Merge pull request #576 from dtag-dev-sec/dev

Dev

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 20203010
+- **Add 2FA to Cockpit**
+  - Just run `2fa.sh` to enable two factor authentication in Cockpit.
+- **Find fastest mirror with netselect-apt**
+  - Netselect-apt will find the fastest mirror close to you (outgoing ICMP required).
+
 ## 20200309
 - **Bump Nextgen to 20.06**
   - All NextGen images have been rebuilt to their latest master.

README.md

@@ -387,7 +387,7 @@ In case you need external Admin UI access, forward TCP port 64294 to T-Pot, see
 In case you need external SSH access, forward TCP port 64295 to T-Pot, see below.
 In case you need external Web UI access, forward TCP port 64297 to T-Pot, see below.
 
-T-Pot requires outgoing git, http, https connections for updates (Debian, Docker, GitHub, PyPi) and attack submission (ewsposter, hpfeeds). Ports and availability may vary based on your geographical location.
+T-Pot requires outgoing git, http, https connections for updates (Debian, Docker, GitHub, PyPi) and attack submission (ewsposter, hpfeeds). Ports and availability may vary based on your geographical location. Also during first install outgoing ICMP is required additionally to find the closest and fastest mirror to you.
 
 <a name="updates"></a>
 # Updates
@@ -424,6 +424,8 @@ If you do not have a SSH client at hand and still want to access the machine via
 - user: **[tsec or user]** *you chose during one of the post install methods*
 - pass: **[password]** *you chose during the installation*
 
+You can also add two factor authentication to Cockpit just by running `2fa.sh` on the command line.
+
 ![Cockpit Terminal](doc/cockpit3.png)
 
 <a name="kibana"></a>

bin/2fa.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Make sure script is started as non-root.
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" = "root" ]
+  then
+    echo "Need to run as non-root ..."
+    echo ""
+    exit
+fi
+
+# set vars, check deps
+myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
+if ! [ -s "$myPAM_COCKPIT_FILE" ];
+  then
+    echo "### Cockpit PAM module config does not exist. Something went wrong."
+    echo ""
+    exit 1
+fi
+myPAM_COCKPIT_GA="
+
+# google authenticator for two-factor
+auth required pam_google_authenticator.so
+"
+myAUTHENTICATOR=$(which google-authenticator)
+if [ "$myAUTHENTICATOR" == "" ];
+  then
+    echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
+    echo ""
+    sudo apt-get update
+    sudo apt-get install -y libpam-google-authenticator
+    exec "$1" "$2"    
+    exit 1
+fi
+
+
+# write PAM changes 
+function fuWRITE_PAM_CHANGES {
+  myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
+  if ! [ "$myCHECK" == "0" ];
+    then
+      echo "### PAM config already enabled. Skipped."
+      echo ""
+    else
+      echo "### Updating PAM config for Cockpit (if asked provide root password)."
+      echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
+      sudo systemctl restart cockpit
+  fi
+}
+
+# create 2fa
+function fuGEN_TOKEN {
+  echo "### Now generating token for Google Authenticator."
+  echo ""
+  google-authenticator -t -d -r 3 -R 30 -w 17
+}
+
+
+# main
+echo "### This script will enable Two Factor Authentication for Cockpit."
+echo ""
+echo "### Please download one of the many authenticator apps from the appstore of your choice."
+echo ""
+while true;
+  do
+    read -p "### Ready to start (y/n)? " myANSWER
+    case $myANSWER in
+      [Yy]* ) echo "### OK. Starting ..."; break;;
+      [Nn]* ) echo "### Exiting."; exit;;
+    esac
+done
+
+fuWRITE_PAM_CHANGES
+fuGEN_TOKEN
+
+echo "Done. Re-run this script by every user who needs Cockpit access."
+echo ""

iso/installer/install.sh

@@ -14,7 +14,7 @@ myLSB_STABLE_SUPPORTED="stretch buster"
 myLSB_TESTING_SUPPORTED="sid"
 myREMOTESITES="https://hub.docker.com https://github.com https://pypi.python.org https://debian.org"
 myPREINSTALLPACKAGES="aria2 apache2-utils cracklib-runtime curl dialog figlet fuse grc libcrack2 libpq-dev lsb-release netselect-apt net-tools software-properties-common toilet"
-myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
+myINSTALLPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
 myINFO="\
 ########################################
 ### T-Pot Installer for Debian (Sid) ###
@@ -279,21 +279,21 @@ function fuCHECKNET {
 # Install T-Pot dependencies
 function fuGET_DEPS {
   export DEBIAN_FRONTEND=noninteractive
-#  # Determine fastest mirror
-#  echo
-#  echo "### Determine fastest mirror for your location."
-#  echo
-#  netselect-apt -n -a amd64 unstable && cp sources.list /etc/apt/
-#  mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c unstable)
-#  if [ "$mySOURCESCHECK" == "0" ]
-#    then
-#      echo "### Automatic mirror selection failed, using main mirror."
+  # Determine fastest mirror
+  echo
+  echo "### Determine fastest mirror for your location."
+  echo
+  netselect-apt -n -a amd64 unstable && cp sources.list /etc/apt/
+  mySOURCESCHECK=$(cat /etc/apt/sources.list | grep -c unstable)
+  if [ "$mySOURCESCHECK" == "0" ]
+    then
+      echo "### Automatic mirror selection failed, using main mirror."
       # Point to Debian (Sid, unstable)
 tee /etc/apt/sources.list <<EOF
 deb http://deb.debian.org/debian unstable main contrib non-free
 deb-src http://deb.debian.org/debian unstable main contrib non-free
 EOF
-#  fi
+  fi
   echo
   echo "### Getting update information."
   echo

update.sh

@@ -183,7 +183,7 @@ function fuUPDATER () {
 export DEBIAN_FRONTEND=noninteractive
 echo "### Installing apt-fast"
 /bin/bash -c "$(curl -sL https://raw.githubusercontent.com/ilikenwf/apt-fast/master/quick-install.sh)"
-local myPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-elasticsearch-curator python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
+local myPACKAGES="aria2 apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker console-setup console-setup-linux cracklib-runtime curl debconf-utils dialog dnsutils docker.io docker-compose elasticsearch-curator ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq kbd libcrack2 libltdl7 libpam-google-authenticator man mosh multitail netselect-apt net-tools npm ntp openssh-server openssl pass pigz prips software-properties-common syslinux psmisc pv python3-elasticsearch-curator python3-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant"
 echo "### Removing pip based install of elasticsearch-curator"
 pip3 uninstall elasticsearch-curator -y
 hash -r