Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-05-15 20:58:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

tweaking, hardening

Browse source
This commit is contained in:
Marco Ochse 2018-05-04 16:29:55 +00:00
parent 915d3f1b89
commit b1fbcd9532
12 changed files with 79 additions and 519 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
docker/ciscoasa/Dockerfile
View file

@ -5,13 +5,11 @@ ADD dist/ /root/dist/
# Setup env and apt # Setup env and apt
RUN apk -U upgrade && \ RUN apk -U upgrade && \
apk add bash \ apk add build-base \
build-base \
git \ git \
libffi-dev \ libffi-dev \
openssl-dev \ openssl-dev \
python3-dev \ python3-dev && \
procps && \
# Setup user # Setup user
addgroup -g 2000 ciscoasa && \ addgroup -g 2000 ciscoasa && \
@ -34,9 +32,11 @@ RUN apk -U upgrade && \
python3-dev && \ python3-dev && \
apk add libffi \ apk add libffi \
openssl \ openssl \
python3 python3 && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Start elasticsearch-head # Start ciscoasa
WORKDIR /tmp/ciscoasa/ WORKDIR /tmp/ciscoasa/
USER ciscoasa:ciscoasa USER ciscoasa:ciscoasa
CMD cp -R /opt/ciscoasa_honeypot/* /tmp/ciscoasa && exec python3 asa_server.py --enable_ssl --verbose >> /var/log/ciscoasa/ciscoasa.log 2>&1 CMD cp -R /opt/ciscoasa_honeypot/* /tmp/ciscoasa && exec python3 asa_server.py --enable_ssl --verbose >> /var/log/ciscoasa/ciscoasa.log 2>&1

2
docker/ciscoasa/docker-compose.yml
View file

@ -1,5 +1,3 @@
# T-Pot (Standard)
# For docker-compose ...
version: '2.2' version: '2.2'
networks: networks:

5
docker/conpot/Dockerfile
View file

@ -4,7 +4,7 @@ FROM alpine
ADD dist/ /root/dist/ ADD dist/ /root/dist/
# Setup apt # Setup apt
RUN apk -U --no-cache add bash \ RUN apk -U --no-cache add \
build-base \ build-base \
cython-dev \ cython-dev \
file \ file \
@ -51,7 +51,8 @@ RUN apk -U --no-cache add bash \
adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot && \ adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot && \
# Clean up # Clean up
apk del --purge build-base \ apk del --purge \
build-base \
cython-dev \ cython-dev \
file \ file \
git \ git \

5
docker/conpot/dist/conpot.bin vendored
View file

@ -1,5 +0,0 @@
#!/usr/bin/python
# EASY-INSTALL-SCRIPT: 'Conpot==0.5.1','conpot'
__import__('gevent.monkey').monkey.patch_all()
__requires__ = 'Conpot==0.5.1'
__import__('pkg_resources').run_script('Conpot==0.5.1', 'conpot')

74
docker/cowrie/Dockerfile
View file

@ -4,52 +4,60 @@ FROM alpine
ADD dist/ /root/dist/ ADD dist/ /root/dist/
# Get and install dependencies & packages # Get and install dependencies & packages
RUN apk -U upgrade && \ RUN apk -U --no-cache add \
apk add build-base \ build-base \
git \ git \
gmp-dev \ gmp-dev \
libffi-dev \ libcap \
mpc1-dev \ libffi-dev \
mpfr-dev \ mpc1-dev \
openssl-dev \ mpfr-dev \
procps \ openssl-dev \
python \ python \
python-dev \ python-dev \
py-mysqldb \ py-mysqldb \
py-pip \ py-pip \
py-requests \ py-requests \
py-setuptools && \ py-setuptools && \
# Setup user # Setup user
addgroup -g 2000 cowrie && \ addgroup -g 2000 cowrie && \
adduser -S -s /bin/bash -u 2000 -D -g 2000 cowrie && \ adduser -S -s /bin/ash -u 2000 -D -g 2000 cowrie && \
# Install cowrie from git # Install cowrie from git
git clone https://github.com/micheloosterhof/cowrie.git /home/cowrie/cowrie/ && \ git clone https://github.com/micheloosterhof/cowrie /home/cowrie/cowrie/ && \
cd /home/cowrie/cowrie && \ cd /home/cowrie/cowrie && \
pip install --no-cache-dir --upgrade cffi && \ pip install --no-cache-dir --upgrade cffi pip && \
pip install --no-cache-dir -U -r requirements.txt && \ pip install --no-cache-dir --upgrade -r requirements.txt && \
# Setup user, groups and configs # Setup configs
setcap cap_net_bind_service=+ep /usr/bin/python2.7 && \
cp /root/dist/cowrie.cfg /home/cowrie/cowrie/cowrie.cfg && \ cp /root/dist/cowrie.cfg /home/cowrie/cowrie/cowrie.cfg && \
cp /root/dist/userdb.txt /home/cowrie/cowrie/data/userdb.txt && \ chown cowrie:cowrie -R /home/cowrie/* /usr/lib/python2.7/site-packages/twisted/plugins && \
chown cowrie:cowrie -R /home/cowrie/* && \
# Start Cowrie once to prevent dropin.cache errors upon container start caused by read-only filesystem
su - cowrie -c "export PYTHONPATH=/home/cowrie/cowrie && \
cd /home/cowrie/cowrie && \
/usr/bin/twistd --uid=2000 --gid=2000 -y cowrie.tac --pidfile cowrie.pid cowrie &" && \
sleep 10 && \
# Clean up # Clean up
rm -rf /root/* && \ apk del --purge build-base \
apk del --purge git \ git \
py-pip \
mpfr-dev \
mpc1-dev \
libffi-dev \
build-base \
py-mysqldb \
gmp-dev \ gmp-dev \
python-dev && \ libcap \
rm -rf /var/cache/apk/* libffi-dev \
mpc1-dev \
mpfr-dev \
python-dev \
py-mysqldb \
py-pip && \
rm -rf /root/* && \
rm -rf /var/cache/apk/* && \
rm -rf /home/cowrie/cowrie/cowrie.pid
# Start cowrie # Start cowrie
ENV PYTHONPATH /home/cowrie/cowrie ENV PYTHONPATH /home/cowrie/cowrie
WORKDIR /home/cowrie/cowrie WORKDIR /home/cowrie/cowrie
USER cowrie:cowrie USER cowrie:cowrie
CMD ["/usr/bin/twistd", "--nodaemon", "-y", "cowrie.tac", "--pidfile", "var/run/cowrie.pid", "cowrie"] CMD ["/usr/bin/twistd", "--nodaemon", "-y", "cowrie.tac", "--pidfile", "/tmp/cowrie/cowrie.pid", "cowrie"]

457
docker/cowrie/dist/cowrie.cfg vendored
View file

@ -1,472 +1,25 @@
#
# Cowrie configuration file (cowrie.cfg)
#
# ============================================================================
# General Honeypot Options
# ============================================================================
[honeypot] [honeypot]
# Sensor name is used to identify this Cowrie instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# server as the sensor name.
#
# (default: not specified)
#sensor_name=t-pot
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment
#
# (default: svr04)
hostname = ubuntu hostname = ubuntu
# Directory where to save log files in.
#
# (default: log)
log_path = log
# Directory where to save downloaded artifacts in.
#
# (default: dl)
download_path = dl
# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
data_path = data
# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs
# File in the Python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the Cowrie filesystem,
# but not the file contents. This is created by the bin/createfs utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem_file = data/fs.pickle
# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
# txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual filesystem
#
# (default: txtcmds)
txtcmds_path = txtcmds
# Maximum file size (in bytes) for downloaded files to be stored in 'download_path'.
# A value of 0 means no limit. If the file size is known to be too big from the start,
# the file will not be stored on disk at all.
#
# (default: 0)
#download_limit_size = 10485760
# TTY logging will log a transcript of the complete terminal interaction in UML
# compatible format.
# (default: true)
ttylog = true
# ============================================================================
# Network Specific Options
# ============================================================================
# IP address to bind to when opening outgoing connections. Used by wget and
# curl commands.
#
# (default: not specified)
#out_addr = 0.0.0.0
# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254
# The IP address on which this machine is reachable on from the internet.
# Useful if you use portforwarding or other mechanisms. If empty, Cowrie
# will determine by itself. Used in 'netstat' output
#
#internet_facing_ip = 9.9.9.9
# Enable to log the public IP of the honeypot (useful if listening on 127.0.0.1)
# IP address is obtained by querying http://myip.threatstream.com
report_public_ip = true report_public_ip = true
# ============================================================================
# Authentication Specific Options
# ============================================================================
# Class that implements the checklogin() method.
#
# Class must be defined in cowrie/core/auth.py
# Default is the 'UserDB' class which uses the password database.
#
# Alternatively the 'AuthRandom' class can be used, which will let
# a user login after a random number of attempts.
# It will also cache username/password combinations that allow login.
#
#auth_class = UserDB
# When AuthRandom is used also set the
# auth_class_parameters: <min try>, <max try>, <maxcache>
# for example: 2, 5, 10 = allows access after randint(2,5) attempts
# and cache 10 combinations.
#
auth_class = AuthRandom auth_class = AuthRandom
auth_class_parameters = 2, 5, 10 auth_class_parameters = 2, 5, 10
# No authentication checking at all
# enabling 'auth_none' will enable the ssh2 'auth_none' authentication method
# this allows the requested user in without any verification at all
#
# (default: false)
#auth_none_enabled = false
# ============================================================================
# Historical SSH Specific Options
# historical options in [honeypot] that have not yet been moved to [ssh]
# ============================================================================
# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
reported_ssh_port = 22 reported_ssh_port = 22
data_path = /tmp/cowrie/data
# ============================================================================
# SSH Specific Options
# ============================================================================
[ssh] [ssh]
# Enable SSH support
# (default: true)
enabled = true
# Public and private SSH key files. If these don't exist, they are created
# automatically.
rsa_public_key = etc/ssh_host_rsa_key.pub
rsa_private_key = etc/ssh_host_rsa_key
dsa_public_key = etc/ssh_host_dsa_key.pub
dsa_private_key = etc/ssh_host_dsa_key
# SSH Version String
#
# Use these to disguise your honeypot from a simple SSH version scan
# Examples:
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-1.99-OpenSSH_4.3
# SSH-1.99-OpenSSH_4.7
# SSH-1.99-Sun_SSH_1.1
# SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1
# SSH-2.0-OpenSSH_4.3
# SSH-2.0-OpenSSH_4.6
# SSH-2.0-OpenSSH_5.1p1 Debian-5
# SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
# SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
# SSH-2.0-OpenSSH_5.5p1 Debian-6
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1
# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
# SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
# SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
# SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
# SSH-2.0-OpenSSH_5.9
#
# (default: "SSH-2.0-SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2")
version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 version = SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
listen_endpoints = tcp:22:interface=0.0.0.0
# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any IPv4 address
#listen_addr = 0.0.0.0
# (use :: for listen to all IPv6 and IPv4 addresses)
#listen_addr = ::
# Port to listen for incoming SSH connections.
#
# (default: 2222)
#listen_port = 22
# sftp_enabled enables the sftp subsystem
sftp_enabled = true
# Enable SSH direct-tcpip forwarding
# (default: true)
forwarding = true
# This enables redirecting forwarding requests to another address
# Useful for forwarding protocols to other honeypots
# (default: false)
forward_redirect = false
# Configure where to forward the data to.
# forward_redirect_<portnumber> = <redirect ip>:<redirect port>
# Redirect http/https
forward_redirect_80 = 127.0.0.1:8000
forward_redirect_443 = 127.0.0.1:8443
# To record SMTP traffic, install an SMTP honeypoint.
# (e.g https://github.com/awhitehatter/mailoney), run
# python mailoney.py -s yahoo.com -t schizo_open_relay -p 12525
forward_redirect_25 = 127.0.0.1:12525
forward_redirect_587 = 127.0.0.1:12525
# ============================================================================
# Telnet Specific Options
# ============================================================================
[telnet] [telnet]
# Enable Telnet support, disabled by default
enabled = true enabled = true
listen_endpoints = tcp:23:interface=0.0.0.0
# IP addresses to listen for incoming Telnet connections.
#
# (default: 0.0.0.0) = any IPv4 address
#listen_addr = 0.0.0.0
# (use :: for listen to all IPv6 and IPv4 addresses)
#listen_addr = ::
# Port to listen for incoming Telnet connections.
#
# (default: 2223)
#listen_port = 23
# Source Port to report in logs (useful if you use iptables to forward ports to Cowrie)
reported_port = 23 reported_port = 23
# ============================================================================
# Database logging Specific Options
# ============================================================================
# XMPP Logging
# Log to an xmpp server.
#
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = cowrie-events
#signal_connectionlost = cowrie-events
#signal_loginfailed = cowrie-events
#signal_loginsucceeded = cowrie-events
#signal_command = cowrie-events
#signal_clientversion = cowrie-events
#debug=true
# ============================================================================
# Output Plugins
# These provide an extensible mechanism to send audit log entries to third
# parties. The audit entries contain information on clients connecting to
# the honeypot.
# ============================================================================
# JSON based logging module
#
[output_jsonlog] [output_jsonlog]
enabled = true
logfile = log/cowrie.json logfile = log/cowrie.json
# Supports logging to Elasticsearch
# This is a simple early release
#
#[output_elasticsearch]
#host = localhost
#port = 9200
#index = cowrie
#type = cowrie
# Send login attemp information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at: https://isc.sans.edu/myaccount.html
#
#[output_dshield]
#userid = userid_here
#auth_key = auth_key_here
#batch_size = 100
# Local Syslog output module
#
# This sends log messages to the local syslog daemon.
# Facility can be:
# KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, SYSLOG and LOCAL0 to LOCAL7.
#
# Format can be:
# text, cef
#
#[output_localsyslog]
#facility = USER
#format = text
# Text output
# This writes audit log entries to a text file
#
# Format can be:
# text, cef
#
[output_textlog] [output_textlog]
enabled = false
logfile = log/cowrie-textlog.log logfile = log/cowrie-textlog.log
format = text format = text
# MySQL logging module
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# MySQL logging requires extra software: sudo apt-get install libmysqlclient-dev
# MySQL logging requires an extra Python module: pip install mysql-python
#
#[output_mysql]
#host = localhost
#database = cowrie
#username = cowrie
#password = secret
#port = 3306
#debug = false
# Rethinkdb output module
# Rethinkdb output module requires extra Python module: pip install rethinkdb
#[output_rethinkdblog]
#host = 127.0.0.1
#port = 28015
#table = output
#password =
#db = cowrie
# SQLite3 logging module
#
# Logging to SQLite3 database. To init the database, use the script
# doc/sql/sqlite3.sql:
# sqlite3 <db_file> < doc/sql/sqlite3.sql
#
#[output_sqlite]
#db_file = cowrie.db
# MongoDB logging module
#
# MongoDB logging requires an extra Python module: pip install pymongo
#
#[output_mongodb]
#connection_string = mongodb://username:password@host:port/database
#database = dbname
# Splunk SDK output module - Legacy. Requires Splunk API installed
# This sends logs directly to Splunk using the Python REST SDK
#
#[output_splunklegacy]
#host = localhost
#port = 8889
#username = admin
#password = password
#index = cowrie
# Splunk HTTP Event Collector (HEC) output module
# Sends JSON directly to Splunk over HTTPS
# mandatory fields: url, token
# optional fields: index, source, sourcetype, host
#
#[output_splunk]
#url = https://localhost:8088/services/collector/event
#token = 6A0EA6C6-8006-4E39-FC44-C35FF6E561A8
#index = cowrie
#sourcetype = cowrie
#source = cowrie
# HPFeeds
#
#[output_hpfeeds]
#server = hpfeeds.mysite.org
#port = 10000
#identifier = abc123
#secret = secret
#debug=false
# VirusTotal output module
# You must signup for an api key.
#
#[output_virustotal]
#api_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#
#[output_slack]
# This will produce a _lot_ of messages - you have been warned....
#channel = channel_that_events_should_be_posted_in
#token = slack_token_for_your_bot
##debug=true
# https://csirtg.io
# You must signup for an api key.
#
#[output_csirtg]
#username=wes
#feed=scanners
#description=random scanning activity
#token=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#[output_socketlog]
#address = 127.0.0.1:9000
#timeout = 5

1
docker/cowrie/dist/userdb.txt vendored
View file

@ -1 +0,0 @@
root:0:password

10
docker/cowrie/docker-compose.yml
View file

@ -1,5 +1,3 @@
# T-Pot (Standard)
# For docker-compose ...
version: '2.2' version: '2.2'
networks: networks:
@ -12,12 +10,16 @@ services:
build: . build: .
container_name: cowrie container_name: cowrie
restart: always restart: always
tmpfs:
- /tmp/cowrie:uid=2000,gid=2000
- /tmp/cowrie/data:uid=2000,gid=2000
networks: networks:
- cowrie_local - cowrie_local
ports: ports:
- "22:2222" - "22:22"
- "23:2223" - "23:23"
image: "dtagdevsec/cowrie:1804" image: "dtagdevsec/cowrie:1804"
read_only: true
volumes: volumes:
- /data/cowrie/downloads:/home/cowrie/cowrie/dl - /data/cowrie/downloads:/home/cowrie/cowrie/dl
- /data/cowrie/keys:/home/cowrie/cowrie/etc - /data/cowrie/keys:/home/cowrie/cowrie/etc

4
docker/elk/docker-compose.yml
View file

@ -7,6 +7,7 @@ services:
# ELK services # ELK services
## Elasticsearch service ## Elasticsearch service
elasticsearch: elasticsearch:
build: elasticsearch/.
container_name: elasticsearch container_name: elasticsearch
restart: always restart: always
environment: environment:
@ -30,6 +31,7 @@ services:
## Kibana service ## Kibana service
kibana: kibana:
build: kibana/.
container_name: kibana container_name: kibana
restart: always restart: always
stop_signal: SIGKILL stop_signal: SIGKILL
@ -42,6 +44,7 @@ services:
## Logstash service ## Logstash service
logstash: logstash:
build: logstash/.
container_name: logstash container_name: logstash
restart: always restart: always
depends_on: depends_on:
@ -57,6 +60,7 @@ services:
## Elasticsearch-head service ## Elasticsearch-head service
head: head:
build: head/.
container_name: head container_name: head
restart: always restart: always
depends_on: depends_on:

24
docker/elk/logstash/Dockerfile
View file

@ -5,17 +5,17 @@ ADD dist/ /root/dist/
# Setup env and apt # Setup env and apt
RUN apk -U upgrade && \ RUN apk -U upgrade && \
apk add bash \ apk --no-cache add \
curl \ bash \
git \ curl \
libc6-compat \ git \
libzmq \ libc6-compat \
openjdk8-jre \ libzmq \
procps \ openjdk8-jre \
wget && \ wget && \
# Get and install packages # Get and install packages
git clone https://github.com/dtag-dev-sec/listbot /etc/listbot && \ git clone --depth=1 https://github.com/dtag-dev-sec/listbot /etc/listbot && \
cd /root/dist/ && \ cd /root/dist/ && \
mkdir -p /usr/share/logstash/ && \ mkdir -p /usr/share/logstash/ && \
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.4.tar.gz && \ wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.4.tar.gz && \
@ -42,11 +42,13 @@ RUN apk -U upgrade && \
# Clean up # Clean up
apk del --purge wget && \ apk del --purge wget && \
rm -rf /root/* rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Healthcheck # Healthcheck
HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600' HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
# Start logstash # Start logstash
#USER logstash:logstash #USER logstash:logstash
CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf #CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
CMD exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf

2
docker/elk/logstash/dist/update.sh vendored
View file

@ -8,5 +8,5 @@ trap fuCLEANUP EXIT
# Download updated translation maps # Download updated translation maps
cd /etc/listbot cd /etc/listbot
git pull git pull --all --depth=1
cd / cd /

2
docker/elk/logstash/docker-compose.yml
View file

@ -1,5 +1,3 @@
# T-Pot (Standard)
# For docker-compose ...
version: '2.2' version: '2.2'
services: services: