tweaking, switch to maltrail mass scanner list

This commit is contained in:
t3chn0m4g3 2022-02-07 11:56:31 +00:00
parent 22bfb69f28
commit 3cc90fdf8e
2 changed files with 32 additions and 23 deletions


@ -501,7 +501,7 @@ The software that T-Pot is built on uses the following licenses.
<br>GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeysap](https://github.com/SecureAuthCorp/HoneySAP/blob/master/COPYING), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/) <br>GPLv2: [conpot](https://github.com/mushorg/conpot/blob/master/LICENSE.txt), [dionaea](https://github.com/DinoTools/dionaea/blob/master/LICENSE), [honeysap](https://github.com/SecureAuthCorp/HoneySAP/blob/master/COPYING), [honeytrap](https://github.com/armedpot/honeytrap/blob/master/LICENSE), [suricata](http://suricata-ids.org/about/open-source/)
<br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [log4pot](https://github.com/thomaspatzke/Log4Pot/blob/master/LICENSE), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/blob/main/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE) <br>GPLv3: [adbhoney](https://github.com/huuck/ADBHoney), [elasticpot](https://gitlab.com/bontchev/elasticpot/-/blob/master/LICENSE), [ewsposter](https://github.com/telekom-security/ews/), [log4pot](https://github.com/thomaspatzke/Log4Pot/blob/master/LICENSE), [fatt](https://github.com/0x4D31/fatt/blob/master/LICENSE), [rdpy](https://github.com/citronneur/rdpy/blob/master/LICENSE), [heralding](https://github.com/johnnykv/heralding/blob/master/LICENSE.txt), [ipphoney](https://gitlab.com/bontchev/ipphoney/-/blob/master/LICENSE), [redishoneypot](https://github.com/cypwnpwnsocute/RedisHoneyPot/blob/main/LICENSE), [snare](https://github.com/mushorg/snare/blob/master/LICENSE), [tanner](https://github.com/mushorg/snare/blob/master/LICENSE)
<br>Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE) <br>Apache 2 License: [cyberchef](https://github.com/gchq/CyberChef/blob/master/LICENSE), [dicompot](https://github.com/nsmfoo/dicompot/blob/master/LICENSE), [elasticsearch](https://github.com/elasticsearch/elasticsearch/blob/master/LICENSE.txt), [logstash](https://github.com/elasticsearch/logstash/blob/master/LICENSE), [kibana](https://github.com/elasticsearch/kibana/blob/master/LICENSE.md), [docker](https://github.com/docker/docker/blob/master/LICENSE)
<br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [elasticvue](https://github.com/cars10/elasticvue/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE) <br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [elasticvue](https://github.com/cars10/elasticvue/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE), [maltrail](https://github.com/stamparm/maltrail/blob/master/LICENSE)
<br> Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE) <br> Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE)
<br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license) <br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license)
<br> AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE) <br> AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE)
@ -542,6 +542,7 @@ Without open source and the fruitful development community (we are proud to be a
* [logstash](https://github.com/elastic/logstash/graphs/contributors) * [logstash](https://github.com/elastic/logstash/graphs/contributors)
* [log4pot](https://github.com/thomaspatzke/Log4Pot/graphs/contributors) * [log4pot](https://github.com/thomaspatzke/Log4Pot/graphs/contributors)
* [mailoney](https://github.com/awhitehatter/mailoney) * [mailoney](https://github.com/awhitehatter/mailoney)
* [maltrail](https://github.com/stamparm/maltrail/graphs/contributors)
* [medpot](https://github.com/schmalle/medpot/graphs/contributors) * [medpot](https://github.com/schmalle/medpot/graphs/contributors)
* [p0f](http://lcamtuf.coredump.cx/p0f3/) * [p0f](http://lcamtuf.coredump.cx/p0f3/)
* [rdpy](https://github.com/citronneur/rdpy) * [rdpy](https://github.com/citronneur/rdpy)


@ -4,7 +4,8 @@
myWHOAMI=$(whoami) myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ] if [ "$myWHOAMI" != "root" ]
then then
echo "Need to run as root ..." echo "### Need to run as root ..."
echo
exit exit
fi fi
@ -23,38 +24,44 @@ if [ "$1" == "" ];
exit exit
fi fi
# QnD paths # QnD paths, files
mkdir -p /etc/blackhole mkdir -p /etc/blackhole
cd /etc/blackhole cd /etc/blackhole
myFILE="mass_scanner.txt"
myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt"
myBASELINE="3000"
# Alternatively, using less routes, but blocking complete /24 networks
#myFILE="mass_scanner_cidr.txt"
#myURL="https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner_cidr.txt"
#myBASELINE="500"
# Calculate age of downloaded reputation list # Calculate age of downloaded list, read IPs
if [ -f "iprep.yaml" ]; if [ -f "$myFILE" ];
then then
myNOW=$(date +%s) myNOW=$(date +%s)
myOLD=$(date +%s -r iprep.yaml) myOLD=$(date +%s -r "$myFILE")
myDAYS=$(( (now-old) / (60*60*24) )) myDAYS=$(( (now-old) / (60*60*24) ))
echo "### Downloaded reputation list is $myDAYS days old." echo "### Downloaded $myFILE list is $myDAYS days old."
myBLACKHOLE_IPS=$(grep "mass scanner" iprep.yaml | cut -f 1 -d":" | tr -d '"') myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
fi fi
# Let's load ip reputation list from listbot service # Let's load ip list
if [[ ! -f "iprep.yaml" && "$1" == "add" || "$myDAYS" -gt 30 ]]; if [[ ! -f "$myFILE" && "$1" == "add" || "$myDAYS" -gt 30 ]];
then then
echo "### Downloading reputation list." echo "### Downloading $myFILE list."
aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/iprep.yaml.bz2 && \ aria2c --allow-overwrite -s16 -x 16 "$myURL" && \
bunzip2 -f *.bz2 myBLACKHOLE_IPS=$(grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b" "$myFILE" | sort -u)
myBLACKHOLE_IPS=$(grep "mass scanner" iprep.yaml | cut -f 1 -d":" | tr -d '"')
fi fi
myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w) myCOUNT=$(echo $myBLACKHOLE_IPS | wc -w)
# Let's extract mass scanner IPs # Let's extract mass scanner IPs
if [ "$myCOUNT" -lt "3000" ] && [ "$1" == "add" ]; if [ "$myCOUNT" -lt "$myBASELINE" ] && [ "$1" == "add" ];
then then
echo "### Something went wrong. Please check contents of /etc/blackhole/iprep.yaml." echo "### Something went wrong. Please check contents of /etc/blackhole/$myFILE."
echo "### Aborting." echo "### Aborting."
echo echo
exit exit
elif [ "$(ip r | grep 'blackhole' -c)" -gt "3000" ] && [ "$1" == "add" ]; elif [ "$(ip r | grep 'blackhole' -c)" -gt "$myBASELINE" ] && [ "$1" == "add" ];
then then
echo "### Blackhole already enabled." echo "### Blackhole already enabled."
echo "### Aborting." echo "### Aborting."
@ -63,14 +70,13 @@ elif [ "$(ip r | grep 'blackhole' -c)" -gt "3000" ] && [ "$1" == "add" ];
fi fi
# Let's add blackhole routes for all mass scanner IPs # Let's add blackhole routes for all mass scanner IPs
# Your personal preferences may vary, feel free to adjust accordingly
if [ "$1" == "add" ]; if [ "$1" == "add" ];
then then
echo echo
echo -n "Now adding $myCOUNT IPs to blackhole." echo -n "Now adding $myCOUNT IPs to blackhole."
for i in $myBLACKHOLE_IPS; for i in $myBLACKHOLE_IPS;
do do
ip route add blackhole $i ip route add blackhole "$i"
echo -n "." echo -n "."
done done
echo echo
@ -83,18 +89,20 @@ if [ "$1" == "add" ];
fi fi
# Let's delete blackhole routes for all mass scanner IPs # Let's delete blackhole routes for all mass scanner IPs
if [ "$1" == "del" ] && [ "$myCOUNT" -gt 3000 ]; if [ "$1" == "del" ] && [ "$myCOUNT" -gt "$myBASELINE" ];
then then
echo echo
echo -n "Now deleting $myCOUNT IPs from blackhole." echo -n "Now deleting $myCOUNT IPs from blackhole."
for i in $myBLACKHOLE_IPS; for i in $myBLACKHOLE_IPS;
do do
ip route del blackhole $i ip route del blackhole "$i"
echo -n "." echo -n "."
done done
echo echo
echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole." echo "$(ip r | grep 'blackhole' -c) IPs remaining in blackhole."
rm iprep.yaml echo
rm "$myFILE"
else else
echo "Blackhole already disabled." echo "### Blackhole already disabled."
echo
fi fi
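Review bot: The age computation `myDAYS=$(( (now-old) / (60*60*24) ))` in the hunk at `@ -23,38 +24,44 @@` references `now` and `old`, but the timestamps are stored in `myNOW` and `myOLD`; in bash arithmetic an unset name evaluates to 0, so `myDAYS` is always 0 and the `"$myDAYS" -gt 30` refresh condition on the download guard never fires, leaving the maltrail list stale until a `del` run removes the file. The line should read `myDAYS=$(( (myNOW-myOLD) / (60*60*24) ))`. Separately, the only validation between the downloaded list and `ip route add blackhole "$i"` is the entry count against `$myBASELINE`, and the new `grep -o -P "\b(?:\d{1,3}\.){3}\d{1,3}\b"` extraction accepts any dotted quad, including octets above 255 and any address that might appear in a comment or header line of the file; a filter that drops malformed quads and loopback, link-local and RFC 1918 ranges before the add loop would keep a bad list entry from null-routing the host's own gateway or local network. The `del` path at `@ -83,18 +89,20 @@` reads the same `myBLACKHOLE_IPS`, so it would benefit from the same filter to keep add and del symmetric.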