Numerous Changes - Multiple Conpot Honeypots Successful - See Full Desc.

Numerous changes completed to successfully have multiple Conpot Honeypots in operation

- Fix Dockerfile Build Failures by adding py-gevent and py-snmp to APK where required
- Build new dedicated images for Conpot via Default, Kamstrup and Guardian Templates
- Reconfigure IP Tables Rules
- Update all YML files with new configuration to download new Conpot images instead of T-Pot Default Conpot Image
- Configure Environment Variables in Docker Files for Image Builds
- Fix missing IPTable rule/configuration for 5060/udp for Dionaea
- Successfully test via NMAP that ports 102, 161/udp, 502, 623/udp, 10001, 47808/udp, and 50100 are open and functioning correctly

KNOWN ISSUE:
Conpot data is not available on dashboard/visualisations due to changes required for Logstash configuration.

bin/clean.sh

@@ -65,32 +65,11 @@ logrotate -s $mySTATUS $myCONF
 }
 
 # Let's create a function to clean up and prepare conpot data
-fuCONPOT_DEFAULT () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot_default/*; fi
-  mkdir -p /data/conpot_default/log
-  chmod 760 /data/conpot_default -R
-  chown tpot:tpot /data/conpot_default -R
-}
-
-fuCONPOT_KAMSTRUP () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot_kamstrup/*; fi
-  mkdir -p /data/conpot_kamstrup/log
-  chmod 760 /data/conpot_kamstrup -R
-  chown tpot:tpot /data/conpot_kamstrup -R
-}
-
-fuCONPOT_GUARDIANAST () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot_guardianast/*; fi
-  mkdir -p /data/conpot_guardianast/log
-  chmod 760 /data/conpot_guardianast -R
-  chown tpot:tpot /data/conpot_guardianast -R
-}
-
-fuCONPOT_IEC104 () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot_IEC104/*; fi
-  mkdir -p /data/conpot_IEC104/log
-  chmod 760 /data/conpot_IEC104 -R
-  chown tpot:tpot /data/conpot_IEC104 -R
+fuCONPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
+  mkdir -p /data/conpot/log
+  chmod 760 /data/conpot -R
+  chown tpot:tpot /data/conpot -R
 }
 
 # Let's create a function to clean up and prepare cowrie data
@@ -222,10 +201,7 @@ if [ "$myPERSISTENCE" = "on" ];
     fuLOGROTATE
   else
     echo "Cleaning up and preparing data folders."
-    fuCONPOT_DEFAULT
-	fuCONPOT_KAMSTRUP
-	fuCONPOT_GUARDIANAST
-	fuCONPOT_IEC104
+    fuCONPOT
     fuCOWRIE
     fuDIONAEA
     fuELASTICPOT

docker/conpot_default/Dockerfile

@@ -4,6 +4,9 @@ MAINTAINER MO
 # Include dist
 ADD dist/ /root/dist/
 
+# Define Environment Variables
+ENV CONPOT_TEMPLATE="default" CONPOT_LOG="/var/log/conpot/conpot_default.log" CONPOT_CONFIG="/etc/conpot/conpot_default.cfg"
+
 # Setup apt
 RUN apk -U add bash \
                build-base \
@@ -18,6 +21,8 @@ RUN apk -U add bash \
                pkgconfig \
                python \
                python-dev \
+			   py-gevent \
+			   py-snmp \
                py-cffi && \
 
 # Setup ConPot
@@ -32,9 +37,9 @@ RUN apk -U add bash \
 # Setup user, groups and configs
     addgroup -g 2000 conpot_default && \
     adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_default && \
-    mkdir -p /etc/conpot_default /var/log/conpot_default && \
-    mv /root/dist/conpot_default.cfg /etc/conpot_default/conpot_default.cfg && \
-    mv /root/dist/default/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot_default/templates/default/ && \
+    mkdir -p /etc/conpot /var/log/conpot && \
+    mv /root/dist/conpot.cfg /etc/conpot/conpot_default.cfg && \
+    mv /root/dist/default/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/default/ && \
 
 # Clean up
     apk del build-base \
@@ -51,4 +56,4 @@ RUN apk -U add bash \
     rm -rf /var/cache/apk/*
 
 # Run supervisor upon container start
-CMD ["/usr/bin/conpot", "--template", "default", "--logfile", "/var/log/conpot_default/conpot_default.log", "--config", "/etc/conpot_default/conpot_default.cfg"]
+CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

docker/conpot_default/dist/conpot.cfg

@@ -10,7 +10,7 @@ group = conpot_default
 
 [json]
 enabled = True
-filename = /var/log/conpot_default/conpot_default.json
+filename = /var/log/conpot/conpot_default.json
 
 [sqlite]
 enabled = False

docker/conpot_default/dist/requirements.txt

@@ -1,6 +1,6 @@
 gevent>=1.0
-pysnmp==4.3.5
-pysmi==0.1.3
+pysnmp==4.4.4
+pysmi==0.2.2
 lxml
 bottle
 jinja2

docker/conpot_default/docker-compose.yml

@@ -1,4 +1,4 @@
-version: '2.1'
+version: '2.0'
 
 networks:
   conpot_default_local:
@@ -14,9 +14,10 @@ services:
     ports:
      - "102:102"
      - "502:502"
-     - "2404:2404"
-     - "47808:47808"
+     - "623:623/udp"
+     - "47808:47808/udp"
      - "161:161/udp"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymondo/conpot_default:1710"
     volumes:
-     - /data/conpot_default/log:/var/log/conpot_default
+     - /data/conpot/log:/var/log/conpot

docker/conpot_guardianast/Dockerfile

@@ -4,6 +4,9 @@ MAINTAINER MO
 # Include dist
 ADD dist/ /root/dist/
 
+# Define Environment Variables
+ENV CONPOT_TEMPLATE="guardian_ast" CONPOT_LOG="/var/log/conpot/conpot_guardian_ast.log" CONPOT_CONFIG="/etc/conpot/conpot_guardian_ast.cfg"
+
 # Setup apt
 RUN apk -U add bash \
                build-base \
@@ -18,6 +21,8 @@ RUN apk -U add bash \
                pkgconfig \
                python \
                python-dev \
+			   py-gevent \
+			   py-snmp \			   
                py-cffi && \
 
 # Setup ConPot
@@ -32,9 +37,9 @@ RUN apk -U add bash \
 # Setup user, groups and configs
     addgroup -g 2000 conpot_guardian_ast && \
     adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_guardian_ast && \
-    mkdir -p /etc/conpot_guardian_ast /var/log/conpot_guardian_ast && \
-    mv /root/dist/conpot_guardian_ast.cfg /etc/conpot_guardian_ast/conpot_guardian_ast.cfg && \
-    mv /root/dist/guardian_ast/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot_guardian_ast/templates/guardian_ast/ && \
+    mkdir -p /etc/conpot /var/log/conpot && \
+    mv /root/dist/conpot.cfg /etc/conpot/conpot_guardian_ast.cfg && \
+    mv /root/dist/guardian_ast/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/guardian_ast/ && \
 
 # Clean up
     apk del build-base \
@@ -51,4 +56,4 @@ RUN apk -U add bash \
     rm -rf /var/cache/apk/*
 
 # Run supervisor upon container start
-CMD ["/usr/bin/conpot", "--template", "guardian_ast", "--logfile", "/var/log/conpot_guardian_ast/conpot_guardian_ast.log", "--config", "/etc/conpot_guardian_ast/conpot_guardian_ast.cfg"]
+CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

docker/conpot_guardianast/dist/conpot.cfg

@@ -10,7 +10,7 @@ group = conpot_guardian_ast
 
 [json]
 enabled = True
-filename = /var/log/conpot_guardian_ast/conpot_guardian_ast.json
+filename = /var/log/conpot/conpot_guardian_ast.json
 
 [sqlite]
 enabled = False

docker/conpot_guardianast/dist/requirements.txt

@@ -1,6 +1,6 @@
 gevent>=1.0
-pysnmp==4.3.5
-pysmi==0.1.3
+pysnmp==4.4.4
+pysmi==0.2.2
 lxml
 bottle
 jinja2

docker/conpot_guardianast/docker-compose.yml

@@ -1,4 +1,4 @@
-version: '2.1'
+version: '2.0'
 
 networks:
   conpot_guardianast_local:
@@ -13,6 +13,7 @@ services:
      - conpot_guardianast_local
     ports:
      - "10001:10001"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymodo/conpot_guardianast:1710"
     volumes:
-     - /data/conpot_guardianast/log:/var/log/conpot_guardianast
+     - /data/conpot/log:/var/log/conpot

docker/conpot_kamstrup/Dockerfile

@@ -4,6 +4,9 @@ MAINTAINER MO
 # Include dist
 ADD dist/ /root/dist/
 
+# Define Environment Variables
+ENV CONPOT_TEMPLATE="kamstrup_382" CONPOT_LOG="/var/log/conpot/conpot_kamstrup.log" CONPOT_CONFIG="/etc/conpot/conpot_kamstrup.cfg"
+
 # Setup apt
 RUN apk -U add bash \
                build-base \
@@ -18,6 +21,8 @@ RUN apk -U add bash \
                pkgconfig \
                python \
                python-dev \
+			   py-gevent \
+			   py-snmp \			   
                py-cffi && \
 
 # Setup ConPot
@@ -32,9 +37,9 @@ RUN apk -U add bash \
 # Setup user, groups and configs
     addgroup -g 2000 conpot_kamstrup && \
     adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_kamstrup && \
-    mkdir -p /etc/conpot_kamstrup /var/log/conpot_kamstrup && \
-    mv /root/dist/conpot_kamstrup.cfg /etc/conpot_kamstrup/conpot_kamstrup.cfg && \
-    mv /root/dist/kamstrup_382/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot_kamstrup/templates/kamstrup_382/ && \
+    mkdir -p /etc/conpot /var/log/conpot && \
+    mv /root/dist/conpot.cfg /etc/conpot/conpot_kamstrup.cfg && \
+    mv /root/dist/kamstrup_382/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/kamstrup_382/ && \
 
 # Clean up
     apk del build-base \
@@ -51,4 +56,4 @@ RUN apk -U add bash \
     rm -rf /var/cache/apk/*
 
 # Run supervisor upon container start
-CMD ["/usr/bin/conpot", "--template", "kamstrup_382", "--logfile", "/var/log/conpot_kamstrup/conpot_kamstrup.log", "--config", "/etc/conpot_kamstrup/conpot_kamstrup.cfg"]
+CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

docker/conpot_kamstrup/dist/conpot.cfg

@@ -10,7 +10,7 @@ group = conpot_kamstrup
 
 [json]
 enabled = True
-filename = /var/log/conpot_kamstrup/conpot_kamstrup.json
+filename = /var/log/conpot/conpot_kamstrup.json
 
 [sqlite]
 enabled = False

docker/conpot_kamstrup/dist/requirements.txt

@@ -1,6 +1,6 @@
 gevent>=1.0
-pysnmp==4.3.5
-pysmi==0.1.3
+pysnmp==4.4.4
+pysmi==0.2.2
 lxml
 bottle
 jinja2

docker/conpot_kamstrup/docker-compose.yml

@@ -1,4 +1,4 @@
-version: '2.1'
+version: '2.0'
 
 networks:
   conpot_kamstrup_local:
@@ -14,6 +14,7 @@ services:
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymondo/conpot_kamstrup:1710"
     volumes:
-     - /data/conpot_kamstrup/log:/var/log/conpot_kamstrup
+     - /data/conpot/log:/var/log/conpot

etc/compose/all.yml

@@ -29,9 +29,10 @@ services:
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymondo/conpot_kamstrup:1710"
     volumes:
-     - /data/conpot_kamstrup_local/log:/var/log/conpot_kamstrup_local
+     - /data/conpot/log:/var/log/conpot
 
 # Conpot service - Default Template
   conpot_default:
@@ -42,12 +43,13 @@ services:
     ports:
      - "102:102"
      - "502:502"
-     - "2404:2404"
-     - "47808:47808"
+     - "623:623/udp"
+     - "47808:47808/udp"
      - "161:161/udp"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymondo/conpot_default:1710"
     volumes:
-     - /data/conpot_default_local/log:/var/log/conpot_default_local
+     - /data/conpot/log:/var/log/conpot
 
 # Conpot service - Guardian AST Template
   conpot_guardian_ast:
@@ -57,9 +59,10 @@ services:
      - conpot_guardian_ast_local
     ports:
      - "10001:10001"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymondo/conpot_guardianast:1710"
     volumes:
-     - /data/conpot_guardian_ast_local/log:/var/log/conpot_guardian_ast_local     
+     - /data/conpot/log:/var/log/conpot
      
 # Cowrie service
   cowrie:

etc/compose/industrial.yml

@@ -22,9 +22,10 @@ services:
     ports:
      - "1025:1025"
      - "50100:50100"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymondo/conpot_kamstrup:1710"
     volumes:
-     - /data/conpot_kamstrup_local/log:/var/log/conpot_kamstrup_local
+     - /data/conpot/log:/var/log/conpot
 
 # Conpot service - Default Template
   conpot_default:
@@ -35,12 +36,13 @@ services:
     ports:
      - "102:102"
      - "502:502"
-     - "2404:2404"
-     - "47808:47808"
+     - "623:623/udp"
+     - "47808:47808/udp"
      - "161:161/udp"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymondo/conpot_default:1710"
     volumes:
-     - /data/conpot_default_local/log:/var/log/conpot_default_local
+     - /data/conpot/log:/var/log/conpot
 
 # Conpot service - Guardian AST Template
   conpot_guardian_ast:
@@ -50,9 +52,10 @@ services:
      - conpot_guardian_ast_local
     ports:
      - "10001:10001"
-    image: "dtagdevsec/conpot:1710"
+#   image: "dtagdevsec/conpot:1710"
+    image: "uncleraymondo/conpot_guardianast:1710"
     volumes:
-     - /data/conpot_guardian_ast_local/log:/var/log/conpot_guardian_ast_local     
+     - /data/conpot/log:/var/log/conpot
 
 # ELK services
 ## Elasticsearch service

etc/logrotate/logrotate.conf

@@ -1,9 +1,5 @@
-/data/conpot_default/log/conpot.json
-/data/conpot_default/log/conpot.log
-/data/conpot_kamstrup/log/conpot.json
-/data/conpot_kamstrup/log/conpot.log
-/data/conpot_guardianast/log/conpot.json
-/data/conpot_guardianast/log/conpot.log
+/data/conpot/log/conpot_*.json
+/data/conpot/log/conpot_*.log
 /data/cowrie/log/cowrie.json
 /data/cowrie/log/cowrie-textlog.log
 /data/cowrie/log/lastlog.txt

host/etc/systemd/tpot.service

@@ -37,8 +37,8 @@ ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303
 ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
 ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
 ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 102,502,2404,10001,47808 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p udp -m multiport --dports 69,161,5060 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 102,502,10001 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p udp -m multiport --dports 69,161,623,5060,47808 -j ACCEPT
 ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 
 # Compose T-Pot up
@@ -48,14 +48,14 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
 ExecStop=/usr/local/bin/docker-compose -f /opt/tpot/etc/tpot.yml down -v
 
 # Remove only previously set iptables rules
-ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p udp -m multiport --dports 69,161,623,5060,47808 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 102,502,10001 -j ACCEPT
 ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 102,502,2404,10001,47808 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -D INPUT -p udp -m multiport --dports 69,161,5060 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
 ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 
 [Install]