From 365e1a1e5cf6fe44b3319b391f86d5a3b31b6f73 Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Sun, 30 Apr 2017 23:34:30 +0000 Subject: [PATCH] prepare switch to docker-compose --- installer/bin/clean.sh | 41 +---- installer/bin/dps.sh | 6 +- installer/data/imgcfg/all_images.conf | 13 -- installer/data/imgcfg/hp_images.conf | 6 - installer/data/imgcfg/industrial_images.conf | 8 - installer/data/imgcfg/tpot_images.conf | 11 -- installer/data/systemd/conpot.service | 15 -- installer/data/systemd/cowrie.service | 15 -- installer/data/systemd/dionaea.service | 15 -- installer/data/systemd/elasticpot.service | 15 -- installer/data/systemd/elk.service | 15 -- installer/data/systemd/emobility.service | 15 -- installer/data/systemd/ewsposter.service | 14 -- installer/data/systemd/glastopf.service | 15 -- installer/data/systemd/honeytrap.service | 23 --- installer/data/systemd/netdata.service | 15 -- installer/data/systemd/spiderfoot.service | 14 -- installer/data/systemd/suricata.service | 19 -- installer/data/systemd/ui-for-docker.service | 14 -- installer/etc/tpot/compose/all.yml | 174 ++++++++++++++++++ installer/etc/tpot/compose/hp.yml | 84 +++++++++ installer/etc/tpot/compose/industrial.yml | 103 +++++++++++ installer/etc/tpot/compose/tpot.yml | 149 +++++++++++++++ installer/{data => etc/tpot}/elkbase.tgz | Bin .../{data => etc/tpot}/kibana-objects.tgz | Bin installer/etc/tpot/systemd/tpot.service | 44 +++++ .../{data => etc/tpot}/systemd/wetty.service | 0 installer/install.sh | 37 ++-- preseed/tpot.seed | 2 +- 29 files changed, 586 insertions(+), 296 deletions(-) delete mode 100644 installer/data/imgcfg/all_images.conf delete mode 100644 installer/data/imgcfg/hp_images.conf delete mode 100644 installer/data/imgcfg/industrial_images.conf delete mode 100644 installer/data/imgcfg/tpot_images.conf delete mode 100644 installer/data/systemd/conpot.service delete mode 100644 installer/data/systemd/cowrie.service delete mode 100644 installer/data/systemd/dionaea.service delete mode 100644 installer/data/systemd/elasticpot.service delete mode 100644 installer/data/systemd/elk.service delete mode 100644 installer/data/systemd/emobility.service delete mode 100644 installer/data/systemd/ewsposter.service delete mode 100644 installer/data/systemd/glastopf.service delete mode 100644 installer/data/systemd/honeytrap.service delete mode 100644 installer/data/systemd/netdata.service delete mode 100644 installer/data/systemd/spiderfoot.service delete mode 100644 installer/data/systemd/suricata.service delete mode 100644 installer/data/systemd/ui-for-docker.service create mode 100644 installer/etc/tpot/compose/all.yml create mode 100644 installer/etc/tpot/compose/hp.yml create mode 100644 installer/etc/tpot/compose/industrial.yml create mode 100644 installer/etc/tpot/compose/tpot.yml rename installer/{data => etc/tpot}/elkbase.tgz (100%) rename installer/{data => etc/tpot}/kibana-objects.tgz (100%) create mode 100644 installer/etc/tpot/systemd/tpot.service rename installer/{data => etc/tpot}/systemd/wetty.service (100%) diff --git a/installer/bin/clean.sh b/installer/bin/clean.sh index 2e23a9e7..f3906114 100755 --- a/installer/bin/clean.sh +++ b/installer/bin/clean.sh @@ -8,7 +8,7 @@ ######################################################## # Set persistence -myPERSISTENCE=$2 +myPERSISTENCE=$1 # Check persistence if [ "$myPERSISTENCE" = "on" ]; @@ -36,7 +36,6 @@ fuCOWRIE () { # Let's create a function to clean up and prepare dionaea data fuDIONAEA () { rm -rf /data/dionaea/* - rm /data/ews/dionaea/ews.json mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp chmod 760 /data/dionaea -R chown tpot:tpot /data/dionaea -R @@ -93,32 +92,12 @@ fuSURICATA () { chown tpot:tpot -R /data/suricata } -case $1 in - conpot) - fuCONPOT $1 - ;; - cowrie) - fuCOWRIE $1 - ;; - dionaea) - fuDIONAEA $1 - ;; - elasticpot) - fuELASTICPOT $1 - ;; - elk) - fuELK $1 - ;; - emobility) - fuEMOBILITY $1 - ;; - glastopf) - fuGLASTOPF $1 - ;; - honeytrap) - fuHONEYTRAP $1 - ;; - suricata) - fuSURICATA $1 - ;; -esac +fuCONPOT +fuCOWRIE +fuDIONAEA +fuELASTICPOT +fuELK +fuEMOBILITY +fuGLASTOPF +fuHONEYTRAP +fuSURICATA diff --git a/installer/bin/dps.sh b/installer/bin/dps.sh index 3a12913f..6607b170 100755 --- a/installer/bin/dps.sh +++ b/installer/bin/dps.sh @@ -7,7 +7,9 @@ function fuCLEANUP { trap fuCLEANUP EXIT stty -echo -icanon time 0 min 0 -myIMAGES=$(cat /etc/tpot/images.conf) +#myIMAGES=$(cat /etc/tpot/images.conf) +#myIMAGES=$(/usr/bin/docker ps -a -f name=$i --format "table {{.Names}}" | grep -v NAMES) +myIMAGES=$(cat /etc/tpot/tpot.yml | grep container_name | cut -d: -f2) while true do clear @@ -18,7 +20,7 @@ while true echo echo "NAME CREATED PORTS" for i in $myIMAGES; do - mySTATUS=$(/usr/bin/docker ps -f name=$i --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' /bin/egrep --color=always "(^[_a-z-]+ |$)|$" | GREP_COLORS='mt=01;32' /bin/egrep --color=always "(Up[ 0-9a-Z ]+ |$)|$" | GREP_COLORS='mt=01;31' /bin/egrep --color=always "(Exited[ \(0-9\) ]+ [0-9a-Z ]+ ago|$)|$" | tail -n 1) + mySTATUS=$(/usr/bin/docker ps -f name=$i --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' /bin/egrep --color=always "(^[_0-9a-z-]+ |$)|$" | GREP_COLORS='mt=01;32' /bin/egrep --color=always "(Up[ 0-9a-Z ]+ |$)|$" | GREP_COLORS='mt=01;31' /bin/egrep --color=always "(Exited[ \(0-9\) ]+ [0-9a-Z ]+ ago|$)|$" | tail -n 1) myDOWN=$(echo "$mySTATUS" | grep -c "NAMES") if [ "$myDOWN" = "1" ]; then diff --git a/installer/data/imgcfg/all_images.conf b/installer/data/imgcfg/all_images.conf deleted file mode 100644 index 0b64dfee..00000000 --- a/installer/data/imgcfg/all_images.conf +++ /dev/null @@ -1,13 +0,0 @@ -conpot -cowrie -dionaea -elasticpot -elk -emobility -ewsposter -glastopf -honeytrap -netdata -spiderfoot -suricata -ui-for-docker diff --git a/installer/data/imgcfg/hp_images.conf b/installer/data/imgcfg/hp_images.conf deleted file mode 100644 index e5aa3e75..00000000 --- a/installer/data/imgcfg/hp_images.conf +++ /dev/null @@ -1,6 +0,0 @@ -cowrie -dionaea -elasticpot -ewsposter -glastopf -honeytrap diff --git a/installer/data/imgcfg/industrial_images.conf b/installer/data/imgcfg/industrial_images.conf deleted file mode 100644 index 6c242158..00000000 --- a/installer/data/imgcfg/industrial_images.conf +++ /dev/null @@ -1,8 +0,0 @@ -conpot -elk -emobility -ewsposter -netdata -spiderfoot -suricata -ui-for-docker diff --git a/installer/data/imgcfg/tpot_images.conf b/installer/data/imgcfg/tpot_images.conf deleted file mode 100644 index 62e9f29b..00000000 --- a/installer/data/imgcfg/tpot_images.conf +++ /dev/null @@ -1,11 +0,0 @@ -cowrie -dionaea -elasticpot -elk -ewsposter -glastopf -honeytrap -netdata -spiderfoot -suricata -ui-for-docker diff --git a/installer/data/systemd/conpot.service b/installer/data/systemd/conpot.service deleted file mode 100644 index a60d6b04..00000000 --- a/installer/data/systemd/conpot.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=conpot -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop conpot -ExecStartPre=-/usr/bin/docker rm -v conpot -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh conpot off' -ExecStart=/usr/bin/docker run --name conpot --rm=true -v /data/conpot:/data/conpot -v /data/ews:/data/ews -p 1025:1025 -p 50100:50100 dtagdevsec/conpot:1706 -ExecStop=/usr/bin/docker stop conpot - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/cowrie.service b/installer/data/systemd/cowrie.service deleted file mode 100644 index a52633ce..00000000 --- a/installer/data/systemd/cowrie.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=cowrie -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop cowrie -ExecStartPre=-/usr/bin/docker rm -v cowrie -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh cowrie off' -ExecStart=/usr/bin/docker run --name cowrie --rm=true -p 22:2222 -p 23:2223 -v /data/cowrie:/data/cowrie -v /data/ews:/data/ews dtagdevsec/cowrie:1706 -ExecStop=/usr/bin/docker stop cowrie - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/dionaea.service b/installer/data/systemd/dionaea.service deleted file mode 100644 index 87385f7f..00000000 --- a/installer/data/systemd/dionaea.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=dionaea -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop dionaea -ExecStartPre=-/usr/bin/docker rm -v dionaea -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh dionaea off' -ExecStart=/usr/bin/docker run --name dionaea --cap-add=NET_BIND_SERVICE --rm=true -p 21:21 -p 42:42 -p 69:69/udp -p 8081:80 -p 135:135 -p 443:443 -p 445:445 -p 1433:1433 -p 1723:1723 -p 1883:1883 -p 1900:1900 -p 3306:3306 -p 5060:5060 -p 5061:5061 -p 5060:5060/udp -p 11211:11211 -v /data/dionaea:/data/dionaea dtagdevsec/dionaea:1706 -ExecStop=/usr/bin/docker stop dionaea - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/elasticpot.service b/installer/data/systemd/elasticpot.service deleted file mode 100644 index 3b0ed484..00000000 --- a/installer/data/systemd/elasticpot.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=elasticpot -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop elasticpot -ExecStartPre=-/usr/bin/docker rm -v elasticpot -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh elasticpot off' -ExecStart=/usr/bin/docker run --name elasticpot --rm=true -v /data/elasticpot:/data/elasticpot -p 9200:9200 dtagdevsec/elasticpot:1706 -ExecStop=/usr/bin/docker stop elasticpot - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/elk.service b/installer/data/systemd/elk.service deleted file mode 100644 index 3fe38e38..00000000 --- a/installer/data/systemd/elk.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=elk -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop elk -ExecStartPre=-/usr/bin/docker rm -v elk -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh elk' -ExecStart=/usr/bin/docker run --name=elk --env-file /etc/tpot/elk/environment --cap-add=IPC_LOCK --ulimit memlock=-1:-1 --ulimit nofile=65536:65536 -v /data:/data -v /var/log:/data/host/log -p 127.0.0.1:64296:5601 -p 127.0.0.1:64302:9100 -p 127.0.0.1:64298:9200 --rm=true dtagdevsec/elk:1706 -ExecStop=/usr/bin/docker stop elk - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/emobility.service b/installer/data/systemd/emobility.service deleted file mode 100644 index cc96e0b8..00000000 --- a/installer/data/systemd/emobility.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=emobility -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop emobility -ExecStartPre=-/usr/bin/docker rm -v emobility -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh emobility off' -ExecStart=/usr/bin/docker run --name emobility --cap-add=NET_ADMIN -p 8080:8080 -v /data/emobility:/data/eMobility -v /data/ews:/data/ews --rm=true dtagdevsec/emobility:1706 -ExecStop=/usr/bin/docker stop emobility - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/ewsposter.service b/installer/data/systemd/ewsposter.service deleted file mode 100644 index 3979aa2f..00000000 --- a/installer/data/systemd/ewsposter.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=ewsposter -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop ewsposter -ExecStartPre=-/usr/bin/docker rm -v ewsposter -ExecStart=/usr/bin/docker run --name ewsposter --rm=true -v /data:/data -v /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip dtagdevsec/ewsposter:1706 -ExecStop=/usr/bin/docker stop ewsposter - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/glastopf.service b/installer/data/systemd/glastopf.service deleted file mode 100644 index 1ac6f39b..00000000 --- a/installer/data/systemd/glastopf.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=glastopf -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop glastopf -ExecStartPre=-/usr/bin/docker rm -v glastopf -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh glastopf off' -ExecStart=/usr/bin/docker run --name glastopf --rm=true -v /data/glastopf:/data/glastopf -v /data/ews:/data/ews -p 80:80 dtagdevsec/glastopf:1706 -ExecStop=/usr/bin/docker stop glastopf - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/honeytrap.service b/installer/data/systemd/honeytrap.service deleted file mode 100644 index a3b2f5f2..00000000 --- a/installer/data/systemd/honeytrap.service +++ /dev/null @@ -1,23 +0,0 @@ -[Unit] -Description=honeytrap -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop honeytrap -ExecStartPre=-/usr/bin/docker rm -v honeytrap -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh honeytrap off' -ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE -ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE -ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301,64302,64303 -j NFQUEUE -ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE -ExecStart=/usr/bin/docker run --name honeytrap --cap-add=NET_ADMIN --net=host --rm=true -v /data/honeytrap:/data/honeytrap -v /data/ews:/data/ews dtagdevsec/honeytrap:1706 -ExecStop=/usr/bin/docker stop honeytrap -ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE -ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301,64302,64303 -j NFQUEUE -ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE -ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/netdata.service b/installer/data/systemd/netdata.service deleted file mode 100644 index d4d6e1f5..00000000 --- a/installer/data/systemd/netdata.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=netdata -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop netdata -ExecStartPre=-/usr/bin/docker rm -v netdata -ExecStartPre=-/bin/chmod 666 /var/run/docker.sock -ExecStart=/usr/bin/docker run --name netdata --net=host --cap-add=SYS_PTRACE --security-opt apparmor=unconfined --rm=true -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /var/run/docker.sock:/var/run/docker.sock dtagdevsec/netdata:1706 -ExecStop=/usr/bin/docker stop netdata - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/spiderfoot.service b/installer/data/systemd/spiderfoot.service deleted file mode 100644 index acae2287..00000000 --- a/installer/data/systemd/spiderfoot.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=spiderfoot -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop spiderfoot -ExecStartPre=-/usr/bin/docker rm -v spiderfoot -ExecStart=/usr/bin/docker run --name spiderfoot --rm=true -p 127.0.0.1:64303:8080 dtagdevsec/spiderfoot:1706 -ExecStop=/usr/bin/docker stop spiderfoot - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/suricata.service b/installer/data/systemd/suricata.service deleted file mode 100644 index d062895f..00000000 --- a/installer/data/systemd/suricata.service +++ /dev/null @@ -1,19 +0,0 @@ -[Unit] -Description=suricata -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop suricata -ExecStartPre=-/usr/bin/docker rm -v suricata -# Get IF, disable offloading, enable promiscious mode -ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') rx off tx off' -ExecStartPre=/bin/bash -c '/sbin/ethtool -K $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') gso off gro off' -ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') promisc on' -ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh suricata off' -ExecStart=/usr/bin/docker run --name suricata --cap-add=NET_ADMIN --net=host --rm=true -v /data/suricata:/data/suricata dtagdevsec/suricata:1706 -ExecStop=/usr/bin/docker stop suricata - -[Install] -WantedBy=multi-user.target diff --git a/installer/data/systemd/ui-for-docker.service b/installer/data/systemd/ui-for-docker.service deleted file mode 100644 index c833f756..00000000 --- a/installer/data/systemd/ui-for-docker.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=ui-for-docker -Requires=docker.service -After=docker.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/docker stop ui-for-docker -ExecStartPre=-/usr/bin/docker rm -v ui-for-docker -ExecStart=/usr/bin/docker run --name ui-for-docker --rm=true -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:64299:9000 dtagdevsec/ui-for-docker:1706 -H unix:///var/run/docker.sock --no-auth -ExecStop=/usr/bin/docker stop ui-for-docker - -[Install] -WantedBy=multi-user.target diff --git a/installer/etc/tpot/compose/all.yml b/installer/etc/tpot/compose/all.yml new file mode 100644 index 00000000..ca6dfc38 --- /dev/null +++ b/installer/etc/tpot/compose/all.yml @@ -0,0 +1,174 @@ +# T-Pot (Everything) +# For docker-compose version ... +version: '2' +services: + +# Conpot service + conpot: + container_name: conpot + restart: always + ports: + - "1025:1025" + - "50100:50100" + image: "dtagdevsec/conpot:1706" + volumes: + - /data/conpot:/data/conpot + - /data/ews:/data/ews + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + ports: + - "22:2222" + - "23:2223" + image: "dtagdevsec/cowrie:1706" + volumes: + - /data/cowrie:/data/cowrie + +# Dionaea service + dionaea: + container_name: dionaea + restart: always + cap_add: + - NET_BIND_SERVICE + ports: + - "21:21" + - "42:42" + - "69:69/udp" + - "8081:80" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "1900:1900" + - "3306:3306" + - "5060:5060" + - "5061:5061" + - "5060:5060/udp" + - "11211:11211" + image: "dtagdevsec/dionaea:1706" + volumes: + - /data/dionaea:/data/dionaea + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1706" + volumes: + - /data/elasticpot:/data/elasticpot + +# ELK service + elk: + container_name: elk + restart: always + env_file: + - /etc/tpot/elk/environment + cap_add: + - IPC_LOCK + ulimits: + memlock: -1 + nofile: 65536 + ports: + - "127.0.0.1:64296:5601" + - "127.0.0.1:64302:9100" + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elk:1706" + volumes: + - /data:/data + - /var/log:/data/host/log + +# Emobility service + emobility: + container_name: emobility + restart: always + cap_add: + - NET_ADMIN + ports: + - "8080:8080" + image: "dtagdevsec/emobility:1706" + volumes: + - /data/emobility:/data/eMobility + - /data/ews:/data/ews + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + image: "dtagdevsec/ewsposter:1706" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Glastopf service + glastopf: + container_name: glastopf + restart: always + ports: + - "80:80" + image: "dtagdevsec/glastopf:1706" + volumes: + - /data/glastopf:/data/glastopf + - /data/ews:/data/ews + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1706" + volumes: + - /data/honeytrap:/data/honeytrap + - /data/ews:/data/ews + +# Netdata service + netdata: + container_name: netdata + restart: always + network_mode: "host" + cap_add: + - SYS_PTRACE + security_opt: + - apparmor=unconfined + image: "dtagdevsec/netdata:1706" + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock + +# Spiderfoot service + spiderfoot: + container_name: spiderfoot + restart: always + ports: + - "127.0.0.1:64303:8080" + image: "dtagdevsec/spiderfoot:1706" + +# Ui-for-docker service + ui-for-docker: + container_name: ui-for-docker + command: -H unix:///var/run/docker.sock --no-auth + restart: always + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/ui-for-docker:1706" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + +# Suricata service + suricata: + container_name: suricata + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/suricata:1706" + volumes: + - /data/suricata:/data/suricata diff --git a/installer/etc/tpot/compose/hp.yml b/installer/etc/tpot/compose/hp.yml new file mode 100644 index 00000000..ea3ed8f4 --- /dev/null +++ b/installer/etc/tpot/compose/hp.yml @@ -0,0 +1,84 @@ +# T-Pot (Standard) +# For docker-compose version ... +version: '2' +services: + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + ports: + - "22:2222" + - "23:2223" + image: "dtagdevsec/cowrie:1706" + volumes: + - /data/cowrie:/data/cowrie + +# Dionaea service + dionaea: + container_name: dionaea + restart: always + cap_add: + - NET_BIND_SERVICE + ports: + - "21:21" + - "42:42" + - "69:69/udp" + - "8081:80" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "1900:1900" + - "3306:3306" + - "5060:5060" + - "5061:5061" + - "5060:5060/udp" + - "11211:11211" + image: "dtagdevsec/dionaea:1706" + volumes: + - /data/dionaea:/data/dionaea + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1706" + volumes: + - /data/elasticpot:/data/elasticpot + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + image: "dtagdevsec/ewsposter:1706" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Glastopf service + glastopf: + container_name: glastopf + restart: always + ports: + - "80:80" + image: "dtagdevsec/glastopf:1706" + volumes: + - /data/glastopf:/data/glastopf + - /data/ews:/data/ews + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1706" + volumes: + - /data/honeytrap:/data/honeytrap + - /data/ews:/data/ews diff --git a/installer/etc/tpot/compose/industrial.yml b/installer/etc/tpot/compose/industrial.yml new file mode 100644 index 00000000..1f451c33 --- /dev/null +++ b/installer/etc/tpot/compose/industrial.yml @@ -0,0 +1,103 @@ +# T-Pot (Everything) +# For docker-compose version ... +version: '2' +services: + +# Conpot service + conpot: + container_name: conpot + restart: always + ports: + - "1025:1025" + - "50100:50100" + image: "dtagdevsec/conpot:1706" + volumes: + - /data/conpot:/data/conpot + - /data/ews:/data/ews + +# ELK service + elk: + container_name: elk + restart: always + env_file: + - /etc/tpot/elk/environment + cap_add: + - IPC_LOCK + ulimits: + memlock: -1 + nofile: 65536 + ports: + - "127.0.0.1:64296:5601" + - "127.0.0.1:64302:9100" + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elk:1706" + volumes: + - /data:/data + - /var/log:/data/host/log + +# Emobility service + emobility: + container_name: emobility + restart: always + cap_add: + - NET_ADMIN + ports: + - "8080:8080" + image: "dtagdevsec/emobility:1706" + volumes: + - /data/emobility:/data/eMobility + - /data/ews:/data/ews + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + image: "dtagdevsec/ewsposter:1706" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Netdata service + netdata: + container_name: netdata + restart: always + network_mode: "host" + cap_add: + - SYS_PTRACE + security_opt: + - apparmor=unconfined + image: "dtagdevsec/netdata:1706" + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock + +# Spiderfoot service + spiderfoot: + container_name: spiderfoot + restart: always + ports: + - "127.0.0.1:64303:8080" + image: "dtagdevsec/spiderfoot:1706" + +# Ui-for-docker service + ui-for-docker: + container_name: ui-for-docker + command: -H unix:///var/run/docker.sock --no-auth + restart: always + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/ui-for-docker:1706" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + +# Suricata service + suricata: + container_name: suricata + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/suricata:1706" + volumes: + - /data/suricata:/data/suricata diff --git a/installer/etc/tpot/compose/tpot.yml b/installer/etc/tpot/compose/tpot.yml new file mode 100644 index 00000000..39150568 --- /dev/null +++ b/installer/etc/tpot/compose/tpot.yml @@ -0,0 +1,149 @@ +# T-Pot (Standard) +# For docker-compose version ... +version: '2' +services: + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + ports: + - "22:2222" + - "23:2223" + image: "dtagdevsec/cowrie:1706" + volumes: + - /data/cowrie:/data/cowrie + +# Dionaea service + dionaea: + container_name: dionaea + restart: always + cap_add: + - NET_BIND_SERVICE + ports: + - "21:21" + - "42:42" + - "69:69/udp" + - "8081:80" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "1900:1900" + - "3306:3306" + - "5060:5060" + - "5061:5061" + - "5060:5060/udp" + - "11211:11211" + image: "dtagdevsec/dionaea:1706" + volumes: + - /data/dionaea:/data/dionaea + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1706" + volumes: + - /data/elasticpot:/data/elasticpot + +# ELK service + elk: + container_name: elk + restart: always + env_file: + - /etc/tpot/elk/environment + cap_add: + - IPC_LOCK + ulimits: + memlock: -1 + nofile: 65536 + ports: + - "127.0.0.1:64296:5601" + - "127.0.0.1:64302:9100" + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elk:1706" + volumes: + - /data:/data + - /var/log:/data/host/log + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + image: "dtagdevsec/ewsposter:1706" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Glastopf service + glastopf: + container_name: glastopf + restart: always + ports: + - "80:80" + image: "dtagdevsec/glastopf:1706" + volumes: + - /data/glastopf:/data/glastopf + - /data/ews:/data/ews + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1706" + volumes: + - /data/honeytrap:/data/honeytrap + - /data/ews:/data/ews + +# Netdata service + netdata: + container_name: netdata + restart: always + network_mode: "host" + cap_add: + - SYS_PTRACE + security_opt: + - apparmor=unconfined + image: "dtagdevsec/netdata:1706" + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock + +# Spiderfoot service + spiderfoot: + container_name: spiderfoot + restart: always + ports: + - "127.0.0.1:64303:8080" + image: "dtagdevsec/spiderfoot:1706" + +# Ui-for-docker service + ui-for-docker: + container_name: ui-for-docker + command: -H unix:///var/run/docker.sock --no-auth + restart: always + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/ui-for-docker:1706" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + +# Suricata service + suricata: + container_name: suricata + restart: always + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/suricata:1706" + volumes: + - /data/suricata:/data/suricata diff --git a/installer/data/elkbase.tgz b/installer/etc/tpot/elkbase.tgz similarity index 100% rename from installer/data/elkbase.tgz rename to installer/etc/tpot/elkbase.tgz diff --git a/installer/data/kibana-objects.tgz b/installer/etc/tpot/kibana-objects.tgz similarity index 100% rename from installer/data/kibana-objects.tgz rename to installer/etc/tpot/kibana-objects.tgz diff --git a/installer/etc/tpot/systemd/tpot.service b/installer/etc/tpot/systemd/tpot.service new file mode 100644 index 00000000..40344551 --- /dev/null +++ b/installer/etc/tpot/systemd/tpot.service @@ -0,0 +1,44 @@ +[Unit] +Description=tpot +Requires=docker.service +After=docker.service + +[Service] +Restart=always + +# Clear state from /data +ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh off' + +# Remove old containers and volumes +ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v +ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml rm -v +ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)' + +# Get IF, disable offloading, enable promiscious mode for p0f and suricata +ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') rx off tx off' +ExecStartPre=/bin/bash -c '/sbin/ethtool -K $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') gso off gro off' +ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') promisc on' + +# Modify access rights on docker.sock for netdata +ExecStartPre=-/bin/chmod 666 /var/run/docker.sock + +# Prepare iptables rules for honeytrap +ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE +ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE +ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301,64302,64303 -j NFQUEUE +ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE + +# Compose T-Pot up and run as daemon +ExecStart=/usr/bin/docker-compose -f /etc/tpot/tpot.yml up + +# Compose T-Pot down and remove containers +ExecStop=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v + +# Remove iptables rules for honeytrap +ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE +ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301,64302,64303 -j NFQUEUE +ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE +ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE + +[Install] +WantedBy=multi-user.target diff --git a/installer/data/systemd/wetty.service b/installer/etc/tpot/systemd/wetty.service similarity index 100% rename from installer/data/systemd/wetty.service rename to installer/etc/tpot/systemd/wetty.service diff --git a/installer/install.sh b/installer/install.sh index 05fb622b..472146ce 100755 --- a/installer/install.sh +++ b/installer/install.sh @@ -353,26 +353,26 @@ EOF case $myFLAVOR in HP) echo "### Preparing HONEYPOT flavor installation." - cp /root/tpot/data/imgcfg/hp_images.conf /root/tpot/data/images.conf 2>&1>/dev/null + cp /root/tpot/etc/tpot/compose/hp.yml /root/tpot/etc/tpot/tpot.yml 2>&1>/dev/null ;; INDUSTRIAL) echo "### Preparing INDUSTRIAL flavor installation." - cp /root/tpot/data/imgcfg/industrial_images.conf /root/tpot/data/images.conf 2>&1>/dev/null + cp /root/tpot/etc/tpot/compose/industrial.yml /root/tpot/etc/tpot/tpot.yml 2>&1>/dev/null ;; TPOT) echo "### Preparing TPOT flavor installation." - cp /root/tpot/data/imgcfg/tpot_images.conf /root/tpot/data/images.conf 2>&1>/dev/null + cp /root/tpot/etc/tpot/compose/tpot.yml /root/tpot/etc/tpot/tpot.yml 2>&1>/dev/null ;; EVERYTHING) echo "### Preparing EVERYTHING flavor installation." - cp /root/tpot/data/imgcfg/all_images.conf /root/tpot/data/images.conf 2>&1>/dev/null + cp /root/tpot/etc/tpot/compose/all.yml /root/tpot/etc/tpot/tpot.yml 2>&1>/dev/null ;; esac # Let's load docker images -myIMAGESCOUNT=$(cat /root/tpot/data/images.conf | wc -w) +myIMAGESCOUNT=$(cat /root/tpot/etc/tpot/tpot.yml | grep container_name | cut -d: -f2 | wc -l) j=0 -for name in $(cat /root/tpot/data/images.conf) +for name in $(cat /root/tpot/etc/tpot/tpot.yml | grep container_name | cut -d: -f2) do dialog --title "[ Downloading docker images, please be patient ]" --backtitle "$myBACKTITLE" \ --gauge "\n Now downloading: dtagdevsec/$name:1706\n" 8 80 $(expr 100 \* $j / $myIMAGESCOUNT) <&1>/dev/null <:/api delete --filters resource= && alerta --endpoint-url http://:/api send -e IP -r -E Production -s ok -S T-Pot -t \$(cat /data/elk/logstash/mylocal.ip) --status open # Check if updated images are available and download them -27 1 * * * root for i in \$(cat /etc/tpot/images.conf); do docker pull dtagdevsec/\$i:1706; done +27 1 * * * root /usr/bin/docker-compose -f /etc/tpot/tpot.yml pull # Restart docker service and containers -27 3 * * * root dcres.sh +#27 3 * * * root dcres.sh # Delete elastic indices older than 90 days (kibana index is omitted by default) -27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' +#27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' # Update IP and erase check.lock if it exists 27 5 * * * root /etc/rc.local @@ -445,31 +445,28 @@ mkdir -p /data/conpot/log \ /data/emobility/log \ /data/ews/conf \ /data/suricata/log /home/tsec/.ssh/ \ - /etc/tpot/elk /etc/tpot/imgcfg /etc/tpot/systemd \ + /etc/tpot/elk /etc/tpot/compose /etc/tpot/systemd \ /usr/share/tpot/bin 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF # Let's take care of some files and permissions before copying chmod 500 /root/tpot/bin/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF -chmod 600 /root/tpot/data/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF +chmod 600 -R /root/tpot/etc/tpot 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF chmod 644 /root/tpot/etc/issue 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF chmod 755 /root/tpot/etc/rc.local 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF -chmod 644 /root/tpot/data/systemd/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF +chmod 644 /root/tpot/etc/tpot/systemd/* 2>&1 | dialog --title "[ Setting permissions ]" $myPROGRESSBOXCONF # Let's copy some files -tar xvfz /root/tpot/data/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF +tar xvfz /root/tpot/etc/tpot/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF cp -R /root/tpot/bin/* /usr/share/tpot/bin/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -cp -R /root/tpot/data/* /etc/tpot/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -cp /root/tpot/data/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF +cp -R /root/tpot/etc/tpot/* /etc/tpot/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF +cp /root/tpot/etc/tpot/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp -R /root/tpot/etc/nginx/ssl /etc/nginx/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/nginx/tpotweb.conf /etc/nginx/sites-available/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/etc/nginx/nginx.conf /etc/nginx/nginx.conf 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/keys/authorized_keys /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /root/tpot/usr/share/nginx/html/* /usr/share/nginx/html/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF -for i in $(cat /etc/tpot/images.conf); - do - systemctl enable $i 2>&1 | dialog --title "[ Enabling service for $i ]" $myPROGRESSBOXCONF -done +systemctl enable tpot 2>&1 | dialog --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF systemctl enable wetty 2>&1 | dialog --title "[ Enabling service for wetty ]" $myPROGRESSBOXCONF # Let's enable T-Pot website diff --git a/preseed/tpot.seed b/preseed/tpot.seed index c42a48c6..5f6502bc 100755 --- a/preseed/tpot.seed +++ b/preseed/tpot.seed @@ -100,7 +100,7 @@ tasksel tasksel/first multiselect ubuntu-server ######################## ### Package Installation ######################## -d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io dstat ethtool genisoimage git glances html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant +d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io docker-compose dstat ethtool genisoimage git glances html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant ################# ### Update Policy