diff --git a/iso/installer/install.sh b/iso/installer/install.sh index 6042c370..0196dd37 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh @@ -2,8 +2,8 @@ # T-Pot Universal Installer #### to do -#### 1. ditch authorized keys config, use fail2ban -#### 2. check for other services that might collide with the honeypots, if found abort install +#### 1. use fail2ban +#### 2. use cockpit ################################## # Extract command line arguments # @@ -160,9 +160,41 @@ if [ -f "dialogrc" ]; fi } +# Let's check for other services +function fuCHECK_PORTS { +if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; + then + echo + echo "### Checking for active services." + echo + grc netstat -tulpen + echo + echo "### Please review your running services." + echo "### We will take care of SSH (22), but other services i.e. FTP (21), TELNET (23), SMTP (25), HTTP (80), HTTPS (443), etc." + echo "### might collide with T-Pot's honeypots and prevent T-Pot from starting successfully." + echo + while [ 1 != 2 ] + do + read -s -n 1 -p "Continue [y/n]? " mySELECT + echo + case "$mySELECT" in + [y,Y]) + break + ;; + [n,N]) + exit + ;; + esac + done +fi +} + + # Prepare running the installer +echo "$myINFO" | head -n 3 fuGOT_ROOT fuGET_DEPS +fuCHECK_PORTS fuDIALOG_SETUP ############# @@ -211,7 +243,6 @@ if [ -f $myCONF_FILE ]; else # dialog logic considers 1=false, 0=true myCONF_PROXY_USE="1" - myCONF_SSH_PUBKEY_USE="1" myCONF_PFX_USE="1" myCONF_NTP_USE="1" fi @@ -287,6 +318,10 @@ fi # Let's put cursor back in standard form tput cnorm +#################### +# User interaction # +#################### + # Let's ask the user for install flavor if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; then @@ -426,6 +461,10 @@ echo $myCONF_WEB_PW ##### exit ##### exit +######################## +# Installation section # +######################## + # Put cursor in invisible mode tput civis 
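Review bot: In the new `fuCHECK_PORTS`, the `[n,N]` branch calls a bare `exit`, so an install the user declined still ends with status 0 and a wrapper script cannot tell it from success; `exit 1` would make the abort visible. The patterns `[y,Y]` and `[n,N]` also match a literal comma, where `[yY]` and `[nN]` are what is meant. The `read` has no `-r` and its failure is not handled, so if stdin is closed `mySELECT` stays empty and `while [ 1 != 2 ]` never ends; `read -r -s -n 1 -p "Continue [y/n]? " mySELECT || exit 1` covers that. The check is advisory only: it prints the `netstat` output and relies on the operator to spot a collision, so a short comment saying so above the function would stop readers assuming that conflicting listeners are detected.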
@@ -547,7 +586,7 @@ tee -a /etc/ssh/ssh_config 2>&1>/dev/null <&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF @@ -556,8 +595,7 @@ pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESS hash -r 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF pip install elasticsearch-curator==5.4.1 2>&1 | dialog --title "[ Installing elasticsearch-curator ]" $myPROGRESSBOXCONF pip install yq==2.4.1 2>&1 | dialog --title "[ Installing yq ]" $myPROGRESSBOXCONF -wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF -mv ctop /usr/bin/ 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF +wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF chmod +x /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF git clone https://github.com/dtag-dev-sec/tpotce -b 18.04 /opt/tpot 2>&1 | dialog --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF 
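Review bot: The new `wget … -O /usr/bin/ctop` line writes the download straight onto root's PATH, so a failed or truncated transfer leaves a partial file there that the following `chmod +x` still marks executable. The pipe into `dialog` hides wget's exit status, and nothing compares the binary with a known digest before it is installed. Fetching to a `mktemp` file, verifying it and only then installing it closes both gaps, e.g. `echo "<PINNED_SHA256>  $myCTOP_TMP" | sha256sum -c - && install -m 0755 "$myCTOP_TMP" /usr/bin/ctop`, with the digest pinned in the script next to the version.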
@@ -574,13 +612,6 @@ sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --title # Let's patch sshd_config sed -i 's#\#Port 22#Port 64295#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF -sed -i 's#\#PasswordAuthentication yes#PasswordAuthentication no#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH password authentication only from RFC1918 networks ]" $myPROGRESSBOXCONF -tee -a /etc/ssh/sshd_config 2>&1>/dev/null <&1 | dialog --title "[ Creating some file tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /opt/tpot/host/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -cp $myCONF_SSH_PUBKEY_FILE /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF systemctl enable tpot 2>&1 | dialog --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF # Let's take care of some files and permissions 
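Review bot: With the `PasswordAuthentication no` substitution and the block appended to sshd_config both removed, the only sshd change left in this hunk is the move to port 64295, so password logins appear to fall back to the distribution default for every source address. The to-do list at the top of install.sh still lists fail2ban as pending, so nothing visible here limits password guessing against the management port of a host that is meant to attract attack traffic. Consider keeping an explicit setting until that lands, for example `PasswordAuthentication no` with a documented way to provision keys, or at least `MaxAuthTries` and `PermitRootLogin no`. Part of this hunk's text is missing from the page, so the exact contents of the removed block cannot be checked here.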
@@ -704,8 +734,6 @@ chmod 760 -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $m chown tpot:tpot -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF chmod 644 -R /data/nginx/conf 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF chmod 644 -R /data/nginx/cert 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF -chmod 600 /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF -chown tsec:tsec /home/tsec/.ssh /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF # Let's replace "quiet splash" options, set a console font for more screen canvas and update grub sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub 2>&1>/dev/null diff --git a/iso/installer/iso.conf.dist b/iso/installer/iso.conf.dist index 5aba0b92..f695f381 100644 --- a/iso/installer/iso.conf.dist +++ b/iso/installer/iso.conf.dist @@ -2,8 +2,6 @@ myCONF_PROXY_USE='0' myCONF_PROXY_IP='1.2.3.4' myCONF_PROXY_PORT='3128' -myCONF_SSH_PUBKEY_USE='0' -myCONF_SSH_PUBKEY_FILE='/' myCONF_PFX_USE='0' myCONF_PFX_FILE='/' myCONF_PFX_PW_USE='0' diff --git a/makeiso.sh b/makeiso.sh index f6995267..a33c665b 100755 --- a/makeiso.sh +++ b/makeiso.sh 
@@ -115,9 +115,6 @@ do myCONF_PROXY_PORT=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy Port (i.e. 3128)?" --inputbox "" 7 50 "$myCONF_PROXY_PORT" 3>&1 1>&2 2>&3 3>&-) if [[ $myCONF_PROXY_PORT =~ ^-?[0-9]+$ ]] && [ $myCONF_PROXY_PORT -gt 0 ] && [ $myCONF_PROXY_PORT -lt 65536 ]; then myPORTRESULT="true"; fi done - ################################################################# - #echo http://$myCONF_PROXY_IP:$myCONF_PROXY_PORT > $myPROXYCONFIG - ################################################################# sed -i.bak 's#d-i mirror/http/proxy.*#d-i mirror/http/proxy string http://'$myCONF_PROXY_IP':'$myCONF_PROXY_PORT'/#' $myTPOTSEED break else @@ -127,28 +124,6 @@ do fi done -# Let's ask the user for ssh keys ... -while true; -do - dialog --backtitle "$myBACKTITLE" --title "[ Add ssh keys? ]" --yesno "\nDo you want to add public key(s) to authorized_keys file?" 8 50 - myCONF_SSH_PUBKEY_USE=$? - if [ "$myCONF_SSH_PUBKEY_USE" = "0" ] - then - myCONF_SSH_PUBKEY_FILE=$(dialog --backtitle "$myBACKTITLE" --fselect "$myCONF_SSH_PUBKEY_FILE" 15 50 3>&1 1>&2 2>&3 3>&-) - if [ -f "$myCONF_SSH_PUBKEY_FILE" ] - then - cp $myCONF_SSH_PUBKEY_FILE $myAUTHKEYSFILE - break - else - dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50; - fi - else - echo > $myAUTHKEYSFILE - myCONF_SSH_PUBKEY_FILE="" - break - fi -done - # Let's ask the user for 802.1x data ... while true; do 
@@ -165,16 +140,10 @@ do if [ "$myCONF_PFX_PW_USE" = "0" ] then myCONF_PFX_PW=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Password?" 7 50 3>&1 1>&2 2>&3 3>&-) - ################################### - #echo $myCONF_PFX_PW > $myPFXPWPATH - ################################### else myCONF_PFX_PW="" fi myCONF_PFX_HOST_ID=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Host ID?" 7 50 "$myCONF_PFX_HOST_ID" 3>&1 1>&2 2>&3 3>&-) - ############################################ - #echo $myCONF_PFX_HOST_ID > $myPFXHOSTIDPATH - ############################################ break else dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50; 
@@ -225,19 +194,17 @@ done # Let's write the config file echo "# makeiso configuration file" > $myCONF_FILE -echo "myCONF_PROXY_USE=\'$myCONF_PROXY_USE\'" >> $myCONF_FILE -echo "myCONF_PROXY_IP=\'$myCONF_PROXY_IP\'" >> $myCONF_FILE -echo "myCONF_PROXY_PORT=\'$myCONF_PROXY_PORT\'" >> $myCONF_FILE -echo "myCONF_SSH_PUBKEY_USE=\'$myCONF_SSH_PUBKEY_USE\'" >> $myCONF_FILE -echo "myCONF_SSH_PUBKEY_FILE=\'/root/installer/keys/authorized_keys\'" >> $myCONF_FILE -echo "myCONF_PFX_USE=\'$myCONF_PFX_USE\'" >> $myCONF_FILE -echo "myCONF_PFX_FILE=\'/root/installer/keys/8021x.pfx\'" >> $myCONF_FILE -echo "myCONF_PFX_PW_USE=\'$myCONF_PFX_PW_USE\'" >> $myCONF_FILE -echo "myCONF_PFX_PW=\'$myCONF_PFX_PW\'" >> $myCONF_FILE -echo "myCONF_PFX_HOST_ID=\'$myCONF_PFX_HOST_ID\'" >> $myCONF_FILE -echo "myCONF_NTP_USE=\'$myCONF_NTP_USE\'" >> $myCONF_FILE -echo "myCONF_NTP_IP=\'$myCONF_NTP_IP\'" >> $myCONF_FILE -echo "myCONF_NTP_CONF_FILE=\'/root/installer/ntp.conf\'" >> $myCONF_FILE +echo "myCONF_PROXY_USE=\"$myCONF_PROXY_USE\"" >> $myCONF_FILE +echo "myCONF_PROXY_IP=\"$myCONF_PROXY_IP\"" >> $myCONF_FILE +echo "myCONF_PROXY_PORT=\"$myCONF_PROXY_PORT\"" >> $myCONF_FILE +echo "myCONF_PFX_USE=\"$myCONF_PFX_USE\"" >> $myCONF_FILE +echo "myCONF_PFX_FILE=\"/root/installer/keys/8021x.pfx\"" >> $myCONF_FILE +echo "myCONF_PFX_PW_USE=\"$myCONF_PFX_PW_USE\"" >> $myCONF_FILE +echo "myCONF_PFX_PW=\"$myCONF_PFX_PW\"" >> $myCONF_FILE +echo "myCONF_PFX_HOST_ID=\"$myCONF_PFX_HOST_ID\"" >> $myCONF_FILE +echo "myCONF_NTP_USE=\"$myCONF_NTP_USE\"" >> $myCONF_FILE +echo "myCONF_NTP_IP=\"$myCONF_NTP_IP\"" >> $myCONF_FILE +echo "myCONF_NTP_CONF_FILE=\"/root/installer/ntp.conf\"" >> $myCONF_FILE # Let's download Ubuntu Minimal ISO if [ ! -f $myUBUNTUISO ]
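Review bot: Switching the generated assignments to double quotes exposes every dialog-supplied value to shell expansion if this config file is later sourced: a PFX password containing `$`, a backtick, `"` or `\` would be altered or executed instead of stored. Whether install.sh sources the file is not visible in this hunk, but the assignment format suggests it does. Bash's `%q` writes a value that reads back unchanged, e.g. `printf 'myCONF_PFX_PW=%q\n' "$myCONF_PFX_PW" >> "$myCONF_FILE"`, and the same applies to each user-entered field. Because the file holds the PFX password in clear text, it is also worth setting `umask 077` before the first write or running `chmod 600` on it afterwards.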