Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-04-28 11:18:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

tweaking, bugfixes

Browse source
This commit is contained in:
t3chn0m4g3 2016-08-06 22:06:31 +00:00
parent 62b349eab3
commit bbb708b988
5 changed files with 162 additions and 118 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
installer/bin/clean.sh Normal file → Executable file
View file

2
installer/bin/dps.sh Executable file
View file

@ -0,0 +1,2 @@
#/bin/bash
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' egrep --color=always "(^[_a-z]+ |$)|$" | GREP_COLORS='mt=01;32' egrep --color=always "(Up[ 0-9a-Z]+ |$)|$" | GREP_COLORS='mt=01;31' egrep --color=always "(Exited[ \(0-9\)]+ [0-9a-Z ]+ ago|$)|$"

116
installer/etc/nginx/tpotweb
View file

@ -1,116 +0,0 @@
server {
listen 64297 ssl;
server_name example.com;
server_tokens off;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
satisfy any;
allow 127.0.0.1;
allow ::1;
deny all;
auth_basic "closed site";
auth_basic_user_file /etc/nginx/nginxpasswd;
#proxy_buffering on;
#proxy_buffer_size 8k;
#proxy_buffers 48 8k;
#proxy_busy_buffers_size 8k;
#proxy_max_temp_file_size 4096m;
#proxy_temp_file_write_size 64k;
#gzip on;
#gzip_disable "msie6";
#gzip_vary on;
#gzip_proxied any;
#gzip_comp_level 6;
#gzip_buffers 16 8k;
#gzip_http_version 1.1;
#gzip_min_length 256;
#gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
location /kibana/ {
proxy_pass http://localhost:64296;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
rewrite /kibana/(.*)$ /$1 break;
}
location /myhead/ {
proxy_pass http://localhost:64298/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
rewrite /myhead/(.*)$ /$1 break;
}
location /ui/ {
proxy_pass http://localhost:64299;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
rewrite /ui/(.*)$ /$1 break;
}
location /at/ {
proxy_pass http://localhost:8022;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
rewrite /at/(.*)$ /$1 break;
}
#location /webmin/ {
# proxy_pass https://localhost:64300;
# proxy_redirect https://$host:$server_port/ https://$host:$server_port/webmin/;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $http_host;
# rewrite /webmin/(.*)$ /$1 break;
# }
location /wetty {
proxy_pass http://127.0.0.1:64300/wetty;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 43200000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
}
location /netdata/ {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:64301;
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_store off;
rewrite /netdata/(.*)$ /$1 break;
}
}

156
installer/etc/nginx/tpotweb.conf Normal file
View file

@ -0,0 +1,156 @@
############################################
### NGINX T-Pot configuration file by mo ###
############################################
###################################
### Allow for 60 reloads per minute
###################################
limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s;
server {
#########################
### Basic server settings
#########################
listen 64297 ssl http2;
ssl_protocols TLSv1.2;
server_name example.com;
error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
##############################################
### Remove version number add different header
##############################################
server_tokens off;
more_set_headers 'Server: apache';
##############################################
### SSL settings and Cipher Suites
##############################################
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
####################################
### OWASP recommendations / settings
####################################
### Size Limits & Buffer Overflows
### the size may be configured based on the needs.
client_body_buffer_size 100K;
client_header_buffer_size 1k;
client_max_body_size 100k;
large_client_header_buffers 2 1k;
### Mitigate Slow HHTP DoS Attack
### Timeouts definition ##
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
### X-Frame-Options is to prevent from clickJacking attack
add_header X-Frame-Options SAMEORIGIN;
### disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;
### This header enables the Cross-site scripting (XSS) filter
add_header X-XSS-Protection "1; mode=block";
### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
##################################
### Restrict access and basic auth
##################################
satisfy any;
allow 127.0.0.1;
allow ::1;
deny all;
auth_basic "closed site";
auth_basic_user_file /etc/nginx/nginxpasswd;
##############################
### Limit brute-force attempts
##############################
location = / {
limit_req zone=base burst=1 nodelay;
}
#################
### Proxied sites
#################
### Kibana
location /kibana/ {
proxy_pass http://localhost:64296;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
rewrite /kibana/(.*)$ /$1 break;
}
### Head plugin
location /myhead/ {
proxy_pass http://localhost:64298/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
rewrite /myhead/(.*)$ /$1 break;
}
### ui-for-docker
location /ui {
proxy_pass http://localhost:64299;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
rewrite /ui/(.*)$ /$1 break;
}
### web tty
location /wetty {
proxy_pass http://127.0.0.1:64300/wetty;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 43200000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
}
### netdata
location /netdata/ {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:64301;
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_store off;
rewrite /netdata/(.*)$ /$1 break;
}
}

6
installer/install.sh
View file

@ -168,8 +168,10 @@ apt-get autoremove -y
# Installing alerta-cli, wetty
fuECHO "### Installing alerta-cli."
pip install --upgrade pip
pip install alerta
fuECHO "### Installing wetty."
ln -s /usr/bin/nodejs /usr/bin/node
npm install git://github.com/t3chn0m4g3/wetty -g
# Let's install docker
@ -353,7 +355,7 @@ cp /root/tpot/data/systemd/* /etc/systemd/system/
cp -R /root/tpot/etc/issue /etc/
cp -R /root/tpot/etc/nginx/ssl /etc/nginx/
cp /root/tpot/etc/nginx/nginxpasswd /etc/nginx/
cp /root/tpot/etc/nginx/tpotweb /etc/nginx/sites-available/
cp /root/tpot/etc/nginx/tpotweb.conf /etc/nginx/sites-available/
cp -R /root/tpot/home/* /home/tsec/
cp /root/tpot/keys/authorized_keys /home/tsec/.ssh/authorized_keys
cp /root/usr/share/nginx/html/* /usr/share/nginx/html/
@ -365,7 +367,7 @@ done
# Let's remove nginx default website and link t-pot website
fuECHO "### Removing nginx default website and linking t-pot website."
rm /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/tpotweb /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/tpotweb.conf /etc/nginx/sites-enabled/tpotweb.conf
# Let's take care of some files and permissions
chmod 760 -R /data