diff --git a/installer/bin/updateip.sh b/installer/bin/updateip.sh
new file mode 100755
index 00000000..7b64eb94
--- /dev/null
+++ b/installer/bin/updateip.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
+source /etc/environment
+myLOCALIP=$(hostname -I | awk '{ print $1 }')
+myEXTIP=$(/usr/share/tpot/bin/myip.sh)
+sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
+sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
+sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
+tee /data/ews/conf/ews.ip << EOF
+[MAIN]
+ip = $myEXTIP
+EOF
+tee /etc/tpot/elk/environment << EOF
+MY_EXTIP=$myEXTIP
+MY_HOSTNAME=$HOSTNAME
+EOF
+echo $myLOCALIP > /data/elk/logstash/mylocal.ip
+chown tpot:tpot /data/ews/conf/ews.ip
diff --git a/installer/etc/rc.local b/installer/etc/rc.local
index 7fddb557..06bd9865 100755
--- a/installer/etc/rc.local
+++ b/installer/etc/rc.local
@@ -1,17 +1,2 @@
 #!/bin/bash
-# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
-source /etc/environment
-myLOCALIP=$(hostname -I | awk '{ print $1 }')
-myEXTIP=$(/usr/share/tpot/bin/myip.sh)
-sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
-sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
-sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
-tee /data/ews/conf/ews.ip << EOF
-[MAIN]
-ip = $myEXTIP
-EOF
-tee /etc/tpot/elk/environment << EOF
-MY_EXTIP=$myEXTIP
-MY_HOSTNAME=$HOSTNAME
-EOF
-chown tpot:tpot /data/ews/conf/ews.ip
+exit 0
diff --git a/installer/etc/tpot/compose/all.yml b/installer/etc/tpot/compose/all.yml
index 5db16a78..95ac5b45 100644
--- a/installer/etc/tpot/compose/all.yml
+++ b/installer/etc/tpot/compose/all.yml
@@ -1,6 +1,6 @@
 # T-Pot (Everything)
 # For docker-compose ...
-version: '2'
+version: '2.1'
 
 networks:
   conpot_local:
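Review bot: `myEXTIP` is used unchecked in updateip.sh: if `/usr/share/tpot/bin/myip.sh` fails or prints nothing, the script still writes `ip = ` into `/data/ews/conf/ews.ip` and an empty `MY_EXTIP` into `/etc/tpot/elk/environment`, and the unit runs it as `ExecStartPre=-` so the failure is swallowed as well. Add a guard right after the two assignments, `[[ -n "$myLOCALIP" && -n "$myEXTIP" ]] || { echo "updateip: could not determine IPs" >&2; exit 1; }`, and quote the last write, `echo "$myLOCALIP" > /data/elk/logstash/mylocal.ip`. The external value also goes straight into a `sed` replacement delimited by `#`, so a response containing `#`, `&` or `\` would alter the substitution (presumably myip.sh asks an external service — worth confirming); matching it against an IPv4/IPv6 pattern before use closes that. `tee` additionally echoes both files to stdout, so `tee ... >/dev/null` keeps the journal clean.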
@@ -35,9 +35,11 @@ services:
     restart: always
     networks:
      - cowrie_local
+    cap_add:
+     - NET_BIND_SERVICE
     ports:
-     - "22:2222"
-     - "23:2223"
+     - "22:22"
+     - "23:23"
     image: "dtagdevsec/cowrie:1706"
     volumes:
      - /data/cowrie:/data/cowrie
@@ -101,7 +103,7 @@ services:
       nofile:
         soft: 65536
         hard: 65536
-#    mem_limit: 3g
+#    mem_limit: 2g
     ports:
      - "127.0.0.1:64298:9200"
     image: "dtagdevsec/elasticsearch:1706"
@@ -113,7 +115,8 @@ services:
     container_name: kibana
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     ports:
      - "127.0.0.1:64296:5601"
     image: "dtagdevsec/kibana:1706"
@@ -123,7 +126,8 @@ services:
     container_name: logstash
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     env_file:
      - /etc/tpot/elk/environment
     image: "dtagdevsec/logstash:1706"
@@ -136,7 +140,8 @@ services:
     container_name: head
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     ports:
      - "127.0.0.1:64302:9100"
     image: "dtagdevsec/head:1706"
@@ -195,8 +200,13 @@ services:
 # Netdata service
   netdata:
     container_name: netdata
+    hostname: ${HOSTNAME}
     restart: always
-    network_mode: "host"
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    ports:
+     - "127.0.0.1:64301:19999"
     cap_add:
      - SYS_PTRACE
     security_opt:
diff --git a/installer/etc/tpot/compose/hp.yml b/installer/etc/tpot/compose/hp.yml
index 2be2dc5e..a81d933a 100644
--- a/installer/etc/tpot/compose/hp.yml
+++ b/installer/etc/tpot/compose/hp.yml
@@ -1,6 +1,6 @@
 # T-Pot (Honeypots)
 # For docker-compose ...
-version: '2'
+version: '2.1'
 
 networks:
   cowrie_local:
@@ -17,9 +17,11 @@ services:
     restart: always
     networks:
      - cowrie_local
+    cap_add:
+     - NET_BIND_SERVICE
     ports:
-     - "22:2222"
-     - "23:2223"
+     - "22:22"
+     - "23:23"
     image: "dtagdevsec/cowrie:1706"
     volumes:
      - /data/cowrie:/data/cowrie
@@ -34,7 +36,7 @@ services:
     cap_add:
      - NET_BIND_SERVICE
     ports:
-     - "21:21"
+     - "21:21"
      - "42:42"
      - "69:69/udp"
      - "8081:80"
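Review bot: The new `cap_add: NET_BIND_SERVICE` on the cowrie service is granted on top of Docker's default capability set, and cowrie is the container attackers talk to directly on 22/23; drop everything first and re-add only what binding needs, i.e. `cap_drop:` / ` - ALL` immediately above the new `cap_add:`. If the cowrie image starts as root and later drops privileges it will also need `SETUID`/`SETGID`, which a single start-up test shows. The mapping change from `22:2222` to `22:22` also assumes the `dtagdevsec/cowrie:1706` image now listens on 22/23 inside the container, which is not visible in this diff — a mismatch would publish a port nothing answers on. The identical cowrie hunks in hp.yml and tpot.yml need the same treatment.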
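Review bot: `hostname: ${HOSTNAME}` on the netdata service depends on docker-compose receiving HOSTNAME from its environment; the unit sets `Environment=HOSTNAME=%H`, but bash keeps `HOSTNAME` as an unexported shell variable, so anyone running `docker-compose -f /etc/tpot/tpot.yml up` by hand gets an empty substitution. A default such as `hostname: ${HOSTNAME:-tpot}` covers that path, provided the installed compose version accepts the syntax. `condition: service_healthy` here and in the kibana/logstash/head hunks only works if the elasticsearch service or its image defines a healthcheck; none is visible in this diff, and as far as I recall compose refuses to start the dependents rather than waiting when it is missing. Taking netdata off `network_mode: "host"` and binding it to `127.0.0.1:64301` is a clear gain, since 19999 is no longer reachable on the external interface; the industrial.yml and tpot.yml netdata hunks carry the same points.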
@@ -45,11 +47,11 @@ services:
      - "1723:1723"
      - "1883:1883"
      - "1900:1900"
-     - "3306:3306"
+     - "3306:3306"
      - "5060:5060"
      - "5061:5061"
      - "5060:5060/udp"
-     - "11211:11211"
+     - "11211:11211"
     image: "dtagdevsec/dionaea:1706"
     volumes:
      - /data/dionaea:/data/dionaea
diff --git a/installer/etc/tpot/compose/industrial.yml b/installer/etc/tpot/compose/industrial.yml
index 11e88dc4..ce9a54bd 100644
--- a/installer/etc/tpot/compose/industrial.yml
+++ b/installer/etc/tpot/compose/industrial.yml
@@ -1,6 +1,6 @@
 # T-Pot (Industrial)
 # For docker-compose ...
-version: '2'
+version: '2.1'
 
 networks:
   conpot_local:
@@ -32,7 +32,7 @@ services:
     restart: always
     environment:
      - bootstrap.memory_lock=true
-#     - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+#     - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
     cap_add:
      - IPC_LOCK
     ulimits:
@@ -54,7 +54,8 @@ services:
     container_name: kibana
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     ports:
      - "127.0.0.1:64296:5601"
     image: "dtagdevsec/kibana:1706"
@@ -64,7 +65,8 @@ services:
     container_name: logstash
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     env_file:
      - /etc/tpot/elk/environment
     image: "dtagdevsec/logstash:1706"
@@ -77,7 +79,8 @@ services:
     container_name: head
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     ports:
      - "127.0.0.1:64302:9100"
     image: "dtagdevsec/head:1706"
@@ -111,8 +114,13 @@ services:
 # Netdata service
   netdata:
     container_name: netdata
+    hostname: ${HOSTNAME}
     restart: always
-    network_mode: "host"
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    ports:
+     - "127.0.0.1:64301:19999"
     cap_add:
      - SYS_PTRACE
     security_opt:
diff --git a/installer/etc/tpot/compose/tpot.yml b/installer/etc/tpot/compose/tpot.yml
index 4a601816..5f722bc3 100644
--- a/installer/etc/tpot/compose/tpot.yml
+++ b/installer/etc/tpot/compose/tpot.yml
@@ -1,6 +1,6 @@
 # T-Pot (Standard)
 # For docker-compose ...
-version: '2'
+version: '2.1'
 
 networks:
   cowrie_local:
@@ -19,9 +19,11 @@ services:
     restart: always
     networks:
      - cowrie_local
+    cap_add:
+     - NET_BIND_SERVICE
     ports:
-     - "22:2222"
-     - "23:2223"
+     - "22:22"
+     - "23:23"
     image: "dtagdevsec/cowrie:1706"
     volumes:
      - /data/cowrie:/data/cowrie
@@ -75,7 +77,7 @@ services:
     restart: always
     environment:
      - bootstrap.memory_lock=true
-#     - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+     - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
     cap_add:
      - IPC_LOCK
     ulimits:
@@ -97,7 +99,8 @@ services:
     container_name: kibana
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     ports:
      - "127.0.0.1:64296:5601"
     image: "dtagdevsec/kibana:1706"
@@ -107,7 +110,8 @@ services:
     container_name: logstash
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     env_file:
      - /etc/tpot/elk/environment
     image: "dtagdevsec/logstash:1706"
@@ -120,7 +124,8 @@ services:
     container_name: head
     restart: always
     depends_on:
-     - elasticsearch
+      elasticsearch:
+        condition: service_healthy
     ports:
      - "127.0.0.1:64302:9100"
     image: "dtagdevsec/head:1706"
@@ -164,8 +169,13 @@ services:
 # Netdata service
   netdata:
     container_name: netdata
+    hostname: ${HOSTNAME}
     restart: always
-    network_mode: "host"
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    ports:
+     - "127.0.0.1:64301:19999"
     cap_add:
      - SYS_PTRACE
     security_opt:
diff --git a/installer/etc/tpot/systemd/tpot.service b/installer/etc/tpot/systemd/tpot.service
index 141d0e81..bf157b3d 100755
--- a/installer/etc/tpot/systemd/tpot.service
+++ b/installer/etc/tpot/systemd/tpot.service
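Review bot: Uncommenting `- "ES_JAVA_OPTS=-Xms512m -Xmx512m"` in tpot.yml fixes the Elasticsearch heap for the Standard profile without saying why, while industrial.yml leaves its 1g variant commented and all.yml only carries a commented `mem_limit`; a reader cannot tell whether the three profiles are meant to differ. With `bootstrap.memory_lock=true` two lines above, the `ulimits:` memlock entries (cut off at the end of this hunk) have to allow locking that heap or the node may fail its bootstrap checks. A one-line comment above the setting, e.g. `# fixed 512m heap for the Standard profile; raise together with the memlock ulimit below`, would document the intent.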
@@ -5,16 +5,21 @@ After=docker.service
 
 [Service]
 Restart=always
+RestartSec=5
+Environment=HOSTNAME=%H
+
+# Get and set internal, external IP infos, but ignore errors
+ExecStartPre=-/usr/share/tpot/bin/updateip.sh
 
 # Clear state from /data
-ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh off'
+ExecStartPre=-/bin/bash -c '/usr/share/tpot/bin/clean.sh off'
 
 # Remove old containers, images and volumes
-ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v
-ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml rm -v
+ExecStartPre=-/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v
+ExecStartPre=-/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml rm -v
 ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)'
-ExecStartPre=-/bin/bash -c 'docker rmi $(docker images | grep "" | awk \'{print $3}\')'
 ExecStartPre=-/bin/bash -c 'docker rm -v $(docker ps -aq)'
+ExecStartPre=-/bin/bash -c 'docker rmi $(docker images | grep "" | awk \'{print $3}\')'
 
 # Get IF, disable offloading, enable promiscious mode for p0f and suricata
 ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip address | grep "^2: " | awk \'{ print $2 }\' | tr -d [:punct:]) rx off tx off'
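Review bot: The re-added `docker rmi $(docker images ...)` line deletes every image on each unit start, so `ExecStart` must re-pull all `dtagdevsec/*:1706` images over the network on every (re)start; with `Restart=always` and the new `RestartSec=5`, a registry outage keeps the sensor down, and because those tags are mutable the host runs whatever the registry serves at that moment with no integrity check. Either drop the blanket `rmi` — clearing `/data` does not require it — or pin the images by digest in the compose files (`image: "dtagdevsec/cowrie@sha256:..."`) so a re-pull can only yield reviewed content. Every `ExecStartPre` in this hunk now carries the ignore-failure `-` prefix, including `updateip.sh` and `clean.sh`, so a start with stale state or no IP information proceeds silently; keep `-` only on the best-effort cleanup commands and let the ones whose failure should abort the start fail loudly. The unit file continues past this hunk.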
@@ -24,17 +29,17 @@ ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip address | grep "^2: " |
 # Modify access rights on docker.sock for netdata
 ExecStartPre=-/bin/chmod 666 /var/run/docker.sock
 
-# Prepare iptables rules for honeytrap
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295:64303 -j NFQUEUE
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
-
 # Compose T-Pot up
-ExecStart=/usr/bin/docker-compose -f /etc/tpot/tpot.yml up
+ExecStart=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml up
 
-# Compose T-Pot down and remove containers
-ExecStop=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v
+# Prepare iptables rules for honeytrap
+ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
+ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
+ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295:64303 -j NFQUEUE
+ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
+
+# Compose T-Pot down, remove containers and volumes
+ExecStop=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v
 
 # Remove iptables rules for honeytrap
 ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
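Review bot: The surviving context line `ExecStartPre=-/bin/chmod 666 /var/run/docker.sock` makes the Docker control socket world-writable, which is root-equivalent on the host for any local account, including the `tsec` login advertised in /etc/issue; moving the NFQUEUE rules to `ExecStartPost` does nothing about that. If the netdata process inside the container runs as uid 0 the chmod is unnecessary anyway (root bypasses the file mode), and if it runs unprivileged the right fix is to keep the socket at `root:docker` 0660 and give the netdata service `group_add:` with the host docker gid instead of opening it to everyone. The `ExecStartPost` rules are appended with `-A` and no `-C` check, so a start that is interrupted between two of the four lines relies entirely on `ExecStopPost` deleting them; a comment stating that assumption next to the block would help the next reader. The remaining `ExecStopPost` lines continue past this hunk.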
diff --git a/installer/install.sh b/installer/install.sh index e9353154..02bde0fa 100755 --- a/installer/install.sh +++ b/installer/install.sh @@ -278,9 +278,21 @@ EOF fi # Let's provide a wireless example config ... -fuECHO "### Providing a wireless example config." +fuECHO "### Providing static ip, wireless example config." tee -a /etc/network/interfaces 2>&1>/dev/null < with the name of your physical interface name +# +#auto eth0 +#iface eth0 inet static +# address 192.168.1.1 +# netmask 255.255.255.0 +# network 192.168.1.0 +# broadcast 192.168.1.255 +# gateway 192.168.1.1 +# dns-nameservers 192.168.1.1 + ### Example wireless config without 802.1x ### This configuration was tested with the IntelNUC series ### If problems occur you can try and change wpa-driver to "iwlwifi" @@ -314,9 +326,9 @@ apt-get upgrade -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCON apt-get autoclean -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF -# Installing alerta-cli, wetty, ctop, elasticdump +# Installing docker-compose, wetty, ctop, elasticdump pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF -pip install alerta 2>&1 | dialog --title "[ Installing alerta ]" $myPROGRESSBOXCONF +pip install docker-compose==1.12.0 2>&1 | dialog --title "[ Installing docker-compose ]" $myPROGRESSBOXCONF ln -s /usr/bin/nodejs /usr/bin/node 2>&1 | dialog --title "[ Installing wetty ]" $myPROGRESSBOXCONF npm install https://github.com/t3chn0m4g3/wetty -g 2>&1 | dialog --title "[ Installing wetty ]" $myPROGRESSBOXCONF npm install https://github.com/t3chn0m4g3/elasticsearch-dump -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF 
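Review bot: `pip install docker-compose==1.12.0` pins a version but not the artifact, so the installer trusts whatever PyPI serves (after an equally unverified `pip install --upgrade pip`), and the result lands in `/usr/local/bin/docker-compose`, which the systemd unit now runs as root on every start. Ship a requirements file with the installer that lists `docker-compose==1.12.0` together with its `--hash=sha256:...` entries and install it with `pip install --require-hashes -r requirements.txt`, so a substituted wheel fails closed. The unchanged `npm install https://github.com/...` lines just below have the same weakness and should reference a commit or tag rather than a branch head.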
@@ -493,21 +505,7 @@ PATH="$PATH:/usr/share/tpot/bin" EOF # Let's create ews.ip before reboot and prevent race condition for first start -source /etc/environment 2>&1>/dev/null -myLOCALIP=$(hostname -I | awk '{ print $1 }') -myEXTIP=$(/usr/share/tpot/bin/myip.sh) -sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue 2>&1>/dev/null -sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue 2>&1>/dev/null -sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue 2>&1>/dev/null -tee /data/ews/conf/ews.ip 2>&1>/dev/null <&1>/dev/null <&1>/dev/null +/usr/share/tpot/bin/updateip.sh 2>&1>/dev/null # Final steps mv /root/tpot/etc/rc.local /etc/rc.local 2>&1>/dev/null && \ diff --git a/makeiso.sh b/makeiso.sh index 3f11e036..1101802a 100755 --- a/makeiso.sh +++ b/makeiso.sh @@ -1,18 +1,13 @@ #!/bin/bash -######################################################## -# T-Pot # -# .ISO creator # -# # -# v17.06 by mo, DTAG, 2017-03-13 # -######################################################## - # Set TERM, DIALOGRC export DIALOGRC=/etc/dialogrc export TERM=linux # Let's define some global vars myBACKTITLE="T-Pot - ISO Creator" +# If you need latest hardware support, try using the hardware enablement (hwe) ISO +# myUBUNTULINK="http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/installer-amd64/current/images/hwe-netboot/mini.iso" myUBUNTULINK="http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/installer-amd64/current/images/netboot/mini.iso" myUBUNTUISO="mini.iso" myTPOTISO="tpot.iso" diff --git a/preseed/tpot.seed b/preseed/tpot.seed index 5f6502bc..c42a48c6 100755 --- a/preseed/tpot.seed +++ b/preseed/tpot.seed 
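Review bot: `/usr/share/tpot/bin/updateip.sh 2>&1>/dev/null` silences stdout but not stderr — redirections apply left to right, so stderr is duplicated onto the original stdout first and only then is stdout sent to /dev/null. If the intent is to hide the `tee` echo while keeping errors visible, that is what it does and a comment should say so; if everything is meant to be silent it has to be `/usr/share/tpot/bin/updateip.sh >/dev/null 2>&1`. The same pattern appears on the surrounding context lines, so whichever reading is intended applies file-wide.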
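Review bot: The Ubuntu netboot ISO that becomes the base of the whole T-Pot image is fetched from a plain `http://` URL — both the active `myUBUNTULINK` and the newly added commented hwe variant — and nothing visible in this hunk verifies its checksum or signature, so an on-path attacker can substitute the installer. Switch both links to `https://archive.ubuntu.com/...` and, wherever makeiso.sh performs the download (outside this hunk), verify the file against the release's signed SHA256SUMS (signature checked with the Ubuntu archive key) and abort on mismatch before the ISO is repacked. The removed banner carried the only version/date record for this script; if that is still wanted, a one-line `# T-Pot ISO creator, v17.06` comment keeps it without the box art.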
@@ -100,7 +100,7 @@ tasksel tasksel/first multiselect ubuntu-server
 ########################
 ### Package Installation
 ########################
-d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io docker-compose dstat ethtool genisoimage git glances html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant
+d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io dstat ethtool genisoimage git glances html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant
 
 #################
 ### Update Policy