From adee51bee54ef34360efe92be3dbed0f2b0aac20 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Tue, 16 Nov 2021 18:23:25 +0000
Subject: [PATCH 01/12] bump heralding to latest master
---
 docker/heralding/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/heralding/Dockerfile b/docker/heralding/Dockerfile
index 23d8bce6..90438a02 100644
--- a/docker/heralding/Dockerfile
+++ b/docker/heralding/Dockerfile
@@ -10,7 +10,7 @@ RUN apk -U --no-cache add \
 libcap \
 libffi-dev \
 openssl-dev \
- libzmq \
+ py3-pyzmq \
 postgresql-dev \
 py3-pip \
 python3 \
@@ -21,7 +21,7 @@ RUN apk -U --no-cache add \
 cd /opt/ && \
 git clone https://github.com/johnnykv/heralding && \
 cd heralding && \
- git checkout 3f38976a2ab4d884d755b6324f2c71923ddadbdb && \
+ git checkout c31f99c55c7318c09272d8d9998e560c3d4de9aa && \
 pip3 install --upgrade pip && \
 pip3 install --no-cache-dir -r requirements.txt && \
 pip3 install --no-cache-dir . && \
From 591be0791b9711be965a0924533ffbab3189668b Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Thu, 18 Nov 2021 13:05:01 +0100
Subject: [PATCH 02/12] Fixes #939 https://stackoverflow.com/questions/28785383/how-to-disable-persistence-with-redis
---
 docker/tanner/redis/dist/redis.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docker/tanner/redis/dist/redis.conf b/docker/tanner/redis/dist/redis.conf
index edfe45da..b85cf17c 100644
--- a/docker/tanner/redis/dist/redis.conf
+++ b/docker/tanner/redis/dist/redis.conf
@@ -1,2 +1,3 @@
 bind 0.0.0.0
 protected-mode no
+save ""
From d2cbf6ebbcbd47d874814f412c996b3ecc807fe5 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Thu, 18 Nov 2021 13:39:05 +0000
Subject: [PATCH 03/12] build fix for tanner
---
 docker/tanner/tanner/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docker/tanner/tanner/Dockerfile b/docker/tanner/tanner/Dockerfile
index 3c29c4df..204ebe13 100644
--- a/docker/tanner/tanner/Dockerfile
+++ b/docker/tanner/tanner/Dockerfile
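Review bot: The new `save ""` line disables RDB snapshots without saying why, and the two context lines above it (`bind 0.0.0.0`, `protected-mode no`) mean this redis accepts unauthenticated commands from anything that can reach it. Add a comment above the new line, for example `# #939: disable RDB snapshots, tanner presumably needs no persistence` (confirm the reason with the tanner maintainers), and note that `appendonly` defaults to `no`, so this single line is enough for "no persistence". Whether the instance is confined to the tanner-internal docker network is not visible in this hunk; if it is reachable from elsewhere, a `requirepass` line belongs next to these settings.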
@@ -23,6 +23,7 @@ RUN apk -U --no-cache add \
 # git checkout test && \
 git checkout 20dabcbccc50f8878525677b925a4c9abcaf9f54 && \
 sed -i 's/aioredis/aioredis==1.3.1/g' requirements.txt && \
+ sed -i 's/^aiohttp$/aiohttp==3.7.4/g' requirements.txt && \
 cp /root/dist/config.yaml /opt/tanner/tanner/data && \
 pip3 install --no-cache-dir setuptools && \
 pip3 install --no-cache-dir -r requirements.txt && \
From 81b8242c6848a187a12c81baf6db1eebe694c1b7 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Thu, 18 Nov 2021 13:48:02 +0000
Subject: [PATCH 04/12] bump ewsposter to latest master
---
 docker/ews/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/ews/Dockerfile b/docker/ews/Dockerfile
index 47e431b4..a58be85f 100644
--- a/docker/ews/Dockerfile
+++ b/docker/ews/Dockerfile
@@ -25,8 +25,8 @@ RUN apk -U --no-cache add \
 # Setup ewsposter
 git clone https://github.com/telekom-security/ewsposter /opt/ewsposter && \
 cd /opt/ewsposter && \
-# git checkout 0502c39941bab10643502c27f7bd7eee301b21c0 && \
- git checkout 11ab4c8a0a1b63d4bca8c52c07f2eab520d0b257 && \
+# git checkout 11ab4c8a0a1b63d4bca8c52c07f2eab520d0b257 && \
+ git checkout 17c08f3ae500d838c1528c9700e4430d5f6ad214 && \
 mkdir -p /opt/ewsposter/spool /opt/ewsposter/log && \
 #
 # Setup user and groups
From 6c155ad87f80ed910483fe1388648eaa21a1b076 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Thu, 18 Nov 2021 19:55:44 +0000
Subject: [PATCH 05/12] add qeeqbox honeypots
---
 docker/honeypots/Dockerfile | 65 +++++++++++++++
 docker/honeypots/dist/config.json | 120 ++++++++++++++++++++++++++++
 docker/honeypots/docker-compose.yml | 42 ++++++++++
 3 files changed, 227 insertions(+)
 create mode 100644 docker/honeypots/Dockerfile
 create mode 100644 docker/honeypots/dist/config.json
 create mode 100644 docker/honeypots/docker-compose.yml
diff --git a/docker/honeypots/Dockerfile b/docker/honeypots/Dockerfile
new file mode 100644
index 00000000..1a87306a
--- /dev/null
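Review bot: The added `sed -i 's/^aiohttp$/aiohttp==3.7.4/g' requirements.txt` only rewrites a bare `aiohttp` line, so if the upstream requirement is ever spelled `aiohttp>=…` or gains a trailing comment the pin silently does not apply and the `pip3 install --no-cache-dir -r requirements.txt` below resolves whatever version is current. Make the build fail instead of drifting: `grep -q '^aiohttp==3.7.4$' requirements.txt && \` right after the sed (the same weakness exists in the pre-existing `aioredis` substitution on the line above). A short comment naming why 3.7.4 is required, e.g. `# aiohttp pinned for tanner compatibility, revisit when bumping the tanner commit`, would make the pin easy to lift later. The `RUN` instruction this line belongs to starts and ends outside the hunk.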
+++ b/docker/honeypots/Dockerfile
@@ -0,0 +1,65 @@
+FROM alpine:3.14
+#
+# Include dist
+ADD dist/ /root/dist/
+#
+# Install packages
+RUN apk -U add \
+ build-base \
+ freetds \
+ freetds-dev \
+ gcc \
+ git \
+ hiredis \
+ jpeg-dev \
+ libcap \
+ libffi-dev \
+ libpq \
+ musl-dev \
+ openssl \
+ openssl-dev \
+ postgresql-dev \
+ py3-pip \
+ python3 \
+ python3-dev \
+ zlib-dev && \
+#
+# Install honeypots from GitHub and setup
+ mkdir -p /opt \
+ /var/log/honeypots && \
+ cd /opt/ && \
+ #git clone https://github.com/qeeqbox/honeypots && \
+ git clone https://github.com/t3chn0m4g3/honeypots && \
+ cd honeypots && \
+ #git checkout 7c654a3ef2c564ae6f1247bf302d652037080163 && \
+ pip3 install --upgrade pip && \
+ pip3 install hiredis && \
+ pip3 install . && \
+ setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
+#
+# Setup user, groups and configs
+ addgroup -g 2000 honeypots && \
+ adduser -S -H -s /bin/ash -u 2000 -D -g 2000 honeypots && \
+ chown honeypots:honeypots -R /opt/honeypots && \
+ chown honeypots:honeypots -R /var/log/honeypots && \
+ mv /root/dist/config.json /opt/honeypots/ && \
+#
+# Clean up
+ apk del --purge build-base \
+ freetds-dev \
+ git \
+ jpeg-dev \
+ libffi-dev \
+ openssl-dev \
+ postgresql-dev \
+ python3-dev \
+ zlib-dev && \
+ rm -rf /root/* && \
+ rm -rf /var/cache/apk/*
+#
+# Start honeypots
+STOPSIGNAL SIGINT
+USER honeypots:honeypots
+WORKDIR /opt/honeypots/
+CMD python3 -m honeypots --setup all --config config.json
+#CMD python3 -m honeypots --setup telnet --config config.json
diff --git a/docker/honeypots/dist/config.json b/docker/honeypots/dist/config.json
new file mode 100644
index 00000000..f7793c15
--- /dev/null
+++ b/docker/honeypots/dist/config.json
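Review bot: The clone of the honeypots fork is not pinned: `#git checkout 7c654a3ef2c564ae6f1247bf302d652037080163 && \` is commented out, so every build takes whatever the head of `t3chn0m4g3/honeypots` is at that moment and the image is not reproducible, unlike the heralding, tanner and ewsposter Dockerfiles in this series which all pin a commit. Re-enable it with the intended revision, `git checkout <PINNED_COMMIT> && \`, and say in the comment why the fork is used instead of `qeeqbox/honeypots`. `CMD python3 -m honeypots --setup all --config config.json` is shell form, so the process may end up under `/bin/sh -c` and the `STOPSIGNAL SIGINT` two lines above might never reach python; `CMD ["python3", "-m", "honeypots", "--setup", "all", "--config", "config.json"]` avoids that. Smaller points in the same hunk: `ADD dist/ /root/dist/` should be `COPY`, `apk -U add` lacks the `--no-cache` the sibling Dockerfiles use, `pip3 install hiredis` / `pip3 install .` are unpinned and lack `--no-cache-dir`, and `setcap … /usr/bin/python3.9` hard-codes the interpreter path that `python3` on `alpine:3.14` resolves to.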
@@ -0,0 +1,120 @@
+{
+ "logs":"file,terminal",
+ "logs_location":"/var/log/honeypots/",
+ "honeypots": {
+ "dns": {
+ "port": 53,
+ "ip": "0.0.0.0",
+ "username": "administrator",
+ "password": "123456"
+ },
+ "ftp": {
+ "port": 21,
+ "ip": "0.0.0.0",
+ "username": "ftp",
+ "password": "anonymous"
+ },
+ "httpproxy": {
+ "port": 8080,
+ "ip": "0.0.0.0",
+ "username": "admin",
+ "password": "admin"
+ },
+ "http": {
+ "port": 80,
+ "ip": "0.0.0.0",
+ "username": "admin",
+ "password": "admin"
+ },
+ "https": {
+ "port": 443,
+ "ip": "0.0.0.0",
+ "username": "admin",
+ "password": "admin"
+ },
+ "imap": {
+ "port": 143,
+ "ip": "0.0.0.0",
+ "username": "root",
+ "password": "123456"
+ },
+ "mysql": {
+ "port": 3306,
+ "ip": "0.0.0.0",
+ "username": "root",
+ "password": "123456"
+ },
+ "pop3": {
+ "port": 110,
+ "ip": "0.0.0.0",
+ "username": "root",
+ "password": "123456"
+ },
+ "postgres": {
+ "port": 5432,
+ "ip": "0.0.0.0",
+ "username": "postgres",
+ "password": "123456"
+ },
+ "redis": {
+ "port": 6379,
+ "ip": "0.0.0.0",
+ "username": "root",
+ "password": ""
+ },
+ "smb": {
+ "port": 445,
+ "ip": "0.0.0.0",
+ "username": "administrator",
+ "password": "123456"
+ },
+ "smtp": {
+ "port": 25,
+ "ip": "0.0.0.0",
+ "username": "root",
+ "password": "123456"
+ },
+ "socks5": {
+ "port": 1080,
+ "ip": "0.0.0.0",
+ "username": "admin",
+ "password": "admin"
+ },
+ "ssh": {
+ "port": 22,
+ "ip": "0.0.0.0",
+ "username": "root",
+ "password": "123456"
+ },
+ "telnet": {
+ "port": 23,
+ "ip": "0.0.0.0",
+ "username": "root",
+ "password": "123456"
+ },
+ "vnc": {
+ "port": 5900,
+ "ip": "0.0.0.0",
+ "username": "administrator",
+ "password": "123456"
+ },
+ "elastic": {
+ "port": 9200,
+ "ip": "0.0.0.0",
+ "username": "elastic",
+ "password": "123456"
+ },
+ "mssql": {
+ "port": 1433,
+ "ip": "0.0.0.0",
+ "username": "sa",
+ "password": ""
+ },
+ "ldap": {
+ "port": 389,
+ "ip": "0.0.0.0",
+ "username": "administrator",
+ "password": "123456"
+ }
+ }
+}
diff --git a/docker/honeypots/docker-compose.yml b/docker/honeypots/docker-compose.yml
new file mode 100644
index 00000000..7bf3df65
--- /dev/null
+++ b/docker/honeypots/docker-compose.yml
@@ -0,0 +1,42 @@
+version: '2.3'
+
+networks:
+ honeypots_local:
+
+services:
+
+# Honeypots service
+ honeypots:
+ build: .
+ container_name: honeypots
+ stdin_open: true
+ tty: true
+ restart: always
+ tmpfs:
+ - /tmp:uid=2000,gid=2000
+ networks:
+ - honeypots_local
+ ports:
+ - "21:21"
+ - "22:22"
+ - "23:23"
+ - "25:25"
+ - "53:53/udp"
+ - "80:80"
+ - "110:110"
+ - "143:143"
+ - "389:389"
+ - "443:443"
+ - "445:445"
+ - "1080:1080"
+ - "1433:1433"
+ - "3306:3306"
+ - "5432:5432"
+ - "5900:5900"
+ - "6379:6379"
+ - "8080:8080"
+ - "9200:9200"
+ image: "dtagdevsec/honeypots:2006"
+ read_only: true
+ volumes:
+ - /data/honeypots/log:/var/log/honeypots
From e76a643296619027854c1efa6b3c4ab8e5b5231e Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Thu, 18 Nov 2021 20:58:17 +0100
Subject: [PATCH 06/12] Update Readme for new honeypots
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index fdfa70dd..5f7b5a9e 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ and includes dockerized versions of the following honeypots
 * [glutton](https://github.com/mushorg/glutton),
 * [heralding](https://github.com/johnnykv/heralding),
 * [hellpot](https://github.com/yunginnanet/HellPot),
+* [honeypots](https://github.com/qeeqbox/honeypots),
 * [honeypy](https://github.com/foospidy/HoneyPy),
 * [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
 * [honeytrap](https://github.com/armedpot/honeytrap/),
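Review bot: `honeypots_local` is declared with no options, so the container keeps unrestricted outbound access while the service publishes the emulated `socks5` (`"1080:1080"`) and `httpproxy` (`"8080:8080"`) listeners on every host interface; whether those emulations relay client traffic is not visible here, and if they do the host becomes an open proxy. Confirm that with the honeypots code, restrict the container's egress at the host firewall if needed, and record the decision in a comment above `honeypots:` (e.g. `# socks5/httpproxy are emulations only, no traffic is forwarded`). `dns` is mapped only as `"53:53/udp"` while config.json gives port 53 without a protocol, so a TCP listener, if the honeypot opens one, would be unreachable — worth a comment either way. `read_only: true`, the uid 2000 tmpfs and `restart: always` match the sibling compose files.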
@@ -104,6 +105,7 @@ In T-Pot we combine the dockerized honeypots ... * [glutton](https://github.com/mushorg/glutton), * [heralding](https://github.com/johnnykv/heralding), * [hellpot](https://github.com/yunginnanet/HellPot), +* [honeypots](https://github.com/qeeqbox/honeypots), * [honeypy](https://github.com/foospidy/HoneyPy), * [honeysap](https://github.com/SecureAuthCorp/HoneySAP), * [honeytrap](https://github.com/armedpot/honeytrap/), @@ -502,6 +504,8 @@ The software that T-Pot is built on uses the following licenses.
MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE)
Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE)
Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license) +
AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE) + # Credits @@ -530,6 +534,7 @@ Without open source and the fruitful development community (we are proud to be a * [glutton](https://github.com/mushorg/glutton/graphs/contributors) * [hellpot](https://github.com/yunginnanet/HellPot/graphs/contributors) * [heralding](https://github.com/johnnykv/heralding/graphs/contributors) +* [honeypots](https://github.com/qeeqbox/honeypots/graphs/contributors) * [honeypy](https://github.com/foospidy/HoneyPy/graphs/contributors) * [honeysap](https://github.com/SecureAuthCorp/HoneySAP/graphs/contributors) * [honeytrap](https://github.com/armedpot/honeytrap/graphs/contributors) From 6fb2fa783a68f3ff37cb0efa208ee7ca8a7d53f1 Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Thu, 18 Nov 2021 21:32:48 +0100 Subject: [PATCH 07/12] update for new honeypots --- bin/clean.sh | 9 +++++++++ etc/logrotate/logrotate.conf | 1 + iso/installer/install.sh | 13 +++++++------ update.sh | 1 + 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/bin/clean.sh b/bin/clean.sh index 85f79245..f3538a4e 100755 --- a/bin/clean.sh +++ b/bin/clean.sh @@ -197,6 +197,14 @@ fuHERALDING () { chown tpot:tpot /data/heralding -R } +# Let's create a function to clean up and prepare honeypots data +fuHONEYPOTS () { + if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi + mkdir -p /data/honeypots/log + chmod 770 /data/honeypots -R + chown tpot:tpot /data/honeypots -R +} + # Let's create a function to clean up and prepare honeypy data fuHONEYPY () { if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi @@ -339,6 +347,7 @@ if [ "$myPERSISTENCE" = "on" ]; fuHERALDING fuHELLPOT fuHONEYSAP + fuHONEYPOTS fuHONEYPY fuHONEYTRAP fuIPPHONEY diff --git a/etc/logrotate/logrotate.conf b/etc/logrotate/logrotate.conf index 773bd997..5f2405b1 100644 --- a/etc/logrotate/logrotate.conf +++ b/etc/logrotate/logrotate.conf 
@@ -23,6 +23,7 @@ /data/heralding/log/*.log /data/heralding/log/*.csv /data/heralding/log/*.json +/data/honeypots/log/*.log /data/honeypy/log/*.log /data/honeysap/log/*.log /data/honeytrap/log/*.log diff --git a/iso/installer/install.sh b/iso/installer/install.sh index 32557aa0..34af3325 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh @@ -802,27 +802,28 @@ mkdir -vp /data/adbhoney/{downloads,log} \ /data/conpot/log \ /data/citrixhoneypot/logs \ /data/cowrie/{downloads,keys,misc,log,log/tty} \ - /data/ddospot/{bl,db,log} \ - /data/dicompot/{images,log} \ + /data/ddospot/{bl,db,log} \ + /data/dicompot/{images,log} \ /data/dionaea/{log,bistreams,binaries,rtp,roots,roots/ftp,roots/tftp,roots/www,roots/upnp} \ /data/elasticpot/log \ /data/elk/{data,log} \ - /data/endlessh/log \ + /data/endlessh/log \ /data/fatt/log \ /data/honeytrap/{log,attacks,downloads} \ /data/glutton/log \ - /data/hellpot/log \ + /data/hellpot/log \ /data/heralding/log \ + /data/honeypots/log \ /data/honeypy/log \ /data/honeysap/log \ - /data/ipphoney/log \ + /data/ipphoney/log \ /data/mailoney/log \ /data/medpot/log \ /data/nginx/{log,heimdall} \ /data/emobility/log \ /data/ews/conf \ /data/rdpy/log \ - /data/redishoneypot/log \ + /data/redishoneypot/log \ /data/spiderfoot \ /data/suricata/log \ /data/tanner/{log,files} \ diff --git a/update.sh b/update.sh index e5df7992..8b1aa432 100755 --- a/update.sh +++ b/update.sh @@ -239,6 +239,7 @@ mkdir -vp /data/adbhoney/{downloads,log} \ /data/glutton/log \ /data/hellpot/log \ /data/heralding/log \ + /data/honeypots/log \ /data/honeypy/log \ /data/honeysap/log \ /data/ipphoney/log \ From ce39e1bd4f7c05619adacdb6aa31d306e0b50911 Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Fri, 19 Nov 2021 23:20:13 +0000 Subject: [PATCH 08/12] logstash logging for honeypots --- docker/elk/logstash/dist/logstash.conf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index ae937fdf..3e356430 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -112,6 +112,13 @@ input {
 type => "Heralding"
 }
+# Honeypots
+ file {
+ path => ["/data/honeypots/log/*.log"]
+ codec => json
+ type => "Honeypots"
+ }
+
 # Honeypy
 file {
 path => ["/data/honeypy/log/json.log"]
@@ -491,6 +498,13 @@ filter {
 }
 }
+# Honeypots
+ if [type] == "Honeypots" {
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+ }
+
 # Honeysap
 if [type] == "Honeysap" {
 date {
From 3103c94355c4dd37cd97047e6c058b8a86d6a829 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Sat, 20 Nov 2021 13:08:35 +0000
Subject: [PATCH 09/12] add mini edition
---
 bin/tped.sh | 2 +-
 etc/compose/mini.yml | 256 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 257 insertions(+), 1 deletion(-)
 create mode 100644 etc/compose/mini.yml
diff --git a/bin/tped.sh b/bin/tped.sh
index 8c91fe0e..d7394be0 100755
--- a/bin/tped.sh
+++ b/bin/tped.sh
@@ -29,7 +29,7 @@ for i in $myYMLS; do myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) " done
-myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
+myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 14 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
 if [ "$myEDITION" == "" ]; then echo "Have a nice day!"
diff --git a/etc/compose/mini.yml b/etc/compose/mini.yml
new file mode 100644
index 00000000..6fa694f7
--- /dev/null
+++ b/etc/compose/mini.yml
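Review bot: The new `Honeypots` filter block assumes every event carries an ISO8601 field named `timestamp`; if the honeypots JSON uses another name, or writes a non-JSON line into `/data/honeypots/log/*.log`, the events are indexed with ingest time and tagged `_dateparsefailure` / `_jsonparsefailure`, and nothing in either hunk surfaces that. Confirm the field name against a real honeypots log line before merging, and document the expectation on the input, e.g. `# Honeypots: one JSON object per line, event time in "timestamp" (ISO8601)`. Both hunks (the `input` entry and the `filter` entry) share this assumption, so one comment at the input is enough.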
@@ -0,0 +1,256 @@
+# T-Pot (Collector)
+# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
+version: '2.3'
+
+networks:
+ cyberchef_local:
+ honeypots_local:
+ ewsposter_local:
+ spiderfoot_local:
+
+services:
+
+##################
+#### Honeypots
+##################
+
+# Honeypots service
+ honeypots:
+ container_name: honeypots
+ stdin_open: true
+ tty: true
+ restart: always
+ tmpfs:
+ - /tmp:uid=2000,gid=2000
+ networks:
+ - honeypots_local
+ ports:
+ - "21:21"
+ - "22:22"
+ - "23:23"
+ - "25:25"
+ - "53:53/udp"
+ - "80:80"
+ - "110:110"
+ - "143:143"
+ - "389:389"
+ - "443:443"
+ - "445:445"
+ - "1080:1080"
+ - "1433:1433"
+ - "3306:3306"
+ - "5432:5432"
+ - "5900:5900"
+ - "6379:6379"
+ - "8080:8080"
+ - "9200:9200"
+ image: "dtagdevsec/honeypots:2006"
+ read_only: true
+ volumes:
+ - /data/honeypots/log:/var/log/honeypots
+
+# Honeytrap service
+ honeytrap:
+ container_name: honeytrap
+ restart: always
+ tmpfs:
+ - /tmp/honeytrap:uid=2000,gid=2000
+ network_mode: "host"
+ cap_add:
+ - NET_ADMIN
+ image: "dtagdevsec/honeytrap:2006"
+ read_only: true
+ volumes:
+ - /data/honeytrap/attacks:/opt/honeytrap/var/attacks
+ - /data/honeytrap/downloads:/opt/honeytrap/var/downloads
+ - /data/honeytrap/log:/opt/honeytrap/var/log
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+ fatt:
+ container_name: fatt
+ restart: always
+ network_mode: "host"
+ cap_add:
+ - NET_ADMIN
+ - SYS_NICE
+ - NET_RAW
+ image: "dtagdevsec/fatt:2006"
+ volumes:
+ - /data/fatt/log:/opt/fatt/log
+
+# P0f service
+ p0f:
+ container_name: p0f
+ restart: always
+ network_mode: "host"
+ image: "dtagdevsec/p0f:2006"
+ read_only: true
+ volumes:
+ - /data/p0f/log:/var/log/p0f
+
+# Suricata service
+ suricata:
+ container_name: suricata
+ restart: always
+ environment:
+ # For ET Pro ruleset replace "OPEN" with your OINKCODE
+ - OINKCODE=OPEN
+ network_mode: "host"
+ cap_add:
+ - NET_ADMIN
+ - 
SYS_NICE
+ - NET_RAW
+ image: "dtagdevsec/suricata:2006"
+ volumes:
+ - /data/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools
+##################
+
+# Cyberchef service
+ cyberchef:
+ container_name: cyberchef
+ restart: always
+ networks:
+ - cyberchef_local
+ ports:
+ - "127.0.0.1:64299:8000"
+ image: "dtagdevsec/cyberchef:2006"
+ read_only: true
+
+#### ELK
+## Elasticsearch service
+ elasticsearch:
+ container_name: elasticsearch
+ restart: always
+ environment:
+ - bootstrap.memory_lock=true
+# - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+ - ES_TMPDIR=/tmp
+ cap_add:
+ - IPC_LOCK
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+# mem_limit: 4g
+ ports:
+ - "127.0.0.1:64298:9200"
+ image: "dtagdevsec/elasticsearch:2006"
+ volumes:
+ - /data:/data
+
+## Kibana service
+ kibana:
+ container_name: kibana
+ restart: always
+ depends_on:
+ elasticsearch:
+ condition: service_healthy
+ ports:
+ - "127.0.0.1:64296:5601"
+ image: "dtagdevsec/kibana:2006"
+
+## Logstash service
+ logstash:
+ container_name: logstash
+ restart: always
+# environment:
+# - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
+ depends_on:
+ elasticsearch:
+ condition: service_healthy
+ env_file:
+ - /opt/tpot/etc/compose/elk_environment
+ image: "dtagdevsec/logstash:2006"
+ volumes:
+ - /data:/data
+
+## Elasticsearch-head service
+ head:
+ container_name: head
+ restart: always
+ depends_on:
+ elasticsearch:
+ condition: service_healthy
+ ports:
+ - "127.0.0.1:64302:9100"
+ image: "dtagdevsec/head:2006"
+ read_only: true
+
+# Ewsposter service
+ ewsposter:
+ container_name: ewsposter
+ restart: always
+ networks:
+ - ewsposter_local
+ environment:
+ - EWS_HPFEEDS_ENABLE=false
+ - EWS_HPFEEDS_HOST=host
+ - EWS_HPFEEDS_PORT=port
+ - EWS_HPFEEDS_CHANNELS=channels
+ - EWS_HPFEEDS_IDENT=user
+ - EWS_HPFEEDS_SECRET=secret
+ - EWS_HPFEEDS_TLSCERT=false
+ - EWS_HPFEEDS_FORMAT=json
+ env_file:
+ - /opt/tpot/etc/compose/elk_environment
+ image: "dtagdevsec/ewsposter:2006"
+ 
volumes:
+ - /data:/data
+ - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+ nginx:
+ container_name: nginx
+ restart: always
+ environment:
+ ### If set to YES all changes within Heimdall will remain for the next start
+ ### Make sure to uncomment the corresponding volume statements below, or the setting will prevent a successful start of T-Pot.
+ - HEIMDALL_PERSIST=NO
+ tmpfs:
+ - /var/tmp/nginx/client_body
+ - /var/tmp/nginx/proxy
+ - /var/tmp/nginx/fastcgi
+ - /var/tmp/nginx/uwsgi
+ - /var/tmp/nginx/scgi
+ - /run
+ - /var/log/php7/
+ - /var/lib/nginx/tmp:uid=100,gid=82
+ - /var/lib/nginx/html/storage/logs:uid=100,gid=82
+ - /var/lib/nginx/html/storage/framework/views:uid=100,gid=82
+ network_mode: "host"
+ ports:
+ - "64297:64297"
+ - "127.0.0.1:64304:64304"
+ image: "dtagdevsec/nginx:2006"
+ read_only: true
+ volumes:
+ - /data/nginx/cert/:/etc/nginx/cert/:ro
+ - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+ - /data/nginx/log/:/var/log/nginx/
+ ### Enable the following volumes if you set HEIMDALL_PERSIST=YES
+ # - /data/nginx/heimdall/database:/var/lib/nginx/html/database
+ # - /data/nginx/heimdall/storage:/var/lib/nginx/html/storage
+
+# Spiderfoot service
+ spiderfoot:
+ container_name: spiderfoot
+ restart: always
+ networks:
+ - spiderfoot_local
+ ports:
+ - "127.0.0.1:64303:8080"
+ image: "dtagdevsec/spiderfoot:2006"
+ volumes:
+ - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
From 2ee2d08e5a96da3dd2c779bf506bd84e36c4ec0c Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Sat, 20 Nov 2021 13:11:12 +0000
Subject: [PATCH 10/12] rename
---
 etc/compose/mini.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/compose/mini.yml b/etc/compose/mini.yml
index 6fa694f7..d604ae03 100644
--- a/etc/compose/mini.yml
+++ b/etc/compose/mini.yml
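Review bot: The header comment of the new file says the ports sections feed iptables rules for NFQ (`honeytrap / glutton`), but this edition defines only a `honeytrap` service, so the text sends a reader looking for a glutton block that is not there; trim it to `# … setup iptables ACCEPT rules for NFQ (honeytrap)`. As in the standalone compose file, `honeypots_local` is declared without options, so the honeypots container — publishing the emulated `socks5` (`"1080:1080"`) and `httpproxy` (`"8080:8080"`) listeners on the host — keeps unrestricted egress; whether those emulations forward traffic is not visible here, so either note that they do not or restrict egress at the host firewall. The management ports of `cyberchef`, `elasticsearch`, `kibana`, `logstash`-side `head` and `spiderfoot` are correctly bound to `127.0.0.1`, consistent with the other editions.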
@@ -1,4 +1,4 @@
-# T-Pot (Collector)
+# T-Pot (Mini)
 # Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
 version: '2.3'
From ff1c12e8480edee6e454457f8c5b4d04ebd5deaf Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Tue, 30 Nov 2021 16:04:58 +0100
Subject: [PATCH 11/12] Disable FATT submissions for now
---
 docker/ews/dist/ews.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/ews/dist/ews.cfg b/docker/ews/dist/ews.cfg
index 79c0dcf9..8e6badad 100644
--- a/docker/ews/dist/ews.cfg
+++ b/docker/ews/dist/ews.cfg
@@ -134,7 +134,7 @@ nodeid = adbhoney-community-01
 logfile = /data/adbhoney/log/adbhoney.json
 [FATT]
-fatt = true
+fatt = false
 nodeid = fatt-community-01
 logfile = /data/fatt/log/fatt.log
From 5f29516197f80369e72c84b581da369bf840dbba Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Wed, 8 Dec 2021 23:55:13 +0000
Subject: [PATCH 12/12] tweaking
---
 docker/elk/logstash/Dockerfile | 7 ++++++-
 docker/elk/logstash/dist/http.conf | 19 +++++++++++++++++++
 docker/elk/logstash/dist/pipelines.yml | 4 ++++
 docker/elk/logstash/docker-compose.yml | 3 +++
 4 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 docker/elk/logstash/dist/http.conf
 create mode 100644 docker/elk/logstash/dist/pipelines.yml
diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile
index 26c9a568..72cf3fd2 100644
--- a/docker/elk/logstash/Dockerfile
+++ b/docker/elk/logstash/Dockerfile
@@ -31,7 +31,9 @@ RUN apk -U --no-cache add \
 # For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
 sed -i 's/! -x/! -e/g' /usr/share/logstash/bin/logstash.lib.sh && \
 /usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
+ /usr/share/logstash/bin/logstash-plugin install logstash-input-http && \
 /usr/share/logstash/bin/logstash-plugin install logstash-output-gelf && \
+ /usr/share/logstash/bin/logstash-plugin install logstash-output-http && \
 /usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
 #
 # Add and move files
@@ -40,6 +42,8 @@ RUN apk -U --no-cache add \
 chmod u+x /usr/bin/update.sh && \
 mkdir -p /etc/logstash/conf.d && \
 cp logstash.conf /etc/logstash/conf.d/ && \
+ cp http.conf /etc/logstash/conf.d/ && \
+ cp pipelines.yml /usr/share/logstash/config/pipelines.yml && \
 cp tpot_es_template.json /etc/logstash/ && \
 #
 # Setup user, groups and configs
@@ -60,4 +64,5 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
 # Start logstash
 #USER logstash:logstash
 #CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution --log.level debug
-CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
+#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
+CMD update.sh && exec /usr/share/logstash/bin/logstash --config.reload.automatic --java-execution
diff --git a/docker/elk/logstash/dist/http.conf b/docker/elk/logstash/dist/http.conf
new file mode 100644
index 00000000..43773654
--- /dev/null
+++ b/docker/elk/logstash/dist/http.conf
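Review bot: The container still starts as root: `#USER logstash:logstash` stays commented directly above the new `CMD` in the last hunk, and the `http` pipeline this series adds (via the `pipelines.yml` copied in the second hunk) binds port 80, which an unprivileged user could not do — so the port choice is what now blocks the `USER` switch. A high container port in `http.conf` (for example `port => "9080"`, a constructed value, with the compose mapping adjusted to match) would allow the stage to end with `USER logstash:logstash`; if root must stay, a comment next to the commented `USER` line saying why would stop the next reader from trying. In the first hunk the new `logstash-input-http` / `logstash-output-http` installs are unpinned like their neighbours, so a plugin release changes the image between builds; `logstash-plugin install --version <VERSION> logstash-input-http` is available if reproducibility is wanted, and the old `CMD` left as a comment should be dropped rather than kept as a third commented variant.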
@@ -0,0 +1,19 @@
+# Input section
+input {
+ http {
+ id => "tpot"
+ host => "0.0.0.0"
+ port => "80"
+ }
+}
+
+# Output section
+output {
+ elasticsearch {
+ hosts => ["elasticsearch:9200"]
+ # With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
+ index => "logstash-%{+YYYY.MM.dd}"
+ template => "/etc/logstash/tpot_es_template.json"
+ }
+
+}
diff --git a/docker/elk/logstash/dist/pipelines.yml b/docker/elk/logstash/dist/pipelines.yml
new file mode 100644
index 00000000..8dc23e85
--- /dev/null
+++ b/docker/elk/logstash/dist/pipelines.yml
@@ -0,0 +1,4 @@
+- pipeline.id: logstash
+ path.config: "/etc/logstash/conf.d/logstash.conf"
+- pipeline.id: http
+ path.config: "/etc/logstash/conf.d/http.conf"
diff --git a/docker/elk/logstash/docker-compose.yml b/docker/elk/logstash/docker-compose.yml
index ed94864b..8a044257 100644
--- a/docker/elk/logstash/docker-compose.yml
+++ b/docker/elk/logstash/docker-compose.yml
@@ -14,7 +14,10 @@ services:
 # condition: service_healthy
 env_file:
 - /opt/tpot/etc/compose/elk_environment
+ ports:
+ - "127.0.0.1:64305:80"
 image: "dtagdevsec/logstash:2006"
 volumes:
 - /data:/data
 # - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
+# - /root/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf
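Review bot: The new `http` input listens on `0.0.0.0:80` with no `user`/`password` and no TLS, and the output writes straight into the same daily `logstash-%{+YYYY.MM.dd}` index the file-based honeypot pipeline uses, so any client that can reach the container's port 80 can inject documents that are indistinguishable from real honeypot events in Kibana. The compose hunk maps it as `127.0.0.1:64305:80`, which keeps it off the host's external interfaces, but other containers on the same docker network reach port 80 directly. Set `user` and `password` on the input, supplying the values through `${VAR}` substitution from the `elk_environment` env file the service already loads rather than as literals, and add `tags => ["http_input"]` (or a separate index) so HTTP-submitted events can be told apart from file-ingested ones. The file also has no comment on what is expected to post here — sender, payload format — which the first line of the `# Input section` could state.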