From f7a65719bf508c600cd566fb4dc9ab67ae42be34 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Wed, 13 Feb 2019 17:09:23 +0100
Subject: [PATCH] tweaking

---
 iso/installer/install.sh | 16 +-
 iso/installer/install.sh.backup | 766 --------------------------------
 iso/isolinux/txt.cfg | 2 +-
 iso/preseed/tpot.seed | 5 +-
 makeiso.sh | 7 +-
 5 files changed, 16 insertions(+), 780 deletions(-)
 delete mode 100755 iso/installer/install.sh.backup

diff --git a/iso/installer/install.sh b/iso/installer/install.sh
index c689c802..34282d3a 100755
--- a/iso/installer/install.sh
+++ b/iso/installer/install.sh
@@ -548,7 +548,7 @@ fuBANNER "SSH roaming off"
 echo "UseRoaming no" 2>&1 | tee -a /etc/ssh/ssh_config
 # Installing ctop, elasticdump, tpot, yq
-fuBANNER "Installing packages"
+fuBANNER "Installing pkgs"
 npm install https://github.com/taskrabbit/elasticsearch-dump -g
 pip install --upgrade pip
 hash -r
@@ -572,7 +572,7 @@ hostnamectl set-hostname $myHOST
 sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts
 # Let's patch cockpit.socket, sshd_config
-fuBANNER "Adjust tcp ports"
+fuBANNER "Adjust ports"
 sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket
 sed -i '/^port/Id' /etc/ssh/sshd_config
 echo "Port 64295" >> /etc/ssh/sshd_config
@@ -621,7 +621,7 @@ myUPDATECHECK="APT::Periodic::Update-Package-Lists \"1\";
 APT::Periodic::Download-Upgradeable-Packages \"0\";
 APT::Periodic::AutocleanInterval \"7\";
 "
-fuBANNER "Modify update checks"
+fuBANNER "Modify checks"
 echo "$myUPDATECHECK" | tee /etc/apt/apt.conf.d/10periodic
 # Let's make sure to reboot the system after a kernel panic
@@ -635,7 +635,7 @@ net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
 "
-fuBANNER "Tweak systctl"
+fuBANNER "Tweak sysctl"
 echo "$mySYSCTLCONF" | tee -a /etc/sysctl.conf
 # Let's setup fail2ban config
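Review bot: `npm install https://github.com/taskrabbit/elasticsearch-dump -g` in the @@ -548 hunk installs whatever the repository's default branch holds at build time, so two ISO builds can ship different code and a force-pushed or compromised upstream lands on every sensor unnoticed; the deleted backup shows `pip install elasticsearch-curator yq` following it, and if the live script still does, those are unpinned the same way. Pin to a release, e.g. `npm install -g https://github.com/taskrabbit/elasticsearch-dump#<release-tag>` with the tag chosen when the ISO is cut, and give the pip packages explicit versions. The hunk itself only relabels the banner; the surrounding commands are context and the section continues past the hunk.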
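Review bot: `echo "Port 64295" >> /etc/ssh/sshd_config` in the @@ -572 hunk appends to the end of the file, which only works while nothing in sshd_config opens a `Match` block — `Port` is not permitted inside one, so any later `Match` stanza would swallow the appended directive and sshd would refuse to start, cutting off remote access after the reboot this installer ends with. The stock Debian file only carries a commented `Match` example, so this is robustness rather than a present break, but since the preceding `sed -i '/^port/Id'` already removes any existing `port` line, inserting at the top with `sed -i '1i Port 64295' /etc/ssh/sshd_config` keeps the directive in the global section regardless of what follows, and an `sshd -t` before the reboot catches a broken config while the console is still available. The enclosing section continues past the hunk.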
@@ -695,7 +695,7 @@ fuBANNNER "Add cronjobs"
 echo "$myCRONJOBS" | tee -a /etc/crontab
 # Let's create some files and folders
-fuBANNER "Create files & folders"
+fuBANNER "Files & folders"
 mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
 /data/ciscoasa/log \
 /data/conpot/log \
@@ -727,14 +727,14 @@ cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/
 systemctl enable tpot
 # Let's take care of some files and permissions
-fuBANNER "Set permissions"
+fuBANNER "Permissions"
 chmod 760 -R /data
 chown tpot:tpot -R /data
 chmod 644 -R /data/nginx/conf
 chmod 644 -R /data/nginx/cert
 # Let's replace "quiet splash" options, set a console font for more screen canvas and update grub
-fuBANNER "Set options"
+fuBANNER "Options"
 sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet"#GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"#' /etc/default/grub
 sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub
 update-grub 2>&1
@@ -748,7 +748,7 @@ update-initramfs -u
 sed -i 's#After=.*#After=systemd-tmpfiles-setup.service console-screen.service kbd.service local-fs.target#' /etc/systemd/system/multi-user.target.wants/console-setup.service
 # Let's enable a color prompt and add /opt/tpot/bin to path
-fuBANNER "Setup prompts"
+fuBANNER "Setup prompt"
 myROOTPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;1m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;1m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"'
 myUSERPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;2m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"'
 myROOTCOLORS="export LS_OPTIONS='--color=auto'
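Review bot: The header context of the @@ -695 hunk reads `fuBANNNER "Add cronjobs"` (three N's) while every other call touched by this commit is `fuBANNER`; unless a function with that spelling exists outside the shown lines, that line fails with "command not found" in the live install.sh, and a commit that retouches banner labels throughout is the natural place to correct it to `fuBANNER "Add cronjobs"`. The `mkdir -p` statement at the bottom of the hunk continues past it via line continuations.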
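Review bot: `chmod 644 -R /data/nginx/conf` and `chmod 644 -R /data/nginx/cert` in the @@ -727 hunk apply 644 to the directories as well as the files, stripping the search bit so nobody but root can enter them; whether that breaks the nginx container depends on the user it runs as, which is not visible here. Limiting the mode change to files, e.g. `find /data/nginx/conf /data/nginx/cert -type f -exec chmod 644 -- {} +`, keeps the directories traversable, and `nginx.key` under the cert directory arguably deserves 600 rather than 644, since the htpasswd file and the TLS key are the credentials the whole web front end rests on. The earlier `chmod 760 -R /data` also marks every file under /data executable, which is unusual for data and log files.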
diff --git a/iso/installer/install.sh.backup b/iso/installer/install.sh.backup
deleted file mode 100755
index 4bd97edc..00000000
--- a/iso/installer/install.sh.backup
+++ /dev/null
@@ -1,766 +0,0 @@ -#!/bin/bash -# T-Pot Universal Installer - -################################## -# Extract command line arguments # -################################## - -myLSB=$(lsb_release -c | awk '{ print $2 }') -myLSB_STABLE_SUPPORTED="stretch" -myLSB_TESTING_SUPPORTED="sid" -myINFO="\ -########################################### -### T-Pot Installer for Debian unstable ### -########################################### - -Disclaimer: -This script will install T-Pot on this system, by running the script you know what you are doing: -1. SSH will be reconfigured to tcp/64295 -2. Some packages will be installed, some will be upgraded -3. Please ensure other means of access to this system in case something goes wrong. -4. At best this script well be executed on the console instead through a SSH session. - -########################################## - -Usage: - $0 --help - Help. - -Example: - $0 --type=user - Best option for most users." - -if [ "$myLSB" != "$myLSB_STABLE_SUPPORTED" ] && [ "$myLSB" != "$myLSB_TESTING_SUPPORTED" ]; - then - echo "Aborting. Debian $myLSB is not supported." - exit -fi -if [ "$1" == "" ]; - then - echo "$myINFO" - exit -fi -for i in "$@" - do - case $i in - --conf=*) - myTPOT_CONF_FILE="${i#*=}" - shift - ;; - --type=user) - myTPOT_DEPLOYMENT_TYPE="${i#*=}" - shift - ;; - --type=auto) - myTPOT_DEPLOYMENT_TYPE="${i#*=}" - shift - ;; - --type=iso) - myTPOT_DEPLOYMENT_TYPE="${i#*=}" - shift - ;; - --help) - echo "Usage: $0 " - echo - echo "--conf=" - echo " Use this if you want to automatically deploy a T-Pot instance (--type=auto implied)." - echo " A configuration example is available in \"tpotce/iso/installer/tpot.conf.dist\"." - echo - echo "--type=<[user, auto, iso]>" - echo " user, use this if you want to manually install a T-Pot on a Debian (testing) machine." - echo " auto, implied if a configuration file is passed as an argument for automatic deployment." 
- echo " iso, use this if you are a T-Pot developer and want to install a T-Pot from a pre-compiled iso." - echo - exit - ;; - *) - echo "$myINFO" - exit - ;; - esac - done - - -################################################### -# Validate command line arguments and load config # -################################################### - -# If a valid config file exists, set deployment type to "auto" and load the configuration -if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ] && [ "$myTPOT_CONF_FILE" == "" ]; - then - echo "Aborting. No configuration file given." - exit -fi -if [ -s "$myTPOT_CONF_FILE" ] && [ "$myTPOT_CONF_FILE" != "" ]; - then - myTPOT_DEPLOYMENT_TYPE="auto" - if [ "$(head -n 1 $myTPOT_CONF_FILE | grep -c "# tpot")" == "1" ]; - then - source "$myTPOT_CONF_FILE" - else - echo "Aborting. Config file \"$myTPOT_CONF_FILE\" not a T-Pot configuration file." - exit - fi - elif ! [ -s "$myTPOT_CONF_FILE" ] && [ "$myTPOT_CONF_FILE" != "" ]; - then - echo "Aborting. Config file \"$myTPOT_CONF_FILE\" not found." - exit -fi - - -####################### -# Prepare environment # -####################### - -# Got root? -function fuGOT_ROOT { -echo -echo -n "### Checking for root: " -if [ "$(whoami)" != "root" ]; - then - echo "[ NOT OK ]" - echo "### Please run as root." 
- echo "### Example: sudo $0" - exit - else - echo "[ OK ]" -fi -} - -# Let's check if all dependencies are met -function fuGET_DEPS { -local myPACKAGES="apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl debconf-utils dialog dnsutils docker.io docker-compose dstat ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man mosh multitail net-tools npm ntp openssh-server openssl pass prips software-properties-common syslinux psmisc pv python-pip toilet unattended-upgrades unzip vim wget wireless-tools wpasupplicant" -export DEBIAN_FRONTEND=noninteractive -apt-get -y update -apt-get -y install libpq-dev software-properties-common -tee /etc/apt/sources.list 2>&1>/dev/null <&1 | tee -a /etc/environment | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF - source /etc/environment - - # Let's setup the proxy for apt - echo "$myPROXY_APT" 2>&1 | tee /etc/apt/apt.conf | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF - - # Let's add proxy settings to docker defaults - echo "$myPROXY_DOCKER" 2>&1 | tee -a /etc/default/docker | dialog --keep-window --title "[ Setting up the proxy ]" $myPROGRESSBOXCONF - - # Let's restart docker for proxy changes to take effect - systemctl stop docker 2>&1 | dialog --keep-window --title "[ Stop docker service ]" $myPROGRESSBOXCONF - systemctl start docker 2>&1 | dialog --keep-window --title "[ Start docker service ]" $myPROGRESSBOXCONF -fi -### ---> End proxy setup - -# Let's test the internet connection -if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; - then - mySITESCOUNT=$(echo $mySITES | wc -w) - j=0 - for i in $mySITES; - do - curl --connect-timeout 30 -IsS $i 2>&1>/dev/null | dialog --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ - --gauge "\n Now checking: $i\n" 8 
80 $(expr 100 \* $j / $mySITESCOUNT) - if [ $? -ne 0 ]; - then - dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Continue? ]" --yesno "\nInternet connection test failed. This might indicate some problems with your connection. You can continue, but the installation might fail." 10 50 - if [ $? = 1 ]; - then - dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Abort ]" --msgbox "\nInstallation aborted. Exiting the installer." 7 50 - exit - else - break; - fi; - fi; - let j+=1 - echo 2>&1>/dev/null | dialog --keep-window --title "[ Testing the internet connection ]" --backtitle "$myBACKTITLE" \ - --gauge "\n Now checking: $i\n" 8 80 $(expr 100 \* $j / $mySITESCOUNT) - done; -fi - -#################### -# User interaction # -#################### - -# Let's ask the user for install flavor -if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; - then - myCONF_TPOT_FLAVOR=$(dialog --keep-window --no-cancel --backtitle "$myBACKTITLE" --title "[ Choose Your T-Pot NG Edition ]" --menu \ - "\nRequired: 6GB RAM, 128GB SSD\nRecommended: 8GB RAM, 256GB SSD" 15 70 7 \ - "STANDARD" "Honeypots, ELK, NSM & Tools" \ - "SENSOR" "Just Honeypots, EWS Poster & NSM" \ - "INDUSTRIAL" "Conpot, RDPY, Vnclowpot, ELK, NSM & Tools" \ - "COLLECTOR" "Heralding, ELK, NSM & Tools" \ - "NEXTGEN" "NextGen (Glutton instead of Honeytrap)" \ - "LEGACY" "Standard Edition from previous release" 3>&1 1>&2 2>&3 3>&-) -fi - -# Let's ask for a secure tsec password if installation type is iso -if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ]; - then - myCONF_TPOT_USER="tsec" - myPASS1="pass1" - myPASS2="pass2" - mySECURE="0" - while [ "$myPASS1" != "$myPASS2" ] && [ "$mySECURE" == "0" ] - do - while [ "$myPASS1" == "pass1" ] || [ "$myPASS1" == "" ] - do - myPASS1=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \ - --title "[ Enter password for console user (tsec) ]" \ - --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) - done - myPASS2=$(dialog 
--keep-window --insecure --backtitle "$myBACKTITLE" \ - --title "[ Repeat password for console user (tsec) ]" \ - --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) - if [ "$myPASS1" != "$myPASS2" ]; - then - dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ - --msgbox "\nPlease re-enter your password." 7 60 - myPASS1="pass1" - myPASS2="pass2" - fi - mySECURE=$(printf "%s" "$myPASS1" | cracklib-check | grep -c "OK") - if [ "$mySECURE" == "0" ] && [ "$myPASS1" == "$myPASS2" ]; - then - dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 - myOK=$? - if [ "$myOK" == "1" ]; - then - myPASS1="pass1" - myPASS2="pass2" - fi - fi - done - printf "%s" "$myCONF_TPOT_USER:$myPASS1" | chpasswd -fi - -# Let's ask for web user credentials if deployment type is iso or user -# In case of auto, credentials are created from config values -# Skip this step entirely if SENSOR flavor -if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ] || [ "$myTPOT_DEPLOYMENT_TYPE" == "user" ]; - then - myOK="1" - myCONF_WEB_USER="webuser" - myCONF_WEB_PW="pass1" - myCONF_WEB_PW2="pass2" - mySECURE="0" - while [ 1 != 2 ] - do - myCONF_WEB_USER=$(dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Enter your web user name ]" --inputbox "\nUsername (tsec not allowed)" 9 50 3>&1 1>&2 2>&3 3>&-) - myCONF_WEB_USER=$(echo $myCONF_WEB_USER | tr -cd "[:alnum:]_.-") - dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Your username is ]" --yesno "\n$myCONF_WEB_USER" 7 50 - myOK=$? 
- if [ "$myOK" = "0" ] && [ "$myCONF_WEB_USER" != "tsec" ] && [ "$myCONF_WEB_USER" != "" ]; - then - break - fi - done - while [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ] && [ "$mySECURE" == "0" ] - do - while [ "$myCONF_WEB_PW" == "pass1" ] || [ "$myCONF_WEB_PW" == "" ] - do - myCONF_WEB_PW=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \ - --title "[ Enter password for your web user ]" \ - --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) - done - myCONF_WEB_PW2=$(dialog --keep-window --insecure --backtitle "$myBACKTITLE" \ - --title "[ Repeat password for your web user ]" \ - --passwordbox "\nPassword" 9 60 3>&1 1>&2 2>&3 3>&-) - if [ "$myCONF_WEB_PW" != "$myCONF_WEB_PW2" ]; - then - dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Passwords do not match. ]" \ - --msgbox "\nPlease re-enter your password." 7 60 - myCONF_WEB_PW="pass1" - myCONF_WEB_PW2="pass2" - fi - mySECURE=$(printf "%s" "$myCONF_WEB_PW" | cracklib-check | grep -c "OK") - if [ "$mySECURE" == "0" ] && [ "$myCONF_WEB_PW" == "$myCONF_WEB_PW2" ]; - then - dialog --keep-window --backtitle "$myBACKTITLE" --title "[ Password is not secure ]" --defaultno --yesno "\nKeep insecure password?" 7 50 - myOK=$? - if [ "$myOK" == "1" ]; - then - myCONF_WEB_PW="pass1" - myCONF_WEB_PW2="pass2" - fi - fi - done -fi -# If flavor is SENSOR do not write credentials -if ! [ "$myCONF_TPOT_FLAVOR" == "SENSOR" ]; - then - mkdir -p /data/nginx/conf 2>&1 - htpasswd -b -c /data/nginx/conf/nginxpasswd "$myCONF_WEB_USER" "$myCONF_WEB_PW" 2>&1 | dialog --keep-window --title "[ Setting up user and password ]" $myPROGRESSBOXCONF; -fi - - -######################## -# Installation section # -######################## - -# Let's generate a SSL self-signed certificate without interaction (browsers will see it invalid anyway) -if ! 
[ "$myCONF_TPOT_FLAVOR" == "SENSOR" ]; -then -mkdir -p /data/nginx/cert 2>&1 | dialog --keep-window --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; -openssl req \ - -nodes \ - -x509 \ - -sha512 \ - -newkey rsa:8192 \ - -keyout "/data/nginx/cert/nginx.key" \ - -out "/data/nginx/cert/nginx.crt" \ - -days 3650 \ - -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' 2>&1 | dialog --keep-window --title "[ Generating a self-signed-certificate for NGINX ]" $myPROGRESSBOXCONF; -fi - -# Let's setup the ntp server -if [ "$myCONF_NTP_USE" == "0" ]; - then - cp $myCONF_NTP_CONF_FILE /etc/ntp.conf 2>&1 | dialog --keep-window --title "[ Setting up the ntp server ]" $myPROGRESSBOXCONF -fi - -# Let's setup 802.1x networking -myNETWORK_INTERFACES=" -wpa-driver wired -wpa-conf /etc/wpa_supplicant/wired8021x.conf - -### Example wireless config for 802.1x -### This configuration was tested with the IntelNUC series -### If problems occur you can try and change wpa-driver to \"iwlwifi\" -### Do not forget to enter a ssid in /etc/wpa_supplicant/wireless8021x.conf -### The Intel NUC uses wlpXsY notation instead of wlanX -# -#auto wlp2s0 -#iface wlp2s0 inet dhcp -# wpa-driver wext -# wpa-conf /etc/wpa_supplicant/wireless8021x.conf -" -myNETWORK_WIRED8021x="ctrl_interface=/var/run/wpa_supplicant -ctrl_interface_group=root -eapol_version=1 -ap_scan=1 -network={ - key_mgmt=IEEE8021X - eap=TLS - identity=\"host/$myCONF_PFX_HOST_ID\" - private_key=\"/etc/wpa_supplicant/8021x.pfx\" - private_key_passwd=\"$myCONF_PFX_PW\" -} -" -myNETWORK_WLAN8021x="ctrl_interface=/var/run/wpa_supplicant -ctrl_interface_group=root -eapol_version=1 -ap_scan=1 -network={ - ssid="" - key_mgmt=WPA-EAP - pairwise=CCMP - group=CCMP - eap=TLS - identity="host/$myCONF_PFX_HOST_ID" - private_key="/etc/wpa_supplicant/8021x.pfx" - private_key_passwd="$myCONF_PFX_PW" -} -" -if [ "myCONF_PFX_USE" == "0" ]; - then - cp $myCONF_PFX_FILE /etc/wpa_supplicant/ 2>&1 | dialog --keep-window --title 
"[ Setting 802.1x networking ]" $myPROGRESSBOXCONF - echo "$myNETWORK_INTERFACES" 2>&1 | tee -a /etc/network/interfaces | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF - - echo "$myNETWORK_WIRED8021x" 2>&1 | tee /etc/wpa_supplicant/wired8021x.conf | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF - - echo "$myNETWORK_WLAN8021x" 2>&1 | tee /etc/wpa_supplicant/wireless8021x.conf | dialog --keep-window --title "[ Setting 802.1x networking ]" $myPROGRESSBOXCONF -fi - -# Let's provide a wireless example config ... -myNETWORK_WLANEXAMPLE=" -### Example static ip config -### Replace with the name of your physical interface name -# -#auto eth0 -#iface eth0 inet static -# address 192.168.1.1 -# netmask 255.255.255.0 -# network 192.168.1.0 -# broadcast 192.168.1.255 -# gateway 192.168.1.1 -# dns-nameservers 192.168.1.1 - -### Example wireless config without 802.1x -### This configuration was tested with the IntelNUC series -### If problems occur you can try and change wpa-driver to "iwlwifi" -# -#auto wlan0 -#iface wlan0 inet dhcp -# wpa-driver wext -# wpa-ssid -# wpa-ap-scan 1 -# wpa-proto RSN -# wpa-pairwise CCMP -# wpa-group CCMP -# wpa-key-mgmt WPA-PSK -# wpa-psk \"\" -" -echo "$myNETWORK_WLANEXAMPLE" 2>&1 | tee -a /etc/network/interfaces | dialog --keep-window --title "[ Provide WLAN example config ]" $myPROGRESSBOXCONF - -# Let's modify the sources list -sed -i '/cdrom/d' /etc/apt/sources.list - -# Let's make sure SSH roaming is turned off (CVE-2016-0777, CVE-2016-0778) -echo "UseRoaming no" 2>&1 | tee -a /etc/ssh/ssh_config | dialog --keep-window --title "[ Turn SSH roaming off ]" $myPROGRESSBOXCONF - -# Installing ctop, elasticdump, tpot, yq -npm install https://github.com/taskrabbit/elasticsearch-dump -g 2>&1 | dialog --keep-window --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF -pip install --upgrade pip 2>&1 | dialog --keep-window --title "[ Installing pip ]" $myPROGRESSBOXCONF -hash 
-r 2>&1 | dialog --keep-window --title "[ Installing pip ]" $myPROGRESSBOXCONF -pip install elasticsearch-curator yq 2>&1 | dialog --keep-window --title "[ Installing elasticsearch-curator, yq ]" $myPROGRESSBOXCONF -wget https://github.com/bcicen/ctop/releases/download/v0.7.2/ctop-0.7.2-linux-amd64 -O /usr/bin/ctop 2>&1 | dialog --keep-window --title "[ Installing ctop ]" $myPROGRESSBOXCONF -chmod +x /usr/bin/ctop 2>&1 | dialog --keep-window --title "[ Installing ctop ]" $myPROGRESSBOXCONF -git clone https://github.com/dtag-dev-sec/tpotce -b debian /opt/tpot 2>&1 | dialog --keep-window --title "[ Cloning T-Pot ]" $myPROGRESSBOXCONF - -# Let's create the T-Pot user -addgroup --gid 2000 tpot 2>&1 | dialog --keep-window --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF -adduser --system --no-create-home --uid 2000 --disabled-password --disabled-login --gid 2000 tpot 2>&1 | dialog --keep-window --title "[ Adding T-Pot user ]" $myPROGRESSBOXCONF - -# Let's set the hostname -a=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/a.txt) -n=$(fuRANDOMWORD /opt/tpot/host/usr/share/dict/n.txt) -myHOST=$a$n -hostnamectl set-hostname $myHOST 2>&1 | dialog --keep-window --title "[ Setting new hostname ]" $myPROGRESSBOXCONF -sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts 2>&1 | dialog --keep-window --title "[ Setting new hostname ]" $myPROGRESSBOXCONF - -# Let's patch cockpit.socket, sshd_config -sed -i 's#ListenStream=9090#ListenStream=64294#' /lib/systemd/system/cockpit.socket 2>&1 | dialog --keep-window --title "[ Cockpit listen on tcp/64294 ]" $myPROGRESSBOXCONF -sed -i '/^port/Id' /etc/ssh/sshd_config 2>&1 | dialog --keep-window --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF -echo "Port 64295" >> /etc/ssh/sshd_config 2>&1 | dialog --keep-window --title "[ SSH listen on tcp/64295 ]" $myPROGRESSBOXCONF - -# Let's make sure only myCONF_TPOT_FLAVOR images will be downloaded and started -case $myCONF_TPOT_FLAVOR in - STANDARD) - echo "### Preparing STANDARD flavor 
installation." - ln -s /opt/tpot/etc/compose/standard.yml $myTPOTCOMPOSE 2>&1>/dev/null - ;; - SENSOR) - echo "### Preparing SENSOR flavor installation." - ln -s /opt/tpot/etc/compose/sensor.yml $myTPOTCOMPOSE 2>&1>/dev/null - ;; - INDUSTRIAL) - echo "### Preparing INDUSTRIAL flavor installation." - ln -s /opt/tpot/etc/compose/industrial.yml $myTPOTCOMPOSE 2>&1>/dev/null - ;; - COLLECTOR) - echo "### Preparing COLLECTOR flavor installation." - ln -s /opt/tpot/etc/compose/collector.yml $myTPOTCOMPOSE 2>&1>/dev/null - ;; - NEXTGEN) - echo "### Preparing NEXTGEN flavor installation." - ln -s /opt/tpot/etc/compose/nextgen.yml $myTPOTCOMPOSE 2>&1>/dev/null - ;; - LEGACY) - echo "### Preparing LEGACY flavor installation." - ln -s /opt/tpot/etc/compose/legacy.yml $myTPOTCOMPOSE 2>&1>/dev/null - ;; -esac - -# Let's load docker images in parallel -function fuPULLIMAGES { -for name in $(cat $myTPOTCOMPOSE | grep -v '#' | grep image | cut -d'"' -f2 | uniq) - do - docker pull $name & -done -wait -} -fuPULLIMAGES 2>&1 | dialog --keep-window --title "[ Pulling docker images, please be patient ]" $myPROGRESSBOXCONF - -# Let's add the daily update check with a weekly clean interval -myUPDATECHECK="APT::Periodic::Update-Package-Lists \"1\"; -APT::Periodic::Download-Upgradeable-Packages \"0\"; -APT::Periodic::AutocleanInterval \"7\"; -" -echo "$myUPDATECHECK" 2>&1 | tee /etc/apt/apt.conf.d/10periodic | dialog --keep-window --title "[ Modifying update checks ]" $myPROGRESSBOXCONF - -# Let's make sure to reboot the system after a kernel panic -mySYSCTLCONF=" -# Reboot after kernel panic, check via /proc/sys/kernel/panic[_on_oops] -# Set required map count for ELK -kernel.panic = 1 -kernel.panic_on_oops = 1 -vm.max_map_count = 262144 -net.ipv6.conf.all.disable_ipv6 = 1 -net.ipv6.conf.default.disable_ipv6 = 1 -net.ipv6.conf.lo.disable_ipv6 = 1 -" -echo "$mySYSCTLCONF" 2>&1 | tee -a /etc/sysctl.conf | dialog --keep-window --title "[ Tweak Sysctl ]" $myPROGRESSBOXCONF - -# Let's setup 
fail2ban config -myFAIL2BANCONF="[DEFAULT] -ignore-ip = 127.0.0.1/8 -bantime = 3600 -findtime = 600 -maxretry = 5 - -[nginx-http-auth] -enabled = true -filter = nginx-http-auth -port = 64297 -logpath = /data/nginx/log/error.log - -[pam-generic] -enabled = true -port = 64294 -filter = pam-generic -logpath = /var/log/auth.log - -[sshd] -enabled = true -port = 64295 -filter = sshd -logpath = /var/log/auth.log -" -echo "$myFAIL2BANCONF" 2>&1 | tee /etc/fail2ban/jail.d/tpot.conf | dialog --keep-window --title "[ Setup fail2ban config ]" $myPROGRESSBOXCONF - -# Fix systemd error https://github.com/systemd/systemd/issues/3374 -mySYSTEMDFIX="[Link] -NamePolicy=kernel database onboard slot path -MACAddressPolicy=none -" -echo "$mySYSTEMDFIX" 2>&1 | tee /etc/systemd/network/99-default.link | dialog --keep-window --title "[ systemd fix ]" $myPROGRESSBOXCONF - -# Let's add some cronjobs -myCRONJOBS=" -# Check if updated images are available and download them -27 1 * * * root docker-compose -f /opt/tpot/etc/tpot.yml pull - -# Delete elasticsearch logstash indices older than 90 days -27 4 * * * root curator --config /opt/tpot/etc/curator/curator.yml /opt/tpot/etc/curator/actions.yml - -# Uploaded binaries are not supposed to be downloaded -*/1 * * * * root mv --backup=numbered /data/dionaea/roots/ftp/* /data/dionaea/binaries/ - -# Daily reboot -27 3 * * * root systemctl stop tpot && docker stop \$(docker ps -aq) || docker rm \$(docker ps -aq) || reboot - -# Check for updated packages every sunday, upgrade and reboot -27 16 * * 0 root apt-get autoclean -y && apt-get autoremove -y && apt-get update -y && apt-get upgrade -y && sleep 10 && reboot -" -echo "$myCRONJOBS" 2>&1 | tee -a /etc/crontab | dialog --keep-window --title "[ Adding cronjobs ]" $myPROGRESSBOXCONF - -# Let's create some files and folders -mkdir -p /data/adbhoney/downloads /data/adbhoney/log \ - /data/ciscoasa/log \ - /data/conpot/log \ - /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ 
/data/cowrie/misc/ \ - /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp \ - /data/elasticpot/log \ - /data/elk/data /data/elk/log \ - /data/glastopf/log /data/glastopf/db \ - /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/ \ - /data/glutton/log \ - /data/heralding/log \ - /data/mailoney/log \ - /data/medpot/log \ - /data/nginx/log \ - /data/emobility/log \ - /data/ews/conf \ - /data/rdpy/log \ - /data/spiderfoot \ - /data/suricata/log /home/tsec/.ssh/ \ - /data/tanner/log /data/tanner/files \ - /data/p0f/log 2>&1 | dialog --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF -touch /data/spiderfoot/spiderfoot.db 2>&1 | dialog --keep-window --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF -touch /data/nginx/log/error.log 2>&1 | dialog --keep-window --title "[ Creating some files and folders ]" $myPROGRESSBOXCONF - -# Let's copy some files -tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C / 2>&1 | dialog --keep-window --title "[ Extracting elkbase.tgz ]" $myPROGRESSBOXCONF -cp /opt/tpot/host/etc/systemd/* /etc/systemd/system/ 2>&1 | dialog --keep-window --title "[ Copy configs ]" $myPROGRESSBOXCONF -systemctl enable tpot 2>&1 | dialog --keep-window --title "[ Enabling service for tpot ]" $myPROGRESSBOXCONF - -# Let's take care of some files and permissions -chmod 760 -R /data 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF -chown tpot:tpot -R /data 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF -chmod 644 -R /data/nginx/conf 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF -chmod 644 -R /data/nginx/cert 2>&1 | dialog --keep-window --title "[ Set permissions and ownerships ]" $myPROGRESSBOXCONF - -# Let's replace "quiet splash" options, set a console font for 
more screen canvas and update grub -sed -i 's#GRUB_CMDLINE_LINUX_DEFAULT="quiet"#GRUB_CMDLINE_LINUX_DEFAULT="quiet consoleblank=0"#' /etc/default/grub 2>&1>/dev/null -sed -i 's#GRUB_CMDLINE_LINUX=""#GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"#' /etc/default/grub 2>&1>/dev/null -update-grub 2>&1 | dialog --keep-window --title "[ Update grub ]" $myPROGRESSBOXCONF -cp /usr/share/consolefonts/Uni2-Terminus12x6.psf.gz /etc/console-setup/ -gunzip /etc/console-setup/Uni2-Terminus12x6.psf.gz -sed -i 's#FONTFACE=".*#FONTFACE="Terminus"#' /etc/default/console-setup -sed -i 's#FONTSIZE=".*#FONTSIZE="12x6"#' /etc/default/console-setup -update-initramfs -u 2>&1 | dialog --keep-window --title "[ Update initramfs ]" $myPROGRESSBOXCONF -sed -i 's#After=.*#After=systemd-tmpfiles-setup.service console-screen.service kbd.service local-fs.target#' /etc/systemd/system/multi-user.target.wants/console-setup.service 2>&1 | dialog --keep-window --title "[ Fix race with console setup ]" $myPROGRESSBOXCONF - -# Let's enable a color prompt and add /opt/tpot/bin to path -myROOTPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;1m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;1m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"' -myUSERPROMPT='PS1="\[\033[38;5;8m\][\[$(tput sgr0)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]\[\033[38;5;6m\]@\[$(tput sgr0)\]\[\033[38;5;4m\]\h\[$(tput sgr0)\]\[\033[38;5;6m\]:\[$(tput sgr0)\]\[\033[38;5;5m\]\w\[$(tput sgr0)\]\[\033[38;5;8m\]]\[$(tput sgr0)\]\[\033[38;5;2m\]\\$\[$(tput sgr0)\]\[\033[38;5;15m\] \[$(tput sgr0)\]"' -myROOTCOLORS="export LS_OPTIONS='--color=auto' -eval \"\`dircolors\`\" -alias ls='ls \$LS_OPTIONS' -alias ll='ls \$LS_OPTIONS -l' -alias l='ls \$LS_OPTIONS -lA'" -tee -a /root/.bashrc 2>&1>/dev/null <&1>/dev/null <&1>/dev/null - -# Let's clean up apt -apt-get autoclean -y 
2>&1 | dialog --keep-window --title "[ Cleaning up ]" $myPROGRESSBOXCONF
-apt-get autoremove -y 2>&1 | dialog --keep-window --title "[ Cleaning up ]" $myPROGRESSBOXCONF
-
-# Final steps
-cp /opt/tpot/host/etc/rc.local /etc/rc.local 2>&1>/dev/null && \
-rm -rf /root/installer 2>&1>/dev/null && \
-rm -rf /etc/issue.d/cockpit.issue 2>&1>/dev/null && \
-rm -rf /etc/motd.d/cockpit 2>&1>/dev/null && \
-rm -rf /etc/issue.net 2>&1>/dev/null && \
-rm -rf /etc/motd 2>&1>/dev/null && \
-if [ "$myTPOT_DEPLOYMENT_TYPE" == "auto" ];
- then
- echo "Done. Please reboot."
- else
- dialog --keep-window --no-ok --no-cancel --backtitle "$myBACKTITLE" --title "[ Thanks for your patience. Now rebooting. ]" --pause "" 6 80 2 && \
- systemctl restart console-setup.service
- reboot
-fi
diff --git a/iso/isolinux/txt.cfg b/iso/isolinux/txt.cfg
index 0adc8f82..932b0a97 100755
--- a/iso/isolinux/txt.cfg
+++ b/iso/isolinux/txt.cfg
@@ -1,6 +1,6 @@
 default install
 label install
- menu label ^T-Pot (based on Debian sid)
+ menu label ^T-Pot 19.03 (based on Debian Sid)
 menu default
 kernel linux
 append vga=788 initrd=initrd.gz console-setup/ask_detect=true --
diff --git a/iso/preseed/tpot.seed b/iso/preseed/tpot.seed
index ac066629..dc5053b6 100755
--- a/iso/preseed/tpot.seed
+++ b/iso/preseed/tpot.seed
@@ -78,7 +78,7 @@ d-i mirror/http/proxy string
 ###################
 # Suite to install
 ###################
-d-i mirror/suite string unstable
+#d-i mirror/suite string unstable
 #d-i mirror/suite string testing
 #d-i mirror/udeb/suite string testing
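Review bot: With `d-i mirror/suite string unstable` commented out and no other `mirror/suite` line left active in the @@ -78 hunk, debian-installer falls back, as far as I know, to the suite its netboot image was built for — which after this commit's makeiso.sh change is stretch — so the base system is installed as stable while iso/isolinux/txt.cfg in the same commit still labels the ISO "based on Debian Sid". If the intention is that install.sh later rewrites sources.list to sid and upgrades (the deleted backup's `tee /etc/apt/sources.list` suggests that, but the live script is not shown here), the dependency deserves a comment next to the commented-out line, e.g. `# suite intentionally unset: the base install follows the stable netboot image; install.sh moves the system to sid`, so nobody re-enables it; if that is not the intention, the label and the seed disagree.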
@@ -109,10 +109,9 @@ tasksel tasksel/first multiselect ssh-server
 ########################
 ### Package Installation
 ########################
-d-i pkgsel/include string apache2-utils apparmor apt-transport-https aufs-tools bash-completion build-essential ca-certificates cgroupfs-mount cockpit cockpit-docker curl debconf-utils dialog dnsutils docker.io docker-compose dstat ethtool fail2ban figlet genisoimage git glances grc haveged html2text htop iptables iw jq libcrack2 libltdl7 lm-sensors man mosh multitail net-tools npm ntp openssh-server openssl pass prips software-properties-common syslinux psmisc pv python-pip toilet unzip vim wget wireless-tools wpasupplicant
+d-i pkgsel/include string git lsb-release
 popularity-contest popularity-contest/participate boolean false
-
 #################
 ### Update Policy
 #################
diff --git a/makeiso.sh b/makeiso.sh
index 4dcf9dbd..95638d05 100755
--- a/makeiso.sh
+++ b/makeiso.sh
@@ -5,9 +5,10 @@ export TERM=linux
 # Let's define some global vars
 myBACKTITLE="T-Pot - ISO Creator"
-# If you need latest hardware support, try using the hardware enablement (hwe) ISO, usually released later in time
 #myMINIISOLINK="http://ftp.debian.org/debian/dists/testing/main/installer-amd64/current/images/netboot/mini.iso"
-myMINIISOLINK="https://d-i.debian.org/daily-images/amd64/daily/netboot/mini.iso"
+#myMINIISOLINK="https://d-i.debian.org/daily-images/amd64/daily/netboot/mini.iso"
+# For stability reasons Debian Sid installation is built on a stable installer
+myMINIISOLINK="http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/mini.iso"
 myMINIISO="mini.iso"
 myTPOTISO="tpot.iso"
 myTPOTDIR="tpotiso"
@@ -275,4 +276,6 @@ do
 fi
 done
+dialog --clear
+
 exit 0
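Review bot: The new `d-i pkgsel/include string git lsb-release` line carries no comment on why the list shrank from the full dependency set to two packages, which a reader will otherwise take for an accidental regression. A comment above it such as `# Minimal set: git clones T-Pot, lsb-release lets install.sh check the Debian release; everything else is installed by install.sh` would record the contract — I am inferring the lsb_release dependency from `myLSB=$(lsb_release -c ...)` in the deleted backup, so confirm the live install.sh still makes that check. Since `tasksel/first multiselect ssh-server` in the header context still installs sshd, the host runs it with the stock config on tcp/22 until install.sh (which now carries fail2ban and the port change) completes, which the same comment could state.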
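Review bot: The new `myMINIISOLINK` in the @@ -5 hunk fetches the netboot `mini.iso` over plain HTTP from ftp.debian.org, and that image is the trust root of every ISO this script produces, yet nothing in the hunk verifies it; if the rest of makeiso.sh does not check the download either, an on-path tamper or a stale mirror goes undetected. Debian publishes `SHA256SUMS` in the same `images/` directory, so downloading it, checking it against the suite's signed Release data and comparing the hash before the image is used would close that gap (switching to the https mirror, as the commented-out daily link already did, is the minimum). The added comment `# For stability reasons Debian Sid installation is built on a stable installer` reads better as `# For stability the Sid system is installed from the stable (stretch) netboot installer`.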