From bbb708b988ed20fff3aa8c926c4c5ce1a7797060 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Sat, 6 Aug 2016 22:06:31 +0000
Subject: [PATCH] tweaking, bugfixes

---
 installer/bin/clean.sh | 0
 installer/bin/dps.sh | 2 +
 installer/etc/nginx/tpotweb | 116 ----------------------
 installer/etc/nginx/tpotweb.conf | 156 +++++++++++++++++++++++++++++++
 installer/install.sh | 6 +-
 5 files changed, 162 insertions(+), 118 deletions(-)
 mode change 100644 => 100755 installer/bin/clean.sh
 create mode 100755 installer/bin/dps.sh
 delete mode 100644 installer/etc/nginx/tpotweb
 create mode 100644 installer/etc/nginx/tpotweb.conf

diff --git a/installer/bin/clean.sh b/installer/bin/clean.sh
old mode 100644
new mode 100755
diff --git a/installer/bin/dps.sh b/installer/bin/dps.sh
new file mode 100755
index 00000000..8033318b
--- /dev/null
+++ b/installer/bin/dps.sh
@@ -0,0 +1,2 @@
+#/bin/bash
+docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' egrep --color=always "(^[_a-z]+ |$)|$" | GREP_COLORS='mt=01;32' egrep --color=always "(Up[ 0-9a-Z]+ |$)|$" | GREP_COLORS='mt=01;31' egrep --color=always "(Exited[ \(0-9\)]+ [0-9a-Z ]+ ago|$)|$"
diff --git a/installer/etc/nginx/tpotweb b/installer/etc/nginx/tpotweb
deleted file mode 100644
index 1a241096..00000000
--- a/installer/etc/nginx/tpotweb
+++ /dev/null
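Review bot: The first line of dps.sh, `#/bin/bash`, is a plain comment rather than a shebang, so the file is not run by bash when executed directly but by whatever fallback the invoking shell uses (typically /bin/sh); it should read `#!/bin/bash`. The bracket ranges `[0-9a-Z]` on the second line are also suspect: `a-Z` is a reversed range that egrep rejects with "Invalid range end" in the C locale and whose meaning elsewhere depends on collation order, so `[0-9A-Za-z]` states the intent unambiguously. `egrep` is a deprecated alias and `grep -E` is the portable spelling.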
@@ -1,116 +0,0 @@
-server {
- listen 64297 ssl;
-
- server_name example.com;
- server_tokens off;
-
- ssl_certificate /etc/nginx/ssl/nginx.crt;
- ssl_certificate_key /etc/nginx/ssl/nginx.key;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
-
-# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
-
- satisfy any;
-
- allow 127.0.0.1;
- allow ::1;
- deny all;
-
- auth_basic "closed site";
- auth_basic_user_file /etc/nginx/nginxpasswd;
-
-#proxy_buffering on;
-#proxy_buffer_size 8k;
-#proxy_buffers 48 8k;
-#proxy_busy_buffers_size 8k;
-#proxy_max_temp_file_size 4096m;
-#proxy_temp_file_write_size 64k;
-
-#gzip on;
-#gzip_disable "msie6";
-
-#gzip_vary on;
-#gzip_proxied any;
-#gzip_comp_level 6;
-#gzip_buffers 16 8k;
-#gzip_http_version 1.1;
-#gzip_min_length 256;
-#gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
-
-
-location /kibana/ {
- proxy_pass http://localhost:64296;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- rewrite /kibana/(.*)$ /$1 break;
- }
-
-location /myhead/ {
- proxy_pass http://localhost:64298/;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- rewrite /myhead/(.*)$ /$1 break;
- }
-
-location /ui/ {
- proxy_pass http://localhost:64299;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- rewrite /ui/(.*)$ /$1 break;
- }
-
-location /at/ {
- proxy_pass http://localhost:8022;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- rewrite /at/(.*)$ /$1 break;
- }
-
-
-#location /webmin/ {
-# proxy_pass https://localhost:64300;
-# proxy_redirect https://$host:$server_port/ https://$host:$server_port/webmin/;
-# proxy_http_version 1.1;
-# proxy_set_header Upgrade $http_upgrade;
-# proxy_set_header Connection "upgrade";
-# proxy_set_header Host $http_host;
-# rewrite /webmin/(.*)$ /$1 break;
-# }
-
-location /wetty {
- proxy_pass http://127.0.0.1:64300/wetty;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_read_timeout 43200000;
-
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_set_header X-NginX-Proxy true;
-}
-
-location /netdata/ {
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://localhost:64301;
- proxy_http_version 1.1;
- proxy_pass_request_headers on;
- proxy_set_header Connection "keep-alive";
- proxy_store off;
- rewrite /netdata/(.*)$ /$1 break;
- }
-
-}
diff --git a/installer/etc/nginx/tpotweb.conf b/installer/etc/nginx/tpotweb.conf
new file mode 100644
index 00000000..95a79ae0
--- /dev/null
+++ b/installer/etc/nginx/tpotweb.conf
@@ -0,0 +1,156 @@
+############################################
+### NGINX T-Pot configuration file by mo ###
+############################################
+
+###################################
+### Allow for 60 reloads per minute
+###################################
+limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s;
+
+server {
+
+ #########################
+ ### Basic server settings
+ #########################
+ listen 64297 ssl http2;
+ ssl_protocols TLSv1.2;
+ server_name example.com;
+ error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html;
+
+
+ ##############################################
+ ### Remove version number add different header
+ ##############################################
+ server_tokens off;
+ more_set_headers 'Server: apache';
+
+
+ ##############################################
+ ### SSL settings and Cipher Suites
+ ##############################################
+ ssl_certificate /etc/nginx/ssl/nginx.crt;
+ ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256';
+ ssl_ecdh_curve secp384r1;
+ ssl_dhparam /etc/nginx/ssl/dhparam4096.pem;
+
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+
+ ####################################
+ ### OWASP recommendations / settings
+ ####################################
+
+ ### Size Limits & Buffer Overflows
+ ### the size may be configured based on the needs.
+ client_body_buffer_size 100K;
+ client_header_buffer_size 1k;
+ client_max_body_size 100k;
+ large_client_header_buffers 2 1k;
+
+ ### Mitigate Slow HHTP DoS Attack
+ ### Timeouts definition ##
+ client_body_timeout 10;
+ client_header_timeout 10;
+ keepalive_timeout 5 5;
+ send_timeout 10;
+
+ ### X-Frame-Options is to prevent from clickJacking attack
+ add_header X-Frame-Options SAMEORIGIN;
+
+ ### disable content-type sniffing on some browsers.
+ add_header X-Content-Type-Options nosniff;
+
+ ### This header enables the Cross-site scripting (XSS) filter
+ add_header X-XSS-Protection "1; mode=block";
+
+ ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+
+
+ ##################################
+ ### Restrict access and basic auth
+ ##################################
+ satisfy any;
+
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+
+ auth_basic "closed site";
+ auth_basic_user_file /etc/nginx/nginxpasswd;
+
+
+ ##############################
+ ### Limit brute-force attempts
+ ##############################
+ location = / {
+ limit_req zone=base burst=1 nodelay;
+ }
+
+
+ #################
+ ### Proxied sites
+ #################
+
+ ### Kibana
+ location /kibana/ {
+ proxy_pass http://localhost:64296;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ rewrite /kibana/(.*)$ /$1 break;
+ }
+
+ ### Head plugin
+ location /myhead/ {
+ proxy_pass http://localhost:64298/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ rewrite /myhead/(.*)$ /$1 break;
+ }
+
+ ### ui-for-docker
+ location /ui {
+ proxy_pass http://localhost:64299;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "";
+ proxy_set_header Host $host;
+ proxy_redirect off;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ rewrite /ui/(.*)$ /$1 break;
+ }
+
+ ### web tty
+ location /wetty {
+ proxy_pass http://127.0.0.1:64300/wetty;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 43200000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-NginX-Proxy true;
+ }
+
+ ### netdata
+ location /netdata/ {
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:64301;
+ proxy_http_version 1.1;
+ proxy_pass_request_headers on;
+ proxy_set_header Connection "keep-alive";
+ proxy_store off;
+ rewrite /netdata/(.*)$ /$1 break;
+ }
+
+}
diff --git a/installer/install.sh b/installer/install.sh
index eb5e15b6..25bbbf7b 100755
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -168,8 +168,10 @@ apt-get autoremove -y
 # Installing alerta-cli, wetty
 fuECHO "### Installing alerta-cli."
+pip install --upgrade pip
 pip install alerta
 
 fuECHO "### Installing wetty."
+ln -s /usr/bin/nodejs /usr/bin/node
 npm install git://github.com/t3chn0m4g3/wetty -g
 
 # Let's install docker
@@ -353,7 +355,7 @@ cp /root/tpot/data/systemd/* /etc/systemd/system/
 cp -R /root/tpot/etc/issue /etc/
 cp -R /root/tpot/etc/nginx/ssl /etc/nginx/
 cp /root/tpot/etc/nginx/nginxpasswd /etc/nginx/
-cp /root/tpot/etc/nginx/tpotweb /etc/nginx/sites-available/
+cp /root/tpot/etc/nginx/tpotweb.conf /etc/nginx/sites-available/
 cp -R /root/tpot/home/* /home/tsec/
 cp /root/tpot/keys/authorized_keys /home/tsec/.ssh/authorized_keys
 cp /root/usr/share/nginx/html/* /usr/share/nginx/html/
@@ -365,7 +367,7 @@ done
 # Let's remove nginx default website and link t-pot website
 fuECHO "### Removing nginx default website and linking t-pot website."
 rm /etc/nginx/sites-enabled/default
-ln -s /etc/nginx/sites-available/tpotweb /etc/nginx/sites-enabled/
+ln -s /etc/nginx/sites-available/tpotweb.conf /etc/nginx/sites-enabled/tpotweb.conf
 
 # Let's take care of some files and permissions
 chmod 760 -R /data
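Review bot: The `limit_req zone=base burst=1 nodelay;` under "Limit brute-force attempts" is attached to `location = / {` only, which is an exact match for the path `/` and nothing else, so password guessing against `/kibana/`, `/myhead/`, `/ui`, `/wetty` and `/netdata/` — the locations that actually sit behind `auth_basic` — is not rate-limited at all. Moving the directive up to `server` scope (for example directly after `auth_basic_user_file`) lets every location inherit it; with `rate=1r/s` that will throttle Kibana's many per-page asset requests, so `burst` needs to be raised well above 1 or the limiter repeated per location with a suitable burst. `more_set_headers 'Server: apache';` also deserves a check: it belongs to the third-party headers-more module, not stock nginx, and nothing in the install.sh hunks of this patch installs it, so `nginx -t` will reject the file if the distro package lacks the module. Listing 301 and 302 in `error_page` additionally turns any redirect nginx generates itself into /error.html; upstream redirects are unaffected since `proxy_intercept_errors` is not enabled, so the impact is limited to non-proxied paths.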
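Review bot: `ln -s /usr/bin/nodejs /usr/bin/node` fails with "File exists" whenever `/usr/bin/node` is already present (a nodejs-legacy package, or a re-run of the installer), and because the script's error-handling mode is set outside this hunk that either aborts the install or is silently ignored; `ln -sfn /usr/bin/nodejs /usr/bin/node` makes the step idempotent. `pip install --upgrade pip` replaces the distribution-managed pip in place with whatever PyPI currently serves, which is unpinned and can drift from what apt expects; pinning the version, or installing alerta into a virtualenv, keeps the installer reproducible. The adjacent `npm install git://github.com/...` line is untouched by this commit but fetches over unauthenticated, unencrypted git://, and switching it to https:// would be a cheap supply-chain improvement to fold into the same change.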