Numerous Changes - Multiple Conpot Honeypots Successful - See Full Desc.

Numerous changes completed to successfully have multiple Conpot Honeypots in operation

- Fix Dockerfile Build Failures by adding py-gevent and py-snmp to APK where required
- Build new dedicated images for Conpot via Default, Kamstrup and Guardian Templates
- Reconfigure IP Tables Rules
- Update all YML files with new configuration to download new Conpot images instead of T-Pot Default Conpot Image
- Configure Environment Variables in Docker Files for Image Builds
- Fix missing IPTable rule/configuration for 5060/udp for Dionaea
- Successfully tested via NMAP that ports 102, 161/udp, 502, 623/udp, 10001, 47808/udp, and 50100 are open and functioning correctly

KNOWN ISSUE:
Conpot data is not available on dashboard/visualisations due to changes required for Logstash configuration.
This commit is contained in:
UncleRaymondo 2018-03-13 13:36:09 +11:00
parent d18cad95dd
commit 85d23150b8
17 changed files with 91 additions and 95 deletions


@ -65,32 +65,11 @@ logrotate -s $mySTATUS $myCONF
}
# Let's create a function to clean up and prepare conpot data
fuCONPOT_DEFAULT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot_default/*; fi
mkdir -p /data/conpot_default/log
chmod 760 /data/conpot_default -R
chown tpot:tpot /data/conpot_default -R
}
fuCONPOT_KAMSTRUP () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot_kamstrup/*; fi
mkdir -p /data/conpot_kamstrup/log
chmod 760 /data/conpot_kamstrup -R
chown tpot:tpot /data/conpot_kamstrup -R
}
fuCONPOT_GUARDIANAST () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot_guardianast/*; fi
mkdir -p /data/conpot_guardianast/log
chmod 760 /data/conpot_guardianast -R
chown tpot:tpot /data/conpot_guardianast -R
}
fuCONPOT_IEC104 () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot_IEC104/*; fi
mkdir -p /data/conpot_IEC104/log
chmod 760 /data/conpot_IEC104 -R
chown tpot:tpot /data/conpot_IEC104 -R
fuCONPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
mkdir -p /data/conpot/log
chmod 760 /data/conpot -R
chown tpot:tpot /data/conpot -R
}
# Let's create a function to clean up and prepare cowrie data
@ -222,10 +201,7 @@ if [ "$myPERSISTENCE" = "on" ];
fuLOGROTATE
else
echo "Cleaning up and preparing data folders."
fuCONPOT_DEFAULT
fuCONPOT_KAMSTRUP
fuCONPOT_GUARDIANAST
fuCONPOT_IEC104
fuCONPOT
fuCOWRIE
fuDIONAEA
fuELASTICPOT
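Review bot: `chmod 760 /data/conpot -R` in the new fuCONPOT leaves no permission bits for "other" and the tree is then chowned to tpot:tpot, while the three compose services in this commit bind-mount `/data/conpot/log` as `/var/log/conpot`; if the conpot processes inside the containers run as the uid 2000 user the Dockerfiles create rather than as root (no USER line is visible in the hunks, so this is an assumption), every log write into the mount is denied unless tpot maps to uid 2000 on the host. That expectation is worth recording on the chmod line, e.g. `# 760: host user tpot owns the tree; the conpot containers write /var/log/conpot here, so tpot's uid must match the container user`. The old per-template trees (/data/conpot_default, /data/conpot_kamstrup, /data/conpot_guardianast, /data/conpot_IEC104) are no longer touched by any function, so existing installs keep stale copies unless a one-off cleanup is added. The second hunk in this file only swaps the call list and needs nothing further.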


@ -4,6 +4,9 @@ MAINTAINER MO
# Include dist
ADD dist/ /root/dist/
# Define Environment Variables
ENV CONPOT_TEMPLATE="default" CONPOT_LOG="/var/log/conpot/conpot_default.log" CONPOT_CONFIG="/etc/conpot/conpot_default.cfg"
# Setup apt
RUN apk -U add bash \
build-base \
@ -18,6 +21,8 @@ RUN apk -U add bash \
pkgconfig \
python \
python-dev \
py-gevent \
py-snmp \
py-cffi && \
# Setup ConPot
@ -32,9 +37,9 @@ RUN apk -U add bash \
# Setup user, groups and configs
addgroup -g 2000 conpot_default && \
adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_default && \
mkdir -p /etc/conpot_default /var/log/conpot_default && \
mv /root/dist/conpot_default.cfg /etc/conpot_default/conpot_default.cfg && \
mv /root/dist/default/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot_default/templates/default/ && \
mkdir -p /etc/conpot /var/log/conpot && \
mv /root/dist/conpot.cfg /etc/conpot/conpot_default.cfg && \
mv /root/dist/default/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/default/ && \
# Clean up
apk del build-base \
@ -51,4 +56,4 @@ RUN apk -U add bash \
rm -rf /var/cache/apk/*
# Run supervisor upon container start
CMD ["/usr/bin/conpot", "--template", "default", "--logfile", "/var/log/conpot_default/conpot_default.log", "--config", "/etc/conpot_default/conpot_default.cfg"]
CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG
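Review bot: The rewritten CMD switches from exec form to shell form, so the container's PID 1 becomes `/bin/sh -c` and conpot runs as its child; `docker stop` (and compose down) then delivers SIGTERM to the shell, which does not forward it, and the honeypot is SIGKILLed after the grace period instead of shutting down cleanly. The three `$CONPOT_*` expansions are also unquoted, so any value containing whitespace would split into extra arguments. Keeping the environment-driven command while restoring exec form is a one-line change: `CMD ["/bin/sh", "-c", "exec /usr/bin/conpot --template \"$CONPOT_TEMPLATE\" --logfile \"$CONPOT_LOG\" --config \"$CONPOT_CONFIG\""]`. The same CMD rewrite appears in the guardian_ast and kamstrup Dockerfiles in this commit.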


@ -10,7 +10,7 @@ group = conpot_default
[json]
enabled = True
filename = /var/log/conpot_default/conpot_default.json
filename = /var/log/conpot/conpot_default.json
[sqlite]
enabled = False


@ -1,6 +1,6 @@
gevent>=1.0
pysnmp==4.3.5
pysmi==0.1.3
pysnmp==4.4.4
pysmi==0.2.2
lxml
bottle
jinja2


@ -1,4 +1,4 @@
version: '2.1'
version: '2.0'
networks:
conpot_default_local:
@ -14,9 +14,10 @@ services:
ports:
- "102:102"
- "502:502"
- "2404:2404"
- "47808:47808"
- "623:623/udp"
- "47808:47808/udp"
- "161:161/udp"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_default:1710"
volumes:
- /data/conpot_default/log:/var/log/conpot_default
- /data/conpot/log:/var/log/conpot
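Review bot: The `image:` line now pulls `uncleraymondo/conpot_default:1710` from a personal Docker Hub namespace by mutable tag, replacing the upstream `dtagdevsec/conpot:1710`; on an internet-exposed honeypot host it is worth pinning by digest so that a later push to the same tag, or the account being compromised, cannot silently change what runs, e.g. `image: "uncleraymondo/conpot_default@sha256:<digest-from-docker-image-inspect>"`. The commented-out `# image: "dtagdevsec/conpot:1710"` line documents the origin, which is useful, but a one-line comment saying why the fork is used (the py-gevent/py-snmp build fix from the commit message) would stop the next reader from reverting it. The same image swap is made in the guardian_ast and kamstrup compose files and in both full tpot compose files in this commit.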


@ -4,6 +4,9 @@ MAINTAINER MO
# Include dist
ADD dist/ /root/dist/
# Define Environment Variables
ENV CONPOT_TEMPLATE="guardian_ast" CONPOT_LOG="/var/log/conpot/conpot_guardian_ast.log" CONPOT_CONFIG="/etc/conpot/conpot_guardian_ast.cfg"
# Setup apt
RUN apk -U add bash \
build-base \
@ -18,6 +21,8 @@ RUN apk -U add bash \
pkgconfig \
python \
python-dev \
py-gevent \
py-snmp \
py-cffi && \
# Setup ConPot
@ -32,9 +37,9 @@ RUN apk -U add bash \
# Setup user, groups and configs
addgroup -g 2000 conpot_guardian_ast && \
adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_guardian_ast && \
mkdir -p /etc/conpot_guardian_ast /var/log/conpot_guardian_ast && \
mv /root/dist/conpot_guardian_ast.cfg /etc/conpot_guardian_ast/conpot_guardian_ast.cfg && \
mv /root/dist/guardian_ast/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot_guardian_ast/templates/guardian_ast/ && \
mkdir -p /etc/conpot /var/log/conpot && \
mv /root/dist/conpot.cfg /etc/conpot/conpot_guardian_ast.cfg && \
mv /root/dist/guardian_ast/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/guardian_ast/ && \
# Clean up
apk del build-base \
@ -45,10 +50,10 @@ RUN apk -U add bash \
libxslt-dev \
mariadb-dev \
pkgconfig \
python-dev \
python-dev \
py-cffi && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Run supervisor upon container start
CMD ["/usr/bin/conpot", "--template", "guardian_ast", "--logfile", "/var/log/conpot_guardian_ast/conpot_guardian_ast.log", "--config", "/etc/conpot_guardian_ast/conpot_guardian_ast.cfg"]
CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG
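Review bot: The second hunk adds `py-gevent` and `py-snmp` to the apk install list, while the requirements.txt beside this Dockerfile is bumped in the same commit to `pysnmp==4.4.4` and `pysmi==0.2.2`; if the `# Setup ConPot` step (outside the visible hunks) still pip-installs that file, pysnmp is supplied by two package managers and whichever installs last wins, which makes the version actually loaded at runtime hard to reason about. Pick one source and record it on the apk line, e.g. `# py-gevent/py-snmp come from apk so the C extensions build on Alpine; requirements.txt must not re-pin them`. The same addition is made in the default and kamstrup Dockerfiles.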


@ -10,7 +10,7 @@ group = conpot_guardian_ast
[json]
enabled = True
filename = /var/log/conpot_guardian_ast/conpot_guardian_ast.json
filename = /var/log/conpot/conpot_guardian_ast.json
[sqlite]
enabled = False


@ -1,6 +1,6 @@
gevent>=1.0
pysnmp==4.3.5
pysmi==0.1.3
pysnmp==4.4.4
pysmi==0.2.2
lxml
bottle
jinja2


@ -1,4 +1,4 @@
version: '2.1'
version: '2.0'
networks:
conpot_guardianast_local:
@ -13,6 +13,7 @@ services:
- conpot_guardianast_local
ports:
- "10001:10001"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymodo/conpot_guardianast:1710"
volumes:
- /data/conpot_guardianast/log:/var/log/conpot_guardianast
- /data/conpot/log:/var/log/conpot
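Review bot: The new image reference `uncleraymodo/conpot_guardianast:1710` is missing the `n` in the namespace that every other compose file in this commit uses (`uncleraymondo/...` in the default and kamstrup files and in both full tpot compose files), so this standalone guardian_ast compose file will fail to pull — or, if someone later registers the misspelt name, pull an image from an unrelated account. Change it to `image: "uncleraymondo/conpot_guardianast:1710"`.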


@ -4,6 +4,9 @@ MAINTAINER MO
# Include dist
ADD dist/ /root/dist/
# Define Environment Variables
ENV CONPOT_TEMPLATE="kamstrup_382" CONPOT_LOG="/var/log/conpot/conpot_kamstrup.log" CONPOT_CONFIG="/etc/conpot/conpot_kamstrup.cfg"
# Setup apt
RUN apk -U add bash \
build-base \
@ -18,6 +21,8 @@ RUN apk -U add bash \
pkgconfig \
python \
python-dev \
py-gevent \
py-snmp \
py-cffi && \
# Setup ConPot
@ -32,9 +37,9 @@ RUN apk -U add bash \
# Setup user, groups and configs
addgroup -g 2000 conpot_kamstrup && \
adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_kamstrup && \
mkdir -p /etc/conpot_kamstrup /var/log/conpot_kamstrup && \
mv /root/dist/conpot_kamstrup.cfg /etc/conpot_kamstrup/conpot_kamstrup.cfg && \
mv /root/dist/kamstrup_382/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot_kamstrup/templates/kamstrup_382/ && \
mkdir -p /etc/conpot /var/log/conpot && \
mv /root/dist/conpot.cfg /etc/conpot/conpot_kamstrup.cfg && \
mv /root/dist/kamstrup_382/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/kamstrup_382/ && \
# Clean up
apk del build-base \
@ -45,10 +50,10 @@ RUN apk -U add bash \
libxslt-dev \
mariadb-dev \
pkgconfig \
python-dev \
python-dev \
py-cffi && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Run supervisor upon container start
CMD ["/usr/bin/conpot", "--template", "kamstrup_382", "--logfile", "/var/log/conpot_kamstrup/conpot_kamstrup.log", "--config", "/etc/conpot_kamstrup/conpot_kamstrup.cfg"]
CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG
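Review bot: The comment directly above the rewritten CMD still reads `# Run supervisor upon container start`, but the command starts conpot directly and is now driven by the ENV line added at the top of the file, so the comment is the natural place to say where the three values come from. Suggest `# Start conpot; template, logfile and config come from the CONPOT_* ENV values defined above`. The same stale comment sits above the CMD in the default and guardian_ast Dockerfiles.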


@ -10,7 +10,7 @@ group = conpot_kamstrup
[json]
enabled = True
filename = /var/log/conpot_kamstrup/conpot_kamstrup.json
filename = /var/log/conpot/conpot_kamstrup.json
[sqlite]
enabled = False


@ -1,6 +1,6 @@
gevent>=1.0
pysnmp==4.3.5
pysmi==0.1.3
pysnmp==4.4.4
pysmi==0.2.2
lxml
bottle
jinja2


@ -1,4 +1,4 @@
version: '2.1'
version: '2.0'
networks:
conpot_kamstrup_local:
@ -14,6 +14,7 @@ services:
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_kamstrup:1710"
volumes:
- /data/conpot_kamstrup/log:/var/log/conpot_kamstrup
- /data/conpot/log:/var/log/conpot


@ -29,9 +29,10 @@ services:
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_kamstrup:1710"
volumes:
- /data/conpot_kamstrup_local/log:/var/log/conpot_kamstrup_local
- /data/conpot/log:/var/log/conpot
# Conpot service - Default Template
conpot_default:
@ -42,12 +43,13 @@ services:
ports:
- "102:102"
- "502:502"
- "2404:2404"
- "47808:47808"
- "623:623/udp"
- "47808:47808/udp"
- "161:161/udp"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_default:1710"
volumes:
- /data/conpot_default_local/log:/var/log/conpot_default_local
- /data/conpot/log:/var/log/conpot
# Conpot service - Guardian AST Template
conpot_guardian_ast:
@ -57,9 +59,10 @@ services:
- conpot_guardian_ast_local
ports:
- "10001:10001"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_guardianast:1710"
volumes:
- /data/conpot_guardian_ast_local/log:/var/log/conpot_guardian_ast_local
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
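Review bot: All three conpot services now bind-mount the same host directory `/data/conpot/log` at `/var/log/conpot`, relying on the per-template filenames in each conpot cfg (`conpot_default.json`, `conpot_kamstrup.json`, `conpot_guardian_ast.json`) to keep the files apart. That works, but each container can then read and rewrite the other two honeypots' log files, so a compromise of any one container is enough to alter all conpot evidence; mounting a per-service subdirectory such as `- /data/conpot/log/default:/var/log/conpot` keeps the in-container paths and cfg filenames unchanged while isolating the writes. The tpot script would then need to create those subdirectories and the collector path list changed in this commit would need `/data/conpot/log/*/conpot_*.json`. The same shared mounts appear in the other full tpot compose file in this commit.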


@ -22,9 +22,10 @@ services:
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_kamstrup:1710"
volumes:
- /data/conpot_kamstrup_local/log:/var/log/conpot_kamstrup_local
- /data/conpot/log:/var/log/conpot
# Conpot service - Default Template
conpot_default:
@ -35,12 +36,13 @@ services:
ports:
- "102:102"
- "502:502"
- "2404:2404"
- "47808:47808"
- "623:623/udp"
- "47808:47808/udp"
- "161:161/udp"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_default:1710"
volumes:
- /data/conpot_default_local/log:/var/log/conpot_default_local
- /data/conpot/log:/var/log/conpot
# Conpot service - Guardian AST Template
conpot_guardian_ast:
@ -50,9 +52,10 @@ services:
- conpot_guardian_ast_local
ports:
- "10001:10001"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_guardianast:1710"
volumes:
- /data/conpot_guardian_ast_local/log:/var/log/conpot_guardian_ast_local
- /data/conpot/log:/var/log/conpot
# ELK services
## Elasticsearch service


@ -1,9 +1,5 @@
/data/conpot_default/log/conpot.json
/data/conpot_default/log/conpot.log
/data/conpot_kamstrup/log/conpot.json
/data/conpot_kamstrup/log/conpot.log
/data/conpot_guardianast/log/conpot.json
/data/conpot_guardianast/log/conpot.log
/data/conpot/log/conpot_*.json
/data/conpot/log/conpot_*.log
/data/cowrie/log/cowrie.json
/data/cowrie/log/cowrie-textlog.log
/data/cowrie/log/lastlog.txt


@ -37,8 +37,8 @@ ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 102,502,2404,10001,47808 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p udp -m multiport --dports 69,161,5060 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 102,502,10001 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p udp -m multiport --dports 69,161,623,5060,47808 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
# Compose T-Pot up
@ -48,14 +48,14 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
ExecStop=/usr/local/bin/docker-compose -f /opt/tpot/etc/tpot.yml down -v
# Remove only previously set iptables rules
ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p udp -m multiport --dports 69,161,623,5060,47808 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 102,502,10001 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
ExecStartPre=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 102,502,2404,10001,47808 -j ACCEPT
ExecStartPre=/sbin/iptables -w -D INPUT -p udp -m multiport --dports 69,161,5060 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
[Install]
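Review bot: The rewritten port lists (`102,502,10001` tcp and `69,161,623,5060,47808` udp) now appear twice in this unit, and each `-D` in ExecStopPost only removes a rule whose text matches its ExecStartPre twin exactly; the hunk rightly fixes the old stop rules that were prefixed `ExecStartPre=`, but nothing records that the lists must also mirror the `ports:` mappings in the conpot compose files, and a drift would leave an ACCEPT rule behind after stop or keep a port filtered while a container listens on it. A comment above the ExecStartPre block such as `# Keep the tcp/udp --dports lists identical to the ExecStopPost -D lines below and to the ports: in /opt/tpot/etc/tpot.yml` would make the coupling visible. Dropping 2404/tcp and 47808/tcp here matches the compose changes, so that part is consistent.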