Initial commit after cloning

.env

@@ -0,0 +1,166 @@
+# T-Pot config file. Do not remove.
+
+###############################################
+# T-Pot Base Settings - Adjust to your needs. #
+###############################################
+
+# Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
+#  <empty>: This is the default
+#  <base64 encoded htpasswd usernames / passwords>:
+#   Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the WEB_USER if you want to manually deploy T-Pot, run 'install.sh' to automatically add a user during installation, or 'genuser.sh' if you just want to add a web user.
+#   Example: 'htpasswd -n -b "tsec" "tsec" | base64 -w0' will print dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
+#   Copy the string and replace WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo=
+#   Multiple users are possible:
+#   WEB_USER=dHNlYzokYXByMSRYUnE2SC5rbiRVRjZQM1VVQmJVNWJUQmNmSGRuUFQxCgo= dHNlYzokYXByMSR6VUFHVWdmOCRROXI3a09CTjFjY3lCeU1DTloyanEvCgo=
+WEB_USER=ZG9tZTokYXByMSR6TDVKUklSRiRVN29oZENBdjVrSFNRbFV3TFVudEgvCgo= ZG9tZTokYXByMSR6TDVKUklSRiRVN29oZENBdjVrSFNRbFV3TFVudEgvCgo=
+
+# Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
+# The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
+#  <empty>: This is empty by default.
+#  <'htpasswd encoded usernames / passwords'>:
+#   Use 'htpasswd -n -b "username" "password" | base64 -w0' to create the LS_WEB_USER if you want to manually deploy the sensor.
+#   Example: 'htpasswd -n -b "sensor" "sensor" | base64 -w0' will print c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
+#   Copy the string and replace / add LS_WEB_USER=c2Vuc29yOiRhcHIxJGVpMHdzUmdYJHNyWHF4UG53ZzZqWUc3aEFaUWxrWDEKCg==
+#   Multiple users are possible:
+#   LS_WEB_USER=c2Vuc29yMTokYXByMSQ5aXhNRk5yMCR6d3F2dGFwQ2x0cFBhU1pqMm9ZemYxCgo= c2Vuc29yMjokYXByMSRtYTlOS1J2NCQvU3dsVVBMeW5RaVIyM3pyWVAzOUkwCgo=
+LS_WEB_USER=
+
+# T-Pot Blackhole
+#  ENABLED: T-Pot will download a db of known mass scanners and nullroute them.
+#           Be aware, this will put T-Pot off the map for stealth reasons and
+#           you will get less traffic. Routes will be active until next reboot
+#           and will be re-added with every T-Pot start until disabled.
+#  DISABLED: This is the default and no stealth efforts are in place.
+TPOT_BLACKHOLE=DISABLED
+
+# T-Pot Persistence
+#  on: This is the default. T-Pot will keep the honeypot logfiles and rotate
+#      with logrotate for 30 days.
+#  off: This is recommended for Raspberry Pi or setups with weaker CPUs or
+#       if you just do not need any of the logfiles.
+TPOT_PERSISTENCE=on
+
+# T-Pot Type
+#  HIVE: This is the default and offers everything to connect T-Pot sensors.
+#  SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
+#          settings as well.
+#          1. You will need to copy compose/sensor.yml to ./docker-comopose.yml
+#          2. From HIVE host you will need to copy ~/tpotce/data/nginx/cert/nginx.crt to
+#             your SENSOR host to ~/tpotce/data/hive.crt
+#          3. On HIVE: Create a web user per SENSOR on HIVE and provide credentials below
+#             Create credentials with 'htpasswd ~/tpotce/data/nginx/conf/lswebpasswd <username>'
+#          4. On SENSOR: Provide username / password from (3) for TPOT_HIVE_USER as base64 encoded string:
+#                        "echo -n 'username:password' | base64 -w0"
+#  MOBILE: This will set the correct type for T-Pot Mobile (https://github.com/telekom-security/tpotmobile)
+TPOT_TYPE=HIVE
+
+# T-Pot Hive User (only relevant for SENSOR deployment)
+#  <empty>: This is empty by default.
+#  <base64 encoded string>: Provide a base64 encoded string "echo -n 'username:password' | base64 -w0"
+#                           i.e. TPOT_HIVE_USER='dXNlcm5hbWU6cGFzc3dvcmQ='
+TPOT_HIVE_USER=
+
+# Logstash Sensor SSL verfication (only relevant on SENSOR hosts)
+# full: This is the default. Logstash, by default, verifies the complete certificate chain for ssl certificates.
+#       This also includes the FQDN and sANs. By default T-Pot will only generate a self-signed certificate which
+#       contains a sAN for the HIVE IP. In scenario where the HIVE needs to be accessed via Internet, maybe with
+#       a different NAT address, a new certificate needs to be generated before deployment that includes all the
+#       IPs and FQDNs as sANs for logstash successfully establishing a connection to the HIVE for transmitting
+#       logs. Details here: https://github.com/telekom-security/tpotce?tab=readme-ov-file#distributed-deployment
+# none: This setting will disable the ssl verification check of logstash and should only be used in a testing
+#       environment where IPs often change. It is not recommended for a production environment where trust between
+#       HIVE and SENSOR is only established through a self signed certificate. 
+LS_SSL_VERIFICATION=full
+
+# T-Pot Hive IP (only relevant for SENSOR deployment)
+#  <empty>: This is empty by default.
+#  <IP, FQDN>: This can be either a IP (i.e. 192.168.1.1) or a FQDN (i.e. foo.bar.local)
+TPOT_HIVE_IP=
+
+# T-Pot AttackMap Text Output
+#  ENABLED: This is the default and the docker container map_data will print events to the console.
+#  DISABLED: Printing events to the console is disabled.
+TPOT_ATTACKMAP_TEXT=ENABLED
+
+# T-Pot AttackMap Text Output Timezone
+#  UTC: (T-Pot default) This is usually the best option.
+#  Continent/City: In Linux you can check our timezone with `readlink` /etc/localtime or
+#                  see the full list here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+#  Examples: America/New_York, Asia/Taipei, Australia/Melbourne, Europe/Athens, Europe/Berlin
+TPOT_ATTACKMAP_TEXT_TIMEZONE=UTC
+
+###################################################################################
+# Honeypots / Tools settings
+###################################################################################
+# Some services / tools offer adjustments using ENVs which can be adjusted here.
+###################################################################################
+
+# Suricata ET Pro ruleset
+#  OPEN: This is the default and will the ET Open ruleset
+#  OINKCODE: Replace OPEN with your Oinkcode to use the ET Pro ruleset
+OINKCODE=OPEN
+
+# Beelzebub Honeypot supports LLMs such as ChatGPT and the Ollama backend.
+# Beelzebub is not part of the standard edition, please follow the README regarding setup.
+# It is recommended to use the Ollama backend to keep costs at bay.
+# Remember to rate limit API usage / set budget alerts when using ChatGPT API.
+# BEELZEBUB_LLM_MODEL: Set to "ollama" or "gpt4-o".
+# BEELZEBUB_LLM_HOST: When using "ollama" set it to the URL of your Ollama backend.
+# BEELZEBUB_OLLAMA_MODEL: Set to the model you are serving on your Ollama backend, i.e. "openchat".
+# BEELZEBUB_LLM_MODEL: "gpt4-o"
+# BEELZEBUB_OPENAISECRETKEY: "sk-proj-123456"
+BEELZEBUB_LLM_MODEL: "ollama"
+BEELZEBUB_LLM_HOST: "http://ollama.local:11434/api/chat"
+BEELZEBUB_OLLAMA_MODEL: "openchat"
+
+# Galah is a LLM-powered web honeypot supporting various LLM backends.
+# Galah is not part of the standard edition, please follow the README regarding setup.
+# It is recommended to use the Ollama backend to keep costs at bay.
+# Remember to rate limit API usage / set budget alerts when using ChatGPT API.
+# GALAH_LLM_PROVIDER: Set to "ollama" or "gpt4-o".
+# GALAH_LLM_SERVER_URL: When using "ollama" set it to the URL of your Ollama backend.
+# GALAH_LLM_MODEL: Set to the model you are serving on your Ollama backend, i.e. "llama3".
+# GALAH_LLM_TEMPERATURE: "1"
+# GALAH_LLM_API_KEY: "sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+# GALAH_LLM_CLOUD_LOCATION: ""
+# GALAH_LLM_CLOUD_PROJECT: ""
+GALAH_LLM_PROVIDER: "ollama"
+GALAH_LLM_SERVER_URL: "http://ollama.local:11434"
+GALAH_LLM_MODEL: "llama3.1"
+
+
+###################################################################################
+# NEVER MAKE CHANGES TO THIS SECTION UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!!! #
+###################################################################################
+
+# docker.sock Path
+TPOT_DOCKER_SOCK=/var/run/docker.sock
+
+# docker compose .env
+TPOT_DOCKER_ENV=./.env
+
+# Docker-Compose file
+TPOT_DOCKER_COMPOSE=./docker-compose.yml
+
+# T-Pot Docker Repo
+#  Depending on where you are located you may choose between DockerHub and GHCR
+#  dtagdevsec: This will use the DockerHub image registry
+#  ghcr.io/telekom-security: This will use the GitHub container registry
+TPOT_REPO=ghcr.io/telekom-security
+
+# T-Pot Version Tag
+TPOT_VERSION=24.04.1
+
+# T-Pot Pull Policy
+#  always: (T-Pot default) Compose implementations SHOULD always pull the image from the registry.
+#  never: Compose implementations SHOULD NOT pull the image from a registry and SHOULD rely on the platform cached image.
+#  missing: Compose implementations SHOULD pull the image only if it's not available in the platform cache.
+#  build: Compose implementations SHOULD build the image. Compose implementations SHOULD rebuild the image if already present.
+TPOT_PULL_POLICY=always
+
+# T-Pot Data Path
+TPOT_DATA_PATH=./data
+
+# OSType (linux, mac, win)
+#  Most docker features are available on linux
+TPOT_OSTYPE=mac

.github/ISSUE_TEMPLATE/bug-report-for-t-pot.md

@@ -0,0 +1,43 @@
+---
+name: Bug report for T-Pot 24.04.x
+about: Bug report for T-Pot 24.04.x
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+# Successfully raise an issue
+Before you post your issue make sure it has not been answered yet and provide **⚠️ BASIC SUPPORT INFORMATION** (as requested below) if you come to the conclusion it is a new issue.
+
+- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
+- 🧐 Check our [Wiki](https://github.com/dtag-dev-sec/tpotce/wiki) and the [discussions](https://github.com/telekom-security/tpotce/discussions)
+- 📚 Consult the documentation of 💻 your Linux OS, 🐳 [Docker](https://docs.docker.com/), the 🦌 [Elastic stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
+- ⚙️ The [Troubleshoot Section](https://github.com/telekom-security/tpotce?tab=readme-ov-file#troubleshooting) of the [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md) is a good starting point to collect a good set of information for the issue and / or to fix things on your own.
+- **⚠️ Provide [BASIC SUPPORT INFORMATION](#-basic-support-information-commands-are-expected-to-run-as-root) or similar detailed information with regard to your issue or we will close the issue or convert it into a discussion without further interaction from the maintainers**.<br>
+
+# ⚠️ Basic support information (commands are expected to run as `root`)
+
+**We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.** 
+
+- What OS are you T-Pot running on?
+- What is the version of the OS `lsb_release -a` and `uname -a`?
+- What T-Pot version are you currently using (only **T-Pot 24.04.x** is currently supported)?
+- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
+- Review the `~/install_tpot.log`, attach the log and highlight the errors.
+- How long has your installation been running?
+  - If it is a fresh install consult the documentation first.
+  - Most likely it is a port conflict or a remote dependency was unavailable.
+  - Retry a fresh installation and only open the issue if the error keeps coming up and is not resolved using the documentation as described [here](#how-to-raise-an-issue).  
+- Did you install upgrades, packages or use the update script?
+- Did you modify any scripts or configs? If yes, please attach the changes.
+- Please provide a screenshot of `htop` and `docker stats`.
+- How much free disk space is available (`df -h`)?
+- What is the current container status (`dps`)?
+- On Linux: What is the status of the T-Pot service (`systemctl status tpot`)?
+- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `grc netstat -tulpen`
+  - Stop T-Pot `systemctl stop tpot`
+  - Run `grc netstat -tulpen`
+  - Run T-Pot manually with `docker compose -f ~/tpotce/docker-compose.yml up` and check for errors
+  - Stop execution with `CTRL-C` and `docker compose -f ~/tpotce/docker-compose.yml down -v`
+- If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

.github/ISSUE_TEMPLATE/feature-request-for-t-pot.md

@@ -0,0 +1,20 @@
+---
+name: Feature request for T-Pot 24.04.x
+about: Suggest an idea for T-Pot 24.04.x
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/general-issue-for-t-pot.md

@@ -0,0 +1,43 @@
+---
+name: General issue for T-Pot 24.04.x
+about: General issue for T-Pot 24.04.x
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+# Successfully raise an issue
+Before you post your issue make sure it has not been answered yet and provide **⚠️ BASIC SUPPORT INFORMATION** (as requested below) if you come to the conclusion it is a new issue.
+
+- 🔍 Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first
+- 🧐 Check our [Wiki](https://github.com/dtag-dev-sec/tpotce/wiki) and the [discussions](https://github.com/telekom-security/tpotce/discussions)
+- 📚 Consult the documentation of 💻 your Linux OS, 🐳 [Docker](https://docs.docker.com/), the 🦌 [Elastic stack](https://www.elastic.co/guide/index.html) and the 🍯 [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md).
+- ⚙️ The [Troubleshoot Section](https://github.com/telekom-security/tpotce?tab=readme-ov-file#troubleshooting) of the [T-Pot Readme](https://github.com/dtag-dev-sec/tpotce/blob/master/README.md) is a good starting point to collect a good set of information for the issue and / or to fix things on your own.
+- **⚠️ Provide [BASIC SUPPORT INFORMATION](#-basic-support-information-commands-are-expected-to-run-as-root) or similar detailed information with regard to your issue or we will close the issue or convert it into a discussion without further interaction from the maintainers**.<br>
+
+# ⚠️ Basic support information (commands are expected to run as `root`)
+
+**We happily take the time to improve T-Pot and take care of things, but we need you to take the time to create an issue that provides us with all the information we need.** 
+
+- What OS are you T-Pot running on?
+- What is the version of the OS `lsb_release -a` and `uname -a`?
+- What T-Pot version are you currently using (only **T-Pot 24.04.x** is currently supported)?
+- What architecture are you running on (i.e. hardware, cloud, VM, etc.)?
+- Review the `~/install_tpot.log`, attach the log and highlight the errors.
+- How long has your installation been running?
+  - If it is a fresh install consult the documentation first.
+  - Most likely it is a port conflict or a remote dependency was unavailable.
+  - Retry a fresh installation and only open the issue if the error keeps coming up and is not resolved using the documentation as described [here](#how-to-raise-an-issue).  
+- Did you install upgrades, packages or use the update script?
+- Did you modify any scripts or configs? If yes, please attach the changes.
+- Please provide a screenshot of `htop` and `docker stats`.
+- How much free disk space is available (`df -h`)?
+- What is the current container status (`dps`)?
+- On Linux: What is the status of the T-Pot service (`systemctl status tpot`)?
+- What ports are being occupied? Stop T-Pot `systemctl stop tpot` and run `grc netstat -tulpen`
+  - Stop T-Pot `systemctl stop tpot`
+  - Run `grc netstat -tulpen`
+  - Run T-Pot manually with `docker compose -f ~/tpotce/docker-compose.yml up` and check for errors
+  - Stop execution with `CTRL-C` and `docker compose -f ~/tpotce/docker-compose.yml down -v`
+- If a single container shows as `DOWN` you can run `docker logs <container-name>` for the latest log entries

.github/workflows/basic-support-info.yml

@@ -0,0 +1,49 @@
+name: "Check Basic Support Info"
+
+on:
+  issues:
+    types: [opened, edited]
+
+permissions:
+  issues: write
+  contents: read
+
+jobs:
+  check-issue:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repository
+      uses: actions/checkout@v4
+
+    - name: Install jq
+      run: sudo apt-get install jq -y
+
+    - name: Check issue for basic support info
+      id: check_issue
+      run: |
+        REQUIRED_INFO=("What OS are you T-Pot running on?" "What is the version of the OS" "What T-Pot version are you currently using" "What architecture are you running on" "Review the \`~/install_tpot.log\`" "How long has your installation been running?" "Did you install upgrades, packages or use the update script?" "Did you modify any scripts or configs?" "Please provide a screenshot of \`htop\` and \`docker stats\`." "How much free disk space is available" "What is the current container status" "What is the status of the T-Pot service" "What ports are being occupied?")
+
+        ISSUE_BODY=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.body')
+        MISSING_INFO=()
+        
+        for info in "${REQUIRED_INFO[@]}"; do
+          if [[ "$ISSUE_BODY" != *"$info"* ]]; then
+            MISSING_INFO+=("$info")
+          fi
+        done
+        
+        if [ ${#MISSING_INFO[@]} -ne 0 ]; then
+          echo "missing=true" >> $GITHUB_ENV
+        else
+          echo "missing=false" >> $GITHUB_ENV
+        fi
+
+    - name: Add "no basic support info" label if necessary
+      if: env.missing == 'true'
+      run: gh issue edit "$NUMBER" --add-label "$LABELS"
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GH_REPO: ${{ github.repository }}
+        NUMBER: ${{ github.event.issue.number }}
+        LABELS: no basic support info

.github/workflows/stale.yml

@@ -0,0 +1,24 @@
+name: "Tag stale issues and pull requests"
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # Runs every day at midnight
+  workflow_dispatch: # Allows the workflow to be triggered manually
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/stale@v7
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: "This issue has been marked as stale because it has had no activity for 7 days. If you are still experiencing this issue, please comment or it will be closed in 7 days."
+        stale-pr-message: "This pull request has been marked as stale because it has had no activity for 7 days. If you are still working on this, please comment or it will be closed in 7 days."
+        days-before-stale: 7
+        days-before-close: 7
+        stale-issue-label: "stale"
+        exempt-issue-labels: "keep-open"
+        stale-pr-label: "stale"
+        exempt-pr-labels: "keep-open"
+        operations-per-run: 30
+        debug-only: false

.gitignore

@@ -0,0 +1,6 @@
+# Ignore data folder
+data/
+_data/
+**/.DS_Store
+.idea
+install_tpot.log