From f9a9c8c4bfe93af744f1d43be39ff1f74cacf2f7 Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Tue, 27 Feb 2024 20:11:16 +0100 Subject: [PATCH] tweak deploy, add autoheal, start update Dockerfiles - tweak deploy a little further - start with rebuilding Dockerfiles - rework healthcheck for adbhoney CPU issues - bump adbhoney, ciscoasa, citrixhoneypot, conpot, cowriepot, ddospot to alpine 3.19 - fix conpot issue with py 3.11 - bump conpot to latest master - bump cowrie to latest master - add autoheal to tpotinit to restart unhealthy container (if healthcheck enabled) --- compose/mobile.yml | 2 +- compose/raspberry_showcase.yml | 2 +- compose/sensor.yml | 2 +- compose/standard.yml | 1 + compose/tpot_services.yml | 2 +- deploy.sh | 14 +- docker-compose.yml | 1 + docker/adbhoney/Dockerfile | 14 +- docker/adbhoney/dist/cpu_check.py | 10 ++ docker/adbhoney/docker-compose.yml | 4 +- docker/ciscoasa/Dockerfile | 4 +- docker/ciscoasa/docker-compose.yml | 2 +- docker/citrixhoneypot/Dockerfile | 8 +- docker/citrixhoneypot/docker-compose.yml | 2 +- docker/conpot/Dockerfile | 89 ++++++------ docker/conpot/dist/conpot.cfg | 2 +- docker/conpot/dist/requirements.txt | 4 +- docker/conpot/docker-compose.yml | 10 +- docker/cowrie/Dockerfile | 72 +++++----- docker/cowrie/docker-compose.yml | 8 +- docker/ddospot/Dockerfile | 34 ++--- docker/ddospot/docker-compose.yml | 6 +- docker/tpotinit/Dockerfile | 2 +- docker/tpotinit/dist/autoheal.sh | 171 +++++++++++++++++++++++ docker/tpotinit/dist/entrypoint.sh | 25 +++- docker/tpotinit/docker-compose.yml | 2 +- install.sh | 1 + 27 files changed, 354 insertions(+), 140 deletions(-) create mode 100644 docker/adbhoney/dist/cpu_check.py create mode 100755 docker/tpotinit/dist/autoheal.sh diff --git a/compose/mobile.yml b/compose/mobile.yml index 44ee9141..83bcdd10 100644 --- a/compose/mobile.yml +++ b/compose/mobile.yml 
@@ -51,7 +51,7 @@ services: - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole - ${TPOT_DATA_PATH}:/data - + - /var/run/docker.sock:/var/run/docker.sock:ro ################## #### Honeypots diff --git a/compose/raspberry_showcase.yml b/compose/raspberry_showcase.yml index 44ee9141..83bcdd10 100644 --- a/compose/raspberry_showcase.yml +++ b/compose/raspberry_showcase.yml @@ -51,7 +51,7 @@ services: - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole - ${TPOT_DATA_PATH}:/data - + - /var/run/docker.sock:/var/run/docker.sock:ro ################## #### Honeypots diff --git a/compose/sensor.yml b/compose/sensor.yml index 14d3df5c..05e932eb 100644 --- a/compose/sensor.yml +++ b/compose/sensor.yml @@ -49,7 +49,7 @@ services: - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole - ${TPOT_DATA_PATH}:/data - + - /var/run/docker.sock:/var/run/docker.sock:ro ################## #### Honeypots diff --git a/compose/standard.yml b/compose/standard.yml index 7f6bc157..c46eda8f 100644 --- a/compose/standard.yml +++ b/compose/standard.yml @@ -50,6 +50,7 @@ services: - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole - ${TPOT_DATA_PATH}:/data + - /var/run/docker.sock:/var/run/docker.sock:ro ################## diff --git a/compose/tpot_services.yml b/compose/tpot_services.yml index 9cd8510c..f45030f9 100644 --- a/compose/tpot_services.yml +++ b/compose/tpot_services.yml @@ -57,7 +57,7 @@ services: - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole - ${TPOT_DATA_PATH}:/data - + - /var/run/docker.sock:/var/run/docker.sock:ro ################## #### Honeypots diff --git a/deploy.sh b/deploy.sh index 221c8da7..26a3289c 100755 --- a/deploy.sh +++ b/deploy.sh 
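Review bot: The `:ro` on the new `/var/run/docker.sock` bind mount is not an API permission boundary — it only prevents filesystem writes to the socket inode, and autoheal.sh from this same commit issues `POST /containers/<id>/restart` through it, which shows the full Docker API (start, stop, exec into any container on the host) stays reachable from tpotinit. That is what the autoheal feature needs, but a reader of the compose file should not take `ro` as a restriction; a comment next to the line such as `# docker socket for autoheal container restarts; :ro does not limit API access` makes that explicit, and a socket proxy exposing only the container list/restart endpoints would be the way to make the boundary real. The same line is added in raspberry_showcase.yml, sensor.yml, standard.yml and tpot_services.yml on this hunk line, in docker-compose.yml on the next, and uncommented in docker/tpotinit/docker-compose.yml at the end of the patch.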
@@ -22,12 +22,24 @@ EOF if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env"; then echo "# This script is only supported on HIVE installations." + echo + exit 1 +fi + +# Check if running on a supported distribution +mySUPPORTED_DISTRIBUTIONS=("AlmaLinux" "Debian GNU/Linux" "Fedora Linux" "openSUSE Tumbleweed" "Raspbian GNU/Linux" "Rocky Linux" "Ubuntu") +myCURRENT_DISTRIBUTION=$(awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"') + +if [[ ! " ${mySUPPORTED_DISTRIBUTIONS[@]} " =~ " ${myCURRENT_DISTRIBUTION} " ]]; + then + echo "# Only the following distributions are supported: AlmaLinux, Fedora, Debian, openSUSE Tumbleweed, Rocky Linux and Ubuntu." + echo exit 1 fi echo "${myDEPLOY}" echo -echo "This script will prepare a T-Pot SENSOR installation to transmit logs into this HIVE." +echo "# This script will prepare a T-Pot SENSOR installation to transmit logs into this HIVE." echo # Ask if a T-Pot SENSOR was installed diff --git a/docker-compose.yml b/docker-compose.yml index 7f6bc157..c46eda8f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -50,6 +50,7 @@ services: - ${TPOT_DOCKER_COMPOSE}:/tmp/tpot/docker-compose.yml:ro - ${TPOT_DATA_PATH}/blackhole:/etc/blackhole - ${TPOT_DATA_PATH}:/data + - /var/run/docker.sock:/var/run/docker.sock:ro ################## diff --git a/docker/adbhoney/Dockerfile b/docker/adbhoney/Dockerfile index 1022609f..b2e4ebe7 100644 --- a/docker/adbhoney/Dockerfile +++ b/docker/adbhoney/Dockerfile @@ -1,14 +1,15 @@ -FROM alpine:3.17 +FROM alpine:3.19 # # Include dist COPY dist/ /root/dist/ # # Install packages RUN apk --no-cache -U add \ - git \ - procps \ - py3-requests \ - python3 && \ + git \ + procps \ + py3-psutil \ + py3-requests \ + python3 && \ # # Install adbhoney from git git clone https://github.com/huuck/ADBHoney /opt/adbhoney && \ 
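Review bot: The rejection message in the new distribution gate does not list Raspbian GNU/Linux even though mySUPPORTED_DISTRIBUTIONS accepts it, so the check and its message disagree; the same wording is copied from install.sh. Suggest `echo "# Only the following distributions are supported: AlmaLinux, Debian, Fedora, openSUSE Tumbleweed, Raspbian, Rocky Linux and Ubuntu."`. If `/etc/os-release` is missing on an unsupported host the gate still rejects (empty `myCURRENT_DISTRIBUTION`), but `awk` prints its own error first; `2>/dev/null` on that command keeps the output to the intended message.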
@@ -16,6 +17,7 @@ RUN apk --no-cache -U add \ # git checkout 2417a7a982f4fd527b3a048048df9a23178767ad && \ git checkout 42afd98611724ca3d694a48b694c957e8d953db4 && \ cp /root/dist/adbhoney.cfg /opt/adbhoney && \ + cp /root/dist/cpu_check.py /opt/adbhoney && \ sed -i 's/dst_ip/dest_ip/' /opt/adbhoney/adbhoney/core.py && \ sed -i 's/dst_port/dest_port/' /opt/adbhoney/adbhoney/core.py && \ # @@ -31,7 +33,7 @@ RUN apk --no-cache -U add \ # Set workdir and start adbhoney STOPSIGNAL SIGINT # Adbhoney sometimes hangs at 100% CPU usage, if detected process will be killed and container restarts per docker-compose settings -HEALTHCHECK CMD if [ $(ps -C mpv -p 1 -o %cpu | tail -n 1 | cut -f 1 -d ".") -gt 75 ]; then kill -2 1; else exit 0; fi +HEALTHCHECK --interval=5m --timeout=30s --retries=3 CMD python3 /opt/adbhoney/cpu_check.py USER adbhoney:adbhoney WORKDIR /opt/adbhoney/ CMD /usr/bin/python3 run.py diff --git a/docker/adbhoney/dist/cpu_check.py b/docker/adbhoney/dist/cpu_check.py new file mode 100644 index 00000000..12204d49 --- /dev/null +++ b/docker/adbhoney/dist/cpu_check.py @@ -0,0 +1,10 @@ +import psutil + +# Get the overall CPU usage percentage +cpu_usage = psutil.cpu_percent(interval=1) +print(cpu_usage) +# Check CPU usage threshold +if cpu_usage >= 75: # Adjust the threshold as needed + exit(1) +else: + exit(0) diff --git a/docker/adbhoney/docker-compose.yml b/docker/adbhoney/docker-compose.yml index 9dda6087..0fb250c9 100644 --- a/docker/adbhoney/docker-compose.yml +++ b/docker/adbhoney/docker-compose.yml @@ -19,5 +19,5 @@ services: image: "dtagdevsec/adbhoney:alpha" read_only: true volumes: - - /data/adbhoney/log:/opt/adbhoney/log - - /data/adbhoney/downloads:/opt/adbhoney/dl + - $HOME/tpotce/data/adbhoney/log:/opt/adbhoney/log + - $HOME/tpotce/data/adbhoney/downloads:/opt/adbhoney/dl diff --git a/docker/ciscoasa/Dockerfile b/docker/ciscoasa/Dockerfile index 4a057722..1b2f8c4c 100644 --- a/docker/ciscoasa/Dockerfile +++ b/docker/ciscoasa/Dockerfile 
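Review bot: `psutil.cpu_percent(interval=1)` reports system-wide CPU utilisation, not adbhoney's, so this health check turns unhealthy whenever the host as a whole exceeds 75% (other honeypots, elastic, a build), and with autoheal from this same commit restarting unhealthy containers that converts general host load into adbhoney restarts; the replaced HEALTHCHECK in the Dockerfile hunk at least targeted PID 1. Measuring the honeypot process keeps the stated intent: `cpu_usage = psutil.Process(1).cpu_percent(interval=1)` — confirm PID 1 is the python process, since the shell-form `CMD /usr/bin/python3 run.py` may leave a `sh` in front of it. A comment on the Dockerfile line noting that `--interval=5m --retries=3` means roughly 15 minutes of sustained load before the container is marked unhealthy would help the next reader, and `sys.exit()` is preferable to the site-module `exit()` in a script.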
@@ -1,4 +1,4 @@ -FROM alpine:3.17 +FROM alpine:3.19 # # Include dist COPY dist/ /root/dist/ @@ -27,7 +27,7 @@ RUN apk --no-cache -U upgrade && \ cd ciscoasa_honeypot && \ git checkout d6e91f1aab7fe6fc01fabf2046e76b68dd6dc9e2 && \ sed -i "s/git+git/git+https/g" requirements.txt && \ - pip3 install --no-cache-dir -r requirements.txt && \ + pip3 install --break-system-packages --no-cache-dir -r requirements.txt && \ cp /root/dist/asa_server.py /opt/ciscoasa_honeypot && \ chown -R ciscoasa:ciscoasa /opt/ciscoasa_honeypot && \ # diff --git a/docker/ciscoasa/docker-compose.yml b/docker/ciscoasa/docker-compose.yml index 58a0a537..08346af3 100644 --- a/docker/ciscoasa/docker-compose.yml +++ b/docker/ciscoasa/docker-compose.yml @@ -22,4 +22,4 @@ services: image: "dtagdevsec/ciscoasa:alpha" read_only: true volumes: - - /data/ciscoasa/log:/var/log/ciscoasa + - $HOME/tpotce/data/ciscoasa/log:/var/log/ciscoasa diff --git a/docker/citrixhoneypot/Dockerfile b/docker/citrixhoneypot/Dockerfile index 45e9ef9d..21fe06c5 100644 --- a/docker/citrixhoneypot/Dockerfile +++ b/docker/citrixhoneypot/Dockerfile @@ -1,14 +1,14 @@ -FROM alpine:3.17 +FROM alpine:3.19 # # Install packages RUN apk --no-cache -U add \ git \ libcap \ - openssl \ + openssl \ py3-pip \ python3 && \ # - pip3 install --no-cache-dir python-json-logger && \ + pip3 install --break-system-packages --no-cache-dir python-json-logger && \ # # Install CitrixHoneypot from GitHub git clone https://github.com/t3chn0m4g3/CitrixHoneypot /opt/citrixhoneypot && \ @@ -28,7 +28,7 @@ RUN apk --no-cache -U add \ addgroup -g 2000 citrixhoneypot && \ adduser -S -H -s /bin/ash -u 2000 -D -g 2000 citrixhoneypot && \ chown -R citrixhoneypot:citrixhoneypot /opt/citrixhoneypot && \ - setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \ + setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \ # # Clean up apk del --purge git \ 
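Review bot: `$(readlink -f $(type -P python3))` relies on `type -P`, which is bash syntax; the RUN steps execute under the image's `/bin/sh` (busybox ash on Alpine), which appears to accept it only because its `type` treats any option like `-p`. The POSIX form `command -v python3` yields the same path in every shell: `setcap cap_net_bind_service=+ep "$(readlink -f "$(command -v python3)")"`. The same expression is introduced in the conpot, cowrie and ddospot Dockerfiles later in this patch.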
diff --git a/docker/citrixhoneypot/docker-compose.yml b/docker/citrixhoneypot/docker-compose.yml
index 3c5148c8..af1168bb 100644
--- a/docker/citrixhoneypot/docker-compose.yml
+++ b/docker/citrixhoneypot/docker-compose.yml
@@ -19,4 +19,4 @@ services:
 image: "dtagdevsec/citrixhoneypot:alpha"
 read_only: true
 volumes:
- - /data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
+ - $HOME/tpotce/data/citrixhoneypot/logs:/opt/citrixhoneypot/logs
diff --git a/docker/conpot/Dockerfile b/docker/conpot/Dockerfile
index ab09ea0f..b6a41e8e 100644
--- a/docker/conpot/Dockerfile
+++ b/docker/conpot/Dockerfile
@@ -1,52 +1,56 @@ -FROM alpine:3.17 +FROM alpine:3.19 # # Include dist COPY dist/ /root/dist/ # # Setup apt RUN apk --no-cache -U add \ - build-base \ - cython \ - file \ - git \ - libev \ - libtool \ - libcap \ - libffi-dev \ - libxslt \ - libxslt-dev \ - mariadb-dev \ - pkgconfig \ - procps \ - python3 \ - python3-dev \ - py3-cffi \ - py3-cryptography \ - py3-freezegun \ - py3-gevent \ - py3-lxml \ - py3-natsort \ - py3-pip \ - py3-ply \ - py3-psutil \ - py3-pycryptodomex \ - py3-pytest \ - py3-requests \ - py3-pyserial \ - py3-setuptools \ - py3-slugify \ - py3-snmp \ - py3-sphinx \ - py3-wheel \ - py3-zope-event \ - py3-zope-interface \ - wget && \ + build-base \ + cython \ + file \ + git \ + libev \ + libtool \ + libcap \ + libffi-dev \ + libxslt \ + libxslt-dev \ + mariadb-dev \ + pkgconfig \ + procps \ + python3 \ + python3-dev \ + py3-cffi \ + py3-cryptography \ + py3-freezegun \ + py3-gevent \ + py3-lxml \ + py3-natsort \ + py3-pip \ + py3-ply \ + py3-psutil \ + py3-pycryptodomex \ + py3-pytest \ + py3-requests \ + py3-pyserial \ + py3-setuptools \ + py3-slugify \ + py3-snmp \ + py3-sphinx \ + py3-wheel \ + py3-zope-event \ + py3-zope-interface \ + wget && \ # # Setup ConPot + git clone https://github.com/t3chn0m4g3/cpppo /opt/cpppo && \ + cd /opt/cpppo && \ + pip3 install --break-system-packages --no-cache-dir --upgrade pip && \ + pip3 install --break-system-packages --no-cache-dir . && \ git clone https://github.com/mushorg/conpot /opt/conpot && \ cd /opt/conpot/ && \ - git checkout b3740505fd26d82473c0d7be405b372fa0f82575 && \ - #git checkout 1c2382ea290b611fdc6a0a5f9572c7504bcb616e && \ + git checkout 26c67d11b08a855a28e87abd186d959741f46c7f && \ + # git checkout b3740505fd26d82473c0d7be405b372fa0f82575 && \ # Change template default ports if <1024 sed -i 's/port="2121"/port="21"/' /opt/conpot/conpot/templates/default/ftp/ftp.xml && \ sed -i 's/port="8800"/port="80"/' /opt/conpot/conpot/templates/default/http/http.xml && \ 
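Review bot: The new `git clone https://github.com/t3chn0m4g3/cpppo /opt/cpppo` installs whatever the fork's default branch holds at build time, while conpot a few lines below is pinned to `26c67d11b08a855a28e87abd186d959741f46c7f`; an unpinned clone makes the image non-reproducible and means any change (or compromise) of that branch is built into the honeypot silently. Pin it the same way: `git checkout <CPPPO_COMMIT_SHA> && \` right after the `cd /opt/cpppo` line (placeholder — use the commit the build was verified against). A short comment above the clone saying why a fork of cpppo is needed (the commit message only says "fix conpot issue with py 3.11") would save the next maintainer a search.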
@@ -58,17 +62,16 @@ RUN apk --no-cache -U add \ sed -i 's/port="16100"/port="161"/' /opt/conpot/conpot/templates/IEC104/snmp/snmp.xml && \ sed -i 's/port="6230"/port="623"/' /opt/conpot/conpot/templates/ipmi/ipmi/ipmi.xml && \ cp /root/dist/requirements.txt . && \ - pip3 install --no-cache-dir --upgrade pip && \ - pip3 install --no-cache-dir . && \ + pip3 install --break-system-packages --no-cache-dir . && \ cd / && \ rm -rf /opt/conpot /tmp/* /var/tmp/* && \ - setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \ + setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \ # # Get wireshark manuf db for scapy, setup configs, user, groups mkdir -p /etc/conpot /var/log/conpot /usr/share/wireshark && \ wget https://www.wireshark.org/download/automated/data/manuf -o /usr/share/wireshark/manuf && \ cp /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \ - cp -R /root/dist/templates /usr/lib/python3.10/site-packages/conpot/ && \ + cp -R /root/dist/templates /usr/lib/$(readlink -f $(type -P python3) | cut -f4 -d"/")/site-packages/conpot/ && \ addgroup -g 2000 conpot && \ adduser -S -s /bin/ash -u 2000 -D -g 2000 conpot && \ # diff --git a/docker/conpot/dist/conpot.cfg b/docker/conpot/dist/conpot.cfg index e67d5d48..90633fa6 100644 --- a/docker/conpot/dist/conpot.cfg +++ b/docker/conpot/dist/conpot.cfg @@ -3,7 +3,7 @@ sensorid = conpot [virtual_file_system] data_fs_url = %(CONPOT_TMP)s -fs_url = tar:///usr/lib/python3.10/site-packages/conpot/data.tar +fs_url = tar:///usr/lib/python3.11/site-packages/conpot/data.tar [session] timeout = 30 diff --git a/docker/conpot/dist/requirements.txt b/docker/conpot/dist/requirements.txt index c9ef466b..6d0016a9 100644 --- a/docker/conpot/dist/requirements.txt +++ b/docker/conpot/dist/requirements.txt @@ -3,6 +3,7 @@ pysmi libtaxii>=1.1.0 crc16 scapy==2.4.3rc1 +scapy==2.4.3rc1 hpfeeds3 modbus-tk stix-validator 
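Review bot: `$(readlink -f $(type -P python3) | cut -f4 -d"/")` derives `python3.11` from the interpreter path at build time, while `docker/conpot/dist/conpot.cfg` in the same commit hardcodes `/usr/lib/python3.11/site-packages/conpot/data.tar`, so the next Alpine bump leaves the cfg pointing at a directory that no longer exists; the cowrie Dockerfile uses the same `cut -f4` trick. Asking the interpreter for its site-packages directory is robust and reusable for the cfg: `SITE=$(python3 -c 'import sysconfig; print(sysconfig.get_path("purelib"))')`, then `cp -R /root/dist/templates "$SITE/conpot/"` and a `sed` on the copied `/etc/conpot/conpot.cfg` that writes the same value into `fs_url`. The unchanged context line `wget ... -o /usr/share/wireshark/manuf` passes `-o` (log file) rather than `-O`, so the manuf database is never written — presumably pre-existing, but worth fixing while this block is touched.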
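Review bot: The added `scapy==2.4.3rc1` duplicates the context line immediately above it, so requirements.txt now pins scapy twice; pip tolerates identical duplicates, but two lines invite a future edit that changes one and not the other. Drop the added line.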
@@ -12,9 +13,8 @@ bacpypes==0.17.0 pyghmi==1.4.1 mixbox modbus-tk -cpppo +#cpppo fs==2.3.0 tftpy # some freezegun versions broken -pycrypto sphinx_rtd_theme diff --git a/docker/conpot/docker-compose.yml b/docker/conpot/docker-compose.yml index 91ee14a3..42298004 100644 --- a/docker/conpot/docker-compose.yml +++ b/docker/conpot/docker-compose.yml @@ -40,7 +40,7 @@ services: image: "dtagdevsec/conpot:alpha" read_only: true volumes: - - /data/conpot/log:/var/log/conpot + - $HOME/tpotce/data/conpot/log:/var/log/conpot # Conpot IEC104 service conpot_IEC104: @@ -64,7 +64,7 @@ services: image: "dtagdevsec/conpot:alpha" read_only: true volumes: - - /data/conpot/log:/var/log/conpot + - $HOME/tpotce/data/conpot/log:/var/log/conpot # Conpot guardian_ast service conpot_guardian_ast: @@ -87,7 +87,7 @@ services: image: "dtagdevsec/conpot:alpha" read_only: true volumes: - - /data/conpot/log:/var/log/conpot + - $HOME/tpotce/data/conpot/log:/var/log/conpot # Conpot ipmi conpot_ipmi: @@ -110,7 +110,7 @@ services: image: "dtagdevsec/conpot:alpha" read_only: true volumes: - - /data/conpot/log:/var/log/conpot + - $HOME/tpotce/data/conpot/log:/var/log/conpot # Conpot kamstrup_382 conpot_kamstrup_382: @@ -134,4 +134,4 @@ services: image: "dtagdevsec/conpot:alpha" read_only: true volumes: - - /data/conpot/log:/var/log/conpot + - $HOME/tpotce/data/conpot/log:/var/log/conpot diff --git a/docker/cowrie/Dockerfile b/docker/cowrie/Dockerfile index 5b103c7a..0eab1c73 100644 --- a/docker/cowrie/Dockerfile +++ b/docker/cowrie/Dockerfile 
@@ -1,37 +1,37 @@ -FROM alpine:3.17 +FROM alpine:3.19 # # Include dist COPY dist/ /root/dist/ # # Get and install dependencies & packages RUN apk --no-cache -U add \ - bash \ - build-base \ - git \ - gmp-dev \ - libcap \ - libffi-dev \ - mpc1-dev \ - mpfr-dev \ - openssl \ - openssl-dev \ - py3-appdirs \ - py3-asn1-modules \ - py3-attrs \ - py3-bcrypt \ - py3-cryptography \ - py3-dateutil \ - py3-greenlet \ - py3-mysqlclient \ - py3-openssl \ - py3-packaging \ - py3-parsing \ - py3-pip \ - py3-service_identity \ - py3-treq \ - py3-twisted \ - python3 \ - python3-dev && \ + bash \ + build-base \ + git \ + gmp-dev \ + libcap \ + libffi-dev \ + mpc1-dev \ + mpfr-dev \ + openssl \ + openssl-dev \ + py3-appdirs \ + py3-asn1-modules \ + py3-attrs \ + py3-bcrypt \ + py3-cryptography \ + py3-dateutil \ + py3-greenlet \ + py3-mysqlclient \ + py3-openssl \ + py3-packaging \ + py3-parsing \ + py3-pip \ + py3-service_identity \ + py3-treq \ + py3-twisted \ + python3 \ + python3-dev && \ # # Setup user addgroup -g 2000 cowrie && \ 
@@ -40,20 +40,20 @@ RUN apk --no-cache -U add \ # Install cowrie mkdir -p /home/cowrie && \ cd /home/cowrie && \ - git clone --depth=1 https://github.com/cowrie/cowrie -b v2.5.0 && \ - #git clone --depth=1 https://github.com/cowrie/cowrie && \ + # git clone --depth=1 https://github.com/cowrie/cowrie -b v2.5.0 && \ + git clone --depth=1 https://github.com/cowrie/cowrie && \ cd cowrie && \ - #git checkout 8b1e1cf4db0d3b0e70b470cf40385bbbd3ed1733 && \ + git checkout 3394082040c02d91e79efa2c640ad68da9fe2231 && \ mkdir -p log && \ cp /root/dist/requirements.txt . && \ - pip3 install --upgrade pip && \ - pip3 install -r requirements.txt && \ + pip3 install --break-system-packages --upgrade pip && \ + pip3 install --break-system-packages -r requirements.txt && \ # # Setup configs - export PYTHON_DIR=$(python3 --version | tr '[A-Z]' '[a-z]' | tr -d ' ' | cut -d '.' -f 1,2 ) && \ - setcap cap_net_bind_service=+ep /usr/bin/$PYTHON_DIR && \ + #export PYTHON_DIR=$(python3 --version | tr '[A-Z]' '[a-z]' | tr -d ' ' | cut -d '.' -f 1,2 ) && \ + setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \ cp /root/dist/cowrie.cfg /home/cowrie/cowrie/cowrie.cfg && \ - chown cowrie:cowrie -R /home/cowrie/* /usr/lib/$PYTHON_DIR/site-packages/twisted/plugins && \ + chown cowrie:cowrie -R /home/cowrie/* /usr/lib/$(readlink -f $(type -P python3) | cut -f4 -d"/")/site-packages/twisted/plugins && \ # # Start Cowrie once to prevent dropin.cache errors upon container start caused by read-only filesystem su - cowrie -c "export PYTHONPATH=/home/cowrie/cowrie:/home/cowrie/cowrie/src && \ diff --git a/docker/cowrie/docker-compose.yml b/docker/cowrie/docker-compose.yml index ec1128f7..c6d25d71 100644 --- a/docker/cowrie/docker-compose.yml +++ b/docker/cowrie/docker-compose.yml 
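Review bot: `git clone --depth=1 https://github.com/cowrie/cowrie` followed by `git checkout 3394082040c02d91e79efa2c640ad68da9fe2231` only works while that commit is the tip of the default branch — a depth-1 clone holds a single commit, so once upstream moves on the build fails with a "reference is not a tree" error instead of building the pinned revision. Either drop `--depth=1` (as the conpot Dockerfile does) or fetch the pin directly: `git init cowrie && cd cowrie && git fetch --depth=1 https://github.com/cowrie/cowrie 3394082040c02d91e79efa2c640ad68da9fe2231 && git checkout FETCH_HEAD`. The commented-out `git clone ... -b v2.5.0` and `#export PYTHON_DIR=...` lines are now dead and would be clearer removed than kept as comments.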
@@ -23,7 +23,7 @@ services: image: "dtagdevsec/cowrie:alpha" read_only: true volumes: - - /data/cowrie/downloads:/home/cowrie/cowrie/dl - - /data/cowrie/keys:/home/cowrie/cowrie/etc - - /data/cowrie/log:/home/cowrie/cowrie/log - - /data/cowrie/log/tty:/home/cowrie/cowrie/log/tty + - $HOME/tpotce/data/cowrie/downloads:/home/cowrie/cowrie/dl + - $HOME/tpotce/data/cowrie/keys:/home/cowrie/cowrie/etc + - $HOME/tpotce/data/cowrie/log:/home/cowrie/cowrie/log + - $HOME/tpotce/data/cowrie/log/tty:/home/cowrie/cowrie/log/tty diff --git a/docker/ddospot/Dockerfile b/docker/ddospot/Dockerfile index 8240680c..94d5af06 100644 --- a/docker/ddospot/Dockerfile +++ b/docker/ddospot/Dockerfile @@ -1,22 +1,22 @@ -FROM alpine:3.17 +FROM alpine:3.19 # # Include dist COPY dist/ /root/dist/ # # Install packages RUN apk --no-cache -U add \ - build-base \ - git \ - libcap \ - py3-colorama \ - py3-greenlet \ - py3-pip \ - py3-schedule \ - py3-sqlalchemy \ - py3-twisted \ - py3-wheel \ - python3 \ - python3-dev && \ + build-base \ + git \ + libcap \ + py3-colorama \ + py3-greenlet \ + py3-pip \ + py3-schedule \ + py3-sqlalchemy \ + py3-twisted \ + py3-wheel \ + python3 \ + python3-dev && \ # # Install ddospot from GitHub and setup mkdir -p /opt && \ @@ -40,8 +40,8 @@ RUN apk --no-cache -U add \ sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ntp/ntpot.conf && \ sed -i "s#rotate_size = 10#rotate_size = 9999#g" /opt/ddospot/ddospot/pots/ssdp/ssdpot.conf && \ cp /root/dist/requirements.txt . && \ - pip3 install -r ddospot/requirements.txt && \ - setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \ + pip3 install --break-system-packages -r ddospot/requirements.txt && \ + setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \ # # Setup user, groups and configs addgroup -g 2000 ddospot && \ 
@@ -50,8 +50,8 @@ RUN apk --no-cache -U add \
 #
 # Clean up
 apk del --purge build-base \
- git \
- python3-dev && \
+ git \
+ python3-dev && \
 rm -rf /root/* && \
 rm -rf /opt/ddospot/.git && \
 rm -rf /var/cache/apk/*
diff --git a/docker/ddospot/docker-compose.yml b/docker/ddospot/docker-compose.yml
index 028e638f..2506e668 100644
--- a/docker/ddospot/docker-compose.yml
+++ b/docker/ddospot/docker-compose.yml
@@ -23,6 +23,6 @@ services:
 image: "dtagdevsec/ddospot:alpha"
 read_only: true
 volumes:
- - /data/ddospot/log:/opt/ddospot/ddospot/logs
- - /data/ddospot/bl:/opt/ddospot/ddospot/bl
- - /data/ddospot/db:/opt/ddospot/ddospot/db
+ - $HOME/tpotce/data/ddospot/log:/opt/ddospot/ddospot/logs
+ - $HOME/tpotce/data/ddospot/bl:/opt/ddospot/ddospot/bl
+ - $HOME/tpotce/data/ddospot/db:/opt/ddospot/ddospot/db
diff --git a/docker/tpotinit/Dockerfile b/docker/tpotinit/Dockerfile
index 471a7a88..2b505ea2 100644
--- a/docker/tpotinit/Dockerfile
+++ b/docker/tpotinit/Dockerfile
@@ -41,6 +41,6 @@ RUN apk --no-cache -U add \
 #
 # Run tpotinit
 WORKDIR /opt/tpot
-HEALTHCHECK --retries=1000 --interval=5s CMD test -f /tmp/success || exit 1
+HEALTHCHECK --interval=5s CMD pgrep -f autoheal || exit 1
 STOPSIGNAL SIGKILL
 CMD ["/opt/tpot/entrypoint.sh"]
diff --git a/docker/tpotinit/dist/autoheal.sh b/docker/tpotinit/dist/autoheal.sh
new file mode 100755
index 00000000..22078c67
--- /dev/null
+++ b/docker/tpotinit/dist/autoheal.sh
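Review bot: `pgrep -f autoheal` matches its own wrapper: the shell-form HEALTHCHECK runs as `/bin/sh -c "pgrep -f autoheal || exit 1"`, and that shell's command line contains the word `autoheal`, so the probe finds a match even when autoheal.sh is not running and the container can never report unhealthy. The usual fix is a pattern that does not match its own text: `HEALTHCHECK --interval=5s CMD pgrep -f '[a]utoheal.sh' || exit 1`. Note also that on the Docker Desktop path entrypoint.sh (later in this patch) never starts autoheal, so a correct probe would mark tpotinit unhealthy there — worth a comment on the HEALTHCHECK line, or a probe that accounts for that path.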
@@ -0,0 +1,171 @@ +#!/usr/bin/env sh + +#################################################################### +# docker-autoheal: https://github.com/willfarrell/docker-autoheal +#################################################################### + +set -e +# shellcheck disable=2039 +set -o pipefail + +DOCKER_SOCK=${DOCKER_SOCK:-/var/run/docker.sock} +UNIX_SOCK="" +CURL_TIMEOUT=${CURL_TIMEOUT:-30} +WEBHOOK_URL=${WEBHOOK_URL:-""} +WEBHOOK_JSON_KEY=${WEBHOOK_JSON_KEY:-"text"} +APPRISE_URL=${APPRISE_URL:-""} + +# only use unix domain socket if no TCP endpoint is defined +case "${DOCKER_SOCK}" in + "tcp://"*) HTTP_ENDPOINT="$(echo ${DOCKER_SOCK} | sed 's#tcp://#http://#')" + ;; + "tcps://"*) HTTP_ENDPOINT="$(echo ${DOCKER_SOCK} | sed 's#tcps://#https://#')" + CA="--cacert /certs/ca.pem" + CLIENT_KEY="--key /certs/client-key.pem" + CLIENT_CERT="--cert /certs/client-cert.pem" + ;; + *) HTTP_ENDPOINT="http://localhost" + UNIX_SOCK="--unix-socket ${DOCKER_SOCK}" + ;; +esac + +# AUTOHEAL_CONTAINER_LABEL=${AUTOHEAL_CONTAINER_LABEL:-autoheal} +AUTOHEAL_CONTAINER_LABEL=${AUTOHEAL_CONTAINER_LABEL:-all} +AUTOHEAL_START_PERIOD=${AUTOHEAL_START_PERIOD:-0} +AUTOHEAL_INTERVAL=${AUTOHEAL_INTERVAL:-5} +AUTOHEAL_DEFAULT_STOP_TIMEOUT=${AUTOHEAL_DEFAULT_STOP_TIMEOUT:-10} + +docker_curl() { + curl --max-time "${CURL_TIMEOUT}" --no-buffer -s \ + ${CA} ${CLIENT_KEY} ${CLIENT_CERT} \ + ${UNIX_SOCK} \ + "$@" +} + +# shellcheck disable=2039 +get_container_info() { + local label_filter + local url + + # Set container selector + if [ "$AUTOHEAL_CONTAINER_LABEL" = "all" ] + then + label_filter="" + else + label_filter=",\"label\":\[\"${AUTOHEAL_CONTAINER_LABEL}=true\"\]" + fi + url="${HTTP_ENDPOINT}/containers/json?filters=\{\"health\":\[\"unhealthy\"\]${label_filter}\}" + docker_curl "$url" +} + +# shellcheck disable=2039 +restart_container() { + local container_id="$1" + local timeout="$2" + + docker_curl -f -X POST "${HTTP_ENDPOINT}/containers/${container_id}/restart?t=${timeout}" +} + 
+notify_webhook() { + local text="$@" + + if [ -n "$WEBHOOK_URL" ] + then + # execute webhook requests as background process to prevent healer from blocking + curl -s -X POST -H "Content-type: application/json" -d "$(generate_webhook_payload $text)" $WEBHOOK_URL + fi + + if [ -n "$APPRISE_URL" ] + then + # execute webhook requests as background process to prevent healer from blocking + curl -s -X POST -H "Content-type: application/json" -d "$(generate_apprise_payload $text)" $APPRISE_URL + fi +} + +notify_post_restart_script() { + if [ -n "$POST_RESTART_SCRIPT" ] + then + # execute post restart script as background process to prevent healer from blocking + $POST_RESTART_SCRIPT "$@" & + fi +} + +# https://towardsdatascience.com/proper-ways-to-pass-environment-variables-in-json-for-curl-post-f797d2698bf3 +generate_webhook_payload() { + local text="$@" + cat <&2 + exit 1 + fi + # Delayed startup + if [ "$AUTOHEAL_START_PERIOD" -gt 0 ] + then + echo "Monitoring containers for unhealthy status in $AUTOHEAL_START_PERIOD second(s)" + sleep "$AUTOHEAL_START_PERIOD" & + wait $! + fi + + while true + do + STOP_TIMEOUT=".Labels[\"autoheal.stop.timeout\"] // $AUTOHEAL_DEFAULT_STOP_TIMEOUT" + get_container_info | \ + jq -r ".[] | select(.Labels[\"autoheal\"] != \"False\") | foreach . 
as \$CONTAINER([];[]; \$CONTAINER | .Id, .Names[0], .State, ${STOP_TIMEOUT})" | \ + while read -r CONTAINER_ID && read -r CONTAINER_NAME && read -r CONTAINER_STATE && read -r TIMEOUT + do + # shellcheck disable=2039 + CONTAINER_SHORT_ID=${CONTAINER_ID:0:12} + DATE=$(date +%d-%m-%Y" "%H:%M:%S) + + if [ "$CONTAINER_NAME" = "null" ] + then + echo "$DATE Container name of (${CONTAINER_SHORT_ID}) is null, which implies container does not exist - don't restart" >&2 + elif [ "$CONTAINER_STATE" = "restarting" ] + then + echo "$DATE Container $CONTAINER_NAME (${CONTAINER_SHORT_ID}) found to be restarting - don't restart" + else + echo "$DATE Container $CONTAINER_NAME (${CONTAINER_SHORT_ID}) found to be unhealthy - Restarting container now with ${TIMEOUT}s timeout" + if ! restart_container "$CONTAINER_ID" "$TIMEOUT" + then + echo "$DATE Restarting container $CONTAINER_SHORT_ID failed" >&2 + notify_webhook "Container ${CONTAINER_NAME:1} (${CONTAINER_SHORT_ID}) found to be unhealthy. Failed to restart the container!" & + else + notify_webhook "Container ${CONTAINER_NAME:1} (${CONTAINER_SHORT_ID}) found to be unhealthy. Successfully restarted the container!" & + fi + notify_post_restart_script "$CONTAINER_NAME" "$CONTAINER_SHORT_ID" "$CONTAINER_STATE" "$TIMEOUT" & + fi + done + sleep "$AUTOHEAL_INTERVAL" & + wait $! + done + +else + exec "$@" +fi diff --git a/docker/tpotinit/dist/entrypoint.sh b/docker/tpotinit/dist/entrypoint.sh index 28e2420f..dd5099b4 100755 --- a/docker/tpotinit/dist/entrypoint.sh +++ b/docker/tpotinit/dist/entrypoint.sh @@ -132,6 +132,14 @@ if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ]; echo "# Aborting." echo exit 1 + else + if ! [ -S /var/run/docker.sock ]; + then + echo "# Cannot access /var/run/docker.sock, check docker-compose.yml for proper volume definition." + echo + echo "# Aborting." + exit 1 + fi fi # Validate environment variables 
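Review bot: `AUTOHEAL_CONTAINER_LABEL` defaults to `all` here (upstream's `autoheal` default is left commented out), so with the host socket mounted this loop restarts every unhealthy container on the Docker host — including ones that are not part of T-Pot — unless they carry `autoheal=False`; restarting someone else's container is a surprising side effect of installing a honeypot. Limiting the query to this compose project, e.g. adding `"label":["com.docker.compose.project=<PROJECT>"]` to the `filters` in get_container_info (placeholder for the T-Pot project name), or keeping the `autoheal` label default and labelling the T-Pot services, confines it. Separately, the script runs under `set -e` with `pipefail`, so one failed `docker_curl` in the `get_container_info | jq | while` pipeline terminates the whole monitor, and since tpotinit is started with `restart: "no"` (see its docker-compose hunk) a transient API error ends health monitoring until the stack is recreated — consider guarding that pipeline so a failed request is logged and retried on the next interval instead of being fatal. Part of this hunk (the payload heredocs and the main `if`) is not legible on this page, so those lines were not reviewed.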
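Review bot: The new socket check tests the literal `/var/run/docker.sock`, while autoheal.sh (added in this patch) honours `DOCKER_SOCK` and merely defaults to that path, so the two can disagree if the variable is ever set. `if ! [ -S "${DOCKER_SOCK:-/var/run/docker.sock}" ];` keeps the check aligned with the consumer for the unix-socket case. The enclosing `if` starts before this hunk.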
@@ -292,18 +300,23 @@ echo figlet "Starting ..." figlet "T-Pot: ${TPOT_VERSION}" echo -touch /tmp/success # We want to see true source for UDP packets in container (https://github.com/moby/libnetwork/issues/1994) +# Start autoheal if running on a supported os if [ "${myOSTYPE}" != "linuxkit" ]; then - sleep 60 + sleep 1 + echo "# Dropping UDP connection tables to improve visibility of true source IPs." /usr/sbin/conntrack -D -p udp + # Starting container health monitoring + echo + figlet "Starting ..." + figlet "Autoheal" + echo "# Now monitoring healthcheck enabled containers to automatically restart them when unhealthy." + echo + exec /opt/tpot/autoheal.sh autoheal else echo echo "# Docker Desktop for macOS or Windows detected, Conntrack feature is not supported." echo -fi - -# Keep the container running ... -sleep infinity +fi diff --git a/docker/tpotinit/docker-compose.yml b/docker/tpotinit/docker-compose.yml index 09f25714..a5eece62 100644 --- a/docker/tpotinit/docker-compose.yml +++ b/docker/tpotinit/docker-compose.yml @@ -11,7 +11,7 @@ services: restart: "no" image: "ghcr.io/telekom-security/tpotinit:alpha" volumes: -# - /var/run/docker.sock:/var/run/docker.sock:ro + - /var/run/docker.sock:/var/run/docker.sock:ro - $HOME/tpotce/data:/data network_mode: "host" cap_add: diff --git a/install.sh b/install.sh index ce3ddc8f..42e477bb 100755 --- a/install.sh +++ b/install.sh @@ -33,6 +33,7 @@ myCURRENT_DISTRIBUTION=$(awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"' if [[ ! " ${mySUPPORTED_DISTRIBUTIONS[@]} " =~ " ${myCURRENT_DISTRIBUTION} " ]]; then echo "### Only the following distributions are supported: AlmaLinux, Fedora, Debian, openSUSE Tumbleweed, Rocky Linux and Ubuntu." + echo "### Please follow the T-Pot documentation on how to run T-Pot on macOS, Windows and other currently unsupported platforms." echo exit 1 fi
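Review bot: With `sleep infinity` removed, the `else` branch (Docker Desktop on macOS/Windows) now falls off the end of the script after printing its message, so tpotinit exits instead of staying up as before, while autoheal is only `exec`'d on the Linux branch. If anything waits on tpotinit being healthy (e.g. `depends_on` with `service_healthy`; not visible here), that path breaks. Suggest ending the else branch with `exec sleep infinity` (or starting autoheal there too if the socket is usable on Docker Desktop). The `sleep 60` → `sleep 1` before `conntrack -D -p udp` also drops whatever start-up grace period the 60 seconds provided; a comment on why one second is now enough would help.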