From 809d598076effdb987ec3007526cdb5d60342d37 Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Tue, 10 Mar 2020 10:12:50 +0000 Subject: [PATCH 1/2] reactivate netselect-apt automatic mirror detection needs ICMP --- iso/installer/install.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/iso/installer/install.sh b/iso/installer/install.sh index b1a420af..28c54ae1 100755 --- a/iso/installer/install.sh +++ b/iso/installer/install.sh @@ -279,21 +279,21 @@ function fuCHECKNET { # Install T-Pot dependencies function fuGET_DEPS { export DEBIAN_FRONTEND=noninteractive -# # Determine fastest mirror -# echo -# echo "### Determine fastest mirror for your location." -# echo -# netselect-apt -n -a amd64 unstable && cp sources.list /etc/apt/ -# mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c unstable) -# if [ "$mySOURCESCHECK" == "0" ] -# then -# echo "### Automatic mirror selection failed, using main mirror." -# Point to Debian (Sid, unstable) + # Determine fastest mirror + echo + echo "### Determine fastest mirror for your location." + echo + netselect-apt -n -a amd64 unstable && cp sources.list /etc/apt/ + mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c unstable) + if [ "$mySOURCESCHECK" == "0" ] + then + echo "### Automatic mirror selection failed, using main mirror." + # Point to Debian (Sid, unstable) tee /etc/apt/sources.list < Date: Tue, 10 Mar 2020 15:39:16 +0000 Subject: [PATCH 2/2] add 2fa, update reamde and changelog --- CHANGELOG.md | 6 ++++ README.md | 4 ++- bin/2fa.sh | 77 ++++++++++++++++++++++++++++++++++++++++ iso/installer/install.sh | 2 +- update.sh | 2 +- 5 files changed, 88 insertions(+), 3 deletions(-) create mode 100755 bin/2fa.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 43ea56aa..da4fbee4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,11 @@ # Changelog +## 20203010 +- **Add 2FA to Cockpit** + - Just run `2fa.sh` to enable two factor authentication in Cockpit. +- **Find fastest mirror with netselect-apt** + - Netselect-apt will find the fastest mirror close to you (outgoing ICMP required). + ## 20200309 - **Bump Nextgen to 20.06** - All NextGen images have been rebuilt to their latest master. diff --git a/README.md b/README.md index 32b7924f..fdf5e7aa 100644 --- a/README.md +++ b/README.md @@ -387,7 +387,7 @@ In case you need external Admin UI access, forward TCP port 64294 to T-Pot, see In case you need external SSH access, forward TCP port 64295 to T-Pot, see below. In case you need external Web UI access, forward TCP port 64297 to T-Pot, see below. -T-Pot requires outgoing git, http, https connections for updates (Debian, Docker, GitHub, PyPi) and attack submission (ewsposter, hpfeeds). Ports and availability may vary based on your geographical location. +T-Pot requires outgoing git, http, https connections for updates (Debian, Docker, GitHub, PyPi) and attack submission (ewsposter, hpfeeds). Ports and availability may vary based on your geographical location. Also during first install outgoing ICMP is required additionally to find the closest and fastest mirror to you. # Updates @@ -424,6 +424,8 @@ If you do not have a SSH client at hand and still want to access the machine via - user: **[tsec or user]** *you chose during one of the post install methods* - pass: **[password]** *you chose during the installation* +You can also add two factor authentication to Cockpit just by running `2fa.sh` on the command line. + ![Cockpit Terminal](doc/cockpit3.png) diff --git a/bin/2fa.sh b/bin/2fa.sh new file mode 100755 index 00000000..bbd82c8f --- /dev/null +++ b/bin/2fa.sh 
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Make sure script is started as non-root.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" = "root" ]
+ then
+ echo "Need to run as non-root ..."
+ echo ""
+ exit
+fi
+
+# set vars, check deps
+myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
+if ! [ -s "$myPAM_COCKPIT_FILE" ];
+ then
+ echo "### Cockpit PAM module config does not exist. Something went wrong."
+ echo ""
+ exit 1
+fi
+myPAM_COCKPIT_GA="
+
+# google authenticator for two-factor
+auth required pam_google_authenticator.so
+"
+myAUTHENTICATOR=$(which google-authenticator)
+if [ "$myAUTHENTICATOR" == "" ];
+ then
+ echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
+ echo ""
+ sudo apt-get update
+ sudo apt-get install -y libpam-google-authenticator
+ exec "$1" "$2"
+ exit 1
+fi
+
+
+# write PAM changes
+function fuWRITE_PAM_CHANGES {
+ myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
+ if ! [ "$myCHECK" == "0" ];
+ then
+ echo "### PAM config already enabled. Skipped."
+ echo ""
+ else
+ echo "### Updating PAM config for Cockpit (if asked provide root password)."
+ echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
+ sudo systemctl restart cockpit
+ fi
+}
+
+# create 2fa
+function fuGEN_TOKEN {
+ echo "### Now generating token for Google Authenticator."
+ echo ""
+ google-authenticator -t -d -r 3 -R 30 -w 17
+}
+
+
+# main
+echo "### This script will enable Two Factor Authentication for Cockpit."
+echo ""
+echo "### Please download one of the many authenticator apps from the appstore of your choice."
+echo ""
+while true;
+ do
+ read -p "### Ready to start (y/n)? " myANSWER
+ case $myANSWER in
+ [Yy]* ) echo "### OK. Starting ..."; break;;
+ [Nn]* ) echo "### Exiting."; exit;;
+ esac
+done
+
+fuWRITE_PAM_CHANGES
+fuGEN_TOKEN
+
+echo "Done. Re-run this script by every user who needs Cockpit access."
+echo ""
diff --git a/iso/installer/install.sh b/iso/installer/install.sh
index 28c54ae1..ddad6764 100755
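Review bot: In the main sequence at the end of bin/2fa.sh, `fuWRITE_PAM_CHANGES` runs before `fuGEN_TOKEN`, so `auth required pam_google_authenticator.so` is live and Cockpit is restarted before the calling user has a secret; because the line carries no `nullok`, an aborted or failed enrollment leaves that user, and every other account that has not yet run the script, unable to log in to Cockpit. Enrolling first and gating the PAM change on success, `fuGEN_TOKEN && fuWRITE_PAM_CHANGES`, keeps the fail-closed policy without that window. In the install branch, `exec "$1" "$2"` receives empty arguments when the script is started without parameters as the README describes, so the restart fails; `exec "$0" "$@"` is presumably what was meant. `-w 17` accepts the 8 codes on either side of the current one (roughly four minutes of clock skew), and since the package lists in this patch install `ntp` the default window looks sufficient; a comment such as `# -w 17: tolerate up to ~4 min clock skew` would at least record why the wider window was chosen.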
--- a/iso/installer/install.sh +++ b/iso/installer/install.sh @@ -14,7 +14,7 @@ myLSB_STABLE_SUPPORTED="stretch buster" myLSB_TESTING_SUPPORTED="sid" myREMOTESITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org" myPREINSTALLPACKAGES="aria2 apache2-utils cracklib-runtime curl dialog figlet fuse grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet" -myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" +myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" myINFO="\ ######################################## ### T-Pot Installer for Debian (Sid) ### diff --git a/update.sh b/update.sh index 5ad31dd3..9678a29b 100755 --- a/update.sh +++ b/update.sh 
@@ -183,7 +183,7 @@ function fuUPDATER () { export DEBIAN_FRONTEND=noninteractive echo "### Installing apt-fast" /bin/bash -c "$(curl -sL https://raw.githubusercontent.com/ilikenwf/apt-fast/master/quick-install.sh)" -local myPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-elasticsearch-curator python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" +local myPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-elasticsearch-curator python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" echo "### Removing pip based install of elasticsearch-curator" pip3 uninstall elasticsearch-curator -y hash -r