Continue working on installer

iso/installer/install.sh

@@ -2,8 +2,8 @@
 # T-Pot Universal Installer
 
 #### to do
-#### 1. ditch authorized keys config, use fail2ban
-#### 2. check for other services that might collide with the honeypots, if found abort install
+#### 1. use fail2ban
+#### 2. use cockpit
 
 ##################################
 # Extract command line arguments #
@@ -160,9 +160,41 @@ if [ -f "dialogrc" ];
   fi
 }
 
+# Let's check for other services
+function fuCHECK_PORTS {
+if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
+  then
+    echo
+    echo "### Checking for active services."
+    echo
+    grc netstat -tulpen
+    echo
+    echo "### Please review your running services."
+    echo "### We will take care of SSH (22), but other services i.e. FTP (21), TELNET (23), SMTP (25), HTTP (80), HTTPS (443), etc."
+    echo "### might collide with T-Pot's honeypots and prevent T-Pot from starting successfully."
+    echo
+    while [ 1 != 2 ]
+      do
+        read -s -n 1 -p "Continue [y/n]? " mySELECT
+	echo
+        case "$mySELECT" in
+          [y,Y])
+            break
+            ;;
+          [n,N])
+            exit
+            ;;
+        esac
+      done
+fi
+}
+
+
 # Prepare running the installer
+echo "$myINFO" | head -n 3
 fuGOT_ROOT
 fuGET_DEPS
+fuCHECK_PORTS
 fuDIALOG_SETUP
 
 #############
@@ -211,7 +243,6 @@ if [ -f $myCONF_FILE ];
   else
     # dialog logic considers 1=false, 0=true
     myCONF_PROXY_USE="1"
-    myCONF_SSH_PUBKEY_USE="1"
     myCONF_PFX_USE="1"
     myCONF_NTP_USE="1"
 fi
@@ -287,6 +318,10 @@ fi
 # Let's put cursor back in standard form
 tput cnorm
 
+####################
+# User interaction #
+####################
+
 # Let's ask the user for install flavor
 if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
   then
@@ -426,6 +461,10 @@ echo $myCONF_WEB_PW
 ##### exit #####
 exit
 
+########################
+# Installation section #
+########################
+
 # Put cursor in invisible mode
 tput civis
 
@@ -547,7 +586,7 @@ tee -a /etc/ssh/ssh_config 2>&1>/dev/null <<EOF
 UseRoaming no
 EOF
 
-# Installing ctop, elasticdump, tpot
+# Installing ctop, elasticdump, tpot, yq
 if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
   then
     npm install https://github.com/taskrabbit/elasticsearch-dump#9fcc8cc -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
@@ -556,8 +595,7 @@ pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESS
 hash -r 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF
 pip install elasticsearch-curator==5.4.1 2>&1 | dialog --title "[ Installing elasticsearch-curator ]" $myPROGRESSBOXCONF
 pip install yq==2.4.1 2>&1 | dialog --title "[ Installing yq ]" $myPROGRESSBOXCONF
-wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
-mv ctop /usr/bin/ 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
+wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
 chmod +x /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
 git clone https://github.com/dtag-dev-sec/tpotce -b 18.04 /opt/tpot 2>&1 | dialog --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF
 
@@ -574,13 +612,6 @@ sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --title
 
 # Let's patch sshd_config
 sed -i 's#\#Port 22#Port 64295#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF
-sed -i 's#\#PasswordAuthentication yes#PasswordAuthentication no#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH password authentication only from RFC1918 networks ]" $myPROGRESSBOXCONF
-tee -a /etc/ssh/sshd_config 2>&1>/dev/null <<EOF
-
-
-Match address 127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-    PasswordAuthentication yes
-EOF
 
 # Let's make sure only myCONF_TPOT_FLAVOR images will be downloaded and started
 case $myCONF_TPOT_FLAVOR in
@@ -696,7 +727,6 @@ touch /data/spiderfoot/spiderfoot.db 2>&1 | dialog --title "[ Creating some file
 tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF
 cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF
 cp /opt/tpot/host/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF
-cp $myCONF_SSH_PUBKEY_FILE /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF
 systemctl enable tpot 2>&1 | dialog --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF
 
 # Let's take care of some files and permissions
@@ -704,8 +734,6 @@ chmod 760 -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $m
 chown tpot:tpot -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
 chmod 644 -R /data/nginx/conf 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
 chmod 644 -R /data/nginx/cert 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
-chmod 600 /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
-chown tsec:tsec /home/tsec/.ssh /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
 
 # Let's replace "quiet splash" options, set a console font for more screen canvas and update grub
 sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub 2>&1>/dev/null

iso/installer/iso.conf.dist

@@ -2,8 +2,6 @@
 myCONF_PROXY_USE='0'
 myCONF_PROXY_IP='1.2.3.4'
 myCONF_PROXY_PORT='3128'
-myCONF_SSH_PUBKEY_USE='0'
-myCONF_SSH_PUBKEY_FILE='/'
 myCONF_PFX_USE='0'
 myCONF_PFX_FILE='/'
 myCONF_PFX_PW_USE='0'

makeiso.sh

@@ -115,9 +115,6 @@ do
           myCONF_PROXY_PORT=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy Port (i.e. 3128)?" --inputbox "" 7 50 "$myCONF_PROXY_PORT" 3>&1 1>&2 2>&3 3>&-)
           if [[ $myCONF_PROXY_PORT =~ ^-?[0-9]+$ ]] && [ $myCONF_PROXY_PORT -gt 0 ] && [ $myCONF_PROXY_PORT -lt 65536 ]; then myPORTRESULT="true"; fi
       done
-      #################################################################
-      #echo http://$myCONF_PROXY_IP:$myCONF_PROXY_PORT > $myPROXYCONFIG
-      #################################################################
       sed -i.bak 's#d-i mirror/http/proxy.*#d-i mirror/http/proxy string http://'$myCONF_PROXY_IP':'$myCONF_PROXY_PORT'/#' $myTPOTSEED
       break
     else
@@ -127,28 +124,6 @@ do
   fi
 done
 
-# Let's ask the user for ssh keys ...
-while true;
-do
-  dialog --backtitle "$myBACKTITLE" --title "[ Add ssh keys? ]" --yesno "\nDo you want to add public key(s) to authorized_keys file?" 8 50
-  myCONF_SSH_PUBKEY_USE=$?
-  if [ "$myCONF_SSH_PUBKEY_USE" = "0" ]
-    then
-      myCONF_SSH_PUBKEY_FILE=$(dialog --backtitle "$myBACKTITLE" --fselect "$myCONF_SSH_PUBKEY_FILE" 15 50 3>&1 1>&2 2>&3 3>&-)
-      if [ -f "$myCONF_SSH_PUBKEY_FILE" ]
-        then
-          cp $myCONF_SSH_PUBKEY_FILE $myAUTHKEYSFILE
-          break
-        else
-          dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50;
-      fi
-    else
-      echo > $myAUTHKEYSFILE
-      myCONF_SSH_PUBKEY_FILE=""
-      break
-  fi
-done
-
 # Let's ask the user for 802.1x data ...
 while true;
 do
@@ -165,16 +140,10 @@ do
           if [ "$myCONF_PFX_PW_USE" = "0" ]
             then
               myCONF_PFX_PW=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Password?" 7 50 3>&1 1>&2 2>&3 3>&-)
-              ###################################
-	      #echo $myCONF_PFX_PW > $myPFXPWPATH
-	      ###################################
 	    else
 	      myCONF_PFX_PW=""
           fi
           myCONF_PFX_HOST_ID=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Host ID?" 7 50 "$myCONF_PFX_HOST_ID" 3>&1 1>&2 2>&3 3>&-)
-          ############################################
-	  #echo $myCONF_PFX_HOST_ID > $myPFXHOSTIDPATH
-	  ############################################
           break
         else
           dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50;
@@ -225,19 +194,17 @@ done
 
 # Let's write the config file
 echo "# makeiso configuration file" > $myCONF_FILE
-echo "myCONF_PROXY_USE=\'$myCONF_PROXY_USE\'" >> $myCONF_FILE
-echo "myCONF_PROXY_IP=\'$myCONF_PROXY_IP\'" >> $myCONF_FILE
-echo "myCONF_PROXY_PORT=\'$myCONF_PROXY_PORT\'" >> $myCONF_FILE
-echo "myCONF_SSH_PUBKEY_USE=\'$myCONF_SSH_PUBKEY_USE\'" >> $myCONF_FILE
-echo "myCONF_SSH_PUBKEY_FILE=\'/root/installer/keys/authorized_keys\'" >> $myCONF_FILE
-echo "myCONF_PFX_USE=\'$myCONF_PFX_USE\'" >> $myCONF_FILE
-echo "myCONF_PFX_FILE=\'/root/installer/keys/8021x.pfx\'" >> $myCONF_FILE
-echo "myCONF_PFX_PW_USE=\'$myCONF_PFX_PW_USE\'" >> $myCONF_FILE
-echo "myCONF_PFX_PW=\'$myCONF_PFX_PW\'" >> $myCONF_FILE
-echo "myCONF_PFX_HOST_ID=\'$myCONF_PFX_HOST_ID\'" >> $myCONF_FILE
-echo "myCONF_NTP_USE=\'$myCONF_NTP_USE\'" >> $myCONF_FILE
-echo "myCONF_NTP_IP=\'$myCONF_NTP_IP\'" >> $myCONF_FILE
-echo "myCONF_NTP_CONF_FILE=\'/root/installer/ntp.conf\'" >> $myCONF_FILE
+echo "myCONF_PROXY_USE=\"$myCONF_PROXY_USE\"" >> $myCONF_FILE
+echo "myCONF_PROXY_IP=\"$myCONF_PROXY_IP\"" >> $myCONF_FILE
+echo "myCONF_PROXY_PORT=\"$myCONF_PROXY_PORT\"" >> $myCONF_FILE
+echo "myCONF_PFX_USE=\"$myCONF_PFX_USE\"" >> $myCONF_FILE
+echo "myCONF_PFX_FILE=\"/root/installer/keys/8021x.pfx\"" >> $myCONF_FILE
+echo "myCONF_PFX_PW_USE=\"$myCONF_PFX_PW_USE\"" >> $myCONF_FILE
+echo "myCONF_PFX_PW=\"$myCONF_PFX_PW\"" >> $myCONF_FILE
+echo "myCONF_PFX_HOST_ID=\"$myCONF_PFX_HOST_ID\"" >> $myCONF_FILE
+echo "myCONF_NTP_USE=\"$myCONF_NTP_USE\"" >> $myCONF_FILE
+echo "myCONF_NTP_IP=\"$myCONF_NTP_IP\"" >> $myCONF_FILE
+echo "myCONF_NTP_CONF_FILE=\"/root/installer/ntp.conf\"" >> $myCONF_FILE
 
 # Let's download Ubuntu Minimal ISO
 if [ ! -f $myUBUNTUISO ]