From 48420d16c4ce02aacbbce2ff27c1c3eb409169ce Mon Sep 17 00:00:00 2001
From: Domenico Del Giudice
Date: Sat, 1 Mar 2025 14:19:37 +0100
Subject: [PATCH] Initial commit after cloning
---
 .env | 166 ++++++++++++++++++
 .../ISSUE_TEMPLATE/bug-report-for-t-pot.md | 43 +++++
 .../feature-request-for-t-pot.md | 20 +++
 .../ISSUE_TEMPLATE/general-issue-for-t-pot.md | 43 +++++
 .github/workflows/basic-support-info.yml | 49 ++++++
 .github/workflows/stale.yml | 24 +++
 .gitignore | 6 +
 7 files changed, 351 insertions(+)
 create mode 100755 .env
 create mode 100644 .github/ISSUE_TEMPLATE/bug-report-for-t-pot.md
 create mode 100644 .github/ISSUE_TEMPLATE/feature-request-for-t-pot.md
 create mode 100644 .github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
 create mode 100644 .github/workflows/basic-support-info.yml
 create mode 100644 .github/workflows/stale.yml
 create mode 100644 .gitignore
diff --git a/.env b/.env
new file mode 100755
index 00000000..c46c06aa
--- /dev/null
+++ b/.env
@@ -0,0 +1,166 @@
+# T-Pot config file. Do not remove.
+
+###############################################
+# T-Pot Base Settings - Adjust to your needs. #
+###############################################
+
+# Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
+# : This is the default
+# :
+# Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the WEB_USER if you want to manually deploy T-Pot, run 'install.sh' to automatically add a user during installation, or 'genuser.sh' if you just want to add a web user.
+# Example: 'htpasswd -n -b "tsec" "tsec" | base64 -w0' will print dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
+# Copy the string and replace WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
+# Multiple users are possible:
+# WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo= dHNlYzokYXByMSR6VUFHVWdmOCRROXI3a09CTjFjY3lCeU1DTloyanEvCgo=
+WEB_USER=ZG9tZTokYXByMSR6TDVKUklSRiRVN29oZENBdjVrSFNRbFV3TFVudEgvCgo= ZG9tZTokYXByMSR6TDVKUklSRiRVN29oZENBdjVrSFNRbFV3TFVudEgvCgo=
+
+# Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
+# The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
+# : This is empty by default.
+# <'htpasswd encoded usernames / passwords'>:
+# Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the LS_WEB_USER if you want to manually deploy the sensor.
+# Example: 'htpasswd -n -b "sensor" "sensor" | base64 -w0' will print c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
+# Copy the string and replace / add LS_WEB_USER=c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
+# Multiple users are possible:
+# LS_WEB_USER=c2Vuc29yMTokYXByMSQ5aXhNRk5yMCR6d3F2dGFwQ2x0cFBhU1pqMm9ZemYxCgo= c2Vuc29yMjokYXByMSRtYTlOS1J2NCQvU3dsVVBMeW5RaVIyM3pyWVAzOUkwCgo=
+LS_WEB_USER=
+
+# T-Pot Blackhole
+# ENABLED: T-Pot will download a db of known mass scanners and nullroute them.
+# Be aware, this will put T-Pot off the map for stealth reasons and
+# you will get less traffic. Routes will be active until next reboot
+# and will be re-added with every T-Pot start until disabled.
+# DISABLED: This is the default and no stealth efforts are in place.
+TPOT_BLACKHOLE=DISABLED
+
+# T-Pot Persistence
+# on: This is the default. T-Pot will keep the honeypot logfiles and rotate
+# with logrotate for 30 days.
+# off: This is recommended for Raspberry Pi or setups with weaker CPUs or
+# if you just do not need any of the logfiles.
+TPOT_PERSISTENCE=on
+
+# T-Pot Type
+# HIVE: This is the default and offers everything to connect T-Pot sensors.
+# SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
+# settings as well.
+# 1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
+# 2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
+# your SENSOR host to ~/tpotce/data/hive.crt
+# 3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
+# Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd '
+# 4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
+# "echo -n 'username:password' | base64 -w0"
+# MOBILE: This will set the correct type for T-Pot Mobile (https://github.com/telekom-security/tpotmobile)
+TPOT_TYPE=HIVE
+
+# T-Pot Hive User (only relevant for SENSOR deployment)
+# : This is empty by default.
+# : Provide a base64 encoded string "echo -n 'username:password' | base64 -w0"
+# i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
+TPOT_HIVE_USER=
+
+# Logstash Sensor SSL verfication (only relevant on SENSOR hosts)
+# full: This is the default. Logstash, by default, verifies the complete certificate chain for ssl certificates.
+# This also includes the FQDN and sANs. By default T-Pot will only generate a self-signed certificate which
+# contains a sAN for the HIVE IP. In scenario where the HIVE needs to be accessed via Internet, maybe with
+# a different NAT address, a new certificate needs to be generated before deployment that includes all the
+# IPs and FQDNs as sANs for logstash successfully establishing a connection to the HIVE for transmitting
+# logs. Details here: https://github.com/telekom-security/tpotce?tab=readme-ov-file#distributed-deployment
+# none: This setting will disable the ssl verification check of logstash and should only be used in a testing
+# environment where IPs often change. It is not recommended for a production environment where trust between
+# HIVE and SENSOR is only established through a self signed certificate.
+LS_SSL_VERIFICATION=full
+
+# T-Pot Hive IP (only relevant for SENSOR deployment)
+# : This is empty by default.
+# : This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
+TPOT_HIVE_IP=
+
+# T-Pot AttackMap Text Output
+# ENABLED: This is the default and the docker container map_data will print events to the console.
+# DISABLED: Printing events to the console is disabled.
+TPOT_ATTACKMAP_TEXT=ENABLED
+
+# T-Pot AttackMap Text Output Timezone
+# UTC: (T-Pot default) This is usually the best option.
+# Continent/City: In Linux you can check our timezone with `readlink` /etc/localtime or
+# see the full list here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+# Examples: America/New_York, Asia/Taipei, Australia/Melbourne, Europe/Athens, Europe/Berlin
+TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
+
+###################################################################################
+# Honeypots / Tools settings
+###################################################################################
+# Some services / tools offer adjustments using ENVs which can be adjusted here.
+###################################################################################
+
+# Suricata ET Pro ruleset
+# OPEN: This is the default and will the ET Open ruleset
+# OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
+OINKCODE=OPEN
+
+# Beelzebub Honeypot supports LLMs such as ChatGPT and the Ollama backend.
+# Beelzebub is not part of the standard edition, please follow the README regarding setup.
+# It is recommended to use the Ollama backend to keep costs at bay.
+# Remember to rate limit API usage / set budget alerts when using ChatGPT API.
+# BEELZEBUB_LLM_MODEL: Set to "ollama" or "gpt4-o".
+# BEELZEBUB_LLM_HOST: When using "ollama" set it to the URL of your Ollama backend.
+# BEELZEBUB_OLLAMA_MODEL: Set to the model you are serving on your Ollama backend, i.e. "openchat".
+# BEELZEBUB_LLM_MODEL: "gpt4-o"
+# BEELZEBUB_OPENAISECRETKEY: "sk-proj-123456"
+BEELZEBUB_LLM_MODEL: "ollama"
+BEELZEBUB_LLM_HOST: "http://ollama.local:11434/api/chat"
+BEELZEBUB_OLLAMA_MODEL: "openchat"
+
+# Galah is a LLM-powered web honeypot supporting various LLM backends.
+# Galah is not part of the standard edition, please follow the README regarding setup.
+# It is recommended to use the Ollama backend to keep costs at bay.
+# Remember to rate limit API usage / set budget alerts when using ChatGPT API.
+# GALAH_LLM_PROVIDER: Set to "ollama" or "gpt4-o".
+# GALAH_LLM_SERVER_URL: When using "ollama" set it to the URL of your Ollama backend.
+# GALAH_LLM_MODEL: Set to the model you are serving on your Ollama backend, i.e. "llama3".
+# GALAH_LLM_TEMPERATURE: "1"
+# GALAH_LLM_API_KEY: "sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+# GALAH_LLM_CLOUD_LOCATION: ""
+# GALAH_LLM_CLOUD_PROJECT: ""
+GALAH_LLM_PROVIDER: "ollama"
+GALAH_LLM_SERVER_URL: "http://ollama.local:11434"
+GALAH_LLM_MODEL: "llama3.1"
+
+
+###################################################################################
+# NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
+###################################################################################
+
+# docker.sock Path
+TPOT_DOCKER_SOCK=/var/run/docker.sock
+
+# docker compose .env
+TPOT_DOCKER_ENV=./.env
+
+# Docker-Compose file
+TPOT_DOCKER_COMPOSE=./docker-compose.yml
+
+# T-Pot Docker Repo
+# Depending on where you are located you may choose between DockerHub and GHCR
+# dtagdevsec: This will use the DockerHub image registry
+# ghcr.io/telekom-security: This will use the GitHub container registry
+TPOT_REPO=ghcr.io/telekom-security
+
+# T-Pot Version Tag
+TPOT_VERSION=24.04.1
+
+# T-Pot Pull Policy
+# always: (T-Pot default) Compose implementations SHOULD always pull the image from the registry.
+# never: Compose implementations SHOULD NOT pull the image from a registry and SHOULD rely on the platform cached image.
+# missing: Compose implementations SHOULD pull the image only if it's not available in the platform cache.
+# build: Compose implementations SHOULD build the image. Compose implementations SHOULD rebuild the image if already present.
+TPOT_PULL_POLICY=always
+
+# T-Pot Data Path
+TPOT_DATA_PATH=./data
+
+# OSType (linux, mac, win)
+# Most docker features are available on linux
+TPOT_OSTYPE=mac
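Review bot: The `WEB_USER=` line in this hunk commits an htpasswd entry that is not the documented `tsec` example, i.e. a real login credential for this deployment (the same base64 entry repeated twice), and the `.gitignore` added in the same commit does not exclude `.env`, so the hash is now in repository history. Treat that credential as exposed: regenerate the web user with `genuser.sh` or `htpasswd -n -b "username" "password" | base64 -w0` as the comment block above describes, add `.env` to `.gitignore`, and commit only a template with `WEB_USER=` left empty. The duplicated entry on the same line adds nothing and can be dropped. The file is also created with mode `100755`; a configuration file read by compose does not need the executable bit, so `100644` like the other files is the safer default.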
diff --git a/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md b/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md
new file mode 100644
index 00000000..e2eb2e88
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md
@@ -0,0 +1,43 @@
+---
+name: Bug report for T-Pot 24.04.x
+about: Bug report for T-Pot 24.04.x
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+# Successfully raise an issue
+Before you post your issue make sure it has not been answered yet and provide **⚠️ BASIC SUPPORT INFORMATION** (as requested below) if you come to the conclusion it is a new issue.
+
+- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
+- 🧐 Check our [Wiki](https://github.com/dtag-dev-sec/tpotce/wiki) and the [discussions](https://github.com/telekom-security/tpotce/discussions)
+- 📚 Consult the documentation of 💻 your Linux OS, 🐳 [Docker](https://docs.docker.com/), the 🦌 [Elastic stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
+- ⚙️ The [Troubleshoot Section](https://github.com/telekom-security/tpotce?tab=readme-ov-file#troubleshooting) of the [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md) is a good starting point to collect a good set of information for the issue and / or to fix things on your own.
+- **⚠️ Provide [BASIC SUPPORT INFORMATION](#-basic-support-information-commands-are-expected-to-run-as-root) or similar detailed information with regard to your issue or we will close the issue or convert it into a discussion without further interaction from the maintainers**.
+
+# ⚠️ Basic support information (commands are expected to run as `root`)
+
+**We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.**
+
+- What OS are you T-Pot running on?
+- What is the version of the OS `lsb_release -a` and `uname -a`?
+- What T-Pot version are you currently using (only **T-Pot 24.04.x** is currently supported)?
+- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
+- Review the `~/install_tpot.log`, attach the log and highlight the errors.
+- How long has your installation been running?
+ - If it is a fresh install consult the documentation first.
+ - Most likely it is a port conflict or a remote dependency was unavailable.
+ - Retry a fresh installation and only open the issue if the error keeps coming up and is not resolved using the documentation as described [here](#how-to-raise-an-issue).
+- Did you install upgrades, packages or use the update script?
+- Did you modify any scripts or configs? If yes, please attach the changes.
+- Please provide a screenshot of `htop` and `docker stats`.
+- How much free disk space is available (`df -h`)?
+- What is the current container status (`dps`)?
+- On Linux: What is the status of the T-Pot service (`systemctl status tpot`)?
+- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `grc netstat -tulpen`
+ - Stop T-Pot `systemctl stop tpot`
+ - Run `grc netstat -tulpen`
+ - Run T-Pot manually with `docker compose -f ~/tpotce/docker-compose.yml up` and check for errors
+ - Stop execution with `CTRL-C` and `docker compose -f ~/tpotce/docker-compose.yml down -v`
+- If a single container shows as `DOWN` you can run `docker logs ` for the latest log entries
diff --git a/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md b/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md
new file mode 100644
index 00000000..81063643
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md
@@ -0,0 +1,20 @@
+---
+name: Feature request for T-Pot 24.04.x
+about: Suggest an idea for T-Pot 24.04.x
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md b/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
new file mode 100644
index 00000000..45ca029d
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md
@@ -0,0 +1,43 @@
+---
+name: General issue for T-Pot 24.04.x
+about: General issue for T-Pot 24.04.x
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+# Successfully raise an issue
+Before you post your issue make sure it has not been answered yet and provide **⚠️ BASIC SUPPORT INFORMATION** (as requested below) if you come to the conclusion it is a new issue.
+
+- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
+- 🧐 Check our [Wiki](https://github.com/dtag-dev-sec/tpotce/wiki) and the [discussions](https://github.com/telekom-security/tpotce/discussions)
+- 📚 Consult the documentation of 💻 your Linux OS, 🐳 [Docker](https://docs.docker.com/), the 🦌 [Elastic stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
+- ⚙️ The [Troubleshoot Section](https://github.com/telekom-security/tpotce?tab=readme-ov-file#troubleshooting) of the [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md) is a good starting point to collect a good set of information for the issue and / or to fix things on your own.
+- **⚠️ Provide [BASIC SUPPORT INFORMATION](#-basic-support-information-commands-are-expected-to-run-as-root) or similar detailed information with regard to your issue or we will close the issue or convert it into a discussion without further interaction from the maintainers**.
+
+# ⚠️ Basic support information (commands are expected to run as `root`)
+
+**We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.**
+
+- What OS are you T-Pot running on?
+- What is the version of the OS `lsb_release -a` and `uname -a`?
+- What T-Pot version are you currently using (only **T-Pot 24.04.x** is currently supported)?
+- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
+- Review the `~/install_tpot.log`, attach the log and highlight the errors.
+- How long has your installation been running?
+ - If it is a fresh install consult the documentation first.
+ - Most likely it is a port conflict or a remote dependency was unavailable.
+ - Retry a fresh installation and only open the issue if the error keeps coming up and is not resolved using the documentation as described [here](#how-to-raise-an-issue).
+- Did you install upgrades, packages or use the update script?
+- Did you modify any scripts or configs? If yes, please attach the changes.
+- Please provide a screenshot of `htop` and `docker stats`.
+- How much free disk space is available (`df -h`)?
+- What is the current container status (`dps`)?
+- On Linux: What is the status of the T-Pot service (`systemctl status tpot`)?
+- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `grc netstat -tulpen`
+ - Stop T-Pot `systemctl stop tpot`
+ - Run `grc netstat -tulpen`
+ - Run T-Pot manually with `docker compose -f ~/tpotce/docker-compose.yml up` and check for errors
+ - Stop execution with `CTRL-C` and `docker compose -f ~/tpotce/docker-compose.yml down -v`
+- If a single container shows as `DOWN` you can run `docker logs ` for the latest log entries
diff --git a/.github/workflows/basic-support-info.yml b/.github/workflows/basic-support-info.yml
new file mode 100644
index 00000000..accc603c
--- /dev/null
+++ b/.github/workflows/basic-support-info.yml
@@ -0,0 +1,49 @@
+name: "Check Basic Support Info"
+
+on:
+ issues:
+ types: [opened, edited]
+
+permissions:
+ issues: write
+ contents: read
+
+jobs:
+ check-issue:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@v4
+
+ - name: Install jq
+ run: sudo apt-get install jq -y
+
+ - name: Check issue for basic support info
+ id: check_issue
+ run: |
+ REQUIRED_INFO=("What OS are you T-Pot running on?" "What is the version of the OS" "What T-Pot version are you currently using" "What architecture are you running on" "Review the \`~/install_tpot.log\`" "How long has your installation been running?" "Did you install upgrades, packages or use the update script?" "Did you modify any scripts or configs?" "Please provide a screenshot of \`htop\` and \`docker stats\`." "How much free disk space is available" "What is the current container status" "What is the status of the T-Pot service" "What ports are being occupied?")
+
+ ISSUE_BODY=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.body')
+ MISSING_INFO=()
+
+ for info in "${REQUIRED_INFO[@]}"; do
+ if [[ "$ISSUE_BODY" != *"$info"* ]]; then
+ MISSING_INFO+=("$info")
+ fi
+ done
+
+ if [ ${#MISSING_INFO[@]} -ne 0 ]; then
+ echo "missing=true" >> $GITHUB_ENV
+ else
+ echo "missing=false" >> $GITHUB_ENV
+ fi
+
+ - name: Add "no basic support info" label if necessary
+ if: env.missing == 'true'
+ run: gh issue edit "$NUMBER" --add-label "$LABELS"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ NUMBER: ${{ github.event.issue.number }}
+ LABELS: no basic support info
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 00000000..8d8b3d78
--- /dev/null
+++ b/.github/workflows/stale.yml
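Review bot: The `actions/checkout@v4` step is dead weight in this job: no later step touches the working tree (the check reads `$GITHUB_EVENT_PATH` and the label step calls `gh` with env vars), so it only adds a third-party action to the trust boundary of a job that holds an `issues: write` token; drop the two `- name: Check out the repository` / `uses: actions/checkout@v4` lines. The remaining `uses:` references here and `actions/stale@v7` in stale.yml are pinned to mutable tags; pinning to a full commit SHA (`uses: actions/checkout@<commit-sha>  # vX.Y.Z`, value to be looked up) makes the workflow resistant to a compromised or moved tag. Reading the issue body through `jq -r '.issue.body'` rather than interpolating `${{ github.event.issue.body }}` into the script is the right choice and deserves a comment so it is not "simplified" later, e.g. `# Read the body from the event file, not via ${{ }} expansion, so issue text can never be executed as shell`. Since the trigger includes `edited`, note that the workflow only ever adds the label and never removes it once the missing information is supplied; if that is intended, a one-line comment on the `types:` line would save the next reader the question.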
@@ -0,0 +1,24 @@
+name: "Tag stale issues and pull requests"
+
+on:
+ schedule:
+ - cron: "0 0 * * *" # Runs every day at midnight
+ workflow_dispatch: # Allows the workflow to be triggered manually
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/stale@v7
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-issue-message: "This issue has been marked as stale because it has had no activity for 7 days. If you are still experiencing this issue, please comment or it will be closed in 7 days."
+ stale-pr-message: "This pull request has been marked as stale because it has had no activity for 7 days. If you are still working on this, please comment or it will be closed in 7 days."
+ days-before-stale: 7
+ days-before-close: 7
+ stale-issue-label: "stale"
+ exempt-issue-labels: "keep-open"
+ stale-pr-label: "stale"
+ exempt-pr-labels: "keep-open"
+ operations-per-run: 30
+ debug-only: false
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..14b8fa50
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+# Ignore data folder
+data/
+_data/
+**/.DS_Store
+.idea
+install_tpot.log
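Review bot: This workflow has no `permissions:` block, unlike basic-support-info.yml in the same commit, so the `GITHUB_TOKEN` passed as `repo-token` gets whatever the repository default is — either too little (read-only, and the stale action fails when it tries to label, comment or close) or far more than labelling needs. Declare the least privilege the action uses at the workflow level, `permissions:` / `issues: write` / `pull-requests: write`, so behaviour does not depend on the repository setting. The `actions/stale@v7` tag pin shares the supply-chain point raised on basic-support-info.yml.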