Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-05-13 19:58:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

cleanup, tweaking, updating

Browse source 
make tpotinit aware of sigterm events to unload blackhole routes, firewall rules
fixes #1204 where citrixhoneypot logs use logs instead of log folder
bump ELK stack to 8.12.2
add wordpot logs to logstash pipeline
bump t-pot attackmap to 2.2.0, alpine 3.19
This commit is contained in:
t3chn0m4g3 2024-03-12 17:03:43 +01:00
parent 1da35284be
commit 540d5574d1
36 changed files with 109 additions and 4356 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
compose/mac_win.yml
View file

@ -39,6 +39,7 @@ services:
env_file: env_file:
- .env - .env
restart: always restart: always
stop_grace_period: 60s
tmpfs: tmpfs:
- /tmp/etc:uid=2000,gid=2000 - /tmp/etc:uid=2000,gid=2000
- /tmp/:uid=2000,gid=2000 - /tmp/:uid=2000,gid=2000
@ -109,7 +110,7 @@ services:
pull_policy: ${TPOT_PULL_POLICY} pull_policy: ${TPOT_PULL_POLICY}
read_only: true read_only: true
volumes: volumes:
- ${TPOT_DATA_PATH}/citrixhoneypot/logs:/opt/citrixhoneypot/logs - ${TPOT_DATA_PATH}/citrixhoneypot/log:/opt/citrixhoneypot/logs
# Conpot IEC104 service # Conpot IEC104 service
conpot_IEC104: conpot_IEC104:

3
compose/mobile.yml
View file

@ -39,6 +39,7 @@ services:
env_file: env_file:
- .env - .env
restart: always restart: always
stop_grace_period: 60s
tmpfs: tmpfs:
- /tmp/etc:uid=2000,gid=2000 - /tmp/etc:uid=2000,gid=2000
- /tmp/:uid=2000,gid=2000 - /tmp/:uid=2000,gid=2000
@ -92,7 +93,7 @@ services:
pull_policy: ${TPOT_PULL_POLICY} pull_policy: ${TPOT_PULL_POLICY}
read_only: true read_only: true
volumes: volumes:
- ${TPOT_DATA_PATH}/citrixhoneypot/logs:/opt/citrixhoneypot/logs - ${TPOT_DATA_PATH}/citrixhoneypot/log:/opt/citrixhoneypot/logs
# Conpot IEC104 service # Conpot IEC104 service
conpot_IEC104: conpot_IEC104:

3
compose/raspberry_showcase.yml
View file

@ -39,6 +39,7 @@ services:
env_file: env_file:
- .env - .env
restart: always restart: always
stop_grace_period: 60s
tmpfs: tmpfs:
- /tmp/etc:uid=2000,gid=2000 - /tmp/etc:uid=2000,gid=2000
- /tmp/:uid=2000,gid=2000 - /tmp/:uid=2000,gid=2000
@ -92,7 +93,7 @@ services:
pull_policy: ${TPOT_PULL_POLICY} pull_policy: ${TPOT_PULL_POLICY}
read_only: true read_only: true
volumes: volumes:
- ${TPOT_DATA_PATH}/citrixhoneypot/logs:/opt/citrixhoneypot/logs - ${TPOT_DATA_PATH}/citrixhoneypot/log:/opt/citrixhoneypot/logs
# Conpot IEC104 service # Conpot IEC104 service
conpot_IEC104: conpot_IEC104:

3
compose/sensor.yml
View file

@ -37,6 +37,7 @@ services:
env_file: env_file:
- .env - .env
restart: always restart: always
stop_grace_period: 60s
tmpfs: tmpfs:
- /tmp/etc:uid=2000,gid=2000 - /tmp/etc:uid=2000,gid=2000
- /tmp/:uid=2000,gid=2000 - /tmp/:uid=2000,gid=2000
@ -108,7 +109,7 @@ services:
pull_policy: ${TPOT_PULL_POLICY} pull_policy: ${TPOT_PULL_POLICY}
read_only: true read_only: true
volumes: volumes:
- ${TPOT_DATA_PATH}/citrixhoneypot/logs:/opt/citrixhoneypot/logs - ${TPOT_DATA_PATH}/citrixhoneypot/log:/opt/citrixhoneypot/logs
# Conpot IEC104 service # Conpot IEC104 service
conpot_IEC104: conpot_IEC104:

3
compose/standard.yml
View file

@ -38,6 +38,7 @@ services:
env_file: env_file:
- .env - .env
restart: always restart: always
stop_grace_period: 60s
tmpfs: tmpfs:
- /tmp/etc:uid=2000,gid=2000 - /tmp/etc:uid=2000,gid=2000
- /tmp/:uid=2000,gid=2000 - /tmp/:uid=2000,gid=2000
@ -110,7 +111,7 @@ services:
pull_policy: ${TPOT_PULL_POLICY} pull_policy: ${TPOT_PULL_POLICY}
read_only: true read_only: true
volumes: volumes:
- ${TPOT_DATA_PATH}/citrixhoneypot/logs:/opt/citrixhoneypot/logs - ${TPOT_DATA_PATH}/citrixhoneypot/log:/opt/citrixhoneypot/logs
# Conpot IEC104 service # Conpot IEC104 service
conpot_IEC104: conpot_IEC104:

3
compose/tpot_services.yml
View file

@ -44,6 +44,7 @@ services:
env_file: env_file:
- .env - .env
restart: always restart: always
stop_grace_period: 60s
tmpfs: tmpfs:
- /tmp/etc:uid=2000,gid=2000 - /tmp/etc:uid=2000,gid=2000
- /tmp/:uid=2000,gid=2000 - /tmp/:uid=2000,gid=2000
@ -115,7 +116,7 @@ services:
pull_policy: ${TPOT_PULL_POLICY} pull_policy: ${TPOT_PULL_POLICY}
read_only: true read_only: true
volumes: volumes:
- ${TPOT_DATA_PATH}/citrixhoneypot/logs:/opt/citrixhoneypot/logs - ${TPOT_DATA_PATH}/citrixhoneypot/log:/opt/citrixhoneypot/logs
# Conpot IEC104 service # Conpot IEC104 service
conpot_IEC104: conpot_IEC104:

3
docker-compose.yml
View file

@ -38,6 +38,7 @@ services:
env_file: env_file:
- .env - .env
restart: always restart: always
stop_grace_period: 60s
tmpfs: tmpfs:
- /tmp/etc:uid=2000,gid=2000 - /tmp/etc:uid=2000,gid=2000
- /tmp/:uid=2000,gid=2000 - /tmp/:uid=2000,gid=2000
@ -110,7 +111,7 @@ services:
pull_policy: ${TPOT_PULL_POLICY} pull_policy: ${TPOT_PULL_POLICY}
read_only: true read_only: true
volumes: volumes:
- ${TPOT_DATA_PATH}/citrixhoneypot/logs:/opt/citrixhoneypot/logs - ${TPOT_DATA_PATH}/citrixhoneypot/log:/opt/citrixhoneypot/logs
# Conpot IEC104 service # Conpot IEC104 service
conpot_IEC104: conpot_IEC104:

2
docker/citrixhoneypot/docker-compose.yml
View file

@ -19,4 +19,4 @@ services:
image: "dtagdevsec/citrixhoneypot:alpha" image: "dtagdevsec/citrixhoneypot:alpha"
read_only: true read_only: true
volumes: volumes:
- $HOME/tpotce/data/citrixhoneypot/logs:/opt/citrixhoneypot/logs - $HOME/tpotce/data/citrixhoneypot/log:/opt/citrixhoneypot/logs

11
docker/elk/docker-compose.yml
View file

@ -26,7 +26,7 @@ services:
- "127.0.0.1:64298:9200" - "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha" image: "dtagdevsec/elasticsearch:alpha"
volumes: volumes:
- /data:/data - $HOME/tpotce/data:/data
## Kibana service ## Kibana service
kibana: kibana:
@ -37,6 +37,7 @@ services:
depends_on: depends_on:
elasticsearch: elasticsearch:
condition: service_healthy condition: service_healthy
mem_limit: 1g
ports: ports:
- "127.0.0.1:64296:5601" - "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha" image: "dtagdevsec/kibana:alpha"
@ -51,11 +52,9 @@ services:
depends_on: depends_on:
elasticsearch: elasticsearch:
condition: service_healthy condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/logstash:alpha" image: "dtagdevsec/logstash:alpha"
volumes: volumes:
- /data:/data - $HOME/tpotce/data:/data
# - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf # - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
# Map Redis Service # Map Redis Service
@ -76,8 +75,6 @@ services:
restart: always restart: always
environment: environment:
- MAP_COMMAND=AttackMapServer.py - MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL stop_signal: SIGKILL
tty: true tty: true
ports: ports:
@ -92,8 +89,6 @@ services:
restart: always restart: always
environment: environment:
- MAP_COMMAND=DataServer_v2.py - MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL stop_signal: SIGKILL
tty: true tty: true
image: "dtagdevsec/map:alpha" image: "dtagdevsec/map:alpha"

2
docker/elk/elasticsearch/Dockerfile
View file

@ -1,7 +1,7 @@
FROM ubuntu:22.04 FROM ubuntu:22.04
# #
# VARS # VARS
ENV ES_VER=8.6.2 ENV ES_VER=8.12.2
# #
# Include dist # Include dist
COPY dist/ /root/dist/ COPY dist/ /root/dist/

2
docker/elk/elasticsearch/docker-compose.yml
View file

@ -26,4 +26,4 @@ services:
- "127.0.0.1:64298:9200" - "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha" image: "dtagdevsec/elasticsearch:alpha"
volumes: volumes:
- /data:/data - $HOME/tpotce/data:/data

2
docker/elk/kibana/Dockerfile
View file

@ -1,7 +1,7 @@
FROM ubuntu:22.04 FROM ubuntu:22.04
# #
# VARS # VARS
ENV KB_VER=8.6.2 ENV KB_VER=8.12.2
# Include dist # Include dist
COPY dist/ /root/dist/ COPY dist/ /root/dist/
# #

2
docker/elk/logstash/Dockerfile
View file

@ -1,7 +1,7 @@
FROM ubuntu:22.04 FROM ubuntu:22.04
# #
# VARS # VARS
ENV LS_VER=8.6.2 ENV LS_VER=8.12.2
# Include dist # Include dist
COPY dist/ /root/dist/ COPY dist/ /root/dist/
# #

24
docker/elk/logstash/dist/http_output.conf vendored
View file

@ -38,7 +38,7 @@ input {
# CitrixHoneypot # CitrixHoneypot
file { file {
path => ["/data/citrixhoneypot/logs/server.log"] path => ["/data/citrixhoneypot/log/server.log"]
codec => json codec => json
type => "CitrixHoneypot" type => "CitrixHoneypot"
} }
@ -182,6 +182,13 @@ input {
type => "Tanner" type => "Tanner"
} }
# Wordpot
file {
path => ["/data/wordpot/log/wordpot.log"]
codec => json
type => "Wordpot"
}
} }
# Filter Section # Filter Section
@ -620,6 +627,13 @@ filter {
} }
} }
# Wordpot
if [type] == "Wordpot" {
date {
match => [ "timestamp", "ISO8601" ]
}
}
# Drop if parse fails # Drop if parse fails
if "_grokparsefailure" in [tags] { drop {} } if "_grokparsefailure" in [tags] { drop {} }
if "_jsonparsefailure" in [tags] { drop {} } if "_jsonparsefailure" in [tags] { drop {} }
@ -639,13 +653,13 @@ if "_jsonparsefailure" in [tags] { drop {} }
cache_size => 10000 cache_size => 10000
source => "src_ip" source => "src_ip"
default_database_type => "City" default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb" # database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
} }
geoip { geoip {
cache_size => 10000 cache_size => 10000
source => "src_ip" source => "src_ip"
default_database_type => "ASN" default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb" # database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
} }
translate { translate {
refresh_interval => 86400 refresh_interval => 86400
@ -660,14 +674,14 @@ if "_jsonparsefailure" in [tags] { drop {} }
source => "t-pot_ip_ext" source => "t-pot_ip_ext"
target => "geoip_ext" target => "geoip_ext"
default_database_type => "City" default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb" # database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
} }
geoip { geoip {
cache_size => 10000 cache_size => 10000
source => "t-pot_ip_ext" source => "t-pot_ip_ext"
target => "geoip_ext" target => "geoip_ext"
default_database_type => "ASN" default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb" # database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
} }
} }

24
docker/elk/logstash/dist/logstash.conf vendored
View file

@ -38,7 +38,7 @@ input {
# CitrixHoneypot # CitrixHoneypot
file { file {
path => ["/data/citrixhoneypot/logs/server.log"] path => ["/data/citrixhoneypot/log/server.log"]
codec => json codec => json
type => "CitrixHoneypot" type => "CitrixHoneypot"
} }
@ -182,6 +182,13 @@ input {
type => "Tanner" type => "Tanner"
} }
# Wordpot
file {
path => ["/data/wordpot/log/wordpot.log"]
codec => json
type => "Wordpot"
}
} }
# Filter Section # Filter Section
@ -620,6 +627,13 @@ filter {
} }
} }
# Wordpot
if [type] == "Wordpot" {
date {
match => [ "timestamp", "ISO8601" ]
}
}
# Drop if parse fails # Drop if parse fails
if "_grokparsefailure" in [tags] { drop {} } if "_grokparsefailure" in [tags] { drop {} }
if "_jsonparsefailure" in [tags] { drop {} } if "_jsonparsefailure" in [tags] { drop {} }
@ -639,13 +653,13 @@ if "_jsonparsefailure" in [tags] { drop {} }
cache_size => 10000 cache_size => 10000
source => "src_ip" source => "src_ip"
default_database_type => "City" default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb" # database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
} }
geoip { geoip {
cache_size => 10000 cache_size => 10000
source => "src_ip" source => "src_ip"
default_database_type => "ASN" default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb" # database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
} }
translate { translate {
refresh_interval => 86400 refresh_interval => 86400
@ -660,14 +674,14 @@ if "_jsonparsefailure" in [tags] { drop {} }
source => "t-pot_ip_ext" source => "t-pot_ip_ext"
target => "geoip_ext" target => "geoip_ext"
default_database_type => "City" default_database_type => "City"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-City.mmdb" # database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-City.mmdb"
} }
geoip { geoip {
cache_size => 10000 cache_size => 10000
source => "t-pot_ip_ext" source => "t-pot_ip_ext"
target => "geoip_ext" target => "geoip_ext"
default_database_type => "ASN" default_database_type => "ASN"
# database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.12-java/vendor/GeoLite2-ASN.mmdb" # database => "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-filter-geoip-7.2.13-java/vendor/GeoLite2-ASN.mmdb"
} }
} }

10
docker/elk/logstash/docker-compose.yml
View file

@ -12,13 +12,11 @@ services:
# depends_on: # depends_on:
# elasticsearch: # elasticsearch:
# condition: service_healthy # condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
ports: ports:
- "127.0.0.1:64305:64305" - "127.0.0.1:64305:64305"
image: "dtagdevsec/logstash:alpha" image: "dtagdevsec/logstash:alpha"
volumes: volumes:
- /data:/data - $HOME/tpotce/data:/data
# - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf # - /$HOME/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
# - /root/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf # - /$HOME/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf
# - /root/tpotce/docker/elk/logstash/dist/logstash.yml:/etc/logstash/conf.d/logstash.yml # - /$HOME/tpotce/docker/elk/logstash/dist/logstash.yml:/etc/logstash/conf.d/logstash.yml

34
docker/elk/map/Dockerfile
View file

@ -1,29 +1,23 @@
FROM alpine:3.17 FROM alpine:3.19
#
# Include dist
#COPY dist/ /root/dist/
# #
# Install packages # Install packages
RUN apk -U --no-cache add \ RUN apk -U --no-cache add \
build-base \ build-base \
git \ git \
libcap \ libcap \
py3-pip \ py3-pip \
python3 \ python3 \
python3-dev \ python3-dev \
tzdata && \ tzdata && \
# #
# Install from GitHub and setup # Install from GitHub and setup
mkdir -p /opt && \ mkdir -p /opt && \
cd /opt/ && \ cd /opt/ && \
git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.1.0 && \ git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.0 && \
cd t-pot-attack-map && \ cd t-pot-attack-map && \
# git checkout eaf8d123d72a62e4c12093e4e8487e10e6ef60f3 && \ pip3 install --break-system-packages --upgrade pip && \
# git branch -a && \ pip3 install --break-system-packages -r requirements.txt && \
# git checkout multi && \ setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \
pip3 install --upgrade pip && \
pip3 install -r requirements.txt && \
setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
# #
# Setup user, groups and configs # Setup user, groups and configs
addgroup -g 2000 map && \ addgroup -g 2000 map && \
@ -32,8 +26,8 @@ RUN apk -U --no-cache add \
# #
# Clean up # Clean up
apk del --purge build-base \ apk del --purge build-base \
git \ git \
python3-dev && \ python3-dev && \
rm -rf /root/* /var/cache/apk/* /opt/t-pot-attack-map/.git rm -rf /root/* /var/cache/apk/* /opt/t-pot-attack-map/.git
# #
# Start T-Pot-Attack-Map # Start T-Pot-Attack-Map

2
docker/elk/map/dist/entrypoint.sh vendored
View file

@ -1,2 +0,0 @@
#!/bin/ash
sed -i "s/var hqLatLng = new L.LatLng(52.3058, 4.932);/var hqLatLng = new L.LatLng($MY_EXTIP_LAT, $MY_EXTIP_LONG);/g" /opt/geoip-attack-map/static/map.js

6
docker/elk/map/docker-compose.yml
View file

@ -21,8 +21,6 @@ services:
restart: always restart: always
environment: environment:
- MAP_COMMAND=AttackMapServer.py - MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL stop_signal: SIGKILL
tty: true tty: true
ports: ports:
@ -37,8 +35,8 @@ services:
restart: always restart: always
environment: environment:
- MAP_COMMAND=DataServer_v2.py - MAP_COMMAND=DataServer_v2.py
env_file: # - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
- /opt/tpot/etc/compose/elk_environment # - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
stop_signal: SIGKILL stop_signal: SIGKILL
tty: true tty: true
image: "dtagdevsec/map:alpha" image: "dtagdevsec/map:alpha"

4
docker/tpotinit/Dockerfile
View file

@ -43,5 +43,5 @@ RUN apk --no-cache -U add \
WORKDIR /opt/tpot WORKDIR /opt/tpot
#HEALTHCHECK --interval=5s --timeout=30s --retries=3 CMD pgrep -f autoheal || exit 1 #HEALTHCHECK --interval=5s --timeout=30s --retries=3 CMD pgrep -f autoheal || exit 1
HEALTHCHECK --retries=1000 --interval=5s CMD test -f /tmp/success || exit 1 HEALTHCHECK --retries=1000 --interval=5s CMD test -f /tmp/success || exit 1
STOPSIGNAL SIGKILL STOPSIGNAL SIGTERM
CMD ["/opt/tpot/entrypoint.sh"] ENTRYPOINT ["/opt/tpot/entrypoint.sh"]

2
docker/tpotinit/dist/bin/clean.sh vendored
View file

@ -106,7 +106,7 @@ fuCISCOASA () {
# Let's create a function to clean up and prepare citrixhoneypot data # Let's create a function to clean up and prepare citrixhoneypot data
fuCITRIXHONEYPOT () { fuCITRIXHONEYPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi
mkdir -vp /data/citrixhoneypot/logs/ mkdir -vp /data/citrixhoneypot/log/
chmod 770 /data/citrixhoneypot/ -R chmod 770 /data/citrixhoneypot/ -R
chown tpot:tpot /data/citrixhoneypot/ -R chown tpot:tpot /data/citrixhoneypot/ -R
} }

29
docker/tpotinit/dist/bin/tpdclean.sh vendored
View file

@ -1,29 +0,0 @@
#!/bin/bash
# T-Pot Compose and Container Cleaner
# Set colors
myRED=""
myGREEN=""
myWHITE=""
# Only run with command switch
if [ "$1" != "-y" ]; then
echo $myRED"### WARNING"$myWHITE
echo ""
echo $myRED"###### This script is only intended for the tpot.service."$myWHITE
echo $myRED"###### Run <systemctl stop tpot> first and then <tpdclean.sh -y>."$myWHITE
echo $myRED"###### Be aware, all T-Pot container volumes and images will be removed."$myWHITE
echo ""
echo $myRED"### WARNING "$myWHITE
echo
exit
fi
# Remove old containers, images and volumes
docker-compose -f /opt/tpot/etc/tpot.yml down -v >> /dev/null 2>&1
docker-compose -f /opt/tpot/etc/tpot.yml rm -v >> /dev/null 2>&1
docker network rm $(docker network ls -q) >> /dev/null 2>&1
docker volume rm $(docker volume ls -q) >> /dev/null 2>&1
docker rm -v $(docker ps -aq) >> /dev/null 2>&1
docker rmi $(docker images | grep "<none>" | awk '{print $3}') >> /dev/null 2>&1
docker rmi $(docker images | grep "2203" | awk '{print $3}') >> /dev/null 2>&1
exit 0

56
docker/tpotinit/dist/bin/tped.sh vendored
View file

@ -1,56 +0,0 @@
#!/bin/bash
# Run as root only.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" != "root" ]
then
echo "Need to run as root ..."
exit
fi
# set backtitle, get filename
myBACKTITLE="T-Pot Edition Selection Tool"
myYMLS=$(cd /opt/tpot/etc/compose/ && ls -1 *.yml)
myLINK="/opt/tpot/etc/tpot.yml"
# Let's load docker images in parallel
function fuPULLIMAGES {
local myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml"
for name in $(cat $myTPOTCOMPOSE | grep -v '#' | grep image | cut -d'"' -f2 | uniq)
do
docker pull $name &
done
wait
echo
}
# setup menu
for i in $myYMLS;
do
myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) "
done
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 18 50 1 $myITEMS 3>&1 1>&2 2>&3 3>&-)
if [ "$myEDITION" == "" ];
then
echo "Have a nice day!"
exit
fi
dialog --backtitle "$myBACKTITLE" --title "[ Activate now? ]" --yesno "\n$myEDITION" 7 50
myOK=$?
if [ "$myOK" == "0" ];
then
echo "OK - Activating and downloading latest images."
systemctl stop tpot
if [ "$(docker ps -aq)" != "" ];
then
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
fi
rm -f $myLINK
ln -s /opt/tpot/etc/compose/$myEDITION $myLINK
fuPULLIMAGES
systemctl start tpot
echo "Done. Use \"dps.sh\" for monitoring"
else
echo "Have a nice day!"
fi

25
docker/tpotinit/dist/entrypoint.sh vendored
View file

@ -3,6 +3,25 @@
COMPOSE="/tmp/tpot/docker-compose.yml" COMPOSE="/tmp/tpot/docker-compose.yml"
exec > >(tee /data/tpotinit.log) 2>&1 exec > >(tee /data/tpotinit.log) 2>&1
# Function to handle SIGTERM
cleanup() {
echo "# SIGTERM received, cleaning up ..."
echo
echo "## ... removing firewall rules."
/opt/tpot/bin/rules.sh ${COMPOSE} unset
echo
if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
then
echo "## ... removing Blackhole routes."
/opt/tpot/bin/blackhole.sh del
echo
fi
kill -TERM "$PID"
echo "# Cleanup done."
echo
}
trap cleanup SIGTERM
# Function to check if a variable is set, not empty # Function to check if a variable is set, not empty
check_var() { check_var() {
local var_name="$1" local var_name="$1"
@ -315,7 +334,11 @@ if [ "${myOSTYPE}" != "linuxkit" ];
figlet "Autoheal" figlet "Autoheal"
echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy." echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy."
echo echo
exec /opt/tpot/autoheal.sh autoheal # exec /opt/tpot/autoheal.sh autoheal
/opt/tpot/autoheal.sh autoheal &
PID=$!
wait $PID
echo "# T-Pot Init and Autoheal were stopped. Exiting."
else else
echo echo
echo "# Docker Desktop for macOS or Windows detected, Conntrack feature is not supported." echo "# Docker Desktop for macOS or Windows detected, Conntrack feature is not supported."

260
docker/tpotinit/dist/etc/compose/collector.yml vendored
View file

@ -1,260 +0,0 @@
# T-Pot (Collector)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
heralding_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
- "21:21"
- "22:22"
- "23:23"
- "25:25"
- "80:80"
- "110:110"
- "143:143"
- "443:443"
- "465:465"
- "993:993"
- "995:995"
- "1080:1080"
- "3306:3306"
- "3389:3389"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:alpha"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:alpha"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

141
docker/tpotinit/dist/etc/compose/hive.yml vendored
View file

@ -1,141 +0,0 @@
# T-Pot (Hive)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
spiderfoot_local:
services:
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
# mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
# mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms2048m -Xmx2048m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
ports:
- "127.0.0.1:64305:64305"
# mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

548
docker/tpotinit/dist/etc/compose/hive_sensor.yml vendored
View file

@ -1,548 +0,0 @@
# T-Pot (Hive_Sensor)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
adbhoney_local:
ciscoasa_local:
citrixhoneypot_local:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
cowrie_local:
ddospot_local:
dicompot_local:
dionaea_local:
elasticpot_local:
heralding_local:
ipphoney_local:
mailoney_local:
medpot_local:
redishoneypot_local:
tanner_local:
ewsposter_local:
sentrypeer_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Adbhoney service
adbhoney:
container_name: adbhoney
restart: always
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:alpha"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log
- /data/adbhoney/downloads:/opt/adbhoney/dl
# Ciscoasa service
ciscoasa:
container_name: ciscoasa
restart: always
tmpfs:
- /tmp/ciscoasa:uid=2000,gid=2000
networks:
- ciscoasa_local
ports:
- "5000:5000/udp"
- "8443:8443"
image: "dtagdevsec/ciscoasa:alpha"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa
# CitrixHoneypot service
citrixhoneypot:
container_name: citrixhoneypot
restart: always
networks:
- citrixhoneypot_local
ports:
- "443:443"
image: "dtagdevsec/citrixhoneypot:alpha"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
- "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
container_name: cowrie
restart: always
tmpfs:
- /tmp/cowrie:uid=2000,gid=2000
- /tmp/cowrie/data:uid=2000,gid=2000
networks:
- cowrie_local
ports:
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:alpha"
read_only: true
volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc
- /data/cowrie/log:/home/cowrie/cowrie/log
- /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
# Ddospot service
ddospot:
container_name: ddospot
restart: always
networks:
- ddospot_local
ports:
- "19:19/udp"
- "53:53/udp"
- "123:123/udp"
# - "161:161/udp"
- "1900:1900/udp"
image: "dtagdevsec/ddospot:alpha"
read_only: true
volumes:
- /data/ddospot/log:/opt/ddospot/ddospot/logs
- /data/ddospot/bl:/opt/ddospot/ddospot/bl
- /data/ddospot/db:/opt/ddospot/ddospot/db
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:alpha"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Dionaea service
dionaea:
container_name: dionaea
stdin_open: true
tty: true
restart: always
networks:
- dionaea_local
ports:
- "20:20"
- "21:21"
- "42:42"
- "69:69/udp"
- "81:81"
- "135:135"
# - "443:443"
- "445:445"
- "1433:1433"
- "1723:1723"
- "1883:1883"
- "3306:3306"
# - "5060:5060"
# - "5060:5060/udp"
# - "5061:5061"
- "27017:27017"
image: "dtagdevsec/dionaea:alpha"
read_only: true
volumes:
- /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
- /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
- /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
- /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
- /data/dionaea:/opt/dionaea/var/dionaea
- /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
- /data/dionaea/log:/opt/dionaea/var/log
- /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
# ElasticPot service
elasticpot:
container_name: elasticpot
restart: always
networks:
- elasticpot_local
ports:
- "9200:9200"
image: "dtagdevsec/elasticpot:alpha"
read_only: true
volumes:
- /data/elasticpot/log:/opt/elasticpot/log
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:alpha"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:alpha"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Ipphoney service
ipphoney:
container_name: ipphoney
restart: always
networks:
- ipphoney_local
ports:
- "631:631"
image: "dtagdevsec/ipphoney:alpha"
read_only: true
volumes:
- /data/ipphoney/log:/opt/ipphoney/log
# Mailoney service
mailoney:
container_name: mailoney
restart: always
environment:
- HPFEEDS_SERVER=
- HPFEEDS_IDENT=user
- HPFEEDS_SECRET=pass
- HPFEEDS_PORT=20000
- HPFEEDS_CHANNELPREFIX=prefix
networks:
- mailoney_local
ports:
- "25:25"
image: "dtagdevsec/mailoney:alpha"
read_only: true
volumes:
- /data/mailoney/log:/opt/mailoney/logs
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:alpha"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
# Redishoneypot service
redishoneypot:
container_name: redishoneypot
restart: always
networks:
- redishoneypot_local
ports:
- "6379:6379"
image: "dtagdevsec/redishoneypot:alpha"
read_only: true
volumes:
- /data/redishoneypot/log:/var/log/redishoneypot
# SentryPeer service
sentrypeer:
container_name: sentrypeer
restart: always
# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
# the bad actors in its logs. Therefore this option is opt-in based.
# environment:
# - SENTRYPEER_PEER_TO_PEER=0
networks:
- sentrypeer_local
ports:
# - "4222:4222/udp"
- "5060:5060/udp"
# - "127.0.0.1:8082:8082"
image: "dtagdevsec/sentrypeer:alpha"
read_only: true
volumes:
- /data/sentrypeer/log:/var/log/sentrypeer
#### Snare / Tanner
## Tanner Redis Service
tanner_redis:
container_name: tanner_redis
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/redis:alpha"
read_only: true
## PHP Sandbox service
tanner_phpox:
container_name: tanner_phpox
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/phpox:alpha"
read_only: true
## Tanner API Service
tanner_api:
container_name: tanner_api
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:alpha"
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
command: tannerapi
depends_on:
- tanner_redis
## Tanner Service
tanner:
container_name: tanner
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:alpha"
command: tanner
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
- /data/tanner/files:/opt/tanner/files
depends_on:
- tanner_api
# - tanner_web
- tanner_phpox
## Snare Service
snare:
container_name: snare
restart: always
tty: true
networks:
- tanner_local
ports:
- "80:80"
image: "dtagdevsec/snare:alpha"
depends_on:
- tanner
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip

431
docker/tpotinit/dist/etc/compose/industrial.yml vendored
View file

@ -1,431 +0,0 @@
# T-Pot (Industrial)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
conpot_local_default:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
cowrie_local:
dicompot_local:
heralding_local:
medpot_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Conpot default service
conpot_default:
container_name: conpot_default
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_default.json
- CONPOT_LOG=/var/log/conpot/conpot_default.log
- CONPOT_TEMPLATE=default
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_default
ports:
- "69:69/udp"
- "80:80"
- "102:102"
- "161:161/udp"
- "502:502"
# - "623:623/udp"
- "21:21"
- "44818:44818"
- "47808:47808/udp"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
# - "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
container_name: cowrie
restart: always
tmpfs:
- /tmp/cowrie:uid=2000,gid=2000
- /tmp/cowrie/data:uid=2000,gid=2000
networks:
- cowrie_local
ports:
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:alpha"
read_only: true
volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc
- /data/cowrie/log:/home/cowrie/cowrie/log
- /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:alpha"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
# - "110:110"
# - "143:143"
# - "443:443"
# - "465:465"
# - "993:993"
# - "995:995"
# - "3306:3306"
# - "3389:3389"
# - "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:alpha"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:alpha"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:alpha"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

250
docker/tpotinit/dist/etc/compose/log4j.yml vendored
View file

@ -1,250 +0,0 @@
# T-Pot (Log4j)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
log4pot_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Log4pot service
log4pot:
container_name: log4pot
restart: always
tmpfs:
- /tmp:uid=2000,gid=2000
networks:
- log4pot_local
ports:
- "80:8080"
- "443:8080"
- "8080:8080"
- "9200:8080"
- "25565:8080"
image: "dtagdevsec/log4pot:alpha"
read_only: true
volumes:
- /data/log4pot/log:/var/log/log4pot/log
- /data/log4pot/payloads:/var/log/log4pot/payloads
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:alpha"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

244
docker/tpotinit/dist/etc/compose/medical.yml vendored
View file

@ -1,244 +0,0 @@
# T-Pot (Medical)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
dicompot_local:
medpot_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:alpha"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:alpha"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

271
docker/tpotinit/dist/etc/compose/mini.yml vendored
View file

@ -1,271 +0,0 @@
# T-Pot (Mini)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
honeypots_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# qHoneypots service
honeypots:
container_name: honeypots
stdin_open: true
tty: true
restart: always
tmpfs:
- /tmp:uid=2000,gid=2000
networks:
- honeypots_local
ports:
- "21:21"
- "22:22"
- "23:23"
- "25:25"
- "53:53/udp"
- "80:80"
- "110:110"
- "123:123"
- "143:143"
- "161:161"
- "389:389"
- "443:443"
- "445:445"
- "1080:1080"
- "1433:1433"
- "1521:1521"
- "3306:3306"
- "5060:5060"
- "5432:5432"
- "5900:5900"
- "6379:6379"
- "6667:6667"
- "8080:8080"
- "9200:9200"
- "11211:11211"
image: "dtagdevsec/honeypots:alpha"
read_only: true
volumes:
- /data/honeypots/log:/var/log/honeypots
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:alpha"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

575
docker/tpotinit/dist/etc/compose/nextgen.yml vendored
View file

@ -1,575 +0,0 @@
# T-Pot (NextGen)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
adbhoney_local:
ciscoasa_local:
citrixhoneypot_local:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
ddospot_local:
dicompot_local:
dionaea_local:
elasticpot_local:
endlessh_local:
hellpot_local:
heralding_local:
ipphoney_local:
mailoney_local:
medpot_local:
redishoneypot_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Adbhoney service
adbhoney:
container_name: adbhoney
restart: always
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:alpha"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log
- /data/adbhoney/downloads:/opt/adbhoney/dl
# Ciscoasa service
ciscoasa:
container_name: ciscoasa
restart: always
tmpfs:
- /tmp/ciscoasa:uid=2000,gid=2000
networks:
- ciscoasa_local
ports:
- "5000:5000/udp"
- "8443:8443"
image: "dtagdevsec/ciscoasa:alpha"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa
# CitrixHoneypot service
citrixhoneypot:
container_name: citrixhoneypot
restart: always
networks:
- citrixhoneypot_local
ports:
- "443:443"
image: "dtagdevsec/citrixhoneypot:alpha"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
- "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Ddospot service
ddospot:
container_name: ddospot
restart: always
networks:
- ddospot_local
ports:
- "19:19/udp"
- "53:53/udp"
- "123:123/udp"
# - "161:161/udp"
- "1900:1900/udp"
image: "dtagdevsec/ddospot:alpha"
read_only: true
volumes:
- /data/ddospot/log:/opt/ddospot/ddospot/logs
- /data/ddospot/bl:/opt/ddospot/ddospot/bl
- /data/ddospot/db:/opt/ddospot/ddospot/db
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:alpha"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Dionaea service
dionaea:
container_name: dionaea
stdin_open: true
tty: true
restart: always
networks:
- dionaea_local
ports:
- "20:20"
- "21:21"
- "42:42"
- "69:69/udp"
- "81:81"
- "135:135"
# - "443:443"
- "445:445"
- "1433:1433"
- "1723:1723"
- "1883:1883"
- "3306:3306"
# - "5060:5060"
# - "5060:5060/udp"
# - "5061:5061"
- "27017:27017"
image: "dtagdevsec/dionaea:alpha"
read_only: true
volumes:
- /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
- /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
- /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
- /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
- /data/dionaea:/opt/dionaea/var/dionaea
- /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
- /data/dionaea/log:/opt/dionaea/var/log
- /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
# ElasticPot service
elasticpot:
container_name: elasticpot
restart: always
networks:
- elasticpot_local
ports:
- "9200:9200"
image: "dtagdevsec/elasticpot:alpha"
read_only: true
volumes:
- /data/elasticpot/log:/opt/elasticpot/log
# Endlessh service
endlessh:
container_name: endlessh
restart: always
networks:
- endlessh_local
ports:
- "22:2222"
image: "dtagdevsec/endlessh:alpha"
read_only: true
volumes:
- /data/endlessh/log:/var/log/endlessh
# Glutton service
glutton:
container_name: glutton
restart: always
tmpfs:
- /var/lib/glutton:uid=2000,gid=2000
- /run:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/glutton:alpha"
read_only: true
volumes:
- /data/glutton/log:/var/log/glutton
# - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:alpha"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Ipphoney service
ipphoney:
container_name: ipphoney
restart: always
networks:
- ipphoney_local
ports:
- "631:631"
image: "dtagdevsec/ipphoney:alpha"
read_only: true
volumes:
- /data/ipphoney/log:/opt/ipphoney/log
# Mailoney service
mailoney:
container_name: mailoney
restart: always
environment:
- HPFEEDS_SERVER=
- HPFEEDS_IDENT=user
- HPFEEDS_SECRET=pass
- HPFEEDS_PORT=20000
- HPFEEDS_CHANNELPREFIX=prefix
networks:
- mailoney_local
ports:
- "25:25"
image: "dtagdevsec/mailoney:alpha"
read_only: true
volumes:
- /data/mailoney/log:/opt/mailoney/logs
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:alpha"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
# Redishoneypot service
redishoneypot:
container_name: redishoneypot
restart: always
networks:
- redishoneypot_local
ports:
- "6379:6379"
image: "dtagdevsec/redishoneypot:alpha"
read_only: true
volumes:
- /data/redishoneypot/log:/var/log/redishoneypot
# Hellpot service
hellpot:
container_name: hellpot
restart: always
networks:
- hellpot_local
ports:
- "80:8080"
image: "dtagdevsec/hellpot:alpha"
read_only: true
volumes:
- /data/hellpot/log:/var/log/hellpot
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

535
docker/tpotinit/dist/etc/compose/sensor.yml vendored
View file

@ -1,535 +0,0 @@
# T-Pot (Sensor)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
adbhoney_local:
ciscoasa_local:
citrixhoneypot_local:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
cowrie_local:
ddospot_local:
dicompot_local:
dionaea_local:
elasticpot_local:
heralding_local:
ipphoney_local:
mailoney_local:
medpot_local:
redishoneypot_local:
tanner_local:
ewsposter_local:
sentrypeer_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Adbhoney service
adbhoney:
container_name: adbhoney
restart: always
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:alpha"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log
- /data/adbhoney/downloads:/opt/adbhoney/dl
# Ciscoasa service
ciscoasa:
container_name: ciscoasa
restart: always
tmpfs:
- /tmp/ciscoasa:uid=2000,gid=2000
networks:
- ciscoasa_local
ports:
- "5000:5000/udp"
- "8443:8443"
image: "dtagdevsec/ciscoasa:alpha"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa
# CitrixHoneypot service
citrixhoneypot:
container_name: citrixhoneypot
restart: always
networks:
- citrixhoneypot_local
ports:
- "443:443"
image: "dtagdevsec/citrixhoneypot:alpha"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
- "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
container_name: cowrie
restart: always
tmpfs:
- /tmp/cowrie:uid=2000,gid=2000
- /tmp/cowrie/data:uid=2000,gid=2000
networks:
- cowrie_local
ports:
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:alpha"
read_only: true
volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc
- /data/cowrie/log:/home/cowrie/cowrie/log
- /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
# Ddospot service
ddospot:
container_name: ddospot
restart: always
networks:
- ddospot_local
ports:
- "19:19/udp"
- "53:53/udp"
- "123:123/udp"
# - "161:161/udp"
- "1900:1900/udp"
image: "dtagdevsec/ddospot:alpha"
read_only: true
volumes:
- /data/ddospot/log:/opt/ddospot/ddospot/logs
- /data/ddospot/bl:/opt/ddospot/ddospot/bl
- /data/ddospot/db:/opt/ddospot/ddospot/db
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:alpha"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Dionaea service
dionaea:
container_name: dionaea
stdin_open: true
tty: true
restart: always
networks:
- dionaea_local
ports:
- "20:20"
- "21:21"
- "42:42"
- "69:69/udp"
- "81:81"
- "135:135"
# - "443:443"
- "445:445"
- "1433:1433"
- "1723:1723"
- "1883:1883"
- "3306:3306"
# - "5060:5060"
# - "5060:5060/udp"
# - "5061:5061"
- "27017:27017"
image: "dtagdevsec/dionaea:alpha"
read_only: true
volumes:
- /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
- /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
- /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
- /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
- /data/dionaea:/opt/dionaea/var/dionaea
- /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
- /data/dionaea/log:/opt/dionaea/var/log
- /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
# ElasticPot service
elasticpot:
container_name: elasticpot
restart: always
networks:
- elasticpot_local
ports:
- "9200:9200"
image: "dtagdevsec/elasticpot:alpha"
read_only: true
volumes:
- /data/elasticpot/log:/opt/elasticpot/log
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:alpha"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:alpha"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Ipphoney service
ipphoney:
container_name: ipphoney
restart: always
networks:
- ipphoney_local
ports:
- "631:631"
image: "dtagdevsec/ipphoney:alpha"
read_only: true
volumes:
- /data/ipphoney/log:/opt/ipphoney/log
# Mailoney service
mailoney:
container_name: mailoney
restart: always
environment:
- HPFEEDS_SERVER=
- HPFEEDS_IDENT=user
- HPFEEDS_SECRET=pass
- HPFEEDS_PORT=20000
- HPFEEDS_CHANNELPREFIX=prefix
networks:
- mailoney_local
ports:
- "25:25"
image: "dtagdevsec/mailoney:alpha"
read_only: true
volumes:
- /data/mailoney/log:/opt/mailoney/logs
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:alpha"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
# Redishoneypot service
redishoneypot:
container_name: redishoneypot
restart: always
networks:
- redishoneypot_local
ports:
- "6379:6379"
image: "dtagdevsec/redishoneypot:alpha"
read_only: true
volumes:
- /data/redishoneypot/log:/var/log/redishoneypot
# SentryPeer service
sentrypeer:
container_name: sentrypeer
restart: always
# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
# the bad actors in its logs. Therefore this option is opt-in based.
# environment:
# - SENTRYPEER_PEER_TO_PEER=0
networks:
- sentrypeer_local
ports:
# - "4222:4222/udp"
- "5060:5060/udp"
# - "127.0.0.1:8082:8082"
image: "dtagdevsec/sentrypeer:alpha"
read_only: true
volumes:
- /data/sentrypeer/log:/var/log/sentrypeer
#### Snare / Tanner
## Tanner Redis Service
tanner_redis:
container_name: tanner_redis
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/redis:alpha"
read_only: true
## PHP Sandbox service
tanner_phpox:
container_name: tanner_phpox
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/phpox:alpha"
read_only: true
## Tanner API Service
tanner_api:
container_name: tanner_api
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:alpha"
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
command: tannerapi
depends_on:
- tanner_redis
## Tanner Service
tanner:
container_name: tanner
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:alpha"
command: tanner
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
- /data/tanner/files:/opt/tanner/files
depends_on:
- tanner_api
# - tanner_web
- tanner_phpox
## Snare Service
snare:
container_name: snare
restart: always
tty: true
networks:
- tanner_local
ports:
- "80:80"
image: "dtagdevsec/snare:alpha"
depends_on:
- tanner
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip

662
docker/tpotinit/dist/etc/compose/standard.yml vendored
View file

@ -1,662 +0,0 @@
# T-Pot (Standard)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
adbhoney_local:
ciscoasa_local:
citrixhoneypot_local:
conpot_local_IEC104:
conpot_local_guardian_ast:
conpot_local_ipmi:
conpot_local_kamstrup_382:
cowrie_local:
ddospot_local:
dicompot_local:
dionaea_local:
elasticpot_local:
heralding_local:
ipphoney_local:
mailoney_local:
medpot_local:
redishoneypot_local:
tanner_local:
ewsposter_local:
sentrypeer_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Adbhoney service
adbhoney:
container_name: adbhoney
restart: always
networks:
- adbhoney_local
ports:
- "5555:5555"
image: "dtagdevsec/adbhoney:alpha"
read_only: true
volumes:
- /data/adbhoney/log:/opt/adbhoney/log
- /data/adbhoney/downloads:/opt/adbhoney/dl
# Ciscoasa service
ciscoasa:
container_name: ciscoasa
restart: always
tmpfs:
- /tmp/ciscoasa:uid=2000,gid=2000
networks:
- ciscoasa_local
ports:
- "5000:5000/udp"
- "8443:8443"
image: "dtagdevsec/ciscoasa:alpha"
read_only: true
volumes:
- /data/ciscoasa/log:/var/log/ciscoasa
# CitrixHoneypot service
citrixhoneypot:
container_name: citrixhoneypot
restart: always
networks:
- citrixhoneypot_local
ports:
- "443:443"
image: "dtagdevsec/citrixhoneypot:alpha"
read_only: true
volumes:
- /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
# Conpot IEC104 service
conpot_IEC104:
container_name: conpot_iec104
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json
- CONPOT_LOG=/var/log/conpot/conpot_IEC104.log
- CONPOT_TEMPLATE=IEC104
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_IEC104
ports:
- "161:161/udp"
- "2404:2404"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot guardian_ast service
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json
- CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log
- CONPOT_TEMPLATE=guardian_ast
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_guardian_ast
ports:
- "10001:10001"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot ipmi
conpot_ipmi:
container_name: conpot_ipmi
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json
- CONPOT_LOG=/var/log/conpot/conpot_ipmi.log
- CONPOT_TEMPLATE=ipmi
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_ipmi
ports:
- "623:623/udp"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot kamstrup_382
conpot_kamstrup_382:
container_name: conpot_kamstrup_382
restart: always
environment:
- CONPOT_CONFIG=/etc/conpot/conpot.cfg
- CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json
- CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log
- CONPOT_TEMPLATE=kamstrup_382
- CONPOT_TMP=/tmp/conpot
tmpfs:
- /tmp/conpot:uid=2000,gid=2000
networks:
- conpot_local_kamstrup_382
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:alpha"
read_only: true
volumes:
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
container_name: cowrie
restart: always
tmpfs:
- /tmp/cowrie:uid=2000,gid=2000
- /tmp/cowrie/data:uid=2000,gid=2000
networks:
- cowrie_local
ports:
- "22:22"
- "23:23"
image: "dtagdevsec/cowrie:alpha"
read_only: true
volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc
- /data/cowrie/log:/home/cowrie/cowrie/log
- /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty
# Ddospot service
ddospot:
container_name: ddospot
restart: always
networks:
- ddospot_local
ports:
- "19:19/udp"
- "53:53/udp"
- "123:123/udp"
# - "161:161/udp"
- "1900:1900/udp"
image: "dtagdevsec/ddospot:alpha"
read_only: true
volumes:
- /data/ddospot/log:/opt/ddospot/ddospot/logs
- /data/ddospot/bl:/opt/ddospot/ddospot/bl
- /data/ddospot/db:/opt/ddospot/ddospot/db
# Dicompot service
# Get the Horos Client for testing: https://horosproject.org/
# Get Dicom images (CC BY 3.0): https://www.cancerimagingarchive.net/collections/
# Put images (which must be in Dicom DCM format or it will not work!) into /data/dicompot/images
dicompot:
container_name: dicompot
restart: always
networks:
- dicompot_local
ports:
- "11112:11112"
image: "dtagdevsec/dicompot:alpha"
read_only: true
volumes:
- /data/dicompot/log:/var/log/dicompot
# - /data/dicompot/images:/opt/dicompot/images
# Dionaea service
dionaea:
container_name: dionaea
stdin_open: true
tty: true
restart: always
networks:
- dionaea_local
ports:
- "20:20"
- "21:21"
- "42:42"
- "69:69/udp"
- "81:81"
- "135:135"
# - "443:443"
- "445:445"
- "1433:1433"
- "1723:1723"
- "1883:1883"
- "3306:3306"
# - "5060:5060"
# - "5060:5060/udp"
# - "5061:5061"
- "27017:27017"
image: "dtagdevsec/dionaea:alpha"
read_only: true
volumes:
- /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp
- /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp
- /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www
- /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp
- /data/dionaea:/opt/dionaea/var/dionaea
- /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries
- /data/dionaea/log:/opt/dionaea/var/log
- /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp
# ElasticPot service
elasticpot:
container_name: elasticpot
restart: always
networks:
- elasticpot_local
ports:
- "9200:9200"
image: "dtagdevsec/elasticpot:alpha"
read_only: true
volumes:
- /data/elasticpot/log:/opt/elasticpot/log
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:alpha"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:alpha"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Ipphoney service
ipphoney:
container_name: ipphoney
restart: always
networks:
- ipphoney_local
ports:
- "631:631"
image: "dtagdevsec/ipphoney:alpha"
read_only: true
volumes:
- /data/ipphoney/log:/opt/ipphoney/log
# Mailoney service
mailoney:
container_name: mailoney
restart: always
environment:
- HPFEEDS_SERVER=
- HPFEEDS_IDENT=user
- HPFEEDS_SECRET=pass
- HPFEEDS_PORT=20000
- HPFEEDS_CHANNELPREFIX=prefix
networks:
- mailoney_local
ports:
- "25:25"
image: "dtagdevsec/mailoney:alpha"
read_only: true
volumes:
- /data/mailoney/log:/opt/mailoney/logs
# Medpot service
medpot:
container_name: medpot
restart: always
networks:
- medpot_local
ports:
- "2575:2575"
image: "dtagdevsec/medpot:alpha"
read_only: true
volumes:
- /data/medpot/log/:/var/log/medpot
# Redishoneypot service
redishoneypot:
container_name: redishoneypot
restart: always
networks:
- redishoneypot_local
ports:
- "6379:6379"
image: "dtagdevsec/redishoneypot:alpha"
read_only: true
volumes:
- /data/redishoneypot/log:/var/log/redishoneypot
# SentryPeer service
sentrypeer:
container_name: sentrypeer
restart: always
# SentryPeer offers to exchange bad actor data via DHT / P2P mode by setting the ENV to true (1)
# In some cases (i.e. internally deployed T-Pots) this might be confusing as SentryPeer will show
# the bad actors in its logs. Therefore this option is opt-in based.
# environment:
# - SENTRYPEER_PEER_TO_PEER=0
networks:
- sentrypeer_local
ports:
# - "4222:4222/udp"
- "5060:5060/udp"
# - "127.0.0.1:8082:8082"
image: "dtagdevsec/sentrypeer:alpha"
read_only: true
volumes:
- /data/sentrypeer/log:/var/log/sentrypeer
#### Snare / Tanner
## Tanner Redis Service
tanner_redis:
container_name: tanner_redis
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/redis:alpha"
read_only: true
## PHP Sandbox service
tanner_phpox:
container_name: tanner_phpox
restart: always
tty: true
networks:
- tanner_local
image: "dtagdevsec/phpox:alpha"
read_only: true
## Tanner API Service
tanner_api:
container_name: tanner_api
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:alpha"
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
command: tannerapi
depends_on:
- tanner_redis
## Tanner Service
tanner:
container_name: tanner
restart: always
tmpfs:
- /tmp/tanner:uid=2000,gid=2000
tty: true
networks:
- tanner_local
image: "dtagdevsec/tanner:alpha"
command: tanner
read_only: true
volumes:
- /data/tanner/log:/var/log/tanner
- /data/tanner/files:/opt/tanner/files
depends_on:
- tanner_api
# - tanner_web
- tanner_phpox
## Snare Service
snare:
container_name: snare
restart: always
tty: true
networks:
- tanner_local
ports:
- "80:80"
image: "dtagdevsec/snare:alpha"
depends_on:
- tanner
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

287
docker/tpotinit/dist/etc/compose/tarpit.yml vendored
View file

@ -1,287 +0,0 @@
# T-Pot (Tarpit)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
endlessh_local:
hellpot_local:
heralding_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Endlessh service
endlessh:
container_name: endlessh
restart: always
networks:
- endlessh_local
ports:
- "22:2222"
image: "dtagdevsec/endlessh:alpha"
read_only: true
volumes:
- /data/endlessh/log:/var/log/endlessh
# Heralding service
heralding:
container_name: heralding
restart: always
tmpfs:
- /tmp/heralding:uid=2000,gid=2000
networks:
- heralding_local
ports:
# - "21:21"
# - "22:22"
# - "23:23"
# - "25:25"
# - "80:80"
- "110:110"
- "143:143"
# - "443:443"
- "465:465"
- "993:993"
- "995:995"
# - "3306:3306"
# - "3389:3389"
- "1080:1080"
- "5432:5432"
- "5900:5900"
image: "dtagdevsec/heralding:alpha"
read_only: true
volumes:
- /data/heralding/log:/var/log/heralding
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:alpha"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
# Hellpot service
hellpot:
container_name: hellpot
restart: always
networks:
- hellpot_local
ports:
- "80:8080"
image: "dtagdevsec/hellpot:alpha"
read_only: true
volumes:
- /data/hellpot/log:/var/log/hellpot
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:alpha"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:alpha"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
# Loading externel Rules from URL
# - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:alpha"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
- ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:alpha"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
mem_limit: 1g
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:alpha"
## Logstash service
logstash:
container_name: logstash
restart: always
environment:
- LS_JAVA_OPTS=-Xms1024m -Xmx1024m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
mem_limit: 2g
image: "dtagdevsec/logstash:alpha"
volumes:
- /data:/data
## Map Redis Service
map_redis:
container_name: map_redis
restart: always
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/redis:alpha"
read_only: true
## Map Web Service
map_web:
container_name: map_web
restart: always
environment:
- MAP_COMMAND=AttackMapServer.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
ports:
- "127.0.0.1:64299:64299"
image: "dtagdevsec/map:alpha"
## Map Data Service
map_data:
container_name: map_data
restart: always
depends_on:
elasticsearch:
condition: service_healthy
environment:
- MAP_COMMAND=DataServer_v2.py
env_file:
- /opt/tpot/etc/compose/elk_environment
stop_signal: SIGKILL
tty: true
image: "dtagdevsec/map:alpha"
#### /ELK
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:alpha"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/lib/nginx/tmp:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:alpha"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:alpha"
volumes:
- /data/spiderfoot:/home/spiderfoot/.spiderfoot

3
docker/tpotinit/docker-compose.yml
View file

@ -8,7 +8,8 @@ services:
container_name: tpotinit container_name: tpotinit
env_file: env_file:
- $HOME/tpotce/.env - $HOME/tpotce/.env
restart: "no" restart: "no"
stop_grace_period: 60s
image: "dtagdevsec/tpotinit:alpha" image: "dtagdevsec/tpotinit:alpha"
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro