From 4cbd5e1b0b9f14b09c99ef57baf4e50565568707 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Thu, 7 Jun 2018 18:10:40 +0200
Subject: [PATCH] Add NG edition or ... ... not for the faint of heart edition :)
---
etc/compose/{tpotng.yml => ng.yml} | 457 +++++++++++++++++++++--------
1 file changed, 335 insertions(+), 122 deletions(-)
rename etc/compose/{tpotng.yml => ng.yml} (61%)
diff --git a/etc/compose/tpotng.yml b/etc/compose/ng.yml
similarity index 61%
rename from etc/compose/tpotng.yml
rename to etc/compose/ng.yml
index 79ddd828..9bbac11f 100644
--- a/etc/compose/tpotng.yml
+++ b/etc/compose/ng.yml
@@ -1,20 +1,119 @@ -# T-Pot (Standard) +# T-Pot (NG) # Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton) version: '2.3' networks: + conpot_local_IEC104: + conpot_local_guardian_ast: + conpot_local_ipmi: + conpot_local_kamstrup_382: cowrie_local: elasticpot_local: - ewsposter_local: - glastopf_local: + heralding_local: mailoney_local: rdpy_local: + tanner_local: + vnclowpot_local: + ewsposter_local: spiderfoot_local: portainer_local: - vnclowpot_local: services: +################## +#### Honeypots +################## + +# Conpot IEC104 service + conpot_IEC104: + container_name: conpot_IEC104 + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json + - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log + - CONPOT_TEMPLATE=IEC104 + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_IEC104 + ports: + - "161:161" + - "2404:2404" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Conpot guardian_ast service + conpot_guardian_ast: + container_name: conpot_guardian_ast + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json + - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log + - CONPOT_TEMPLATE=guardian_ast + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_guardian_ast + ports: + - "10001:10001" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Conpot ipmi + conpot_ipmi: + container_name: conpot_ipmi + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json + - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log + - 
CONPOT_TEMPLATE=ipmi + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_ipmi + ports: + - "623:623" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Conpot kamstrup_382 + conpot_kamstrup_382: + container_name: conpot_kamstrup_382 + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json + - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log + - CONPOT_TEMPLATE=kamstrup_382 + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_kamstrup_382 + ports: + - "1025:1025" + - "50100:50100" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + # Ciscoasa service ciscoasa: container_name: ciscoasa @@ -50,7 +149,7 @@ services: - /data/cowrie/keys:/home/cowrie/cowrie/etc - /data/cowrie/log:/home/cowrie/cowrie/log - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty - + # Dionaea service dionaea: container_name: dionaea 
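Review bot: The `ports` entries `"161:161"` under `conpot_IEC104` and `"623:623"` under `conpot_ipmi` publish TCP only, because Compose defaults to TCP when no protocol suffix is given, while SNMP and IPMI/RMCP are UDP services; if the Conpot templates bind UDP for these (as those protocols normally do), the honeypot would never see that traffic. The fix is the protocol suffix, `- "161:161/udp"` and `- "623:623/udp"`. The file header says these `ports` sections are also read by `/opt/tpot/bin/rules.sh` to build iptables ACCEPT rules for NFQ, so whether that script honours a `/udp` suffix should be checked at the same time; that cannot be seen from this file. The four `tmpfs` mounts at `/tmp/conpot:uid=2000,gid=2000` carry no `size=` option, so each defaults to the kernel's tmpfs limit rather than a bound chosen for the honeypot; adding a `size=` cap alongside the existing `uid`/`gid` options would limit how much host memory a misbehaving container can take.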
@@ -101,7 +200,235 @@ services: volumes: - /data/elasticpot/log:/opt/ElasticpotPY/log -# ELK services +# Heralding service + heralding: + container_name: heralding + restart: always + stop_signal: SIGINT + tmpfs: + - /tmp/heralding:uid=2000,gid=2000 + networks: + - heralding_local + ports: + # - "21:21" + # - "22:22" + # - "23:23" + # - "25:25" + # - "80:80" + - "110:110" + - "143:143" + # - "443:443" + - "993:993" + - "995:995" + - "5432:5432" + # - "5900:5900" + image: "dtagdevsec/heralding:1804" + read_only: true + volumes: + - /data/heralding/log:/var/log/heralding + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + tmpfs: + - /tmp/honeytrap:uid=2000,gid=2000 + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1804" + read_only: true + volumes: + - /data/honeytrap/attacks:/opt/honeytrap/var/attacks + - /data/honeytrap/downloads:/opt/honeytrap/var/downloads + - /data/honeytrap/log:/opt/honeytrap/var/log + +# Mailoney service + mailoney: + container_name: mailoney + restart: always + environment: + - HPFEEDS_SERVER= + - HPFEEDS_IDENT=user + - HPFEEDS_SECRET=pass + - HPFEEDS_PORT=20000 + - HPFEEDS_CHANNELPREFIX=prefix + stop_signal: SIGINT + networks: + - mailoney_local + ports: + - "25:25" + image: "dtagdevsec/mailoney:1804" + read_only: true + volumes: + - /data/mailoney/log:/opt/mailoney/logs + +# Rdpy service + rdpy: + container_name: rdpy + extra_hosts: + - hpfeeds.example.com:127.0.0.1 + restart: always + environment: + - HPFEEDS_SERVER=hpfeeds.example.com + - HPFEEDS_IDENT=user + - HPFEEDS_SECRET=pass + - HPFEEDS_PORT=65000 + - SERVERID=id + networks: + - rdpy_local + ports: + - "3389:3389" + image: "dtagdevsec/rdpy:1804" + read_only: true + volumes: + - /data/rdpy/log:/var/log/rdpy + +#### Snare / Tanner +## Tanner Redis Service + tanner_redis: + container_name: tanner_redis + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + image: "dtagdevsec/redis:1804" + 
read_only: true + +## PHP Sandbox service + tanner_phpox: + container_name: tanner_phpox + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + image: "dtagdevsec/phpox:1804" + read_only: true + +## Tanner API Service + tanner_api: + container_name: tanner_api + restart: always + stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + command: tannerapi + depends_on: + - tanner_redis + +## Tanner WEB Service + tanner_web: + container_name: tanner_web + restart: always + stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + command: tannerweb + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + depends_on: + - tanner_redis + +## Tanner Service + tanner: + container_name: tanner + restart: always + stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + command: tanner + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + - /data/tanner/files:/opt/tanner/files + depends_on: + - tanner_api + - tanner_web + - tanner_phpox + +## Snare Service + snare: + container_name: snare + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + ports: + - "80:80" + image: "dtagdevsec/snare:1804" + depends_on: + - tanner + +# Vnclowpot service + vnclowpot: + container_name: vnclowpot + restart: always + networks: + - vnclowpot_local + ports: + - "5900:5900" + image: "dtagdevsec/vnclowpot:1804" + read_only: true + volumes: + - /data/vnclowpot/log:/var/log/vnclowpot + + +################## +#### NSM +################## + +# P0f service + p0f: + container_name: p0f + restart: always + network_mode: "host" + image: "dtagdevsec/p0f:1804" + read_only: true + volumes: + - 
/data/p0f/log:/var/log/p0f + +# Suricata service + suricata: + container_name: suricata + restart: always + stop_signal: SIGINT + environment: + # For ET Pro ruleset replace "OPEN" with your OINKCODE + - OINKCODE=OPEN + network_mode: "host" + cap_add: + - NET_ADMIN + - SYS_NICE + - NET_RAW + image: "dtagdevsec/suricata:1804" + volumes: + - /data/suricata/log:/var/log/suricata + + +################## +#### Tools +################## + +#### ELK ## Elasticsearch service elasticsearch: container_name: elasticsearch @@ -119,7 +446,7 @@ services: nofile: soft: 65536 hard: 65536 - mem_limit: 2g + mem_limit: 4g ports: - "127.0.0.1:64298:9200" image: "dtagdevsec/elasticsearch:1804" @@ -178,59 +505,6 @@ services: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip -# Glastopf service - glastopf: - container_name: glastopf - tmpfs: - - /tmp/glastopf:uid=2000,gid=2000 - restart: always - stop_signal: SIGINT - networks: - - glastopf_local - ports: - - "80:80" - image: "dtagdevsec/glastopf:1804" - read_only: true - volumes: - - /data/glastopf/db:/tmp/glastopf/db - - /data/glastopf/log:/tmp/glastopf/log - -# Honeytrap service - honeytrap: - container_name: honeytrap - restart: always - tmpfs: - - /tmp/honeytrap:uid=2000,gid=2000 - network_mode: "host" - cap_add: - - NET_ADMIN - image: "dtagdevsec/honeytrap:1804" - read_only: true - volumes: - - /data/honeytrap/attacks:/opt/honeytrap/var/attacks - - /data/honeytrap/downloads:/opt/honeytrap/var/downloads - - /data/honeytrap/log:/opt/honeytrap/var/log - -# Mailoney service - mailoney: - container_name: mailoney - restart: always - environment: - - HPFEEDS_SERVER= - - HPFEEDS_IDENT=user - - HPFEEDS_SECRET=pass - - HPFEEDS_PORT=20000 - - HPFEEDS_CHANNELPREFIX=prefix - stop_signal: SIGINT - networks: - - mailoney_local - ports: - - "25:25" - image: "dtagdevsec/mailoney:1804" - read_only: true - volumes: - - /data/mailoney/log:/opt/mailoney/logs - # Netdata service netdata: container_name: netdata 
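Review bot: `snare` is published on `"80:80"` yet is the only honeypot service in this hunk without `read_only: true`; `tanner_api`, `tanner_web` and `tanner` already show the pattern to follow, `read_only: true` paired with a `tmpfs` entry for the path the process must write to. If snare writes its cloned pages to a fixed path inside the image, that path would need the same tmpfs treatment before enabling it, which cannot be confirmed from this file. Separately, the `heralding` `ports` section now contains commented-out entries (`# - "21:21"` through `# - "5900:5900"`) inside the block that the header says `/opt/tpot/bin/rules.sh` reads to build iptables ACCEPT rules; if that script extracts ports by pattern matching rather than parsing YAML, those lines may still produce rules for ports nothing listens on, so it is worth checking how the script filters comments. The enclosing `services:` mapping starts before this hunk and continues after it.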
@@ -251,7 +525,7 @@ services: - /sys:/host/sys:ro - /var/run/docker.sock:/var/run/docker.sock:ro -# nginx service +# Nginx service nginx: container_name: nginx restart: always @@ -286,27 +560,6 @@ services: volumes: - /var/run/docker.sock:/var/run/docker.sock -# Rdpy service - rdpy: - container_name: rdpy - extra_hosts: - - hpfeeds.example.com:127.0.0.1 - restart: always - environment: - - HPFEEDS_SERVER=hpfeeds.example.com - - HPFEEDS_IDENT=user - - HPFEEDS_SECRET=pass - - HPFEEDS_PORT=65000 - - SERVERID=id - networks: - - rdpy_local - ports: - - "3389:3389" - image: "dtagdevsec/rdpy:1804" - read_only: true - volumes: - - /data/rdpy/log:/var/log/rdpy - # Spiderfoot service spiderfoot: container_name: spiderfoot @@ -319,46 +572,6 @@ services: volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db -# Suricata service - suricata: - container_name: suricata - restart: always - stop_signal: SIGINT - environment: - # For ET Pro ruleset replace with your OINKCODE - - OINKCODE=OPEN - network_mode: "host" - cap_add: - - NET_ADMIN - - SYS_NICE - - NET_RAW - image: "dtagdevsec/suricata:1804" - volumes: - - /data/suricata/log:/var/log/suricata - -# P0f service - p0f: - container_name: p0f - restart: always - network_mode: "host" - image: "dtagdevsec/p0f:1804" - read_only: true - volumes: - - /data/p0f/log:/var/log/p0f - -# vnclowpot service - vnclowpot: - container_name: vnclowpot - restart: always - networks: - - vnclowpot_local - ports: - - "5900:5900" - image: "dtagdevsec/vnclowpot:1804" - read_only: true - volumes: - - /data/vnclowpot/log:/var/log/vnclowpot - # Wetty service wetty: container_name: wetty