Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-01 12:32:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

improvements

Browse source 
use docker-compose from pypi with support for 2.1 compose file version
logstash, kibana, head & netdata are now depending on a healthy elasticsearch container before starting
remove alerta-cli
tweak installer
This commit is contained in:
Marco Ochse 2017-05-22 19:36:41 +00:00
parent 931ac2dd85
commit 345df08941
10 changed files with 114 additions and 83 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
installer/bin/updateip.sh Executable file
View file

@ -0,0 +1,18 @@
#!/bin/bash
# Let's add the first local ip to the /etc/issue and external ip to ews.ip file
source /etc/environment
myLOCALIP=$(hostname -I | awk '{ print $1 }')
myEXTIP=$(/usr/share/tpot/bin/myip.sh)
sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
tee /data/ews/conf/ews.ip << EOF
[MAIN]
ip = $myEXTIP
EOF
tee /etc/tpot/elk/environment << EOF
MY_EXTIP=$myEXTIP
MY_HOSTNAME=$HOSTNAME
EOF
echo $myLOCALIP > /data/elk/logstash/mylocal.ip
chown tpot:tpot /data/ews/conf/ews.ip

17
installer/etc/rc.local
View file

@ -1,17 +1,2 @@
#!/bin/bash #!/bin/bash
# Let's add the first local ip to the /etc/issue and external ip to ews.ip file exit 0
source /etc/environment
myLOCALIP=$(hostname -I | awk '{ print $1 }')
myEXTIP=$(/usr/share/tpot/bin/myip.sh)
sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
tee /data/ews/conf/ews.ip << EOF
[MAIN]
ip = $myEXTIP
EOF
tee /etc/tpot/elk/environment << EOF
MY_EXTIP=$myEXTIP
MY_HOSTNAME=$HOSTNAME
EOF
chown tpot:tpot /data/ews/conf/ews.ip

26
installer/etc/tpot/compose/all.yml
View file

@ -1,6 +1,6 @@
# T-Pot (Everything) # T-Pot (Everything)
# For docker-compose ... # For docker-compose ...
version: '2' version: '2.1'
networks: networks:
conpot_local: conpot_local:
@ -35,9 +35,11 @@ services:
restart: always restart: always
networks: networks:
- cowrie_local - cowrie_local
cap_add:
- NET_BIND_SERVICE
ports: ports:
- "22:2222" - "22:22"
- "23:2223" - "23:23"
image: "dtagdevsec/cowrie:1706" image: "dtagdevsec/cowrie:1706"
volumes: volumes:
- /data/cowrie:/data/cowrie - /data/cowrie:/data/cowrie
@ -101,7 +103,7 @@ services:
nofile: nofile:
soft: 65536 soft: 65536
hard: 65536 hard: 65536
# mem_limit: 3g # mem_limit: 2g
ports: ports:
- "127.0.0.1:64298:9200" - "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:1706" image: "dtagdevsec/elasticsearch:1706"
@ -113,7 +115,8 @@ services:
container_name: kibana container_name: kibana
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
ports: ports:
- "127.0.0.1:64296:5601" - "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:1706" image: "dtagdevsec/kibana:1706"
@ -123,7 +126,8 @@ services:
container_name: logstash container_name: logstash
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
env_file: env_file:
- /etc/tpot/elk/environment - /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706" image: "dtagdevsec/logstash:1706"
@ -136,7 +140,8 @@ services:
container_name: head container_name: head
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
ports: ports:
- "127.0.0.1:64302:9100" - "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706" image: "dtagdevsec/head:1706"
@ -195,8 +200,13 @@ services:
# Netdata service # Netdata service
netdata: netdata:
container_name: netdata container_name: netdata
hostname: ${HOSTNAME}
restart: always restart: always
network_mode: "host" depends_on:
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64301:19999"
cap_add: cap_add:
- SYS_PTRACE - SYS_PTRACE
security_opt: security_opt:

14
installer/etc/tpot/compose/hp.yml
View file

@ -1,6 +1,6 @@
# T-Pot (Honeypots) # T-Pot (Honeypots)
# For docker-compose ... # For docker-compose ...
version: '2' version: '2.1'
networks: networks:
cowrie_local: cowrie_local:
@ -17,9 +17,11 @@ services:
restart: always restart: always
networks: networks:
- cowrie_local - cowrie_local
cap_add:
- NET_BIND_SERVICE
ports: ports:
- "22:2222" - "22:22"
- "23:2223" - "23:23"
image: "dtagdevsec/cowrie:1706" image: "dtagdevsec/cowrie:1706"
volumes: volumes:
- /data/cowrie:/data/cowrie - /data/cowrie:/data/cowrie
@ -34,7 +36,7 @@ services:
cap_add: cap_add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
ports: ports:
- "21:21" - "21:21"
- "42:42" - "42:42"
- "69:69/udp" - "69:69/udp"
- "8081:80" - "8081:80"
@ -45,11 +47,11 @@ services:
- "1723:1723" - "1723:1723"
- "1883:1883" - "1883:1883"
- "1900:1900" - "1900:1900"
- "3306:3306" - "3306:3306"
- "5060:5060" - "5060:5060"
- "5061:5061" - "5061:5061"
- "5060:5060/udp" - "5060:5060/udp"
- "11211:11211" - "11211:11211"
image: "dtagdevsec/dionaea:1706" image: "dtagdevsec/dionaea:1706"
volumes: volumes:
- /data/dionaea:/data/dionaea - /data/dionaea:/data/dionaea

20
installer/etc/tpot/compose/industrial.yml
View file

@ -1,6 +1,6 @@
# T-Pot (Industrial) # T-Pot (Industrial)
# For docker-compose ... # For docker-compose ...
version: '2' version: '2.1'
networks: networks:
conpot_local: conpot_local:
@ -32,7 +32,7 @@ services:
restart: always restart: always
environment: environment:
- bootstrap.memory_lock=true - bootstrap.memory_lock=true
# - "ES_JAVA_OPTS=-Xms512m -Xmx512m" # - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
cap_add: cap_add:
- IPC_LOCK - IPC_LOCK
ulimits: ulimits:
@ -54,7 +54,8 @@ services:
container_name: kibana container_name: kibana
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
ports: ports:
- "127.0.0.1:64296:5601" - "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:1706" image: "dtagdevsec/kibana:1706"
@ -64,7 +65,8 @@ services:
container_name: logstash container_name: logstash
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
env_file: env_file:
- /etc/tpot/elk/environment - /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706" image: "dtagdevsec/logstash:1706"
@ -77,7 +79,8 @@ services:
container_name: head container_name: head
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
ports: ports:
- "127.0.0.1:64302:9100" - "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706" image: "dtagdevsec/head:1706"
@ -111,8 +114,13 @@ services:
# Netdata service # Netdata service
netdata: netdata:
container_name: netdata container_name: netdata
hostname: ${HOSTNAME}
restart: always restart: always
network_mode: "host" depends_on:
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64301:19999"
cap_add: cap_add:
- SYS_PTRACE - SYS_PTRACE
security_opt: security_opt:

26
installer/etc/tpot/compose/tpot.yml
View file

@ -1,6 +1,6 @@
# T-Pot (Standard) # T-Pot (Standard)
# For docker-compose ... # For docker-compose ...
version: '2' version: '2.1'
networks: networks:
cowrie_local: cowrie_local:
@ -19,9 +19,11 @@ services:
restart: always restart: always
networks: networks:
- cowrie_local - cowrie_local
cap_add:
- NET_BIND_SERVICE
ports: ports:
- "22:2222" - "22:22"
- "23:2223" - "23:23"
image: "dtagdevsec/cowrie:1706" image: "dtagdevsec/cowrie:1706"
volumes: volumes:
- /data/cowrie:/data/cowrie - /data/cowrie:/data/cowrie
@ -75,7 +77,7 @@ services:
restart: always restart: always
environment: environment:
- bootstrap.memory_lock=true - bootstrap.memory_lock=true
# - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
cap_add: cap_add:
- IPC_LOCK - IPC_LOCK
ulimits: ulimits:
@ -97,7 +99,8 @@ services:
container_name: kibana container_name: kibana
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
ports: ports:
- "127.0.0.1:64296:5601" - "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:1706" image: "dtagdevsec/kibana:1706"
@ -107,7 +110,8 @@ services:
container_name: logstash container_name: logstash
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
env_file: env_file:
- /etc/tpot/elk/environment - /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706" image: "dtagdevsec/logstash:1706"
@ -120,7 +124,8 @@ services:
container_name: head container_name: head
restart: always restart: always
depends_on: depends_on:
- elasticsearch elasticsearch:
condition: service_healthy
ports: ports:
- "127.0.0.1:64302:9100" - "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706" image: "dtagdevsec/head:1706"
@ -164,8 +169,13 @@ services:
# Netdata service # Netdata service
netdata: netdata:
container_name: netdata container_name: netdata
hostname: ${HOSTNAME}
restart: always restart: always
network_mode: "host" depends_on:
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64301:19999"
cap_add: cap_add:
- SYS_PTRACE - SYS_PTRACE
security_opt: security_opt:

31
installer/etc/tpot/systemd/tpot.service
View file

@ -5,16 +5,21 @@ After=docker.service
[Service] [Service]
Restart=always Restart=always
RestartSec=5
Environment=HOSTNAME=%H
# Get and set internal, external IP infos, but ignore errors
ExecStartPre=-/usr/share/tpot/bin/updateip.sh
# Clear state from /data # Clear state from /data
ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh off' ExecStartPre=-/bin/bash -c '/usr/share/tpot/bin/clean.sh off'
# Remove old containers, images and volumes # Remove old containers, images and volumes
ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v ExecStartPre=-/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v
ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml rm -v ExecStartPre=-/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml rm -v
ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)' ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)'
ExecStartPre=-/bin/bash -c 'docker rmi $(docker images | grep "<none>" | awk \'{print $3}\')'
ExecStartPre=-/bin/bash -c 'docker rm -v $(docker ps -aq)' ExecStartPre=-/bin/bash -c 'docker rm -v $(docker ps -aq)'
ExecStartPre=-/bin/bash -c 'docker rmi $(docker images | grep "<none>" | awk \'{print $3}\')'
# Get IF, disable offloading, enable promiscious mode for p0f and suricata # Get IF, disable offloading, enable promiscious mode for p0f and suricata
ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip address | grep "^2: " | awk \'{ print $2 }\' | tr -d [:punct:]) rx off tx off' ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip address | grep "^2: " | awk \'{ print $2 }\' | tr -d [:punct:]) rx off tx off'
@ -24,17 +29,17 @@ ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip address | grep "^2: " |
# Modify access rights on docker.sock for netdata # Modify access rights on docker.sock for netdata
ExecStartPre=-/bin/chmod 666 /var/run/docker.sock ExecStartPre=-/bin/chmod 666 /var/run/docker.sock
# Prepare iptables rules for honeytrap
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295:64303 -j NFQUEUE
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
# Compose T-Pot up # Compose T-Pot up
ExecStart=/usr/bin/docker-compose -f /etc/tpot/tpot.yml up ExecStart=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml up
# Compose T-Pot down and remove containers # Prepare iptables rules for honeytrap
ExecStop=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295:64303 -j NFQUEUE
ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
# Compose T-Pot down, remove containers and volumes
ExecStop=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v
# Remove iptables rules for honeytrap # Remove iptables rules for honeytrap
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE

34
installer/install.sh
View file

@ -278,9 +278,21 @@ EOF
fi fi
# Let's provide a wireless example config ... # Let's provide a wireless example config ...
fuECHO "### Providing a wireless example config." fuECHO "### Providing static ip, wireless example config."
tee -a /etc/network/interfaces 2>&1>/dev/null <<EOF tee -a /etc/network/interfaces 2>&1>/dev/null <<EOF
### Example static ip config
### Replace <eth0> with the name of your physical interface name
#
#auto eth0
#iface eth0 inet static
# address 192.168.1.1
# netmask 255.255.255.0
# network 192.168.1.0
# broadcast 192.168.1.255
# gateway 192.168.1.1
# dns-nameservers 192.168.1.1
### Example wireless config without 802.1x ### Example wireless config without 802.1x
### This configuration was tested with the IntelNUC series ### This configuration was tested with the IntelNUC series
### If problems occur you can try and change wpa-driver to "iwlwifi" ### If problems occur you can try and change wpa-driver to "iwlwifi"
@ -314,9 +326,9 @@ apt-get upgrade -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCON
apt-get autoclean -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF apt-get autoclean -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF
apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF
# Installing alerta-cli, wetty, ctop, elasticdump # Installing docker-compose, wetty, ctop, elasticdump
pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF
pip install alerta 2>&1 | dialog --title "[ Installing alerta ]" $myPROGRESSBOXCONF pip install docker-compose==1.12.0 2>&1 | dialog --title "[ Installing docker-compose ]" $myPROGRESSBOXCONF
ln -s /usr/bin/nodejs /usr/bin/node 2>&1 | dialog --title "[ Installing wetty ]" $myPROGRESSBOXCONF ln -s /usr/bin/nodejs /usr/bin/node 2>&1 | dialog --title "[ Installing wetty ]" $myPROGRESSBOXCONF
npm install https://github.com/t3chn0m4g3/wetty -g 2>&1 | dialog --title "[ Installing wetty ]" $myPROGRESSBOXCONF npm install https://github.com/t3chn0m4g3/wetty -g 2>&1 | dialog --title "[ Installing wetty ]" $myPROGRESSBOXCONF
npm install https://github.com/t3chn0m4g3/elasticsearch-dump -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF npm install https://github.com/t3chn0m4g3/elasticsearch-dump -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
@ -493,21 +505,7 @@ PATH="$PATH:/usr/share/tpot/bin"
EOF EOF
# Let's create ews.ip before reboot and prevent race condition for first start # Let's create ews.ip before reboot and prevent race condition for first start
source /etc/environment 2>&1>/dev/null /usr/share/tpot/bin/updateip.sh 2>&1>/dev/null
myLOCALIP=$(hostname -I | awk '{ print $1 }')
myEXTIP=$(/usr/share/tpot/bin/myip.sh)
sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue 2>&1>/dev/null
sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue 2>&1>/dev/null
sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue 2>&1>/dev/null
tee /data/ews/conf/ews.ip 2>&1>/dev/null <<EOF
[MAIN]
ip = $myEXTIP
EOF
tee /etc/tpot/elk/environment 2>&1>/dev/null <<EOF
MY_EXTIP=$myEXTIP
MY_HOSTNAME=$HOSTNAME
EOF
chown tpot:tpot /data/ews/conf/ews.ip 2>&1>/dev/null
# Final steps # Final steps
mv /root/tpot/etc/rc.local /etc/rc.local 2>&1>/dev/null && \ mv /root/tpot/etc/rc.local /etc/rc.local 2>&1>/dev/null && \

9
makeiso.sh
View file

@ -1,18 +1,13 @@
#!/bin/bash #!/bin/bash
########################################################
# T-Pot #
# .ISO creator #
# #
# v17.06 by mo, DTAG, 2017-03-13 #
########################################################
# Set TERM, DIALOGRC # Set TERM, DIALOGRC
export DIALOGRC=/etc/dialogrc export DIALOGRC=/etc/dialogrc
export TERM=linux export TERM=linux
# Let's define some global vars # Let's define some global vars
myBACKTITLE="T-Pot - ISO Creator" myBACKTITLE="T-Pot - ISO Creator"
# If you need latest hardware support, try using the hardware enablement (hwe) ISO
# myUBUNTULINK="http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/installer-amd64/current/images/hwe-netboot/mini.iso"
myUBUNTULINK="http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/installer-amd64/current/images/netboot/mini.iso" myUBUNTULINK="http://archive.ubuntu.com/ubuntu/dists/xenial-updates/main/installer-amd64/current/images/netboot/mini.iso"
myUBUNTUISO="mini.iso" myUBUNTUISO="mini.iso"
myTPOTISO="tpot.iso" myTPOTISO="tpot.iso"

2
preseed/tpot.seed
View file

@ -100,7 +100,7 @@ tasksel tasksel/first multiselect ubuntu-server
######################## ########################
### Package Installation ### Package Installation
######################## ########################
d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io docker-compose dstat ethtool genisoimage git glances html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io dstat ethtool genisoimage git glances html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant
################# #################
### Update Policy ### Update Policy