From 12af5c9d4601d0f9d2b4ae27a6d5787596311391 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Wed, 5 Jul 2023 23:03:41 +0200
Subject: [PATCH] Handle password securely, needs htpasswd to create user:password: - Update tpotinit and entrypoint.sh to reflect this - Update install.sh to reflect this - Update .env / env.example to reflect this Reorder recommended packages in T-Pot Playbook Add packages to T-Pot Playbook to ensure manual deployment via Ansible will offer the same environment as manual local installation via install.sh and local Ansible deployment.
---
 .env | 11 +++++------
 docker/tpotinit/dist/entrypoint.sh | 6 +++---
 env.example | 17 ++++++++---------
 install.sh | 19 +++++++++----------
 installer/install/tpot.yml | 21 +++++++++++++++------
 5 files changed, 40 insertions(+), 34 deletions(-)
diff --git a/.env b/.env
index 13287916..2f748aca 100644
--- a/.env
+++ b/.env
@@ -1,11 +1,10 @@
 # T-Pot config file. Do not remove.
-# Set Web username and password here, only required for first run
-# Removing the password after first run is recommended
-# You can always add or remove users as you see fit using htpasswd:
-# htpasswd -b -c //nginx/conf/nginxpasswd
-WEB_USER='changeme'
-WEB_PW='changeme'
+# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
+# Use 'htpasswd -n ' to create the WEB_USER if you want to manually deploy T-Pot
+# Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+# Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+WEB_USER='change:me'
 # T-Pot Blackhole
 # ENABLED: T-Pot will download a db of known mass scanners and nullroute them
diff --git a/docker/tpotinit/dist/entrypoint.sh b/docker/tpotinit/dist/entrypoint.sh
index 1c73163d..0e659db7 100755
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
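Review bot: The new comment block still opens with "Set Web username and password here" although the value WEB_USER now holds is the full htpasswd line `user:hash`, and the example `htpasswd -n ` is missing its username argument as rendered here (the same text is duplicated in the env.example hunk, so both copies need the fix). A wording such as `# WEB_USER holds the htpasswd line (user:hash) that is written verbatim to the Nginx password file nginxpasswd` and `# Create it with: htpasswd -n <username>` would match what entrypoint.sh actually does with it. The sample line shows an `$apr1$` (MD5-based) hash, which is htpasswd's default; if the Nginx image's crypt() supports bcrypt, `htpasswd -nB <username>` is the stronger recommendation to document, otherwise the comment should at least say which algorithms the image accepts.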
@@ -34,9 +34,9 @@ if [ -f "/data/uuid" ];
 figlet "${VERSION}"
 echo
 echo "# Checking for default user."
- if [ "${WEB_USER}" == "changeme" ] || [ "${WEB_PW}" == "changeme" ];
+ if [ "${WEB_USER}" == "change:me" ];
 then
- echo "# Please change WEB_USER and WEB_PW in the hidden \".env\" file."
+ echo "# Please change WEB_USER in the hidden \".env\" file."
 echo "# Aborting."
 echo
 exit 1
@@ -66,7 +66,7 @@ if [ -f "/data/uuid" ];
 echo
 echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..."
 echo
- htpasswd -b -c /data/nginx/conf/nginxpasswd "${WEB_USER}" "${WEB_PW}"
+ echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
 echo
 echo "# Extracting objects, final touches and permissions ..."
 echo
diff --git a/env.example b/env.example
index 6b70286c..b2d27eb2 100644
--- a/env.example
+++ b/env.example
@@ -1,11 +1,10 @@
 # T-Pot config file. Do not remove.
-# Set Web username and password here, only required for first run
-# Removing the password after first run is recommended
-# You can always add or remove users as you see fit using htpasswd:
-# htpasswd -b -c //nginx/conf/nginxpasswd
-WEB_USER='changeme'
-WEB_PW='changeme'
+# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
+# Use 'htpasswd -n ' to create the WEB_USER if you want to manually deploy T-Pot
+# Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
+# Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
+WEB_USER='change:me'
 # T-Pot Blackhole
 # ENABLED: T-Pot will download a db of known mass scanners and nullroute them
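Review bot: The second entrypoint.sh hunk (@@ -66) writes `${WEB_USER}` verbatim into /data/nginx/conf/nginxpasswd, but the only validation is the `== "change:me"` comparison in the first hunk (@@ -34), so a value that is not in `user:hash` form — for example a plain username left over from the old WEB_USER/WEB_PW layout, or an empty string — passes the check and produces an unusable password file that is only noticed when the first login fails. A shape check next to the default check would catch this early: `case "${WEB_USER}" in *:*) ;; *) echo "# WEB_USER must be an htpasswd line (user:hash), see .env."; exit 1 ;; esac`. The unchanged message "make sure to erase the password from the .env" on the context line above the write is now misleading, since .env no longer carries a cleartext password, and `printf '%s\n' "${WEB_USER}"` is safer than `echo` for a value the operator controls. Both `if` blocks continue outside the hunks.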
@@ -32,9 +31,9 @@ TPOT_DOCKER_ENV=./.env
 TPOT_DOCKER_COMPOSE=./docker-compose.yml
 # T-Pot Repo
-# Depending on where you are located you may choose between DockerHub and GHCR
-# dtagdevsec: This will use the DockerHub image registry
-# ghcr.io/telekom-security: This will use the GitHub container registry
+# Depending on where you are located you may choose between DockerHub and GHCR
+# dtagdevsec: This will use the DockerHub image registry
+# ghcr.io/telekom-security: This will use the GitHub container registry
 TPOT_REPO=dtagdevsec
 # T-Pot Version Tag
diff --git a/install.sh b/install.sh
index 58bf8fe0..85d9c5eb 100755
--- a/install.sh
+++ b/install.sh
@@ -3,10 +3,10 @@
 myINSTALL_NOTIFICATION="### Now installing required packages ..."
 myUSER=$(whoami)
 myTPOT_CONF_FILE="/home/${myUSER}/tpotce/.env"
-myPACKAGES_DEBIAN="ansible cracklib-runtime wget"
-myPACKAGES_FEDORA="ansible cracklib wget"
-myPACKAGES_ROCKY="ansible-core ansible-collection-redhat-rhel_mgmt cracklib wget"
-myPACKAGES_OPENSUSE="ansible cracklib wget"
+myPACKAGES_DEBIAN="ansible apache2-utils cracklib-runtime wget"
+myPACKAGES_FEDORA="ansible cracklib httpd-tools wget"
+myPACKAGES_ROCKY="ansible-core ansible-collection-redhat-rhel_mgmt cracklib httpd-tools wget"
+myPACKAGES_OPENSUSE="ansible apache2-utils cracklib wget"
 myINSTALLER=$(cat << "EOF"
@@ -74,7 +74,7 @@ case ${myCURRENT_DISTRIBUTION} in
 echo "### or press CTRL-C to manually install ‘sudo‘ and add your user to the sudoers."
 echo
 su -c "apt -y update && \
- apt -y install sudo ${myPACKAGES_DEBIAN} && \
+ NEEDRESTART_SUSPEND=1 apt -y install sudo ${myPACKAGES_DEBIAN} && \
 /usr/sbin/usermod -aG sudo ${myUSER} && \
 echo '${myUSER} ALL=(ALL:ALL) ALL' | tee /etc/sudoers.d/${myUSER} >/dev/null && \
 chmod 440 /etc/sudoers.d/${myUSER}"
@@ -83,7 +83,7 @@ case ${myCURRENT_DISTRIBUTION} in
 echo
 else
 sudo apt update
- sudo apt install -y ${myPACKAGES_DEBIAN}
+ sudo NEEDRESTART_SUSPEND=1 apt install -y ${myPACKAGES_DEBIAN}
 fi
 ;;
 "openSUSE Tumbleweed")
@@ -204,11 +204,10 @@ while [ "${myWEB_PW}" != "${myWEB_PW2}" ] && [ "${mySECURE}" == "0" ]
 done
 # Write username and password to T-Pot config file
-echo "### Writing username and password to T-Pot config file: ${myTPOT_CONF_FILE}"
-echo "### You can empty the password after the first start of T-Pot."
+echo "### Creating htpasswd username and password for T-Pot config file: ${myTPOT_CONF_FILE}"
+myWEB_USER_ENC=$(htpasswd -b -n "${myWEB_USER}" "${myWEB_PW}")
 echo
-sed -i "/^WEB_USER=/s/.*/WEB_USER='${myWEB_USER}'/" ${myTPOT_CONF_FILE}
-sed -i "/^WEB_PW=/s/.*/WEB_PW='${myWEB_PW}'/" ${myTPOT_CONF_FILE}
+sed -i "s|^WEB_USER=.*|WEB_USER='${myWEB_USER_ENC}'|" ${myTPOT_CONF_FILE}
 # Pull docker images
 echo "### Now pulling images ..."
diff --git a/installer/install/tpot.yml b/installer/install/tpot.yml
index 110e763f..4ab62a3a 100644
--- a/installer/install/tpot.yml
+++ b/installer/install/tpot.yml
@@ -58,11 +58,11 @@
 tags:
 - "openSUSE Tumbleweed"
-################################
-# T-Pot - Abort if run as root #
-################################
+#####################################################################
+# T-Pot - Abort if run as tpot, root or on unsupported distribution #
+#####################################################################
-- name: T-Pot - Abort if run as root
+- name: T-Pot - Abort if run as tpot, root or on unsupported distribution
 hosts: all
 gather_facts: true
 become: false
@@ -117,14 +117,17 @@
 - name: Install recommended packages (Debian, Ubuntu)
 package:
 name:
+ - apache2-utils
 - bash-completion
 - ca-certificates
+ - cracklib-runtime
 - curl
 - git
 - gnupg
 - grc
- - vim
 - net-tools
+ - vim
+ - wget
 state: latest
 update_cache: yes
 when: ansible_distribution in ["Debian", "Ubuntu"]
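Review bot: `htpasswd -b -n "${myWEB_USER}" "${myWEB_PW}"` puts the cleartext password on the command line, where any local user can read it from the process list while htpasswd runs (the htpasswd man page itself warns against `-b` for this reason); `-i` reads it from stdin instead: `myWEB_USER_ENC=$(printf '%s\n' "${myWEB_PW}" | htpasswd -n -i "${myWEB_USER}")`. The result is also never checked, so if htpasswd is absent or fails, `myWEB_USER_ENC` is empty, the following sed writes `WEB_USER=''`, and that value sails past the `change:me` check in entrypoint.sh; adding `|| { echo "### htpasswd failed, cannot create web user."; exit 1; }` to the assignment closes that gap. The sed replacement is safe for the `$apr1$` hash alphabet with the `|` delimiter, but a username containing `|`, `&` or `\` would still break it unless myWEB_USER is validated earlier in install.sh (the prompting loop ends at the `done` above; its body is outside the hunk).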
@@ -147,12 +150,15 @@
 name:
 - bash-completion
 - ca-certificates
+ - cracklib
 - curl
 - dnf-plugins-core
 - git
 - grc
- - vim
+ - httpd-tools
 - net-tools
+ - vim
+ - wget
 state: latest
 update_cache: yes
 when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
@@ -178,13 +184,16 @@
 - name: Install recommended packages (openSUSE Tumbleweed)
 package:
 name:
+ - apache2-utils
 - bash-completion
 - busybox-net-tools
 - ca-certificates
+ - cracklib
 - curl
 - git
 - grc
 - vim
+ - wget
 state: latest
 update_cache: yes
 when: ansible_distribution in ["openSUSE Tumbleweed"]