continue working on installer

iso/installer/install.sh

@@ -2,7 +2,8 @@
 # T-Pot Universal Installer
 
 #### to do
-#### 1. use authorized keys config
+#### 1. ditch authorized keys config, use fail2ban
+#### 2. check for other services that might collide with the honeypots, if found abort install
 
 ##################################
 # Extract command line arguments #
@@ -63,11 +64,12 @@ for i in "$@"
         echo "Usage: $0 <options>"
         echo
         echo "--conf=<Path to \"tpot.conf\">"
-	echo "  Use this if you want to automatically deploy a T-Pot instance (--type=automatic implied)."
+	echo "  Use this if you want to automatically deploy a T-Pot instance (--type=auto implied)."
         echo "  A configuration example is available in \"tpotce/iso/installer/tpot.conf.dist\"."
         echo
         echo "--type=<[user, auto, iso]>"
         echo "  user, use this if you want to manually install a T-Pot on a Ubuntu 18.04 LTS machine."
+        echo "  auto, implied if a configuration file is passed as an argument for automatic deployment."
         echo "  iso, use this if you are a T-Pot developer and want to install a T-Pot from a pre-compiled iso."
         echo
 	exit
@@ -119,7 +121,8 @@ echo -n "### Checking for root: "
 if [ "$(whoami)" != "root" ];
   then
     echo "[ NOT OK ]"
-    echo "### Please run as root. Exiting."
+    echo "### Please run as root."
+    echo "### Example: sudo $0"
     exit
   else
     echo "[ OK ]"
@@ -253,9 +256,11 @@ fi
 ### ---> End proxy setup
 
 # Let's test the internet connection
-mySITESCOUNT=$(echo $mySITES | wc -w)
+if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
-j=0
+  then
-for i in $mySITES;
+    mySITESCOUNT=$(echo $mySITES | wc -w)
+    j=0
+    for i in $mySITES;
       do
         dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \
                --gauge "\n  Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <<EOF
@@ -277,6 +282,7 @@ EOF
              --gauge "\n  Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <<EOF
 EOF
     done;
+fi
 
 # Let's put cursor back in standard form
 tput cnorm
@@ -299,26 +305,25 @@ if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
   then
     while [ 1 != 2 ]
       do
-        myCONF_TPOT_USER=$(dialog --backtitle "$myBACKTITLE" --title "[ Existing linux user name ]" --inputbox "\nUsername (root is not allowed)" 9 50 "$(who am i | awk '{ print $1 }')" 3>&1 1>&2 2>&3 3>&-)
+        myCONF_TPOT_USER=$(dialog --backtitle "$myBACKTITLE" --title "[ Existing console user name ]" --inputbox "\nUsername (root is not allowed)" 9 50 "$(who am i | awk '{ print $1 }')" 3>&1 1>&2 2>&3 3>&-)
-        myCONF_TPOT_USER=$(echo $myUSER | tr -cd "[:alnum:]_.-")
+        myCONF_TPOT_USER=$(echo $myCONF_TPOT_USER | tr -cd "[:alnum:]_.-")
-        dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myUSER" 7 50
+        dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_TPOT_USER" 7 50
         myOK=$?
-        if [ "$myOK" = "0" ] && [ "$myUSER" != "root" ] && [ "$myUSER" != "" ];
+	if [ "$myOK" = "0" ] && [ "$myCONF_TPOT_USER" != "root" ] && [ "$myCONF_TPOT_USER" != "" ] && [ "$(cat /etc/passwd | grep -wc $myCONF_TPOT_USER)" == "1" ];
           then
             break
         fi
       done
 fi
 
-##### exit #####
+# Let's ask for a secure tsec password if installation type is iso
-exit
+if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ];
-
+  then
-# Let's ask for a secure tsec password
+    myCONF_TPOT_USER="tsec"
-myUSER="tsec"
+    myPASS1="pass1"
-myPASS1="pass1"
+    myPASS2="pass2"
-myPASS2="pass2"
+    mySECURE="0"
-mySECURE="0"
+    while [ "$myPASS1" != "$myPASS2"  ] && [ "$mySECURE" == "0" ]
-while [ "$myPASS1" != "$myPASS2"  ] && [ "$mySECURE" == "0" ]
       do
         while [ "$myPASS1" == "pass1"  ] || [ "$myPASS1" == "" ]
           do
@@ -348,62 +353,87 @@ while [ "$myPASS1" != "$myPASS2"  ] && [ "$mySECURE" == "0" ]
             fi
         fi
       done
-printf "%s" "$myUSER:$myPASS1" | chpasswd
+    printf "%s" "$myCONF_TPOT_USER:$myPASS1" | chpasswd
+fi
 
-# Let's ask for a web username with secure password
+# Let's ask for a web user credentials if deployment type is iso or user
-myOK="1"
+# In case of auto, credentials are created from config values
-myUSER="tsec"
+# Skip this step entirely if SENSOR flavor
-myPASS1="pass1"
+if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
-myPASS2="pass2"
+  then
-mySECURE="0"
+    myOK="1"
-while [ 1 != 2 ]
+    myCONF_WEB_USER="webuser"
+    myCONF_WEB_PW="pass1"
+    myCONF_WEB_PW2="pass2"
+    mySECURE="0"
+    while [ 1 != 2 ]
       do
-    myUSER=$(dialog --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-)
+        myCONF_WEB_USER=$(dialog --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-)
-    myUSER=$(echo $myUSER | tr -cd "[:alnum:]_.-")
+        myCONF_WEB_USER=$(echo $myCONF_WEB_USER | tr -cd "[:alnum:]_.-")
-    dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myUSER" 7 50
+        dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_WEB_USER" 7 50
         myOK=$?
-    if [ "$myOK" = "0" ] && [ "$myUSER" != "tsec" ] && [ "$myUSER" != "" ];
+        if [ "$myOK" = "0" ] && [ "$myCONF_WEB_USER" != "tsec" ] && [ "$myCONF_WEB_USER" != "" ];
           then
             break
         fi
       done
-while [ "$myPASS1" != "$myPASS2"  ] && [ "$mySECURE" == "0" ]
+    while [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2"  ] && [ "$mySECURE" == "0" ]
       do
-    while [ "$myPASS1" == "pass1"  ] || [ "$myPASS1" == "" ]
+        while [ "$myCONF_WEB_PW" == "pass1"  ] || [ "$myCONF_WEB_PW" == "" ]
           do
-        myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \
+            myCONF_WEB_PW=$(dialog --insecure --backtitle "$myBACKTITLE" \
                              --title "[ Enter password for your web user ]" \
                              --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
           done
-        myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \
+        myCONF_WEB_PW2=$(dialog --insecure --backtitle "$myBACKTITLE" \
                          --title "[ Repeat password for your web user ]" \
                          --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
-    if [ "$myPASS1" != "$myPASS2" ];
+        if [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ];
           then
             dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \
                    --msgbox "\nPlease re-enter your password." 7 60
-        myPASS1="pass1"
+            myCONF_WEB_PW="pass1"
-        myPASS2="pass2"
+            myCONF_WEB_PW2="pass2"
         fi
-    mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK")
+        mySECURE=$(printf "%s" "$myCONF_WEB_PW" | cracklib-check | grep -c "OK")
-    if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ];
+        if [ "$mySECURE" == "0" ] && [ "$myCONF_WEB_PW" == "$myCONF_WEB_PW2" ];
           then
             dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50
             myOK=$?
             if [ "$myOK" == "1" ];
               then
-            myPASS1="pass1"
+                myCONF_WEB_PW="pass1"
-            myPASS2="pass2"
+                myCONF_WEB_PW2="pass2"
             fi
         fi
       done
-mkdir -p /data/nginx/conf 2>&1
+fi
-htpasswd -b -c /data/nginx/conf/nginxpasswd "$myUSER" "$myPASS1" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF;
+# If flavor is SENSOR do not write credentials
+if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
+  then
+    mkdir -p /data/nginx/conf 2>&1
+    htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF;
+fi
+
+################
+echo $myCONF_TPOT_FLAVOR
+echo $myCONF_TPOT_USER
+echo $myCONF_TPOT_PW
+echo $myCONF_WEB_USER
+echo $myCONF_WEB_PW
+
+
+##### exit #####
+exit
+
+# Put cursor in invisible mode
+tput civis
 
 # Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway)
-tput civis
+if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
-mkdir -p /data/nginx/cert 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
+  then
-openssl req \
+    mkdir -p /data/nginx/cert 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
+    openssl req \
             -nodes \
             -x509 \
             -sha512 \
@@ -412,11 +442,12 @@ openssl req \
             -out "/data/nginx/cert/nginx.crt" \
             -days 3650 \
             -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
+fi
 
 # Let's setup the ntp server
 if [ "$myCONF_NTP_USE" == "0" ];
   then
-dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF <<EOF
+    dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF <<EOF
 EOF
     cp $myCONF_NTP_CONF_FILE /etc/ntp.conf 2>&1 | dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF
 fi
@@ -424,10 +455,10 @@ fi
 # Let's setup 802.1x networking
 if [ "myCONF_PFX_USE" == "0" ];
   then
-dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF <<EOF
+    dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF <<EOF
 EOF
     cp $myCONF_PFX_FILE /etc/wpa_supplicant/ 2>&1 | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
-tee -a /etc/network/interfaces 2>&1>/dev/null <<EOF
+    tee -a /etc/network/interfaces 2>&1>/dev/null <<EOF
         wpa-driver wired
         wpa-conf /etc/wpa_supplicant/wired8021x.conf
 
@@ -443,7 +474,7 @@ tee -a /etc/network/interfaces 2>&1>/dev/null <<EOF
 #        wpa-conf /etc/wpa_supplicant/wireless8021x.conf
 EOF
 
-tee /etc/wpa_supplicant/wired8021x.conf 2>&1>/dev/null <<EOF
+    tee /etc/wpa_supplicant/wired8021x.conf 2>&1>/dev/null <<EOF
 ctrl_interface=/var/run/wpa_supplicant
 ctrl_interface_group=root
 eapol_version=1
@@ -457,7 +488,7 @@ network={
 }
 EOF
 
-tee /etc/wpa_supplicant/wireless8021x.conf 2>&1>/dev/null <<EOF
+    tee /etc/wpa_supplicant/wireless8021x.conf 2>&1>/dev/null <<EOF
 ctrl_interface=/var/run/wpa_supplicant
 ctrl_interface_group=root
 eapol_version=1
@@ -516,27 +547,23 @@ tee -a /etc/ssh/ssh_config 2>&1>/dev/null <<EOF
 UseRoaming no
 EOF
 
-# Let's pull some updates
-apt-get update -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF
-apt-get upgrade -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF
-
-# Let's clean up apt
-apt-get autoclean -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF
-apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF
-
 # Installing ctop, elasticdump, tpot
+if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
+  then
+    npm install https://github.com/taskrabbit/elasticsearch-dump#9fcc8cc -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
+fi
 pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF
+hash -r 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF
 pip install elasticsearch-curator==5.4.1 2>&1 | dialog --title "[ Installing elasticsearch-curator ]" $myPROGRESSBOXCONF
 pip install yq==2.4.1 2>&1 | dialog --title "[ Installing yq ]" $myPROGRESSBOXCONF
-npm install https://github.com/taskrabbit/elasticsearch-dump#9fcc8cc -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
 wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
 mv ctop /usr/bin/ 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
 chmod +x /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
 git clone https://github.com/dtag-dev-sec/tpotce -b 18.04 /opt/tpot 2>&1 | dialog --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF
 
-# Let's add a new user
+# Let's create the T-Pot user
-addgroup --gid 2000 tpot 2>&1 | dialog --title "[ Adding new user ]" $myPROGRESSBOXCONF
+addgroup --gid 2000 tpot 2>&1 | dialog --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF
-adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --title "[ Adding new user ]" $myPROGRESSBOXCONF
+adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF
 
 # Let's set the hostname
 a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt)
@@ -705,6 +732,10 @@ EOF
 # Let's create ews.ip before reboot and prevent race condition for first start
 /opt/tpot/bin/updateip.sh 2>&1>/dev/null
 
+# Let's clean up apt
+apt-get autoclean -y 2>&1 | dialog --title "[ Cleaning up ]" $myPROGRESSBOXCONF
+apt-get autoremove -y 2>&1 | dialog --title "[ Cleaning up ]" $myPROGRESSBOXCONF
+
 # Final steps
 cp /opt/tpot/host/etc/rc.local /etc/rc.local 2>&1>/dev/null && \
 rm -rf /root/installer 2>&1>/dev/null && \

iso/installer/iso.conf.dist

@@ -1,14 +1,14 @@
 # makeiso configuration file
-myCONF_PROXY_USE="0"
+myCONF_PROXY_USE='0'
-myCONF_PROXY_IP="1.2.3.4"
+myCONF_PROXY_IP='1.2.3.4'
-myCONF_PROXY_PORT="3128"
+myCONF_PROXY_PORT='3128'
-myCONF_SSH_PUBKEY_USE="0"
+myCONF_SSH_PUBKEY_USE='0'
-myCONF_SSH_PUBKEY_FILE="/"
+myCONF_SSH_PUBKEY_FILE='/'
-myCONF_PFX_USE="0"
+myCONF_PFX_USE='0'
-myCONF_PFX_FILE="/"
+myCONF_PFX_FILE='/'
-myCONF_PFX_PW_USE="0"
+myCONF_PFX_PW_USE='0'
-myCONF_PFX_PW="<SECRET>"
+myCONF_PFX_PW='<SECRET>'
-myCONF_PFX_HOST_ID="<HOSTNAME>.<DOMAIN>"
+myCONF_PFX_HOST_ID='<HOSTNAME>.<DOMAIN>'
-myCONF_NTP_USE="0"
+myCONF_NTP_USE='0'
-myCONF_NTP_IP="1.2.3.4"
+myCONF_NTP_IP='1.2.3.4'
-myCONF_NTP_CONF_FILE="/"
+myCONF_NTP_CONF_FILE='/'

iso/installer/tpot.conf.dist

@@ -1,5 +1,7 @@
 # tpot configuration file
 # myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, EXPERIMENTAL, LEGACY]
-myCONF_TPOT_FLAVOR="STANDARD"
+myCONF_TPOT_FLAVOR='STANDARD'
-myCONF_TPOT_USER="tsec"
+myCONF_TPOT_USER='tsec'
-myCONF_TPOT_PW="$ecret123"
+myCONF_TPOT_PW='$ecret123'
+myCONF_WEB_USER='webuser'
+myCONF_WEB_PW='w3b$ecret'

makeiso.sh

@@ -225,19 +225,19 @@ done
 
 # Let's write the config file
 echo "# makeiso configuration file" > $myCONF_FILE
-echo "myCONF_PROXY_USE=\"$myCONF_PROXY_USE\"" >> $myCONF_FILE
+echo "myCONF_PROXY_USE=\'$myCONF_PROXY_USE\'" >> $myCONF_FILE
-echo "myCONF_PROXY_IP=\"$myCONF_PROXY_IP\"" >> $myCONF_FILE
+echo "myCONF_PROXY_IP=\'$myCONF_PROXY_IP\'" >> $myCONF_FILE
-echo "myCONF_PROXY_PORT=\"$myCONF_PROXY_PORT\"" >> $myCONF_FILE
+echo "myCONF_PROXY_PORT=\'$myCONF_PROXY_PORT\'" >> $myCONF_FILE
-echo "myCONF_SSH_PUBKEY_USE=\"$myCONF_SSH_PUBKEY_USE\"" >> $myCONF_FILE
+echo "myCONF_SSH_PUBKEY_USE=\'$myCONF_SSH_PUBKEY_USE\'" >> $myCONF_FILE
-echo "myCONF_SSH_PUBKEY_FILE=\"/root/installer/keys/authorized_keys\"" >> $myCONF_FILE
+echo "myCONF_SSH_PUBKEY_FILE=\'/root/installer/keys/authorized_keys\'" >> $myCONF_FILE
-echo "myCONF_PFX_USE=\"$myCONF_PFX_USE\"" >> $myCONF_FILE
+echo "myCONF_PFX_USE=\'$myCONF_PFX_USE\'" >> $myCONF_FILE
-echo "myCONF_PFX_FILE=\"/root/installer/keys/8021x.pfx\"" >> $myCONF_FILE
+echo "myCONF_PFX_FILE=\'/root/installer/keys/8021x.pfx\'" >> $myCONF_FILE
-echo "myCONF_PFX_PW_USE=\"$myCONF_PFX_PW_USE\"" >> $myCONF_FILE
+echo "myCONF_PFX_PW_USE=\'$myCONF_PFX_PW_USE\'" >> $myCONF_FILE
-echo "myCONF_PFX_PW=\"$myCONF_PFX_PW\"" >> $myCONF_FILE
+echo "myCONF_PFX_PW=\'$myCONF_PFX_PW\'" >> $myCONF_FILE
-echo "myCONF_PFX_HOST_ID=\"$myCONF_PFX_HOST_ID\"" >> $myCONF_FILE
+echo "myCONF_PFX_HOST_ID=\'$myCONF_PFX_HOST_ID\'" >> $myCONF_FILE
-echo "myCONF_NTP_USE=\"$myCONF_NTP_USE\"" >> $myCONF_FILE
+echo "myCONF_NTP_USE=\'$myCONF_NTP_USE\'" >> $myCONF_FILE
-echo "myCONF_NTP_IP=\"$myCONF_NTP_IP\"" >> $myCONF_FILE
+echo "myCONF_NTP_IP=\'$myCONF_NTP_IP\'" >> $myCONF_FILE
-echo "myCONF_NTP_CONF_FILE=\"/root/installer/ntp.conf\"" >> $myCONF_FILE
+echo "myCONF_NTP_CONF_FILE=\'/root/installer/ntp.conf\'" >> $myCONF_FILE
 
 # Let's download Ubuntu Minimal ISO
 if [ ! -f $myUBUNTUISO ]