diff --git a/docker/ipphoney/Dockerfile b/docker/ipphoney/Dockerfile
new file mode 100644
index 00000000..dfad9560
--- /dev/null
+++ b/docker/ipphoney/Dockerfile
@@ -0,0 +1,48 @@
+FROM alpine:latest
+#
+# Include dist
+ADD dist/ /root/dist/
+#
+# Install packages
+RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+ apk -U add \
+ build-base \
+ ca-certificates \
+ git \
+ libcap \
+ libffi-dev \
+ openssl \
+ openssl-dev \
+ postgresql-dev \
+ py3-mysqlclient \
+ py3-requests \
+ py3-pip \
+ python3 \
+ python3-dev && \
+ mkdir -p /opt && \
+ cd /opt/ && \
+ git clone --depth=1 https://gitlab.com/bontchev/ipphoney.git/ && \
+ cd ipphoney && \
+ pip3 install -r requirements.txt && \
+ setcap cap_net_bind_service=+ep /usr/bin/python3.8 && \
+#
+# Setup user, groups and configs
+ addgroup -g 2000 ipphoney && \
+ adduser -S -H -s /bin/ash -u 2000 -D -g 2000 ipphoney && \
+ mv /root/dist/honeypot.cfg /opt/ipphoney/etc/ && \
+#
+# Clean up
+ apk del --purge build-base \
+ git \
+ libffi-dev \
+ openssl-dev \
+ postgresql-dev \
+ python3-dev && \
+ rm -rf /root/* && \
+ rm -rf /var/cache/apk/*
+#
+# Start ipphoney
+STOPSIGNAL SIGINT
+USER ipphoney:ipphoney
+WORKDIR /opt/ipphoney/
+CMD ["/usr/bin/python3","ipphoney.py"]
diff --git a/docker/ipphoney/dist/honeypot.cfg b/docker/ipphoney/dist/honeypot.cfg
new file mode 100644
index 00000000..5cbc8ddc
--- /dev/null
+++ b/docker/ipphoney/dist/honeypot.cfg
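Review bot: The `setcap cap_net_bind_service=+ep /usr/bin/python3.8` step hard-codes the interpreter path while the image starts from `FROM alpine:latest`, so the build aborts (setcap fails and the `&&` chain stops) as soon as the unpinned base ships a different Python minor, and the unpinned `git clone --depth=1` of the upstream default branch together with an unpinned `requirements.txt` means two builds of the same Dockerfile can yield different honeypot code. Pin the base to a specific Alpine release (or digest), check out a fixed upstream commit after the clone, and resolve the binary at build time instead of naming it: `setcap cap_net_bind_service=+ep "$(readlink -f /usr/bin/python3)"`. Note also that `rm -rf /root/*` does not match dot-directories, so the pip cache written under `/root/.cache` stays in the layer; `pip3 install --no-cache-dir -r requirements.txt` avoids that. `ADD dist/ /root/dist/` should be `COPY` since neither archive extraction nor a URL fetch is intended.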
@@ -0,0 +1,312 @@
+# DO NOT EDIT THIS FILE!
+# Changes to default files will be lost on update and are difficult to
+# manage and support.
+#
+# Please make any changes to system defaults by overriding them in
+# honeypot.cfg
+#
+# To override a specific setting, copy the name of the stanza and
+# setting to the file where you wish to override it.
+
+# ============================================================================
+# General Honeypot Options
+# ============================================================================
+[honeypot]
+
+# Sensor name is used to identify this honeypot instance. Used by the database
+# logging modules such as JSON.
+#
+# If not specified, the logging modules will instead use the host name of the
+# server as the sensor name.
+#
+# (default: the name of the local machine)
+#sensor_name = myhostname
+
+# Name of the web server on the simulated printer.
+#
+# (default: Lexmark_Web_Server)
+server_name = Lexmark_Web_Server
+
+# Directory where to save log files in.
+# Log files are .YYYY-MM-DD in that directory
+#
+# (default: log)
+log_path = log
+
+# Log file name
+#
+# (default: stdout)
+#log_filename =
+
+# Directory containing the response files
+#
+# (default: responses)
+#responses_dir = responses
+
+# Directory where to save downloaded artifacts in.
+#
+# (default: dl)
+#download_path = dl
+
+# Whether to save the files sent for printing
+# (default: true)
+#download_files = true
+
+# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
+# A value of 0 means no limit. If the file size is known to be too big from the start,
+# the file will not be stored on disk at all.
+#
+# (default: 0)
+#download_limit_size = 0
+
+# ============================================================================
+# Network Specific Options
+# ============================================================================
+
+# Port to listen for incoming connections.
+#
+# (default: 631)
+#listen_port = 631
+
+# Site to query for one's public IP address
+#
+# (default: https://ident.me)
+#public_ip_url = https://ident.me
+
+# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
+# IP address is obtained by querying public_ip_url
+#
+# (default: false)
+#report_public_ip = false
+
+
+# ============================================================================
+# Output Plugins
+# These provide an extensible mechanism to send audit log entries to third
+# parties. The audit entries contain information on clients connecting to
+# the honeypot.
+#
+# Output entries need to start with 'output_' and have the 'enabled' entry.
+# ============================================================================
+
+# CouchDB logging module
+#
+#[output_couch]
+#enabled = false
+#host = localhost
+#port = 5984
+#username = ipphoney
+#password = secret
+#database = ipphoney
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# Elasticsearch logging module
+#
+#[output_elastic]
+#enabled = false
+#host = localhost
+#port = 9200
+#index = ipphoney
+#
+# type has been deprecated since ES 6.0.0
+# use _doc which is the default type. See
+# https://stackoverflow.com/a/53688626 for
+# more information
+#
+#type = _doc
+#
+# set pipeline = geoip to map src_ip to
+# geo location data. You can use a custom
+# pipeline but you must ensure it exists
+# in elasticsearch.
+#
+#pipeline = geoip
+#
+# Authentication. When x-pack.security is enabled
+# in ES, default users have been created and requests
+# must be authenticated.
+#
+# Credentials
+#
+#username = ipphoney
+#password = secret
+#
+# TLS encryption. Communications between the client (ipphoney)
+# and the ES server should naturally be protected by encryption
+# if requests are authenticated (to prevent from man-in-the-middle
+# attacks). The following options are then paramount
+# if username and password are provided.
+#
+# use ssl/tls
+#ssl = true
+# verify SSL certificates
+#verify_certs = true
+# Path to trusted CA certs on disk
+#ca_certs = /path/to/cert/file/elastic_ca.crt
+
+# HPFeeds
+#
+# Note the lack of "s" at the end:
+[output_hpfeed]
+enabled = false
+#server = hpfeeds.mysite.org
+#tlscert = /path/to/tls/cert/file
+#port = 10000
+#identifier = abc123
+#secret = secret
+#channel = ipphoney
+
+# InfluxDB 2.0 logging module
+#
+#[output_influx2]
+#enabled = false
+#host = hostname
+#token = token
+#org = organization
+#bucket = ipphoney
+
+# JSON based logging module
+#
+[output_jsonlog]
+enabled = true
+logfile = log/ipphoney.json
+epoch_timestamp = false
+
+# MongoDB logging module
+#
+#[output_mongodb]
+#enabled = false
+#host = 127.0.0.1
+#port = 27017
+#username = ipphoney
+#password = secret
+#database = ipphoney
+# Note: .format(username, password, host, port, database) is done
+# on the following string; make sure that there are 5 placeholders ({}) in it
+#connection_string = mongodb://{}:{}@{}:{}/{}
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# MySQL logging module
+# Database structure for this module is supplied in docs/sql/mysql.sql
+#
+# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
+# MySQL logging requires an extra Python module: pip install mysql-python
+#
+#[output_mysql]
+#enabled = false
+#host = localhost
+#database = ipphoney
+#username = ipphoney
+#password = secret
+#port = 3306
+#debug = false
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# PostgreSQL logging module
+#
+#[output_postgres]
+#enabled = false
+#host = hostname
+#username = ipphoney
+#password = secret
+#port = 5432
+#database = ipphoney
+#debug = false
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# RedisDB logging module
+#
+#[output_redisdb]
+#enabled = false
+#host = 127.0.0.1
+#port = 6379
+# DB of the redis server. Defaults to 0
+#db = 0
+# Password of the redis server. Defaults to None
+#password = secret
+# Name of the list to push to or the channel to publish to. Required
+#keyname = ipphoney
+# Method to use when sending data to redis.
+# Can be one of [lpush, rpush, publish]. Defaults to lpush
+#send_method = lpush
+
+# SQLite3 logging module
+#
+# Logging to SQLite3 database. To init the database, use the script
+# docs/sql/sqlite3.sql:
+# sqlite3 < docs/sql/sqlite3.sql
+#
+#[output_sqlite]
+#enabled = false
+#debug = false
+#db_file = data/ipphoney.db
+# Whether to store geolocation data in the database
+#geoip = true
+# Location of the databases used for geolocation
+#geoip_citydb = data/GeoLite2-City.mmdb
+#geoip_asndb = data/GeoLite2-ASN.mmdb
+
+# Local Syslog output module
+#
+# This sends log messages to the local syslog daemon.
+#
+#[output_localsyslog]
+#enabled = false
+# Facility can be:
+# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
+#
+# default: USER
+#facility = USER
+
+# Text output
+# This writes audit log entries to a text file
+#
+#[output_textlog]
+#enabled = false
+#logfile = log/ipphoney.txt
+
+
+# TODO:
+
+# Rethinkdb output module
+#
+#[output_rethinkdblog]
+#enabled = false
+#host = 127.0.0.1
+#port = 28015
+#table = events
+#db = ipphoney
+#password =
+
+# InfluxDB logging module
+#
+#[output_influx]
+#enabled = false
+#host = 127.0.0.1
+#port = 8086
+#database_name = ipphoney
+#retention_policy_duration = 12w
+
+# Kafka logging module
+#
+#[output_kafka]
+#enabled = false
+#host = 127.0.0.1
+#port = 9092
+#topic = ipphoney
+
diff --git a/docker/ipphoney/docker-compose.yml b/docker/ipphoney/docker-compose.yml
new file mode 100644
index 00000000..69328fc0
--- /dev/null
+++ b/docker/ipphoney/docker-compose.yml
@@ -0,0 +1,20 @@
+version: '2.3'
+
+networks:
+ ipphoney_local:
+
+services:
+
+# Ipphoney service
+ ipphoney:
+ build: .
+ container_name: ipphoney
+ restart: always
+ networks:
+ - ipphoney_local
+ ports:
+ - "631:631"
+ image: "dtagdevsec/ipphoney:2006"
+ read_only: true
+ volumes:
+ - /data/ipphoney/log:/opt/ipphoney/log
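Review bot: The header `# DO NOT EDIT THIS FILE!` / `# Please make any changes to system defaults by overriding them in honeypot.cfg` is copied from a defaults template, but this file is itself installed as `/opt/ipphoney/etc/honeypot.cfg` by the Dockerfile's `mv`, so the instruction points at the very file it tells the operator not to edit. Replace the opening block with a comment stating that this is the deployed honeypot.cfg for the image and that per-deployment overrides belong here or in a file bind-mounted over it. It would also help to note next to `#report_public_ip = false` that enabling it makes the sensor perform an outbound request to `public_ip_url` (https://ident.me by default), which is an egress a honeypot operator may not want; as shipped the feature stays off, so this is documentation only.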
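Review bot: With `read_only: true` the only writable path inside the container is the `/opt/ipphoney/log` bind mount, yet the shipped honeypot.cfg leaves `download_files` at its documented default of true and `download_path` at `dl`, so — if ipphoney honors those defaults — storing print jobs under `/opt/ipphoney/dl` will fail at runtime (and even without `read_only`, `/opt/ipphoney` is cloned as root, so uid 2000 cannot create that directory). Either add a second volume, `- /data/ipphoney/dl:/opt/ipphoney/dl`, or set `download_files = false` explicitly in the config so the behaviour is deliberate. The host directories backing these mounts must also be writable by uid/gid 2000, because the Dockerfile switches to `USER ipphoney:ipphoney` and nothing in this compose file creates or chowns them; a one-line comment above `volumes:` stating that requirement would save operators a silent log loss.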