mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-07-01 04:22:11 +00:00
Tweaking
- Ciscoasa, update py package - Cowrie, remove build artifact - Dicompot, harden image - Dionaea, hardening, update for py3.12
This commit is contained in:
t3chn0m4g3
parent
21a16a6c1c
commit
626b657082
6 changed files with 57 additions and 42 deletions
|
|
@ -1,19 +1,19 @@
|
||||||
FROM alpine:3.20 AS builder
|
FROM alpine:3.20 AS builder
|
||||||
#
|
#
|
||||||
# Install packages
|
# Install packages
|
||||||
RUN apk --no-cache -U add build-base \
|
RUN apk --no-cache add \
|
||||||
|
build-base \
|
||||||
git \
|
git \
|
||||||
libffi \
|
libffi \
|
||||||
libffi-dev \
|
libffi-dev \
|
||||||
openssl \
|
openssl \
|
||||||
openssl-dev \
|
openssl-dev \
|
||||||
py3-cryptography \
|
|
||||||
py3-pip \
|
py3-pip \
|
||||||
python3 \
|
python3 \
|
||||||
python3-dev && \
|
python3-dev && \
|
||||||
#
|
#
|
||||||
# Get and install packages
|
# Get and install packages
|
||||||
mkdir -p /opt/ && \
|
mkdir -p /opt/ && \
|
||||||
cd /opt/ && \
|
cd /opt/ && \
|
||||||
git clone https://github.com/t3chn0m4g3/ciscoasa_honeypot && \
|
git clone https://github.com/t3chn0m4g3/ciscoasa_honeypot && \
|
||||||
cd ciscoasa_honeypot && \
|
cd ciscoasa_honeypot && \
|
||||||
|
|
|
||||||
|
|
@ -58,6 +58,7 @@ RUN apk --no-cache -U add \
|
||||||
cd /home/cowrie/cowrie && \
|
cd /home/cowrie/cowrie && \
|
||||||
/usr/bin/twistd --uid=2000 --gid=2000 -y cowrie.tac --pidfile cowrie.pid cowrie &" && \
|
/usr/bin/twistd --uid=2000 --gid=2000 -y cowrie.tac --pidfile cowrie.pid cowrie &" && \
|
||||||
sleep 10 && \
|
sleep 10 && \
|
||||||
|
rm -rf /home/cowrie/cowrie/etc && \
|
||||||
#
|
#
|
||||||
# Clean up
|
# Clean up
|
||||||
apk del --purge build-base \
|
apk del --purge build-base \
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,8 @@
|
||||||
FROM golang:1.21-alpine AS builder
|
FROM golang:1.23-alpine AS builder
|
||||||
|
#
|
||||||
|
ENV GO111MODULE=on \
|
||||||
|
CGO_ENABLED=0 \
|
||||||
|
GOOS=linux
|
||||||
#
|
#
|
||||||
# Include dist
|
# Include dist
|
||||||
COPY dist/ /root/dist/
|
COPY dist/ /root/dist/
|
||||||
|
|
@ -7,32 +11,25 @@ COPY dist/ /root/dist/
|
||||||
RUN apk --no-cache -U add \
|
RUN apk --no-cache -U add \
|
||||||
build-base \
|
build-base \
|
||||||
git \
|
git \
|
||||||
g++ && \
|
g++
|
||||||
#
|
#
|
||||||
# Setup go, build dicompot
|
# Setup go, build dicompot
|
||||||
mkdir -p /opt/go && \
|
RUN git clone https://github.com/nsmfoo/dicompot.git && \
|
||||||
export GOPATH=/opt/go/ && \
|
|
||||||
cd /opt/go/ && \
|
|
||||||
git clone https://github.com/nsmfoo/dicompot.git && \
|
|
||||||
cd dicompot && \
|
cd dicompot && \
|
||||||
git checkout 41331194156bbb17078bcc1594f4952ac06a731e && \
|
git checkout 41331194156bbb17078bcc1594f4952ac06a731e && \
|
||||||
go mod download && \
|
cp /root/dist/go.mod . && \
|
||||||
go install -a -x github.com/nsmfoo/dicompot/server
|
pwd && ls -alR
|
||||||
|
WORKDIR /go/dicompot
|
||||||
|
RUN ls -alR
|
||||||
|
RUN go mod tidy
|
||||||
|
RUN go mod download
|
||||||
|
RUN go build -o dicompot github.com/nsmfoo/dicompot/server
|
||||||
#
|
#
|
||||||
FROM alpine:3.19
|
FROM scratch
|
||||||
#
|
#
|
||||||
# Setup dicompot
|
COPY --from=builder /go/dicompot/dicompot /opt/dicompot/dicompot
|
||||||
#
|
|
||||||
COPY --from=builder /opt/go/bin/server /opt/dicompot/server
|
|
||||||
COPY --from=builder /root/dist/dcm_pts/images /opt/dicompot/images
|
COPY --from=builder /root/dist/dcm_pts/images /opt/dicompot/images
|
||||||
#
|
|
||||||
# Setup user, groups and configs
|
|
||||||
#
|
|
||||||
RUN addgroup -g 2000 dicompot && \
|
|
||||||
adduser -S -s /bin/ash -u 2000 -D -g 2000 dicompot && \
|
|
||||||
chown -R dicompot:dicompot /opt/dicompot
|
|
||||||
#
|
|
||||||
# Start dicompot
|
|
||||||
WORKDIR /opt/dicompot
|
WORKDIR /opt/dicompot
|
||||||
USER dicompot:dicompot
|
USER 2000:2000
|
||||||
CMD ["./server","-ip","0.0.0.0","-dir","images","-log","/var/log/dicompot/dicompot.log"]
|
CMD ["-ip","0.0.0.0","-dir","images","-log","/var/log/dicompot/dicompot.log"]
|
||||||
|
ENTRYPOINT ["./dicompot"]
|
||||||
|
|
|
||||||
25
docker/dicompot/dist/go.mod
vendored
Normal file
25
docker/dicompot/dist/go.mod
vendored
Normal file
|
|
@ -0,0 +1,25 @@
|
||||||
|
module github.com/nsmfoo/dicompot
|
||||||
|
|
||||||
|
go 1.23
|
||||||
|
|
||||||
|
require (
|
||||||
|
github.com/grailbio/go-dicom v0.0.0-20190117035129-c30d9eaca591
|
||||||
|
github.com/mattn/go-colorable v0.1.6
|
||||||
|
github.com/sirupsen/logrus v1.6.0
|
||||||
|
github.com/snowzach/rotatefilehook v0.0.0-20180327172521-2f64f265f58c
|
||||||
|
)
|
||||||
|
|
||||||
|
require (
|
||||||
|
github.com/BurntSushi/toml v0.3.1 // indirect
|
||||||
|
github.com/gobwas/glob v0.0.0-20170212200151-51eb1ee00b6d // indirect
|
||||||
|
github.com/konsorten/go-windows-terminal-sequences v1.0.3 // indirect
|
||||||
|
github.com/mattn/go-isatty v0.0.12 // indirect
|
||||||
|
golang.org/x/sys v0.1.0 // indirect
|
||||||
|
golang.org/x/text v0.3.8 // indirect
|
||||||
|
gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
|
||||||
|
gopkg.in/yaml.v2 v2.3.0 // indirect
|
||||||
|
)
|
||||||
|
|
||||||
|
replace github.com/nsmfoo/dicompot => ../dicompot
|
||||||
|
|
||||||
|
replace github.com/golang/lint => ../../golang/lint
|
||||||
|
|
@ -16,6 +16,7 @@ services:
|
||||||
networks:
|
networks:
|
||||||
- dicompot_local
|
- dicompot_local
|
||||||
ports:
|
ports:
|
||||||
|
- "104:11112"
|
||||||
- "11112:11112"
|
- "11112:11112"
|
||||||
image: "dtagdevsec/dicompot:24.04"
|
image: "dtagdevsec/dicompot:24.04"
|
||||||
read_only: true
|
read_only: true
|
||||||
|
|
|
||||||
|
|
@ -1,20 +1,12 @@
|
||||||
FROM ubuntu:22.04
|
FROM ubuntu:24.04
|
||||||
ENV DEBIAN_FRONTEND noninteractive
|
ENV DEBIAN_FRONTEND noninteractive
|
||||||
#
|
#
|
||||||
# Include dist
|
# Include dist
|
||||||
COPY dist/ /root/dist/
|
COPY dist/ /root/dist/
|
||||||
#
|
#
|
||||||
# Check if APT_PROXY is set and configure apt to use the proxy
|
|
||||||
RUN bash -c 'if [ -n "${http_proxy}" ]; then \
|
|
||||||
echo "Using APT proxy at ${http_proxy}"; \
|
|
||||||
echo "Acquire::http::Proxy \"${http_proxy}\";" > /etc/apt/apt.conf.d/01proxy; \
|
|
||||||
else \
|
|
||||||
echo "APT proxy not configured, proceeding without proxy"; \
|
|
||||||
fi' && \
|
|
||||||
# bash -c 'echo "Acquire::http::Proxy::ports.ubuntu.com DIRECT;" > /etc/apt/apt.conf.d/99force-no-proxy' && \
|
|
||||||
#
|
|
||||||
# Determine arch, get and install packages
|
# Determine arch, get and install packages
|
||||||
ARCH=$(arch) && \
|
RUN ARCH=$(arch) && \
|
||||||
if [ "$ARCH" = "x86_64" ]; then ARCH="amd64"; fi && \
|
if [ "$ARCH" = "x86_64" ]; then ARCH="amd64"; fi && \
|
||||||
if [ "$ARCH" = "aarch64" ]; then ARCH="arm64"; fi && \
|
if [ "$ARCH" = "aarch64" ]; then ARCH="arm64"; fi && \
|
||||||
echo "$ARCH" && \
|
echo "$ARCH" && \
|
||||||
|
|
@ -49,14 +41,13 @@ RUN bash -c 'if [ -n "${http_proxy}" ]; then \
|
||||||
python3-dev \
|
python3-dev \
|
||||||
python3-boto3 \
|
python3-boto3 \
|
||||||
python3-bson \
|
python3-bson \
|
||||||
|
python3-setuptools \
|
||||||
python3-yaml \
|
python3-yaml \
|
||||||
fonts-liberation && \
|
fonts-liberation && \
|
||||||
#
|
#
|
||||||
# Get and install dionaea
|
# Get and install dionaea
|
||||||
# git clone --depth=1 https://github.com/dinotools/dionaea -b 0.11.0 /root/dionaea/ && \
|
git clone https://github.com/t3chn0m4g3/dionaea -b 0.11.1 /root/dionaea/ && \
|
||||||
git clone --depth=1 https://github.com/dinotools/dionaea /root/dionaea/ && \
|
|
||||||
cd /root/dionaea && \
|
cd /root/dionaea && \
|
||||||
git checkout 4e459f1b672a5b4c1e8335c0bff1b93738019215 && \
|
|
||||||
mkdir build && \
|
mkdir build && \
|
||||||
cd build && \
|
cd build && \
|
||||||
cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea .. && \
|
cmake -DCMAKE_INSTALL_PREFIX:PATH=/opt/dionaea .. && \
|
||||||
|
|
@ -66,7 +57,7 @@ RUN bash -c 'if [ -n "${http_proxy}" ]; then \
|
||||||
# Setup user and groups
|
# Setup user and groups
|
||||||
addgroup --gid 2000 dionaea && \
|
addgroup --gid 2000 dionaea && \
|
||||||
adduser --system --no-create-home --shell /bin/bash --uid 2000 --disabled-password --disabled-login --gid 2000 dionaea && \
|
adduser --system --no-create-home --shell /bin/bash --uid 2000 --disabled-password --disabled-login --gid 2000 dionaea && \
|
||||||
setcap cap_net_bind_service=+ep /opt/dionaea/bin/dionaea && \
|
setcap cap_net_bind_service=+ep /opt/dionaea/sbin/dionaea && \
|
||||||
#
|
#
|
||||||
# Supply configs and set permissions
|
# Supply configs and set permissions
|
||||||
chown -R dionaea:dionaea /opt/dionaea/var && \
|
chown -R dionaea:dionaea /opt/dionaea/var && \
|
||||||
|
|
@ -114,7 +105,7 @@ RUN bash -c 'if [ -n "${http_proxy}" ]; then \
|
||||||
libnetfilter-queue1 \
|
libnetfilter-queue1 \
|
||||||
libnl-3-200 \
|
libnl-3-200 \
|
||||||
libpcap0.8 \
|
libpcap0.8 \
|
||||||
libpython3.10 \
|
libpython3.12 \
|
||||||
libudns0 && \
|
libudns0 && \
|
||||||
#
|
#
|
||||||
apt-get autoremove --purge -y && \
|
apt-get autoremove --purge -y && \
|
||||||
|
|
@ -132,4 +123,4 @@ STOPSIGNAL SIGINT
|
||||||
# Dionaea sometimes hangs at 100% CPU usage, if detected container will become unhealthy and restarted by tpotinit
|
# Dionaea sometimes hangs at 100% CPU usage, if detected container will become unhealthy and restarted by tpotinit
|
||||||
HEALTHCHECK --interval=5m --timeout=30s --retries=3 CMD python3 /cpu_check.py $(pgrep -of dionaea) 99
|
HEALTHCHECK --interval=5m --timeout=30s --retries=3 CMD python3 /cpu_check.py $(pgrep -of dionaea) 99
|
||||||
USER dionaea:dionaea
|
USER dionaea:dionaea
|
||||||
CMD ["/opt/dionaea/bin/dionaea", "-u", "dionaea", "-g", "dionaea", "-c", "/opt/dionaea/etc/dionaea/dionaea.cfg"]
|
CMD ["/opt/dionaea/sbin/dionaea", "-u", "dionaea", "-g", "dionaea", "-c", "/opt/dionaea/etc/dionaea/dionaea.cfg"]
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue