diff --git a/etc/compose/all.yml b/etc/compose/all.yml
deleted file mode 100644
index 33581fae..00000000
--- a/etc/compose/all.yml
+++ /dev/null
@@ -1,336 +0,0 @@ -# T-Pot (Everything) -# For docker-compose ... -version: '2.2' - -networks: - conpot_local: - cowrie_local: - dionaea_local: - elasticpot_local: - emobility_local: - ewsposter_local: - glastopf_local: - mailoney_local: - rdpy_local: - spiderfoot_local: - ui-for-docker_local: - vnclowpot_local: - -services: - -# Conpot service - conpot: - container_name: conpot - restart: always - networks: - - conpot_local - ports: - - "1025:1025" - - "50100:50100" - image: "dtagdevsec/conpot:1710" - volumes: - - /data/conpot/log:/var/log/conpot - -# Cowrie service - cowrie: - container_name: cowrie - restart: always - networks: - - cowrie_local - cap_add: - - NET_BIND_SERVICE - ports: - - "22:2222" - - "23:2223" - image: "dtagdevsec/cowrie:1710" - volumes: - - /data/cowrie/downloads:/home/cowrie/cowrie/dl - - /data/cowrie/keys:/home/cowrie/cowrie/etc - - /data/cowrie/log:/home/cowrie/cowrie/log - - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty - -# Dionaea service - dionaea: - container_name: dionaea - stdin_open: true - restart: always - networks: - - dionaea_local - cap_add: - - NET_BIND_SERVICE - ports: - - "20:20" - - "21:21" - - "42:42" - - "69:69/udp" - - "8081:80" - - "135:135" - - "443:443" - - "445:445" - - "1433:1433" - - "1723:1723" - - "1883:1883" - - "3306:3306" - - "5060:5060" - - "5060:5060/udp" - - "5061:5061" - - "27017:27017" - image: "dtagdevsec/dionaea:1710" - volumes: - - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp - - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp - - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www - - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp - - /data/dionaea:/opt/dionaea/var/dionaea - - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries - - /data/dionaea/log:/opt/dionaea/var/log - - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp - -# Elasticpot service - elasticpot: - container_name: elasticpot - restart: always - networks: - - elasticpot_local - ports: 
- - "9200:9200" - image: "dtagdevsec/elasticpot:1710" - volumes: - - /data/elasticpot/log:/opt/ElasticpotPY/log - -# ELK services -## Elasticsearch service - elasticsearch: - container_name: elasticsearch - restart: always - environment: - - bootstrap.memory_lock=true -# - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - cap_add: - - IPC_LOCK - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 -# mem_limit: 2g - ports: - - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1710" - volumes: - - /data:/data - -## Kibana service - kibana: - container_name: kibana - restart: always - depends_on: - elasticsearch: - condition: service_healthy - ports: - - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1710" - -## Logstash service - logstash: - container_name: logstash - restart: always - depends_on: - elasticsearch: - condition: service_healthy - env_file: - - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1710" - volumes: - - /data:/data - - /var/log:/data/host/log - -## Elasticsearch-head service - head: - container_name: head - restart: always - depends_on: - elasticsearch: - condition: service_healthy - ports: - - "127.0.0.1:64302:9100" - image: "dtagdevsec/head:1710" - -# Emobility service - emobility: - container_name: emobility - restart: always - networks: - - emobility_local - cap_add: - - NET_ADMIN - ports: - - "8080:8080" - image: "dtagdevsec/emobility:1710" - volumes: - - /data/emobility:/data/eMobility - - /data/ews:/data/ews - -# Ewsposter service - ewsposter: - container_name: ewsposter - restart: always - networks: - - ewsposter_local - env_file: - - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1710" - volumes: - - /data:/data - - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip - -# Glastopf service - glastopf: - container_name: glastopf - restart: always - networks: - - glastopf_local - ports: - - "80:80" - image: "dtagdevsec/glastopf:1710" - volumes: - - /data/glastopf/db:/opt/glastopf/db - 
- /data/glastopf/log:/opt/glastopf/log - -# Honeytrap service - honeytrap: - container_name: honeytrap - restart: always - network_mode: "host" - cap_add: - - NET_ADMIN - image: "dtagdevsec/honeytrap:1710" - volumes: - - /data/honeytrap/attacks:/opt/honeytrap/var/attacks - - /data/honeytrap/downloads:/opt/honeytrap/var/downloads - - /data/honeytrap/log:/opt/honeytrap/var/log - -# Mailoney service - mailoney: - container_name: mailoney - restart: always - networks: - - mailoney_local - ports: - - "25:2525" - image: "dtagdevsec/mailoney:1710" - volumes: - - /data/mailoney/log:/opt/mailoney/logs - -# Netdata service - netdata: - container_name: netdata - restart: always - network_mode: "host" - depends_on: - elasticsearch: - condition: service_healthy - cap_add: - - SYS_PTRACE - security_opt: - - apparmor=unconfined - image: "dtagdevsec/netdata:1710" - volumes: - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /var/run/docker.sock:/var/run/docker.sock - -# Nginx service - nginx: - container_name: nginx - restart: always - network_mode: "host" - ports: - - "64297:64297" - image: "dtagdevsec/nginx:1710" - volumes: - - /data/nginx/cert/:/etc/nginx/cert/ - - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd - - /data/nginx/log/:/var/log/nginx/ - -# Rdpy service - rdpy: - container_name: rdpy - restart: always - networks: - - rdpy_local - ports: - - "3389:3389" - image: "dtagdevsec/rdpy:1710" - volumes: - - /data/rdpy/log:/var/log/rdpy - -# Spiderfoot service - spiderfoot: - container_name: spiderfoot - restart: always - networks: - - spiderfoot_local - ports: - - "127.0.0.1:64303:8080" - image: "dtagdevsec/spiderfoot:1710" - volumes: - - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db - -# Ui-for-docker service - ui-for-docker: - container_name: ui-for-docker - command: -H unix:///var/run/docker.sock --no-auth - restart: always - networks: - - ui-for-docker_local - ports: - - "127.0.0.1:64299:9000" - image: "dtagdevsec/ui-for-docker:1710" - volumes: - - 
/var/run/docker.sock:/var/run/docker.sock - -# Suricata service - suricata: - container_name: suricata - restart: always - network_mode: "host" - cap_add: - - NET_ADMIN - - SYS_NICE - - NET_RAW - image: "dtagdevsec/suricata:1710" - volumes: - - /data/suricata/log:/var/log/suricata - -# P0f service - p0f: - container_name: p0f - restart: always - network_mode: "host" - image: "dtagdevsec/p0f:1710" - volumes: - - /data/p0f/log:/var/log/p0f - -# Vnclowpot service - vnclowpot: - container_name: vnclowpot - restart: always - networks: - - vnclowpot_local - ports: - - "5900:5900" - image: "dtagdevsec/vnclowpot:1710" - volumes: - - /data/vnclowpot/log:/var/log/vnclowpot - -# Wetty service - wetty: - container_name: wetty - restart: always - network_mode: "host" - env_file: - - /opt/tpot/etc/compose/wetty_environment - image: "dtagdevsec/wetty:1710" diff --git a/etc/compose/collect.yml b/etc/compose/collector.yml similarity index 82% rename from etc/compose/collect.yml rename to etc/compose/collector.yml index d9a9c795..1586fc39 100644 --- a/etc/compose/collect.yml +++ b/etc/compose/collector.yml 
@@ -1,23 +1,108 @@ # T-Pot (Collector) -# For docker-compose ... -version: '2.2' +# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton) +version: '2.3' networks: - ewsposter_local: heralding_local: + ewsposter_local: spiderfoot_local: - ui-for-docker_local: + portainer_local: services: -# ELK services +################## +#### Honeypots +################## + +# Heralding service + heralding: + container_name: heralding + restart: always + stop_signal: SIGINT + tmpfs: + - /tmp/heralding:uid=2000,gid=2000 + networks: + - heralding_local + ports: + - "21:21" + - "22:22" + - "23:23" + - "25:25" + - "80:80" + - "110:110" + - "143:143" + - "443:443" + - "993:993" + - "995:995" + - "5432:5432" + - "5900:5900" + image: "dtagdevsec/heralding:1804" + read_only: true + volumes: + - /data/heralding/log:/var/log/heralding + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + tmpfs: + - /tmp/honeytrap:uid=2000,gid=2000 + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1804" + read_only: true + volumes: + - /data/honeytrap/attacks:/opt/honeytrap/var/attacks + - /data/honeytrap/downloads:/opt/honeytrap/var/downloads + - /data/honeytrap/log:/opt/honeytrap/var/log + + +################## +#### NSM +################## + +# P0f service + p0f: + container_name: p0f + restart: always + network_mode: "host" + image: "dtagdevsec/p0f:1804" + read_only: true + volumes: + - /data/p0f/log:/var/log/p0f + +# Suricata service + suricata: + container_name: suricata + restart: always + stop_signal: SIGINT + environment: + # For ET Pro ruleset replace "OPEN" with your OINKCODE + - OINKCODE=OPEN + network_mode: "host" + cap_add: + - NET_ADMIN + - SYS_NICE + - NET_RAW + image: "dtagdevsec/suricata:1804" + volumes: + - /data/suricata/log:/var/log/suricata + + +################## +#### Tools +################## + +#### ELK ## Elasticsearch service elasticsearch: 
container_name: elasticsearch restart: always environment: - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m" + - ES_JAVA_OPTS=-Xms1024m -Xmx1024m + - ES_TMPDIR=/tmp cap_add: - IPC_LOCK ulimits: @@ -27,7 +112,7 @@ services: nofile: soft: 65536 hard: 65536 - mem_limit: 2g + mem_limit: 4g ports: - "127.0.0.1:64298:9200" image: "dtagdevsec/elasticsearch:1804" @@ -38,6 +123,7 @@ services: kibana: container_name: kibana restart: always + stop_signal: SIGKILL depends_on: elasticsearch: condition: service_healthy @@ -75,6 +161,7 @@ services: ewsposter: container_name: ewsposter restart: always + stop_signal: SIGINT networks: - ewsposter_local env_file: @@ -84,47 +171,6 @@ services: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip -# Heralding service - heralding: - container_name: heralding - restart: always - environment: - - PYTHON_EGG_CACHE=/tmp/heralding - tmpfs: - - /tmp/heralding:exec - networks: - - heralding_local - ports: - - "21:21" - - "22:22" - - "23:23" - - "25:25" - - "80:80" - - "110:110" - - "143:143" - - "443:443" - - "993:993" - - "995:995" - - "5432:5432" - - "5900:5900" - image: "dtagdevsec/heralding:1804" - read_only: true - volumes: - - /data/heralding/log:/var/log/heralding - -# Honeytrap service - honeytrap: - container_name: honeytrap - restart: always - network_mode: "host" - cap_add: - - NET_ADMIN - image: "dtagdevsec/honeytrap:1804" - volumes: - - /data/honeytrap/attacks:/opt/honeytrap/var/attacks - - /data/honeytrap/downloads:/opt/honeytrap/var/downloads - - /data/honeytrap/log:/opt/honeytrap/var/log - # Netdata service netdata: container_name: netdata @@ -143,9 +189,9 @@ services: volumes: - /proc:/host/proc:ro - /sys:/host/sys:ro - - /var/run/docker.sock:/var/run/docker.sock + - /var/run/docker.sock:/var/run/docker.sock:ro -# nginx service +# Nginx service nginx: container_name: nginx restart: always 
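Review bot: The suricata service added in this hunk is the only one of the four new services (heralding, honeytrap, p0f are the others) without `read_only: true`, and its `OINKCODE` is meant to be edited inline into a compose file that is tracked in the repository, so an ET Pro subscription code would end up in version control. The file already reads per-service settings from an env file (`env_file: - /opt/tpot/etc/compose/elk_environment` on logstash and ewsposter); moving `OINKCODE` into a similarly placed, untracked env file keeps the credential out of the YAML, and the comment can then point there instead of saying "replace". If Suricata needs a writable rules directory, `read_only: true` plus a `tmpfs:` entry for that path would match how heralding and honeytrap are hardened in the same hunk; if it cannot be made read-only, a one-line comment stating why would save the next reviewer the question. The same suricata block is repeated unchanged in experimental.yml and industrial.yml.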
@@ -166,6 +212,20 @@ services: - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/log/:/var/log/nginx/ +# Portainer service + portainer: + container_name: portainer + command: -H unix:///var/run/docker.sock --no-auth + restart: always + networks: + - portainer_local + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/portainer:1804" + read_only: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock + # Spiderfoot service spiderfoot: container_name: spiderfoot @@ -178,52 +238,15 @@ services: volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db -# Ui-for-docker service - ui-for-docker: - container_name: ui-for-docker - command: -H unix:///var/run/docker.sock --no-auth - restart: always - networks: - - ui-for-docker_local - ports: - - "127.0.0.1:64299:9000" - image: "dtagdevsec/ui-for-docker:1804" - read_only: true - volumes: - - /var/run/docker.sock:/var/run/docker.sock - -# Suricata service - suricata: - container_name: suricata - restart: always - environment: - # For ET Pro ruleset replace with your OINKCODE - - OINKCODE=OPEN - network_mode: "host" - cap_add: - - NET_ADMIN - - SYS_NICE - - NET_RAW - image: "dtagdevsec/suricata:1804" - volumes: - - /data/suricata/log:/var/log/suricata - -# P0f service - p0f: - container_name: p0f - restart: always - network_mode: "host" - image: "dtagdevsec/p0f:1804" - read_only: true - volumes: - - /data/p0f/log:/var/log/p0f - # Wetty service wetty: container_name: wetty restart: always + stop_signal: SIGKILL network_mode: "host" env_file: - /opt/tpot/etc/compose/wetty_environment + tmpfs: + - /home/wetty/.ssh/:uid=2000,gid=2000 image: "dtagdevsec/wetty:1804" read_only: true diff --git a/etc/compose/experimental.yml b/etc/compose/experimental.yml new file mode 100644 index 00000000..92f03a14 --- /dev/null +++ b/etc/compose/experimental.yml 
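Review bot: The portainer service keeps `command: -H unix:///var/run/docker.sock --no-auth` together with a read-write bind of `/var/run/docker.sock`, so anyone who reaches its port 9000 has full control of the Docker daemon and therefore of the host; this commit tightens netdata's socket bind to `:ro`, but Portainer needs a writable socket, so the only protection here is the `127.0.0.1:64299` bind and whatever fronts it (presumably the nginx service with its `nginxpasswd`). That trust assumption is not written down anywhere in the file, and the service was renamed from ui-for-docker with the flag carried over. A comment above `command:` such as `# --no-auth: access control is delegated to the loopback bind and the nginx front end; the rw docker socket is host-root-equivalent` would make it explicit for whoever next changes the port binding or the nginx configuration.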
@@ -0,0 +1,586 @@ +# T-Pot (Experimental) +# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton) +version: '2.3' + +networks: + conpot_local_IEC104: + conpot_local_guardian_ast: + conpot_local_ipmi: + conpot_local_kamstrup_382: + cowrie_local: + elasticpot_local: + heralding_local: + mailoney_local: + rdpy_local: + tanner_local: + vnclowpot_local: + ewsposter_local: + spiderfoot_local: + portainer_local: + +services: + +################## +#### Honeypots +################## + +# Ciscoasa service + ciscoasa: + container_name: ciscoasa + restart: always + stop_signal: SIGINT + tmpfs: + - /tmp/ciscoasa:uid=2000,gid=2000 + network_mode: "host" + ports: + - "5000:5000/udp" + - "8443:8443" + image: "dtagdevsec/ciscoasa:1804" + read_only: true + volumes: + - /data/ciscoasa/log:/var/log/ciscoasa + +# Conpot IEC104 service + conpot_IEC104: + container_name: conpot_IEC104 + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json + - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log + - CONPOT_TEMPLATE=IEC104 + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_IEC104 + ports: + - "161:161" + - "2404:2404" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Conpot guardian_ast service + conpot_guardian_ast: + container_name: conpot_guardian_ast + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json + - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log + - CONPOT_TEMPLATE=guardian_ast + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_guardian_ast + ports: + - "10001:10001" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - 
/data/conpot/log:/var/log/conpot + +# Conpot ipmi + conpot_ipmi: + container_name: conpot_ipmi + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json + - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log + - CONPOT_TEMPLATE=ipmi + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_ipmi + ports: + - "623:623" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Conpot kamstrup_382 + conpot_kamstrup_382: + container_name: conpot_kamstrup_382 + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json + - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log + - CONPOT_TEMPLATE=kamstrup_382 + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_kamstrup_382 + ports: + - "1025:1025" + - "50100:50100" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + tmpfs: + - /tmp/cowrie:uid=2000,gid=2000 + - /tmp/cowrie/data:uid=2000,gid=2000 + networks: + - cowrie_local + ports: + - "22:22" + - "23:23" + image: "dtagdevsec/cowrie:1804" + read_only: true + volumes: + - /data/cowrie/downloads:/home/cowrie/cowrie/dl + - /data/cowrie/keys:/home/cowrie/cowrie/etc + - /data/cowrie/log:/home/cowrie/cowrie/log + - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty + +# Dionaea service + dionaea: + container_name: dionaea + stdin_open: true + tty: true + restart: always + network_mode: "host" + ports: + - "20:20" + - "21:21" + - "42:42" + - "69:69/udp" + - "81:81" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "3306:3306" + - "5060:5060" + - "5060:5060/udp" + - "5061:5061" + - "27017:27017" + image: 
"dtagdevsec/dionaea:1804" + read_only: true + volumes: + - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp + - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp + - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www + - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp + - /data/dionaea:/opt/dionaea/var/dionaea + - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries + - /data/dionaea/log:/opt/dionaea/var/log + - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + stop_signal: SIGINT + networks: + - elasticpot_local + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1804" + read_only: true + volumes: + - /data/elasticpot/log:/opt/ElasticpotPY/log + +# Heralding service + heralding: + container_name: heralding + restart: always + stop_signal: SIGINT + tmpfs: + - /tmp/heralding:uid=2000,gid=2000 + networks: + - heralding_local + ports: + # - "21:21" + # - "22:22" + # - "23:23" + # - "25:25" + # - "80:80" + - "110:110" + - "143:143" + # - "443:443" + - "993:993" + - "995:995" + - "5432:5432" + # - "5900:5900" + image: "dtagdevsec/heralding:1804" + read_only: true + volumes: + - /data/heralding/log:/var/log/heralding + +# Glutton service + glutton: + build: . 
+ container_name: glutton + restart: always + tmpfs: + - /var/lib/glutton:uid=2000,gid=2000 + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/glutton:1804" + read_only: true + volumes: + - /data/glutton/log:/var/log/glutton + - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml + +# Mailoney service + mailoney: + container_name: mailoney + restart: always + environment: + - HPFEEDS_SERVER= + - HPFEEDS_IDENT=user + - HPFEEDS_SECRET=pass + - HPFEEDS_PORT=20000 + - HPFEEDS_CHANNELPREFIX=prefix + stop_signal: SIGINT + networks: + - mailoney_local + ports: + - "25:25" + image: "dtagdevsec/mailoney:1804" + read_only: true + volumes: + - /data/mailoney/log:/opt/mailoney/logs + +# Rdpy service + rdpy: + container_name: rdpy + extra_hosts: + - hpfeeds.example.com:127.0.0.1 + restart: always + environment: + - HPFEEDS_SERVER=hpfeeds.example.com + - HPFEEDS_IDENT=user + - HPFEEDS_SECRET=pass + - HPFEEDS_PORT=65000 + - SERVERID=id + networks: + - rdpy_local + ports: + - "3389:3389" + image: "dtagdevsec/rdpy:1804" + read_only: true + volumes: + - /data/rdpy/log:/var/log/rdpy + +#### Snare / Tanner +## Tanner Redis Service + tanner_redis: + container_name: tanner_redis + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + image: "dtagdevsec/redis:1804" + read_only: true + +## PHP Sandbox service + tanner_phpox: + container_name: tanner_phpox + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + image: "dtagdevsec/phpox:1804" + read_only: true + +## Tanner API Service + tanner_api: + container_name: tanner_api + restart: always + stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + command: tannerapi + depends_on: + - tanner_redis + +## Tanner WEB Service + tanner_web: + container_name: tanner_web + restart: always + 
stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + command: tannerweb + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + depends_on: + - tanner_redis + +## Tanner Service + tanner: + container_name: tanner + restart: always + stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + command: tanner + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + - /data/tanner/files:/opt/tanner/files + depends_on: + - tanner_api + - tanner_web + - tanner_phpox + +## Snare Service + snare: + container_name: snare + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + ports: + - "80:80" + image: "dtagdevsec/snare:1804" + depends_on: + - tanner + +# Vnclowpot service + vnclowpot: + container_name: vnclowpot + restart: always + networks: + - vnclowpot_local + ports: + - "5900:5900" + image: "dtagdevsec/vnclowpot:1804" + read_only: true + volumes: + - /data/vnclowpot/log:/var/log/vnclowpot + + +################## +#### NSM +################## + +# P0f service + p0f: + container_name: p0f + restart: always + network_mode: "host" + image: "dtagdevsec/p0f:1804" + read_only: true + volumes: + - /data/p0f/log:/var/log/p0f + +# Suricata service + suricata: + container_name: suricata + restart: always + stop_signal: SIGINT + environment: + # For ET Pro ruleset replace "OPEN" with your OINKCODE + - OINKCODE=OPEN + network_mode: "host" + cap_add: + - NET_ADMIN + - SYS_NICE + - NET_RAW + image: "dtagdevsec/suricata:1804" + volumes: + - /data/suricata/log:/var/log/suricata + + +################## +#### Tools +################## + +#### ELK +## Elasticsearch service + elasticsearch: + container_name: elasticsearch + restart: always + environment: + - bootstrap.memory_lock=true + - ES_JAVA_OPTS=-Xms1024m -Xmx1024m + - ES_TMPDIR=/tmp + cap_add: + - IPC_LOCK + 
ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + mem_limit: 4g + ports: + - "127.0.0.1:64298:9200" + image: "dtagdevsec/elasticsearch:1804" + volumes: + - /data:/data + +## Kibana service + kibana: + container_name: kibana + restart: always + stop_signal: SIGKILL + depends_on: + elasticsearch: + condition: service_healthy + ports: + - "127.0.0.1:64296:5601" + image: "dtagdevsec/kibana:1804" + +## Logstash service + logstash: + container_name: logstash + restart: always + depends_on: + elasticsearch: + condition: service_healthy + env_file: + - /opt/tpot/etc/compose/elk_environment + image: "dtagdevsec/logstash:1804" + volumes: + - /data:/data + - /var/log:/data/host/log + +## Elasticsearch-head service + head: + container_name: head + restart: always + depends_on: + elasticsearch: + condition: service_healthy + ports: + - "127.0.0.1:64302:9100" + image: "dtagdevsec/head:1804" + read_only: true + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + stop_signal: SIGINT + networks: + - ewsposter_local + env_file: + - /opt/tpot/etc/compose/elk_environment + image: "dtagdevsec/ewsposter:1804" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip + +# Netdata service + netdata: + container_name: netdata + restart: always + network_mode: "host" + depends_on: + elasticsearch: + condition: service_healthy + cap_add: + - SYS_PTRACE + security_opt: + - apparmor=unconfined + ports: + - "64301:64301" + image: "dtagdevsec/netdata:1804" + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + +# Nginx service + nginx: + container_name: nginx + restart: always + tmpfs: + - /var/tmp/nginx/client_body + - /var/tmp/nginx/proxy + - /var/tmp/nginx/fastcgi + - /var/tmp/nginx/uwsgi + - /var/tmp/nginx/scgi + - /run + network_mode: "host" + ports: + - "64297:64297" + image: "dtagdevsec/nginx:1804" + read_only: true + volumes: + - 
/data/nginx/cert/:/etc/nginx/cert/:ro + - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro + - /data/nginx/log/:/var/log/nginx/ + +# Portainer service + portainer: + container_name: portainer + command: -H unix:///var/run/docker.sock --no-auth + restart: always + networks: + - portainer_local + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/portainer:1804" + read_only: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock + +# Spiderfoot service + spiderfoot: + container_name: spiderfoot + restart: always + networks: + - spiderfoot_local + ports: + - "127.0.0.1:64303:8080" + image: "dtagdevsec/spiderfoot:1804" + volumes: + - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db + +# Wetty service + wetty: + container_name: wetty + restart: always + stop_signal: SIGKILL + network_mode: "host" + env_file: + - /opt/tpot/etc/compose/wetty_environment + tmpfs: + - /home/wetty/.ssh/:uid=2000,gid=2000 + image: "dtagdevsec/wetty:1804" + read_only: true diff --git a/etc/compose/hp.yml b/etc/compose/hp.yml deleted file mode 100644 index 10d07078..00000000 --- a/etc/compose/hp.yml +++ /dev/null 
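Review bot: The glutton service bind-mounts `/root/tpotce/docker/glutton/dist/rules.yaml`, a developer checkout path, while every other host path in this file is under `/data` or `/opt/tpot`; on a deployed host that path does not exist, Docker will create an empty directory there and mount it over `/opt/glutton/rules/rules.yaml`, so glutton starts without its rules. The `build: .` on the same service (and on `conpot_default` in industrial.yml) looks like local debugging residue: with `image:` also set, compose builds from the compose directory whenever the image is absent instead of pulling it. `HPFEEDS_SECRET=pass` and the surrounding `HPFEEDS_*` values on mailoney and rdpy (rdpy again in industrial.yml) are placeholder credentials written straight into a tracked compose file; the `env_file:` pattern already used by logstash and ewsposter keeps real values out of version control. cowrie now publishes `22:22`/`23:23` with the `NET_BIND_SERVICE` capability of the deleted 1710 definition gone, which only works if the 1804 image binds those ports before dropping privileges or via file capabilities — the `uid=2000` tmpfs suggests it runs unprivileged, so this is worth confirming. netdata's `- "64301:64301"` is the only tool port not bound to loopback, and since the header states that every ports entry becomes an iptables ACCEPT rule, the dashboard would be reachable from outside without passing nginx; `- "127.0.0.1:64301:64301"` matches the other tool ports.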
@@ -1,157 +0,0 @@ -# T-Pot (HP) -# For docker-compose ... -version: '2.2' - -networks: - cowrie_local: - dionaea_local: - elasticpot_local: - ewsposter_local: - glastopf_local: - mailoney_local: - rdpy_local: - vnclowpot_local: - -services: - -# Cowrie service - cowrie: - container_name: cowrie - restart: always - networks: - - cowrie_local - cap_add: - - NET_BIND_SERVICE - ports: - - "22:2222" - - "23:2223" - image: "dtagdevsec/cowrie:1710" - volumes: - - /data/cowrie/downloads:/home/cowrie/cowrie/dl - - /data/cowrie/keys:/home/cowrie/cowrie/etc - - /data/cowrie/log:/home/cowrie/cowrie/log - - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty - -# Dionaea service - dionaea: - container_name: dionaea - stdin_open: true - restart: always - networks: - - dionaea_local - cap_add: - - NET_BIND_SERVICE - ports: - - "20:20" - - "21:21" - - "42:42" - - "69:69/udp" - - "8081:80" - - "135:135" - - "443:443" - - "445:445" - - "1433:1433" - - "1723:1723" - - "1883:1883" - - "3306:3306" - - "5060:5060" - - "5060:5060/udp" - - "5061:5061" - - "27017:27017" - image: "dtagdevsec/dionaea:1710" - volumes: - - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp - - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp - - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www - - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp - - /data/dionaea:/opt/dionaea/var/dionaea - - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries - - /data/dionaea/log:/opt/dionaea/var/log - - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp - -# Elasticpot service - elasticpot: - container_name: elasticpot - restart: always - networks: - - elasticpot_local - ports: - - "9200:9200" - image: "dtagdevsec/elasticpot:1710" - volumes: - - /data/elasticpot/log:/opt/ElasticpotPY/log - -# Ewsposter service - ewsposter: - container_name: ewsposter - restart: always - networks: - - ewsposter_local - env_file: - - /opt/tpot/etc/compose/elk_environment - image: 
"dtagdevsec/ewsposter:1710" - volumes: - - /data:/data - - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip - -# Glastopf service - glastopf: - container_name: glastopf - restart: always - networks: - - glastopf_local - ports: - - "80:80" - image: "dtagdevsec/glastopf:1710" - volumes: - - /data/glastopf/db:/opt/glastopf/db - - /data/glastopf/log:/opt/glastopf/log - -# Honeytrap service - honeytrap: - container_name: honeytrap - restart: always - network_mode: "host" - cap_add: - - NET_ADMIN - image: "dtagdevsec/honeytrap:1710" - volumes: - - /data/honeytrap/attacks:/opt/honeytrap/var/attacks - - /data/honeytrap/downloads:/opt/honeytrap/var/downloads - - /data/honeytrap/log:/opt/honeytrap/var/log - -# Mailoney service - mailoney: - container_name: mailoney - restart: always - networks: - - mailoney_local - ports: - - "25:2525" - image: "dtagdevsec/mailoney:1710" - volumes: - - /data/mailoney/log:/opt/mailoney/logs - -# Rdpy service - rdpy: - container_name: rdpy - restart: always - networks: - - rdpy_local - ports: - - "3389:3389" - image: "dtagdevsec/rdpy:1710" - volumes: - - /data/rdpy/log:/var/log/rdpy - -# Vnclowpot service - vnclowpot: - container_name: vnclowpot - restart: always - networks: - - vnclowpot_local - ports: - - "5900:5900" - image: "dtagdevsec/vnclowpot:1710" - volumes: - - /data/vnclowpot/log:/var/log/vnclowpot diff --git a/etc/compose/industrial.yml b/etc/compose/industrial.yml index baeaa1dd..953ba4ee 100644 --- a/etc/compose/industrial.yml +++ b/etc/compose/industrial.yml @@ -1,6 +1,6 @@ -# T-Pot (Industrial, based on Conpot=[default, IEC104, guardian_ast, ipmi, kamstrup_382]) -# For docker-compose ... -version: '2.2' +# T-Pot (Industrial) +# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton) +version: '2.3' networks: conpot_local_default: 
@@ -8,26 +8,33 @@ networks: conpot_local_guardian_ast: conpot_local_ipmi: conpot_local_kamstrup_382: + cowrie_local: + rdpy_local: + vnclowpot_local: ewsposter_local: spiderfoot_local: - ui-for-docker_local: + portainer_local: services: +################## +#### Honeypots +################## + # Conpot default service conpot_default: + build: . container_name: conpot_default restart: always + stop_signal: SIGINT environment: - CONPOT_CONFIG=/etc/conpot/conpot.cfg - CONPOT_JSON_LOG=/var/log/conpot/conpot_default.json - CONPOT_LOG=/var/log/conpot/conpot_default.log - CONPOT_TEMPLATE=default - CONPOT_TMP=/tmp/conpot - - PYTHON_EGG_CACHE=/tmp/conpot tmpfs: - - /tmp/conpot:exec - # - /var/run/conpot/ + - /tmp/conpot:uid=2000,gid=2000 networks: - conpot_local_default ports: @@ -47,20 +54,19 @@ services: conpot_IEC104: container_name: conpot_IEC104 restart: always + stop_signal: SIGINT environment: - CONPOT_CONFIG=/etc/conpot/conpot.cfg - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log - CONPOT_TEMPLATE=IEC104 - CONPOT_TMP=/tmp/conpot - - PYTHON_EGG_CACHE=/tmp/conpot tmpfs: - - /tmp/conpot:exec - - /var/run/conpot/ + - /tmp/conpot:uid=2000,gid=2000 networks: - conpot_local_IEC104 ports: -# - "161:161" + - "161:161" - "2404:2404" image: "dtagdevsec/conpot:1804" read_only: true @@ -71,16 +77,15 @@ services: conpot_guardian_ast: container_name: conpot_guardian_ast restart: always + stop_signal: SIGINT environment: - CONPOT_CONFIG=/etc/conpot/conpot.cfg - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log - CONPOT_TEMPLATE=guardian_ast - CONPOT_TMP=/tmp/conpot - - PYTHON_EGG_CACHE=/tmp/conpot tmpfs: - - /tmp/conpot:exec - - /var/run/conpot/ + - /tmp/conpot:uid=2000,gid=2000 networks: - conpot_local_guardian_ast ports: 
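Review bot: Re-enabling `- "161:161"` on conpot_IEC104 publishes TCP only, because a compose port mapping without a protocol suffix is TCP; SNMP is normally served over UDP, and this file set already writes UDP mappings explicitly where they are meant (`"69:69/udp"`, `"5000:5000/udp"` in experimental.yml), so unless the IEC104 template's SNMP listener is TCP this line should read `- "161:161/udp"`. The same question applies to `- "623:623"` on conpot_ipmi in experimental.yml, where IPMI/RMCP is likewise UDP. These services sit on a private network rather than host mode, so a wrong protocol leaves the port silently unreachable from outside, and because rules.sh derives its iptables rules from these entries the protocol matters there as well. Check the conpot template's listener rather than assuming either way.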
@@ -94,16 +99,15 @@ services: conpot_ipmi: container_name: conpot_ipmi restart: always + stop_signal: SIGINT environment: - CONPOT_CONFIG=/etc/conpot/conpot.cfg - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log - CONPOT_TEMPLATE=ipmi - CONPOT_TMP=/tmp/conpot - - PYTHON_EGG_CACHE=/tmp/conpot tmpfs: - - /tmp/conpot:exec - - /var/run/conpot/ + - /tmp/conpot:uid=2000,gid=2000 networks: - conpot_local_ipmi ports: @@ -117,16 +121,15 @@ services: conpot_kamstrup_382: container_name: conpot_kamstrup_382 restart: always + stop_signal: SIGINT environment: - CONPOT_CONFIG=/etc/conpot/conpot.cfg - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log - CONPOT_TEMPLATE=kamstrup_382 - CONPOT_TMP=/tmp/conpot - - PYTHON_EGG_CACHE=/tmp/conpot tmpfs: - - /tmp/conpot:exec - - /var/run/conpot/ + - /tmp/conpot:uid=2000,gid=2000 networks: - conpot_local_kamstrup_382 ports: 
@@ -137,14 +140,122 @@ services: volumes: - /data/conpot/log:/var/log/conpot -# ELK services +# Cowrie service + cowrie: + container_name: cowrie + restart: always + tmpfs: + - /tmp/cowrie:uid=2000,gid=2000 + - /tmp/cowrie/data:uid=2000,gid=2000 + networks: + - cowrie_local + ports: + - "22:22" + - "23:23" + image: "dtagdevsec/cowrie:1804" + read_only: true + volumes: + - /data/cowrie/downloads:/home/cowrie/cowrie/dl + - /data/cowrie/keys:/home/cowrie/cowrie/etc + - /data/cowrie/log:/home/cowrie/cowrie/log + - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + tmpfs: + - /tmp/honeytrap:uid=2000,gid=2000 + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1804" + read_only: true + volumes: + - /data/honeytrap/attacks:/opt/honeytrap/var/attacks + - /data/honeytrap/downloads:/opt/honeytrap/var/downloads + - /data/honeytrap/log:/opt/honeytrap/var/log + +# Rdpy service + rdpy: + container_name: rdpy + extra_hosts: + - hpfeeds.example.com:127.0.0.1 + restart: always + environment: + - HPFEEDS_SERVER=hpfeeds.example.com + - HPFEEDS_IDENT=user + - HPFEEDS_SECRET=pass + - HPFEEDS_PORT=65000 + - SERVERID=id + networks: + - rdpy_local + ports: + - "3389:3389" + image: "dtagdevsec/rdpy:1804" + read_only: true + volumes: + - /data/rdpy/log:/var/log/rdpy + +# Vnclowpot service + vnclowpot: + container_name: vnclowpot + restart: always + networks: + - vnclowpot_local + ports: + - "5900:5900" + image: "dtagdevsec/vnclowpot:1804" + read_only: true + volumes: + - /data/vnclowpot/log:/var/log/vnclowpot + + +################## +#### NSM +################## + +# P0f service + p0f: + container_name: p0f + restart: always + network_mode: "host" + image: "dtagdevsec/p0f:1804" + read_only: true + volumes: + - /data/p0f/log:/var/log/p0f + +# Suricata service + suricata: + container_name: suricata + restart: always + stop_signal: SIGINT + environment: + # For ET Pro ruleset replace 
"OPEN" with your OINKCODE + - OINKCODE=OPEN + network_mode: "host" + cap_add: + - NET_ADMIN + - SYS_NICE + - NET_RAW + image: "dtagdevsec/suricata:1804" + volumes: + - /data/suricata/log:/var/log/suricata + + +################## +#### Tools +################## + +#### ELK ## Elasticsearch service elasticsearch: container_name: elasticsearch restart: always environment: - bootstrap.memory_lock=true -# - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - ES_JAVA_OPTS=-Xms1024m -Xmx1024m + - ES_TMPDIR=/tmp cap_add: - IPC_LOCK ulimits: @@ -154,10 +265,10 @@ services: nofile: soft: 65536 hard: 65536 -# mem_limit: 2g + mem_limit: 4g ports: - "127.0.0.1:64298:9200" - image: "dtagdevsec/elasticsearch:1710" + image: "dtagdevsec/elasticsearch:1804" volumes: - /data:/data @@ -165,12 +276,13 @@ services: kibana: container_name: kibana restart: always + stop_signal: SIGKILL depends_on: elasticsearch: condition: service_healthy ports: - "127.0.0.1:64296:5601" - image: "dtagdevsec/kibana:1710" + image: "dtagdevsec/kibana:1804" ## Logstash service logstash: @@ -181,7 +293,7 @@ services: condition: service_healthy env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/logstash:1710" + image: "dtagdevsec/logstash:1804" volumes: - /data:/data - /var/log:/data/host/log @@ -195,17 +307,19 @@ services: condition: service_healthy ports: - "127.0.0.1:64302:9100" - image: "dtagdevsec/head:1710" + image: "dtagdevsec/head:1804" + read_only: true # Ewsposter service ewsposter: container_name: ewsposter restart: always + stop_signal: SIGINT networks: - ewsposter_local env_file: - /opt/tpot/etc/compose/elk_environment - image: "dtagdevsec/ewsposter:1710" + image: "dtagdevsec/ewsposter:1804" volumes: - /data:/data - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip 
@@ -222,25 +336,49 @@ services: - SYS_PTRACE security_opt: - apparmor=unconfined - image: "dtagdevsec/netdata:1710" + ports: + - "64301:64301" + image: "dtagdevsec/netdata:1804" volumes: - /proc:/host/proc:ro - /sys:/host/sys:ro - - /var/run/docker.sock:/var/run/docker.sock + - /var/run/docker.sock:/var/run/docker.sock:ro # Nginx service nginx: container_name: nginx restart: always + tmpfs: + - /var/tmp/nginx/client_body + - /var/tmp/nginx/proxy + - /var/tmp/nginx/fastcgi + - /var/tmp/nginx/uwsgi + - /var/tmp/nginx/scgi + - /run network_mode: "host" ports: - "64297:64297" - image: "dtagdevsec/nginx:1710" + image: "dtagdevsec/nginx:1804" + read_only: true volumes: - - /data/nginx/cert/:/etc/nginx/cert/ - - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd + - /data/nginx/cert/:/etc/nginx/cert/:ro + - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro - /data/nginx/log/:/var/log/nginx/ +# Portainer service + portainer: + container_name: portainer + command: -H unix:///var/run/docker.sock --no-auth + restart: always + networks: + - portainer_local + ports: + - "127.0.0.1:64299:9000" + image: "dtagdevsec/portainer:1804" + read_only: true + volumes: + - /var/run/docker.sock:/var/run/docker.sock + # Spiderfoot service spiderfoot: container_name: spiderfoot 
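Review bot: The new netdata `ports:` entry `"64301:64301"` has no loopback prefix, unlike every other tool port in this file (`127.0.0.1:64296:5601`, `127.0.0.1:64299:9000`, `127.0.0.1:64303:8080`); if netdata is meant to be reached only through the nginx proxy, `- "127.0.0.1:64301:64301"` keeps it off the external interface. The new sensor.yml in this diff states that `ports:` sections are also read by /opt/tpot/bin/rules.sh to create iptables ACCEPT rules, so this entry may open the port at the firewall even where Docker's own mapping would not. Portainer keeps `--no-auth` with a read-write docker socket (netdata's socket mount was made `:ro` in the same hunk; Portainer needs write access to manage containers), and being loopback-bound its access control rests entirely on the nginx `nginxpasswd` front end, which a comment `# no built-in auth: reachable only through nginx basic auth` would make explicit.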
@@ -249,50 +387,19 @@ services: - spiderfoot_local ports: - "127.0.0.1:64303:8080" - image: "dtagdevsec/spiderfoot:1710" + image: "dtagdevsec/spiderfoot:1804" volumes: - /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db -# Ui-for-docker service - ui-for-docker: - container_name: ui-for-docker - command: -H unix:///var/run/docker.sock --no-auth - restart: always - networks: - - ui-for-docker_local - ports: - - "127.0.0.1:64299:9000" - image: "dtagdevsec/ui-for-docker:1710" - volumes: - - /var/run/docker.sock:/var/run/docker.sock - -# Suricata service - suricata: - container_name: suricata - restart: always - network_mode: "host" - cap_add: - - NET_ADMIN - - SYS_NICE - - NET_RAW - image: "dtagdevsec/suricata:1710" - volumes: - - /data/suricata/log:/var/log/suricata - -# P0f service - p0f: - container_name: p0f - restart: always - network_mode: "host" - image: "dtagdevsec/p0f:1710" - volumes: - - /data/p0f/log:/var/log/p0f - # Wetty service wetty: container_name: wetty restart: always + stop_signal: SIGKILL network_mode: "host" env_file: - /opt/tpot/etc/compose/wetty_environment - image: "dtagdevsec/wetty:1710" + tmpfs: + - /home/wetty/.ssh/:uid=2000,gid=2000 + image: "dtagdevsec/wetty:1804" + read_only: true diff --git a/etc/compose/legacy.yml b/etc/compose/legacy.yml index 4922a878..7c11b663 100644 --- a/etc/compose/legacy.yml +++ b/etc/compose/legacy.yml @@ -163,7 +163,7 @@ services: volumes: - /data/rdpy/log:/var/log/rdpy -# vnclowpot service +# Vnclowpot service vnclowpot: container_name: vnclowpot restart: always diff --git a/etc/compose/ng.yml b/etc/compose/ng.yml index 9bbac11f..81acf822 100644 --- a/etc/compose/ng.yml +++ b/etc/compose/ng.yml 
@@ -24,6 +24,22 @@ services: #### Honeypots ################## +# Ciscoasa service + ciscoasa: + container_name: ciscoasa + restart: always + stop_signal: SIGINT + tmpfs: + - /tmp/ciscoasa:uid=2000,gid=2000 + network_mode: "host" + ports: + - "5000:5000/udp" + - "8443:8443" + image: "dtagdevsec/ciscoasa:1804" + read_only: true + volumes: + - /data/ciscoasa/log:/var/log/ciscoasa + # Conpot IEC104 service conpot_IEC104: container_name: conpot_IEC104 @@ -114,22 +130,6 @@ services: volumes: - /data/conpot/log:/var/log/conpot -# Ciscoasa service - ciscoasa: - container_name: ciscoasa - restart: always - stop_signal: SIGINT - tmpfs: - - /tmp/ciscoasa:uid=2000,gid=2000 - network_mode: "host" - ports: - - "5000:5000/udp" - - "8443:8443" - image: "dtagdevsec/ciscoasa:1804" - read_only: true - volumes: - - /data/ciscoasa/log:/var/log/ciscoasa - # Cowrie service cowrie: container_name: cowrie diff --git a/etc/compose/sensor.yml b/etc/compose/sensor.yml new file mode 100644 index 00000000..06b7af93 --- /dev/null +++ b/etc/compose/sensor.yml 
@@ -0,0 +1,443 @@ +# T-Pot (Sensor) +# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton) +version: '2.3' + +networks: + conpot_local_IEC104: + conpot_local_guardian_ast: + conpot_local_ipmi: + conpot_local_kamstrup_382: + cowrie_local: + elasticpot_local: + heralding_local: + mailoney_local: + rdpy_local: + tanner_local: + vnclowpot_local: + ewsposter_local: + spiderfoot_local: + portainer_local: + +services: + +################## +#### Honeypots +################## + +# Ciscoasa service + ciscoasa: + container_name: ciscoasa + restart: always + stop_signal: SIGINT + tmpfs: + - /tmp/ciscoasa:uid=2000,gid=2000 + network_mode: "host" + ports: + - "5000:5000/udp" + - "8443:8443" + image: "dtagdevsec/ciscoasa:1804" + read_only: true + volumes: + - /data/ciscoasa/log:/var/log/ciscoasa + +# Conpot IEC104 service + conpot_IEC104: + container_name: conpot_IEC104 + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_IEC104.json + - CONPOT_LOG=/var/log/conpot/conpot_IEC104.log + - CONPOT_TEMPLATE=IEC104 + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_IEC104 + ports: + - "161:161" + - "2404:2404" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Conpot guardian_ast service + conpot_guardian_ast: + container_name: conpot_guardian_ast + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_guardian_ast.json + - CONPOT_LOG=/var/log/conpot/conpot_guardian_ast.log + - CONPOT_TEMPLATE=guardian_ast + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_guardian_ast + ports: + - "10001:10001" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + 
+# Conpot ipmi + conpot_ipmi: + container_name: conpot_ipmi + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_ipmi.json + - CONPOT_LOG=/var/log/conpot/conpot_ipmi.log + - CONPOT_TEMPLATE=ipmi + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_ipmi + ports: + - "623:623" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Conpot kamstrup_382 + conpot_kamstrup_382: + container_name: conpot_kamstrup_382 + restart: always + stop_signal: SIGINT + environment: + - CONPOT_CONFIG=/etc/conpot/conpot.cfg + - CONPOT_JSON_LOG=/var/log/conpot/conpot_kamstrup_382.json + - CONPOT_LOG=/var/log/conpot/conpot_kamstrup_382.log + - CONPOT_TEMPLATE=kamstrup_382 + - CONPOT_TMP=/tmp/conpot + tmpfs: + - /tmp/conpot:uid=2000,gid=2000 + networks: + - conpot_local_kamstrup_382 + ports: + - "1025:1025" + - "50100:50100" + image: "dtagdevsec/conpot:1804" + read_only: true + volumes: + - /data/conpot/log:/var/log/conpot + +# Cowrie service + cowrie: + container_name: cowrie + restart: always + tmpfs: + - /tmp/cowrie:uid=2000,gid=2000 + - /tmp/cowrie/data:uid=2000,gid=2000 + networks: + - cowrie_local + ports: + - "22:22" + - "23:23" + image: "dtagdevsec/cowrie:1804" + read_only: true + volumes: + - /data/cowrie/downloads:/home/cowrie/cowrie/dl + - /data/cowrie/keys:/home/cowrie/cowrie/etc + - /data/cowrie/log:/home/cowrie/cowrie/log + - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty + +# Dionaea service + dionaea: + container_name: dionaea + stdin_open: true + tty: true + restart: always + network_mode: "host" + ports: + - "20:20" + - "21:21" + - "42:42" + - "69:69/udp" + - "81:81" + - "135:135" + - "443:443" + - "445:445" + - "1433:1433" + - "1723:1723" + - "1883:1883" + - "3306:3306" + - "5060:5060" + - "5060:5060/udp" + - "5061:5061" + - "27017:27017" + image: "dtagdevsec/dionaea:1804" + read_only: true 
+ volumes: + - /data/dionaea/roots/ftp:/opt/dionaea/var/dionaea/roots/ftp + - /data/dionaea/roots/tftp:/opt/dionaea/var/dionaea/roots/tftp + - /data/dionaea/roots/www:/opt/dionaea/var/dionaea/roots/www + - /data/dionaea/roots/upnp:/opt/dionaea/var/dionaea/roots/upnp + - /data/dionaea:/opt/dionaea/var/dionaea + - /data/dionaea/binaries:/opt/dionaea/var/dionaea/binaries + - /data/dionaea/log:/opt/dionaea/var/log + - /data/dionaea/rtp:/opt/dionaea/var/dionaea/rtp + +# Elasticpot service + elasticpot: + container_name: elasticpot + restart: always + stop_signal: SIGINT + networks: + - elasticpot_local + ports: + - "9200:9200" + image: "dtagdevsec/elasticpot:1804" + read_only: true + volumes: + - /data/elasticpot/log:/opt/ElasticpotPY/log + +# Heralding service + heralding: + container_name: heralding + restart: always + stop_signal: SIGINT + tmpfs: + - /tmp/heralding:uid=2000,gid=2000 + networks: + - heralding_local + ports: + # - "21:21" + # - "22:22" + # - "23:23" + # - "25:25" + # - "80:80" + - "110:110" + - "143:143" + # - "443:443" + - "993:993" + - "995:995" + - "5432:5432" + # - "5900:5900" + image: "dtagdevsec/heralding:1804" + read_only: true + volumes: + - /data/heralding/log:/var/log/heralding + +# Honeytrap service + honeytrap: + container_name: honeytrap + restart: always + tmpfs: + - /tmp/honeytrap:uid=2000,gid=2000 + network_mode: "host" + cap_add: + - NET_ADMIN + image: "dtagdevsec/honeytrap:1804" + read_only: true + volumes: + - /data/honeytrap/attacks:/opt/honeytrap/var/attacks + - /data/honeytrap/downloads:/opt/honeytrap/var/downloads + - /data/honeytrap/log:/opt/honeytrap/var/log + +# Mailoney service + mailoney: + container_name: mailoney + restart: always + environment: + - HPFEEDS_SERVER= + - HPFEEDS_IDENT=user + - HPFEEDS_SECRET=pass + - HPFEEDS_PORT=20000 + - HPFEEDS_CHANNELPREFIX=prefix + stop_signal: SIGINT + networks: + - mailoney_local + ports: + - "25:25" + image: "dtagdevsec/mailoney:1804" + read_only: true + volumes: + - 
/data/mailoney/log:/opt/mailoney/logs + +# Rdpy service + rdpy: + container_name: rdpy + extra_hosts: + - hpfeeds.example.com:127.0.0.1 + restart: always + environment: + - HPFEEDS_SERVER=hpfeeds.example.com + - HPFEEDS_IDENT=user + - HPFEEDS_SECRET=pass + - HPFEEDS_PORT=65000 + - SERVERID=id + networks: + - rdpy_local + ports: + - "3389:3389" + image: "dtagdevsec/rdpy:1804" + read_only: true + volumes: + - /data/rdpy/log:/var/log/rdpy + +#### Snare / Tanner +## Tanner Redis Service + tanner_redis: + container_name: tanner_redis + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + image: "dtagdevsec/redis:1804" + read_only: true + +## PHP Sandbox service + tanner_phpox: + container_name: tanner_phpox + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + image: "dtagdevsec/phpox:1804" + read_only: true + +## Tanner API Service + tanner_api: + container_name: tanner_api + restart: always + stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + command: tannerapi + depends_on: + - tanner_redis + +## Tanner WEB Service + tanner_web: + container_name: tanner_web + restart: always + stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + command: tannerweb + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + depends_on: + - tanner_redis + +## Tanner Service + tanner: + container_name: tanner + restart: always + stop_signal: SIGKILL + tmpfs: + - /tmp/tanner:uid=2000,gid=2000 + tty: true + networks: + - tanner_local + image: "dtagdevsec/tanner:1804" + command: tanner + read_only: true + volumes: + - /data/tanner/log:/var/log/tanner + - /data/tanner/files:/opt/tanner/files + depends_on: + - tanner_api + - tanner_web + - tanner_phpox + +## Snare Service + snare: + 
container_name: snare + restart: always + stop_signal: SIGKILL + tty: true + networks: + - tanner_local + ports: + - "80:80" + image: "dtagdevsec/snare:1804" + depends_on: + - tanner + +# Vnclowpot service + vnclowpot: + container_name: vnclowpot + restart: always + networks: + - vnclowpot_local + ports: + - "5900:5900" + image: "dtagdevsec/vnclowpot:1804" + read_only: true + volumes: + - /data/vnclowpot/log:/var/log/vnclowpot + + +################## +#### NSM +################## + +# P0f service + p0f: + container_name: p0f + restart: always + network_mode: "host" + image: "dtagdevsec/p0f:1804" + read_only: true + volumes: + - /data/p0f/log:/var/log/p0f + +# Suricata service + suricata: + container_name: suricata + restart: always + stop_signal: SIGINT + environment: + # For ET Pro ruleset replace "OPEN" with your OINKCODE + - OINKCODE=OPEN + network_mode: "host" + cap_add: + - NET_ADMIN + - SYS_NICE + - NET_RAW + image: "dtagdevsec/suricata:1804" + volumes: + - /data/suricata/log:/var/log/suricata + + +################## +#### Tools +################## + +# Ewsposter service + ewsposter: + container_name: ewsposter + restart: always + stop_signal: SIGINT + networks: + - ewsposter_local + env_file: + - /opt/tpot/etc/compose/elk_environment + image: "dtagdevsec/ewsposter:1804" + volumes: + - /data:/data + - /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip