start prepping for ipphoney

docker/ipphoney/Dockerfile

@@ -0,0 +1,48 @@
+FROM alpine:latest
+#
+# Include dist
+ADD dist/ /root/dist/
+#
+# Install packages
+RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+    apk -U add \
+             build-base \
+	     ca-certificates \
+             git \
+	     libcap \
+             libffi-dev \
+	     openssl \
+             openssl-dev \
+	     postgresql-dev \
+             py3-mysqlclient \
+             py3-requests \
+	     py3-pip \
+             python3 \
+             python3-dev && \
+    mkdir -p /opt && \
+    cd /opt/ && \
+    git clone --depth=1 https://gitlab.com/bontchev/ipphoney.git/ && \
+    cd ipphoney && \
+    pip3 install -r requirements.txt && \
+    setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+#
+# Setup user, groups and configs
+    addgroup -g 2000 ipphoney && \
+    adduser -S -H -s /bin/ash -u 2000 -D -g 2000 ipphoney && \
+    mv /root/dist/honeypot.cfg /opt/ipphoney/etc/ && \
+#
+# Clean up
+    apk del --purge build-base \
+                    git \
+                    libffi-dev \
+		    openssl-dev \
+		    postgresql-dev \
+		    python3-dev && \
+    rm -rf /root/* && \
+    rm -rf /var/cache/apk/*
+#
+# Start ipphoney
+STOPSIGNAL SIGINT
+USER ipphoney:ipphoney
+WORKDIR /opt/ipphoney/
+CMD ["/usr/bin/python3","ipphoney.py"]

docker/ipphoney/dist/honeypot.cfg

@@ -0,0 +1,312 @@
+# DO NOT EDIT THIS FILE!
+# Changes to default files will be lost on update and are difficult to
+# manage and support.
+#
+# Please make any changes to system defaults by overriding them in
+# honeypot.cfg
+#
+# To override a specific setting, copy the name of the stanza and
+# setting to the file where you wish to override it.
+
+# ============================================================================
+# General Honeypot Options
+# ============================================================================
+[honeypot]
+
+# Sensor name is used to identify this honeypot instance. Used by the database
+# logging modules such as JSON.
+#
+# If not specified, the logging modules will instead use the host name of the
+# server as the sensor name.
+#
+# (default: the name of the local machine)
+#sensor_name = myhostname
+
+# Name of the web server on the simulated printer.
+#
+# (default: Lexmark_Web_Server)
+server_name = Lexmark_Web_Server
+
+# Directory where to save log files in.
+# Log files are <log_filename>.YYYY-MM-DD in that directory
+#
+# (default: log)
+log_path = log
+
+# Log file name
+#
+# (default: stdout)
+#log_filename =
+
+# Directory containing the response files
+#
+# (default: responses)
+#responses_dir = responses
+
+# Directory where to save downloaded artifacts in.
+#
+# (default: dl)
+#download_path = dl
+
+# Whether to save the files sent for printing
+# (default: true)
+#download_files = true
+
+# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
+# A value of 0 means no limit. If the file size is known to be too big from the start,
+# the file will not be stored on disk at all.
+#
+# (default: 0)
+#download_limit_size = 0
+
+# ============================================================================
+# Network Specific Options
+# ============================================================================
+
+# Port to listen for incoming connections.
+#
+# (default: 631)
+#listen_port = 631
+
+# Site to query for one's public IP address
+#
+# (default: https://ident.me)
+#public_ip_url = https://ident.me
+
+# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
+# IP address is obtained by querying public_ip_url
+#
+# (default: false)
+#report_public_ip = false
+
+
+# ============================================================================
+# Output Plugins
+# These provide an extensible mechanism to send audit log entries to third
+# parties. The audit entries contain information on clients connecting to
+# the honeypot.
+#
+# Output entries need to start with 'output_' and have the 'enabled' entry.
+# ============================================================================
+
+# CouchDB logging module
+#
+#[output_couch]
+#enabled = false
+#host = localhost
+#port = 5984
+#username = ipphoney
+#password = secret
+#database = ipphoney
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# Elasticsearch logging module
+#
+#[output_elastic]
+#enabled = false
+#host = localhost
+#port = 9200
+#index = ipphoney
+#
+# type has been deprecated since ES 6.0.0
+# use _doc which is the default type. See
+# https://stackoverflow.com/a/53688626 for
+# more information
+#
+#type = _doc
+#
+# set pipeline = geoip to map src_ip to
+# geo location data. You can use a custom
+# pipeline but you must ensure it exists
+# in elasticsearch.
+#
+#pipeline = geoip
+#
+# Authentication. When x-pack.security is enabled
+# in ES, default users have been created and requests
+# must be authenticated.
+#
+# Credentials
+#
+#username = ipphoney
+#password = secret
+#
+# TLS encryption. Communications between the client (ipphoney) 
+# and the ES server should naturally be protected by encryption
+# if requests are authenticated (to prevent from man-in-the-middle 
+# attacks). The following options are then paramount
+# if username and password are provided.
+#
+# use ssl/tls
+#ssl = true
+# verify SSL certificates
+#verify_certs = true
+# Path to trusted CA certs on disk
+#ca_certs = /path/to/cert/file/elastic_ca.crt
+
+# HPFeeds
+#
+# Note the lack of "s" at the end:
+[output_hpfeed]
+enabled = false
+#server = hpfeeds.mysite.org
+#tlscert = /path/to/tls/cert/file
+#port = 10000
+#identifier = abc123
+#secret = secret
+#channel = ipphoney
+
+# InfluxDB 2.0 logging module
+#
+#[output_influx2]
+#enabled = false
+#host = hostname
+#token = token
+#org = organization
+#bucket = ipphoney
+
+# JSON based logging module
+#
+[output_jsonlog]
+enabled = true
+logfile = log/ipphoney.json
+epoch_timestamp = false
+
+# MongoDB logging module
+#
+#[output_mongodb]
+#enabled = false
+#host = 127.0.0.1
+#port = 27017
+#username = ipphoney
+#password = secret
+#database = ipphoney
+# Note: .format(username, password, host, port, database) is done
+#  on the following string; make sure that there are 5 placeholders ({}) in it
+#connection_string = mongodb://{}:{}@{}:{}/{}
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# MySQL logging module
+# Database structure for this module is supplied in docs/sql/mysql.sql
+#
+# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
+# MySQL logging requires an extra Python module: pip install mysql-python
+#
+#[output_mysql]
+#enabled = false
+#host = localhost
+#database = ipphoney
+#username = ipphoney
+#password = secret
+#port = 3306
+#debug = false
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# PostgreSQL logging module
+#
+#[output_postgres]
+#enabled = false
+#host = hostname
+#username = ipphoney
+#password = secret
+#port = 5432
+#database = ipphoney
+#debug = false
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# RedisDB logging module
+#
+#[output_redisdb]
+#enabled = false
+#host = 127.0.0.1
+#port = 6379
+# DB of the redis server. Defaults to 0
+#db = 0
+# Password of the redis server. Defaults to None
+#password = secret
+# Name of the list to push to or the channel to publish to. Required
+#keyname = ipphoney
+# Method to use when sending data to redis.
+# Can be one of [lpush, rpush, publish]. Defaults to lpush
+#send_method = lpush
+
+# SQLite3 logging module
+#
+# Logging to SQLite3 database. To init the database, use the script
+# docs/sql/sqlite3.sql:
+#     sqlite3 <db_file> < docs/sql/sqlite3.sql
+#
+#[output_sqlite]
+#enabled = false
+#debug = false
+#db_file = data/ipphoney.db
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# Local Syslog output module
+#
+# This sends log messages to the local syslog daemon.
+#
+#[output_localsyslog]
+#enabled = false
+# Facility can be:
+# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
+#
+# default: USER
+#facility = USER
+
+# Text output
+# This writes audit log entries to a text file
+#
+#[output_textlog]
+#enabled = false
+#logfile = log/ipphoney.txt
+
+
+# TODO:
+
+# Rethinkdb output module
+#
+#[output_rethinkdblog]
+#enabled = false
+#host = 127.0.0.1
+#port = 28015
+#table = events
+#db = ipphoney
+#password =
+
+# InfluxDB logging module
+#
+#[output_influx]
+#enabled = false
+#host = 127.0.0.1
+#port = 8086
+#database_name = ipphoney
+#retention_policy_duration = 12w
+
+# Kafka logging module
+#
+#[output_kafka]
+#enabled = false
+#host = 127.0.0.1
+#port = 9092
+#topic = ipphoney
+

docker/ipphoney/docker-compose.yml

@@ -0,0 +1,20 @@
+version: '2.3'
+
+networks:
+  ipphoney_local:
+
+services:
+
+# Ipphoney service
+  ipphoney:
+    build: .
+    container_name: ipphoney
+    restart: always
+    networks:
+     - ipphoney_local
+    ports:
+     - "631:631"
+    image: "dtagdevsec/ipphoney:2006"
+    read_only: true
+    volumes:
+     - /data/ipphoney/log:/opt/ipphoney/log