diff --git a/docker/ciscoasa/Dockerfile b/docker/ciscoasa/Dockerfile index 448dac29..6be4b00e 100644 --- a/docker/ciscoasa/Dockerfile +++ b/docker/ciscoasa/Dockerfile @@ -5,13 +5,11 @@ ADD dist/ /root/dist/ # Setup env and apt RUN apk -U upgrade && \ - apk add bash \ - build-base \ + apk add build-base \ git \ libffi-dev \ openssl-dev \ - python3-dev \ - procps && \ + python3-dev && \ # Setup user addgroup -g 2000 ciscoasa && \ @@ -34,9 +32,11 @@ RUN apk -U upgrade && \ python3-dev && \ apk add libffi \ openssl \ - python3 + python3 && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* -# Start elasticsearch-head +# Start ciscoasa WORKDIR /tmp/ciscoasa/ USER ciscoasa:ciscoasa CMD cp -R /opt/ciscoasa_honeypot/* /tmp/ciscoasa && exec python3 asa_server.py --enable_ssl --verbose >> /var/log/ciscoasa/ciscoasa.log 2>&1 diff --git a/docker/ciscoasa/docker-compose.yml b/docker/ciscoasa/docker-compose.yml index 227b1203..65ef87fe 100644 --- a/docker/ciscoasa/docker-compose.yml +++ b/docker/ciscoasa/docker-compose.yml @@ -1,5 +1,3 @@ -# T-Pot (Standard) -# For docker-compose ... version: '2.2' networks: diff --git a/docker/conpot/Dockerfile b/docker/conpot/Dockerfile index d7ce7d1c..361c075f 100644 --- a/docker/conpot/Dockerfile +++ b/docker/conpot/Dockerfile @@ -4,7 +4,7 @@ FROM alpine ADD dist/ /root/dist/ # Setup apt -RUN apk -U --no-cache add bash \ +RUN apk -U --no-cache add \ build-base \ cython-dev \ file \ @@ -51,7 +51,8 @@ RUN apk -U --no-cache add bash \ adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot && \ # Clean up - apk del --purge build-base \ + apk del --purge \ + build-base \ cython-dev \ file \ git \ diff --git a/docker/conpot/dist/conpot.bin b/docker/conpot/dist/conpot.bin deleted file mode 100644 index 5d6dea9e..00000000 --- a/docker/conpot/dist/conpot.bin +++ /dev/null 
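Review bot: Dropping `bash` from the package list is fine for the `CMD`, which is shell-form and therefore runs under `/bin/sh`, but the `adduser` line that follows `addgroup -g 2000 ciscoasa` is outside this hunk; if it sets `-s /bin/bash` the way the conpot Dockerfile in this same commit does, the ciscoasa account is left with a login shell that no longer exists in the image. Pointing it at `-s /sbin/nologin` (the process never needs an interactive shell) or `-s /bin/ash` keeps the account consistent with what the image actually ships.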
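Review bot: The added `rm -rf /root/*` at the end of this RUN neither shrinks the image nor removes `dist/` from it: `ADD dist/ /root/dist/` is a separate, earlier instruction, so its layer keeps every file and the later delete only hides the directory entry. Either copy what the build needs out of a build stage (`COPY --from=build ...`) or accept that anything under `dist/` ships in the published image, which means it must never hold credentials, keys or pre-generated certificates. The shell-form `CMD cp -R /opt/ciscoasa_honeypot/* /tmp/ciscoasa && exec python3 ...` does `exec`, so python becomes PID 1, but it depends on `/tmp/ciscoasa` and `/var/log/ciscoasa` being writable by uid 2000 at run time and nothing in this hunk creates or chowns them — presumably the compose file mounts them; a `mkdir -p /tmp/ciscoasa /var/log/ciscoasa && chown ciscoasa:ciscoasa /tmp/ciscoasa /var/log/ciscoasa` in this RUN would make the image self-contained.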
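Review bot: `adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot` keeps `/bin/bash` as the login shell while the first hunk of this file drops `bash` from the `apk add` list, so unless bash is re-added further down the (unseen) package list the account's shell now points at a binary that is not in the image. This is harmless for an exec-form CMD running under `USER conpot`, but it breaks `su - conpot` and `docker exec -u conpot` and is a latent inconsistency; `-s /sbin/nologin` (or `-s /bin/ash`, the choice the cowrie Dockerfile makes in this same commit) states the intent explicitly.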
@@ -1,5 +0,0 @@
-#!/usr/bin/python
-# EASY-INSTALL-SCRIPT: 'Conpot==0.5.1','conpot'
-__import__('gevent.monkey').monkey.patch_all()
-__requires__ = 'Conpot==0.5.1'
-__import__('pkg_resources').run_script('Conpot==0.5.1', 'conpot')
diff --git a/docker/cowrie/Dockerfile b/docker/cowrie/Dockerfile
index c68ae958..b1918bdb 100644
--- a/docker/cowrie/Dockerfile
+++ b/docker/cowrie/Dockerfile
@@ -4,52 +4,60 @@ FROM alpine ADD dist/ /root/dist/ # Get and install dependencies & packages -RUN apk -U upgrade && \ - apk add build-base \ - git \ - gmp-dev \ - libffi-dev \ - mpc1-dev \ - mpfr-dev \ - openssl-dev \ - procps \ - python \ - python-dev \ - py-mysqldb \ - py-pip \ - py-requests \ - py-setuptools && \ +RUN apk -U --no-cache add \ + build-base \ + git \ + gmp-dev \ + libcap \ + libffi-dev \ + mpc1-dev \ + mpfr-dev \ + openssl-dev \ + python \ + python-dev \ + py-mysqldb \ + py-pip \ + py-requests \ + py-setuptools && \ # Setup user addgroup -g 2000 cowrie && \ - adduser -S -s /bin/bash -u 2000 -D -g 2000 cowrie && \ + adduser -S -s /bin/ash -u 2000 -D -g 2000 cowrie && \ # Install cowrie from git - git clone https://github.com/micheloosterhof/cowrie.git /home/cowrie/cowrie/ && \ + git clone https://github.com/micheloosterhof/cowrie /home/cowrie/cowrie/ && \ cd /home/cowrie/cowrie && \ - pip install --no-cache-dir --upgrade cffi && \ - pip install --no-cache-dir -U -r requirements.txt && \ + pip install --no-cache-dir --upgrade cffi pip && \ + pip install --no-cache-dir --upgrade -r requirements.txt && \ -# Setup user, groups and configs +# Setup configs + setcap cap_net_bind_service=+ep /usr/bin/python2.7 && \ cp /root/dist/cowrie.cfg /home/cowrie/cowrie/cowrie.cfg && \ - cp /root/dist/userdb.txt /home/cowrie/cowrie/data/userdb.txt && \ - chown cowrie:cowrie -R /home/cowrie/* && \ + chown cowrie:cowrie -R /home/cowrie/* /usr/lib/python2.7/site-packages/twisted/plugins && \ + +# Start Cowrie once to prevent dropin.cache errors upon container start caused by read-only filesystem + su - cowrie -c "export PYTHONPATH=/home/cowrie/cowrie && \ + cd /home/cowrie/cowrie && \ + /usr/bin/twistd --uid=2000 --gid=2000 -y cowrie.tac --pidfile cowrie.pid cowrie &" && \ + sleep 10 && \ # Clean up - rm -rf /root/* && \ - apk del --purge git \ - py-pip \ - mpfr-dev \ - mpc1-dev \ - libffi-dev \ - build-base \ - py-mysqldb \ + apk del --purge build-base \ + git \ 
gmp-dev \ - python-dev && \ - rm -rf /var/cache/apk/* + libcap \ + libffi-dev \ + mpc1-dev \ + mpfr-dev \ + python-dev \ + py-mysqldb \ + py-pip && \ + rm -rf /root/* && \ + rm -rf /var/cache/apk/* && \ + rm -rf /home/cowrie/cowrie/cowrie.pid # Start cowrie ENV PYTHONPATH /home/cowrie/cowrie WORKDIR /home/cowrie/cowrie USER cowrie:cowrie -CMD ["/usr/bin/twistd", "--nodaemon", "-y", "cowrie.tac", "--pidfile", "var/run/cowrie.pid", "cowrie"] +CMD ["/usr/bin/twistd", "--nodaemon", "-y", "cowrie.tac", "--pidfile", "/tmp/cowrie/cowrie.pid", "cowrie"] diff --git a/docker/cowrie/dist/cowrie.cfg b/docker/cowrie/dist/cowrie.cfg index 1a3a03fa..2124f5e4 100644 --- a/docker/cowrie/dist/cowrie.cfg +++ b/docker/cowrie/dist/cowrie.cfg 
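Review bot: `setcap cap_net_bind_service=+ep /usr/bin/python2.7` grants the capability to every Python 2 process in the image rather than to cowrie alone, and the file xattr survives the later `apk del --purge libcap`; keeping cowrie on 2222/2223 with the `"22:2222"`/`"23:2223"` port mapping this commit removes from docker-compose.yml avoids the capability and the build-time `libcap` install entirely. The pre-start block (`su - cowrie -c "... twistd --uid=2000 --gid=2000 -y cowrie.tac ... &" && sleep 10`) backgrounds the honeypot during the build, so a failed start still produces a "successful" image without the dropin.cache it was meant to create, and any state cowrie writes on first start — presumably its SSH host keys under `etc/`, which the removed config comment says are generated when absent — is baked into the image layer and shared by every container built from it; the compose volume on `etc/` masks them at run time but they remain in the published layer, so they should be deleted next to `cowrie.pid` or generated under a path that is not in the image. `chown cowrie:cowrie -R ... /usr/lib/python2.7/site-packages/twisted/plugins` hands the honeypot uid write access to a system site-packages directory that twisted loads plugins from; that is only neutralised when the container runs with the compose file's `read_only: true`, so a comment stating that assumption would help anyone running the image directly. `git clone https://github.com/micheloosterhof/cowrie` and `pip install --no-cache-dir --upgrade -r requirements.txt` are both unpinned, so two builds of this Dockerfile can contain different honeypot code; pin with `git -C /home/cowrie/cowrie checkout <sha>` and a hash-pinned requirements file.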
@@ -1,472 +1,25 @@ -# -# Cowrie configuration file (cowrie.cfg) -# - -# ============================================================================ -# General Honeypot Options -# ============================================================================ [honeypot] - -# Sensor name is used to identify this Cowrie instance. Used by the database -# logging modules such as mysql. -# -# If not specified, the logging modules will instead use the IP address of the -# server as the sensor name. -# -# (default: not specified) -#sensor_name=t-pot - -# Hostname for the honeypot. Displayed by the shell prompt of the virtual -# environment -# -# (default: svr04) hostname = ubuntu - - -# Directory where to save log files in. -# -# (default: log) -log_path = log - - -# Directory where to save downloaded artifacts in. -# -# (default: dl) -download_path = dl - - -# Directory for miscellaneous data files, such as the password database. -# -# (default: data_path) -data_path = data - - -# Directory where virtual file contents are kept in. -# -# This is only used by commands like 'cat' to display the contents of files. -# Adding files here is not enough for them to appear in the honeypot - the -# actual virtual filesystem is kept in filesystem_file (see below) -# -# (default: honeyfs) -contents_path = honeyfs - - -# File in the Python pickle format containing the virtual filesystem. -# -# This includes the filenames, paths, permissions for the Cowrie filesystem, -# but not the file contents. This is created by the bin/createfs utility from -# a real template linux installation. -# -# (default: fs.pickle) -filesystem_file = data/fs.pickle - - -# Directory for creating simple commands that only output text. -# -# The command must be placed under this directory with the proper path, such -# as: -# txtcmds/usr/bin/vi -# The contents of the file will be the output of the command when run inside -# the honeypot. 
-# -# In addition to this, the file must exist in the virtual filesystem -# -# (default: txtcmds) -txtcmds_path = txtcmds - - -# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'. -# A value of 0 means no limit. If the file size is known to be too big from the start, -# the file will not be stored on disk at all. -# -# (default: 0) -#download_limit_size = 10485760 - - -# TTY logging will log a transcript of the complete terminal interaction in UML -# compatible format. -# (default: true) -ttylog = true - - - -# ============================================================================ -# Network Specific Options -# ============================================================================ - - -# IP address to bind to when opening outgoing connections. Used by wget and -# curl commands. -# -# (default: not specified) -#out_addr = 0.0.0.0 - - -# Fake address displayed as the address of the incoming connection. -# This doesn't affect logging, and is only used by honeypot commands such as -# 'w' and 'last' -# -# If not specified, the actual IP address is displayed instead (default -# behaviour). -# -# (default: not specified) -#fake_addr = 192.168.66.254 - - -# The IP address on which this machine is reachable on from the internet. -# Useful if you use portforwarding or other mechanisms. If empty, Cowrie -# will determine by itself. Used in 'netstat' output -# -#internet_facing_ip = 9.9.9.9 - - -# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1) -# IP address is obtained by querying http://myip.threatstream.com report_public_ip = true - - - -# ============================================================================ -# Authentication Specific Options -# ============================================================================ - - -# Class that implements the checklogin() method. -# -# Class must be defined in cowrie/core/auth.py -# Default is the 'UserDB' class which uses the password database. 
-# -# Alternatively the 'AuthRandom' class can be used, which will let -# a user login after a random number of attempts. -# It will also cache username/password combinations that allow login. -# -#auth_class = UserDB - -# When AuthRandom is used also set the -# auth_class_parameters: , , -# for example: 2, 5, 10 = allows access after randint(2,5) attempts -# and cache 10 combinations. -# auth_class = AuthRandom auth_class_parameters = 2, 5, 10 - - -# No authentication checking at all -# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method -# this allows the requested user in without any verification at all -# -# (default: false) -#auth_none_enabled = false - - - -# ============================================================================ -# Historical SSH Specific Options -# historical options in [honeypot] that have not yet been moved to [ssh] -# ============================================================================ - -# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) reported_ssh_port = 22 +data_path = /tmp/cowrie/data - - -# ============================================================================ -# SSH Specific Options -# ============================================================================ [ssh] - -# Enable SSH support -# (default: true) -enabled = true - - -# Public and private SSH key files. If these don't exist, they are created -# automatically. 
-rsa_public_key = etc/ssh_host_rsa_key.pub -rsa_private_key = etc/ssh_host_rsa_key -dsa_public_key = etc/ssh_host_dsa_key.pub -dsa_private_key = etc/ssh_host_dsa_key - -# SSH Version String -# -# Use these to disguise your honeypot from a simple SSH version scan -# Examples: -# SSH-2.0-OpenSSH_5.1p1 Debian-5 -# SSH-1.99-OpenSSH_4.3 -# SSH-1.99-OpenSSH_4.7 -# SSH-1.99-Sun_SSH_1.1 -# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1 -# SSH-2.0-OpenSSH_4.3 -# SSH-2.0-OpenSSH_4.6 -# SSH-2.0-OpenSSH_5.1p1 Debian-5 -# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901 -# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5 -# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6 -# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 -# SSH-2.0-OpenSSH_5.5p1 Debian-6 -# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1 -# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2 -# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 -# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 -# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 -# SSH-2.0-OpenSSH_5.9 -# -# (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2") version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 +listen_endpoints = tcp:22:interface=0.0.0.0 - -# IP addresses to listen for incoming SSH connections. -# -# (default: 0.0.0.0) = any IPv4 address -#listen_addr = 0.0.0.0 -# (use :: for listen to all IPv6 and IPv4 addresses) -#listen_addr = :: - - -# Port to listen for incoming SSH connections. -# -# (default: 2222) -#listen_port = 22 - - -# sftp_enabled enables the sftp subsystem -sftp_enabled = true - - -# Enable SSH direct-tcpip forwarding -# (default: true) -forwarding = true - - -# This enables redirecting forwarding requests to another address -# Useful for forwarding protocols to other honeypots -# (default: false) -forward_redirect = false - - -# Configure where to forward the data to. -# forward_redirect_ = : - -# Redirect http/https -forward_redirect_80 = 127.0.0.1:8000 -forward_redirect_443 = 127.0.0.1:8443 - -# To record SMTP traffic, install an SMTP honeypoint. 
-# (e.g https://github.com/awhitehatter/mailoney), run -# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525 -forward_redirect_25 = 127.0.0.1:12525 -forward_redirect_587 = 127.0.0.1:12525 - - - -# ============================================================================ -# Telnet Specific Options -# ============================================================================ [telnet] - -# Enable Telnet support, disabled by default enabled = true - -# IP addresses to listen for incoming Telnet connections. -# -# (default: 0.0.0.0) = any IPv4 address -#listen_addr = 0.0.0.0 -# (use :: for listen to all IPv6 and IPv4 addresses) -#listen_addr = :: - - -# Port to listen for incoming Telnet connections. -# -# (default: 2223) -#listen_port = 23 - -# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie) +listen_endpoints = tcp:23:interface=0.0.0.0 reported_port = 23 - - -# ============================================================================ -# Database logging Specific Options -# ============================================================================ - -# XMPP Logging -# Log to an xmpp server. -# -#[database_xmpp] -#server = sensors.carnivore.it -#user = anonymous@sensors.carnivore.it -#password = anonymous -#muc = dionaea.sensors.carnivore.it -#signal_createsession = cowrie-events -#signal_connectionlost = cowrie-events -#signal_loginfailed = cowrie-events -#signal_loginsucceeded = cowrie-events -#signal_command = cowrie-events -#signal_clientversion = cowrie-events -#debug=true - - - -# ============================================================================ -# Output Plugins -# These provide an extensible mechanism to send audit log entries to third -# parties. The audit entries contain information on clients connecting to -# the honeypot. 
-# ============================================================================ - - -# JSON based logging module -# [output_jsonlog] +enabled = true logfile = log/cowrie.json - -# Supports logging to Elasticsearch -# This is a simple early release -# -#[output_elasticsearch] -#host = localhost -#port = 9200 -#index = cowrie -#type = cowrie - - -# Send login attemp information to SANS DShield -# See https://isc.sans.edu/ssh.html -# You must signup for an api key. -# Once registered, find your details at: https://isc.sans.edu/myaccount.html -# -#[output_dshield] -#userid = userid_here -#auth_key = auth_key_here -#batch_size = 100 - - -# Local Syslog output module -# -# This sends log messages to the local syslog daemon. -# Facility can be: -# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7. -# -# Format can be: -# text, cef -# -#[output_localsyslog] -#facility = USER -#format = text - - -# Text output -# This writes audit log entries to a text file -# -# Format can be: -# text, cef -# [output_textlog] +enabled = false logfile = log/cowrie-textlog.log format = text - - -# MySQL logging module -# Database structure for this module is supplied in doc/sql/mysql.sql -# -# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev -# MySQL logging requires an extra Python module: pip install mysql-python -# -#[output_mysql] -#host = localhost -#database = cowrie -#username = cowrie -#password = secret -#port = 3306 -#debug = false - -# Rethinkdb output module -# Rethinkdb output module requires extra Python module: pip install rethinkdb - -#[output_rethinkdblog] -#host = 127.0.0.1 -#port = 28015 -#table = output -#password = -#db = cowrie - -# SQLite3 logging module -# -# Logging to SQLite3 database. 
To init the database, use the script -# doc/sql/sqlite3.sql: -# sqlite3 < doc/sql/sqlite3.sql -# -#[output_sqlite] -#db_file = cowrie.db - -# MongoDB logging module -# -# MongoDB logging requires an extra Python module: pip install pymongo -# -#[output_mongodb] -#connection_string = mongodb://username:password@host:port/database -#database = dbname - - -# Splunk SDK output module - Legacy. Requires Splunk API installed -# This sends logs directly to Splunk using the Python REST SDK -# -#[output_splunklegacy] -#host = localhost -#port = 8889 -#username = admin -#password = password -#index = cowrie - - -# Splunk HTTP Event Collector (HEC) output module -# Sends JSON directly to Splunk over HTTPS -# mandatory fields: url, token -# optional fields: index, source, sourcetype, host -# -#[output_splunk] -#url = https://localhost:8088/services/collector/event -#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8 -#index = cowrie -#sourcetype = cowrie -#source = cowrie - - -# HPFeeds -# -#[output_hpfeeds] -#server = hpfeeds.mysite.org -#port = 10000 -#identifier = abc123 -#secret = secret -#debug=false - - -# VirusTotal output module -# You must signup for an api key. -# -#[output_virustotal] -#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -# - -#[output_slack] -# This will produce a _lot_ of messages - you have been warned.... -#channel = channel_that_events_should_be_posted_in -#token = slack_token_for_your_bot -##debug=true - - -# https://csirtg.io -# You must signup for an api key. -# -#[output_csirtg] -#username=wes -#feed=scanners -#description=random scanning activity -#token=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef - - -#[output_socketlog] -#address = 127.0.0.1:9000 -#timeout = 5 diff --git a/docker/cowrie/dist/userdb.txt b/docker/cowrie/dist/userdb.txt deleted file mode 100644 index ca66dff4..00000000 --- a/docker/cowrie/dist/userdb.txt +++ /dev/null @@ -1 +0,0 @@ -root:0:password 
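Review bot: Every option the trimmed config no longer states — `sftp_enabled`, `forwarding`, `forward_redirect`, `download_limit_size`, `ttylog`, the `rsa_*`/`dsa_*` key paths — now comes from the defaults of whichever cowrie commit the unpinned `git clone` in the Dockerfile happens to fetch, so the sensor's exposure can change on a rebuild without this file changing. The settings that bound what an attacker can make the honeypot do deserve to be explicit here, e.g. `download_limit_size = 10485760` under `[honeypot]` (the removed comment documents that the default 0 means no limit, so uploads can fill the `dl` volume unbounded) and `forwarding`/`sftp_enabled` under `[ssh]` with whichever values T-Pot intends. `report_public_ip = true` also keeps the start-up lookup against the plain-HTTP service named in the removed comment; a one-line comment that this outbound call is deliberate stops it being mistaken for a beacon in egress monitoring.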
diff --git a/docker/cowrie/docker-compose.yml b/docker/cowrie/docker-compose.yml index 48dd8a31..9e77a102 100644 --- a/docker/cowrie/docker-compose.yml +++ b/docker/cowrie/docker-compose.yml @@ -1,5 +1,3 @@ -# T-Pot (Standard) -# For docker-compose ... version: '2.2' networks: @@ -12,12 +10,16 @@ services: build: . container_name: cowrie restart: always + tmpfs: + - /tmp/cowrie:uid=2000,gid=2000 + - /tmp/cowrie/data:uid=2000,gid=2000 networks: - cowrie_local ports: - - "22:2222" - - "23:2223" + - "22:22" + - "23:23" image: "dtagdevsec/cowrie:1804" + read_only: true volumes: - /data/cowrie/downloads:/home/cowrie/cowrie/dl - /data/cowrie/keys:/home/cowrie/cowrie/etc diff --git a/docker/elk/docker-compose.yml b/docker/elk/docker-compose.yml index 41982e52..3019cab0 100644 --- a/docker/elk/docker-compose.yml +++ b/docker/elk/docker-compose.yml @@ -7,6 +7,7 @@ services: # ELK services ## Elasticsearch service elasticsearch: + build: elasticsearch/. container_name: elasticsearch restart: always environment: @@ -30,6 +31,7 @@ services: ## Kibana service kibana: + build: kibana/. container_name: kibana restart: always stop_signal: SIGKILL @@ -42,6 +44,7 @@ services: ## Logstash service logstash: + build: logstash/. container_name: logstash restart: always depends_on: @@ -57,6 +60,7 @@ services: ## Elasticsearch-head service head: + build: head/. container_name: head restart: always depends_on: diff --git a/docker/elk/logstash/Dockerfile b/docker/elk/logstash/Dockerfile index 06508007..ee29daa9 100644 --- a/docker/elk/logstash/Dockerfile +++ b/docker/elk/logstash/Dockerfile 
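Review bot: Neither tmpfs entry sets a `size=`, so with `read_only: true` the only writable paths cowrie has are unbounded RAM-backed mounts; whatever the honeypot writes there is attacker-driven, and a cap such as `- /tmp/cowrie:uid=2000,gid=2000,size=64m` costs nothing and keeps a runaway write from eating host memory. The second entry, `/tmp/cowrie/data`, is mounted inside the first and adds nothing the outer tmpfs does not already provide, so it can be dropped unless a separate limit for the data directory is wanted. Changing the mapping from `"22:2222"` to `"22:22"` is what forces the container to bind privileged ports and thus the `setcap` on the interpreter in the Dockerfile; keeping `"22:2222"`/`"23:2223"` with cowrie's listeners on 2222/2223 gives the same external ports without the capability.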
@@ -5,17 +5,17 @@ ADD dist/ /root/dist/ # Setup env and apt RUN apk -U upgrade && \ - apk add bash \ - curl \ - git \ - libc6-compat \ - libzmq \ - openjdk8-jre \ - procps \ - wget && \ + apk --no-cache add \ + bash \ + curl \ + git \ + libc6-compat \ + libzmq \ + openjdk8-jre \ + wget && \ # Get and install packages - git clone https://github.com/dtag-dev-sec/listbot /etc/listbot && \ + git clone --depth=1 https://github.com/dtag-dev-sec/listbot /etc/listbot && \ cd /root/dist/ && \ mkdir -p /usr/share/logstash/ && \ wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.4.tar.gz && \ @@ -42,11 +42,13 @@ RUN apk -U upgrade && \ # Clean up apk del --purge wget && \ - rm -rf /root/* + rm -rf /root/* && \ + rm -rf /var/cache/apk/* # Healthcheck HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600' # Start logstash #USER logstash:logstash -CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf +#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf +CMD exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf diff --git a/docker/elk/logstash/dist/update.sh b/docker/elk/logstash/dist/update.sh index 16251a55..a68dadf0 100644 --- a/docker/elk/logstash/dist/update.sh +++ b/docker/elk/logstash/dist/update.sh @@ -8,5 +8,5 @@ trap fuCLEANUP EXIT # Download updated translation maps cd /etc/listbot -git pull +git pull --all --depth=1 cd / diff --git a/docker/elk/logstash/docker-compose.yml b/docker/elk/logstash/docker-compose.yml index 9878a17a..fb21ac66 100644 --- a/docker/elk/logstash/docker-compose.yml +++ b/docker/elk/logstash/docker-compose.yml @@ -1,5 +1,3 @@ -# T-Pot (Standard) -# For docker-compose ... version: '2.2' services:
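Review bot: `wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.4.tar.gz` is still unpacked without any integrity check, so the image trusts TLS and the download host alone for the whole Logstash runtime; Elastic publishes a `.sha512` beside every artifact, so `wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.4.tar.gz.sha512 && sha512sum -c logstash-6.2.4.tar.gz.sha512` before the extraction (the tar step is outside this hunk) pins what gets installed. `git clone --depth=1 https://github.com/dtag-dev-sec/listbot /etc/listbot` is likewise unpinned, so the translation maps baked into the image depend on the repository's state at build time; a `--branch <tag>` or a post-clone `git checkout <sha>` fixes them.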
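Review bot: `#USER logstash:logstash` stays commented, so after this change Logstash — which parses attacker-controlled honeypot logs — still runs as root, and the new `CMD exec /usr/share/logstash/bin/logstash ...` makes that root process PID 1. Now that `update.sh` is no longer run at start there is no remaining step in the hunk that needs root at run time, so the fix is to create the user if the RUN above does not, `chown` only the paths Logstash writes (its `data/` directory and the log path, not the whole install), and uncomment `USER logstash:logstash`; if the config or log directories are root-owned elsewhere that will surface immediately as a start-up error rather than silently. `HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'` exits 0 for any HTTP response, errors included, so only a refused connection ever marks the container unhealthy; `curl -fsS http://127.0.0.1:9600 || exit 1` makes an erroring API count as a failure too.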