work on permissions, folders and tpotinit

docker/tpotinit/dist/bin/clean.sh

@@ -42,8 +42,8 @@ fuLOGROTATE () {
 # Ensure correct permissions and ownerships for logrotate to run without issues
 chmod 770 /data/ -R
 chown tpot:tpot /data -R
-chmod 644 /data/nginx/conf -R
-chmod 644 /data/nginx/cert -R
+chmod 774 /data/nginx/conf -R
+chmod 774 /data/nginx/cert -R
 
 # Run logrotate with force (-f) first, so the status file can be written and race conditions (with tar) be avoided
 logrotate -f -s $mySTATUS $myCONF
@@ -74,10 +74,23 @@ chown tpot:tpot $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONA
 logrotate -s $mySTATUS $myCONF
 }
 
+# Let's create a function to clean up and prepare tpotinit data
+fuTPOTINIT () {
+  mkdir -vp /data/ews/conf \
+            /data/tpot/etc/{compose,logrotate} \
+            /tmp/etc/
+  chmod 770 /data/ews/ -R
+  chmod 770 /data/tpot/ -R
+  chmod 770 /tmp/etc/ -R
+  chown tpot:tpot /data/ews/ -R
+  chown tpot:tpot /data/tpot/ -R
+  chown tpot:tpot /tmp/etc/ -R
+}
+
 # Let's create a function to clean up and prepare honeytrap data
 fuADBHONEY () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi
-  mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/
+  mkdir -vp /data/adbhoney/{downloads,log}
   chmod 770 /data/adbhoney/ -R
   chown tpot:tpot /data/adbhoney/ -R
 }
@@ -85,7 +98,7 @@ fuADBHONEY () {
 # Let's create a function to clean up and prepare ciscoasa data
 fuCISCOASA () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi
-  mkdir -p /data/ciscoasa/log
+  mkdir -vp /data/ciscoasa/log
   chmod 770 /data/ciscoasa -R
   chown tpot:tpot /data/ciscoasa -R
 }
@@ -93,7 +106,7 @@ fuCISCOASA () {
 # Let's create a function to clean up and prepare citrixhoneypot data
 fuCITRIXHONEYPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi
-  mkdir -p /data/citrixhoneypot/logs/
+  mkdir -vp /data/citrixhoneypot/logs/
   chmod 770 /data/citrixhoneypot/ -R
   chown tpot:tpot /data/citrixhoneypot/ -R
 }
@@ -101,7 +114,7 @@ fuCITRIXHONEYPOT () {
 # Let's create a function to clean up and prepare conpot data
 fuCONPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
-  mkdir -p /data/conpot/log
+  mkdir -vp /data/conpot/log
   chmod 770 /data/conpot -R
   chown tpot:tpot /data/conpot -R
 }
@@ -109,7 +122,7 @@ fuCONPOT () {
 # Let's create a function to clean up and prepare cowrie data
 fuCOWRIE () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi
-  mkdir -p /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/
+  mkdir -vp /data/cowrie/{downloads,keys,misc,log,log/tty}
   chmod 770 /data/cowrie -R
   chown tpot:tpot /data/cowrie -R
 }
@@ -117,7 +130,7 @@ fuCOWRIE () {
 # Let's create a function to clean up and prepare ddospot data
 fuDDOSPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
-  mkdir -p /data/ddospot/bl /data/ddospot/db /data/ddospot/log
+  mkdir -vp /data/ddospot/{bl,db,log}
   chmod 770 /data/ddospot -R
   chown tpot:tpot /data/ddospot -R
 }
@@ -125,8 +138,7 @@ fuDDOSPOT () {
 # Let's create a function to clean up and prepare dicompot data
 fuDICOMPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
-  mkdir -p /data/dicompot/log
-  mkdir -p /data/dicompot/images
+  mkdir -vp /data/dicompot/{images,log}
   chmod 770 /data/dicompot -R
   chown tpot:tpot /data/dicompot -R
 }
@@ -134,7 +146,12 @@ fuDICOMPOT () {
 # Let's create a function to clean up and prepare dionaea data
 fuDIONAEA () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
-  mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp
+  mkdir -vp /data/dionaea/{log,bistreams,binaries,rtp,roots,roots/ftp,roots/tftp,roots/www,roots/upnp}
+  touch /data/dionaea/dionaea-errors.log
+  touch /data/dionaea/sipaccounts.sqlite
+  touch /data/dionaea/sipaccounts.sqlite-journal
+  touch /data/dionaea/log/dionaea.json
+  touch /data/dionaea/log/dionaea.sqlite
   chmod 770 /data/dionaea -R
   chown tpot:tpot /data/dionaea -R
 }
@@ -142,7 +159,7 @@ fuDIONAEA () {
 # Let's create a function to clean up and prepare elasticpot data
 fuELASTICPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi
-  mkdir -p /data/elasticpot/log
+  mkdir -vp /data/elasticpot/log
   chmod 770 /data/elasticpot -R
   chown tpot:tpot /data/elasticpot -R
 }
@@ -152,7 +169,7 @@ fuELK () {
   # ELK data will be kept for <= 90 days, check /etc/crontab for curator modification
   # ELK daemon log files will be removed
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi
-  mkdir -p /data/elk
+  mkdir -vp /data/elk/{data,log}
   chmod 770 /data/elk -R
   chown tpot:tpot /data/elk -R
 }
@@ -160,7 +177,7 @@ fuELK () {
 # Let's create a function to clean up and prepare endlessh data
 fuENDLESSH () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
-  mkdir -p /data/endlessh/log
+  mkdir -vp /data/endlessh/log
   chmod 770 /data/endlessh -R
   chown tpot:tpot /data/endlessh -R
 }
@@ -168,7 +185,7 @@ fuENDLESSH () {
 # Let's create a function to clean up and prepare fatt data
 fuFATT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
-  mkdir -p /data/fatt/log
+  mkdir -vp /data/fatt/log
   chmod 770 -R /data/fatt
   chown tpot:tpot -R /data/fatt
 }
@@ -176,7 +193,7 @@ fuFATT () {
 # Let's create a function to clean up and prepare glastopf data
 fuGLUTTON () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
-  mkdir -p /data/glutton/log
+  mkdir -vp /data/glutton/log
   chmod 770 /data/glutton -R
   chown tpot:tpot /data/glutton -R
 }
@@ -184,7 +201,7 @@ fuGLUTTON () {
 # Let's create a function to clean up and prepare hellpot data
 fuHELLPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
-  mkdir -p /data/hellpot/log
+  mkdir -vp /data/hellpot/log
   chmod 770 /data/hellpot -R
   chown tpot:tpot /data/hellpot -R
 }
@@ -192,7 +209,7 @@ fuHELLPOT () {
 # Let's create a function to clean up and prepare heralding data
 fuHERALDING () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
-  mkdir -p /data/heralding/log
+  mkdir -vp /data/heralding/log
   chmod 770 /data/heralding -R
   chown tpot:tpot /data/heralding -R
 }
@@ -200,7 +217,7 @@ fuHERALDING () {
 # Let's create a function to clean up and prepare honeypots data
 fuHONEYPOTS () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
-  mkdir -p /data/honeypots/log
+  mkdir -vp /data/honeypots/log
   chmod 770 /data/honeypots -R
   chown tpot:tpot /data/honeypots -R
 }
@@ -208,7 +225,7 @@ fuHONEYPOTS () {
 # Let's create a function to clean up and prepare honeysap data
 fuHONEYSAP () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi
-  mkdir -p /data/honeysap/log
+  mkdir -vp /data/honeysap/log
   chmod 770 /data/honeysap -R
   chown tpot:tpot /data/honeysap -R
 }
@@ -216,7 +233,7 @@ fuHONEYSAP () {
 # Let's create a function to clean up and prepare honeytrap data
 fuHONEYTRAP () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
-  mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
+  mkdir -vp /data/honeytrap/{log,attacks,downloads}
   chmod 770 /data/honeytrap/ -R
   chown tpot:tpot /data/honeytrap/ -R
 }
@@ -224,7 +241,7 @@ fuHONEYTRAP () {
 # Let's create a function to clean up and prepare ipphoney data
 fuIPPHONEY () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
-  mkdir -p /data/ipphoney/log
+  mkdir -vp /data/ipphoney/log
   chmod 770 /data/ipphoney -R
   chown tpot:tpot /data/ipphoney -R
 }
@@ -232,7 +249,7 @@ fuIPPHONEY () {
 # Let's create a function to clean up and prepare log4pot data
 fuLOG4POT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
-  mkdir -p /data/log4pot/log
+  mkdir -vp /data/log4pot/{log,payloads}
   chmod 770 /data/log4pot -R
   chown tpot:tpot /data/log4pot -R
 }
@@ -240,7 +257,7 @@ fuLOG4POT () {
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
-  mkdir -p /data/mailoney/log/
+  mkdir -vp /data/mailoney/log/
   chmod 770 /data/mailoney/ -R
   chown tpot:tpot /data/mailoney/ -R
 }
@@ -248,7 +265,7 @@ fuMAILONEY () {
 # Let's create a function to clean up and prepare mailoney data
 fuMEDPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi
-  mkdir -p /data/medpot/log/
+  mkdir -vp /data/medpot/log/
   chmod 770 /data/medpot/ -R
   chown tpot:tpot /data/medpot/ -R
 }
@@ -256,23 +273,17 @@ fuMEDPOT () {
 # Let's create a function to clean up nginx logs
 fuNGINX () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/nginx/log/*; fi
+  mkdir -vp /data/nginx/{cert,conf,log}
   touch /data/nginx/log/error.log
-  chmod 644 /data/nginx/conf -R
-  chmod 644 /data/nginx/cert -R
-}
-
-# Let's create a function to clean up and prepare rdpy data
-fuRDPY () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi
-  mkdir -p /data/rdpy/log/
-  chmod 770 /data/rdpy/ -R
-  chown tpot:tpot /data/rdpy/ -R
+  chmod 774 /data/nginx/conf -R
+  chmod 774 /data/nginx/cert -R
+  chown tpot:tpot /data/nginx -R
 }
 
 # Let's create a function to clean up and prepare redishoneypot data
 fuREDISHONEYPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
-  mkdir -p /data/redishoneypot/log
+  mkdir -vp /data/redishoneypot/log
   chmod 770 /data/redishoneypot -R
   chown tpot:tpot /data/redishoneypot -R
 }
@@ -280,14 +291,14 @@ fuREDISHONEYPOT () {
 # Let's create a function to clean up and prepare sentrypeer data
 fuSENTRYPEER () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
-  mkdir -p /data/sentrypeer/log
+  mkdir -vp /data/sentrypeer/log
   chmod 770 /data/sentrypeer -R
   chown tpot:tpot /data/sentrypeer -R
 }
 
 # Let's create a function to prepare spiderfoot db
 fuSPIDERFOOT () {
-  mkdir -p /data/spiderfoot
+  mkdir -vp /data/spiderfoot
   touch /data/spiderfoot/spiderfoot.db
   chmod 770 -R /data/spiderfoot
   chown tpot:tpot -R /data/spiderfoot
@@ -296,7 +307,7 @@ fuSPIDERFOOT () {
 # Let's create a function to clean up and prepare suricata data
 fuSURICATA () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi
-  mkdir -p /data/suricata/log
+  mkdir -vp /data/suricata/log
   chmod 770 -R /data/suricata
   chown tpot:tpot -R /data/suricata
 }
@@ -304,7 +315,7 @@ fuSURICATA () {
 # Let's create a function to clean up and prepare p0f data
 fuP0F () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi
-  mkdir -p /data/p0f/log
+  mkdir -vp /data/p0f/log
   chmod 770 -R /data/p0f
   chown tpot:tpot -R /data/p0f
 }
@@ -312,7 +323,7 @@ fuP0F () {
 # Let's create a function to clean up and prepare p0f data
 fuTANNER () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi
-  mkdir -p /data/tanner/log /data/tanner/files
+  mkdir -vp /data/tanner/{log,files}
   chmod 770 -R /data/tanner
   chown tpot:tpot -R /data/tanner
 }
@@ -320,7 +331,7 @@ fuTANNER () {
 # Let's create a function to clean up and prepare wordpot data
 fuWORDPOT () {
   if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/wordpot/log; fi
-  mkdir -p /data/wordpot/log
+  mkdir -vp /data/wordpot/log
   chmod 770 /data/wordpot -R
   chown tpot:tpot /data/wordpot -R
 }
@@ -345,8 +356,11 @@ if [ "$myPERSISTENCE" = "on" ];
   then
     echo "Persistence enabled, now rotating and compressing logs."
     fuLOGROTATE
-  else
-    echo "Cleaning up and preparing data folders."
+fi
+
+echo  
+echo "Checking and preparing data folders."
+fuTPOTINIT
 fuADBHONEY
 fuCISCOASA
 fuCITRIXHONEYPOT
@@ -371,11 +385,9 @@ if [ "$myPERSISTENCE" = "on" ];
 fuMEDPOT
 fuNGINX
 fuREDISHONEYPOT
-    fuRDPY
 fuSENTRYPEER
 fuSPIDERFOOT
 fuSURICATA
 fuP0F
 fuTANNER
 fuWORDPOT
-  fi

docker/tpotinit/dist/entrypoint.sh

@@ -35,15 +35,18 @@ check_safety() {
 # Function to check the safety of the WEB_USER variable
 check_web_user_safety() {
     local web_user="$1"
+    local IFS=$'\n'  # Set the Internal Field Separator (IFS) to newline for the loop
 
+    # Iterate over each line in web_user
+    for user in $web_user; do
         # Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash)
-    if [[ ! $web_user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; 
-      then
-        echo "# Error: Unsafe characters detected in WEB_USER."
+        if [[ ! $user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; then
+            echo "# Error: Unsafe characters / wrong format detected in WEB_USER for user $user."
             echo
             echo "# Aborting"
             exit 1
         fi
+    done
 }
 
 # Function to validate specific variable formats
@@ -67,6 +70,14 @@ validate_format() {
     esac
 }
 
+create_web_users() {
+    echo
+    echo "# Creating web user from .env ..."
+    echo
+    echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
+    touch /data/nginx/conf/lswebpasswd
+}
+
 # Validate environment variables
 for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TEXT_TIMEZONE TPOT_REPO TPOT_VERSION TPOT_PULL_POLICY TPOT_OSTYPE; 
   do
@@ -103,6 +114,7 @@ if [ -f "/data/uuid" ];
   then
     figlet "Initializing ..."
     figlet "T-Pot: ${TPOT_VERSION}"
+    create_web_users
     echo
     echo "# Data folder is present, just cleaning up, please be patient ..."
     echo
@@ -123,11 +135,7 @@ if [ -f "/data/uuid" ];
     echo
     echo "# Setting up data folder structure ..."
     echo
-    mkdir -vp /data/ews/conf \
-              /data/nginx/{cert,conf,log} \
-              /data/tpot/etc/compose/ \
-              /data/tpot/etc/logrotate/ \
-              /tmp/etc/
+    /opt/tpot/bin/clean.sh off
     echo
     echo "# Generating self signed certificate ..."
     echo
@@ -143,15 +151,11 @@ if [ -f "/data/uuid" ];
           -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' \
           -addext "subjectAltName = IP:${myINTIP}"
     echo
-    echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..."
-    echo
-    echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
-    touch /data/nginx/conf/lswebpasswd
+    create_web_users
     echo
     echo "# Extracting objects, final touches and permissions ..."
     echo
     tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C /
-    /opt/tpot/bin/clean.sh off
     uuidgen > /data/uuid
 fi
 
@@ -164,16 +168,19 @@ if [ "${myOSTYPE}" == "linuxkit" ];
   else
     if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ ! -f "/etc/blackhole/mass_scanner.txt" ];
       then
+        echo
         echo "# Adding Blackhole routes."
         /opt/tpot/bin/blackhole.sh add
         echo
     fi
     if [ "${TPOT_BLACKHOLE}" == "DISABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
       then
+        echo
         echo "# Removing Blackhole routes."
         /opt/tpot/bin/blackhole.sh del
         echo
       else
+        echo
         echo "# Blackhole is not active."
     fi
 fi
@@ -189,9 +196,9 @@ echo
 echo "# Updating permissions ..."
 echo
 chown -R tpot:tpot /data
-chmod -R 777 /data
-#chmod 644 -R /data/nginx/conf
-#chmod 644 -R /data/nginx/cert
+chmod -R 770 /data
+chmod 774 -R /data/nginx/conf
+chmod 774 -R /data/nginx/cert
 
 # Update interface settings (p0f and Suricata) and setup iptables to support NFQ based honeypots (glutton, honeytrap)
 ### This is currently not supported on Docker for Desktop, only on Docker Engine for Linux

docker/tpotinit/dist/etc/logrotate/logrotate.conf

@@ -33,12 +33,12 @@
 /data/medpot/log/*.log
 /data/nginx/log/*.log
 /data/p0f/log/p0f.json
-/data/rdpy/log/rdpy.log
 /data/redishoneypot/log/*.log
 /data/sentrypeer/log/*.json
 /data/suricata/log/*.log
 /data/suricata/log/*.json
 /data/tanner/log/*.json
+/data/wordpot/log/*.log
 {
 	su tpot tpot
         copytruncate