work on permissions, folders and tpotinit

t3chn0m4g3 2024-02-14 19:04:05 +01:00
parent ef2f5b3f93
commit efd5465837
3 changed files with 117 additions and 98 deletions


@ -42,8 +42,8 @@ fuLOGROTATE () {
# Ensure correct permissions and ownerships for logrotate to run without issues # Ensure correct permissions and ownerships for logrotate to run without issues
chmod 770 /data/ -R chmod 770 /data/ -R
chown tpot:tpot /data -R chown tpot:tpot /data -R
chmod 644 /data/nginx/conf -R chmod 774 /data/nginx/conf -R
chmod 644 /data/nginx/cert -R chmod 774 /data/nginx/cert -R
# Run logrotate with force (-f) first, so the status file can be written and race conditions (with tar) be avoided # Run logrotate with force (-f) first, so the status file can be written and race conditions (with tar) be avoided
logrotate -f -s $mySTATUS $myCONF logrotate -f -s $mySTATUS $myCONF
@ -74,10 +74,23 @@ chown tpot:tpot $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONA
logrotate -s $mySTATUS $myCONF logrotate -s $mySTATUS $myCONF
} }
# Let's create a function to clean up and prepare tpotinit data
fuTPOTINIT () {
mkdir -vp /data/ews/conf \
/data/tpot/etc/{compose,logrotate} \
/tmp/etc/
chmod 770 /data/ews/ -R
chmod 770 /data/tpot/ -R
chmod 770 /tmp/etc/ -R
chown tpot:tpot /data/ews/ -R
chown tpot:tpot /data/tpot/ -R
chown tpot:tpot /tmp/etc/ -R
}
# Let's create a function to clean up and prepare honeytrap data # Let's create a function to clean up and prepare honeytrap data
fuADBHONEY () { fuADBHONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi
mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/ mkdir -vp /data/adbhoney/{downloads,log}
chmod 770 /data/adbhoney/ -R chmod 770 /data/adbhoney/ -R
chown tpot:tpot /data/adbhoney/ -R chown tpot:tpot /data/adbhoney/ -R
} }
@ -85,7 +98,7 @@ fuADBHONEY () {
# Let's create a function to clean up and prepare ciscoasa data # Let's create a function to clean up and prepare ciscoasa data
fuCISCOASA () { fuCISCOASA () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi
mkdir -p /data/ciscoasa/log mkdir -vp /data/ciscoasa/log
chmod 770 /data/ciscoasa -R chmod 770 /data/ciscoasa -R
chown tpot:tpot /data/ciscoasa -R chown tpot:tpot /data/ciscoasa -R
} }
@ -93,7 +106,7 @@ fuCISCOASA () {
# Let's create a function to clean up and prepare citrixhoneypot data # Let's create a function to clean up and prepare citrixhoneypot data
fuCITRIXHONEYPOT () { fuCITRIXHONEYPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi
mkdir -p /data/citrixhoneypot/logs/ mkdir -vp /data/citrixhoneypot/logs/
chmod 770 /data/citrixhoneypot/ -R chmod 770 /data/citrixhoneypot/ -R
chown tpot:tpot /data/citrixhoneypot/ -R chown tpot:tpot /data/citrixhoneypot/ -R
} }
@ -101,7 +114,7 @@ fuCITRIXHONEYPOT () {
# Let's create a function to clean up and prepare conpot data # Let's create a function to clean up and prepare conpot data
fuCONPOT () { fuCONPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
mkdir -p /data/conpot/log mkdir -vp /data/conpot/log
chmod 770 /data/conpot -R chmod 770 /data/conpot -R
chown tpot:tpot /data/conpot -R chown tpot:tpot /data/conpot -R
} }
@ -109,7 +122,7 @@ fuCONPOT () {
# Let's create a function to clean up and prepare cowrie data # Let's create a function to clean up and prepare cowrie data
fuCOWRIE () { fuCOWRIE () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi
mkdir -p /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/ mkdir -vp /data/cowrie/{downloads,keys,misc,log,log/tty}
chmod 770 /data/cowrie -R chmod 770 /data/cowrie -R
chown tpot:tpot /data/cowrie -R chown tpot:tpot /data/cowrie -R
} }
@ -117,7 +130,7 @@ fuCOWRIE () {
# Let's create a function to clean up and prepare ddospot data # Let's create a function to clean up and prepare ddospot data
fuDDOSPOT () { fuDDOSPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
mkdir -p /data/ddospot/bl /data/ddospot/db /data/ddospot/log mkdir -vp /data/ddospot/{bl,db,log}
chmod 770 /data/ddospot -R chmod 770 /data/ddospot -R
chown tpot:tpot /data/ddospot -R chown tpot:tpot /data/ddospot -R
} }
@ -125,8 +138,7 @@ fuDDOSPOT () {
# Let's create a function to clean up and prepare dicompot data # Let's create a function to clean up and prepare dicompot data
fuDICOMPOT () { fuDICOMPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
mkdir -p /data/dicompot/log mkdir -vp /data/dicompot/{images,log}
mkdir -p /data/dicompot/images
chmod 770 /data/dicompot -R chmod 770 /data/dicompot -R
chown tpot:tpot /data/dicompot -R chown tpot:tpot /data/dicompot -R
} }
@ -134,7 +146,12 @@ fuDICOMPOT () {
# Let's create a function to clean up and prepare dionaea data # Let's create a function to clean up and prepare dionaea data
fuDIONAEA () { fuDIONAEA () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp mkdir -vp /data/dionaea/{log,bistreams,binaries,rtp,roots,roots/ftp,roots/tftp,roots/www,roots/upnp}
touch /data/dionaea/dionaea-errors.log
touch /data/dionaea/sipaccounts.sqlite
touch /data/dionaea/sipaccounts.sqlite-journal
touch /data/dionaea/log/dionaea.json
touch /data/dionaea/log/dionaea.sqlite
chmod 770 /data/dionaea -R chmod 770 /data/dionaea -R
chown tpot:tpot /data/dionaea -R chown tpot:tpot /data/dionaea -R
} }
@ -142,7 +159,7 @@ fuDIONAEA () {
# Let's create a function to clean up and prepare elasticpot data # Let's create a function to clean up and prepare elasticpot data
fuELASTICPOT () { fuELASTICPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi
mkdir -p /data/elasticpot/log mkdir -vp /data/elasticpot/log
chmod 770 /data/elasticpot -R chmod 770 /data/elasticpot -R
chown tpot:tpot /data/elasticpot -R chown tpot:tpot /data/elasticpot -R
} }
@ -152,7 +169,7 @@ fuELK () {
# ELK data will be kept for <= 90 days, check /etc/crontab for curator modification # ELK data will be kept for <= 90 days, check /etc/crontab for curator modification
# ELK daemon log files will be removed # ELK daemon log files will be removed
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi
mkdir -p /data/elk mkdir -vp /data/elk/{data,log}
chmod 770 /data/elk -R chmod 770 /data/elk -R
chown tpot:tpot /data/elk -R chown tpot:tpot /data/elk -R
} }
@ -160,7 +177,7 @@ fuELK () {
# Let's create a function to clean up and prepare endlessh data # Let's create a function to clean up and prepare endlessh data
fuENDLESSH () { fuENDLESSH () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
mkdir -p /data/endlessh/log mkdir -vp /data/endlessh/log
chmod 770 /data/endlessh -R chmod 770 /data/endlessh -R
chown tpot:tpot /data/endlessh -R chown tpot:tpot /data/endlessh -R
} }
@ -168,7 +185,7 @@ fuENDLESSH () {
# Let's create a function to clean up and prepare fatt data # Let's create a function to clean up and prepare fatt data
fuFATT () { fuFATT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
mkdir -p /data/fatt/log mkdir -vp /data/fatt/log
chmod 770 -R /data/fatt chmod 770 -R /data/fatt
chown tpot:tpot -R /data/fatt chown tpot:tpot -R /data/fatt
} }
@ -176,7 +193,7 @@ fuFATT () {
# Let's create a function to clean up and prepare glastopf data # Let's create a function to clean up and prepare glastopf data
fuGLUTTON () { fuGLUTTON () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
mkdir -p /data/glutton/log mkdir -vp /data/glutton/log
chmod 770 /data/glutton -R chmod 770 /data/glutton -R
chown tpot:tpot /data/glutton -R chown tpot:tpot /data/glutton -R
} }
@ -184,7 +201,7 @@ fuGLUTTON () {
# Let's create a function to clean up and prepare hellpot data # Let's create a function to clean up and prepare hellpot data
fuHELLPOT () { fuHELLPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
mkdir -p /data/hellpot/log mkdir -vp /data/hellpot/log
chmod 770 /data/hellpot -R chmod 770 /data/hellpot -R
chown tpot:tpot /data/hellpot -R chown tpot:tpot /data/hellpot -R
} }
@ -192,7 +209,7 @@ fuHELLPOT () {
# Let's create a function to clean up and prepare heralding data # Let's create a function to clean up and prepare heralding data
fuHERALDING () { fuHERALDING () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
mkdir -p /data/heralding/log mkdir -vp /data/heralding/log
chmod 770 /data/heralding -R chmod 770 /data/heralding -R
chown tpot:tpot /data/heralding -R chown tpot:tpot /data/heralding -R
} }
@ -200,7 +217,7 @@ fuHERALDING () {
# Let's create a function to clean up and prepare honeypots data # Let's create a function to clean up and prepare honeypots data
fuHONEYPOTS () { fuHONEYPOTS () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
mkdir -p /data/honeypots/log mkdir -vp /data/honeypots/log
chmod 770 /data/honeypots -R chmod 770 /data/honeypots -R
chown tpot:tpot /data/honeypots -R chown tpot:tpot /data/honeypots -R
} }
@ -208,7 +225,7 @@ fuHONEYPOTS () {
# Let's create a function to clean up and prepare honeysap data # Let's create a function to clean up and prepare honeysap data
fuHONEYSAP () { fuHONEYSAP () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi
mkdir -p /data/honeysap/log mkdir -vp /data/honeysap/log
chmod 770 /data/honeysap -R chmod 770 /data/honeysap -R
chown tpot:tpot /data/honeysap -R chown tpot:tpot /data/honeysap -R
} }
@ -216,7 +233,7 @@ fuHONEYSAP () {
# Let's create a function to clean up and prepare honeytrap data # Let's create a function to clean up and prepare honeytrap data
fuHONEYTRAP () { fuHONEYTRAP () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ mkdir -vp /data/honeytrap/{log,attacks,downloads}
chmod 770 /data/honeytrap/ -R chmod 770 /data/honeytrap/ -R
chown tpot:tpot /data/honeytrap/ -R chown tpot:tpot /data/honeytrap/ -R
} }
@ -224,7 +241,7 @@ fuHONEYTRAP () {
# Let's create a function to clean up and prepare ipphoney data # Let's create a function to clean up and prepare ipphoney data
fuIPPHONEY () { fuIPPHONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
mkdir -p /data/ipphoney/log mkdir -vp /data/ipphoney/log
chmod 770 /data/ipphoney -R chmod 770 /data/ipphoney -R
chown tpot:tpot /data/ipphoney -R chown tpot:tpot /data/ipphoney -R
} }
@ -232,7 +249,7 @@ fuIPPHONEY () {
# Let's create a function to clean up and prepare log4pot data # Let's create a function to clean up and prepare log4pot data
fuLOG4POT () { fuLOG4POT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
mkdir -p /data/log4pot/log mkdir -vp /data/log4pot/{log,payloads}
chmod 770 /data/log4pot -R chmod 770 /data/log4pot -R
chown tpot:tpot /data/log4pot -R chown tpot:tpot /data/log4pot -R
} }
@ -240,7 +257,7 @@ fuLOG4POT () {
# Let's create a function to clean up and prepare mailoney data # Let's create a function to clean up and prepare mailoney data
fuMAILONEY () { fuMAILONEY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
mkdir -p /data/mailoney/log/ mkdir -vp /data/mailoney/log/
chmod 770 /data/mailoney/ -R chmod 770 /data/mailoney/ -R
chown tpot:tpot /data/mailoney/ -R chown tpot:tpot /data/mailoney/ -R
} }
@ -248,7 +265,7 @@ fuMAILONEY () {
# Let's create a function to clean up and prepare mailoney data # Let's create a function to clean up and prepare mailoney data
fuMEDPOT () { fuMEDPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi
mkdir -p /data/medpot/log/ mkdir -vp /data/medpot/log/
chmod 770 /data/medpot/ -R chmod 770 /data/medpot/ -R
chown tpot:tpot /data/medpot/ -R chown tpot:tpot /data/medpot/ -R
} }
@ -256,23 +273,17 @@ fuMEDPOT () {
# Let's create a function to clean up nginx logs # Let's create a function to clean up nginx logs
fuNGINX () { fuNGINX () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/nginx/log/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/nginx/log/*; fi
mkdir -vp /data/nginx/{cert,conf,log}
touch /data/nginx/log/error.log touch /data/nginx/log/error.log
chmod 644 /data/nginx/conf -R chmod 774 /data/nginx/conf -R
chmod 644 /data/nginx/cert -R chmod 774 /data/nginx/cert -R
} chown tpot:tpot /data/nginx -R
# Let's create a function to clean up and prepare rdpy data
fuRDPY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi
mkdir -p /data/rdpy/log/
chmod 770 /data/rdpy/ -R
chown tpot:tpot /data/rdpy/ -R
} }
# Let's create a function to clean up and prepare redishoneypot data # Let's create a function to clean up and prepare redishoneypot data
fuREDISHONEYPOT () { fuREDISHONEYPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
mkdir -p /data/redishoneypot/log mkdir -vp /data/redishoneypot/log
chmod 770 /data/redishoneypot -R chmod 770 /data/redishoneypot -R
chown tpot:tpot /data/redishoneypot -R chown tpot:tpot /data/redishoneypot -R
} }
@ -280,14 +291,14 @@ fuREDISHONEYPOT () {
# Let's create a function to clean up and prepare sentrypeer data # Let's create a function to clean up and prepare sentrypeer data
fuSENTRYPEER () { fuSENTRYPEER () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
mkdir -p /data/sentrypeer/log mkdir -vp /data/sentrypeer/log
chmod 770 /data/sentrypeer -R chmod 770 /data/sentrypeer -R
chown tpot:tpot /data/sentrypeer -R chown tpot:tpot /data/sentrypeer -R
} }
# Let's create a function to prepare spiderfoot db # Let's create a function to prepare spiderfoot db
fuSPIDERFOOT () { fuSPIDERFOOT () {
mkdir -p /data/spiderfoot mkdir -vp /data/spiderfoot
touch /data/spiderfoot/spiderfoot.db touch /data/spiderfoot/spiderfoot.db
chmod 770 -R /data/spiderfoot chmod 770 -R /data/spiderfoot
chown tpot:tpot -R /data/spiderfoot chown tpot:tpot -R /data/spiderfoot
@ -296,7 +307,7 @@ fuSPIDERFOOT () {
# Let's create a function to clean up and prepare suricata data # Let's create a function to clean up and prepare suricata data
fuSURICATA () { fuSURICATA () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi
mkdir -p /data/suricata/log mkdir -vp /data/suricata/log
chmod 770 -R /data/suricata chmod 770 -R /data/suricata
chown tpot:tpot -R /data/suricata chown tpot:tpot -R /data/suricata
} }
@ -304,7 +315,7 @@ fuSURICATA () {
# Let's create a function to clean up and prepare p0f data # Let's create a function to clean up and prepare p0f data
fuP0F () { fuP0F () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi
mkdir -p /data/p0f/log mkdir -vp /data/p0f/log
chmod 770 -R /data/p0f chmod 770 -R /data/p0f
chown tpot:tpot -R /data/p0f chown tpot:tpot -R /data/p0f
} }
@ -312,7 +323,7 @@ fuP0F () {
# Let's create a function to clean up and prepare p0f data # Let's create a function to clean up and prepare p0f data
fuTANNER () { fuTANNER () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi
mkdir -p /data/tanner/log /data/tanner/files mkdir -vp /data/tanner/{log,files}
chmod 770 -R /data/tanner chmod 770 -R /data/tanner
chown tpot:tpot -R /data/tanner chown tpot:tpot -R /data/tanner
} }
@ -320,7 +331,7 @@ fuTANNER () {
# Let's create a function to clean up and prepare wordpot data # Let's create a function to clean up and prepare wordpot data
fuWORDPOT () { fuWORDPOT () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/wordpot/log; fi if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/wordpot/log; fi
mkdir -p /data/wordpot/log mkdir -vp /data/wordpot/log
chmod 770 /data/wordpot -R chmod 770 /data/wordpot -R
chown tpot:tpot /data/wordpot -R chown tpot:tpot /data/wordpot -R
} }
@ -345,37 +356,38 @@ if [ "$myPERSISTENCE" = "on" ];
then then
echo "Persistence enabled, now rotating and compressing logs." echo "Persistence enabled, now rotating and compressing logs."
fuLOGROTATE fuLOGROTATE
else fi
echo "Cleaning up and preparing data folders."
fuADBHONEY echo
fuCISCOASA echo "Checking and preparing data folders."
fuCITRIXHONEYPOT fuTPOTINIT
fuCONPOT fuADBHONEY
fuCOWRIE fuCISCOASA
fuDDOSPOT fuCITRIXHONEYPOT
fuDICOMPOT fuCONPOT
fuDIONAEA fuCOWRIE
fuELASTICPOT fuDDOSPOT
fuELK fuDICOMPOT
fuENDLESSH fuDIONAEA
fuFATT fuELASTICPOT
fuGLUTTON fuELK
fuHERALDING fuENDLESSH
fuHELLPOT fuFATT
fuHONEYSAP fuGLUTTON
fuHONEYPOTS fuHERALDING
fuHONEYTRAP fuHELLPOT
fuIPPHONEY fuHONEYSAP
fuLOG4POT fuHONEYPOTS
fuMAILONEY fuHONEYTRAP
fuMEDPOT fuIPPHONEY
fuNGINX fuLOG4POT
fuREDISHONEYPOT fuMAILONEY
fuRDPY fuMEDPOT
fuSENTRYPEER fuNGINX
fuSPIDERFOOT fuREDISHONEYPOT
fuSURICATA fuSENTRYPEER
fuP0F fuSPIDERFOOT
fuTANNER fuSURICATA
fuWORDPOT fuP0F
fi fuTANNER
fuWORDPOT
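Review bot: `chmod 774 /data/nginx/conf -R` and `chmod 774 /data/nginx/cert -R` in fuNGINX (and the same pair in fuLOGROTATE) leave both trees readable by every local user, because 774 still grants `o+r`, and the recursive mode also sets the execute bit on plain files; the other file in this commit writes the htpasswd hashes to `/data/nginx/conf/nginxpasswd` and generates the self-signed certificate under `/data/nginx/cert`, presumably together with its private key, so those are the files exposed. The previous 644 had the same world-read exposure, so this is a missed fix rather than a regression, but every other data directory in this script is set to 770 and the consistent line is `chmod 770 /data/nginx/{cert,conf} -R` directly after `chown tpot:tpot /data/nginx -R`. If the nginx container runs as a different uid and genuinely needs read access, putting that uid in the `tpot` group (or a group-only 750/640) is narrower than world-read, and the reason the nginx trees differ from the rest deserves a comment such as `# nginx runs as a different user than tpot, keep conf/cert group-readable`.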


@ -35,15 +35,18 @@ check_safety() {
# Function to check the safety of the WEB_USER variable # Function to check the safety of the WEB_USER variable
check_web_user_safety() { check_web_user_safety() {
local web_user="$1" local web_user="$1"
local IFS=$'\n' # Set the Internal Field Separator (IFS) to newline for the loop
# Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash) # Iterate over each line in web_user
if [[ ! $web_user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; for user in $web_user; do
then # Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash)
echo "# Error: Unsafe characters detected in WEB_USER." if [[ ! $user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; then
echo echo "# Error: Unsafe characters / wrong format detected in WEB_USER for user $user."
echo "# Aborting" echo
exit 1 echo "# Aborting"
fi exit 1
fi
done
} }
# Function to validate specific variable formats # Function to validate specific variable formats
@ -67,6 +70,14 @@ validate_format() {
esac esac
} }
create_web_users() {
echo
echo "# Creating web user from .env ..."
echo
echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
touch /data/nginx/conf/lswebpasswd
}
# Validate environment variables # Validate environment variables
for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TEXT_TIMEZONE TPOT_REPO TPOT_VERSION TPOT_PULL_POLICY TPOT_OSTYPE; for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TEXT_TIMEZONE TPOT_REPO TPOT_VERSION TPOT_PULL_POLICY TPOT_OSTYPE;
do do
@ -103,6 +114,7 @@ if [ -f "/data/uuid" ];
then then
figlet "Initializing ..." figlet "Initializing ..."
figlet "T-Pot: ${TPOT_VERSION}" figlet "T-Pot: ${TPOT_VERSION}"
create_web_users
echo echo
echo "# Data folder is present, just cleaning up, please be patient ..." echo "# Data folder is present, just cleaning up, please be patient ..."
echo echo
@ -123,11 +135,7 @@ if [ -f "/data/uuid" ];
echo echo
echo "# Setting up data folder structure ..." echo "# Setting up data folder structure ..."
echo echo
mkdir -vp /data/ews/conf \ /opt/tpot/bin/clean.sh off
/data/nginx/{cert,conf,log} \
/data/tpot/etc/compose/ \
/data/tpot/etc/logrotate/ \
/tmp/etc/
echo echo
echo "# Generating self signed certificate ..." echo "# Generating self signed certificate ..."
echo echo
@ -143,15 +151,11 @@ if [ -f "/data/uuid" ];
-subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' \ -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' \
-addext "subjectAltName = IP:${myINTIP}" -addext "subjectAltName = IP:${myINTIP}"
echo echo
echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..." create_web_users
echo
echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
touch /data/nginx/conf/lswebpasswd
echo echo
echo "# Extracting objects, final touches and permissions ..." echo "# Extracting objects, final touches and permissions ..."
echo echo
tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C /
/opt/tpot/bin/clean.sh off
uuidgen > /data/uuid uuidgen > /data/uuid
fi fi
@ -164,16 +168,19 @@ if [ "${myOSTYPE}" == "linuxkit" ];
else else
if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ ! -f "/etc/blackhole/mass_scanner.txt" ]; if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ ! -f "/etc/blackhole/mass_scanner.txt" ];
then then
echo
echo "# Adding Blackhole routes." echo "# Adding Blackhole routes."
/opt/tpot/bin/blackhole.sh add /opt/tpot/bin/blackhole.sh add
echo echo
fi fi
if [ "${TPOT_BLACKHOLE}" == "DISABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ]; if [ "${TPOT_BLACKHOLE}" == "DISABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
then then
echo
echo "# Removing Blackhole routes." echo "# Removing Blackhole routes."
/opt/tpot/bin/blackhole.sh del /opt/tpot/bin/blackhole.sh del
echo echo
else else
echo
echo "# Blackhole is not active." echo "# Blackhole is not active."
fi fi
fi fi
@ -189,9 +196,9 @@ echo
echo "# Updating permissions ..." echo "# Updating permissions ..."
echo echo
chown -R tpot:tpot /data chown -R tpot:tpot /data
chmod -R 777 /data chmod -R 770 /data
#chmod 644 -R /data/nginx/conf chmod 774 -R /data/nginx/conf
#chmod 644 -R /data/nginx/cert chmod 774 -R /data/nginx/cert
# Update interface settings (p0f and Suricata) and setup iptables to support NFQ based honeypots (glutton, honeytrap) # Update interface settings (p0f and Suricata) and setup iptables to support NFQ based honeypots (glutton, honeytrap)
### This is currently not supported on Docker for Desktop, only on Docker Engine for Linux ### This is currently not supported on Docker for Desktop, only on Docker Engine for Linux
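Review bot: In check_web_user_safety the new per-line loop makes an empty or whitespace-only `WEB_USER` pass validation vacuously, because `for user in $web_user` iterates zero times, whereas the previous single regex test rejected an empty value; create_web_users then writes an empty `/data/nginx/conf/nginxpasswd` on every start, which would presumably deny every login without any error being printed. Add a guard before the loop: `if [[ -z "${web_user//[[:space:]]/}" ]]; then echo "# Error: WEB_USER is empty."; exit 1; fi`. The unquoted `$web_user` also remains subject to pathname expansion even with IFS set to newline, so a `set -f`/`set +f` pair around the loop (or `while IFS= read -r user; do … done <<<"$web_user"`) rules out a stray glob ever matching a file name, cheap insurance even though the regex makes a bypass unlikely. Separately, the old startup message reminding the operator to erase the password from .env was dropped while the hash is now rewritten from `WEB_USER` on every boot, so create_web_users should carry a comment stating that the .env value is the source of truth and stays on disk.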


@ -33,12 +33,12 @@
/data/medpot/log/*.log /data/medpot/log/*.log
/data/nginx/log/*.log /data/nginx/log/*.log
/data/p0f/log/p0f.json /data/p0f/log/p0f.json
/data/rdpy/log/rdpy.log
/data/redishoneypot/log/*.log /data/redishoneypot/log/*.log
/data/sentrypeer/log/*.json /data/sentrypeer/log/*.json
/data/suricata/log/*.log /data/suricata/log/*.log
/data/suricata/log/*.json /data/suricata/log/*.json
/data/tanner/log/*.json /data/tanner/log/*.json
/data/wordpot/log/*.log
{ {
su tpot tpot su tpot tpot
copytruncate copytruncate