Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 04:52:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

tweaking, prepare for elk microservice

Browse source
This commit is contained in:
Marco Ochse 2017-05-03 20:55:18 +00:00
parent 8c475544b3
commit b36c63962d
8 changed files with 245 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
installer/bin/dps.sh
View file

@ -11,12 +11,15 @@ myIMAGES=$(cat /etc/tpot/tpot.yml | grep container_name | cut -d: -f2)
while true while true
do do
clear clear
echo ""
echo "======| System |======" echo "======| System |======"
echo Date:" "$(date) echo Date:" "$(date)
echo Uptime:" "$(uptime) echo Uptime:" "$(uptime)
echo CPU temp: $(sensors | grep "Physical" | awk '{ print $4 }') echo CPU temp: $(sensors | grep "Physical" | awk '{ print $4 }')
echo echo
echo "NAME CREATED PORTS" printf "NAME"
printf "%-15s STATUS"
printf "%-13s PORTS\n"
for i in $myIMAGES; do for i in $myIMAGES; do
mySTATUS=$(/usr/bin/docker ps -f name=$i --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' /bin/egrep --color=always "(^[_0-9a-z-]+ |$)|$" | GREP_COLORS='mt=01;32' /bin/egrep --color=always "(Up[ 0-9a-Z ]+ |$)|$" | GREP_COLORS='mt=01;31' /bin/egrep --color=always "(Exited[ \(0-9\) ]+ [0-9a-Z ]+ ago|$)|$" | tail -n 1) mySTATUS=$(/usr/bin/docker ps -f name=$i --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' /bin/egrep --color=always "(^[_0-9a-z-]+ |$)|$" | GREP_COLORS='mt=01;32' /bin/egrep --color=always "(Up[ 0-9a-Z ]+ |$)|$" | GREP_COLORS='mt=01;31' /bin/egrep --color=always "(Exited[ \(0-9\) ]+ [0-9a-Z ]+ ago|$)|$" | tail -n 1)
myDOWN=$(echo "$mySTATUS" | grep -c "NAMES") myDOWN=$(echo "$mySTATUS" | grep -c "NAMES")

1
installer/etc/rc.local
View file

@ -14,5 +14,4 @@ tee /etc/tpot/elk/environment << EOF
MY_EXTIP=$myEXTIP MY_EXTIP=$myEXTIP
MY_HOSTNAME=$HOSTNAME MY_HOSTNAME=$HOSTNAME
EOF EOF
echo $myLOCALIP > /data/elk/logstash/mylocal.ip
chown tpot:tpot /data/ews/conf/ews.ip chown tpot:tpot /data/ews/conf/ews.ip

89
installer/etc/tpot/compose/all.yml
View file

@ -1,12 +1,26 @@
# T-Pot (Everything) # T-Pot (Everything)
# For docker-compose version ... # For docker-compose ...
version: '2' version: '2'
networks:
conpot_local:
cowrie_local:
dionaea_local:
elasticpot_local:
emobility_local:
ewsposter_local:
glastopf_local:
spiderfoot_local:
ui-for-docker_local:
services: services:
# Conpot service # Conpot service
conpot: conpot:
container_name: conpot container_name: conpot
restart: always restart: always
networks:
- conpot_local
ports: ports:
- "1025:1025" - "1025:1025"
- "50100:50100" - "50100:50100"
@ -19,6 +33,8 @@ services:
cowrie: cowrie:
container_name: cowrie container_name: cowrie
restart: always restart: always
networks:
- cowrie_local
ports: ports:
- "22:2222" - "22:2222"
- "23:2223" - "23:2223"
@ -30,6 +46,8 @@ services:
dionaea: dionaea:
container_name: dionaea container_name: dionaea
restart: always restart: always
networks:
- dionaea_local
cap_add: cap_add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
ports: ports:
@ -57,36 +75,77 @@ services:
elasticpot: elasticpot:
container_name: elasticpot container_name: elasticpot
restart: always restart: always
networks:
- elasticpot_local
ports: ports:
- "9200:9200" - "9200:9200"
image: "dtagdevsec/elasticpot:1706" image: "dtagdevsec/elasticpot:1706"
volumes: volumes:
- /data/elasticpot:/data/elasticpot - /data/elasticpot:/data/elasticpot
# ELK service # ELK services
elk: ## Elasticsearch service
container_name: elk elasticsearch:
container_name: elasticsearch
restart: always restart: always
env_file: environment:
- /etc/tpot/elk/environment - bootstrap.memory_lock=true
# - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
cap_add: cap_add:
- IPC_LOCK - IPC_LOCK
ulimits: ulimits:
memlock: -1 memlock:
nofile: 65536 soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
# mem_limit: 2g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:1706"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
- elasticsearch
ports: ports:
- "127.0.0.1:64296:5601" - "127.0.0.1:64296:5601"
- "127.0.0.1:64302:9100" image: "dtagdevsec/kibana:1706"
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elk:1706" ## Logstash service
logstash:
container_name: logstash
restart: always
depends_on:
- elasticsearch
env_file:
- /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706"
volumes: volumes:
- /data:/data - /data:/data
- /var/log:/data/host/log - /var/log:/data/host/log
## Elasticsearch-head service
head:
container_name: head
restart: always
depends_on:
- elasticsearch
ports:
- "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706"
# Emobility service # Emobility service
emobility: emobility:
container_name: emobility container_name: emobility
restart: always restart: always
networks:
- emobility_local
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
ports: ports:
@ -100,6 +159,8 @@ services:
ewsposter: ewsposter:
container_name: ewsposter container_name: ewsposter
restart: always restart: always
networks:
- ewsposter_local
image: "dtagdevsec/ewsposter:1706" image: "dtagdevsec/ewsposter:1706"
volumes: volumes:
- /data:/data - /data:/data
@ -109,6 +170,8 @@ services:
glastopf: glastopf:
container_name: glastopf container_name: glastopf
restart: always restart: always
networks:
- glastopf_local
ports: ports:
- "80:80" - "80:80"
image: "dtagdevsec/glastopf:1706" image: "dtagdevsec/glastopf:1706"
@ -147,6 +210,8 @@ services:
spiderfoot: spiderfoot:
container_name: spiderfoot container_name: spiderfoot
restart: always restart: always
networks:
- spiderfoot_local
ports: ports:
- "127.0.0.1:64303:8080" - "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:1706" image: "dtagdevsec/spiderfoot:1706"
@ -156,6 +221,8 @@ services:
container_name: ui-for-docker container_name: ui-for-docker
command: -H unix:///var/run/docker.sock --no-auth command: -H unix:///var/run/docker.sock --no-auth
restart: always restart: always
networks:
- ui-for-docker_local
ports: ports:
- "127.0.0.1:64299:9000" - "127.0.0.1:64299:9000"
image: "dtagdevsec/ui-for-docker:1706" image: "dtagdevsec/ui-for-docker:1706"

22
installer/etc/tpot/compose/hp.yml
View file

@ -1,12 +1,22 @@
# T-Pot (Standard) # T-Pot (Honeypots)
# For docker-compose version ... # For docker-compose ...
version: '2' version: '2'
networks:
cowrie_local:
dionaea_local:
elasticpot_local:
ewsposter_local:
glastopf_local:
services: services:
# Cowrie service # Cowrie service
cowrie: cowrie:
container_name: cowrie container_name: cowrie
restart: always restart: always
networks:
- cowrie_local
ports: ports:
- "22:2222" - "22:2222"
- "23:2223" - "23:2223"
@ -18,6 +28,8 @@ services:
dionaea: dionaea:
container_name: dionaea container_name: dionaea
restart: always restart: always
networks:
- dionaea_local
cap_add: cap_add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
ports: ports:
@ -45,6 +57,8 @@ services:
elasticpot: elasticpot:
container_name: elasticpot container_name: elasticpot
restart: always restart: always
networks:
- elasticpot_local
ports: ports:
- "9200:9200" - "9200:9200"
image: "dtagdevsec/elasticpot:1706" image: "dtagdevsec/elasticpot:1706"
@ -55,6 +69,8 @@ services:
ewsposter: ewsposter:
container_name: ewsposter container_name: ewsposter
restart: always restart: always
networks:
- ewsposter_local
image: "dtagdevsec/ewsposter:1706" image: "dtagdevsec/ewsposter:1706"
volumes: volumes:
- /data:/data - /data:/data
@ -64,6 +80,8 @@ services:
glastopf: glastopf:
container_name: glastopf container_name: glastopf
restart: always restart: always
networks:
- glastopf_local
ports: ports:
- "80:80" - "80:80"
image: "dtagdevsec/glastopf:1706" image: "dtagdevsec/glastopf:1706"

79
installer/etc/tpot/compose/industrial.yml
View file

@ -1,12 +1,22 @@
# T-Pot (Everything) # T-Pot (Industrial)
# For docker-compose version ... # For docker-compose ...
version: '2' version: '2'
networks:
conpot_local:
emobility_local:
ewsposter_local:
spiderfoot_local:
ui-for-docker_local:
services: services:
# Conpot service # Conpot service
conpot: conpot:
container_name: conpot container_name: conpot
restart: always restart: always
networks:
- conpot_local
ports: ports:
- "1025:1025" - "1025:1025"
- "50100:50100" - "50100:50100"
@ -15,30 +25,69 @@ services:
- /data/conpot:/data/conpot - /data/conpot:/data/conpot
- /data/ews:/data/ews - /data/ews:/data/ews
# ELK service # ELK services
elk: ## Elasticsearch service
container_name: elk elasticsearch:
container_name: elasticsearch
restart: always restart: always
env_file: environment:
- /etc/tpot/elk/environment - bootstrap.memory_lock=true
# - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
cap_add: cap_add:
- IPC_LOCK - IPC_LOCK
ulimits: ulimits:
memlock: -1 memlock:
nofile: 65536 soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
# mem_limit: 2g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:1706"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
- elasticsearch
ports: ports:
- "127.0.0.1:64296:5601" - "127.0.0.1:64296:5601"
- "127.0.0.1:64302:9100" image: "dtagdevsec/kibana:1706"
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elk:1706" ## Logstash service
logstash:
container_name: logstash
restart: always
depends_on:
- elasticsearch
env_file:
- /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706"
volumes: volumes:
- /data:/data - /data:/data
- /var/log:/data/host/log - /var/log:/data/host/log
## Elasticsearch-head service
head:
container_name: head
restart: always
depends_on:
- elasticsearch
ports:
- "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706"
# Emobility service # Emobility service
emobility: emobility:
container_name: emobility container_name: emobility
restart: always restart: always
networks:
- emobility_local
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
ports: ports:
@ -52,6 +101,8 @@ services:
ewsposter: ewsposter:
container_name: ewsposter container_name: ewsposter
restart: always restart: always
networks:
- ewsposter_local
image: "dtagdevsec/ewsposter:1706" image: "dtagdevsec/ewsposter:1706"
volumes: volumes:
- /data:/data - /data:/data
@ -76,6 +127,8 @@ services:
spiderfoot: spiderfoot:
container_name: spiderfoot container_name: spiderfoot
restart: always restart: always
networks:
- spiderfoot_local
ports: ports:
- "127.0.0.1:64303:8080" - "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:1706" image: "dtagdevsec/spiderfoot:1706"
@ -85,6 +138,8 @@ services:
container_name: ui-for-docker container_name: ui-for-docker
command: -H unix:///var/run/docker.sock --no-auth command: -H unix:///var/run/docker.sock --no-auth
restart: always restart: always
networks:
- ui-for-docker_local
ports: ports:
- "127.0.0.1:64299:9000" - "127.0.0.1:64299:9000"
image: "dtagdevsec/ui-for-docker:1706" image: "dtagdevsec/ui-for-docker:1706"

83
installer/etc/tpot/compose/tpot.yml
View file

@ -1,12 +1,24 @@
# T-Pot (Standard) # T-Pot (Standard)
# For docker-compose version ... # For docker-compose ...
version: '2' version: '2'
networks:
cowrie_local:
dionaea_local:
elasticpot_local:
ewsposter_local:
glastopf_local:
spiderfoot_local:
ui-for-docker_local:
services: services:
# Cowrie service # Cowrie service
cowrie: cowrie:
container_name: cowrie container_name: cowrie
restart: always restart: always
networks:
- cowrie_local
ports: ports:
- "22:2222" - "22:2222"
- "23:2223" - "23:2223"
@ -18,6 +30,8 @@ services:
dionaea: dionaea:
container_name: dionaea container_name: dionaea
restart: always restart: always
networks:
- dionaea_local
cap_add: cap_add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
ports: ports:
@ -45,36 +59,77 @@ services:
elasticpot: elasticpot:
container_name: elasticpot container_name: elasticpot
restart: always restart: always
networks:
- elasticpot_local
ports: ports:
- "9200:9200" - "9200:9200"
image: "dtagdevsec/elasticpot:1706" image: "dtagdevsec/elasticpot:1706"
volumes: volumes:
- /data/elasticpot:/data/elasticpot - /data/elasticpot:/data/elasticpot
# ELK service # ELK services
elk: ## Elasticsearch service
container_name: elk elasticsearch:
container_name: elasticsearch
restart: always restart: always
env_file: environment:
- /etc/tpot/elk/environment - bootstrap.memory_lock=true
# - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
cap_add: cap_add:
- IPC_LOCK - IPC_LOCK
ulimits: ulimits:
memlock: -1 memlock:
nofile: 65536 soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
# mem_limit: 2g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:1706"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
- elasticsearch
ports: ports:
- "127.0.0.1:64296:5601" - "127.0.0.1:64296:5601"
- "127.0.0.1:64302:9100" image: "dtagdevsec/kibana:1706"
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elk:1706" ## Logstash service
logstash:
container_name: logstash
restart: always
depends_on:
- elasticsearch
env_file:
- /etc/tpot/elk/environment
image: "dtagdevsec/logstash:1706"
volumes: volumes:
- /data:/data - /data:/data
- /var/log:/data/host/log - /var/log:/data/host/log
## Elasticsearch-head service
head:
container_name: head
restart: always
depends_on:
- elasticsearch
ports:
- "127.0.0.1:64302:9100"
image: "dtagdevsec/head:1706"
# Ewsposter service # Ewsposter service
ewsposter: ewsposter:
container_name: ewsposter container_name: ewsposter
restart: always restart: always
networks:
- ewsposter_local
image: "dtagdevsec/ewsposter:1706" image: "dtagdevsec/ewsposter:1706"
volumes: volumes:
- /data:/data - /data:/data
@ -84,6 +139,8 @@ services:
glastopf: glastopf:
container_name: glastopf container_name: glastopf
restart: always restart: always
networks:
- glastopf_local
ports: ports:
- "80:80" - "80:80"
image: "dtagdevsec/glastopf:1706" image: "dtagdevsec/glastopf:1706"
@ -122,6 +179,8 @@ services:
spiderfoot: spiderfoot:
container_name: spiderfoot container_name: spiderfoot
restart: always restart: always
networks:
- spiderfoot_local
ports: ports:
- "127.0.0.1:64303:8080" - "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:1706" image: "dtagdevsec/spiderfoot:1706"
@ -131,6 +190,8 @@ services:
container_name: ui-for-docker container_name: ui-for-docker
command: -H unix:///var/run/docker.sock --no-auth command: -H unix:///var/run/docker.sock --no-auth
restart: always restart: always
networks:
- ui-for-docker_local
ports: ports:
- "127.0.0.1:64299:9000" - "127.0.0.1:64299:9000"
image: "dtagdevsec/ui-for-docker:1706" image: "dtagdevsec/ui-for-docker:1706"

4
installer/etc/tpot/systemd/tpot.service
View file

@ -9,10 +9,12 @@ Restart=always
# Clear state from /data # Clear state from /data
ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh off' ExecStartPre=/bin/bash -c '/usr/share/tpot/bin/clean.sh off'
# Remove old containers and volumes # Remove old containers, images and volumes
ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml down -v
ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml rm -v ExecStartPre=/usr/bin/docker-compose -f /etc/tpot/tpot.yml rm -v
ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)' ExecStartPre=-/bin/bash -c 'docker volume rm $(docker volume ls -q)'
ExecStartPre=-/bin/bash -c 'docker rmi $(docker images | grep "<none>" | awk \'{print $3}\')'
ExecStartPre=-/bin/bash -c 'docker rm -v $(docker ps -aq)'
# Get IF, disable offloading, enable promiscious mode for p0f and suricata # Get IF, disable offloading, enable promiscious mode for p0f and suricata
ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') rx off tx off' ExecStartPre=/bin/bash -c '/sbin/ethtool --offload $(/sbin/ip route | /bin/grep $(/bin/hostname -I | /usr/bin/awk \'{print $1 }\') | /usr/bin/awk \'{print $3 }\') rx off tx off'

6
installer/install.sh
View file

@ -409,9 +409,6 @@ dialog --title "[ Adding cronjobs ]" $myPROGRESSBOXCONF <<EOF
EOF EOF
tee -a /etc/crontab 2>&1>/dev/null <<EOF tee -a /etc/crontab 2>&1>/dev/null <<EOF
# Example for alerta-cli IP update
#*/5 * * * * root alerta --endpoint-url http://<ip>:<port>/api delete --filters resource=<host> && alerta --endpoint-url http://<ip>:<port>/api send -e IP -r <host> -E Production -s ok -S T-Pot -t \$(cat /data/elk/logstash/mylocal.ip) --status open
# Check if updated images are available and download them # Check if updated images are available and download them
27 1 * * * root /usr/bin/docker-compose -f /etc/tpot/tpot.yml pull 27 1 * * * root /usr/bin/docker-compose -f /etc/tpot/tpot.yml pull
@ -430,7 +427,7 @@ mkdir -p /data/conpot/log \
/data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/ \ /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/ \
/data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp \ /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp \
/data/elasticpot/log \ /data/elasticpot/log \
/data/elk/data /data/elk/log /data/elk/logstash/conf \ /data/elk/data /data/elk/log \
/data/glastopf /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \ /data/glastopf /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \
/data/emobility/log \ /data/emobility/log \
/data/ews/conf \ /data/ews/conf \
@ -510,7 +507,6 @@ tee /etc/tpot/elk/environment 2>&1>/dev/null <<EOF
MY_EXTIP=$myEXTIP MY_EXTIP=$myEXTIP
MY_HOSTNAME=$HOSTNAME MY_HOSTNAME=$HOSTNAME
EOF EOF
echo $myLOCALIP > /data/elk/logstash/mylocal.ip 2>&1>/dev/null
chown tpot:tpot /data/ews/conf/ews.ip 2>&1>/dev/null chown tpot:tpot /data/ews/conf/ews.ip 2>&1>/dev/null
# Final steps # Final steps