diff --git a/.env b/.env
index 95afd4c6..13287916 100644
--- a/.env
+++ b/.env
@@ -4,8 +4,8 @@
 # Removing the password after first run is recommended
 # You can always add or remove users as you see fit using htpasswd:
 # htpasswd -b -c //nginx/conf/nginxpasswd
-WEB_USER=changeme
-WEB_PW=changeme
+WEB_USER='changeme'
+WEB_PW='changeme'
 # T-Pot Blackhole
 # ENABLED: T-Pot will download a db of known mass scanners and nullroute them
@@ -32,7 +32,9 @@ TPOT_DOCKER_ENV=./.env
 TPOT_DOCKER_COMPOSE=./docker-compose.yml
 # T-Pot Repo
-#TPOT_REPO=dtagdevsec
+# Depending on where you are located you may choose between DockerHub and GHCR
+# dtagdevsec: This will use the DockerHub image registry
+# ghcr.io/telekom-security: This will use the GitHub container registry
 TPOT_REPO=ghcr.io/telekom-security
 # T-Pot Version Tag
diff --git a/env.example b/env.example
index 5db49a98..6b70286c 100644
--- a/env.example
+++ b/env.example
@@ -1,11 +1,11 @@
-# T-Pot Light config file. Do not remove.
+# T-Pot config file. Do not remove.
 # Set Web username and password here, only required for first run
 # Removing the password after first run is recommended
 # You can always add or remove users as you see fit using htpasswd:
 # htpasswd -b -c //nginx/conf/nginxpasswd
-WEB_USER=changeme
-WEB_PW=changeme
+WEB_USER='changeme'
+WEB_PW='changeme'
 # T-Pot Blackhole
 # ENABLED: T-Pot will download a db of known mass scanners and nullroute them
@@ -32,6 +32,9 @@ TPOT_DOCKER_ENV=./.env
 TPOT_DOCKER_COMPOSE=./docker-compose.yml
 # T-Pot Repo
+# Depending on where you are located you may choose between DockerHub and GHCR
+# dtagdevsec: This will use the DockerHub image registry
+# ghcr.io/telekom-security: This will use the GitHub container registry
 TPOT_REPO=dtagdevsec
 # T-Pot Version Tag
diff --git a/install.sh b/install.sh
index 95c52814..e95c9549 100755
--- a/install.sh
+++ b/install.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
+myINSTALL_NOTIFICATION="### Now installing required packages ..."
+myUSER=$(whoami)
+myTPOT_CONF_FILE="/home/${myUSER}/tpotce/.env"
 myPACKAGES="ansible wget"
 myINSTALLER=$(cat << "EOF"
 _____ ____ _ ___ _ _ _
@@ -11,9 +14,10 @@ EOF
 )
 # Check if running with root privileges
-if [ $EUID -eq 0 ];
+if [ ${EUID} -eq 0 ];
 then
 echo "This script should not be run as root. Please run it as a regular user."
+ echo
 exit 1
 fi
@@ -24,6 +28,7 @@ myCURRENT_DISTRIBUTION=$(awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"'
 if [[ ! " ${mySUPPORTED_DISTRIBUTIONS[@]} " =~ " ${myCURRENT_DISTRIBUTION} " ]];
 then
 echo "### Only the following distributions are supported: Fedora, Debian, openSUSE Tumbleweed and Ubuntu."
+ echo
 exit 1
 fi
@@ -32,11 +37,13 @@ echo "$myINSTALLER"
 echo
 echo
 echo "### This script will now install T-Pot and all of its dependencies."
-while [ "$myQST" != "y" ] && [ "$myQST" != "n" ];
+while [ "${myQST}" != "y" ] && [ "{$myQST}" != "n" ];
 do
+ echo
 read -p "### Install? (y/n) " myQST
+ echo
 done
-if [ "$myQST" = "n" ];
+if [ "${myQST}" = "n" ];
 then
 echo
 echo "### Aborting!"
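Review bot: `myTPOT_CONF_FILE="/home/${myUSER}/tpotce/.env"` assumes the invoking user's home directory is `/home/<name>`, which is not guaranteed (accounts created with a custom `-d`, directory-backed users, roaming homes); this is the file that later receives the web credentials via `sed -i`, and since nothing visible enables `set -e` a wrong path would print an error and the script would carry on without writing them. `${HOME}` is already set by the login shell for the same uid `whoami` reports, so `myTPOT_CONF_FILE="${HOME}/tpotce/.env"` removes the assumption. The `-f /home/${myUSER}/tpotce/docker-compose.yml` in the last hunk would benefit from the same change.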
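Review bot: `[ "{$myQST}" != "n" ]` in the new `while` condition has the brace and dollar sign transposed, so it compares the literal string `{<answer>}` with `n` and is always true; the loop therefore only ends on `y`, and the `if [ "${myQST}" = "n" ]` abort branch directly below it can never be reached. The intended line is `while [ "${myQST}" != "y" ] && [ "${myQST}" != "n" ];`.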
@@ -45,26 +52,37 @@ if [ "$myQST" = "n" ];
 fi
 # Install packages based on the distribution
-case $myCURRENT_DISTRIBUTION in
+case ${myCURRENT_DISTRIBUTION} in
 "Fedora Linux")
+ echo
+ echo ${myINSTALL_NOTIFICATION}
+ echo
 sudo dnf update -y
- sudo dnf install -y ${myPACKAGES}
+ sudo dnf install -y cracklib ${myPACKAGES}
 ;;
 "Debian GNU/Linux"|"Ubuntu")
- if ! command -v sudo >/dev/null;
+ echo
+ echo ${myINSTALL_NOTIFICATION}
+ echo
+ if ! command -v sudo >/dev/null;
 then
- echo "### ‘sudo‘ is not installed. To continue you need to provide the ‘root‘ password ... "
- echo "### ... or press CTRL-C to manually install ‘sudo‘ and add your user to the sudoers."
- su -c "apt -y update && apt -y install sudo ${myPACKAGES}"
- su -c "/usr/sbin/usermod -aG sudo $(whoami)"
- # Refresh groups, so sudo is directly usable
- newgrp sudo
+ echo "### ‘sudo‘ is not installed. To continue you need to provide the ‘root‘ password"
+ echo "### or press CTRL-C to manually install ‘sudo‘ and add your user to the sudoers."
+ echo
+ su -c "apt -y update && \
+ apt -y install sudo cracklib-runtime ${myPACKAGES} && \
+ /usr/sbin/usermod -aG sudo ${myUSER} && \
+ echo '${myUSER} ALL=(ALL:ALL) ALL' | tee /etc/sudoers.d/${myUSER} >/dev/null && \
+ chmod 440 /etc/sudoers.d/${myUSER}"
 else
 sudo apt update
- sudo apt install -y ${myPACKAGES}
+ sudo apt install -y cracklib ${myPACKAGES}
 fi
 ;;
 "openSUSE Tumbleweed")
+ echo
+ echo ${myINSTALL_NOTIFICATION}
+ echo
 sudo zypper refresh
 sudo zypper install -y ${myPACKAGES}
 echo "export ANSIBLE_PYTHON_INTERPRETER=/bin/python3" | sudo tee /etc/profile.d/ansible.sh >/dev/null
@@ -73,7 +91,7 @@ case $myCURRENT_DISTRIBUTION in
 esac
 echo
-# Check if sudo access is available
+# Check type of sudo access
 sudo -n true > /dev/null 2>&1
 if [ $? -eq 1 ];
 then
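Review bot: `tee /etc/sudoers.d/${myUSER}` names the drop-in after the raw account name, but sudo skips files in `sudoers.d` whose name contains a `.` or ends in `~`, so for a user such as `jane.doe` the grant is silently dead while the file still lands on disk, and nothing checks what was written. Use a fixed name and validate it before relying on it, e.g. `echo '${myUSER} ALL=(ALL:ALL) ALL' | tee /etc/sudoers.d/tpot-install >/dev/null && chmod 440 /etc/sudoers.d/tpot-install && visudo -cf /etc/sudoers.d/tpot-install`; since the same `su -c` already adds the user to the `sudo` group, the drop-in is a second, permanent root grant that no visible hunk removes after the playbook, which deserves at least a comment next to it. The package names are also inconsistent: the `su` path installs `cracklib-runtime`, while `sudo apt install -y cracklib ${myPACKAGES}` asks for `cracklib`, which on Debian/Ubuntu is not the package that ships the `/usr/sbin/cracklib-check` the later password check calls, and the openSUSE branch installs no cracklib package at all. `echo ${myINSTALL_NOTIFICATION}` (three places) should be `echo "${myINSTALL_NOTIFICATION}"`.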
@@ -102,18 +120,86 @@ fi
 echo "### Now running T-Pot Ansible Installation Playbook ..."
 echo "### Ansible will ask for the ‘BECOME password‘ which is typically the password you ’sudo’ with."
 echo
-ANSIBLE_LOG_PATH=$PWD/install_tpot.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -i 127.0.0.1, -c local ${myANSIBLE_BECOME_OPTION}
+ANSIBLE_LOG_PATH=${PWD}/install_tpot.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -i 127.0.0.1, -c local ${myANSIBLE_BECOME_OPTION}
+
+# Asking for web user name
+myWEB_USER=""
+while [ 1 != 2 ];
+ do
+ myOK=""
+ read -rp "### Enter your web user name: " myWEB_USER
+ myWEB_USER=$(echo $myWEB_USER | tr -cd "[:alnum:]_.-")
+ echo "### Your username is: ${myWEB_USER}"
+ while [[ ! "${myOK}" =~ [YyNn] ]];
+ do
+ read -rp "### Is this correct? (y/n) " myOK
+ done
+ if [[ "${myOK}" =~ [Yy] ]] && [ "$myWEB_USER" != "" ];
+ then
+ break
+ else
+ echo
+ fi
+ done
+
+# Asking for web user password
+myWEB_PW="pass1"
+myWEB_PW2="pass2"
+mySECURE=0
+myOK=""
+while [ "${myWEB_PW}" != "${myWEB_PW2}" ] && [ "${mySECURE}" == "0" ]
+ do
+ echo
+ while [ "${myWEB_PW}" == "pass1" ] || [ "${myWEB_PW}" == "" ]
+ do
+ read -rsp "### Enter password for your web user: " myWEB_PW
+ echo
+ done
+ read -rsp "### Repeat password you your web user: " myWEB_PW2
+ echo
+ if [ "${myWEB_PW}" != "${myWEB_PW2}" ];
+ then
+ echo "### Passwords do not match."
+ myWEB_PW="pass1"
+ myWEB_PW2="pass2"
+ fi
+ mySECURE=$(printf "%s" "$myWEB_PW" | /usr/sbin/cracklib-check | grep -c "OK")
+ if [ "$mySECURE" == "0" ] && [ "$myWEB_PW" == "$myWEB_PW2" ];
+ then
+ while [[ ! "${myOK}" =~ [YyNn] ]];
+ do
+ read -rp "### Keep insecure password? (y/n) " myOK
+ done
+ if [[ "${myOK}" =~ [Nn] ]] || [ "$myWEB_PW" == "" ];
+ then
+ myWEB_PW="pass1"
+ myWEB_PW2="pass2"
+ mySECURE=0
+ myOK=""
+ fi
+ fi
+done
+
+# Write username and password to T-Pot config file
+echo "### Writing username and password to T-Pot config file: ${myTPOT_CONF_FILE}"
+echo "### You can empty the password after the first start of T-Pot."
+echo
+sed -i "/^WEB_USER=/s/.*/WEB_USER='${myWEB_USER}'/" ${myTPOT_CONF_FILE}
+sed -i "/^WEB_PW=/s/.*/WEB_PW='${myWEB_PW}'/" ${myTPOT_CONF_FILE}
 # Pull docker images
 echo "### Now pulling images ..."
-docker compose -f /home/$(whoami)/tpotce/docker-compose.yml pull
+sudo docker compose -f /home/${myUSER}/tpotce/docker-compose.yml pull
 echo
-# Done and show running services
+# Show running services
+echo "### Please review for possible honeypot port conflicts."
+echo "### While SSH is taken care of, other services such as"
+echo "### SMTP, HTTP, etc. might prevent T-Pot from starting."
+echo
 sudo grc netstat -tulpen
-echo "Please review for possible honeypot port conflicts."
-echo "While SSH is taken care of, other services such as"
-echo "SMTP, HTTP, etc. might prevent T-Pot from starting."
+echo
+# Done
 echo "Done. Please reboot and re-connect via SSH on tcp/64295."
 echo
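Review bot: The password is spliced raw into the `sed -i` script that writes `WEB_PW=`, so a password containing `/`, `&`, `\` or `'` corrupts the substitution or the single-quoted `.env` value, and the secret also ends up in `sed`'s argv where `ps` can read it briefly; the username is filtered with `tr -cd` but the password gets no equivalent treatment. At minimum escape the sed metacharacters first, e.g. `myWEB_PW_SED=$(printf '%s' "${myWEB_PW}" | sed -e 's/[\/&\\]/\\&/g')` and substitute `${myWEB_PW_SED}` in the `s///`, and reject a `'` in the password read loop since the written value is single-quoted. The strength check `grep -c "OK"` also matches the password itself, which `cracklib-check` echoes back in front of its `: <verdict>`, so a password that merely contains `OK` is counted as secure; anchor on the verdict with `grep -c ': OK$'`. On the openSUSE path of the earlier hunk no cracklib package is installed, so this pipeline fails there and every password is reported insecure. The prompt `"### Repeat password you your web user: "` should read `for your`.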