Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-01 12:32:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Adjust T-Pot config file, tpotinit

Browse source 
fix logrotate.conf path
add tpotinit logging
add support for LS_WEB_USER in tpot config (.env)
make tpotinit always validate config / adjust users on tpotinit start
This commit is contained in:
t3chn0m4g3 2024-02-19 17:34:14 +01:00
parent 09b75cb5be
commit 4f41b84103
6 changed files with 201 additions and 112 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
.env
View file

@ -4,17 +4,34 @@
# T-Pot Base Settings - Adjust to your needs. #
###############################################
# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
# Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
# <empty>: This is the default
# <'htpasswd encoded usernames / passwords'>:
# Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
# Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
WEB_USER='change:me'
# Multiple users are possible, example (notice the quotes!):
# WEB_USER='user1:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# user2:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
WEB_USER=
# Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
# The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
# <empty>: This is empty by default.
# <'htpasswd encoded usernames / passwords'>:
# Use 'htpasswd -n <username>' to create the LS_WEB_USER if you want to manually deploy T-Pot
# Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# Copy the string and replace / add LS_WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
# Multiple users are possible, example (notice the quotes!):
# LS_WEB_USER='sensor1:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# sensor2:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
LS_WEB_USER=
# T-Pot Blackhole
# ENABLED: T-Pot will download a db of known mass scanners and nullroute them
# ENABLED: T-Pot will download a db of known mass scanners and nullroute them.
# Be aware, this will put T-Pot off the map for stealth reasons and
# you will get less traffic. Routes will active until reboot and will
# be re-added with every T-Pot start until disabled.
# you will get less traffic. Routes will be active until next reboot
# and will be re-added with every T-Pot start until disabled.
# DISABLED: This is the default and no stealth efforts are in place.
TPOT_BLACKHOLE=DISABLED
@ -94,11 +111,11 @@ TPOT_DOCKER_ENV=./.env
# Docker-Compose file
TPOT_DOCKER_COMPOSE=./docker-compose.yml
# T-Pot Repo
# T-Pot Docker Repo
# Depending on where you are located you may choose between DockerHub and GHCR
# dtagdevsec: This will use the DockerHub image registry
# ghcr.io/telekom-security: This will use the GitHub container registry
TPOT_REPO=ghcr.io/telekom-security
TPOT_REPO=dtagdevsec
# T-Pot Version Tag
TPOT_VERSION=alpha

1
.gitignore vendored
View file

@ -2,3 +2,4 @@
data/
**/.DS_Store
.idea
install_tpot.log

2
docker/tpotinit/dist/bin/clean.sh vendored
View file

@ -20,7 +20,7 @@ echo $(ls $myFOLDER | wc -l)
# Let's create a function to rotate and compress logs
fuLOGROTATE () {
local mySTATUS="/opt/tpot/etc/logrotate/status"
local mySTATUS="/data/tpot/etc/logrotate/status"
local myCONF="/opt/tpot/etc/logrotate/logrotate.conf"
local myADBHONEYTGZ="/data/adbhoney/downloads.tgz"
local myADBHONEYDL="/data/adbhoney/downloads/"

113
docker/tpotinit/dist/entrypoint.sh vendored
View file

@ -1,6 +1,7 @@
#!/bin/bash
COMPOSE="/tmp/tpot/docker-compose.yml"
exec > >(tee /data/tpotinit.log) 2>&1
# Function to check if a variable is set, not empty
check_var() {
@ -10,7 +11,7 @@ check_var() {
# Check if variable is set and not empty
if [[ -z "$var_value" ]];
then
echo "# Error: $var_name is not set or empty."
echo "# Error: $var_name is not set or empty. Please check T-Pot config file (.env)."
echo
echo "# Aborting"
exit 1
@ -25,7 +26,7 @@ check_safety() {
# General safety check for most variables
if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]];
then
echo "# Error: Unsafe characters detected in $var_name."
echo "# Error: Unsafe characters detected in $var_name. Please check T-Pot config file (.env)."
echo
echo "# Aborting"
exit 1
@ -41,7 +42,7 @@ check_web_user_safety() {
for user in $web_user; do
# Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash)
if [[ ! $user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; then
echo "# Error: Unsafe characters / wrong format detected in WEB_USER for user $user."
echo "# Error: Unsafe characters / wrong format detected in (LS_)WEB_USER for user $user. Please check T-Pot config file (.env)."
echo
echo "# Aborting"
exit 1
@ -58,7 +59,7 @@ validate_format() {
TPOT_BLACKHOLE|TPOT_PERSISTENCE|TPOT_ATTACKMAP_TEXT)
if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]];
then
echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false."
echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false. Please check T-Pot config file (.env)."
echo
echo "# Aborting"
exit 1
@ -70,28 +71,49 @@ validate_format() {
esac
}
create_web_users() {
validate_ip_or_domain() {
local myCHECK=$1
# Regular expression for validating IPv4 addresses
local ipv4Regex='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
# Regular expression for validating domain names (including subdomains)
local domainRegex='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
# Check if TPOT_HIVE_IP matches IPv4 or domain name
if [[ $myCHECK =~ $ipv4Regex ]]; then
echo "$myCHECK is a valid IPv4 address."
elif [[ $myCHECK =~ $domainRegex ]]; then
echo "$myCHECK is a valid domain name."
else
echo "# Error: $myCHECK is not a valid IPv4 address or domain name. Please check T-Pot config file (.env)."
echo
echo "# Creating web user from .env ..."
echo
echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
touch /data/nginx/conf/lswebpasswd
echo "# Aborting"
exit 1
fi
}
# Validate environment variables
for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TEXT_TIMEZONE TPOT_REPO TPOT_VERSION TPOT_PULL_POLICY TPOT_OSTYPE;
do
check_var "$var"
check_safety "$var"
validate_format "$var"
done
validate_base64() {
local myCHECK=$1
# Specific check for WEB_USER
check_var "WEB_USER"
check_web_user_safety "$WEB_USER"
echo "# All settings seem to be valid."
# Base64 pattern match
if [[ $myCHECK =~ ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$ ]]; then
echo "$myCHECK is a valid Base64 string."
else
echo "$myCHECK is not a valid Base64 string. Please check T-Pot config file (.env)"
echo
echo "# Aborting"
exit 1
fi
}
create_web_users() {
echo
echo "# Creating passwd files based on .env configuration ..."
echo
echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
echo "${LS_WEB_USER}" > /data/nginx/conf/lswebpasswd
}
# Check for compatible OSType
echo
@ -101,7 +123,7 @@ myOSTYPE=$(uname -a | grep -Eo "linuxkit")
if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
then
echo "# Docker Desktop for macOS or Windows detected."
echo "# 1. You need to adjust the OSType in the hidden \".env\" file."
echo "# 1. You need to adjust the OSType the T-Pot config file (.env)."
echo "# 2. You need to use the macos or win docker compose file."
echo
echo "# Aborting."
@ -109,6 +131,44 @@ if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
exit 1
fi
# Validate environment variables
for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TEXT_TIMEZONE TPOT_REPO TPOT_VERSION TPOT_PULL_POLICY TPOT_OSTYPE;
do
check_var "$var"
check_safety "$var"
validate_format "$var"
done
if [ "${TPOT_TYPE}" == "HIVE" ];
then
# No $ for check_var
check_var "WEB_USER"
check_web_user_safety "$WEB_USER"
TPOT_HIVE_USER=""
TPOT_HIVE_IP=""
if [ "${LS_WEB_USER}" == "" ];
then
echo "# Warning: No LS_WEB_USER detected! T-Pots of type SENSOR will not be able to submit logs to this HIVE."
echo
else
check_web_user_safety "$LS_WEB_USER"
fi
fi
if [ "${TPOT_TYPE}" == "SENSOR" ];
then
# No $ for check_var
check_var "TPOT_HIVE_USER"
check_var "TPOT_HIVE_IP"
validate_base64 "$TPOT_HIVE_USER"
validate_ip_or_domain "$TPOT_HIVE_IP"
WEB_USER=""
fi
echo
echo
echo "# All settings seem to be valid."
echo
# Data folder management
if [ -f "/data/uuid" ];
then
@ -124,15 +184,6 @@ if [ -f "/data/uuid" ];
figlet "Setting up ..."
figlet "T-Pot: ${TPOT_VERSION}"
echo
echo "# Checking for default user."
if [ "${WEB_USER}" == "change:me" ];
then
echo "# Please change WEB_USER in the hidden \".env\" file."
echo "# Aborting."
echo
exit 1
fi
echo
echo "# Setting up data folder structure ..."
echo
/opt/tpot/bin/clean.sh off

7
docker/tpotinit/docker-compose.yml
View file

@ -6,10 +6,13 @@ services:
tpotinit:
build: .
container_name: tpotinit
env_file:
- $HOME/tpotce/.env
restart: "no"
image: "dtagdevsec/tpotinit:dev"
# volumes:
image: "ghcr.io/telekom-security/tpotinit:alpha"
volumes:
# - /var/run/docker.sock:/var/run/docker.sock:ro
- $HOME/tpotce/data:/data
network_mode: "host"
cap_add:
- NET_ADMIN

29
env.example
View file

@ -4,17 +4,34 @@
# T-Pot Base Settings - Adjust to your needs. #
###############################################
# Set Web username and password here, it will be used to create the Nginx password file nginxpasswd.
# Set Web usernames and passwords here. This section will be used to create / update the Nginx password file nginxpasswd.
# <empty>: This is the default
# <'htpasswd encoded usernames / passwords'>:
# Use 'htpasswd -n <username>' to create the WEB_USER if you want to manually deploy T-Pot
# Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# Copy the string and replace WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
WEB_USER='change:me'
# Multiple users are possible, example (notice the quotes!):
# WEB_USER='user1:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# user2:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
WEB_USER=
# Set Logstash Web usernames and passwords here. This section will be used to create / update the Nginx password file lswebpasswd.
# The Lostsash Web usernames are used for T-Pot log ingestion via Logstash, each sensor should have its own user.
# <empty>: This is empty by default.
# <'htpasswd encoded usernames / passwords'>:
# Use 'htpasswd -n <username>' to create the LS_WEB_USER if you want to manually deploy T-Pot
# Example: 'htpasswd -n tsec' will print tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# Copy the string and replace / add LS_WEB_USER='tsec:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
# Multiple users are possible, example (notice the quotes!):
# LS_WEB_USER='sensor1:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0
# sensor2:$apr1$TdJGdsss$6yLsxPmOcXb2kaEZ7lKva0'
LS_WEB_USER=
# T-Pot Blackhole
# ENABLED: T-Pot will download a db of known mass scanners and nullroute them
# ENABLED: T-Pot will download a db of known mass scanners and nullroute them.
# Be aware, this will put T-Pot off the map for stealth reasons and
# you will get less traffic. Routes will active until reboot and will
# be re-added with every T-Pot start until disabled.
# you will get less traffic. Routes will be active until next reboot
# and will be re-added with every T-Pot start until disabled.
# DISABLED: This is the default and no stealth efforts are in place.
TPOT_BLACKHOLE=DISABLED
@ -94,7 +111,7 @@ TPOT_DOCKER_ENV=./.env
# Docker-Compose file
TPOT_DOCKER_COMPOSE=./docker-compose.yml
# T-Pot Repo
# T-Pot Docker Repo
# Depending on where you are located you may choose between DockerHub and GHCR
# dtagdevsec: This will use the DockerHub image registry
# ghcr.io/telekom-security: This will use the GitHub container registry