Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-01 12:32:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge pull request #223 from dtag-dev-sec/installer

Browse source 
Installer and lots of tweaking
This commit is contained in:
Marco Ochse 2018-06-23 23:42:15 +02:00 committed by GitHub
commit cad11c40a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 584 additions and 552 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bin/updateip.sh
View file

@ -12,6 +12,7 @@ mySSHUSER=$(cat /etc/passwd | grep 1000 | cut -d ':' -f1)
sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
sed -i "s#ADMIN:.*#ADMIN: https://$myLOCALIP:64294#" /etc/issue
tee /data/ews/conf/ews.ip << EOF tee /data/ews/conf/ews.ip << EOF
[MAIN] [MAIN]
ip = $myEXTIP ip = $myEXTIP
@ -21,8 +22,5 @@ MY_EXTIP=$myEXTIP
MY_INTIP=$myLOCALIP MY_INTIP=$myLOCALIP
MY_HOSTNAME=$HOSTNAME MY_HOSTNAME=$HOSTNAME
EOF EOF
tee /opt/tpot/etc/compose/wetty_environment << EOF
MY_SSHUSER=$mySSHUSER
EOF
chown tpot:tpot /data/ews/conf/ews.ip chown tpot:tpot /data/ews/conf/ews.ip
chmod 760 /data/ews/conf/ews.ip chmod 760 /data/ews/conf/ews.ip

41
docker/nginx/dist/conf/tpotweb.conf vendored
View file

@ -2,11 +2,6 @@
### NGINX T-Pot configuration file by mo ### ### NGINX T-Pot configuration file by mo ###
############################################ ############################################
###################################
### Allow for 60 reloads per minute
###################################
limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s;
server { server {
######################### #########################
@ -39,16 +34,16 @@ server {
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
#################################### ####################################
### OWASP recommendations / settings ### OWASP recommendations / settings
#################################### ####################################
### Size Limits & Buffer Overflows ### Size Limits & Buffer Overflows
### the size may be configured based on the needs. ### the size may be configured based on the needs.
client_body_buffer_size 100K; client_body_buffer_size 128k;
client_header_buffer_size 1k; client_header_buffer_size 1k;
client_max_body_size 100k; client_max_body_size 256k;
large_client_header_buffers 2 1k; large_client_header_buffers 2 1k;
### Mitigate Slow HHTP DoS Attack ### Mitigate Slow HHTP DoS Attack
@ -89,14 +84,6 @@ server {
auth_basic_user_file /etc/nginx/nginxpasswd; auth_basic_user_file /etc/nginx/nginxpasswd;
##############################
### Limit brute-force attempts
##############################
location = / {
limit_req zone=base burst=1 nodelay;
}
################# #################
### Proxied sites ### Proxied sites
################# #################
@ -119,27 +106,6 @@ server {
rewrite /myhead/(.*)$ /$1 break; rewrite /myhead/(.*)$ /$1 break;
} }
### portainer
location /ui {
proxy_pass http://127.0.0.1:64299;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header Host $host;
proxy_redirect off;
rewrite /ui/(.*)$ /$1 break;
}
### web tty
location /wetty {
proxy_pass http://127.0.0.1:64300/wetty;
}
### netdata
location /netdata/ {
proxy_pass http://localhost:64301;
rewrite /netdata/(.*)$ /$1 break;
}
### spiderfoot ### spiderfoot
location /spiderfoot { location /spiderfoot {
proxy_pass http://127.0.0.1:64303; proxy_pass http://127.0.0.1:64303;
@ -156,4 +122,5 @@ server {
location /scandelete { location /scandelete {
proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete; proxy_pass http://127.0.0.1:64303/spiderfoot/scandelete;
} }
} }

9
docker/nginx/dist/html/navbar.html vendored
View file

@ -10,12 +10,13 @@
<body bgcolor="#E20074"> <body bgcolor="#E20074">
<center> <center>
<a href="/tpotweb.html" target="_top" class="btn">Home</a> <a href="/tpotweb.html" target="_top" class="btn">Home</a>
<a href="/kibana" target="main" class="btn">Kibana</a> <script language="JavaScript">
document.write('<a href="' + window.location.protocol + '//' + window.location.hostname + ':64294' + '" target="_blank" class="btn">Cockpit</a> ' );
</script>
<a href="/myhead/" target="main" class="btn">ES Head</a> <a href="/myhead/" target="main" class="btn">ES Head</a>
<a href="/netdata/" target="_blank" class="btn">Netdata</a> <a href="/kibana" target="main" class="btn">Kibana</a>
<a href="/spiderfoot/" target="main" class="btn">Spiderfoot</a> <a href="/spiderfoot/" target="main" class="btn">Spiderfoot</a>
<a href="/ui/" target="main" class="btn">Portainer</a>
<a href="/wetty/" target="main" class="btn">WebTTY</a>
</center> </center>
</body> </body>
</html> </html>

46
etc/compose/collector.yml
View file

@ -171,26 +171,6 @@ services:
- /data:/data - /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Netdata service
netdata:
container_name: netdata
restart: always
network_mode: "host"
depends_on:
elasticsearch:
condition: service_healthy
cap_add:
- SYS_PTRACE
security_opt:
- apparmor=unconfined
ports:
- "64301:64301"
image: "dtagdevsec/netdata:1804"
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
# Nginx service # Nginx service
nginx: nginx:
container_name: nginx container_name: nginx
@ -212,20 +192,6 @@ services:
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/ - /data/nginx/log/:/var/log/nginx/
# Portainer service
portainer:
container_name: portainer
command: -H unix:///var/run/docker.sock --no-auth
restart: always
networks:
- portainer_local
ports:
- "127.0.0.1:64299:9000"
image: "dtagdevsec/portainer:1804"
read_only: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# Spiderfoot service # Spiderfoot service
spiderfoot: spiderfoot:
container_name: spiderfoot container_name: spiderfoot
@ -238,15 +204,3 @@ services:
volumes: volumes:
- /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
# Wetty service
wetty:
container_name: wetty
restart: always
stop_signal: SIGKILL
network_mode: "host"
env_file:
- /opt/tpot/etc/compose/wetty_environment
tmpfs:
- /home/wetty/.ssh/:uid=2000,gid=2000
image: "dtagdevsec/wetty:1804"
read_only: true

46
etc/compose/experimental.yml
View file

@ -505,26 +505,6 @@ services:
- /data:/data - /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Netdata service
netdata:
container_name: netdata
restart: always
network_mode: "host"
depends_on:
elasticsearch:
condition: service_healthy
cap_add:
- SYS_PTRACE
security_opt:
- apparmor=unconfined
ports:
- "64301:64301"
image: "dtagdevsec/netdata:1804"
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
# Nginx service # Nginx service
nginx: nginx:
container_name: nginx container_name: nginx
@ -546,20 +526,6 @@ services:
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/ - /data/nginx/log/:/var/log/nginx/
# Portainer service
portainer:
container_name: portainer
command: -H unix:///var/run/docker.sock --no-auth
restart: always
networks:
- portainer_local
ports:
- "127.0.0.1:64299:9000"
image: "dtagdevsec/portainer:1804"
read_only: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# Spiderfoot service # Spiderfoot service
spiderfoot: spiderfoot:
container_name: spiderfoot container_name: spiderfoot
@ -572,15 +538,3 @@ services:
volumes: volumes:
- /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
# Wetty service
wetty:
container_name: wetty
restart: always
stop_signal: SIGKILL
network_mode: "host"
env_file:
- /opt/tpot/etc/compose/wetty_environment
tmpfs:
- /home/wetty/.ssh/:uid=2000,gid=2000
image: "dtagdevsec/wetty:1804"
read_only: true

47
etc/compose/industrial.yml
View file

@ -324,26 +324,6 @@ services:
- /data:/data - /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Netdata service
netdata:
container_name: netdata
restart: always
network_mode: "host"
depends_on:
elasticsearch:
condition: service_healthy
cap_add:
- SYS_PTRACE
security_opt:
- apparmor=unconfined
ports:
- "64301:64301"
image: "dtagdevsec/netdata:1804"
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
# Nginx service # Nginx service
nginx: nginx:
container_name: nginx container_name: nginx
@ -365,20 +345,6 @@ services:
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/ - /data/nginx/log/:/var/log/nginx/
# Portainer service
portainer:
container_name: portainer
command: -H unix:///var/run/docker.sock --no-auth
restart: always
networks:
- portainer_local
ports:
- "127.0.0.1:64299:9000"
image: "dtagdevsec/portainer:1804"
read_only: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# Spiderfoot service # Spiderfoot service
spiderfoot: spiderfoot:
container_name: spiderfoot container_name: spiderfoot
@ -390,16 +356,3 @@ services:
image: "dtagdevsec/spiderfoot:1804" image: "dtagdevsec/spiderfoot:1804"
volumes: volumes:
- /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
# Wetty service
wetty:
container_name: wetty
restart: always
stop_signal: SIGKILL
network_mode: "host"
env_file:
- /opt/tpot/etc/compose/wetty_environment
tmpfs:
- /home/wetty/.ssh/:uid=2000,gid=2000
image: "dtagdevsec/wetty:1804"
read_only: true

46
etc/compose/legacy.yml
View file

@ -290,26 +290,6 @@ services:
- /data:/data - /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Netdata service
netdata:
container_name: netdata
restart: always
network_mode: "host"
depends_on:
elasticsearch:
condition: service_healthy
cap_add:
- SYS_PTRACE
security_opt:
- apparmor=unconfined
ports:
- "64301:64301"
image: "dtagdevsec/netdata:1804"
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
# Nginx service # Nginx service
nginx: nginx:
container_name: nginx container_name: nginx
@ -331,20 +311,6 @@ services:
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/ - /data/nginx/log/:/var/log/nginx/
# Portainer service
portainer:
container_name: portainer
command: -H unix:///var/run/docker.sock --no-auth
restart: always
networks:
- portainer_local
ports:
- "127.0.0.1:64299:9000"
image: "dtagdevsec/portainer:1804"
read_only: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# Spiderfoot service # Spiderfoot service
spiderfoot: spiderfoot:
container_name: spiderfoot container_name: spiderfoot
@ -357,15 +323,3 @@ services:
volumes: volumes:
- /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
# Wetty service
wetty:
container_name: wetty
restart: always
stop_signal: SIGKILL
network_mode: "host"
env_file:
- /opt/tpot/etc/compose/wetty_environment
tmpfs:
- /home/wetty/.ssh/:uid=2000,gid=2000
image: "dtagdevsec/wetty:1804"
read_only: true

47
etc/compose/standard.yml
View file

@ -16,7 +16,6 @@ networks:
vnclowpot_local: vnclowpot_local:
ewsposter_local: ewsposter_local:
spiderfoot_local: spiderfoot_local:
portainer_local:
services: services:
@ -505,26 +504,6 @@ services:
- /data:/data - /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Netdata service
netdata:
container_name: netdata
restart: always
network_mode: "host"
depends_on:
elasticsearch:
condition: service_healthy
cap_add:
- SYS_PTRACE
security_opt:
- apparmor=unconfined
ports:
- "64301:64301"
image: "dtagdevsec/netdata:1804"
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
# Nginx service # Nginx service
nginx: nginx:
container_name: nginx container_name: nginx
@ -546,20 +525,6 @@ services:
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/ - /data/nginx/log/:/var/log/nginx/
# Portainer service
portainer:
container_name: portainer
command: -H unix:///var/run/docker.sock --no-auth
restart: always
networks:
- portainer_local
ports:
- "127.0.0.1:64299:9000"
image: "dtagdevsec/portainer:1804"
read_only: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# Spiderfoot service # Spiderfoot service
spiderfoot: spiderfoot:
container_name: spiderfoot container_name: spiderfoot
@ -572,15 +537,3 @@ services:
volumes: volumes:
- /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db
# Wetty service
wetty:
container_name: wetty
restart: always
stop_signal: SIGKILL
network_mode: "host"
env_file:
- /opt/tpot/etc/compose/wetty_environment
tmpfs:
- /home/wetty/.ssh/:uid=2000,gid=2000
image: "dtagdevsec/wetty:1804"
read_only: true

17
host/etc/issue
View file

@ -1,12 +1,12 @@
 
┌─────────────────────────────────────────────────── ┌────────────────────────────────────────────────┐
│ _____ ____ _ _ ___ ___ _ _ │ │ _____ ____ _ _ ___ _ ___ │
│|_ _| | _ \\ ___ | |_ / |( _ ) / _ \\| || | │ │|_ _| | _ \\ ___ | |_ / |( _ ) / |/ _ \\ │
│ | |_____| |_) / _ \\| __| | |/ _ \\| | | | || |_  │ | |_____| |_) / _ \\| __| | |/ _ \\ | | | | |│
│ | |_____| __/ (_) | |_ | | (_) | |_| |__ _|│ │ | |_____| __/ (_) | |_ | | (_) || | |_| |│
│ |_| |_| \\___/ \\__| |_|\\___(_)___/ |_| │ │ |_| |_| \\___/ \\__| |_|\\___(_)_|\\___/ │
│ │ │ │
└─────────────────────────────────────────────────── └────────────────────────────────────────────────┘
,---- [ \n ] [ \d ] [ \t ] ,---- [ \n ] [ \d ] [ \t ]
@ -14,6 +14,7 @@
| IP: | IP:
| SSH: | SSH:
| WEB: | WEB:
| ADMIN:
| |
`---- `----

661
iso/installer/install.sh
View file

@ -1,23 +1,219 @@
#!/bin/bash #!/bin/bash
# T-Pot post install script # T-Pot Universal Installer
##################################
# Extract command line arguments #
##################################
myLSB=$(lsb_release -r | awk '{ print $2 }')
myLSB_SUPPORTED="18.04"
myINFO="\
############################################
### T-Pot Installer for Ubuntu $myLSB_SUPPORTED LTS ###
############################################
Disclaimer:
This script will install T-Pot on this system, by running the script you know what you are doing:
1. SSH will be reconfigured to tcp/64295
2. Some packages will be installed, some will be upgraded
3. Please ensure other means of access to this system in case something goes wrong.
4. At best this script well be executed on the console instead through a SSH session.
###########################################
Usage:
$0 --help - Help.
Example:
$0 --type=user - Best option for most users."
if [ "$myLSB" != "$myLSB_SUPPORTED" ];
then
echo "Aborting. Ubuntu $myLSB is not supported."
exit
fi
if [ "$1" == "" ];
then
echo "$myINFO"
exit
fi
for i in "$@"
do
case $i in
--conf=*)
myTPOT_CONF_FILE="${i#*=}"
shift
;;
--type=user)
myTPOT_DEPLOYMENT_TYPE="${i#*=}"
shift
;;
--type=auto)
myTPOT_DEPLOYMENT_TYPE="${i#*=}"
shift
;;
--type=iso)
myTPOT_DEPLOYMENT_TYPE="${i#*=}"
shift
;;
--help)
echo "Usage: $0 <options>"
echo
echo "--conf=<Path to \"tpot.conf\">"
echo " Use this if you want to automatically deploy a T-Pot instance (--type=auto implied)."
echo " A configuration example is available in \"tpotce/iso/installer/tpot.conf.dist\"."
echo
echo "--type=<[user, auto, iso]>"
echo " user, use this if you want to manually install a T-Pot on a Ubuntu 18.04 LTS machine."
echo " auto, implied if a configuration file is passed as an argument for automatic deployment."
echo " iso, use this if you are a T-Pot developer and want to install a T-Pot from a pre-compiled iso."
echo
exit
;;
*)
echo "$myINFO"
exit
;;
esac
done
###################################################
# Validate command line arguments and load config #
###################################################
# If a valid config file exists, set deployment type to "auto" and load the configuration
if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ] && [ "$myTPOT_CONF_FILE" == "" ];
then
echo "Aborting. No configuration file given."
exit
fi
if [ -s "$myTPOT_CONF_FILE" ] && [ "$myTPOT_CONF_FILE" != "" ];
then
myTPOT_DEPLOYMENT_TYPE="auto"
if [ "$(head -n 1 $myTPOT_CONF_FILE | grep -c "# tpot")" == "1" ];
then
source "$myTPOT_CONF_FILE"
echo "$myCONF_PROXY_IP"
else
echo "Aborting. Config file \"$myTPOT_CONF_FILE\" not a T-Pot configuration file."
exit
fi
elif ! [ -s "$myTPOT_CONF_FILE" ] && [ "$myTPOT_CONF_FILE" != "" ];
then
echo "Aborting. Config file \"$myTPOT_CONF_FILE\" not found."
exit
fi
#######################
# Prepare environment #
#######################
# Got root?
function fuGOT_ROOT {
echo
echo -n "### Checking for root: "
if [ "$(whoami)" != "root" ];
then
echo "[ NOT OK ]"
echo "### Please run as root."
echo "### Example: sudo $0"
exit
else
echo "[ OK ]"
fi
}
# Let's check if all dependencies are met
function fuGET_DEPS {
local myPACKAGES="apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl dialog dnsutils docker.io docker-compose dstat ethtool fail2ban genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man multitail net-tools npm ntp openssh-server openssl pass prips syslinux psmisc pv python-pip unattended-upgrades unzip vim wireless-tools wpasupplicant"
echo
echo "### Getting update information."
echo
apt-get -y update
echo
echo "### Upgrading packages."
echo
apt-get -y dist-upgrade
echo
echo "### Installing T-Pot dependencies."
echo
apt-get -y install $myPACKAGES
}
# Let's load dialog color theme
function fuDIALOG_SETUP {
echo
echo -n "### Checking for dialogrc: "
if [ -f "dialogrc" ];
then
echo "[ OK ]"
cp dialogrc /etc/
else
echo "[ NOT OK ]"
echo "### 'dialogrc' is missing. Please run 'install.sh' from within the setup folder."
fi
}
# Let's check for other services
function fuCHECK_PORTS {
if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
then
echo
echo "### Checking for active services."
echo
grc netstat -tulpen
echo
echo "### Please review your running services."
echo "### We will take care of SSH (22), but other services i.e. FTP (21), TELNET (23), SMTP (25), HTTP (80), HTTPS (443), etc."
echo "### might collide with T-Pot's honeypots and prevent T-Pot from starting successfully."
echo
while [ 1 != 2 ]
do
read -s -n 1 -p "Continue [y/n]? " mySELECT
echo
case "$mySELECT" in
[y,Y])
break
;;
[n,N])
exit
;;
esac
done
fi
}
# Prepare running the installer
echo "$myINFO" | head -n 3
fuGOT_ROOT
fuGET_DEPS
fuCHECK_PORTS
fuDIALOG_SETUP
#############
# Installer #
#############
# Set TERM, DIALOGRC # Set TERM, DIALOGRC
export TERM=linux export TERM=linux
export DIALOGRC=/etc/dialogrc export DIALOGRC=/etc/dialogrc
# Let's load dialog color theme #######################
cp /root/installer/dialogrc /etc/ # Global vars section #
#######################
# Some global vars
myPROXYFILEPATH="/root/installer/proxy"
myNTPCONFPATH="/root/installer/ntp"
myPFXPATH="/root/installer/keys/8021x.pfx"
myPFXPWPATH="/root/installer/keys/8021x.pw"
myPFXHOSTIDPATH="/root/installer/keys/8021x.id"
myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml"
myBACKTITLE="T-Pot-Installer" myBACKTITLE="T-Pot-Installer"
mySITES="https://index.docker.io https://github.com https://pypi.python.org https://ubuntu.com" myCONF_FILE="/root/installer/iso.conf"
myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80" myPROGRESSBOXCONF=" --backtitle "$myBACKTITLE" --progressbox 24 80"
mySITES="https://hub.docker.com https://github.com https://pypi.python.org https://ubuntu.com"
myTPOTCOMPOSE="/opt/tpot/etc/tpot.yml"
#####################
# Functions section #
#####################
fuRANDOMWORD () { fuRANDOMWORD () {
local myWORDFILE="$1" local myWORDFILE="$1"
@ -27,17 +223,35 @@ fuRANDOMWORD () {
echo -n $(sed -n "$myNUM p" $myWORDFILE | tr -d \' | tr A-Z a-z) echo -n $(sed -n "$myNUM p" $myWORDFILE | tr -d \' | tr A-Z a-z)
} }
# Let's wait a few seconds to avoid interference with service messages # If this is a ISO installation we need to wait a few seconds to avoid interference with service messages
sleep 3 if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ];
tput civis then
dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7 sleep 5
tput civis
dialog --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Wait to avoid interference with service messages ]" --pause "" 6 80 7
fi
# Let's setup the proxy for env # Let's load the iso config file if there is one
if [ -f $myPROXYFILEPATH ]; if [ -f $myCONF_FILE ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Found personalized iso.config ]" --msgbox "\nYour personalized settings will be applied!" 7 47
source $myCONF_FILE
else
# dialog logic considers 1=false, 0=true
myCONF_PROXY_USE="1"
myCONF_PFX_USE="1"
myCONF_NTP_USE="1"
fi
### <--- Begin proxy setup
# If a proxy is set in iso.conf it needs to be setup.
# However, none of the other installation types will automatically take care of a proxy.
# Please open a feature request if you think this is something worth considering.
if [ "$myCONF_PROXY_USE" == "0" ];
then then
dialog --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF <<EOF dialog --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF <<EOF
EOF EOF
myPROXY=$(cat $myPROXYFILEPATH) myPROXY="http://$myCONF_PROXY_IP:$myCONF_PROXY_PORT"
tee -a /etc/environment 2>&1>/dev/null <<EOF tee -a /etc/environment 2>&1>/dev/null <<EOF
export http_proxy=$myPROXY export http_proxy=$myPROXY
export https_proxy=$myPROXY export https_proxy=$myPROXY
@ -54,7 +268,6 @@ Acquire::https::Proxy "$myPROXY";
EOF EOF
# Let's add proxy settings to docker defaults # Let's add proxy settings to docker defaults
myPROXY=$(cat $myPROXYFILEPATH)
tee -a /etc/default/docker 2>&1>/dev/null <<EOF tee -a /etc/default/docker 2>&1>/dev/null <<EOF
http_proxy=$myPROXY http_proxy=$myPROXY
https_proxy=$myPROXY https_proxy=$myPROXY
@ -67,167 +280,210 @@ EOF
systemctl stop docker 2>&1 | dialog --title "[ Stop docker service ]" $myPROGRESSBOXCONF systemctl stop docker 2>&1 | dialog --title "[ Stop docker service ]" $myPROGRESSBOXCONF
systemctl start docker 2>&1 | dialog --title "[ Start docker service ]" $myPROGRESSBOXCONF systemctl start docker 2>&1 | dialog --title "[ Start docker service ]" $myPROGRESSBOXCONF
fi fi
### ---> End proxy setup
# Let's test the internet connection # Let's test the internet connection
mySITESCOUNT=$(echo $mySITES | wc -w) if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
j=0 then
for i in $mySITES; mySITESCOUNT=$(echo $mySITES | wc -w)
do j=0
dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ for i in $mySITES;
--gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <<EOF
EOF
curl --connect-timeout 5 -IsS $i 2>&1>/dev/null
if [ $? -ne 0 ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nInternet connection test failed. This might indicate some problems with your connection. You can continue, but the installation might fail." 10 50
if [ $? = 1 ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50
exit
else
break;
fi;
fi;
let j+=1
dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \
--gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <<EOF
EOF
done;
# Let's ask user for install flavor
# Install types are TPOT, HP, INDUSTRIAL, ALL
tput cnorm
myFLAVOR=$(dialog --no-cancel --backtitle "$myBACKTITLE" --title "[ Choose Your T-Pot NG Edition ]" --menu \
"\nRequired: 6GB RAM, 128GB SSD\nRecommended: 8GB RAM, 256GB SSD" 15 70 7 \
"STANDARD" "Honeypots, ELK, NSM & Tools" \
"SENSOR" "Just Honeypots, EWS Poster & NSM" \
"INDUSTRIAL" "Conpot, RDPY, Vnclowpot, ELK, NSM & Tools" \
"COLLECTOR" "Heralding, ELK, NSM & Tools" \
"EXPERIMENTAL" "Experimental (Glutton instead of Honeytrap)" \
"LEGACY" "Standard Edition from previous release" 3>&1 1>&2 2>&3 3>&-)
# Let's ask for a secure tsec password
myUSER="tsec"
myPASS1="pass1"
myPASS2="pass2"
mySECURE="0"
while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ]
do
while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ]
do do
myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \ dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \
--title "[ Enter password for console user (tsec) ]" \ --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <<EOF
--passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) EOF
done curl --connect-timeout 30 -IsS $i 2>&1>/dev/null
myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \ if [ $? -ne 0 ];
--title "[ Repeat password for console user (tsec) ]" \
--passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
if [ "$myPASS1" != "$myPASS2" ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \
--msgbox "\nPlease re-enter your password." 7 60
myPASS1="pass1"
myPASS2="pass2"
fi
mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK")
if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50
myOK=$?
if [ "$myOK" == "1" ];
then then
dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nInternet connection test failed. This might indicate some problems with your connection. You can continue, but the installation might fail." 10 50
if [ $? = 1 ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50
exit
else
break;
fi;
fi;
let j+=1
dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \
--gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) <<EOF
EOF
done;
fi
# Let's put cursor back in standard form
tput cnorm
####################
# User interaction #
####################
# Let's ask the user for install flavor
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
then
myCONF_TPOT_FLAVOR=$(dialog --no-cancel --backtitle "$myBACKTITLE" --title "[ Choose Your T-Pot NG Edition ]" --menu \
"\nRequired: 6GB RAM, 128GB SSD\nRecommended: 8GB RAM, 256GB SSD" 15 70 7 \
"STANDARD" "Honeypots, ELK, NSM & Tools" \
"SENSOR" "Just Honeypots, EWS Poster & NSM" \
"INDUSTRIAL" "Conpot, RDPY, Vnclowpot, ELK, NSM & Tools" \
"COLLECTOR" "Heralding, ELK, NSM & Tools" \
"EXPERIMENTAL" "Experimental (Glutton instead of Honeytrap)" \
"LEGACY" "Standard Edition from previous release" 3>&1 1>&2 2>&3 3>&-)
fi
# Let's ask for a username if installation type is user
if [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
then
while [ 1 != 2 ]
do
myCONF_TPOT_USER=$(dialog --backtitle "$myBACKTITLE" --title "[ Existing console user name ]" --inputbox "\nUsername (root is not allowed)" 9 50 "$(who am i | awk '{ print $1 }')" 3>&1 1>&2 2>&3 3>&-)
myCONF_TPOT_USER=$(echo $myCONF_TPOT_USER | tr -cd "[:alnum:]_.-")
dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_TPOT_USER" 7 50
myOK=$?
if [ "$myOK" = "0" ] && [ "$myCONF_TPOT_USER" != "root" ] && [ "$myCONF_TPOT_USER" != "" ] && [ "$(cat /etc/passwd | grep -wc $myCONF_TPOT_USER)" == "1" ];
then
break
fi
done
fi
# Let's ask for a secure tsec password if installation type is iso
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ];
then
myCONF_TPOT_USER="tsec"
myPASS1="pass1"
myPASS2="pass2"
mySECURE="0"
while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ]
do
while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ]
do
myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \
--title "[ Enter password for console user (tsec) ]" \
--passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
done
myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \
--title "[ Repeat password for console user (tsec) ]" \
--passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
if [ "$myPASS1" != "$myPASS2" ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \
--msgbox "\nPlease re-enter your password." 7 60
myPASS1="pass1" myPASS1="pass1"
myPASS2="pass2" myPASS2="pass2"
fi fi
fi mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK")
done if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ];
printf "%s" "$myUSER:$myPASS1" | chpasswd then
dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50
# Let's ask for a web username with secure password myOK=$?
myOK="1" if [ "$myOK" == "1" ];
myUSER="tsec" then
myPASS1="pass1" myPASS1="pass1"
myPASS2="pass2" myPASS2="pass2"
mySECURE="0" fi
while [ 1 != 2 ] fi
do
myUSER=$(dialog --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-)
myUSER=$(echo $myUSER | tr -cd "[:alnum:]_.-")
dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myUSER" 7 50
myOK=$?
if [ "$myOK" = "0" ] && [ "$myUSER" != "tsec" ] && [ "$myUSER" != "" ];
then
break
fi
done
while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ]
do
while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ]
do
myPASS1=$(dialog --insecure --backtitle "$myBACKTITLE" \
--title "[ Enter password for your web user ]" \
--passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
done done
myPASS2=$(dialog --insecure --backtitle "$myBACKTITLE" \ printf "%s" "$myCONF_TPOT_USER:$myPASS1" | chpasswd
fi
# Let's ask for a web user credentials if deployment type is iso or user
# In case of auto, credentials are created from config values
# Skip this step entirely if SENSOR flavor
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ];
then
myOK="1"
myCONF_WEB_USER="webuser"
myCONF_WEB_PW="pass1"
myCONF_WEB_PW2="pass2"
mySECURE="0"
while [ 1 != 2 ]
do
myCONF_WEB_USER=$(dialog --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-)
myCONF_WEB_USER=$(echo $myCONF_WEB_USER | tr -cd "[:alnum:]_.-")
dialog --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_WEB_USER" 7 50
myOK=$?
if [ "$myOK" = "0" ] && [ "$myCONF_WEB_USER" != "tsec" ] && [ "$myCONF_WEB_USER" != "" ];
then
break
fi
done
while [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ] && [ "$mySECURE" == "0" ]
do
while [ "$myCONF_WEB_PW" == "pass1" ] || [ "$myCONF_WEB_PW" == "" ]
do
myCONF_WEB_PW=$(dialog --insecure --backtitle "$myBACKTITLE" \
--title "[ Enter password for your web user ]" \
--passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
done
myCONF_WEB_PW2=$(dialog --insecure --backtitle "$myBACKTITLE" \
--title "[ Repeat password for your web user ]" \ --title "[ Repeat password for your web user ]" \
--passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-)
if [ "$myPASS1" != "$myPASS2" ]; if [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \
--msgbox "\nPlease re-enter your password." 7 60
myPASS1="pass1"
myPASS2="pass2"
fi
mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK")
if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ];
then
dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50
myOK=$?
if [ "$myOK" == "1" ];
then then
myPASS1="pass1" dialog --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \
myPASS2="pass2" --msgbox "\nPlease re-enter your password." 7 60
myCONF_WEB_PW="pass1"
myCONF_WEB_PW2="pass2"
fi fi
fi mySECURE=$(printf "%s" "$myCONF_WEB_PW" | cracklib-check | grep -c "OK")
done if [ "$mySECURE" == "0" ] && [ "$myCONF_WEB_PW" == "$myCONF_WEB_PW2" ];
mkdir -p /data/nginx/conf 2>&1 then
htpasswd -b -c /data/nginx/conf/nginxpasswd "$myUSER" "$myPASS1" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF; dialog --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50
myOK=$?
if [ "$myOK" == "1" ];
then
myCONF_WEB_PW="pass1"
myCONF_WEB_PW2="pass2"
fi
fi
done
fi
# If flavor is SENSOR do not write credentials
if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
then
mkdir -p /data/nginx/conf 2>&1
htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW" 2>&1 | dialog --title "[ Setting up user and password ]" $myPROGRESSBOXCONF;
fi
########################
# Installation section #
########################
# Put cursor in invisible mode
tput civis
# Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway) # Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway)
tput civis if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
mkdir -p /data/nginx/cert 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; then
openssl req \ mkdir -p /data/nginx/cert 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
-nodes \ openssl req \
-x509 \ -nodes \
-sha512 \ -x509 \
-newkey rsa:8192 \ -sha512 \
-keyout "/data/nginx/cert/nginx.key" \ -newkey rsa:8192 \
-out "/data/nginx/cert/nginx.crt" \ -keyout "/data/nginx/cert/nginx.key" \
-days 3650 \ -out "/data/nginx/cert/nginx.crt" \
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; -days 3650 \
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF;
fi
# Let's setup the ntp server # Let's setup the ntp server
if [ -f $myNTPCONFPATH ]; if [ "$myCONF_NTP_USE" == "0" ];
then then
dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF <<EOF dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF <<EOF
EOF EOF
cp $myNTPCONFPATH /etc/ntp.conf 2>&1 | dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF cp $myCONF_NTP_CONF_FILE /etc/ntp.conf 2>&1 | dialog --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF
fi fi
# Let's setup 802.1x networking # Let's setup 802.1x networking
if [ -f $myPFXPATH ]; if [ "myCONF_PFX_USE" == "0" ];
then then
dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF <<EOF dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF <<EOF
EOF EOF
cp $myPFXPATH /etc/wpa_supplicant/ 2>&1 | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF cp $myCONF_PFX_FILE /etc/wpa_supplicant/ 2>&1 | dialog --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF
if [ -f $myPFXPWPATH ]; tee -a /etc/network/interfaces 2>&1>/dev/null <<EOF
then
dialog --title "[ Setting up 802.1x password ]" $myPROGRESSBOXCONF <<EOF
EOF
myPFXPW=$(cat $myPFXPWPATH)
fi
myPFXHOSTID=$(cat $myPFXHOSTIDPATH)
tee -a /etc/network/interfaces 2>&1>/dev/null <<EOF
wpa-driver wired wpa-driver wired
wpa-conf /etc/wpa_supplicant/wired8021x.conf wpa-conf /etc/wpa_supplicant/wired8021x.conf
@ -243,7 +499,7 @@ tee -a /etc/network/interfaces 2>&1>/dev/null <<EOF
# wpa-conf /etc/wpa_supplicant/wireless8021x.conf # wpa-conf /etc/wpa_supplicant/wireless8021x.conf
EOF EOF
tee /etc/wpa_supplicant/wired8021x.conf 2>&1>/dev/null <<EOF tee /etc/wpa_supplicant/wired8021x.conf 2>&1>/dev/null <<EOF
ctrl_interface=/var/run/wpa_supplicant ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root ctrl_interface_group=root
eapol_version=1 eapol_version=1
@ -251,13 +507,13 @@ ap_scan=1
network={ network={
key_mgmt=IEEE8021X key_mgmt=IEEE8021X
eap=TLS eap=TLS
identity="host/$myPFXHOSTID" identity="host/$myCONF_PFX_HOST_ID"
private_key="/etc/wpa_supplicant/8021x.pfx" private_key="/etc/wpa_supplicant/8021x.pfx"
private_key_passwd="$myPFXPW" private_key_passwd="$myCONF_PFX_PW"
} }
EOF EOF
tee /etc/wpa_supplicant/wireless8021x.conf 2>&1>/dev/null <<EOF tee /etc/wpa_supplicant/wireless8021x.conf 2>&1>/dev/null <<EOF
ctrl_interface=/var/run/wpa_supplicant ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root ctrl_interface_group=root
eapol_version=1 eapol_version=1
@ -268,9 +524,9 @@ network={
pairwise=CCMP pairwise=CCMP
group=CCMP group=CCMP
eap=TLS eap=TLS
identity="host/$myPFXHOSTID" identity="host/$myCONF_PFX_HOST_ID"
private_key="/etc/wpa_supplicant/8021x.pfx" private_key="/etc/wpa_supplicant/8021x.pfx"
private_key_passwd="$myPFXPW" private_key_passwd="$myCONF_PFX_PW"
} }
EOF EOF
fi fi
@ -316,27 +572,22 @@ tee -a /etc/ssh/ssh_config 2>&1>/dev/null <<EOF
UseRoaming no UseRoaming no
EOF EOF
# Let's pull some updates # Installing ctop, elasticdump, tpot, yq
apt-get update -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ];
apt-get upgrade -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF then
npm install https://github.com/taskrabbit/elasticsearch-dump#9fcc8cc -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
# Let's clean up apt fi
apt-get autoclean -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF
apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOXCONF
# Installing ctop, elasticdump, tpot
pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF
hash -r 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF
pip install elasticsearch-curator==5.4.1 2>&1 | dialog --title "[ Installing elasticsearch-curator ]" $myPROGRESSBOXCONF pip install elasticsearch-curator==5.4.1 2>&1 | dialog --title "[ Installing elasticsearch-curator ]" $myPROGRESSBOXCONF
pip install yq==2.4.1 2>&1 | dialog --title "[ Installing yq ]" $myPROGRESSBOXCONF pip install yq==2.4.1 2>&1 | dialog --title "[ Installing yq ]" $myPROGRESSBOXCONF
npm install https://github.com/taskrabbit/elasticsearch-dump#9fcc8cc -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
mv ctop /usr/bin/ 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
chmod +x /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF chmod +x /usr/bin/ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
git clone https://github.com/dtag-dev-sec/tpotce -b 18.04 /opt/tpot 2>&1 | dialog --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF git clone https://github.com/dtag-dev-sec/tpotce -b 18.04 /opt/tpot 2>&1 | dialog --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF
# Let's add a new user # Let's create the T-Pot user
addgroup --gid 2000 tpot 2>&1 | dialog --title "[ Adding new user ]" $myPROGRESSBOXCONF addgroup --gid 2000 tpot 2>&1 | dialog --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF
adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --title "[ Adding new user ]" $myPROGRESSBOXCONF adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF
# Let's set the hostname # Let's set the hostname
a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt) a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt)
@ -345,18 +596,12 @@ myHOST=$a$n
hostnamectl set-hostname $myHOST 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF hostnamectl set-hostname $myHOST 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF
sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --title "[ Setting new hostname ]" $myPROGRESSBOXCONF
# Let's patch sshd_config # Let's patch cockpit.socket, sshd_config
sed -i 's#ListenStream=9090#ListeStream=64294#' /etc/systemd/system/sockets.target.wants/cockpit.socket 2>&1 | dialog --title "[ Cockpit listen on tcp/64294 ]" $myPROGRESSBOXCONF
sed -i 's#\#Port 22#Port 64295#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF sed -i 's#\#Port 22#Port 64295#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF
sed -i 's#\#PasswordAuthentication yes#PasswordAuthentication no#' /etc/ssh/sshd_config 2>&1 | dialog --title "[ SSH password authentication only from RFC1918 networks ]" $myPROGRESSBOXCONF
tee -a /etc/ssh/sshd_config 2>&1>/dev/null <<EOF
# Let's make sure only myCONF_TPOT_FLAVOR images will be downloaded and started
Match address 127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 case $myCONF_TPOT_FLAVOR in
PasswordAuthentication yes
EOF
# Let's make sure only myFLAVOR images will be downloaded and started
case $myFLAVOR in
STANDARD) STANDARD)
echo "### Preparing STANDARD flavor installation." echo "### Preparing STANDARD flavor installation."
cp /opt/tpot/etc/compose/standard.yml $myTPOTCOMPOSE 2>&1>/dev/null cp /opt/tpot/etc/compose/standard.yml $myTPOTCOMPOSE 2>&1>/dev/null
@ -422,6 +667,35 @@ net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1
EOF EOF
# Let's setup fail2ban config
dialog --title "[ Setup fail2ban config ]" $myPROGRESSBOXCONF <<EOF
EOF
tee /etc/fail2ban/jail.d/tpot.conf 2>&1>/dev/null <<EOF
[DEFAULT]
ignore-ip = 127.0.0.1/8
bantime = 3600
findtime = 600
maxretry = 5
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = 64297
logpath = /data/nginx/log/error.log
[pam-generic]
enabled = true
port = 64294
filter = pam-generic
logpath = /var/log/auth.log
[sshd]
enabled = true
port = 64295
filter = sshd
logpath = /var/log/auth.log
EOF
# Let's add some cronjobs # Let's add some cronjobs
dialog --title "[ Adding cronjobs ]" $myPROGRESSBOXCONF <<EOF dialog --title "[ Adding cronjobs ]" $myPROGRESSBOXCONF <<EOF
EOF EOF
@ -467,9 +741,8 @@ touch /data/spiderfoot/spiderfoot.db 2>&1 | dialog --title "[ Creating some file
# Let's copy some files # Let's copy some files
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF
cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF
cp /opt/tpot/host/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF cp /opt/tpot/host/etc/issue /etc/ 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF
cp /root/installer/keys/authorized_keys /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Copy configs ]" $myPROGRESSBOXCONF
systemctl enable tpot 2>&1 | dialog --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF systemctl enable tpot 2>&1 | dialog --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF
# Let's take care of some files and permissions # Let's take care of some files and permissions
@ -477,8 +750,6 @@ chmod 760 -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $m
chown tpot:tpot -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF chown tpot:tpot -R /data 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
chmod 644 -R /data/nginx/conf 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF chmod 644 -R /data/nginx/conf 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
chmod 644 -R /data/nginx/cert 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF chmod 644 -R /data/nginx/cert 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
chmod 600 /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
chown tsec:tsec /home/tsec/.ssh /home/tsec/.ssh/authorized_keys 2>&1 | dialog --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF
# Let's replace "quiet splash" options, set a console font for more screen canvas and update grub # Let's replace "quiet splash" options, set a console font for more screen canvas and update grub
sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub 2>&1>/dev/null sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub 2>&1>/dev/null
@ -505,6 +776,10 @@ EOF
# Let's create ews.ip before reboot and prevent race condition for first start # Let's create ews.ip before reboot and prevent race condition for first start
/opt/tpot/bin/updateip.sh 2>&1>/dev/null /opt/tpot/bin/updateip.sh 2>&1>/dev/null
# Let's clean up apt
apt-get autoclean -y 2>&1 | dialog --title "[ Cleaning up ]" $myPROGRESSBOXCONF
apt-get autoremove -y 2>&1 | dialog --title "[ Cleaning up ]" $myPROGRESSBOXCONF
# Final steps # Final steps
cp /opt/tpot/host/etc/rc.local /etc/rc.local 2>&1>/dev/null && \ cp /opt/tpot/host/etc/rc.local /etc/rc.local 2>&1>/dev/null && \
rm -rf /root/installer 2>&1>/dev/null && \ rm -rf /root/installer 2>&1>/dev/null && \

12
iso/installer/iso.conf.dist Normal file
View file

@ -0,0 +1,12 @@
# makeiso configuration file
myCONF_PROXY_USE='0'
myCONF_PROXY_IP='1.2.3.4'
myCONF_PROXY_PORT='3128'
myCONF_PFX_USE='0'
myCONF_PFX_FILE='/'
myCONF_PFX_PW_USE='0'
myCONF_PFX_PW='<SECRET>'
myCONF_PFX_HOST_ID='<HOSTNAME>.<DOMAIN>'
myCONF_NTP_USE='0'
myCONF_NTP_IP='1.2.3.4'
myCONF_NTP_CONF_FILE='/'

7
iso/installer/tpot.conf.dist Normal file
View file

@ -0,0 +1,7 @@
# tpot configuration file
# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, EXPERIMENTAL, LEGACY]
myCONF_TPOT_FLAVOR='STANDARD'
myCONF_TPOT_USER='tsec'
myCONF_TPOT_PW='$ecret123'
myCONF_WEB_USER='webuser'
myCONF_WEB_PW='w3b$ecret'

2
iso/preseed/tpot.seed
View file

@ -101,7 +101,7 @@ tasksel tasksel/first multiselect ubuntu-server
######################## ########################
### Package Installation ### Package Installation
######################## ########################
d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dnsutils docker.io docker-compose dstat ethtool genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man net-tools npm ntp openssh-server openssl pass prips syslinux psmisc pv python-pip unzip vim wireless-tools wpasupplicant d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl dialog dnsutils docker.io docker-compose dstat ethtool fail2ban genisoimage git glances grc html2text htop ifupdown iptables iw jq libcrack2 libltdl7 lm-sensors man multitail net-tools npm ntp openssh-server openssl pass prips syslinux psmisc pv python-pip unzip vim wireless-tools wpasupplicant
################# #################
### Update Policy ### Update Policy

151
makeiso.sh
View file

@ -1,8 +1,8 @@
#!/bin/bash #!/bin/bash
# Set TERM, DIALOGRC # Set TERM, DIALOGRC
export DIALOGRC=/etc/dialogrc
export TERM=linux export TERM=linux
export DIALOGRC=/etc/dialogrc
# Let's define some global vars # Let's define some global vars
myBACKTITLE="T-Pot - ISO Creator" myBACKTITLE="T-Pot - ISO Creator"
@ -14,14 +14,13 @@ myTPOTISO="tpot.iso"
myTPOTDIR="tpotiso" myTPOTDIR="tpotiso"
myTPOTSEED="iso/preseed/tpot.seed" myTPOTSEED="iso/preseed/tpot.seed"
myPACKAGES="dialog genisoimage syslinux syslinux-utils pv udisks2" myPACKAGES="dialog genisoimage syslinux syslinux-utils pv udisks2"
myAUTHKEYSPATH="iso/installer/keys/authorized_keys" myAUTHKEYSFILE="iso/installer/keys/authorized_keys"
myPFXPATH="iso/installer/keys/8021x.pfx" myPFXFILE="iso/installer/keys/8021x.pfx"
myPFXPWPATH="iso/installer/keys/8021x.pw"
myPFXHOSTIDPATH="iso/installer/keys/8021x.id"
myINSTALLERPATH="iso/installer/install.sh" myINSTALLERPATH="iso/installer/install.sh"
myPROXYCONFIG="iso/installer/proxy" myNTPCONFFILE="iso/installer/ntp.conf"
myNTPCONFPATH="iso/installer/ntp"
myTMP="tmp" myTMP="tmp"
myCONF_FILE="iso/installer/iso.conf"
myCONF_DEFAULT_FILE="iso/installer/iso.conf.dist"
# Got root? # Got root?
myWHOAMI=$(whoami) myWHOAMI=$(whoami)
@ -32,13 +31,32 @@ if [ "$myWHOAMI" != "root" ]
exit exit
fi fi
# Let's check if all dependencies are met
myINST=""
for myDEPS in $myPACKAGES;
do
myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
if [ "$myOK" != "ok" ]
then
myINST=$(echo $myINST $myDEPS)
fi
done
if [ "$myINST" != "" ]
then
apt-get update -y
for myDEPS in $myINST;
do
apt-get install $myDEPS -y
done
fi
# Let's load dialog color theme # Let's load dialog color theme
cp host/etc/dialogrc /etc/ cp host/etc/dialogrc /etc/
# Let's clean up at the end or if something goes wrong ... # Let's clean up at the end or if something goes wrong ...
function fuCLEANUP { function fuCLEANUP {
rm -rf $myTMP $myTPOTDIR $myPROXYCONFIG $myPFXPATH $myPFXPWPATH $myPFXHOSTIDPATH $myNTPCONFPATH rm -rf $myTMP $myTPOTDIR $myPFXFILE $myNTPCONFFILE $myCONF_FILE
echo > $myAUTHKEYSPATH echo > $myAUTHKEYSFILE
if [ -f $myTPOTSEED.bak ]; if [ -f $myTPOTSEED.bak ];
then then
mv $myTPOTSEED.bak $myTPOTSEED mv $myTPOTSEED.bak $myTPOTSEED
@ -64,25 +82,6 @@ function valid_ip()
return $stat return $stat
} }
# Let's check if all dependencies are met
myINST=""
for myDEPS in $myPACKAGES;
do
myOK=$(dpkg -s $myDEPS | grep ok | awk '{ print $3 }');
if [ "$myOK" != "ok" ]
then
myINST=$(echo $myINST $myDEPS)
fi
done
if [ "$myINST" != "" ]
then
apt-get update -y
for myDEPS in $myINST;
do
apt-get install $myDEPS -y
done
fi
# Let's ask if the user wants to run the script ... # Let's ask if the user wants to run the script ...
dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nDownload latest supported Ubuntu Mini ISO and build the T-Pot Install Image." 8 50 dialog --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nDownload latest supported Ubuntu Mini ISO and build the T-Pot Install Image." 8 50
mySTART=$? mySTART=$?
@ -91,50 +90,36 @@ if [ "$mySTART" = "1" ];
exit exit
fi fi
# Let's load the default config file
if [ -f $myCONF_DEFAULT_FILE ];
then
source $myCONF_DEFAULT_FILE
fi
# Let's ask the user for a proxy ... # Let's ask the user for a proxy ...
while true; while true;
do do
dialog --backtitle "$myBACKTITLE" --title "[ Proxy Settings ]" --yesno "\nDo you want to configure a proxy?" 7 50 dialog --backtitle "$myBACKTITLE" --title "[ Proxy Settings ]" --yesno "\nDo you want to configure a proxy?" 7 50
myADDPROXY=$? myCONF_PROXY_USE=$?
if [ "$myADDPROXY" = "0" ] if [ "$myCONF_PROXY_USE" = "0" ]
then then
myIPRESULT="false" myIPRESULT="false"
while [ "$myIPRESULT" = "false" ]; while [ "$myIPRESULT" = "false" ];
do do
myPROXYIP=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy IP?" --inputbox "" 7 50 "1.2.3.4" 3>&1 1>&2 2>&3 3>&-) myCONF_PROXY_IP=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy IP?" --inputbox "" 7 50 "$myCONF_PROXY_IP" 3>&1 1>&2 2>&3 3>&-)
if valid_ip $myPROXYIP; then myIPRESULT="true"; fi if valid_ip $myCONF_PROXY_IP; then myIPRESULT="true"; fi
done done
myPORTRESULT="false" myPORTRESULT="false"
while [ "$myPORTRESULT" = "false" ]; while [ "$myPORTRESULT" = "false" ];
do do
myPROXYPORT=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy Port (i.e. 3128)?" --inputbox "" 7 50 "3128" 3>&1 1>&2 2>&3 3>&-) myCONF_PROXY_PORT=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "Proxy Port (i.e. 3128)?" --inputbox "" 7 50 "$myCONF_PROXY_PORT" 3>&1 1>&2 2>&3 3>&-)
if [[ $myPROXYPORT =~ ^-?[0-9]+$ ]] && [ $myPROXYPORT -gt 0 ] && [ $myPROXYPORT -lt 65536 ]; then myPORTRESULT="true"; fi if [[ $myCONF_PROXY_PORT =~ ^-?[0-9]+$ ]] && [ $myCONF_PROXY_PORT -gt 0 ] && [ $myCONF_PROXY_PORT -lt 65536 ]; then myPORTRESULT="true"; fi
done done
echo http://$myPROXYIP:$myPROXYPORT > $myPROXYCONFIG sed -i.bak 's#d-i mirror/http/proxy.*#d-i mirror/http/proxy string http://'$myCONF_PROXY_IP':'$myCONF_PROXY_PORT'/#' $myTPOTSEED
sed -i.bak 's#d-i mirror/http/proxy.*#d-i mirror/http/proxy string http://'$myPROXYIP':'$myPROXYPORT'/#' $myTPOTSEED
break break
else else
break myCONF_PROXY_IP=""
fi myCONF_PROXY_PORT=""
done
# Let's ask the user for ssh keys ...
while true;
do
dialog --backtitle "$myBACKTITLE" --title "[ Add ssh keys? ]" --yesno "\nDo you want to add public key(s) to authorized_keys file?" 8 50
myADDKEYS=$?
if [ "$myADDKEYS" = "0" ]
then
myKEYS=$(dialog --backtitle "$myBACKTITLE" --fselect "/" 15 50 3>&1 1>&2 2>&3 3>&-)
if [ -f "$myKEYS" ]
then
cat $myKEYS > $myAUTHKEYSPATH
break
else
dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50;
fi
else
echo > $myAUTHKEYSPATH
break break
fi fi
done done
@ -143,27 +128,30 @@ done
while true; while true;
do do
dialog --backtitle "$myBACKTITLE" --title "[ Need 802.1x auth? ]" --yesno "\nDo you want to add a 802.1x host certificate?" 7 50 dialog --backtitle "$myBACKTITLE" --title "[ Need 802.1x auth? ]" --yesno "\nDo you want to add a 802.1x host certificate?" 7 50
myADDPFX=$? myCONF_PFX_USE=$?
if [ "$myADDPFX" = "0" ] if [ "$myCONF_PFX_USE" = "0" ]
then then
myPFX=$(dialog --backtitle "$myBACKTITLE" --fselect "/" 15 50 3>&1 1>&2 2>&3 3>&-) myCONF_PFX_FILE=$(dialog --backtitle "$myBACKTITLE" --fselect "$myCONF_PFX_FILE" 15 50 3>&1 1>&2 2>&3 3>&-)
if [ -f "$myPFX" ] if [ -f "$myCONF_PFX_FILE" ]
then then
cp $myPFX $myPFXPATH cp $myCONF_PFX_FILE $myPFXFILE
dialog --backtitle "$myBACKTITLE" --title "[ Password protected? ]" --yesno "\nDoes the certificate need your password?" 7 50 dialog --backtitle "$myBACKTITLE" --title "[ Password protected? ]" --yesno "\nDoes the certificate need your password?" 7 50
myADDPFXPW=$? myCONF_PFX_PW_USE=$?
if [ "$myADDPFXPW" = "0" ] if [ "$myCONF_PFX_PW_USE" = "0" ]
then then
myPFXPW=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Password?" 7 50 3>&1 1>&2 2>&3 3>&-) myCONF_PFX_PW=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Password?" 7 50 3>&1 1>&2 2>&3 3>&-)
echo $myPFXPW > $myPFXPWPATH else
myCONF_PFX_PW=""
fi fi
myPFXHOSTID=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Host ID?" 7 50 "<HOSTNAME>.<DOMAIN>" 3>&1 1>&2 2>&3 3>&-) myCONF_PFX_HOST_ID=$(dialog --backtitle "$myBACKTITLE" --no-cancel --inputbox "Host ID?" 7 50 "$myCONF_PFX_HOST_ID" 3>&1 1>&2 2>&3 3>&-)
echo $myPFXHOSTID > $myPFXHOSTIDPATH
break break
else else
dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50; dialog --backtitle "$myBACKTITLE" --title "[ Try again! ]" --msgbox "\nThis is no regular file." 7 50;
fi fi
else else
myCONF_PFX_FILE=""
myCONF_PFX_HOST_ID=""
myCONF_PFX_PW=""
break break
fi fi
done done
@ -172,16 +160,16 @@ done
while true; while true;
do do
dialog --backtitle "$myBACKTITLE" --title "[ NTP server? ]" --yesno "\nDo you want to configure a ntp server?" 7 50 dialog --backtitle "$myBACKTITLE" --title "[ NTP server? ]" --yesno "\nDo you want to configure a ntp server?" 7 50
myADDNTP=$? myCONF_NTP_USE=$?
if [ "$myADDNTP" = "0" ] if [ "$myCONF_NTP_USE" = "0" ]
then then
myIPRESULT="false" myIPRESULT="false"
while [ "$myIPRESULT" = "false" ]; while [ "$myIPRESULT" = "false" ];
do do
myNTPIP=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "NTP IP?" --inputbox "" 7 50 "1.2.3.4" 3>&1 1>&2 2>&3 3>&-) myCONF_NTP_IP=$(dialog --backtitle "$myBACKTITLE" --no-cancel --title "NTP IP?" --inputbox "" 7 50 "$myCONF_NTP_IP" 3>&1 1>&2 2>&3 3>&-)
if valid_ip $myNTPIP; then myIPRESULT="true"; fi if valid_ip $myCONF_NTP_IP; then myIPRESULT="true"; fi
done done
tee $myNTPCONFPATH <<EOF tee $myNTPCONFFILE <<EOF
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats statistics loopstats peerstats clockstats
@ -189,7 +177,7 @@ filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable filegen clockstats file clockstats type day enable
server $myNTPIP server $myCONF_NTP_IP
restrict -4 default kod notrap nomodify nopeer noquery restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery restrict -6 default kod notrap nomodify nopeer noquery
@ -199,10 +187,25 @@ EOF
break break
else else
myCONF_NTP_IP=""
break break
fi fi
done done
# Let's write the config file
echo "# makeiso configuration file" > $myCONF_FILE
echo "myCONF_PROXY_USE=\"$myCONF_PROXY_USE\"" >> $myCONF_FILE
echo "myCONF_PROXY_IP=\"$myCONF_PROXY_IP\"" >> $myCONF_FILE
echo "myCONF_PROXY_PORT=\"$myCONF_PROXY_PORT\"" >> $myCONF_FILE
echo "myCONF_PFX_USE=\"$myCONF_PFX_USE\"" >> $myCONF_FILE
echo "myCONF_PFX_FILE=\"/root/installer/keys/8021x.pfx\"" >> $myCONF_FILE
echo "myCONF_PFX_PW_USE=\"$myCONF_PFX_PW_USE\"" >> $myCONF_FILE
echo "myCONF_PFX_PW=\"$myCONF_PFX_PW\"" >> $myCONF_FILE
echo "myCONF_PFX_HOST_ID=\"$myCONF_PFX_HOST_ID\"" >> $myCONF_FILE
echo "myCONF_NTP_USE=\"$myCONF_NTP_USE\"" >> $myCONF_FILE
echo "myCONF_NTP_IP=\"$myCONF_NTP_IP\"" >> $myCONF_FILE
echo "myCONF_NTP_CONF_FILE=\"/root/installer/ntp.conf\"" >> $myCONF_FILE
# Let's download Ubuntu Minimal ISO # Let's download Ubuntu Minimal ISO
if [ ! -f $myUBUNTUISO ] if [ ! -f $myUBUNTUISO ]
then then