diff --git a/bin/rules.sh b/bin/rules.sh
new file mode 100755
index 00000000..4412a62c
--- /dev/null
+++ b/bin/rules.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+### Vars, Ports for Standard services
+myHOSTPORTS="64295"
+myDOCKERCOMPOSEYML="$1"
+myRULESFUNCTION="$2"
+
+function fuCHECKFORARGS {
+### Check if args are present, if not throw error
+
+if [ "$myDOCKERCOMPOSEYML" != "" ] && ([ "$myRULESFUNCTION" == "set" ] || [ "$myRULESFUNCTION" == "unset" ]);
+ then
+ echo "All arguments met. Continuing."
+ else
+ echo "Usage: rules.sh <[set, unset]>"
+ exit
+fi
+}
+
+function fuNFQCHECK {
+### Check if honeytrap is actively enabled in docker-compose.yml
+
+myNFQCHECK=$(grep -e '^\s*honeytrap:' $myDOCKERCOMPOSEYML | tr -d ': ' | wc -l)
+
+if [ "$myNFQCHECK" == "0" ];
+ then
+ echo "No NFQ related honeypot detected, no firewall rules needed. Exiting."
+ exit
+ else
+ echo "Detected at least one NFQ based honeypot, firewall rules needed. Continuing."
+fi
+}
+
+function fuGETPORTS {
+### Get ports from docker-compose.yml
+
+myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' )
+myDOCKERCOMPOSEPORTS+=" $myHOSTPORTS"
+myRULESPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo $i; done | sort -gu)
+}
+
+function fuSETRULES {
+### Setting up iptables rules
+
+/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
+/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
+
+for myPORT in $myRULESPORTS; do
+ /sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
+done
+
+/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+}
+
+function fuUNSETRULES {
+### Removing iptables rules
+
+/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
+/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
+
+for myPORT in $myRULESPORTS; do
+ /sbin/iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
+done
+
+/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+}
+
+# Main
+fuCHECKFORARGS
+fuNFQCHECK
+fuGETPORTS
+
+if [ "$myRULESFUNCTION" == "set" ];
+ then
+ fuSETRULES
+ else
+ fuUNSETRULES
+fi
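Review bot: fuGETPORTS feeds fuSETRULES an incomplete list without noticing: if `yq` is missing or fails, or the pipeline matches no `ports:` mapping, `myRULESPORTS` holds only 64295, the NFQUEUE catch-all is still appended and every other service port is diverted to honeytrap, yet the script exits 0 so the `ExecStartPre` in tpot.service does not stop the unit (the usage branch of fuCHECKFORARGS also exits 0 through a bare `exit`). Add `set -o pipefail` under the shebang, test the substitution's status and an empty result in fuGETPORTS, `exit 1` on both failure paths, quote `"$myDOCKERCOMPOSEYML"` in fuNFQCHECK and fuGETPORTS, and check the file with `-r` rather than `!= ""`. One caveat to confirm against tpot.yml: the unit rules this commit removes used `--dports 20:23`, so if any mapping is written as a range (`"20-23:20-23"`), `cut -f1 -d ':'` yields `20-23`, which `--dport` rejects (iptables spells ranges `20:23`); stripping `127.0.0.1` also means loopback-only mappings are ACCEPTed on INPUT instead of reaching honeytrap, which may or may not be intended. Since `unset` recomputes the list from the file at stop time, a compose edit between start and stop leaves stale ACCEPT rules; a one-line comment on fuUNSETRULES stating that would help operators.
```bash
#!/bin/bash
set -o pipefail   # so a failing yq/grep in the port pipeline is not masked by cut

# … unchanged: variable block …

function fuCHECKFORARGS {
### Check if args are present and the compose file is readable, else exit non-zero

if [ -r "$myDOCKERCOMPOSEYML" ] && ([ "$myRULESFUNCTION" == "set" ] || [ "$myRULESFUNCTION" == "unset" ]);
  then
    echo "All arguments met. Continuing."
  else
    echo "Usage: rules.sh <docker-compose.yml> <[set, unset]>" >&2
    exit 1
fi
}

# … unchanged: fuNFQCHECK (quote "$myDOCKERCOMPOSEYML" there too) …

function fuGETPORTS {
### Get ports from docker-compose.yml; refuse to continue with an empty list,
### otherwise the NFQUEUE catch-all in fuSETRULES would divert every service port

myDOCKERCOMPOSEPORTS=$(yq -r '.services[].ports' "$myDOCKERCOMPOSEYML" | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':')
if [ $? -ne 0 ] || [ -z "$myDOCKERCOMPOSEPORTS" ];
  then
    echo "Could not extract any ports from $myDOCKERCOMPOSEYML. Exiting." >&2
    exit 1
fi
myDOCKERCOMPOSEPORTS+=" $myHOSTPORTS"
myRULESPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo $i; done | sort -gu)
}

# … unchanged: fuSETRULES, fuUNSETRULES, main …
```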
diff --git a/etc/compose/tpot.yml b/etc/compose/tpot.yml
index 8fa5021e..c0ac8fb9 100644
--- a/etc/compose/tpot.yml
+++ b/etc/compose/tpot.yml
@@ -206,6 +206,8 @@ services:
 - SYS_PTRACE
 security_opt:
 - apparmor=unconfined
+ ports:
+ - "64301:64301"
 image: "dtagdevsec/netdata:1710"
 volumes:
 - /proc:/host/proc:ro
@@ -303,4 +305,6 @@ services:
 network_mode: "host"
 env_file:
 - /opt/tpot/etc/compose/wetty_environment
+ ports:
+ - "64300:64300"
 image: "dtagdevsec/wetty:1710"
diff --git a/host/etc/systemd/tpot.service b/host/etc/systemd/tpot.service
index 9389ab89..d6abc96a 100644
--- a/host/etc/systemd/tpot.service
+++ b/host/etc/systemd/tpot.service
@@ -31,13 +31,7 @@ ExecStartPre=-/bin/chmod 666 /var/run/docker.sock
 # Set iptables accept rules to avoid forwarding to honeytrap / NFQUEUE
 # Forward all other connections to honeytrap / NFQUEUE
-ExecStartPre=/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+ExecStartPre=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml set
 # Compose T-Pot up
 ExecStart=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
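Review bot: The new `ports:` entries for netdata and wetty sit on services that run with `network_mode: "host"` (visible for wetty in the second hunk; netdata's mode is outside the first hunk), and docker-compose discards published ports in host network mode, so the entries have no runtime effect and exist only so that `bin/rules.sh` can discover the port through `yq '.services[].ports'`. Without a note, the next cleanup is likely to drop them and silently push 64300/64301 behind the NFQUEUE catch-all; add a YAML comment above each entry, e.g. `# read by bin/rules.sh to whitelist the port in iptables; ignored by docker in host network mode`.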
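Review bot: The static ACCEPT list removed in this hunk covered `64295:64303` and `7634`, whereas `rules.sh` hard-codes only `64295` in `myHOSTPORTS` and derives everything else from `ports:` entries in tpot.yml; any port in the old set that no compose service publishes (7634 in particular, and whichever 6429x/6430x ports are not mapped) now falls through to NFQUEUE and is answered by honeytrap instead of the real service. Check that against tpot.yml before merging, and extend the comment above the new `ExecStartPre` so the rule source is discoverable from the unit: `# Accepted ports = ports: entries in tpot.yml plus myHOSTPORTS in /opt/tpot/bin/rules.sh`. Leaving the line without a `-` prefix is the right choice here, since a failing rules.sh should abort the start, but that only works if the script actually returns non-zero on its failure paths.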
@@ -46,13 +40,7 @@ ExecStart=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
 ExecStop=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml down -v
 # Remove only previously set iptables rules
-ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+ExecStopPost=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml unset
 [Install]
 WantedBy=multi-user.target
diff --git a/iso/installer/install.sh b/iso/installer/install.sh
index 4212da99..6f07c754 100755
--- a/iso/installer/install.sh
+++ b/iso/installer/install.sh
@@ -325,6 +325,7 @@ apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOX
 # Installing ctop, elasticdump, tpot
 pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF
 pip install elasticsearch-curator==5.4.1 2>&1 | dialog --title "[ Installing elasticsearch-curator ]" $myPROGRESSBOXCONF
+pip install yq==2.4.1 2>&1 | dialog --title "[ Installing yq ]" $myPROGRESSBOXCONF
 npm install https://github.com/taskrabbit/elasticsearch-dump#ac9f62a -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
 wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
 mv ctop /usr/bin/ 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
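Review bot: The new `ExecStopPost=` line has no `-` prefix, unlike the `ExecStartPre=-/bin/chmod` line earlier in the unit, and `rules.sh unset` exits with the status of its last `iptables -D`; when the stop follows a start in which the rules were never added (ExecStartPre aborted, or fuNFQCHECK exited early because honeytrap was disabled in the meantime) that `-D` fails and systemd records the non-zero status for the stop. Rule removal is best-effort by nature, so `ExecStopPost=-/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml unset` expresses the intent; the comment above it, "Remove only previously set iptables rules", is now only true if tpot.yml was not edited between start and stop, which is worth stating there.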
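Review bot: `pip install yq==2.4.1` installs the Python `yq`, a thin wrapper that executes `jq` at runtime; unless `jq` is installed elsewhere in install.sh (not visible in this hunk), `bin/rules.sh` fails on the first `ExecStartPre` after install and the honeypot service never starts. Confirm jq is in the apt package list and record the dependency next to this line, e.g. `# yq (python) shells out to jq; bin/rules.sh needs both at boot`.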