Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-04-19 21:52:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Azure Deployment via ARM template

Browse source 
The following is a Azure Deployment of T-Pot using a ARM Template, creates a debian 11 vm, disks, nic, nsg, pip and leverages cloud-init customData to pass a B64 encoded string of a cloud-inity yaml file, example in readme docs.
This commit is contained in:
swiftsolves-msft 2023-07-02 00:56:38 -04:00
parent 81fab84040
commit 1af7cdcaa1
3 changed files with 379 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

71
cloud/azure/README.md Normal file
View file

@ -0,0 +1,71 @@
# Azure T-Pot
The following deployment template will deploy a Standard T-Pot server on a Azure VM on a Network\Subnet of your choosing. [Click here to learn more on T-Pot](https://github.com/telekom-security/tpotce)
[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ftelekom-security%2Ftpotce%2Fmaster%2Fcloud%2Fazure%2Fazuredeploy.json)
[![Deploy To Azure US Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ftelekom-security%2Ftpotce%2Fmaster%2Fcloud%2Fazure%2Fazuredeploy.json)
[![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.svg?sanitize=true)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2Ftelekom-security%2Ftpotce%2Fmaster%2Fcloud%2Fazure%2Fazuredeploy.json)
## Install Instructions
1. Update the VM Name to reflect your naming convention and taxonomy.
2. Place you Azure Virtual Network Resource Id *(Recommendation of
placement depending on goal, you may want to place in Hub Virtual
Network to detect activity from on-premise or other virtual
network spokes. You can also place in DMZ or isolated in a unique
virtual network exposed to direct internet.)*
3. My Connection IP of a public ip address you are coming from to use dashboards and manage.
4. Cloud Init B64 Encoded write your cloud init yaml contents and base 64 encode them into this string parameter.
Cloud-Init Yaml Example before B64 Encoding:
packages:
- git
runcmd:
- curl -sS --retry 5 https://github.com
- git clone https://github.com/telekom-security/tpotce /root/tpot
- /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
- rm /root/tpot.conf
- /sbin/shutdown -r now
password: w3b$ecrets2!
chpasswd:
expire: false
write_files:
- content: |
# tpot configuration file
myCONF_TPOT_FLAVOR='STANDARD'
myCONF_WEB_USER='webuser'
myCONF_WEB_PW='w3b$ecrets2!'
owner: root:root
path: /root/tpot.conf
permissions: '0600'
Be sure to copy and update values like:
- password:
- myCONF_TPOT_FLAVOR= (Different flavors as follows: [STANDARD,
HIVE, HIVE_SENSOR, INDUSTRIAL, LOG4J, MEDICAL, MINI, SENSOR]
**Recommend deploying STANDARD** if you are exploring first time)
- myCONF_WEB_USER=
- myCONF_WEB_PW=
Once you update the cloud init yaml file locally then base 64 encode and paste this string to in the securestring parameter.
B64 Example:
I2Nsb3VkLWNvbmZpZwp0aW1lem9uZTogVVMvRWFzdGVybgoKcGFja2FnZXM6CiAgLSBnaXQKCnJ1bmNtZDoKICAtIGN1cmwgLXNTIC0tcmV0cnkgNSBodHRwczovL2dpdGh1Yi5jb20KICAtIGdpdCBjbG9uZSBodHRwczovL2dpdGh1Yi5jb20vdGVsZWtvbS1zZWN1cml0eS90cG90Y2UgL3Jvb3QvdHBvdAogIC0gL3Jvb3QvdHBvdC9pc28vaW5zdGFsbGVyL2luc3RhbGwuc2ggLS10eXBlPWF1dG8gLS1jb25mPS9yb290L3Rwb3QuY29uZgogIC0gcm0gL3Jvb3QvdHBvdC5jb25mCiAgLSAvc2Jpbi9zaHV0ZG93biAtciBub3cKCnBhc3N3b3JkOiB3M2IkZWNyZXRzMiEKY2hwYXNzd2Q6CiAgZXhwaXJlOiBmYWxzZQoKd3JpdGVfZmlsZXM6CiAgLSBjb250ZW50OiB8CiAgICAgICMgdHBvdCBjb25maWd1cmF0aW9uIGZpbGUKICAgICAgbXlDT05GX1RQT1RfRkxBVk9SPSdTVEFOREFSRCcKICAgICAgbXlDT05GX1dFQl9VU0VSPSd3ZWJ1c2VyJwogICAgICBteUNPTkZfV0VCX1BXPSd3M2IkZWNyZXRzMiEnCiAgICBvd25lcjogcm9vdDpyb290CiAgICBwYXRoOiAvcm9vdC90cG90LmNvbmYKICAgIHBlcm1pc3Npb25zOiAnMDYwMCc=
Click review and create, deployment of VM should take less than 5 minutes, however Cloud-Init will take some time, **typically 15 minutes** before T-Pot services are up and running.
## Post Install Instructions
Install **may take around 15 minutes** for services to come up. Check to make sure from your public IP you can connect to https://azurepuplicip:64297 you will be prompted for your username and password supplied in the B64 Cloud Init String you supplied for *myCONF_WEB_PW=*
Review the [available honeypots architecture section](https://raw.githubusercontent.com/telekom-security/tpotce/master/doc/architecture.png) and [available ports](https://github.com/telekom-security/tpotce#required-ports) and poke a hole in the Network Security Group to expose the T-Pot to your on-premise network CIDR, or other Azure virtual network CIDRs, finally you can also expose a port to the public Internet for Threat Intelligence gathering.
## Network Security Group
Please study the rules carefully. You may need to make some additional rules or modifications based on your needs and considerations. As an example if this is for internal private ip range detections you may want to remove rules and place a higher priority DENY rule preventing all the T-Pot ports and services being exposed internally, and then place a few ALLOW rules to your on-premise private ip address CIDR, other Hub Private IPs, and some Spoke Private IPs.
![enter image description here](https://raw.githubusercontent.com/telekom-security/tpotce/master/cloud/azure/images/nsg.png)

308
cloud/azure/azuredeploy.json Normal file
View file

@ -0,0 +1,308 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"VMName": {
"type": "string",
"metadata": {
"description": "VM Name and convention your company uses, be sure to entice naming EX. vm-fileshares-prod-eastus-003"
},
"defaultValue": "vm-fileshares-prod-eastus-003"
},
"virtualNetworkId": {
"type": "string",
"metadata": {
"description": "Virtual Network Resource ID to Deploy Azure VM into"
},
"defaultValue": "/subscriptions/{SUBID}/resourceGroups/{RG NAME}/providers/Microsoft.Network/virtualNetworks/{VNET NAME}"
},
"subnetName": {
"type": "string",
"metadata": {
"description": "Virtual Network Subnet Name to Deploy Azure VM into"
}
},
"MyConnectionIP": {
"type": "string",
"minLength": 7,
"maxLength": 15,
"metadata": {
"description": "The Public IP I will be connecting from to administer and configure"
},
"defaultValue": "XXX.XXX.XXX.XXX"
},
"adminUsername": {
"type": "string",
"minLength": 1,
"defaultValue": "webuser",
"metadata": {
"description": "Admin user name for Linux VM"
}
},
"authenticationType": {
"type": "string",
"defaultValue": "password",
"allowedValues": [
"sshPublicKey",
"password"
],
"metadata": {
"description": "Type of authentication to use on the Virtual Machine. SSH key is recommended."
}
},
"adminPasswordOrKey": {
"type": "securestring",
"metadata": {
"description": "SSH Key or password for the Virtual Machine. SSH key is recommended."
}
},
"CloudInitB64Encoded": {
"type": "securestring",
"metadata": {
"description": "Cloud Init Configuration as a Base 64 encoded string, decode to examine a few variables to change and encode and submit"
},
"defaultValue": "I2Nsb3VkLWNvbmZpZwp0aW1lem9uZTogVVMvRWFzdGVybgoKcGFja2FnZXM6CiAgLSBnaXQKCnJ1bmNtZDoKICAtIGN1cmwgLXNTIC0tcmV0cnkgNSBodHRwczovL2dpdGh1Yi5jb20KICAtIGdpdCBjbG9uZSBodHRwczovL2dpdGh1Yi5jb20vdGVsZWtvbS1zZWN1cml0eS90cG90Y2UgL3Jvb3QvdHBvdAogIC0gL3Jvb3QvdHBvdC9pc28vaW5zdGFsbGVyL2luc3RhbGwuc2ggLS10eXBlPWF1dG8gLS1jb25mPS9yb290L3Rwb3QuY29uZgogIC0gcm0gL3Jvb3QvdHBvdC5jb25mCiAgLSAvc2Jpbi9zaHV0ZG93biAtciBub3cKCnBhc3N3b3JkOiB3M2IkZWNyZXRzMiEKY2hwYXNzd2Q6CiAgZXhwaXJlOiBmYWxzZQoKd3JpdGVfZmlsZXM6CiAgLSBjb250ZW50OiB8CiAgICAgICMgdHBvdCBjb25maWd1cmF0aW9uIGZpbGUKICAgICAgbXlDT05GX1RQT1RfRkxBVk9SPSdTVEFOREFSRCcKICAgICAgbXlDT05GX1dFQl9VU0VSPSd3ZWJ1c2VyJwogICAgICBteUNPTkZfV0VCX1BXPSd3M2IkZWNyZXRzMiEnCiAgICBvd25lcjogcm9vdDpyb290CiAgICBwYXRoOiAvcm9vdC90cG90LmNvbmYKICAgIHBlcm1pc3Npb25zOiAnMDYwMCc="
}
},
"variables": {
"vnetId": "[parameters('virtualNetworkId')]",
"subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]",
"keyData": "[parameters('adminPasswordOrKey')]"
}
]
}
}
},
"resources": [
{
"name": "[concat(uniqueString(resourceGroup().id, deployment().name),'-nic')]",
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-08-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups/', concat(uniqueString(resourceGroup().id, deployment().name),'-nsg'))]",
"[resourceId('Microsoft.Network/publicIpAddresses', concat(uniqueString(resourceGroup().id, deployment().name),'-pip'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"subnet": {
"id": "[variables('subnetRef')]"
},
"privateIPAllocationMethod": "Dynamic",
"publicIpAddress": {
"id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', concat(uniqueString(resourceGroup().id, deployment().name),'-pip'))]",
"properties": {
"deleteOption": "Detach"
}
}
}
}
],
"enableAcceleratedNetworking": true,
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups/', concat(uniqueString(resourceGroup().id, deployment().name),'-nsg'))]"
}
}
},
{
"name": "[concat(uniqueString(resourceGroup().id, deployment().name),'-nsg')]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2019-02-01",
"location": "[resourceGroup().location]",
"properties": {
"securityRules": [
{
"name": "AllowAzureCloud22Inbound",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "AzureCloud",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1011,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowCustom64294Inbound",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "64294",
"sourceAddressPrefix": "[parameters('MyConnectionIP')]",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1021,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowSSHCustom64295Inbound",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "64295",
"sourceAddressPrefix": "[parameters('MyConnectionIP')]",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1031,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowAzureCloud64295Inbound",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "64295",
"sourceAddressPrefix": "AzureCloud",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1041,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowCustom64297Inbound",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "64297",
"sourceAddressPrefix": "[parameters('MyConnectionIP')]",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1051,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowAllHomeOfficeCustomAnyInbound",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "[parameters('MyConnectionIP')]",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1061,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
},
{
"name": "[concat(uniqueString(resourceGroup().id, deployment().name),'-pip')]",
"type": "Microsoft.Network/publicIpAddresses",
"apiVersion": "2020-08-01",
"location": "[resourceGroup().location]",
"properties": {
"publicIpAllocationMethod": "Static"
},
"sku": {
"name": "Standard"
},
"zones": [
"1"
]
},
{
"name": "[parameters('VMName')]",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-03-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', concat(uniqueString(resourceGroup().id, deployment().name),'-nic'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "Standard_D4s_v3"
},
"storageProfile": {
"osDisk": {
"createOption": "fromImage",
"managedDisk": {
"storageAccountType": "StandardSSD_LRS"
},
"deleteOption": "Delete"
},
"imageReference": {
"publisher": "debian",
"offer": "debian-11",
"sku": "11-gen2",
"version": "latest"
},
"dataDisks": [
{
"name": "[concat(parameters('VMName'),'-datadisk')]",
"diskSizeGB": 256,
"lun": 0,
"createOption": "Empty",
"caching": "ReadWrite"
}
]
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', concat(uniqueString(resourceGroup().id, deployment().name),'-nic'))]",
"properties": {
"deleteOption": "Delete"
}
}
]
},
"osProfile": {
"computerName": "[parameters('VMName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPasswordOrKey')]",
"linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]",
"customData": "[parameters('CloudInitB64Encoded')]"
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true
}
}
},
"zones": [
"1"
]
}
],
"outputs": {}
}

BIN
cloud/azure/images/nsg.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 49 KiB