $i ]];
+ if [[ -n $i ]];
 then
 # Need to control newlines as they kept coming up for some reason
 echo -n "$i" | base64 -d -w0 | tr -d '\n' >> /data/nginx/conf/lswebpasswd
@@ -297,7 +297,7 @@ if [ "${TPOT_OSTYPE}" == "linux" ];
 else
 echo
 echo "# T-Pot is configured for macOS / Windows. Blackhole is not supported."
- echo
+ echo
 fi
 # Get IP
@@ -326,7 +326,7 @@ if [ "${TPOT_OSTYPE}" == "linux" ];
 else
 echo
 echo "# T-Pot is configured for macOS / Windows. Setting up firewall rules on the host is not supported."
- echo
+ echo
 fi
 # Display open ports
@@ -342,8 +342,8 @@ if [ "${TPOT_OSTYPE}" = "linux" ];
 else
 echo
 echo "# T-Pot is configured for macOS / Windows. Showing open ports from the host is not supported."
- echo
-fi
+ echo
+fi
 # Done
@@ -360,15 +360,15 @@ if [ "${TPOT_OSTYPE}" = "linux" ];
 sleep 60
 echo "# Dropping UDP connection tables to improve visibility of true source IPs."
 /usr/sbin/conntrack -D -p udp
- else
- # Starting container health monitoring
- echo
- figlet "Starting ..."
- figlet "Autoheal"
- echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy."
- echo
- /opt/tpot/autoheal.sh autoheal &
- PID=$!
- wait $PID
- echo "# T-Pot Init and Autoheal were stopped. Exiting."
 fi
+
+# Starting container health monitoring
+echo
+figlet "Starting ..."
+figlet "Autoheal"
+echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy."
+echo
+/opt/tpot/autoheal.sh autoheal &
+PID=$!
+wait $PID
+echo "# T-Pot Init and Autoheal were stopped. Exiting."
From f18530575ca599824898c40e8e3cb4ca8dee6fa9 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Mon, 6 May 2024 19:29:17 +0200
Subject: [PATCH 3/4] Adjust README.md for macOS / Windows install
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 98124077..315af4bf 100644
--- a/README.md
+++ b/README.md
@@ -327,10 +327,10 @@ Choose a supported distro of your choice. It is recommended to use the minimum / Sometimes it is just nice if you can spin up a T-Pot instance on macOS or Windows, i.e. for development, testing or just the fun of it. As Docker Desktop is rather limited not all honeypot types or T-Pot features are supported. Also remember, by default the macOS and Windows firewall are blocking access from remote, so testing is limited to the host. For production it is recommended to run T-Pot on [Linux](#choose-your-distro).
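Review bot: Now that the autoheal block runs unconditionally after the `fi`, the comment `# Start autoheal if running on a supported os` that precedes the `if` (outside this hunk; it is visible as context in the PATCH 1/4 and PATCH 4/4 hunks for this region) describes the old structure and should say something like `# Drop UDP conntrack entries on Linux, then start autoheal on every platform`. `wait $PID` is unquoted while cleanup() uses `"$PID"`; `wait "$PID"` keeps the two consistent. On the macOS / Windows paths autoheal now depends on the Docker socket that compose/mac_win.yml mounts in PATCH 1/4 — inferred from the mount, since autoheal.sh itself is not on this page — and that dependency is worth a line in the same comment.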
To get things up and running just follow these steps:
 1. Install Docker Desktop for [macOS](https://docs.docker.com/desktop/install/mac-install/) or [Windows](https://docs.docker.com/desktop/install/windows-install/).
-2. Clone the GitHub repository: `git clone https://github.com/telekom-security/tpotce`
+2. Clone the GitHub repository: `git clone https://github.com/telekom-security/tpotce` (in Windows make sure the code is checked out with `LF` instead of `CRLF`!)
 3. Go to: `cd ~/tpotce`
 4. Copy `cp compose/mac_win.yml ./docker-compose.yml`
-5. Create a `WEB_USER` by running `~/tpotce/genuser.sh`
+5. Create a `WEB_USER` by running `~/tpotce/genuser.sh` (macOS) or `~/tpotce/genuserwin.ps1` (Windows)
 6. Adjust the `.env` file by changing `TPOT_OSTYPE=linux` to either `mac` or `win`:
 ```
 # OSType (linux, mac, win)
From 3f087b018250d32fc66a335c9ea4088de722941f Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Mon, 6 May 2024 19:37:34 +0200
Subject: [PATCH 4/4] Update entrypoint.sh
---
docker/tpotinit/dist/entrypoint.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/tpotinit/dist/entrypoint.sh b/docker/tpotinit/dist/entrypoint.sh
index 67da5055..706924a3 100755
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
@@ -330,7 +330,7 @@ if [ "${TPOT_OSTYPE}" == "linux" ];
 fi
 # Display open ports
-if [ "${TPOT_OSTYPE}" = "linux" ];
+if [ "${TPOT_OSTYPE}" == "linux" ];
 then
 echo
 echo "# This is a list of open ports on the host (netstat -tulpen)."
@@ -355,7 +355,7 @@ touch /tmp/success
 # We want to see true source for UDP packets in container (https://github.com/moby/libnetwork/issues/1994)
 # Start autoheal if running on a supported os
-if [ "${TPOT_OSTYPE}" = "linux" ];
+if [ "${TPOT_OSTYPE}" == "linux" ];
 then
 sleep 60
 echo "# Dropping UDP connection tables to improve visibility of true source IPs."