diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100644 index 00000000..8f023d3e --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,38 @@ +# Contribution + +Thank you for your decision to contribute to T-Pot. + +## Issues + +Please feel free to post your problems, ideas and issues [here](https://github.com/dtag-dev-sec/tpotce/issues). We will try to answer ASAP, but to speed things up we encourage you to ... +- [ ] Use the [search function](https://github.com/dtag-dev-sec/tpotce/issues?utf8=%E2%9C%93&q=) first +- [ ] Check the [FAQ](#faq) +- [ ] Provide [basic support information](#info) with regard to your issue + +Thank you :smiley: + +- + + +### FAQ + +##### Where can I find the honeypot logs? +###### The honeypot logs are located in `/data/`. You have to login via ssh and run `sudo cd /data/`. Do not change any permissions here or T-Pot will fail to work. + +- + + + +### Baisc support information + +- What T-Pot version are you currtently using? +- Are you running on a Intel NUC or a VM? +- How long has your installation been running? +- Did you install any upgrades or packages? +- Did you modify any scripts? +- Have you turned persistence on/off? +- How much RAM available (login via ssh and run `htop`)? +- How much stress are the CPUs under (login via ssh and run `htop`)? +- How much swap space is being used (login via ssh and run `htop`)? +- How much free disk space is available (login via ssh and run `sudo df -h`)? +- What is the current container status (login via ssh and run `sudo start.sh`)? diff --git a/installer/bin/check.sh b/installer/bin/check.sh index 0878e3e5..ddb46217 100755 --- a/installer/bin/check.sh +++ b/installer/bin/check.sh 
@@ -19,20 +19,23 @@ touch /var/run/check.lock
 myUPTIME=$(awk '{print int($1/60)}' /proc/uptime)
 for i in $myIMAGES
 do
- myCIDSTATUS=$(docker exec $i supervisorctl status)
- if [ $? -ne 0 ];
- then
- myCIDSTATUS=1
- else
- myCIDSTATUS=$(echo $myCIDSTATUS | egrep -c "(STOPPED|FATAL)")
- fi
- if [ $myUPTIME -gt 4 ] && [ $myCIDSTATUS -gt 0 ];
- then
- echo "Restarting "$i"."
- systemctl stop $i
- sleep 5
- systemctl start $i
- fi
+ if [ "$i" != "ui-for-docker" ] && [ "$i" != "netdata" ];
+ then
+ myCIDSTATUS=$(docker exec $i supervisorctl status)
+ if [ $? -ne 0 ];
+ then
+ myCIDSTATUS=1
+ else
+ myCIDSTATUS=$(echo $myCIDSTATUS | egrep -c "(STOPPED|FATAL)")
+ fi
+ if [ $myUPTIME -gt 4 ] && [ $myCIDSTATUS -gt 0 ];
+ then
+ echo "Restarting "$i"."
+ systemctl stop $i
+ sleep 5
+ systemctl start $i
+ fi
+ fi
 done
 rm /var/run/check.lock
diff --git a/installer/bin/clean.sh b/installer/bin/clean.sh
old mode 100644
new mode 100755
diff --git a/installer/bin/dps.sh b/installer/bin/dps.sh
new file mode 100755
index 00000000..b0f064ae
--- /dev/null
+++ b/installer/bin/dps.sh
@@ -0,0 +1,2 @@
+#/bin/bash
+docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" -f status=running -f status=exited | GREP_COLORS='mt=01;35' egrep --color=always "(^[_a-z-]+ |$)|$" | GREP_COLORS='mt=01;32' egrep --color=always "(Up[ 0-9a-Z ]+ |$)|$" | GREP_COLORS='mt=01;31' egrep --color=always "(Exited[ \(0-9\) ]+ [0-9a-Z ]+ ago|$)|$"
diff --git a/installer/bin/status.sh b/installer/bin/status.sh
index ecdb4e05..e39280cf 100755
--- a/installer/bin/status.sh
+++ b/installer/bin/status.sh
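Review bot: The list of containers that have no supervisord is hard-coded twice, here and in the status.sh hunk below, so the next image without supervisorctl will have to be added in both places or the restart logic silently starts bouncing it. A single guard at the top of the loop, `case "$i" in ui-for-docker|netdata) continue ;; esac`, expresses the skip once and removes one nesting level from the existing body. `$i` is also unquoted in `docker exec $i` and `systemctl stop $i`; it comes from `$myIMAGES`, which is set outside this hunk.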
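Review bot: `#/bin/bash` is missing the `!`, so it is an ordinary comment and dps.sh runs under whatever shell happens to invoke it; write `#!/bin/bash`. The bracket expression `[ 0-9a-Z ]` in the last two egrep patterns is a range from `a` to `Z`, which GNU grep rejects as an invalid range end in the C locale and matches a locale-dependent set elsewhere; `[ 0-9a-zA-Z ]` appears to be what was meant.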
@@ -42,7 +42,10 @@ echo CPU temp: $(sensors | grep "Physical" | awk '{ print $4 }')
 echo
 for i in $myIMAGES
 do
- echo "======| Container:" $i "|======"
- docker exec $i supervisorctl status | GREP_COLORS='mt=01;32' egrep --color=always "(RUNNING)|$" | GREP_COLORS='mt=01;31' egrep --color=always "(STOPPED|FATAL)|$"
- echo
+ if [ "$i" != "ui-for-docker" ] && [ "$i" != "netdata" ];
+ then
+ echo "======| Container:" $i "|======"
+ docker exec $i supervisorctl status | GREP_COLORS='mt=01;32' egrep --color=always "(RUNNING)|$" | GREP_COLORS='mt=01;31' egrep --color=always "(STOPPED|FATAL)|$"
+ echo
+ fi
 done
diff --git a/installer/data/ews/conf/ews.cfg b/installer/data/ews/conf/ews.cfg
index bfa7bdcb..b9bfe123 100644
--- a/installer/data/ews/conf/ews.cfg
+++ b/installer/data/ews/conf/ews.cfg
@@ -4,7 +4,7 @@ spooldir = /opt/ewsposter/spool/
 logdir = /opt/ewsposter/log/
 del_malware_after_send = false
 send_malware = true
-sendlimit = 10
+sendlimit = 400
 contact = your_email_address
 proxy =
 ip =
diff --git a/installer/data/imgcfg/all_images.conf b/installer/data/imgcfg/all_images.conf
index 3ad1fae5..1722a2ae 100644
--- a/installer/data/imgcfg/all_images.conf
+++ b/installer/data/imgcfg/all_images.conf
@@ -7,3 +7,5 @@ emobility
 glastopf
 honeytrap
 suricata
+netdata
+ui-for-docker
diff --git a/installer/data/imgcfg/industrial_images.conf b/installer/data/imgcfg/industrial_images.conf
index c3980d26..ea3eced4 100644
--- a/installer/data/imgcfg/industrial_images.conf
+++ b/installer/data/imgcfg/industrial_images.conf
@@ -2,3 +2,5 @@ conpot
 elk
 emobility
 suricata
+netdata
+ui-for-docker
diff --git a/installer/data/imgcfg/tpot_images.conf b/installer/data/imgcfg/tpot_images.conf
index 3ef98bff..80bb6599 100644
--- a/installer/data/imgcfg/tpot_images.conf
+++ b/installer/data/imgcfg/tpot_images.conf
@@ -5,3 +5,5 @@ elk
 glastopf
 honeytrap
 suricata
+netdata
+ui-for-docker
diff --git a/installer/data/systemd/elk.service b/installer/data/systemd/elk.service
index 6bc917bd..62f0b4ed 100644
--- a/installer/data/systemd/elk.service
+++ b/installer/data/systemd/elk.service
@@ -8,7 +8,7 @@ Restart=always
 ExecStartPre=-/usr/bin/docker stop elk
 ExecStartPre=-/usr/bin/docker rm -v elk
 ExecStartPre=/bin/bash -c '/usr/bin/clean.sh elk'
-ExecStart=/usr/bin/docker run --name=elk -v /data:/data -v /var/log:/data/host/log -p 127.0.0.1:64296:8080 -p 127.0.0.1:64297:9200 --rm=true dtagdevsec/elk:latest1610
+ExecStart=/usr/bin/docker run --name=elk -v /data:/data -v /var/log:/data/host/log -p 127.0.0.1:64296:5601 -p 127.0.0.1:64298:9200 --rm=true dtagdevsec/elk:latest1610
 ExecStop=/usr/bin/docker stop elk

 [Install]
diff --git a/installer/data/systemd/honeytrap.service b/installer/data/systemd/honeytrap.service
index 0a39b976..946d26a4 100644
--- a/installer/data/systemd/honeytrap.service
+++ b/installer/data/systemd/honeytrap.service
@@ -8,10 +8,15 @@ Restart=always
 ExecStartPre=-/usr/bin/docker stop honeytrap
 ExecStartPre=-/usr/bin/docker rm -v honeytrap
 ExecStartPre=/bin/bash -c '/usr/bin/clean.sh honeytrap off'
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,42,80,135,443,445,1433,3306,5060,5061 -j NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301 -j NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 81,102,161,502,8080,9200 -j NFQUEUE
 ExecStart=/usr/bin/docker run --name honeytrap --cap-add=NET_ADMIN --net=host --rm=true -v /data/honeytrap:/data/honeytrap -v /data/ews:/data/ews dtagdevsec/honeytrap:latest1610
 ExecStop=/usr/bin/docker stop honeytrap
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 81,102,161,502,8080,9200 -j NFQUEUE
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295,64296,64297,64298,64299,64300,64301 -j NFQUEUE
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,42,80,135,443,445,1433,3306,5060,5061 -j NFQUEUE

 [Install]
 WantedBy=multi-user.target
+
diff --git a/installer/data/systemd/netdata.service b/installer/data/systemd/netdata.service
new file mode 100644
index 00000000..f6e1abfa
--- /dev/null
+++ b/installer/data/systemd/netdata.service
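Review bot: The three negated `! --dports` rules are evaluated independently, so a SYN to any port is queued by whichever rule's list it is absent from — a port-22 SYN is skipped by the first rule but matched by the second — and as far as I can tell the exclusion therefore never takes effect and honeytrap still receives every new TCP connection, including the SSH and web ports this commit introduces. multiport accepts at most 15 ports per rule, which is presumably why the list was split; "every port except these" is normally expressed with a dedicated chain that RETURNs for the excluded ports and queues everything else, with ExecStopPost unwinding it. The lines below replace the six iptables lines of this hunk; the exact port lists are kept as given and should be checked against honeytrap's own expectations.
```ini
# … unchanged: Restart=, docker stop/rm, clean.sh ExecStartPre lines …
ExecStartPre=-/sbin/iptables -w -N HONEYTRAP
ExecStartPre=/sbin/iptables -w -F HONEYTRAP
ExecStartPre=/sbin/iptables -w -A HONEYTRAP -p tcp -m multiport --dports 21,22,42,80,135,443,445,1433,3306,5060,5061 -j RETURN
ExecStartPre=/sbin/iptables -w -A HONEYTRAP -p tcp -m multiport --dports 64295,64296,64297,64298,64299,64300,64301 -j RETURN
ExecStartPre=/sbin/iptables -w -A HONEYTRAP -p tcp -m multiport --dports 81,102,161,502,8080,9200 -j RETURN
ExecStartPre=/sbin/iptables -w -A HONEYTRAP -j NFQUEUE
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j HONEYTRAP
# … unchanged: ExecStart=, ExecStop= …
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j HONEYTRAP
ExecStopPost=/sbin/iptables -w -F HONEYTRAP
ExecStopPost=/sbin/iptables -w -X HONEYTRAP
```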
@@ -0,0 +1,14 @@
+[Unit]
+Description=netdata
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+ExecStartPre=-/usr/bin/docker stop netdata
+ExecStartPre=-/usr/bin/docker rm -v netdata
+ExecStart=/usr/bin/docker run --name netdata --net=host --cap-add=SYS_PTRACE --rm=true -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /var/run/docker.sock:/var/run/docker.sock dtagdevsec/netdata:latest1610
+ExecStop=/usr/bin/docker stop netdata
+
+[Install]
+WantedBy=multi-user.target
diff --git a/installer/data/systemd/ui-for-docker.service b/installer/data/systemd/ui-for-docker.service
new file mode 100644
index 00000000..0fd35b5d
--- /dev/null
+++ b/installer/data/systemd/ui-for-docker.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=ui-for-docker
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+ExecStartPre=-/usr/bin/docker stop ui-for-docker
+ExecStartPre=-/usr/bin/docker rm -v ui-for-docker
+ExecStart=/usr/bin/docker run --name ui-for-docker --rm=true -v /var/run/docker.sock:/var/run/docker.sock -p 127.0.0.1:64299:9000 dtagdevsec/ui-for-docker:latest1610
+ExecStop=/usr/bin/docker stop ui-for-docker
+
+[Install]
+WantedBy=multi-user.target
diff --git a/installer/data/systemd/wetty.service b/installer/data/systemd/wetty.service
new file mode 100644
index 00000000..5f6b9717
--- /dev/null
+++ b/installer/data/systemd/wetty.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=wetty
+Requires=sshd.service
+After=sshd.service
+
+[Service]
+Restart=always
+User=tsec
+Group=tsec
+ExecStart=/usr/bin/node /usr/local/lib/node_modules/wetty/app.js -p 64300 --host 127.0.0.1 --sshhost 127.0.0.1 --sshport 64295
+
+[Install]
+WantedBy=multi-user.target
diff --git a/installer/etc/issue b/installer/etc/issue
index 6e0dbd43..114e1fa5 100644
--- a/installer/etc/issue
+++ b/installer/etc/issue
@@ -1,7 +1,5 @@ T-Pot 16.10 (development) Hostname: \n -IP: - ___________ _____________________________ \\__ ___/ \\______ \\_____ \\__ ___/
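Review bot: Both new units hand the Docker control socket to a container — netdata here and ui-for-docker in the next hunk — which is root-equivalent control of the host, and netdata additionally runs with `--net=host` and `--cap-add=SYS_PTRACE`. Nothing in either unit records that trust decision; a comment such as `# /var/run/docker.sock grants root-equivalent control of the host; this container must stay reachable from localhost only` above each ExecStart line would stop a later change from adding an outside-facing `-p` mapping casually. Mounting the socket with `:ro` would not restrict the API, so the comment rather than a mount flag is the right place for the caveat.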
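Review bot: `Requires=sshd.service` and `After=sshd.service` in wetty.service name a unit that the rest of this commit calls `ssh` (install.sh's commented `systemctl disable ssh`, the deleted 2fa script's `systemctl status ssh`); on distributions where the unit is ssh.service and `sshd.service` exists only as an alias once the unit is enabled, this dependency may fail to resolve on a fresh install — the distro is not visible in the hunk, so treat this as something to verify. `Requires=ssh.service` and `After=ssh.service` would at least match the name used elsewhere in the commit.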
@@ -10,6 +8,9 @@ ___________ _____________________________ |____| |____| \\_______ /____| \\/ + IP: +SSH: +WEB: -CTRL+ALT+F2 - Display current container status -CTRL+ALT+F1 - Return to this screen + + diff --git a/installer/etc/nginx/nginxpasswd b/installer/etc/nginx/nginxpasswd new file mode 100644 index 00000000..e69de29b diff --git a/installer/etc/nginx/ssl/dhparam4096.pem b/installer/etc/nginx/ssl/dhparam4096.pem new file mode 100644 index 00000000..78cbf6d7 --- /dev/null +++ b/installer/etc/nginx/ssl/dhparam4096.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEAiHmfakVLOStSULBdaTbZY/zeFyEeQ19GY9Z5CJg06dIIgIzhxk9L +4xsQdQk8giKOjP6SfX0ZgF5CYaurQ3ljYlP0UlAQQo9+fEErbqj3hCzAxtIpd6Yj +SV6zFdnSjwxWuKAPPywiQNljnHH+Y1KBdbl5VQ9gC3ehtaLo1A4y8q96f6fC5rGU +nfgw4lTxLvPD7NwaOdFTCyK8tTxvUGNJIvf7805IxZ0BvAiBuVaXStaMcqf5BHLP +fYpvIiVaCrtto4elu18nL0tf2CN5n9ai4hlr0nPmNrE/Zrrur78Re5F4Ien9kr4d +xabXvVJJQa9j2NdQO7vk7Cz/dAIiqt/1XKFhll4TTYBqrFVXIwF+FNx636zyOjcO +nlZk/V+IL/UTPnZOv2PGt5+WetvJJubi6B9XgOgVLduI07woAp5qnRJJt6fJW1aA +M86By6WLy5P31Py6eFj8nYgj1V703XgQ5lESKYpeVgqA0bh7daNzOCoGQvvUKlTP +RTu6fs7clw5ta4yYUyvuIKTngH5yGBNdTuP0GWo6Y+Dy1BctVwl2xSw+FhYeuIf/ +EB2A3129H59HhbWyNH337+1dfntHfQRXBsT0YSyDxPurI5/FNGcmw+GZEYk4BB8j +g7TwH3GBjbKnjnr7SnhanqmWgybgQw6oR9gDC399eR4LiOk9sbxpX1MCAQI= +-----END DH PARAMETERS----- diff --git a/installer/etc/nginx/ssl/gen-cert.sh b/installer/etc/nginx/ssl/gen-cert.sh new file mode 100755 index 00000000..388e51ee --- /dev/null +++ b/installer/etc/nginx/ssl/gen-cert.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +# Got root? +myWHOAMI=$(whoami) +if [ "$myWHOAMI" != "root" ] + then + echo "Need to run as root ..." + exit +fi + +openssl req -nodes -x509 -sha512 -newkey rsa:8192 -keyout "nginx.key" -out "nginx.crt" -days 3650 + diff --git a/installer/etc/nginx/ssl/gen-dhparam.sh b/installer/etc/nginx/ssl/gen-dhparam.sh new file mode 100755 index 00000000..b4af43e6 --- /dev/null +++ b/installer/etc/nginx/ssl/gen-dhparam.sh 
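Review bot: `openssl req ... -keyout "nginx.key"` in gen-cert.sh creates the private key with the caller's umask, so under the usual root umask of 022 the key is world-readable in whatever directory the script is run from; put `umask 077` before the openssl line or `chmod 600 nginx.key` after it. The root check ends with a bare `exit`, i.e. status 0, so a caller cannot distinguish the refusal from success; use `exit 1`. The same unprotected key generation is repeated in install.sh's `openssl req ... -keyout "/etc/nginx/ssl/nginx.key"` line later in this commit.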
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Got root?
+myWHOAMI=$(whoami)
+if [ "$myWHOAMI" != "root" ]
+ then
+ echo "Need to run as root ..."
+ exit
+fi
+
+if [ "$1" = "2048" ] || [ "$1" = "4096" ] || [ "$1" = "8192" ]
+ then
+ openssl dhparam -outform PEM -out dhparam$1.pem $1
+ else
+ echo "Usage: ./gen-dhparam [2048, 4096, 8192]..."
+fi
diff --git a/installer/etc/nginx/tpotweb.conf b/installer/etc/nginx/tpotweb.conf
new file mode 100644
index 00000000..95a79ae0
--- /dev/null
+++ b/installer/etc/nginx/tpotweb.conf
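Review bot: Both failure paths of gen-dhparam.sh — the root check's bare `exit` and the usage branch — return status 0, so anything chaining on this script cannot tell that nothing was generated; make them `exit 1`. The usage text names `./gen-dhparam` while the file is gen-dhparam.sh, and `$1` is unquoted in `dhparam$1.pem $1`, which is harmless given the whitelist just above it but `"$1"` is the safer habit.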
@@ -0,0 +1,156 @@ +############################################ +### NGINX T-Pot configuration file by mo ### +############################################ + +################################### +### Allow for 60 reloads per minute +################################### +limit_req_zone $binary_remote_addr zone=base:1m rate=1r/s; + +server { + + ######################### + ### Basic server settings + ######################### + listen 64297 ssl http2; + ssl_protocols TLSv1.2; + server_name example.com; + error_page 300 301 302 400 401 402 403 404 500 501 502 503 504 /error.html; + + + ############################################## + ### Remove version number add different header + ############################################## + server_tokens off; + more_set_headers 'Server: apache'; + + + ############################################## + ### SSL settings and Cipher Suites + ############################################## + ssl_certificate /etc/nginx/ssl/nginx.crt; + ssl_certificate_key /etc/nginx/ssl/nginx.key; + + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!DHE:!SHA:!SHA256'; + ssl_ecdh_curve secp384r1; + ssl_dhparam /etc/nginx/ssl/dhparam4096.pem; + + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + + #################################### + ### OWASP recommendations / settings + #################################### + + ### Size Limits & Buffer Overflows + ### the size may be configured based on the needs. + client_body_buffer_size 100K; + client_header_buffer_size 1k; + client_max_body_size 100k; + large_client_header_buffers 2 1k; + + ### Mitigate Slow HHTP DoS Attack + ### Timeouts definition ## + client_body_timeout 10; + client_header_timeout 10; + keepalive_timeout 5 5; + send_timeout 10; + + ### X-Frame-Options is to prevent from clickJacking attack + add_header X-Frame-Options SAMEORIGIN; + + ### disable content-type sniffing on some browsers. 
+ add_header X-Content-Type-Options nosniff; + + ### This header enables the Cross-site scripting (XSS) filter + add_header X-XSS-Protection "1; mode=block"; + + ### This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + + + ################################## + ### Restrict access and basic auth + ################################## + satisfy any; + + allow 127.0.0.1; + allow ::1; + deny all; + + auth_basic "closed site"; + auth_basic_user_file /etc/nginx/nginxpasswd; + + + ############################## + ### Limit brute-force attempts + ############################## + location = / { + limit_req zone=base burst=1 nodelay; + } + + + ################# + ### Proxied sites + ################# + + ### Kibana + location /kibana/ { + proxy_pass http://localhost:64296; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + rewrite /kibana/(.*)$ /$1 break; + } + + ### Head plugin + location /myhead/ { + proxy_pass http://localhost:64298/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + rewrite /myhead/(.*)$ /$1 break; + } + + ### ui-for-docker + location /ui { + proxy_pass http://localhost:64299; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection ""; + proxy_set_header Host $host; + proxy_redirect off; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + rewrite /ui/(.*)$ /$1 break; + } + + ### web tty + location /wetty { + proxy_pass http://127.0.0.1:64300/wetty; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 43200000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host 
$http_host;
+ proxy_set_header X-NginX-Proxy true;
+ }
+
+ ### netdata
+ location /netdata/ {
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:64301;
+ proxy_http_version 1.1;
+ proxy_pass_request_headers on;
+ proxy_set_header Connection "keep-alive";
+ proxy_store off;
+ rewrite /netdata/(.*)$ /$1 break;
+ }
+
+}
diff --git a/installer/etc/rc.local b/installer/etc/rc.local
index 58bf9e54..301a8abb 100755
--- a/installer/etc/rc.local
+++ b/installer/etc/rc.local
@@ -2,8 +2,10 @@
 # Let's add the first local ip to the /etc/issue and external ip to ews.ip file
 source /etc/environment
 myLOCALIP=$(hostname -I | awk '{ print $1 }')
-myEXTIP=$(curl myexternalip.com/raw)
-sed -i "s#IP:.*#IP: $myLOCALIP, $myEXTIP#" /etc/issue
+myEXTIP=$(curl -s myexternalip.com/raw)
+sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
+sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
+sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
 tee /data/ews/conf/ews.ip << EOF
 [MAIN]
 ip = $myEXTIP
diff --git a/installer/home/2fa_enable.sh b/installer/home/2fa_enable.sh
deleted file mode 100755
index 8ee97d8b..00000000
--- a/installer/home/2fa_enable.sh
+++ /dev/null
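Review bot: `satisfy any` together with `allow 127.0.0.1; allow ::1;` lets any client arriving from the loopback address skip basic auth entirely, and this commit also starts containers with `--net=host` (honeytrap, netdata) that share that loopback; via `/ui` that unauthenticated path ends at ui-for-docker and the Docker socket. Unless a localhost bypass is genuinely needed, drop `satisfy any` and the allow/deny block so every request authenticates. Separately, `limit_req zone=base` is attached only to `location = /`, so credential guessing against `/kibana/`, `/ui`, `/wetty` or `/netdata/` is not throttled at all; moving the `limit_req` directive to server scope applies it to every location. `!DHE` in `ssl_ciphers` also removes every DHE suite, which makes `ssl_dhparam` dead configuration — harmless, but worth a comment or removal.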
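Review bot: `$myEXTIP` is the unvalidated body of a plain-HTTP response and is spliced into the sed program on the following line, so any `#`, newline or sed syntax in that body is executed as a sed command by root at boot and then also written into ews.ip. Validate it before use, e.g. `case "$myEXTIP" in *[!0-9a-fA-F:.]*|"") myEXTIP="" ;; esac`, and fetch with `curl -sf --max-time 10 https://myexternalip.com/raw` so that a failed or slow fetch yields an empty string rather than an error page or a hung boot. The same two lines are duplicated in the install.sh hunk that asks for the web password, and the fix belongs there too.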
@@ -1,43 +0,0 @@ -#!/bin/bash - -######################################################## -# T-Pot # -# Two-Factor-Authentication and SSH enable script # -# # -# v16.10.0 by mo, DTAG, 2016-05-12 # -######################################################## -myBACKTITLE="T-Pot - Two-Factor-Authentication and SSH enable script" - -# Let's ask if the user wants to enable two-factor ... -dialog --backtitle "$myBACKTITLE" --title "[ Enable 2FA? ]" --yesno "\nDo you want to enable Two-Factor-Authentication based on Google Authenticator for SSH?" 8 70 -my2FA=$? - -# Let's ask if the user wants to enable ssh ... -dialog --backtitle "$myBACKTITLE" --title "[ Enable SSH? ]" --yesno "\nDo you want to enable the SSH service?" 8 70 -mySSH=$? - -# Enable 2FA -if [ "$my2FA" = "0" ] && ! [ -f /etc/pam.d/sshd.bak ]; - then - clear - sudo sed -i.bak '\# PAM#aauth required pam_google_authenticator.so' /etc/pam.d/sshd - sudo sed -i.bak 's#ChallengeResponseAuthentication no#ChallengeResponseAuthentication yes#' /etc/ssh/sshd_config - google-authenticator -t -d -f -r 3 -R 30 -w 21 - echo "2FA enabled. Please press return to continue ..." - read - elif [ -f /etc/pam.d/sshd.bak ] - then - dialog --backtitle "$myBACKTITLE" --title "[ Already enabled ]" --msgbox "\nIt seems that Two-Factor-Authentication has already been enabled. Please run 'google-authenticator -t -d -f -r 3 -R 30 -w 21' if you want to rewrite your token." 8 70 -fi - -# Enable SSH -if [ "$mySSH" = "0" ] && [ "$(systemctl status ssh | grep -o dead)" = "dead" ]; - then - clear - sudo systemctl enable ssh - sudo systemctl start ssh - dialog --backtitle "$myBACKTITLE" --title "[ SSH enabled ]" --msgbox "\nThe SSH service has been enabled and is now reachable via port tcp/64295. Password authentication is disabled by default." 8 70 - elif [ "$(systemctl status ssh | grep -o dead)" = "" ] - then - dialog --backtitle "$myBACKTITLE" --title "[ Already enabled ]" --msgbox "\nIt seems that SSH has already been enabled." 8 70 -fi 
diff --git a/installer/install.sh b/installer/install.sh
index 5a44ce72..4a9ca7ac 100755
--- a/installer/install.sh
+++ b/installer/install.sh
@@ -36,6 +36,17 @@ set -e
 exec 2> >(tee "install.err")
 exec > >(tee "install.log")

+# Let's stop and disable ssh, nginx services
+#fuECHO "### Disabling and stopping ssh, nginx services."
+#systemctl disable ssh
+#systemctl stop ssh
+#systemctl disable nginx
+#systemctl stop nginx
+
+# Let's disable NGINX default website
+fuECHO "### Removing link to NGINX default website."
+rm /etc/nginx/sites-enabled/default
+
 # Let's setup the proxy for env
 if [ -f $myPROXYFILEPATH ]; then
 fuECHO "### Setting up the proxy."
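Review bot: `rm /etc/nginx/sites-enabled/default` runs under `set -e` (visible in the hunk header) without `-f`, so a second run of the installer, or an nginx package that did not create that link, aborts the whole script at this point; `rm -f /etc/nginx/sites-enabled/default` keeps it idempotent. The `ln -s ... tpotweb.conf` added in the later copy hunk has the same failure mode and wants `ln -sf`. The commented-out `systemctl disable/stop` block should either be made live or removed rather than shipped as dead code.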
@@ -150,9 +161,26 @@ tee -a /etc/ssh/ssh_config < /dev/tty2 +#*/2 * * * * root status.sh > /dev/tty2 # Check if containers and services are up -*/5 * * * * root check.sh +*/5 * * * * root check.sh # Example for alerta-cli IP update -#*/5 * * * * root alerta --endpoint-url http://:/api delete --filters resource= && alerta --endpoint-url http://:/api send -e IP -r -E Production -s ok -S T-Pot -t \$(cat /data/elk/logstash/mylocal.ip) --status open +#*/5 * * * * root alerta --endpoint-url http://:/api delete --filters resource= && alerta --endpoint-url http://:/api send -e IP -r -E Production -s ok -S T-Pot -t \$(cat /data/elk/logstash/mylocal.ip) --status open # Check if updated images are available and download them -27 1 * * * root for i in \$(cat /data/images.conf); do docker pull dtagdevsec/\$i:latest1610; done +27 1 * * * root for i in \$(cat /data/images.conf); do docker pull dtagdevsec/\$i:latest1610; done # Restart docker service and containers -27 3 * * * root dcres.sh +27 3 * * * root dcres.sh # Delete elastic indices older than 90 days (kibana index is omitted by default) -27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' +27 4 * * * root docker exec elk bash -c '/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 90 --time-unit days --timestring \%Y.\%m.\%d' # Update IP and erase check.lock if it exists -27 15 * * * root /etc/rc.local +27 15 * * * root /etc/rc.local # Check for updated packages every sunday, upgrade and reboot -27 16 * * 0 root apt-get autoclean -y; apt-get autoremove -y; apt-get update -y; apt-get upgrade -y; sleep 5; reboot +27 16 * * 0 root apt-get autoclean -y; apt-get autoremove -y; apt-get update -y; apt-get upgrade -y; sleep 5; reboot EOF # Let's create some files and folders 
@@ -313,8 +346,6 @@ chmod 500 /root/tpot/bin/* chmod 600 /root/tpot/data/* chmod 644 /root/tpot/etc/issue chmod 755 /root/tpot/etc/rc.local -chmod 700 /root/tpot/home/* -chown tsec:tsec /root/tpot/home/* chmod 644 /root/tpot/data/systemd/* # Let's copy some files @@ -322,36 +353,27 @@ tar xvfz /root/tpot/data/elkbase.tgz -C / cp /root/tpot/data/elkbase.tgz /data/ cp -R /root/tpot/bin/* /usr/bin/ cp -R /root/tpot/data/* /data/ -cp /root/tpot/data/systemd/* /etc/systemd/system/ -cp -R /root/tpot/etc/issue /etc/ -cp -R /root/tpot/home/* /home/tsec/ +cp /root/tpot/data/systemd/* /etc/systemd/system/ +cp /root/tpot/etc/issue /etc/ +cp -R /root/tpot/etc/nginx/ssl /etc/nginx/ +cp /root/tpot/etc/nginx/tpotweb.conf /etc/nginx/sites-available/ cp /root/tpot/keys/authorized_keys /home/tsec/.ssh/authorized_keys +cp /root/tpot/usr/share/nginx/html/* /usr/share/nginx/html/ for i in $(cat /data/images.conf); do systemctl enable $i; done +systemctl enable wetty + +# Let's enable T-Pot website +fuECHO "### Enabling T-Pot website." +ln -s /etc/nginx/sites-available/tpotweb.conf /etc/nginx/sites-enabled/tpotweb.conf # Let's take care of some files and permissions chmod 760 -R /data chown tpot:tpot -R /data chmod 600 /home/tsec/.ssh/authorized_keys -chown tsec:tsec /home/tsec/*.sh /home/tsec/.ssh /home/tsec/.ssh/authorized_keys - -# Let's pull some updates -fuECHO "### Pulling Updates." -apt-get update -y - -# Installing upgrades -fuECHO "### Installing Upgrades." -apt-get upgrade -y - -# Installing alerta-cli -fuECHO "### Installing alerta-cli." -pip install alerta - -# Let's clean up apt -apt-get autoclean -y -apt-get autoremove -y +chown tsec:tsec /home/tsec/.ssh /home/tsec/.ssh/authorized_keys # Let's replace "quiet splash" options, set a console font for more screen canvas and update grub sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"#GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0"#' /etc/default/grub 
@@ -373,15 +395,51 @@ sed -i 's#\#force_color_prompt=yes#force_color_prompt=yes#' /home/tsec/.bashrc
 sed -i 's#\#force_color_prompt=yes#force_color_prompt=yes#' /root/.bashrc

 # Let's create ews.ip before reboot and prevent race condition for first start
+source /etc/environment
 myLOCALIP=$(hostname -I | awk '{ print $1 }')
-myEXTIP=$(curl myexternalip.com/raw)
-sed -i "s#IP:.*#IP: $myLOCALIP, $myEXTIP#" /etc/issue
+myEXTIP=$(curl -s myexternalip.com/raw)
+sed -i "s#IP:.*#IP: $myLOCALIP ($myEXTIP)#" /etc/issue
+sed -i "s#SSH:.*#SSH: ssh -l tsec -p 64295 $myLOCALIP#" /etc/issue
+sed -i "s#WEB:.*#WEB: https://$myLOCALIP:64297#" /etc/issue
 tee /data/ews/conf/ews.ip << EOF
 [MAIN]
 ip = $myEXTIP
 EOF
+echo $myLOCALIP > /data/elk/logstash/mylocal.ip
 chown tpot:tpot /data/ews/conf/ews.ip

+# Let's ask user for web password
+fuECHO "### Please enter a web user name and password."
+myOK="n"
+myUSER="tsec"
+while [ 1 != 2 ]
+ do
+ read -p "Username (tsec not allowed): " myUSER
+ echo "Your username is: "$myUSER
+ read -p "OK (y/n)? " myOK
+ if [ "$myOK" = "y" ] && [ "$myUSER" != "tsec" ];
+ then
+ break
+ fi
+ done
+myPASS1="pass1"
+myPASS2="pass2"
+while [ "$myPASS1" != "$myPASS2" ]
+ do
+ read -s -p "Password: " myPASS1
+ echo
+ read -s -p "Repeat password: " myPASS2
+ echo
+ done
+htpasswd -b -c /etc/nginx/nginxpasswd $myUSER $myPASS1
+
+# Let's generate a SSL certificate
+fuECHO "### Generating a self-signed-certificate for NGINX."
+fuECHO "### If you are unsure you can use the default values."
+mkdir -p /etc/nginx/ssl
+openssl req -nodes -x509 -sha512 -newkey rsa:8192 -keyout "/etc/nginx/ssl/nginx.key" -out "/etc/nginx/ssl/nginx.crt" -days 3650
+
 # Final steps
 fuECHO "### Thanks for your patience. Now rebooting."
-mv /root/tpot/etc/rc.local /etc/rc.local && rm -rf /root/tpot/ && chage -d 0 tsec && sleep 2 && reboot +#mv /root/tpot/etc/rc.local /etc/rc.local && rm -rf /root/tpot/ && chage -d 0 tsec && sleep 2 && reboot +mv /root/tpot/etc/rc.local /etc/rc.local && rm -rf /root/tpot/ && sleep 2 && reboot diff --git a/installer/usr/share/nginx/html/error.html b/installer/usr/share/nginx/html/error.html new file mode 100644 index 00000000..e69de29b diff --git a/installer/usr/share/nginx/html/favicon.ico b/installer/usr/share/nginx/html/favicon.ico new file mode 100644 index 00000000..a40c2372 Binary files /dev/null and b/installer/usr/share/nginx/html/favicon.ico differ diff --git a/installer/usr/share/nginx/html/index.html b/installer/usr/share/nginx/html/index.html new file mode 100644 index 00000000..107ee90f --- /dev/null +++ b/installer/usr/share/nginx/html/index.html @@ -0,0 +1,24 @@ + + + + + + T-Pot + + + + +
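Review bot: The password loop exits as soon as the two entries match, and two empty entries match, so an empty web password is accepted for the account that fronts Kibana, the Docker UI and the web console; change the condition to `while [ -z "$myPASS1" ] || [ "$myPASS1" != "$myPASS2" ]`. `htpasswd -b` puts the password on the command line, where it is visible in the process list for the duration of the call; `printf '%s\n' "$myPASS1" | htpasswd -i -c /etc/nginx/nginxpasswd "$myUSER"` reads it from stdin instead (confirm the installed apache2-utils supports `-i`), and quoting `"$myUSER"` also protects against a name containing spaces or `:`. The generated `nginx.key` inherits the umask, so add `chmod 600 /etc/nginx/ssl/nginx.key` after the openssl line. The hunk starts in the previous source line; the `myEXTIP`/sed pair at its top has the injection issue raised on the rc.local hunk.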
+
+

+ Kibana + Head + Docker + Console + Metrics +

+
+
+ + + diff --git a/installer/usr/share/nginx/html/style.css b/installer/usr/share/nginx/html/style.css new file mode 100644 index 00000000..1fd2b99f --- /dev/null +++ b/installer/usr/share/nginx/html/style.css @@ -0,0 +1,45 @@ +.btn { + -webkit-border-radius: 0; + -moz-border-radius: 0; + border-radius: 0px; + font-family: Arial; + color: #ffffff; + font-size: 20px; + background: #E20074; + padding: 10px 20px 10px 20px; + text-decoration: none; +} + +.btn:hover { + background: #c2c2c2; + text-decoration: none; +} + +.vertical-align { + position: relative; + top: 50%; + -webkit-transform: translateY(-50%); + -ms-transform: translateY(-50%); + transform: translateY(-50%); +} +.center { + margin: 0 auto; + text-align: center; +} +.modal { + background-color: #fff; + border: 5px solid #333; + width: 450px; + height: 300px; +} + +section { + display: block; + margin: 0 auto 1em; + position: absolute; + top: 0; + left: 0; + right: 0; + bottom: 0; + height: 100%; +} diff --git a/preseed/tpot.seed b/preseed/tpot.seed index fa517cde..c2e4ecdf 100755 --- a/preseed/tpot.seed +++ b/preseed/tpot.seed @@ -63,7 +63,7 @@ d-i passwd/root-login boolean false d-i passwd/make-user boolean true d-i passwd/user-fullname string tsec d-i passwd/username string tsec -d-i passwd/user-password-crypted password $1$jAw1TW8v$a2WFamxQJfpPYZmn4qJT71 +#d-i passwd/user-password-crypted password $1$jAw1TW8v$a2WFamxQJfpPYZmn4qJT71 d-i user-setup/encrypt-home boolean false ######################################## 
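Review bot: Commenting out `passwd/user-password-crypted` leaves the crypted hash of the former default password in the repository and one uncomment away from being reinstated; delete the line instead. With `passwd/make-user` still true, d-i will prompt for the tsec password interactively, which is consistent with install.sh dropping `chage -d 0 tsec` in this commit, so nothing else needs to change.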
@@ -100,7 +100,7 @@ tasksel tasksel/first multiselect ubuntu-server ######################## ### Package Installation ######################## -d-i pkgsel/include string aufs-tools apparmor apt-transport-https bash-completion ca-certificates cgroupfs-mount curl dialog dstat ethtool genisoimage git htop iptables iw libpam-google-authenticator libltdl7 lm-sensors ntp openssh-server syslinux pv python-pip vim wireless-tools wpasupplicant +d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount curl dialog dstat ethtool genisoimage git html2text htop iptables iw libltdl7 lm-sensors man nginx-extras nodejs npm ntp openssh-server openssl syslinux psmisc pv python-pip vim wireless-tools wpasupplicant ################# ### Update Policy