From 2201e072f6b97f065cebd00aca9872f7b7739983 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Thu, 12 Mar 2020 16:02:43 +0000
Subject: [PATCH 01/12] testing honeysap

---
 docker/honeysap/Dockerfile | 39 +++++++
 docker/honeysap/dist/external_route_table.yml | 6 +
 docker/honeysap/dist/honeysap.yml | 103 ++++++++++++++++++
 docker/honeysap/docker-compose.yml | 20 ++++
 etc/compose/nextgen.yml | 15 +++
 5 files changed, 183 insertions(+)
 create mode 100644 docker/honeysap/Dockerfile
 create mode 100644 docker/honeysap/dist/external_route_table.yml
 create mode 100644 docker/honeysap/dist/honeysap.yml
 create mode 100644 docker/honeysap/docker-compose.yml

diff --git a/docker/honeysap/Dockerfile b/docker/honeysap/Dockerfile
new file mode 100644
index 00000000..d07e59d0
--- /dev/null
+++ b/docker/honeysap/Dockerfile
@@ -0,0 +1,39 @@
+FROM alpine:latest
+#
+# Include dist
+ADD dist/ /root/dist/
+#
+# Install packages
+RUN sed -i 's/dl-cdn/dl-2/g' /etc/apk/repositories && \
+ apk -U --no-cache add \
+ build-base \
+ git \
+ libcap \
+ python2 \
+ python2-dev \
+ py2-pip \
+ tcpdump && \
+#
+# Clone honeysap from git
+ git clone --depth=1 https://github.com/SecureAuthCorp/HoneySAP /opt/honeysap && \
+ cd /opt/honeysap && \
+ mkdir conf && \
+ cp /root/dist/* conf/ && \
+ python setup.py install && \
+ pip install -r requirements-optional.txt && \
+#
+# Setup user, groups and configs
+ addgroup -g 2000 honeysap && \
+ adduser -S -s /bin/ash -u 2000 -D -g 2000 honeysap && \
+ chown -R honeysap:honeysap /opt/honeysap && \
+# setcap cap_net_bind_service=+ep /opt/honeypy/env/bin/python && \
+#
+# Clean up
+ apk del --purge git && \
+ rm -rf /root/* \
+ /var/cache/apk/*
+#
+# Set workdir and start honeysap
+USER honeysap:honeysap
+WORKDIR /opt/honeysap
+CMD ["/opt/honeysap/bin/honeysap", "--config-file", "/opt/honeysap/conf/honeysap.yml"]
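Review bot: The cleanup step `apk del --purge git` leaves `build-base` and `python2-dev` in the runtime image although they are only needed for `python setup.py install` / `pip install`; unless something compiles extensions at runtime, extend it to `apk del --purge build-base git python2-dev` (tcpdump may be wanted for captures, so it is left out here). `FROM alpine:latest` together with the unpinned `pip install -r requirements-optional.txt` makes the image unreproducible; pin a release tag (e.g. `alpine:3.11`) and pin the versions in the requirements file. `ADD dist/ /root/dist/` copies plain local files, for which `COPY dist/ /root/dist/` is the conventional instruction. The commented `# setcap cap_net_bind_service=+ep /opt/honeypy/env/bin/python && \` names a HoneyPy path that does not exist in this image and should be deleted or corrected before anyone uncomments it. `adduser … -g 2000` passes `2000` as the GECOS field on BusyBox (`-G` selects the group); the account presumably still lands in gid 2000 through the `honeysap` group created just before, but `-G honeysap` states the intent.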
diff --git a/docker/honeysap/dist/external_route_table.yml b/docker/honeysap/dist/external_route_table.yml
new file mode 100644
index 00000000..be9e43fa
--- /dev/null
+++ b/docker/honeysap/dist/external_route_table.yml
@@ -0,0 +1,6 @@
+# HoneSAP default external profile route table
+# ============================================
+#
+
+# Allow any protocols to 10.0.0.100 port 3200
+- allow,any,10.0.0.100,3200,
diff --git a/docker/honeysap/dist/honeysap.yml b/docker/honeysap/dist/honeysap.yml
new file mode 100644
index 00000000..12d03e04
--- /dev/null
+++ b/docker/honeysap/dist/honeysap.yml
@@ -0,0 +1,103 @@
+# HoneSAP default external profile configuration
+# ==============================================
+
+# Console logging configuration
+# -----------------------------
+
+# Level of console logging
+verbose: 2
+
+# Use colored output
+colored_console: false
+
+
+# Miscellaneous configuration
+# ---------------------------
+
+# Enable reloading after a change in one of the configuration files
+reload: true
+
+# Address to listen for all services
+listener_address: 0.0.0.0
+
+
+# SAP instance configuration
+# --------------------------
+
+# Release version
+release: "720"
+
+
+# Services configuration
+# ----------------------
+
+services:
+ -
+ # SAP Router configuration
+ # ------------------------
+ service: SAPRouterService
+ alias: ExternalSAPRouter
+ enabled: yes
+ listener_port: 3299
+
+ # Router version number
+ router_version: 40
+
+ # Router patch version
+ router_version_patch: 4
+
+ # Password for information requests. If present it will be required
+ info_password:
+
+ # Wether the external administration would be enabled on this SAP Router
+ external_admin: false
+
+ # Route table file
+ route_table: !include external_route_table.yml
+
+ # Hostname for the SAP Router
+ hostname: saprouter
+
+ -
+ # SAP Dispatcher configuration
+ # ----------------------------
+ service: SAPDispatcherService
+ alias: InternalDispatcherService
+ enabled: yes
+ virtual: yes
+ listener_port: 3200
+ listener_address: 10.0.0.100
+
+ # Name of the instance
+ instance: NSP
+
+ # Client number
+ client_no: "001"
+
+ # SID
+ sid: PRD
+
+ # Hostname
+ hostname: uscasf-sap01
+
+
+# Feeds configuration
+# -------------------
+
+feeds:
+ -
+ feed: LogFeed
+ log_filename: log/honeysap-external.log
+ enabled: yes
+ -
+ feed: ConsoleFeed
+ enabled: yes
+ -
+ feed: HPFeed
+ channels:
+ - honeysap.events
+ feed_host: 10.250.250.20
+ feed_port: 20000
+ feed_ident: honeysap
+ feed_secret: password
+ enabled: no
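Review bot: `feed_secret: password` in the HPFeed block is a placeholder credential that the Dockerfile bakes into the image under `/opt/honeysap/conf/`; the feed is `enabled: no`, but whoever switches it on is likely to keep the literal. Leave it empty the way `info_password:` is, with a comment such as `feed_secret:  # supplied at deploy time via a mounted config, never committed`, so a real value never lands in the repository or an image layer. `log_filename: log/honeysap-external.log` is relative and only resolves to the bind-mounted `/opt/honeysap/log` because the Dockerfile sets `WORKDIR /opt/honeysap`; an absolute path removes that coupling. The two header comments spell the product `HoneSAP`.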
diff --git a/docker/honeysap/docker-compose.yml b/docker/honeysap/docker-compose.yml
new file mode 100644
index 00000000..34068edf
--- /dev/null
+++ b/docker/honeysap/docker-compose.yml
@@ -0,0 +1,20 @@
+version: '2.3'
+
+networks:
+ honeysap_local:
+
+services:
+
+# HoneySAP service
+ honeysap:
+ build: .
+ container_name: honeysap
+ restart: always
+ networks:
+ - honeysap_local
+ ports:
+ - "3299:3299"
+ - "8001:8001"
+ image: "dtagdevsec/honeysap:2006"
+ volumes:
+ - /data/honeysap/log:/opt/honeysap/log
diff --git a/etc/compose/nextgen.yml b/etc/compose/nextgen.yml
index a704247d..66de93dd 100644
--- a/etc/compose/nextgen.yml
+++ b/etc/compose/nextgen.yml
@@ -13,6 +13,7 @@ networks:
 cyberchef_local:
 heralding_local:
 honeypy_local:
+ honeysap_local:
 mailoney_local:
 medpot_local:
 rdpy_local:
@@ -274,6 +275,20 @@ services:
 volumes:
 - /data/honeypy/log:/opt/honeypy/log
 
+# HoneySAP service
+ honeysap:
+ build: .
+ container_name: honeysap
+ restart: always
+ networks:
+ - honeysap_local
+ ports:
+ - "3299:3299"
+ - "8001:8001"
+ image: "dtagdevsec/honeysap:2006"
+ volumes:
+ - /data/honeysap/log:/opt/honeysap/log
+
 # Mailoney service
 mailoney:
 container_name: mailoney
From 5badf352be6b92566743befe5c88aef9f2589cf0 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Sun, 15 Mar 2020 21:11:26 +0100
Subject: [PATCH 02/12] deal with changes in sid move to testing cockpit-docker removed upstream, remove here

---
 iso/installer/install.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/iso/installer/install.sh b/iso/installer/install.sh
index ddad6764..32d13d81 100755
--- a/iso/installer/install.sh
+++ b/iso/installer/install.sh
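Review bot: The `- "8001:8001"` mapping publishes a port nothing in this patch listens on: `dist/honeysap.yml` opens 3299 (SAPRouterService) and a virtual 3200 bound to 10.0.0.100, so unless HoneySAP serves 8001 outside that config the line should be dropped or replaced by the port actually exposed. The `/data/honeysap/log:/opt/honeysap/log` bind mount is written by uid 2000 (the `honeysap` user the Dockerfile switches to) while the image never creates `/opt/honeysap/log`; the host directory therefore has to exist with ownership or mode that lets uid 2000 create `honeysap-external.log`, or the LogFeed will presumably be unable to write.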
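Review bot: `build: .` in the second hunk was copied from `docker/honeysap/docker-compose.yml`, but a relative build context is resolved against the compose file's own directory, which for `etc/compose/nextgen.yml` is `etc/compose/` and not the honeysap build directory; the neighbouring mailoney block starts with `container_name:` and appears to rely on `image:` alone, so drop `build: .` and let `image: "dtagdevsec/honeysap:2006"` be pulled. The port-mapping remark on the standalone compose file (`"8001:8001"` without a listener) applies to this copy as well.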
@@ -14,17 +14,17 @@ myLSB_STABLE_SUPPORTED="stretch buster" myLSB_TESTING_SUPPORTED="sid" myREMOTESITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org" myPREINSTALLPACKAGES="aria2 apache2-utils cracklib-runtime curl dialog figlet fuse grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet" -myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" +myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" myINFO="\ ######################################## -### T-Pot Installer for Debian (Sid) ### +### T-Pot Installer for Debian (testing) ### ######################################## Disclaimer: This script will install T-Pot on this system. By running the script you know what you are doing: 1. 
SSH will be reconfigured to tcp/64295. -2. Your Debian installation will be upgraded to Sid / unstable. +2. Your Debian installation will be upgraded to testing. 3. Please ensure other means of access to this system in case something goes wrong. 4. At best this script will be executed on the console instead through a SSH session. @@ -283,15 +283,15 @@ function fuGET_DEPS { echo echo "### Determine fastest mirror for your location." echo - netselect-apt -n -a amd64 unstable && cp sources.list /etc/apt/ - mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c unstable) + netselect-apt -n -a amd64 testing && cp sources.list /etc/apt/ + mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c testing) if [ "$mySOURCESCHECK" == "0" ] then echo "### Automatic mirror selection failed, using main mirror." - # Point to Debian (Sid, unstable) + # Point to Debian (testing) tee /etc/apt/sources.list < Date: Sun, 15 Mar 2020 21:13:07 +0100 Subject: [PATCH 03/12] Update update.sh --- update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/update.sh b/update.sh index 9678a29b..7ecd1371 100755 --- a/update.sh +++ b/update.sh 
@@ -183,7 +183,7 @@ function fuUPDATER () {
 export DEBIAN_FRONTEND=noninteractive
 echo "### Installing apt-fast"
 /bin/bash -c "$(curl -sL https://raw.githubusercontent.com/ilikenwf/apt-fast/master/quick-install.sh)"
-local myPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-elasticsearch-curator python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
+local myPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-elasticsearch-curator python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
 echo "### Removing pip based install of elasticsearch-curator"
 pip3 uninstall elasticsearch-curator -y
 hash -r
From 1452ca4e4c0ade958f8000563ae6bd2c9a57d539 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Sun, 15 Mar 2020 21:24:42 +0100
Subject: [PATCH 04/12] Update install.sh

---
 iso/installer/install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
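Review bot: The line above the changed `myPACKAGES` assignment, `/bin/bash -c "$(curl -sL https://raw.githubusercontent.com/ilikenwf/apt-fast/master/quick-install.sh)"`, executes whatever `master` happens to serve on the day of the update, and because `-f` is absent a non-200 reply is handed to bash as well. Since the package bootstrap is being reworked here anyway, fetch the installer from a tagged commit with `curl -fsSL`, save it to a file, compare it against a SHA-256 recorded in the repo and run it only on a match. fuUPDATER's body continues outside the hunk.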
diff --git a/iso/installer/install.sh b/iso/installer/install.sh index 32d13d81..90aa7e59 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh @@ -11,7 +11,7 @@ myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80" mySITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org" myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml" myLSB_STABLE_SUPPORTED="stretch buster" -myLSB_TESTING_SUPPORTED="sid" +myLSB_TESTING_SUPPORTED="testing" myREMOTESITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org" myPREINSTALLPACKAGES="aria2 apache2-utils cracklib-runtime curl dialog figlet fuse grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet" myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" @@ -690,7 +690,7 @@ hash -r # Cloning T-Pot from GitHub fuBANNER "Cloning T-Pot" -git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot +git clone https://github.com/dtag-dev-sec/tpotce -b dev /opt/tpot # Let's create the T-Pot user fuBANNER "Create user" From 4409d9cdacb7fd7743be3728806036fe29531e83 Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Sun, 15 Mar 2020 21:25:44 +0100 Subject: [PATCH 05/12] Update tpot.seed --- iso/preseed/tpot.seed | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
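Review bot: `myLSB_TESTING_SUPPORTED="testing"` swaps a codename for a suite name while the sibling `myLSB_STABLE_SUPPORTED="stretch buster"` holds codenames; if the value is matched against `lsb_release` output (the comparison lies outside this hunk), a testing system's fields do not necessarily carry the literal `testing`, so the check may never match — please confirm how the variable is consumed. PATCH 12/12 later sets the same variable to `"stable"` with the same question and keeps the `TESTING` name for a stable value; a neutral name such as `myLSB_SUPPORTED` would read better there. The second hunk hardwires `-b dev` into the installer's `git clone`; if that is deliberate for this test cycle, a marker such as `# TESTING: clone dev branch, revert before release` above the line makes an accidental release harder.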
diff --git a/iso/preseed/tpot.seed b/iso/preseed/tpot.seed index 11f8b1a8..c344daf0 100755 --- a/iso/preseed/tpot.seed +++ b/iso/preseed/tpot.seed @@ -131,7 +131,7 @@ in-target apt-get -y install grub-pc; \ in-target grub-install --force $(debconf-get partman-auto/disk); \ update-dev; \ in-target update-grub; \ -in-target git clone --depth=1 https://github.com/dtag-dev-sec/tpotce /opt/tpot; \ +in-target git clone --depth=1 https://github.com/dtag-dev-sec/tpotce -b dev /opt/tpot; \ in-target sed -i 's/allow-hotplug/auto/g' /etc/network/interfaces; \ #in-target apt-get -y remove exim4-base; \ #in-target apt-get -y autoremove; \ From 6a1f4f9aea75b829e9cd5685827dd3a51290f784 Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Sun, 15 Mar 2020 21:27:33 +0100 Subject: [PATCH 06/12] Update update.sh --- update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/update.sh b/update.sh index 7ecd1371..cecdddba 100755 --- a/update.sh +++ b/update.sh @@ -63,7 +63,7 @@ function fuSELFUPDATE () { echo "###### $myBLUE""No updates found in repository.""$myWHITE" return fi - myRESULT=$(git diff --name-only origin/master | grep update.sh) + myRESULT=$(git diff --name-only origin/dev | grep update.sh) if [ "$myRESULT" == "update.sh" ]; then echo "###### $myBLUE""Found newer version, will be pulling updates and restart myself.""$myWHITE" From 140a3d22acb8deb6c51234840dfa897623946b59 Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Sun, 15 Mar 2020 21:28:46 +0100 Subject: [PATCH 07/12] Update update.sh --- update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/update.sh b/update.sh index cecdddba..3f51ab23 100755 --- a/update.sh +++ b/update.sh @@ -82,7 +82,7 @@ echo # Let's check for version function fuCHECK_VERSION () { local myMINVERSION="19.03.0" -local myMASTERVERSION="19.03.2" +local myMASTERVERSION="19.03.3" echo echo "### Checking for Release ID" myRELEASE=$(lsb_release -i | grep Debian -c) 
From cc70144c41233ec3bf2f970d3977fdc7e77865c4 Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Sun, 15 Mar 2020 21:29:10 +0100 Subject: [PATCH 08/12] Update version --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index 5298669f..b9d985e2 100644 --- a/version +++ b/version @@ -1 +1 @@ -19.03.2 +19.03.3 From 67e70780bf6eb1fe73f15a3acf1fd90b89cc45b8 Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Sun, 15 Mar 2020 21:10:28 +0000 Subject: [PATCH 09/12] tweaking for testing --- README.md | 14 +++++++------- iso/installer/install.sh | 10 +++++----- iso/isolinux/txt.cfg | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index fdf5e7aa..5fbdd2fd 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ ![T-Pot](doc/tpotsocial.png) -T-Pot 19.03 runs on Debian (Sid), is based heavily on +T-Pot 19.03 runs on Debian (Testing), is based heavily on [docker](https://www.docker.com/), [docker-compose](https://docs.docker.com/compose/) 
@@ -78,8 +78,8 @@ Furthermore we use the following tools # Release Notes -- **Move from Ubuntu 18.04 to Debian (Sid)** - - For almost 5 years Ubuntu LTS versions were our distributions of choice. Last year we made a design choice for T-Pot to be closer to a rolling release model and thus allowing us to issue smaller changes and releases in a more timely manner. The distribution of choice is Debian (Sid / unstable) which will provide us with the latest advancements in a Debian based distribution. +- **Move from Ubuntu 18.04 to Debian (Testing)** + - For almost 5 years Ubuntu LTS versions were our distributions of choice. Last year we made a design choice for T-Pot to be closer to a rolling release model and thus allowing us to issue smaller changes and releases in a more timely manner. The distribution of choice is Debian (Testing) which will provide us with the latest advancements in a Debian based distribution. - **Include HoneyPy honeypot** - *HoneyPy* is now included in the NEXTGEN installation type - **Include Suricata 4.1.3** 
@@ -119,7 +119,7 @@ Furthermore we use the following tools - **Fix #332** - If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used. - **Improve install speed with apt-fast** - - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package. + - Migrating from a stable base install to Debian (Testing) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package. - **HPFEEDS Opt-In commandline option** - Pass a hpfeeds config file as a commandline argument - hpfeeds config is saved in `/data/ews/conf/hpfeeds.cfg` @@ -133,7 +133,7 @@ Furthermore we use the following tools # Technical Concept -T-Pot is based on the network installer Debian (Stretch). During installation the whole system will be updated to Debian (Sid). +T-Pot is based on the network installer Debian (Stretch). During installation the whole system will be updated to Debian (Testing). The honeypot daemons as well as other support components being used have been containerized using [docker](http://docker.io). This allows us to run multiple honeypot daemons on the same network interface while maintaining a small footprint and constrain each honeypot within its own environment. 
@@ -302,7 +302,7 @@ In some cases it is necessary to install Debian 9.7 (Stretch) on your own: - Within your company you have to setup special policies, software etc. - You just like to stay on top of things. -The T-Pot Universal Installer will upgrade the system to Debian (Sid) and install all required T-Pot dependencies. +The T-Pot Universal Installer will upgrade the system to Debian (Testing) and install all required T-Pot dependencies. Just follow these steps: @@ -396,7 +396,7 @@ For the ones of you who want to live on the bleeding edge of T-Pot development w The Update script will: - **mercilessly** overwrite local changes to be in sync with the T-Pot master branch - - upgrade the system to the packages available in Debian (Sid) + - upgrade the system to the packages available in Debian (Testing) - update all resources to be in-sync with the T-Pot master branch - ensure all T-Pot relevant system files will be patched / copied into the original T-Pot state - restore your custom ews.cfg and HPFEED settings from `/data/ews/conf` diff --git a/iso/installer/install.sh b/iso/installer/install.sh index 90aa7e59..d9dd37b5 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh 
@@ -16,15 +16,15 @@ myREMOTESITES="https://hub.docker.com https://github.com https://pypi.python.org myPREINSTALLPACKAGES="aria2 apache2-utils cracklib-runtime curl dialog figlet fuse grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet" myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" myINFO="\ -######################################## -### T-Pot Installer for Debian (testing) ### -######################################## +############################################ +### T-Pot Installer for Debian (Testing) ### +############################################ Disclaimer: This script will install T-Pot on this system. By running the script you know what you are doing: 1. SSH will be reconfigured to tcp/64295. -2. Your Debian installation will be upgraded to testing. +2. Your Debian installation will be upgraded to Testing. 3. Please ensure other means of access to this system in case something goes wrong. 4. At best this script will be executed on the console instead through a SSH session. 
@@ -403,7 +403,7 @@ for i in "$@" echo " A configuration example is available in \"tpotce/iso/installer/tpot.conf.dist\"." echo echo "--type=<[user, auto, iso]>" - echo " user, use this if you want to manually install a T-Pot on a Debian (testing) machine." + echo " user, use this if you want to manually install a T-Pot on a Debian (Testing) machine." echo " auto, implied if a configuration file is passed as an argument for automatic deployment." echo " iso, use this if you are a T-Pot developer and want to install a T-Pot from a pre-compiled iso." echo diff --git a/iso/isolinux/txt.cfg b/iso/isolinux/txt.cfg index c6074097..75ef9b8e 100755 --- a/iso/isolinux/txt.cfg +++ b/iso/isolinux/txt.cfg @@ -1,6 +1,6 @@ default install label install - menu label ^T-Pot 19.03.1 (based on Debian Sid) + menu label ^T-Pot 19.03.3 (based on Debian Testing) menu default kernel linux append vga=788 initrd=initrd.gz console-setup/ask_detect=true -- From 80ee3cc5dd8437af03dba0110966195979aab278 Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Sun, 15 Mar 2020 21:24:01 +0000 Subject: [PATCH 10/12] update elasticdump install location --- iso/installer/install.sh | 2 +- update.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/iso/installer/install.sh b/iso/installer/install.sh index d9dd37b5..5104e902 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh @@ -684,7 +684,7 @@ echo "UseRoaming no" | tee -a /etc/ssh/ssh_config # Installing elasticdump, yq fuBANNER "Installing pkgs" -npm install https://github.com/taskrabbit/elasticsearch-dump -g +npm install elasticdump -g pip3 install yq hash -r diff --git a/update.sh b/update.sh index 3f51ab23..cd6030bf 100755 --- a/update.sh +++ b/update.sh 
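Review bot: `npm install elasticdump -g` pulls whatever version the registry serves at install time, so two installs can yield different elasticdump releases and a broken or compromised publish lands automatically; pin the tested version, `npm install elasticdump@<version> -g` with `<version>` filled in, and the same applies to the unpinned `pip3 install yq` on the following line. The update.sh hunk of this patch (`npm install elasticdump -g` inside fuUPDATER) has the same issue.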
@@ -199,7 +199,7 @@ echo "docker.io docker.io/restart boolean true" | debconf-set-selections - echo "debconf debconf/frontend select noninteractive" | debconf-set-selections -v apt-fast -y dist-upgrade -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes dpkg --configure -a -npm install "https://github.com/taskrabbit/elasticsearch-dump" -g +npm install elasticdump -g pip3 install --upgrade yq hash -r echo "### Removing and holding back problematic packages ..." From 21d48ca2bb20339b33357fe08dca4ce4cfff22bf Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Sun, 15 Mar 2020 21:55:10 +0000 Subject: [PATCH 11/12] remove honeysap for testing --- etc/compose/nextgen.yml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/etc/compose/nextgen.yml b/etc/compose/nextgen.yml index 66de93dd..a704247d 100644 --- a/etc/compose/nextgen.yml +++ b/etc/compose/nextgen.yml @@ -13,7 +13,6 @@ networks: cyberchef_local: heralding_local: honeypy_local: - honeysap_local: mailoney_local: medpot_local: rdpy_local: @@ -275,20 +274,6 @@ services: volumes: - /data/honeypy/log:/opt/honeypy/log -# HoneySAP service - honeysap: - build: . - container_name: honeysap - restart: always - networks: - - honeysap_local - ports: - - "3299:3299" - - "8001:8001" - image: "dtagdevsec/honeysap:2006" - volumes: - - /data/honeysap/log:/opt/honeysap/log - # Mailoney service mailoney: container_name: mailoney From 62aae45dd635791defe5e4f30b4431fc6dff2015 Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Mon, 16 Mar 2020 15:01:18 +0000 Subject: [PATCH 12/12] prepare for release 19.03.3 --- README.md | 63 +++------------------------------------- iso/installer/install.sh | 27 +++++++++-------- iso/isolinux/txt.cfg | 2 +- iso/preseed/tpot.seed | 2 +- update.sh | 2 +- 5 files changed, 20 insertions(+), 76 deletions(-) diff --git a/README.md b/README.md index 5fbdd2fd..897796e3 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ ![T-Pot](doc/tpotsocial.png) -T-Pot 19.03 runs on Debian (Testing), is based heavily on +T-Pot 19.03 runs on Debian (Stable), is based heavily on [docker](https://www.docker.com/), [docker-compose](https://docs.docker.com/compose/) @@ -43,7 +43,6 @@ Furthermore we use the following tools # Table of Contents -- [Changelog](#changelog) - [Technical Concept](#concept) - [System Requirements](#requirements) - [Installation](#installation) 
@@ -76,64 +75,10 @@ Furthermore we use the following tools - [Testimonial](#testimonial) - [Fun Fact](#funfact) - -# Release Notes -- **Move from Ubuntu 18.04 to Debian (Testing)** - - For almost 5 years Ubuntu LTS versions were our distributions of choice. Last year we made a design choice for T-Pot to be closer to a rolling release model and thus allowing us to issue smaller changes and releases in a more timely manner. The distribution of choice is Debian (Testing) which will provide us with the latest advancements in a Debian based distribution. -- **Include HoneyPy honeypot** - - *HoneyPy* is now included in the NEXTGEN installation type -- **Include Suricata 4.1.3** - - Building *Suricata 4.1.3* from scratch to enable JA3 and overall better protocol support. -- **Update tools to the latest versions** - - ELK Stack 6.6.2 - - CyberChef 8.27.0 - - SpiderFoot v3.0 - - Cockpit 188 - - NGINX is now built to enforce TLS 1.3 on the T-Pot WebUI -- **Update honeypots** - - Where possible / feasible the honeypots have been updated to their latest versions. - - *Cowrie* now supports *HASSH* generated hashes which allows for an easier identification of an attacker accross IP adresses. - - *Heralding* now supports *SOCKS5* emulation. -- **Update Dashboards & Visualizations** - - *Offset Dashboard* added to easily spot changes in attacks on a single dashboard in 24h time window. - - *Cowrie Dashboard* modified to integrate *HASSH* support / visualizations. - - *HoneyPy Dashboard* added to support latest honeypot addition. - - *Suricata Dashboard* modified to integrate *JA3* support / visualizations. -- **Debian mirror selection** - - During base install you now have to manually select a mirror. - - Upon T-Pot install the mirror closest to you will be determined automatically, `netselect-apt` requires you to allow ICMP outbound. - - This solves peering problems for most of the users speeding up installation and updates. 
-- **Bugs** - - Fixed issue #298 where the import and export of objects on the shell did not work. - - Fixed issue #313 where Spiderfoot raised a KeyError, which was previously fixed in upstream. - - Fixed error in Suricata where path for reference.config changed. -- **Release Cycle** - - As far as possible we will integrate changes now faster into the master branch, eliminating the need for monolithic releases. The update feature will be continuously improved on that behalf. However this might not account for all feature changes. -- **HPFEEDS Opt-In** - - If you want to share your T-Pot data with a 3rd party HPFEEDS broker such as you can do so by runnning `hpfeeds_optin.sh` on T-Pot. -- **Update Feature** - - For the ones who like to live on the bleeding edge of T-Pot development there is now an update script available in `/opt/tpot/update.sh`. - - This feature is beta and is mostly intended to provide you with the latest development advances without the need of reinstalling T-Pot. -- **Deprecated tools** - - *ctop* will no longer be part of T-Pot. -- **Fix #332** - - If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used. -- **Improve install speed with apt-fast** - - Migrating from a stable base install to Debian (Testing) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package. 
-- **HPFEEDS Opt-In commandline option** - - Pass a hpfeeds config file as a commandline argument - - hpfeeds config is saved in `/data/ews/conf/hpfeeds.cfg` - - Update script restores hpfeeds config -- **Ansible T-Pot Deployment** - - Transitioned from bash script to all Ansible - - Reusable Ansible Playbook for OpenStack clouds - - Example Showcase with our Open Telekom Cloud - - Adaptable for other cloud providers - # Technical Concept -T-Pot is based on the network installer Debian (Stretch). During installation the whole system will be updated to Debian (Testing). +T-Pot is based on the network installer Debian (Stable). The honeypot daemons as well as other support components being used have been containerized using [docker](http://docker.io). This allows us to run multiple honeypot daemons on the same network interface while maintaining a small footprint and constrain each honeypot within its own environment. @@ -302,7 +247,7 @@ In some cases it is necessary to install Debian 9.7 (Stretch) on your own: - Within your company you have to setup special policies, software etc. - You just like to stay on top of things. -The T-Pot Universal Installer will upgrade the system to Debian (Testing) and install all required T-Pot dependencies. +The T-Pot Universal Installer will upgrade the system and install all required T-Pot dependencies. Just follow these steps: @@ -396,7 +341,7 @@ For the ones of you who want to live on the bleeding edge of T-Pot development w The Update script will: - **mercilessly** overwrite local changes to be in sync with the T-Pot master branch - - upgrade the system to the packages available in Debian (Testing) + - upgrade the system to the packages available in Debian (Stable) - update all resources to be in-sync with the T-Pot master branch - ensure all T-Pot relevant system files will be patched / copied into the original T-Pot state - restore your custom ews.cfg and HPFEED settings from `/data/ews/conf` 
diff --git a/iso/installer/install.sh b/iso/installer/install.sh index 5104e902..018be713 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh 
@@ -11,22 +11,21 @@ myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80"
 mySITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org"
 myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml"
 myLSB_STABLE_SUPPORTED="stretch buster"
-myLSB_TESTING_SUPPORTED="testing"
+myLSB_TESTING_SUPPORTED="stable"
 myREMOTESITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org"
 myPREINSTALLPACKAGES="aria2 apache2-utils cracklib-runtime curl dialog figlet fuse grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet"
 myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
 myINFO="\
-############################################
-### T-Pot Installer for Debian (Testing) ###
-############################################
+###########################################
+### T-Pot Installer for Debian (Stable) ###
+###########################################
 Disclaimer:
 This script will install T-Pot on this system.
 By running the script you know what you are doing:
 1. SSH will be reconfigured to tcp/64295.
-2. Your Debian installation will be upgraded to Testing.
-3. Please ensure other means of access to this system in case something goes wrong.
-4. At best this script will be executed on the console instead through a SSH session.
+2. 
Please ensure other means of access to this system in case something goes wrong.
+3. At best this script will be executed on the console instead through a SSH session.
 ########################################
@@ -283,15 +282,15 @@ function fuGET_DEPS {
 echo
 echo "### Determine fastest mirror for your location."
 echo
- netselect-apt -n -a amd64 testing && cp sources.list /etc/apt/
- mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c testing)
+ netselect-apt -n -a amd64 stable && cp sources.list /etc/apt/
+ mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c stable)
 if [ "$mySOURCESCHECK" == "0" ]
 then
 echo "### Automatic mirror selection failed, using main mirror."
- # Point to Debian (testing)
+ # Point to Debian (stable)
 tee /etc/apt/sources.list <" - echo " user, use this if you want to manually install a T-Pot on a Debian (Testing) machine."
+ echo " user, use this if you want to manually install a T-Pot on a Debian (Stable) machine."
 echo " auto, implied if a configuration file is passed as an argument for automatic deployment."
 echo " iso, use this if you are a T-Pot developer and want to install a T-Pot from a pre-compiled iso."
 echo
@@ -690,7 +689,7 @@ hash -r
 # Cloning T-Pot from GitHub
 fuBANNER "Cloning T-Pot"
-git clone https://github.com/dtag-dev-sec/tpotce -b dev /opt/tpot
+git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot
 # Let's create the T-Pot user
 fuBANNER "Create user"
diff --git a/iso/isolinux/txt.cfg b/iso/isolinux/txt.cfg
index 75ef9b8e..80b7bcd3 100755
--- a/iso/isolinux/txt.cfg
+++ b/iso/isolinux/txt.cfg
@@ -1,6 +1,6 @@
 default install
 label install
- menu label ^T-Pot 19.03.3 (based on Debian Testing)
+ menu label ^T-Pot 19.03.3 (based on Debian Stable)
 menu default
 kernel linux
 append vga=788 initrd=initrd.gz console-setup/ask_detect=true --
diff --git a/iso/preseed/tpot.seed b/iso/preseed/tpot.seed
index c344daf0..11f8b1a8 100755
--- a/iso/preseed/tpot.seed
+++ b/iso/preseed/tpot.seed
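Review bot: `myLSB_TESTING_SUPPORTED="stable"` now holds a suite name while its sibling `myLSB_STABLE_SUPPORTED="stretch buster"` holds codenames, and the variable's name says the opposite of its value; if this variable is compared against `lsb_release -c` output (the check is outside the hunk), "stable" will never match because lsb_release reports the codename, so confirm that comparison and rename the variable, e.g. `mySUITE="stable"`, so the next reader is not misled. The rewritten disclaimer also drops the old item 2 about the system being upgraded, yet the README change in this same commit still states the installer "will upgrade the system"; keep a warning line such as `2. Your Debian installation will be upgraded to the current stable packages.` so an operator is told before packages on a live host are replaced. The `myINFO` string and the installer logic it precedes continue outside this hunk.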
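Review bot: `git clone https://github.com/dtag-dev-sec/tpotce /opt/tpot` now fetches whatever `master` holds at install time with no tag, commit or checksum pinned, so the code subsequently executed as root on the host is neither reproducible nor reviewable between two installs; since this is now the release branch, pin it — e.g. `git clone --depth=1 --branch 19.03.3 https://github.com/dtag-dev-sec/tpotce /opt/tpot` (the version is taken from the ISO menu label in this commit; confirm such a tag exists) — or at least record and verify the checked-out commit. The preseed clone in this commit uses `--depth=1` while this one does not; align the two. Unless the script runs under `set -e` (not visible here), a failed clone is also not checked, so an offline or rate-limited install continues into user creation with an empty /opt/tpot — consider appending `|| exit 1`. The installer body runs on outside this hunk.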
@@ -131,7 +131,7 @@ in-target apt-get -y install grub-pc; \
 in-target grub-install --force $(debconf-get partman-auto/disk); \
 update-dev; \
 in-target update-grub; \
-in-target git clone --depth=1 https://github.com/dtag-dev-sec/tpotce -b dev /opt/tpot; \
+in-target git clone --depth=1 https://github.com/dtag-dev-sec/tpotce /opt/tpot; \
 in-target sed -i 's/allow-hotplug/auto/g' /etc/network/interfaces; \
 #in-target apt-get -y remove exim4-base; \
 #in-target apt-get -y autoremove; \
diff --git a/update.sh b/update.sh
index cd6030bf..1b107313 100755
--- a/update.sh
+++ b/update.sh
@@ -63,7 +63,7 @@ function fuSELFUPDATE () {
 echo "###### $myBLUE""No updates found in repository.""$myWHITE"
 return
 fi
- myRESULT=$(git diff --name-only origin/dev | grep update.sh)
+ myRESULT=$(git diff --name-only origin/master | grep update.sh)
 if [ "$myRESULT" == "update.sh" ]; then
 echo "###### $myBLUE""Found newer version, will be pulling updates and restart myself.""$myWHITE"
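Review bot: `in-target git clone --depth=1 https://github.com/dtag-dev-sec/tpotce /opt/tpot; \` pins nothing, so an ISO built today installs whatever master holds at boot time rather than the release its menu label advertises; add `--branch <release-tag>` so the ISO and the code it deploys stay matched. Because this late_command list joins commands with `;`, a failed clone (no network during installation, GitHub unreachable) does not stop the chain: the following `sed` on /etc/network/interfaces still runs and the install completes without /opt/tpot — consider `... /opt/tpot || exit 1; \` if the preseed runner honors the exit status (confirm). The late_command list continues before and after this hunk.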
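Review bot: `grep update.sh` in the new `myRESULT=$(git diff --name-only origin/master | grep update.sh)` is an unanchored regex (`.` matches any character), so any changed path containing that pattern — a future `docker/foo/update.sh`, for instance — lands in `$myRESULT`, and the exact-string test `[ "$myRESULT" == "update.sh" ]` on the next line then fails on the multi-line result, silently skipping the self-update; use `grep -Fx update.sh` so only the top-level file matches. The switch to `origin/master` also means the self-update now pulls and re-executes code from the release branch as root without any tag or signature check — inherited rather than introduced here, but worth a comment on this line. fuSELFUPDATE starts before this hunk and its pull/re-exec logic follows it.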