From 31f09413e05e73efad182e270688cb63b07032bb Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Fri, 23 Feb 2024 16:41:52 +0100
Subject: [PATCH] continue working on env, tpotinit and deploy

---
 docker-compose.yml | 2 +-
 docker/tpotinit/dist/entrypoint.sh | 95 +++++++++++++++---------------
 installer/install/deploy.sh | 73 +++++++++++++++--------
 3 files changed, 99 insertions(+), 71 deletions(-)
 mode change 100644 => 100755 installer/install/deploy.sh
diff --git a/docker-compose.yml b/docker-compose.yml
index 103a1018..7f6bc157 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -628,7 +628,7 @@ services:
 ##################
-#### Tools
+#### Tools
 ##################
 #### ELK
diff --git a/docker/tpotinit/dist/entrypoint.sh b/docker/tpotinit/dist/entrypoint.sh
index 559fd67b..28e2420f 100755
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
@@ -11,7 +11,7 @@ check_var() {
 # Check if variable is set and not empty
 if [[ -z "$var_value" ]]; then
- echo "# Error: $var_name is not set or empty. Please check T-Pot config file (.env)."
+ echo "# Error: $var_name is not set or empty. Please check T-Pot .env config."
 echo
 echo "# Aborting"
 exit 1
@@ -26,27 +26,28 @@ check_safety() {
 # General safety check for most variables
 if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]]; then
- echo "# Error: Unsafe characters detected in $var_name. Please check T-Pot config file (.env)."
+ echo "# Error: Unsafe characters detected in $var_name. Please check T-Pot .env config."
 echo
 echo "# Aborting"
 exit 1
 fi
 }
-# Function to check the safety of the WEB_USER variable
-check_web_user_safety() {
- local web_user="$1"
- local IFS=$'\n' # Set the Internal Field Separator (IFS) to newline for the loop
-
- # Iterate over each line in web_user
- for user in $web_user; do
- # Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash)
- if [[ ! $user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; then
- echo "# Error: Unsafe characters / wrong format detected in (LS_)WEB_USER for user $user. Please check T-Pot config file (.env)."
- echo
- echo "# Aborting"
- exit 1
- fi
+validate_base64() {
+ local myCHECK=$1
+ # base64 pattern match
+ for i in ${myCHECK};
+ do
+ if [[ $i =~ ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$ ]];
+ then
+ echo -n "Found valid user: "
+ echo $i | base64 -d -w0 | cut -f1 -d":"
+ else
+ echo "$i is not a valid base64 string. Please check T-Pot .env config."
+ echo
+ echo "# Aborting"
+ exit 1
+ fi
 done
 }
@@ -59,15 +60,12 @@ validate_format() {
 TPOT_BLACKHOLE|TPOT_PERSISTENCE|TPOT_ATTACKMAP_TEXT)
 if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]]; then
- echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false. Please check T-Pot config file (.env)."
+ echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false. Please check T-Pot .env config."
 echo
 echo "# Aborting"
 exit 1
 fi
 ;;
-*)
-# Add additional specific format checks here if necessary
-;;
 esac
 }
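Review bot: validate_base64 only checks the base64 alphabet and padding, so the format check on the decoded value that the removed check_web_user_safety enforced (`user:$apr1$…`) is gone; anything that base64-encodes cleanly, including text with embedded newlines or no `user:hash` shape, now passes and is later written to nginxpasswd by create_web_users. The success branch also decodes without checking the result: `echo $i | base64 -d -w0 | cut -f1 -d":"` discards base64's exit status and word-splits `$i`. Decoding once into a variable, failing closed on a non-zero status, and re-applying the htpasswd line pattern to the decoded text restores the dropped check; the regex below keeps the removed pattern's shape but accepts any `$`-prefixed hash so non-MD5 htpasswd formats are not rejected. The `done` and `}` that close the loop and the function are shared context at the end of the hunk.
```shell
validate_base64() {
  local myCHECK=$1
  local myHTPASSWD_RE='^[a-zA-Z0-9]+:\$[A-Za-z0-9./$]+$'
  local i myDECODED
  # base64 pattern match
  for i in ${myCHECK};
  do
    if [[ ! $i =~ ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$ ]];
    then
      echo "$i is not a valid base64 string. Please check T-Pot .env config."
      # … unchanged: echo / "# Aborting" / exit 1 …
    fi
    # Fail closed if base64 rejects the input instead of printing whatever it produced
    if ! myDECODED=$(printf '%s' "$i" | base64 -d -w0);
    then
      echo "# Error: $i could not be base64 decoded. Please check T-Pot .env config."
      echo
      echo "# Aborting"
      exit 1
    fi
    # Re-apply the htpasswd line format check on the decoded value
    if [[ ! $myDECODED =~ $myHTPASSWD_RE ]];
    then
      echo "# Error: wrong format detected in (LS_)WEB_USER for user ${myDECODED%%:*}. Please check T-Pot .env config."
      echo
      echo "# Aborting"
      exit 1
    fi
    echo "Found valid user: ${myDECODED%%:*}"
  done
}
```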
@@ -81,26 +79,12 @@ validate_ip_or_domain() {
 local domainRegex='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
 # Check if TPOT_HIVE_IP matches IPv4 or domain name
- if [[ $myCHECK =~ $ipv4Regex ]]; then
- echo "$myCHECK is a valid IPv4 address."
- elif [[ $myCHECK =~ $domainRegex ]]; then
- echo "$myCHECK is a valid domain name."
+ if [[ ${myCHECK} =~ $ipv4Regex ]]; then
+ echo "${myCHECK} is a valid IPv4 address."
+ elif [[ ${myCHECK} =~ $domainRegex ]]; then
+ echo "${myCHECK} is a valid domain name."
 else
- echo "# Error: $myCHECK is not a valid IPv4 address or domain name. Please check T-Pot config file (.env)."
- echo
- echo "# Aborting"
- exit 1
- fi
-}
-
-validate_base64() {
- local myCHECK=$1
-
- # Base64 pattern match
- if [[ $myCHECK =~ ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$ ]]; then
- echo "$myCHECK is a valid Base64 string."
- else
- echo "$myCHECK is not a valid Base64 string. Please check T-Pot config file (.env)"
+ echo "# Error: $myCHECK is not a valid IPv4 address or domain name. Please check T-Pot .env config."
 echo
 echo "# Aborting"
 exit 1
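Review bot: The rewritten else branch still writes `$myCHECK` while the three lines above it were just switched to `${myCHECK}`; for consistency within the function the added line should read `echo "# Error: ${myCHECK} is not a valid IPv4 address or domain name. Please check T-Pot .env config."`. validate_ip_or_domain starts before the hunk and its closing `fi` and `}` follow it.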
@@ -109,10 +93,29 @@ validate_base64() {
 create_web_users() {
 echo
- echo "# Creating passwd files based on .env configuration ..."
- echo
- echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
- echo "${LS_WEB_USER}" > /data/nginx/conf/lswebpasswd
+ echo "# Creating passwd files based on T-Pot .env config ..."
+ # Clear / create the passwd files
+ : > /data/nginx/conf/nginxpasswd
+ : > /data/nginx/conf/lswebpasswd
+ for i in ${WEB_USER};
+ do
+ if [[ -n $i ]];
+ then
+ # Need to control newlines as they kept coming up for some reason
+ echo -n "$i" | base64 -d -w0 | tr -d '\n' >> /data/nginx/conf/nginxpasswd
+ echo >> /data/nginx/conf/nginxpasswd
+ fi
+ done
+
+ for i in ${LS_WEB_USER};
+ do
+ if [[ -n $i ]];
+ then
+ # Need to control newlines as they kept coming up for some reason
+ echo -n "$i" | base64 -d -w0 | tr -d '\n' >> /data/nginx/conf/lswebpasswd
+ echo >> /data/nginx/conf/lswebpasswd
+ fi
+ done
 }
 # Check for compatible OSType
@@ -123,7 +126,7 @@ myOSTYPE=$(uname -a | grep -Eo "linuxkit")
 if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
 then
 echo "# Docker Desktop for macOS or Windows detected."
- echo "# 1. You need to adjust the OSType the T-Pot config file (.env)."
+ echo "# 1. You need to adjust the OSType the T-Pot .env config."
 echo "# 2. You need to use the macos or win docker compose file."
 echo
 echo "# Aborting."
@@ -143,7 +146,7 @@ if [ "${TPOT_TYPE}" == "HIVE" ];
 then
 # No $ for check_var
 check_var "WEB_USER"
- check_web_user_safety "$WEB_USER"
+ validate_base64 "${WEB_USER}"
 TPOT_HIVE_USER=""
 TPOT_HIVE_IP=""
 if [ "${LS_WEB_USER}" == "" ];
@@ -151,7 +154,7 @@ if [ "${TPOT_TYPE}" == "HIVE" ];
 echo "# Warning: No LS_WEB_USER detected! T-Pots of type SENSOR will not be able to submit logs to this HIVE."
 echo
 else
- check_web_user_safety "$LS_WEB_USER"
+ validate_base64 "${LS_WEB_USER}"
 fi
 fi
 if [ "${TPOT_TYPE}" == "SENSOR" ];
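Review bot: In create_web_users the two new loops run `echo -n "$i" | base64 -d -w0 | tr -d '\n' >> …` without checking base64's status, so an entry that fails to decode still produces an empty or truncated line in nginxpasswd or lswebpasswd, and the following `echo >>` then leaves a blank record in a file nginx parses as credentials. The loop body is also duplicated verbatim for WEB_USER and LS_WEB_USER; a small helper that decodes into a variable, aborts on a non-zero status and appends exactly one line per entry removes both issues and makes the `# Need to control newlines as they kept coming up for some reason` comment explainable (`$(…)` drops the trailing newline, `printf '%s\n'` adds one back). The other three hunks on this line only switch the call sites to validate_base64 and reword messages.
```shell
# Decode each base64 htpasswd entry in $1 and write one line per entry to the file $2;
# abort on a decode failure so no empty or truncated record is left behind.
write_passwd_file() {
  local myUSERS=$1
  local myFILE=$2
  local i myLINE
  : > "${myFILE}"
  for i in ${myUSERS};
  do
    [[ -n $i ]] || continue
    if ! myLINE=$(printf '%s' "$i" | base64 -d -w0);
    then
      echo "# Error: could not base64 decode an entry for ${myFILE}. Please check T-Pot .env config."
      echo
      echo "# Aborting"
      exit 1
    fi
    # Strip any newline inside the decoded text, then terminate the record exactly once
    printf '%s\n' "${myLINE//$'\n'/}" >> "${myFILE}"
  done
}

create_web_users() {
  echo
  echo "# Creating passwd files based on T-Pot .env config ..."
  write_passwd_file "${WEB_USER}" /data/nginx/conf/nginxpasswd
  write_passwd_file "${LS_WEB_USER}" /data/nginx/conf/lswebpasswd
}
```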
diff --git a/installer/install/deploy.sh b/installer/install/deploy.sh
old mode 100644
new mode 100755
index 7fc743a4..942d178e
--- a/installer/install/deploy.sh
+++ b/installer/install/deploy.sh
@@ -1,9 +1,22 @@
 #!/usr/bin/env bash
 myANSIBLE_PORT=64295
-myANSIBLE_TPOT_PLAYBOOK="deploy.yml"
+myANSIBLE_TPOT_PLAYBOOK="installer/install/deploy.yml"
+myADJECTIVE=$(shuf -n1 installer/install/a.txt)
+myNOUN=$(shuf -n1 installer/install/n.txt)
 myENV_FILE="$HOME/tpotce/.env"
+myDEPLOY=$(cat << "EOF"
+
+ ____ [ T-Pot ] ____ _
+/ ___| ___ _ __ ___ ___ _ __ | _ \ ___ _ __ | | ___ _ _
+\___ \ / _ \ _ \/ __|/ _ \| __| | | | |/ _ \ _ \| |/ _ \| | | |
+ ___) | __/ | | \__ \ (_) | | | |_| | __/ |_) | | (_) | |_| |
+|____/ \___|_| |_|___/\___/|_| |____/ \___| .__/|_|\___/ \__, |
+ |_| |___/
+
+EOF
+)
 # Check if the script is running in a HIVE installation
 if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env";
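Review bot: `myANSIBLE_TPOT_PLAYBOOK="installer/install/deploy.yml"`, `myADJECTIVE=$(shuf -n1 installer/install/a.txt)` and `myNOUN=$(shuf -n1 installer/install/n.txt)` are relative to the caller's working directory, so running the script from anywhere but the repository root leaves both word variables empty (the user name built in the next hunk becomes `sensor--`) and hands ansible-playbook a path it cannot find; the shuf failures are not checked either. Resolving the paths against the script's own location avoids both: `myDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || exit 1`, then `myADJECTIVE=$(shuf -n1 "${myDIR}/a.txt") || exit 1` (same for myNOUN) and `myANSIBLE_TPOT_PLAYBOOK="${myDIR}/deploy.yml"`. The banner heredoc is unaffected.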
@@ -12,25 +25,30 @@ if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env";
 exit 1
 fi
-# Ask if a T-Pot sensor was installed
-read -p "# Was a T-Pot sensor installed? (y/n): " mySENSOR_INSTALLED
+echo "${myDEPLOY}"
+echo
+echo "This script will prepare a T-Pot SENSOR installation to transmit logs into this HIVE."
+echo
+
+# Ask if a T-Pot SENSOR was installed
+read -p "# Was a T-Pot SENSOR installed? (y/n): " mySENSOR_INSTALLED
 if [[ ${mySENSOR_INSTALLED} != "y" ]];
 then
- echo "# A T-Pot sensor must be installed to continue."
+ echo "# A T-Pot SENSOR must be installed to continue."
 exit 1
 fi
 # Check if ssh key has been deployed
-read -p "# Has the SSH key been deployed to the sensor? (y/n): " mySSHKEY_DEPLOYED
+read -p "# Has the SSH key been deployed to the SENSOR? (y/n): " mySSHKEY_DEPLOYED
 if [[ ${mySSHKEY_DEPLOYED} != "y" ]];
 then
- echo "# Generate a SSH key using 'ssh-keygen' and deploy it to the sensor with 'ssh-copy-id user@sensor-ip'."
+ echo "# Generate a SSH key using 'ssh-keygen' and deploy it to the SENSOR with 'ssh-copy-id user@sensor-ip'."
 exit 1
 fi
 # Validate IP/domain name loop
 while true; do
- read -p "# Enter the IP/domain name of the sensor: " mySENSOR_IP
+ read -p "# Enter the IP/domain name of the SENSOR: " mySENSOR_IP
 if [[ ${mySENSOR_IP} =~ ^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3})$ ]];
 then
 break
@@ -50,10 +68,8 @@ while true; do
 fi
 done
-# Create a random sensor user name that is easily readable
-adjective=$(shuf -n1 a.txt)
-noun=$(shuf -n1 n.txt)
-myLS_WEB_USER="sensor-${adjective}-${noun}"
+# Create a random SENSOR user name that is easily readable
+myLS_WEB_USER="sensor-${myADJECTIVE}-${myNOUN}"
 # Create a random password
 myLS_WEB_PW=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
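Review bot: The IP/domain check in the validation loop, `^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3})$`, binds `^` to the first alternative and `$` to the second only, so any input that merely begins like a domain name is accepted, and mySENSOR_IP is later placed unquoted on the ansible-playbook command line as `-i ${mySENSOR_IP},`. Wrapping the alternation restores the intended whole-string match: `if [[ ${mySENSOR_IP} =~ ^(([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$ ]];`. The three `read -p` prompts should also take `-r`, otherwise a backslash in the answer is interpreted. The validation loop continues past the end of the first hunk.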
@@ -62,35 +78,44 @@ myLS_WEB_PW=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
 myLS_WEB_USER_ENC=$(htpasswd -b -n "${myLS_WEB_USER}" "${myLS_WEB_PW}")
 myLS_WEB_USER_ENC_B64=$(echo -n "${myLS_WEB_USER_ENC}" | base64 -w0)
-# Create myTPOT_HIVE_USER, since this is for Logstash on the sensor, it needs to directly base64 encoded
+# Create myTPOT_HIVE_USER, since this is for Logstash on the SENSOR, it needs to directly base64 encoded
 myTPOT_HIVE_USER=$(echo -n "${myLS_WEB_USER}:${myLS_WEB_PW}" | base64 -w0)
 # Print credentials
-echo "# The following sensor credentials have been created:"
-echo "# New sensor username: ${myLS_WEB_USER}"
-echo "# New sensor passowrd: ${myLS_WEB_PW}"
+echo "# The following SENSOR credentials have been created:"
+echo "# New SENSOR username: ${myLS_WEB_USER}"
+echo "# New SENSOR passowrd: ${myLS_WEB_PW}"
 echo "# New htpasswd encoded credentials: ${myLS_WEB_USER_ENC}"
 echo "# New htpasswd credentials base64 encoded: ${myLS_WEB_USER_ENC_B64}"
-echo "# New sensor credentials base64 encoded: ${myTPOT_HIVE_USER}"
+echo "# New SENSOR credentials base64 encoded: ${myTPOT_HIVE_USER}"
 # Read LS_WEB_USER from file
 myENV_LS_WEB_USER=$(grep "^LS_WEB_USER=" "${myENV_FILE}" | sed 's/^LS_WEB_USER=//g' | tr -d "\"'")
-# Add the new sensor and show a complete list of all the sensors
+# Add the new SENSOR and show a complete list of all the SENSORs
 myENV_LS_WEB_USER="${myENV_LS_WEB_USER} ${myLS_WEB_USER_ENC_B64}"
-# Update the .env on the host
+# Update the T-Pot .env config and lswebpasswd (avoid the need to restart T-Pot) on the host
+echo "# Updating SENSOR users on this HIVE and in the T-Pot .env config:"
 sed -i "/^LS_WEB_USER=/c\LS_WEB_USER=${myENV_LS_WEB_USER}" "${myENV_FILE}"
-
-echo "# Here is the complete and updated sensor list on HIVE:"
+: > "${HOME}"/tpotce/data/nginx/conf/lswebpasswd
 for i in $myENV_LS_WEB_USER; do
- echo -n $i | base64 --decode -w0
- echo -n " :" $i
- echo
+ if [[ -n $i ]];
+ then
+ # Need to control newlines as
they kept coming up for some reason
+ echo -n "$i" | base64 -d -w0
+ echo
+ echo -n "$i" | base64 -d -w0 | tr -d '\n' >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd
+ echo >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd
+ fi
 done
+# Need to export for Ansible
 export myTPOT_HIVE_USER
 export myTPOT_HIVE_IP
-ANSIBLE_LOG_PATH=$HOME/data/deploy_sensor.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -vvv -i ${mySENSOR_IP}, --check -c ssh -e "ansible_port=${myANSIBLE_PORT}"
+ANSIBLE_LOG_PATH=${HOME}/tpotce/data/deploy_sensor.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -i ${mySENSOR_IP}, --check -c ssh -e "ansible_port=${myANSIBLE_PORT}"
+
+unset myTPOT_HIVE_USER
+unset myTPOT_HIVE_IP
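Review bot: The new decode loop appends `echo -n "$i" | base64 -d -w0 | tr -d '\n' >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd` without checking base64's status, so an entry from the existing LS_WEB_USER line that no longer decodes still leaves an empty line in lswebpasswd after the .env has already been rewritten by sed; the two `>>` targets are also unquoted while the `: >` line above quotes `${HOME}`. Decoding into a variable and failing closed, as below, addresses both. `echo "# New SENSOR passowrd: ${myLS_WEB_PW}"` carries the typo over from the old line and should read `password`. The ansible-playbook invocation still passes `--check`, which makes the run a dry run that changes nothing on the SENSOR; if that is intended while the playbook is being developed, a comment saying so would spare the next reader a debugging session.
```shell
: > "${HOME}"/tpotce/data/nginx/conf/lswebpasswd
for i in $myENV_LS_WEB_USER; do
  [[ -n $i ]] || continue
  # Fail closed: a stale or corrupt entry must not leave an empty line in lswebpasswd
  if ! myLINE=$(printf '%s' "$i" | base64 -d -w0);
  then
    echo "# Error: LS_WEB_USER entry $i could not be base64 decoded. Please check T-Pot .env config."
    exit 1
  fi
  myLINE=${myLINE//$'\n'/}
  printf '%s\n' "${myLINE}"
  printf '%s\n' "${myLINE}" >> "${HOME}/tpotce/data/nginx/conf/lswebpasswd"
done
# … unchanged: export / ansible-playbook / unset …
```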