Add go-pot honeypot

compose/tarpit.yml

@@ -0,0 +1,368 @@
+# T-Pot: TARPIT
+networks:
+  endlessh_local:
+  go-pot_local:
+  hellpot_local:
+  heralding_local:
+  spiderfoot_local:
+  ewsposter_local:
+
+services:
+
+#########################################
+#### DEV
+#########################################
+#### T-Pot Init - Never delete this!
+#########################################
+
+# T-Pot Init Service
+  tpotinit:
+    container_name: tpotinit
+    env_file:
+      - .env
+    restart: always
+    stop_grace_period: 60s
+    tmpfs:
+      - /tmp/etc:uid=2000,gid=2000
+      - /tmp/:uid=2000,gid=2000
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+    image: ${TPOT_REPO}/tpotinit:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+      - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro
+      - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole
+      - ${TPOT_DATA_PATH}:/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+
+##################
+#### Honeypots
+##################
+
+# Endlessh service
+  endlessh:
+    container_name: endlessh
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - endlessh_local
+    ports:
+     - "22:2222"
+    image: ${TPOT_REPO}/endlessh:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/endlessh/log:/var/log/endlessh
+
+# Go-pot service
+  go-pot:
+    container_name: go-pot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - go-pot_local
+    ports:
+      - "8080:8080"
+    image: ${TPOT_REPO}/go-pot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/go-pot/log:/opt/go-pot/log/
+
+# Hellpot service
+  hellpot:
+    container_name: hellpot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - hellpot_local
+    ports:
+     - "80:8080"
+    image: ${TPOT_REPO}/hellpot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/hellpot/log:/var/log/hellpot
+
+# Heralding service
+  heralding:
+    container_name: heralding
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /tmp/heralding:uid=2000,gid=2000
+    networks:
+     - heralding_local
+    ports:
+    # - "21:21"
+    # - "22:22"
+    # - "23:23"
+    # - "25:25"
+    # - "80:80"
+     - "110:110"
+     - "143:143"
+    # - "443:443"
+     - "465:465"
+     - "993:993"
+     - "995:995"
+    # - "3306:3306"
+    # - "3389:3389"
+     - "1080:1080"
+     - "5432:5432"
+     - "5900:5900"
+    image: ${TPOT_REPO}/heralding:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/heralding/log:/var/log/heralding
+
+
+
+##################
+#### NSM
+##################
+
+# Fatt service
+  fatt:
+    container_name: fatt
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/fatt:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/fatt/log:/opt/fatt/log
+
+# P0f service
+  p0f:
+    container_name: p0f
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    network_mode: "host"
+    image: ${TPOT_REPO}/p0f:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/p0f/log:/var/log/p0f
+
+# Suricata service
+  suricata:
+    container_name: suricata
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - OINKCODE=${OINKCODE:-OPEN} # Default to OPEN if unset or NULL (value provided by T-Pot .env)
+    # Loading external Rules from URL
+    # - FROMURL="https://username:password@yoururl.com|https://username:password@otherurl.com"
+    network_mode: "host"
+    cap_add:
+     - NET_ADMIN
+     - SYS_NICE
+     - NET_RAW
+    image: ${TPOT_REPO}/suricata:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/suricata/log:/var/log/suricata
+
+
+##################
+#### Tools 
+##################
+
+#### ELK
+## Elasticsearch service
+  elasticsearch:
+    container_name: elasticsearch
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - bootstrap.memory_lock=true
+     - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
+     - ES_TMPDIR=/tmp
+    cap_add:
+     - IPC_LOCK
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    mem_limit: 4g
+    ports:
+     - "127.0.0.1:64298:9200"
+    image: ${TPOT_REPO}/elasticsearch:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Kibana service
+  kibana:
+    container_name: kibana
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    mem_limit: 1g
+    ports:
+     - "127.0.0.1:64296:5601"
+    image: ${TPOT_REPO}/kibana:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Logstash service
+  logstash:
+    container_name: logstash
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - LS_JAVA_OPTS=-Xms1024m -Xmx1024m
+     - TPOT_TYPE=${TPOT_TYPE:-HIVE}
+     - TPOT_HIVE_USER=${TPOT_HIVE_USER}
+     - TPOT_HIVE_IP=${TPOT_HIVE_IP}
+     - LS_SSL_VERIFICATION=${LS_SSL_VERIFICATION:-full}
+    ports:
+     - "127.0.0.1:64305:64305"
+    mem_limit: 2g
+    image: ${TPOT_REPO}/logstash:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+
+## Map Redis Service
+  map_redis:
+    container_name: map_redis
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/redis:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+
+## Map Web Service
+  map_web:
+    container_name: map_web
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=AttackMapServer.py
+    stop_signal: SIGKILL
+    tty: true
+    ports:
+     - "127.0.0.1:64299:64299"
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+
+## Map Data Service
+  map_data:
+    container_name: map_data
+    restart: always
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    environment:
+     - MAP_COMMAND=DataServer_v2.py
+     - TPOT_ATTACKMAP_TEXT=${TPOT_ATTACKMAP_TEXT}
+     - TZ=${TPOT_ATTACKMAP_TEXT_TIMEZONE}
+    stop_signal: SIGKILL
+    tty: true
+    image: ${TPOT_REPO}/map:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+#### /ELK
+
+# Ewsposter service
+  ewsposter:
+    container_name: ewsposter
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - ewsposter_local
+    environment:
+     - EWS_HPFEEDS_ENABLE=false
+     - EWS_HPFEEDS_HOST=host
+     - EWS_HPFEEDS_PORT=port
+     - EWS_HPFEEDS_CHANNELS=channels
+     - EWS_HPFEEDS_IDENT=user
+     - EWS_HPFEEDS_SECRET=secret
+     - EWS_HPFEEDS_TLSCERT=false
+     - EWS_HPFEEDS_FORMAT=json
+    image: ${TPOT_REPO}/ewsposter:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}:/data
+     - ${TPOT_DATA_PATH}/ews/conf/ews.ip:/opt/ewsposter/ews.ip
+
+# Nginx service
+  nginx:
+    container_name: nginx
+    restart: always
+    environment:
+      - TPOT_OSTYPE=${TPOT_OSTYPE}
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    tmpfs:
+     - /var/tmp/nginx/client_body
+     - /var/tmp/nginx/proxy
+     - /var/tmp/nginx/fastcgi
+     - /var/tmp/nginx/uwsgi
+     - /var/tmp/nginx/scgi
+     - /run
+     - /var/lib/nginx/tmp:uid=100,gid=82
+    network_mode: "host"
+    ports:
+     - "64297:64297"
+    image: ${TPOT_REPO}/nginx:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/nginx/cert/:/etc/nginx/cert/:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/conf/lswebpasswd:/etc/nginx/lswebpasswd:ro
+     - ${TPOT_DATA_PATH}/nginx/log/:/var/log/nginx/
+
+# Spiderfoot service
+  spiderfoot:
+    container_name: spiderfoot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - spiderfoot_local
+    ports:
+     - "127.0.0.1:64303:8080"
+    image: ${TPOT_REPO}/spiderfoot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    volumes:
+     - ${TPOT_DATA_PATH}/spiderfoot:/home/spiderfoot/.spiderfoot

compose/tpot_services.yml

@@ -18,6 +18,7 @@ networks:
   elasticpot_local:
   endlessh_local:
   galah_local:
+  go-pot_local:
   hellpot_local:
   heralding_local:
   honeypots_local:
@@ -445,6 +446,23 @@ services:
      # - ${TPOT_DATA_PATH}/glutton/log:/var/log/glutton
      # - ${TPOT_DATA_PATH}/glutton/payloads:/opt/glutton/payloads
 
+# Go-pot service
+  go-pot:
+    container_name: go-pot
+    restart: always
+    depends_on:
+      tpotinit:
+        condition: service_healthy
+    networks:
+     - go-pot_local
+    ports:
+      - "8080:8080"
+    image: ${TPOT_REPO}/go-pot:${TPOT_VERSION}
+    pull_policy: ${TPOT_PULL_POLICY}
+    read_only: true
+    volumes:
+     - ${TPOT_DATA_PATH}/go-pot/log:/opt/go-pot/log/
+
 # Hellpot service
   hellpot:
     container_name: hellpot

docker/elk/logstash/dist/http_output.conf

@@ -113,6 +113,13 @@ input {
     type => "Glutton"
   }
 
+# Go-pot
+  file {
+    path => ["/data/go-pot/log/go-pot.json"]
+    codec => json
+    type => "Go-pot"
+  }
+
 # Hellpot
   file {
     path => ["/data/hellpot/log/hellpot.log"]
@@ -482,6 +489,16 @@ filter {
     }
   }
 
+# Go-pot
+  if [type] == "Go-pot" {
+    if ! [dest_port] {
+      drop {}
+    }
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Hellpot
   if [type] == "Hellpot" {
     date {

docker/elk/logstash/dist/logstash.conf

@@ -113,6 +113,13 @@ input {
     type => "Glutton"
   }
 
+# Go-pot
+  file {
+    path => ["/data/go-pot/log/go-pot.json"]
+    codec => json
+    type => "Go-pot"
+  }
+
 # Hellpot
   file {
     path => ["/data/hellpot/log/hellpot.log"]
@@ -474,6 +481,16 @@ filter {
     }
   }
 
+# Go-pot
+  if [type] == "Go-pot" {
+    if ! [dest_port] {
+      drop {}
+    }
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+  }
+
 # Glutton
   if [type] == "Glutton" {
     date {

docker/elk/map/Dockerfile

@@ -13,7 +13,7 @@ RUN apk --no-cache -U add \
 # Install from GitHub and setup
     mkdir -p /opt && \
     cd /opt/ && \
-    git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.2 && \
+    git clone https://github.com/t3chn0m4g3/t-pot-attack-map -b 2.2.3 && \
     cd t-pot-attack-map && \
     pip3 install --break-system-packages --upgrade pip && \
     pip3 install --break-system-packages -r requirements.txt && \

docker/go-pot/Dockerfile

@@ -0,0 +1,27 @@
+FROM golang:1.21-alpine AS builder
+RUN <<EOF
+apk -U add git
+mkdir -p /opt
+cd /opt
+git clone https://github.com/t3chn0m4g3/go-pot
+EOF
+WORKDIR /opt/go-pot
+#
+RUN go get github.com/ua-parser/uap-go/uaparser
+RUN go mod download
+RUN CGO_ENABLED=0 GOOS=linux go build -o /opt/go-pot/go-pot
+#
+FROM alpine:3.20
+#
+COPY --from=builder /opt/go-pot/go-pot /opt/go-pot/go-pot
+COPY --from=builder /opt/go-pot/config.yml /opt/go-pot/config.yml
+#
+# Setup user, groups and configs
+RUN <<EOF
+addgroup -g 2000 go-pot
+adduser -S -s /bin/ash -u 2000 -D -g 2000 go-pot
+EOF
+#
+WORKDIR /opt/go-pot
+CMD ["start", "--host", "0.0.0.0", "--config-file", "config.yml"]
+ENTRYPOINT ["./go-pot"]

docker/go-pot/docker-compose.yml

@@ -0,0 +1,20 @@
+networks:
+  go-pot_local:
+
+services:
+
+# Go-pot service
+  go-pot:
+    build: .
+    container_name: go-pot
+    restart: always
+#    cpu_count: 1
+#    cpus: 0.25
+    networks:
+     - go-pot_local
+    ports:
+      - "8080:8080"
+    image: dtagdevsec/go-pot:24.04
+    read_only: true
+    volumes:
+     - $HOME/tpotce/data/go-pot/log/:/opt/go-pot/log/

docker/tpotinit/dist/bin/clean.sh

@@ -206,7 +206,7 @@ fuGALAH () {
   chown tpot:tpot /data/galah/ -R
 }
 
-# Let's create a function to clean up and prepare glastopf data
+# Let's create a function to clean up and prepare glutton data
 fuGLUTTON () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
   mkdir -vp /data/glutton/{log,payloads}
@@ -214,6 +214,14 @@ fuGLUTTON () {
   chown tpot:tpot /data/glutton -R
 }
 
+# Let's create a function to clean up and prepare go-pot data
+fuGOPOT () {
+  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/go-pot/*; fi
+  mkdir -vp /data/go-pot/log
+  chmod 770 /data/go-pot -R
+  chown tpot:tpot /data/go-pot -R
+}
+
 # Let's create a function to clean up and prepare hellpot data
 fuHELLPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
@@ -392,6 +400,7 @@ fuENDLESSH
 fuFATT
 fuGALAH
 fuGLUTTON
+fuGOPOT
 fuHERALDING
 fuHELLPOT
 fuHONEYSAP

docker/tpotinit/dist/etc/logrotate/logrotate.conf

@@ -21,6 +21,7 @@
 /data/galah/log/*.json
 /data/glutton/log/*.log
 /data/glutton/log/*.err
+/data/go-pot/log/*.json
 /data/hellpot/log/*.log
 /data/heralding/log/*.log
 /data/heralding/log/*.csv